Small and medium business | Business Central, N...

OData Access using AAD OAuth Tokens on BC14 OnPrem

(0) Share

Report

Posted on by Jakob Theiner

Hi!

I'm having an issue accessing a BC14 (CU22) OnPrem OData Webservice via OAuth.

I have AAD Authentication set up and can log in with AAD Users.

I have registered a second application as the consumer and created a secret to retrieve Tokens, this works fine as well:

curl --location --request POST 'https://login.microsoftonline.com/{{tenantId}}/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={{ApiConsumerApplicationId}}' \
--data-urlencode 'client_secret={{ApiConsumerClientSecret}}' \
--data-urlencode 'resource={{BusinessCentralApplicationId}}'

Response:

{
    "token_type": "Bearer",
    "expires_in": "86399",
    "ext_expires_in": "86399",
    "expires_on": "1622970582",
    "not_before": "1622883882",
    "resource": "821ba44a-a427-472e-9cc9-12b89bf42c08",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiI4MjFiYTQ0YS1hNDI3LTQ3MmUtOWNjOS0xMmI4OWJmNDJjMDgiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC82YWE0Nzc1NS0wNjY2LTRhN2ItYWVmMy1mZDY2ZTM2ZjlkNDMvIiwiaWF0IjoxNjIyODgzODgyLCJuYmYiOjE2MjI4ODM4ODIsImV4cCI6MTYyMjk3MDU4MiwiYWlvIjoiRTJaZ1lOQk1uT2ZFTGw0aXBOa1VjL3ZXOGYvUEFRPT0iLCJhcHBpZCI6ImY0NTc1OTk0LTYzYmYtNGQxMS1iNGVmLTM5NjQ1MjU3YWMzZCIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzZhYTQ3NzU1LTA2NjYtNGE3Yi1hZWYzLWZkNjZlMzZmOWQ0My8iLCJvaWQiOiI3YTU1YWE2NS03MjJhLTQwYTMtYjM1ZC0xMTA3NDBhMDJhY2QiLCJyaCI6IjAuQVlFQVZYZWthbVlHZTBxdThfMW00Mi1kUTVSWlZfU19ZeEZOdE84NVpGSlhyRDJCQUFBLiIsInJvbGVzIjpbIkZpbmFuY2lhbHMuUmVhZFdyaXRlLkFsbCJdLCJzdWIiOiI3YTU1YWE2NS03MjJhLTQwYTMtYjM1ZC0xMTA3NDBhMDJhY2QiLCJ0aWQiOiI2YWE0Nzc1NS0wNjY2LTRhN2ItYWVmMy1mZDY2ZTM2ZjlkNDMiLCJ1dGkiOiJaWEQtZ0VrNGkwV1NoNWtlcElnRkFBIiwidmVyIjoiMS4wIn0.VLpIJwhivCHAfNuwnF_PTgkfLIXS95twOFkDcXVYcBpL6F0AMFjMWwyrqTRSnvpYvsR2HDz7lWhzL-IvZfafZ1En1NJhyAgpL2pB1yVqqVPPPE_jYbo7mm6JyuxK1iuwj_gH1LmQb8LL3VzrewZDHigW0W57VTG_6M1b24njQv3sNcAU3e7WkCmughbyvXECW89vcPE1twANpLoY-GpYjXQaE923eG3ROf195F5P9aRQeYmBgZ06GVxIvhQcUrriNsURixeAkXZA8zYSsegINinOdy5pIGx3heK5AklLulr5lzwp70uoPDl0gvUFG9y68A1Px4J_elBMiW1fBOnvWw"
}

Here's the issue; when I use the Token to make a request I get the following response (HTTP 500):

{
    "error": {
        "code": "Unknown",
        "message": "IDX10231: Audience validation failed. Delegate returned false, securitytoken: '[PII is hidden]'.  CorrelationId:  54ded16a-9bf6-466a-8300-3adac2b6c614."
    }
}

The Event log (Admin) shows the following message:

