Entra Security Groups in Business Central on-prem

After finding Entra security groups can be used with specific on-prem editions of BC, I've been trying to set up a proof of concept for this but so far have been unsuccessful.

I've got BC 27.4 installed and have access control authentication configured and working. When the "EnableEntraGroupsOnPrem" setting is enabled, upon login to the client a technical error is thrown and event viewer mentions
"AzureActiveDirectoryClientSecret" or "AzureActiveDirectoryClientCertificateThumbprint" must be configured.
 
Creating an app registration in Entra and providing it what I think should be sufficient permissions (Group.Read.All, GroupMember.Read.All and User.Read.All), both delegated and application and with admin consent. Then setting ClientSecret allows the web client to work once again, but upon going to security groups, add and "..." to browse them, the "something went wrong" page comes up and event viewer shows various errors/warnings including:
NavLicenseServiceException ... An error occurred while querying for external license information
 
When configuring the AzureActiveDirectoryClientID with the client ID of the app created (or the app used for login) the client won't open at all (technical issue) and event viewer shows
GetLicenseDetailsByObjectIdAsync failed due to a transient exception: Graph.ServiceException: Code: Authorization_RequestDenied
LicenseServiceTransientException
It also mentions:
This request was received by an Azure AD regional authentication endpoint. Only managed identities and Microsoft internal service identities are supported. SN+I authentication is required. All others, send your request to login.microsoftonline.com: in MSAL avoid using .WithAzureRegion(), in App Service, set REGION_NAME to null
Does this suggest the feature isn't designed for use on-premises?
 

 
Has anyone been able to configure this feature successfully?
I've been unable to find any working configuration or any more documentation on what is required for this feature to be configured. Any suggestions would be greatly appreciated!
  • Suggested answer
    OussamaSabbouh (Super User 2026 Season 1)
    Hello,
    It is designed for on-prem, but only in BC 25.11 / 26.5 / 27.4 or later with Microsoft Entra ID authentication, and the error suggests BC can’t call Microsoft Graph correctly with the app credentials you configured. I would not use the normal sign-in app registration blindly; create/use a server-side Entra app for BC, set EnableEntraGroupsOnPrem = true, configure AzureActiveDirectoryClientId plus either AzureActiveDirectoryClientSecret or preferably AzureActiveDirectoryClientCertificateThumbprint, and grant/admin-consent Microsoft Graph application permissions to read users/groups. The Authorization_RequestDenied means Graph accepted the call but the app identity lacks the needed rights or is using the wrong authority/tenant; the “regional authentication endpoint” message sounds like a product/config bug or unsupported authority path, so if the tenant ID, metadata URL, client ID, secret/cert, and Graph app permissions are all correct, I’d open a Microsoft support case because the public doc doesn’t yet give a full working permission matrix for this feature. Also note the docs still say that on-prem security groups are selected through the Windows group name field, which looks inconsistent with Entra groups and may be part of the rough edge here.
    Regards,
    Oussama Sabbouh
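
As an added example (not from the thread and not Microsoft's code): a PowerShell check of the claims in an access token already obtained for the server-side app, covering the causes the answer gives for Authorization_RequestDenied (missing application permissions, wrong tenant or app). The function names, the placeholder IDs and the required-role list (the permission names from the question, not a documented matrix) are assumptions.

```powershell
# Added example: inspect the claims of an app-only Microsoft Graph access token.
# Claims are decoded for diagnosis only; the signature is not verified here.
function ConvertFrom-Base64Url([string]$Value) {
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Test-GraphAppToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [Parameter(Mandatory)][string]$ExpectedClientId,
        # Assumption: the permission names tried in the question, not a documented matrix.
        [string[]]$RequiredRoles = @('Group.Read.All', 'GroupMember.Read.All', 'User.Read.All')
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a three-part JWT' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $graphAud = 'https://graph.microsoft.com', '00000003-0000-0000-c000-000000000046'
    $appId = if ($claims.appid) { $claims.appid } else { $claims.azp }  # v1 vs v2 token
    $roles = @($claims.roles)   # application permissions appear in "roles"
    $findings = @()
    if ($graphAud -notcontains ([string]$claims.aud).TrimEnd('/')) { $findings += "aud is '$($claims.aud)', not Microsoft Graph" }
    if ($claims.tid -ne $ExpectedTenantId) { $findings += "tid '$($claims.tid)' is not the expected tenant" }
    if ($appId -ne $ExpectedClientId) { $findings += "token was issued to app '$appId', not the configured client ID" }
    if ($claims.scp) { $findings += 'scp claim present: delegated token, not app-only' }
    foreach ($r in $RequiredRoles) {
        if ($roles -notcontains $r) { $findings += "application permission missing from roles: $r" }
    }
    $findings
}

# Constructed sample token (placeholder IDs, fake signature): User.Read.All was never consented.
$payload = @{
    aud   = 'https://graph.microsoft.com'
    tid   = '11111111-1111-1111-1111-111111111111'
    appid = '22222222-2222-2222-2222-222222222222'
    roles = @('Group.Read.All', 'GroupMember.Read.All')
} | ConvertTo-Json -Compress
$toB64Url = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$token = (& $toB64Url '{"typ":"JWT","alg":"RS256"}'), (& $toB64Url $payload), 'constructed' -join '.'

Test-GraphAppToken -Token $token -ExpectedTenantId '11111111-1111-1111-1111-111111111111' -ExpectedClientId '22222222-2222-2222-2222-222222222222'
```

Delegated permissions never show up in an app-only token, so consent granted only on the delegated side leaves the `roles` claim empty.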