Server instance: RELion10_EXTENSIONS_OData_Oauth2
Tenant ID: 
Type: Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException
InvalidAudience: 821ba44a-a427-472e-9cc9-12b89bf42c08
Message: IDX10231: Audience validation failed. Delegate returned false, securitytoken: '[PII is hidden]'.
StackTrace:
     at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
     at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
     at Microsoft.Dynamics.Nav.Service.NavJwtSecurityTokenFactory.CreateAndValidateWithAudienceList(String serializedToken, FederationMetadataProvider federationMetadataProvider, IEnumerable`1 allowedAudiences, String tokenId, NavDiagnostics diagnostics)
     at Microsoft.Dynamics.Nav.Service.WebServiceBearerAuthenticator.TryAuthenticateUser(String authorizationHeader, Uri requestUrl)
     at Microsoft.Dynamics.Nav.Service.ServiceAuthenticationHelper.AuthenticateForServiceCall(Uri uri, String authorizationValue, Func`3 createException)
     at Microsoft.Dynamics.Nav.Service.OData.V4.HttpRequestMessageExtensions.Authenticate(HttpRequestMessage request)
     at System.Lazy`1.CreateValue()
     at System.Lazy`1.LazyInitValue()
     at Microsoft.Dynamics.Nav.Service.OData.NavServiceEnvironment.EnsureNavAuthentication()
     at Microsoft.Dynamics.Nav.Service.OData.V4.RouteBuilder.GetEdmModelInternal(IServiceProvider serviceProvider)
     at lambda_method(Closure , ServiceProvider )
     at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
     at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
     at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer, Boolean template)
     at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer)
     at Microsoft.Dynamics.Nav.Service.OData.V4.PathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer)
     at Microsoft.Dynamics.Nav.Service.OData.V4.RouteConstraint.Match(HttpRequestMessage request, IHttpRoute route, String parameterName, IDictionary`2 values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.ProcessConstraint(HttpRequestMessage request, Object constraint, String parameterName, HttpRouteValueDictionary values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.ProcessConstraints(HttpRequestMessage request, HttpRouteValueDictionary values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.GetRouteData(String virtualPathRoot, HttpRequestMessage request)
     at System.Web.Http.HttpRouteCollection.GetRouteData(HttpRequestMessage request)
     at System.Web.Http.Dispatcher.HttpRoutingDispatcher.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     at System.Net.Http.DelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     at System.Web.Http.HttpServer.d__0.MoveNext()
Source: Microsoft.IdentityModel.Tokens
HResult: -2146233088
StackTrace:
     at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
     at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
     at Microsoft.Dynamics.Nav.Service.NavJwtSecurityTokenFactory.CreateAndValidateWithAudienceList(String serializedToken, FederationMetadataProvider federationMetadataProvider, IEnumerable`1 allowedAudiences, String tokenId, NavDiagnostics diagnostics)
     at Microsoft.Dynamics.Nav.Service.WebServiceBearerAuthenticator.TryAuthenticateUser(String authorizationHeader, Uri requestUrl)
     at Microsoft.Dynamics.Nav.Service.ServiceAuthenticationHelper.AuthenticateForServiceCall(Uri uri, String authorizationValue, Func`3 createException)
     at Microsoft.Dynamics.Nav.Service.OData.V4.HttpRequestMessageExtensions.Authenticate(HttpRequestMessage request)
     at System.Lazy`1.CreateValue()
     at System.Lazy`1.LazyInitValue()
     at Microsoft.Dynamics.Nav.Service.OData.NavServiceEnvironment.EnsureNavAuthentication()
     at Microsoft.Dynamics.Nav.Service.OData.V4.RouteBuilder.GetEdmModelInternal(IServiceProvider serviceProvider)
     at lambda_method(Closure , ServiceProvider )
     at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
     at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
     at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer, Boolean template)
     at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer)
     at Microsoft.Dynamics.Nav.Service.OData.V4.PathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer)
     at Microsoft.Dynamics.Nav.Service.OData.V4.RouteConstraint.Match(HttpRequestMessage request, IHttpRoute route, String parameterName, IDictionary`2 values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.ProcessConstraint(HttpRequestMessage request, Object constraint, String parameterName, HttpRouteValueDictionary values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.ProcessConstraints(HttpRequestMessage request, HttpRouteValueDictionary values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.GetRouteData(String virtualPathRoot, HttpRequestMessage request)
     at System.Web.Http.HttpRouteCollection.GetRouteData(HttpRequestMessage request)
     at System.Web.Http.Dispatcher.HttpRoutingDispatcher.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     at System.Net.Http.DelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     at System.Web.Http.HttpServer.d__0.MoveNext()

Event Log (Operational)

Server instance: RELion10_EXTENSIONS_OData_Oauth2
Tenant ID: 
The received security token could be validated but does not give access to Dynamics 365 Business Central.
Token Details : Issuer: https://sts.windows.net/6aa47755-0666-4a7b-aef3-fd66e36f9d43/
Expiry (UTC): 07.06.2021 09:29:10
 TenantId: 6aa47755-0666-4a7b-aef3-fd66e36f9d43
 AppId: f4575994-63bf-4d11-b4ef-39645257ac3d
 IdentityProvider: https://sts.windows.net/6aa47755-0666-4a7b-aef3-fd66e36f9d43/
 Version: 1.0

I am using the Business Central (AAD) Application's Id as the Resource (821ba44a-a427-472e-9cc9-12b89bf42c08).

I also tried using the appIdUrl as the resource, again I can retrieve Tokens just fine. When I use a token like this, I get a different error message (HTTP Status 401):

{
    "error": {
        "code": "Authentication_InvalidCredentials",
        "message": "The server has rejected the client credentials.  CorrelationId:  b08e51a3-7702-4ec0-9c07-6c7eedb39ae4."
    }
}

In this case the event log does not create an entry.

What am I doing wrong?

I've been at it for hours now, so any help is greatly appreciated

Jakob

All responses (10)

Answers (0)

WayneStevens 10 on at

Like (2)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

I had this same problem today with a BC20 on-prem setup - got the SecurityTokenInvalidAudienceException exception trying to use the token. I found this article telling me more than I ever wanted to know about audiences/scopes: https://www.kauffmann.nl/2022/02/23/configuring-business-central-for-azure-active-directory-authentication-and-oauth-2/. I jumped straight to option 2 and configured the instance to allow the "standard" scope:

Set-NAVServerConfiguration -ServerInstance BC200 -KeyName ValidAudiences -KeyValue "https://api.businesscentral.dynamics.com"
Restart-NAVServerInstance -ServerInstance BC200

That solved this issue for me - hope it helps you...

-Wayne
Jakob Theiner 42 on at

Like (0)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hi Drew!

No, we didn't get the issue resolved. The ticket was closed since support for Service to Service Authentication has only been added officially for 18.3+ or so. Since most of our customers are still on BC 14 I didn't invest more time. We just use a second server instance with NavUserPassword Authentication via which our APIs can be consumed using basic Auth, the old, not very nice way.

I hope you'll get that issue resolved though, next year at the latest we'll have to get back to this as well...

Jakob
Drew Gaskin 5 on at

Like (0)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hi Jakob,

Wondering if you found the solution for this? We have run into the same problem configuring BC20 from scratch.

We had the same setup where SSO was configured already for user logins and working successfully.

We then configured a second azure app registration like you did as the redirect URI was different for the OAUTH connection.

After troubleshooting the error I found in the event log it was expecting the APP ID of the existing SSO app registration we setup for the user sign in and therefore the a different Azure app reg for OAUTH couldn't be used.

I then added a second redirect URI to the SSO app registration which matched the OUATH URI your-bc-uri/.../OAuthLanding.htm

This resolved the problem but now appears the user created in the BC portal for the SSO isn't licensed which I found in the event log of the app server. Did you get to this stage and come across the license error?

Cheers,

Drew
Suggested answer

Marco Mels on at

Like (0)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hello,

Glad that you were finally able to get to us. Not good that you spend a lot of hours on it! I would be very frustrated as well! For us at CSS, we do not have any access ID's nor accounts within partner center that fully match all support contracts that are out there, so it is a black box for us as well.

If you are able to get to a support team using the support entitlements you have access to, you can maybe reference the community posting in the request and name the support staff that provided answers to your question. We can then internally figure it out how to address the request further and it becomes our problem again to assign the right resource to your support request.

Thanks.
Jakob Theiner 42 on at

Like (0)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hi Benny, thanks for letting me know! I've been googling for quite some time before posting but didn't find the post you mentioned. We also have a case running now, we'll so what comes out of it :)
Benny Van Lyssebettens 35 on at

Like (2)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hi Jakaob,

First of al, you're not alone... Jaan also reported this behavior a time ago: community.dynamics.com/.../bc-14-onprem-multitenant-oauth-for-web-services. I have the same issue in a 17.6 On Prem. It has something to do with the scope that you include in the token-generation, but I can't figure out the correct one, nor if we need to create one in the Azure App Registration.
Jakob Theiner 42 on at

Like (0)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hello Marco,

well yes and no :D

When I follow the links, I get sent to the power platform support. There I am forced to select a (SaaS) environment, which I don't have since this is a OnPrem issue. Of course I can input some stuff like this, but I don't think, it's the right channel:

If I select the above link "If you are a Microsoft partner, request support via the partner center", I get back to the partner center (where I started). Welcome to the infinite loop of "How to open a support request with Microsoft as a Gold Partner".

Now from the Office 365 Admin Center I found business support and it seems very nice, I can select the product and input all my info:

This is what I would have liked to see in the first place

.... But wait, now I have to add a new support subscription?

After some digging I found the contract number and access id in partner center, I'm supposed to have 20 incidents and 50hrs of support left:

I now felt like I had finally found everything and could send the request, but when I try to add this contract to the support request I get another error message which tells me to either retry at a later time or... contact support ........ What do you think I've been trying to do for the last two hours?

I tried typing it, to make sure there are no hidden characters, I tried swapping Access Id and Contract Id (you never know...) - no luck so far.

Remind me again, why am I paying gold partner fees?

I know that you, Marco, personally are not responsible for the mess I'm in and are doing the best you can. And I'm sorry that you are on the receiving end.

Once more I am frustrated with the Microsoft support experience.

What can I do to finally open a support ticket using the existing support contract?

Kind regards,

Jakob

PS.: I tried it multiple times today and just now it finally worked!!!

I'll post my mistake once it's resolved
Suggested answer

Marco Mels on at

Like (0)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hello,

Yes, it is Partner Center. Here is a screenshot of a selection I made:

If you continue, you will be asked to logon using your contract details. As an ISV, there should be no problem for you.

Thanks.
Jakob Theiner 42 on at

Like (0)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hi Marco,

thanks for your support.

The AAD Tenant Id is 6aa47755-0666-4a7b-aef3-fd66e36f9d43

This is the Business Central manifest:

[embed:dc8ab71f-3b98-42d9-b0f6-e21e02a0f8e2:2a5fc7b5-8756-438b-9f11-4982c0b01b00:type=json&text=%7B%0D%0A%09%22id%22%3A%20%222094b9ee-6291-4a9f-ad0a-7b6ba48f7764%22%2C%0D%0A%09%22acceptMappedClaims%22%3A%20null%2C%0D%0A%09%22accessTokenAcceptedVersion%22%3A%20null%2C%0D%0A%09%22addIns%22%3A%20%5B%5D%2C%0D%0A%09%22allowPublicClient%22%3A%20true%2C%0D%0A%09%22appId%22%3A%20%22821ba44a-a427-472e-9cc9-12b89bf42c08%22%2C%0D%0A%09%22appRoles%22%3A%20%5B%0D%0A%09%09%7B%0D%0A%09%09%09%22allowedMemberTypes%22%3A%20%5B%0D%0A%09%09%09%09%22User%22%2C%0D%0A%09%09%09%09%22Application%22%0D%0A%09%09%09%5D%2C%0D%0A%09%09%09%22description%22%3A%20%22Ability%20to%20access%20Business%20central%20On%20Prem%22%2C%0D%0A%09%09%09%22displayName%22%3A%20%22Financials%22%2C%0D%0A%09%09%09%22id%22%3A%20%2246c5f6dc-869a-45e1-965f-bb243f245e6d%22%2C%0D%0A%09%09%09%22isEnabled%22%3A%20true%2C%0D%0A%09%09%09%22lang%22%3A%20null%2C%0D%0A%09%09%09%22origin%22%3A%20%22Application%22%2C%0D%0A%09%09%09%22value%22%3A%20%22Financials.ReadWrite.All%22%0D%0A%09%09%7D%0D%0A%09%5D%2C%0D%0A%09%22oauth2AllowUrlPathMatching%22%3A%20false%2C%0D%0A%09%22createdDateTime%22%3A%20%222021-05-07T11%3A01%3A21Z%22%2C%0D%0A%09%22disabledByMicrosoftStatus%22%3A%20null%2C%0D%0A%09%22groupMembershipClaims%22%3A%20null%2C%0D%0A%09%22identifierUris%22%3A%20%5B%0D%0A%09%09%22api%3A%2F%2F821ba44a-a427-472e-9cc9-12b89bf42c08%22%0D%0A%09%5D%2C%0D%0A%09%22informationalUrls%22%3A%20%7B%0D%0A%09%09%22termsOfService%22%3A%20null%2C%0D%0A%09%09%22support%22%3A%20null%2C%0D%0A%09%09%22privacy%22%3A%20null%2C%0D%0A%09%09%22marketing%22%3A%20null%0D%0A%09%7D%2C%0D%0A%09%22keyCredentials%22%3A%20%5B%5D%2C%0D%0A%09%22knownClientApplications%22%3A%20%5B%5D%2C%0D%0A%09%22logoUrl%22%3A%20null%2C%0D%0A%09%22logoutUrl%22%3A%20null%2C%0D%0A%09%22name%22%3A%20%22RELion10%20DP%20Connection%20ServerInstance%22%2C%0D%0A%09%22oauth2AllowIdTokenImplicitFlow%22%3A%20true%2C%0D%0A%09%22oauth2AllowImplicitFlow%22%3A%20true%2C%0D%0A%09%22oauth2Permissions%22%3A%20%5B%5D%2C%0D%0A%09%22oauth2RequirePostResponse%22%3A%20false%2C%0D%0A%09%22optionalClaims%22%3A%20null%2C%0D%0A%09%22orgRestrictions%22%3A%20%5B%5D%2C%0D%0A%09%22parentalControlSettings%22%3A%20%7B%0D%0A%09%09%22countriesBlockedForMinors%22%3A%20%5B%5D%2C%0D%0A%09%09%22legalAgeGroupRule%22%3A%20%22Allow%22%0D%0A%09%7D%2C%0D%0A%09%22passwordCredentials%22%3A%20%5B%5D%2C%0D%0A%09%22preAuthorizedApplications%22%3A%20%5B%5D%2C%0D%0A%09%22publisherDomain%22%3A%20%22reliondev.onmicrosoft.com%22%2C%0D%0A%09%22replyUrlsWithType%22%3A%20%5B%0D%0A%09%09%7B%0D%0A%09%09%09%22url%22%3A%20%22https%3A%2F%2Fxxx%2FSignin%22%2C%0D%0A%09%09%09%22type%22%3A%20%22Web%22%0D%0A%09%09%7D%0D%0A%09%5D%2C%0D%0A%09%22requiredResourceAccess%22%3A%20%5B%0D%0A%09%09%7B%0D%0A%09%09%09%22resourceAppId%22%3A%20%2200000003-0000-0000-c000-000000000000%22%2C%0D%0A%09%09%09%22resourceAccess%22%3A%20%5B%0D%0A%09%09%09%09%7B%0D%0A%09%09%09%09%09%22id%22%3A%20%22e1fe6dd8-ba31-4d61-89e7-88639da4683d%22%2C%0D%0A%09%09%09%09%09%22type%22%3A%20%22Scope%22%0D%0A%09%09%09%09%7D%0D%0A%09%09%09%5D%0D%0A%09%09%7D%0D%0A%09%5D%2C%0D%0A%09%22samlMetadataUrl%22%3A%20null%2C%0D%0A%09%22signInUrl%22%3A%20%22https%3A%2F%2Fxxx%2FSignin%22%2C%0D%0A%09%22signInAudience%22%3A%20%22AzureADMyOrg%22%2C%0D%0A%09%22tags%22%3A%20%5B%5D%2C%0D%0A%09%22tokenEncryptionKeyId%22%3A%20null%0D%0A%7D]

And here is the consumer's manifest:

[embed:dc8ab71f-3b98-42d9-b0f6-e21e02a0f8e2:9e44f1c5-c770-483f-a913-c0043d91c12d:type=json&text=%7B%0D%0A%09%22id%22%3A%20%22e32dd418-7106-410a-816d-5fb8d0e44bf2%22%2C%0D%0A%09%22acceptMappedClaims%22%3A%20null%2C%0D%0A%09%22accessTokenAcceptedVersion%22%3A%20null%2C%0D%0A%09%22addIns%22%3A%20%5B%5D%2C%0D%0A%09%22allowPublicClient%22%3A%20null%2C%0D%0A%09%22appId%22%3A%20%22f4575994-63bf-4d11-b4ef-39645257ac3d%22%2C%0D%0A%09%22appRoles%22%3A%20%5B%5D%2C%0D%0A%09%22oauth2AllowUrlPathMatching%22%3A%20false%2C%0D%0A%09%22createdDateTime%22%3A%20%222021-05-07T11%3A09%3A14Z%22%2C%0D%0A%09%22disabledByMicrosoftStatus%22%3A%20null%2C%0D%0A%09%22groupMembershipClaims%22%3A%20null%2C%0D%0A%09%22identifierUris%22%3A%20%5B%5D%2C%0D%0A%09%22informationalUrls%22%3A%20%7B%0D%0A%09%09%22termsOfService%22%3A%20null%2C%0D%0A%09%09%22support%22%3A%20null%2C%0D%0A%09%09%22privacy%22%3A%20null%2C%0D%0A%09%09%22marketing%22%3A%20null%0D%0A%09%7D%2C%0D%0A%09%22keyCredentials%22%3A%20%5B%5D%2C%0D%0A%09%22knownClientApplications%22%3A%20%5B%5D%2C%0D%0A%09%22logoUrl%22%3A%20null%2C%0D%0A%09%22logoutUrl%22%3A%20null%2C%0D%0A%09%22name%22%3A%20%22Digitale%20Plattform%22%2C%0D%0A%09%22oauth2AllowIdTokenImplicitFlow%22%3A%20false%2C%0D%0A%09%22oauth2AllowImplicitFlow%22%3A%20false%2C%0D%0A%09%22oauth2Permissions%22%3A%20%5B%5D%2C%0D%0A%09%22oauth2RequirePostResponse%22%3A%20false%2C%0D%0A%09%22optionalClaims%22%3A%20null%2C%0D%0A%09%22orgRestrictions%22%3A%20%5B%5D%2C%0D%0A%09%22parentalControlSettings%22%3A%20%7B%0D%0A%09%09%22countriesBlockedForMinors%22%3A%20%5B%5D%2C%0D%0A%09%09%22legalAgeGroupRule%22%3A%20%22Allow%22%0D%0A%09%7D%2C%0D%0A%09%22passwordCredentials%22%3A%20%5B%0D%0A%09%09%7B%0D%0A%09%09%09%22customKeyIdentifier%22%3A%20null%2C%0D%0A%09%09%09%22endDate%22%3A%20%222023-06-04T18%3A37%3A35.262Z%22%2C%0D%0A%09%09%09%22keyId%22%3A%20%221fe1a88c-32f4-4e61-aabe-938d59d7b907%22%2C%0D%0A%09%09%09%22startDate%22%3A%20%222021-06-04T18%3A38%3A10.453Z%22%2C%0D%0A%09%09%09%22value%22%3A%20null%2C%0D%0A%09%09%09%22createdOn%22%3A%20%222021-06-04T18%3A38%3A10.87705Z%22%2C%0D%0A%09%09%09%22hint%22%3A%20%22bm_%22%2C%0D%0A%09%09%09%22displayName%22%3A%20%22Access%20by%20Digital%20Platform%20Team%22%0D%0A%09%09%7D%0D%0A%09%5D%2C%0D%0A%09%22preAuthorizedApplications%22%3A%20%5B%5D%2C%0D%0A%09%22publisherDomain%22%3A%20%22reliondev.onmicrosoft.com%22%2C%0D%0A%09%22replyUrlsWithType%22%3A%20%5B%5D%2C%0D%0A%09%22requiredResourceAccess%22%3A%20%5B%0D%0A%09%09%7B%0D%0A%09%09%09%22resourceAppId%22%3A%20%22821ba44a-a427-472e-9cc9-12b89bf42c08%22%2C%0D%0A%09%09%09%22resourceAccess%22%3A%20%5B%0D%0A%09%09%09%09%7B%0D%0A%09%09%09%09%09%22id%22%3A%20%2246c5f6dc-869a-45e1-965f-bb243f245e6d%22%2C%0D%0A%09%09%09%09%09%22type%22%3A%20%22Role%22%0D%0A%09%09%09%09%7D%0D%0A%09%09%09%5D%0D%0A%09%09%7D%2C%0D%0A%09%09%7B%0D%0A%09%09%09%22resourceAppId%22%3A%20%2200000003-0000-0000-c000-000000000000%22%2C%0D%0A%09%09%09%22resourceAccess%22%3A%20%5B%0D%0A%09%09%09%09%7B%0D%0A%09%09%09%09%09%22id%22%3A%20%22e1fe6dd8-ba31-4d61-89e7-88639da4683d%22%2C%0D%0A%09%09%09%09%09%22type%22%3A%20%22Scope%22%0D%0A%09%09%09%09%7D%0D%0A%09%09%09%5D%0D%0A%09%09%7D%0D%0A%09%5D%2C%0D%0A%09%22samlMetadataUrl%22%3A%20null%2C%0D%0A%09%22signInUrl%22%3A%20null%2C%0D%0A%09%22signInAudience%22%3A%20%22AzureADMyOrg%22%2C%0D%0A%09%22tags%22%3A%20%5B%5D%2C%0D%0A%09%22tokenEncryptionKeyId%22%3A%20null%0D%0A%7D]

I have never worked with fiddler before, but on first glance I don't get more info than I had before.

This request was made using the Business Central Enterprise Application's Id as the resource:

[embed:dc8ab71f-3b98-42d9-b0f6-e21e02a0f8e2:4f33c238-4642-4c2d-949e-f8cfcf9e6dca:type=text&text=CONNECT%20xxx%20HTTP%2F1.1%0D%0AUser-Agent%3A%20PostmanRuntime%2F7.28.0%0D%0AAccept%3A%20%2A%2F%2A%0D%0AAccept-Encoding%3A%20gzip%2C%20deflate%2C%20br%0D%0AConnection%3A%20keep-alive%0D%0Ahost%3A%20xxx%0D%0A%0D%0AA%20SSLv3-compatible%20ClientHello%20handshake%20was%20found.%20Fiddler%20extracted%20the%20parameters%20below.%0D%0A%0D%0AVersion%3A%203.3%20%28TLS%2F1.2%29%0D%0ARandom%3A%2062%20BE%20BD%208F%20BD%2079%207B%2019%2039%2069%2084%20BD%2055%2001%20A3%20B7%2059%2002%20B3%20ED%2012%2014%2026%20D0%20C5%20E1%20E2%202B%2058%20EB%201C%20F5%0D%0A%22Time%22%3A%2002.06.2046%2020%3A28%3A50%0D%0ASessionID%3A%2084%20F9%20FF%20C6%2013%2074%2049%207E%2025%20E8%2064%208A%20E3%2069%20CE%200B%2002%20DD%20A9%20CF%2093%20C2%207C%203C%2073%20D0%20BC%208F%20A7%2088%2091%20E3%0D%0AExtensions%3A%20%0D%0A%09server_name%09xxx%0D%0A%09extended_master_secret%09empty%0D%0A%09renegotiation_info%0900%0D%0A%09supported_groups%09x25519%20%5B0x1d%5D%2C%20secp256r1%20%5B0x17%5D%2C%20secp384r1%20%5B0x18%5D%0D%0A%09ec_point_formats%09uncompressed%20%5B0x0%5D%0D%0A%09SessionTicket%09empty%0D%0A%09signature_algs%09ecdsa_secp256r1_sha256%2C%20rsa_pss_rsae_sha256%2C%20rsa_pkcs1_sha256%2C%20ecdsa_secp384r1_sha384%2C%20rsa_pss_rsae_sha384%2C%20rsa_pkcs1_sha384%2C%20rsa_pss_rsae_sha512%2C%20rsa_pkcs1_sha512%2C%20rsa_pkcs1_sha1%0D%0A%09key_share%0900%2024%2000%201D%2000%2020%205C%20CF%2044%2057%20DA%20DA%207F%20DF%20C5%2012%2089%20C2%204D%20BB%209F%2065%2033%20E6%20B9%20A4%2056%20C2%20D8%20D6%20DF%20AF%204C%2005%20EE%204E%207E%200F%0D%0A%09psk_key_exchange_modes%0901%2001%0D%0A%09supported_versions%09Tls1.3%2C%20Tls1.2%2C%20Tls1.1%0D%0A%09padding%09%09244%20null%20bytes%0D%0ACiphers%3A%20%0D%0A%09%5B1301%5D%09TLS_AES_128_GCM_SHA256%0D%0A%09%5B1302%5D%09TLS_AES_256_GCM_SHA384%0D%0A%09%5B1303%5D%09TLS_CHACHA20_POLY1305_SHA256%0D%0A%09%5BC02F%5D%09TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256%0D%0A%09%5BC02B%5D%09TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256%0D%0A%09%5BC030%5D%09TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384%0D%0A%09%5BC02C%5D%09TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384%0D%0A%09%5BCCA9%5D%09TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256%0D%0A%09%5BCCA8%5D%09TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256%0D%0A%09%5BC009%5D%09TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA%0D%0A%09%5BC013%5D%09TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA%0D%0A%09%5BC00A%5D%09TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA%0D%0A%09%5BC014%5D%09TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA%0D%0A%09%5B009C%5D%09TLS_RSA_WITH_AES_128_GCM_SHA256%0D%0A%09%5B009D%5D%09TLS_RSA_WITH_AES_256_GCM_SHA384%0D%0A%09%5B002F%5D%09TLS_RSA_WITH_AES_128_CBC_SHA%0D%0A%09%5B0035%5D%09TLS_RSA_WITH_AES_256_CBC_SHA%0D%0A%09%5B000A%5D%09SSL_RSA_WITH_3DES_EDE_SHA%0D%0A%0D%0ACompression%3A%20%0D%0A%09%5B00%5D%09NO_COMPRESSION%0D%0A%0D%0A%0D%0A%0D%0AHTTP%2F1.1%20200%20Connection%20Established%0D%0AFiddlerGateway%3A%20Direct%0D%0AStartTime%3A%2013%3A18%3A52.292%0D%0AConnection%3A%20close%0D%0A%0D%0AEncrypted%20HTTPS%20traffic%20flows%20through%20this%20CONNECT%20tunnel.%20HTTPS%20Decryption%20is%20enabled%20in%20Fiddler%2C%20so%20decrypted%20sessions%20running%20in%20this%20tunnel%20will%20be%20shown%20in%20the%20Web%20Sessions%20list.%0D%0A%0D%0ASecure%20Protocol%3A%20Tls12%0D%0ACipher%3A%20Aes256%20256bits%0D%0AHash%20Algorithm%3A%20Sha384%20%3Fbits%0D%0AKey%20Exchange%3A%20ECDHE_RSA%20%280xae06%29%20255bits%0D%0A%0D%0A%3D%3D%20Server%20Certificate%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0D%0A%5BSubject%5D%0D%0A%20%20CN%3Dxxx%0D%0A%0D%0A%5BIssuer%5D%0D%0A%20%20CN%3Dxxx%0D%0A%0D%0A%5BSerial%20Number%5D%0D%0A%20%202BC9D64FF386619241FE2FE1F8BFC15E%0D%0A%0D%0A%5BNot%20Before%5D%0D%0A%20%2023.04.2021%2009%3A29%3A10%0D%0A%0D%0A%5BNot%20After%5D%0D%0A%20%2023.04.2026%2009%3A39%3A09%0D%0A%0D%0A%5BThumbprint%5D%0D%0A%20%2007E365952D4FDAC1B11842E606B81DBA45EDFA09%0D%0A%0D%0A%5BSubjectAltNames%5D%0D%0Axxx%0D%0A%0D%0A%0D%0A------------------------------------------------------------------%0D%0AGET%20https%3A%2F%2Fxxx%20HTTP%2F1.1%0D%0AAuthorization%3A%20Bearer%20eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiI4MjFiYTQ0YS1hNDI3LTQ3MmUtOWNjOS0xMmI4OWJmNDJjMDgiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC82YWE0Nzc1NS0wNjY2LTRhN2ItYWVmMy1mZDY2ZTM2ZjlkNDMvIiwiaWF0IjoxNjIzMDY0NDEwLCJuYmYiOjE2MjMwNjQ0MTAsImV4cCI6MTYyMzE1MTExMCwiYWlvIjoiRTJaZ1lCRDhZOTYxZUxlL25INm5qZVViMFU5K0FBPT0iLCJhcHBpZCI6ImY0NTc1OTk0LTYzYmYtNGQxMS1iNGVmLTM5NjQ1MjU3YWMzZCIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzZhYTQ3NzU1LTA2NjYtNGE3Yi1hZWYzLWZkNjZlMzZmOWQ0My8iLCJvaWQiOiI3YTU1YWE2NS03MjJhLTQwYTMtYjM1ZC0xMTA3NDBhMDJhY2QiLCJyaCI6IjAuQVlFQVZYZWthbVlHZTBxdThfMW00Mi1kUTVSWlZfU19ZeEZOdE84NVpGSlhyRDJCQUFBLiIsInJvbGVzIjpbIkZpbmFuY2lhbHMuUmVhZFdyaXRlLkFsbCJdLCJzdWIiOiI3YTU1YWE2NS03MjJhLTQwYTMtYjM1ZC0xMTA3NDBhMDJhY2QiLCJ0aWQiOiI2YWE0Nzc1NS0wNjY2LTRhN2ItYWVmMy1mZDY2ZTM2ZjlkNDMiLCJ1dGkiOiJad09zckx1MlBVcV9qY0o1TFI0UUFBIiwidmVyIjoiMS4wIn0.ga0ksK6oDalx7hDznP0Jb43U3y-se1qrmp4opazmsAgL7CmCrzkSjteODDwbydK4DTDudlevMrjd4a3FJVOvXIyxHJnxp1MCuokXBwjTXP8Fd-EQ0nJuej1uSZyPO7pEIJnKYGC3SPQMwfORDLeXdUC4BeSxOySSEpjcZ548jzYdP81rFt2ulAmslNFSMAB5nsb3AnHOSIjqENzhXlOuEsxi67VpCdAifs65MFbs_zjABSZxAEwdJ-BNI55vMvWZkPPkYLbhJy0yKUai4z9fSO58k3gSojXtKOQghyFNXntLPyH82w8Z28ZITzv_M2wyyR35QwWH7wsvYcrhNA4xnw%0D%0AUser-Agent%3A%20PostmanRuntime%2F7.28.0%0D%0AAccept%3A%20%2A%2F%2A%0D%0APostman-Token%3A%2051ad02eb-380a-4e6a-b734-d346622cf7ea%0D%0AHost%3A%20xxx%0D%0AAccept-Encoding%3A%20gzip%2C%20deflate%2C%20br%0D%0AConnection%3A%20keep-alive%0D%0A%0D%0A%0D%0AHTTP%2F1.1%20500%20IDX10231%3A%20Audience%20validation%20failed.%20Delegate%20returned%20false%2C%20securitytoken%3A%20%27%5BPII%20is%20hidden%5D%27.%0D%0ATransfer-Encoding%3A%20chunked%0D%0AContent-Type%3A%20application%2Fjson%3B%20charset%3Dutf-8%0D%0AContent-Encoding%3A%20gzip%0D%0AServer%3A%20Microsoft-HTTPAPI%2F2.0%0D%0AAccess-Control-Allow-Origin%3A%20%2A%0D%0AAccess-Control-Allow-Credentials%3A%20true%0D%0AAccess-Control-Expose-Headers%3A%20Date%2C%20Content-Length%2C%20Server%2C%20OData-Version%0D%0Arequest-id%3A%20e215bd66-2b63-4c42-9e11-cd68fb80a6df%0D%0ADate%3A%20Mon%2C%2007%20Jun%202021%2011%3A18%3A56%20GMT%0D%0A%0D%0Aa%0D%0A%1F%EF%BF%BD%08]

This request was made using the Business Central Enterprise Application's appIdUri as the resource:

[embed:dc8ab71f-3b98-42d9-b0f6-e21e02a0f8e2:45e51cc1-2234-4500-9cff-660bee4b2cde:type=text&text=CONNECT%20xxx%20HTTP%2F1.1%0D%0AUser-Agent%3A%20PostmanRuntime%2F7.28.0%0D%0AAccept%3A%20%2A%2F%2A%0D%0AAccept-Encoding%3A%20gzip%2C%20deflate%2C%20br%0D%0AConnection%3A%20keep-alive%0D%0Ahost%3A%20xxx%0D%0A%0D%0AA%20SSLv3-compatible%20ClientHello%20handshake%20was%20found.%20Fiddler%20extracted%20the%20parameters%20below.%0D%0A%0D%0AVersion%3A%203.3%20%28TLS%2F1.2%29%0D%0ARandom%3A%20B9%203C%20E6%201C%2034%20A5%209F%20A7%2047%2033%20D8%20CA%20A8%20F5%204A%20CF%2026%20B0%2091%2082%2014%20B3%2083%20E5%2003%20F0%2076%20B6%2018%209D%2084%20A8%0D%0A%22Time%22%3A%2013.05.1985%2018%3A47%3A53%0D%0ASessionID%3A%20A3%20D0%20FA%209F%204F%2093%2011%2096%2094%2080%20D4%2008%203D%2043%20F1%20CB%207D%201C%20AF%2080%2092%20ED%207F%20DB%20CD%20DB%2010%20D2%20BB%20DF%20A4%2073%0D%0AExtensions%3A%20%0D%0A%09server_name%09xxx%0D%0A%09extended_master_secret%09empty%0D%0A%09renegotiation_info%0900%0D%0A%09supported_groups%09x25519%20%5B0x1d%5D%2C%20secp256r1%20%5B0x17%5D%2C%20secp384r1%20%5B0x18%5D%0D%0A%09ec_point_formats%09uncompressed%20%5B0x0%5D%0D%0A%09SessionTicket%09empty%0D%0A%09signature_algs%09ecdsa_secp256r1_sha256%2C%20rsa_pss_rsae_sha256%2C%20rsa_pkcs1_sha256%2C%20ecdsa_secp384r1_sha384%2C%20rsa_pss_rsae_sha384%2C%20rsa_pkcs1_sha384%2C%20rsa_pss_rsae_sha512%2C%20rsa_pkcs1_sha512%2C%20rsa_pkcs1_sha1%0D%0A%09key_share%0900%2024%2000%201D%2000%2020%204F%2025%20B3%20C4%2014%207C%20E6%204C%205A%2077%2014%2058%20E2%20E7%207B%2057%205C%207F%2073%20D3%20C3%20DF%2046%200E%208A%20F0%2004%20C4%20AC%201F%202D%2034%0D%0A%09psk_key_exchange_modes%0901%2001%0D%0A%09supported_versions%09Tls1.3%2C%20Tls1.2%2C%20Tls1.1%0D%0A%09padding%09%09244%20null%20bytes%0D%0ACiphers%3A%20%0D%0A%09%5B1301%5D%09TLS_AES_128_GCM_SHA256%0D%0A%09%5B1302%5D%09TLS_AES_256_GCM_SHA384%0D%0A%09%5B1303%5D%09TLS_CHACHA20_POLY1305_SHA256%0D%0A%09%5BC02F%5D%09TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256%0D%0A%09%5BC02B%5D%09TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256%0D%0A%09%5BC030%5D%09TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384%0D%0A%09%5BC02C%5D%09TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384%0D%0A%09%5BCCA9%5D%09TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256%0D%0A%09%5BCCA8%5D%09TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256%0D%0A%09%5BC009%5D%09TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA%0D%0A%09%5BC013%5D%09TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA%0D%0A%09%5BC00A%5D%09TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA%0D%0A%09%5BC014%5D%09TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA%0D%0A%09%5B009C%5D%09TLS_RSA_WITH_AES_128_GCM_SHA256%0D%0A%09%5B009D%5D%09TLS_RSA_WITH_AES_256_GCM_SHA384%0D%0A%09%5B002F%5D%09TLS_RSA_WITH_AES_128_CBC_SHA%0D%0A%09%5B0035%5D%09TLS_RSA_WITH_AES_256_CBC_SHA%0D%0A%09%5B000A%5D%09SSL_RSA_WITH_3DES_EDE_SHA%0D%0A%0D%0ACompression%3A%20%0D%0A%09%5B00%5D%09NO_COMPRESSION%0D%0A%0D%0A%0D%0A%0D%0AHTTP%2F1.1%20200%20Connection%20Established%0D%0AFiddlerGateway%3A%20Direct%0D%0AStartTime%3A%2013%3A22%3A48.682%0D%0AConnection%3A%20close%0D%0A%0D%0AEncrypted%20HTTPS%20traffic%20flows%20through%20this%20CONNECT%20tunnel.%20HTTPS%20Decryption%20is%20enabled%20in%20Fiddler%2C%20so%20decrypted%20sessions%20running%20in%20this%20tunnel%20will%20be%20shown%20in%20the%20Web%20Sessions%20list.%0D%0A%0D%0ASecure%20Protocol%3A%20Tls12%0D%0ACipher%3A%20Aes256%20256bits%0D%0AHash%20Algorithm%3A%20Sha384%20%3Fbits%0D%0AKey%20Exchange%3A%20ECDHE_RSA%20%280xae06%29%20255bits%0D%0A%0D%0A%3D%3D%20Server%20Certificate%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0D%0A%5BSubject%5D%0D%0A%20%20CN%3Dxxx%0D%0A%0D%0A%5BIssuer%5D%0D%0A%20%20CN%3Dxxx%0D%0A%0D%0A%5BSerial%20Number%5D%0D%0A%20%202BC9D64FF386619241FE2FE1F8BFC15E%0D%0A%0D%0A%5BNot%20Before%5D%0D%0A%20%2023.04.2021%2009%3A29%3A10%0D%0A%0D%0A%5BNot%20After%5D%0D%0A%20%2023.04.2026%2009%3A39%3A09%0D%0A%0D%0A%5BThumbprint%5D%0D%0A%20%2007E365952D4FDAC1B11842E606B81DBA45EDFA09%0D%0A%0D%0A%5BSubjectAltNames%5D%0D%0Axxx%0D%0A%0D%0A%0D%0A------------------------------------------------------------------%0D%0AGET%20https%3A%2F%2Fxxx%2Fxxx%2FCompany%28xxx%27%29%2FCustomers%20HTTP%2F1.1%0D%0AAuthorization%3A%20Bearer%20eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiJodHRwczovL21uenJlbGF1YXAwMi5hZC5hYXJlb24uY29tOjQ0MzMvUkVMaW9uMTBfRVhURU5TSU9OU19PRGF0YV9PYXV0aDIiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC82YWE0Nzc1NS0wNjY2LTRhN2ItYWVmMy1mZDY2ZTM2ZjlkNDMvIiwiaWF0IjoxNjIzMDY0NjU4LCJuYmYiOjE2MjMwNjQ2NTgsImV4cCI6MTYyMzE1MTM1OCwiYWlvIjoiRTJaZ1lManBlV2pDeWlidmlNKzNKbnhPL2lzNkNRQT0iLCJhcHBpZCI6ImY0NTc1OTk0LTYzYmYtNGQxMS1iNGVmLTM5NjQ1MjU3YWMzZCIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzZhYTQ3NzU1LTA2NjYtNGE3Yi1hZWYzLWZkNjZlMzZmOWQ0My8iLCJvaWQiOiI3YTU1YWE2NS03MjJhLTQwYTMtYjM1ZC0xMTA3NDBhMDJhY2QiLCJyaCI6IjAuQVlFQVZYZWthbVlHZTBxdThfMW00Mi1kUTVSWlZfU19ZeEZOdE84NVpGSlhyRDJCQUFBLiIsInJvbGVzIjpbIkZpbmFuY2lhbHMuUmVhZFdyaXRlLkFsbCJdLCJzdWIiOiI3YTU1YWE2NS03MjJhLTQwYTMtYjM1ZC0xMTA3NDBhMDJhY2QiLCJ0aWQiOiI2YWE0Nzc1NS0wNjY2LTRhN2ItYWVmMy1mZDY2ZTM2ZjlkNDMiLCJ1dGkiOiJBTEVyb09HZjdFdUpjQUZCU25sc0FBIiwidmVyIjoiMS4wIn0.gTq44dkrZ3oW7SZaoqm9-k4Iulw9xFzuNVJ839kWo1Cgf-CUbqbbRATgvBjcV3aOu78koGvPNgznz6h0dAe-PNwXHi7ThEIF-nBtCGMcX46DbBIjmhMBeGvICckC2T1nofiFvne5I3ZuSBq9MwQNDML9XEFk-tsFHb2OcHHZvxg6cFUlBgLhcdZf1VO9kqEkb0aiHL75Fji_jk7wCBMg1wDNwY1K9CmBLULf8mIeAYXnpPWF5Zs4t2DKKzmkwjORuOPi8ut6uZrAQa8gMfmSQ87sjgqyZTpalQI5DCUetgjZfMv2zcDrc7nXxOAZUcx66eENgaWQYMwi-Q543oeaPQ%0D%0AUser-Agent%3A%20PostmanRuntime%2F7.28.0%0D%0AAccept%3A%20%2A%2F%2A%0D%0APostman-Token%3A%2063da876e-152e-463e-913a-76ab54d912f0%0D%0AHost%3A%20xxx%0D%0AAccept-Encoding%3A%20gzip%2C%20deflate%2C%20br%0D%0AConnection%3A%20keep-alive%0D%0A%0D%0A%0D%0AHTTP%2F1.1%20401%20The%20server%20has%20rejected%20the%20client%20credentials.%0D%0ATransfer-Encoding%3A%20chunked%0D%0AContent-Type%3A%20application%2Fjson%3B%20charset%3Dutf-8%0D%0AContent-Encoding%3A%20gzip%0D%0AServer%3A%20Microsoft-HTTPAPI%2F2.0%0D%0AAccess-Control-Allow-Origin%3A%20%2A%0D%0AAccess-Control-Allow-Credentials%3A%20true%0D%0AAccess-Control-Expose-Headers%3A%20Date%2C%20Content-Length%2C%20Server%2C%20OData-Version%0D%0Arequest-id%3A%2097bead39-42e5-4197-93fd-0af71efe60b8%0D%0ADate%3A%20Mon%2C%2007%20Jun%202021%2011%3A22%3A48%20GMT%0D%0A%0D%0Aa%0D%0A%1F%EF%BF%BD%08]

I work for an ISV in Germany, how would I go about opening a support case? Is Partner Center also the right choice? If so, what's the correct "problem type"? I get a massive list, but nothing that's really technical imho:

Thanks again, I'm looking forward to hearing from you.

Kind regards,

Jakob
Marco Mels on at

Like (0)

Report

RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

Hello,

A possible hint to troubleshoot this further is to analyze a Fiddler trace? If you want Microsoft to look at this, we would need the Azure AD app manifest files.

Thanks.