Microsoft Dynamics 365 | Integration, Dataverse...

How to export from BC to Azure Data factory

(2) Share

Report

Posted on by CU10041308-0

I want to connect Azure Data Factory to my Business Central sandbox to export data. When I perform Test Connection I have a Authentication_InvalidCredentials error.

In Azure Data Factory I am created a new Linked Service. Previously I created a App Registration with a secret in Azure Entra. It has these Business Central permissions:

AdminCenter.ReadWrite.All Application
API.ReadWrite.All Application
app_access Application
Automation.ReadWrite.All Application
Financials.ReadWrite.All Delegated
user_impersonation Delegated

In Business Central Admin Center I created a Authorized Microsoft Entra App with admin consent. The is Application Id e38xxxxx-xxxxx-xxxx-xxxx-xxxxxxxxc29f.

In my Sandbox environments I gave this Application user a few roles (not sure if this is needed):

Business Central Dataverse Integration
Power Platform Data Analytics Role
Power Platform Dataflows Service Role
System Administrator

I am using this JSON configuration, but I get the error below when I test the Linked Service connection:

JSON

{
    "properties": {
        "type": "OData",
        "typeProperties": {
            "url": "https://api.businesscentral.dynamics.com/v2.0/10f8xxxx-xxxx-xxxx-xxxx-xxxxxxxx2898/Sandbox/ODataV4/Company('Contoso')",
            "authenticationType": "AadServicePrincipal",
            "servicePrincipalId": "e38xxxxx-xxxxx-xxxx-xxxx-xxxxxxxxc29f.",
            "servicePrincipalKey": {
                "type": "SecureString",
                "value": "dNnxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            },
            "tenant": "10f8xxxx-xxxx-xxxx-xxxx-xxxxxxxx2898",
            "aadResourceId": "https://api.businesscentral.dynamics.com",
            "endpoint": {
                "allow": ["api.businesscentral.dynamics.com"]
            }
        }
    }
}

The error:

Failed to create odata connection to RequestUrl.

Failed to get metadata of odata service, please check if service url and credential is correct and your application has permission to the resource. Expected status code: 200, actual status code: Unauthorized, response is : {"error":{"code":"Authentication_InvalidCredentials","message":"The server has rejected the client credentials. CorrelationId: 3ecfd2dc-81f5-408f-abb6-7270c1645585."}}.

What I am missing in my configuration? Is this even supposed to work?

Categories:

Power Platform integration

I have the same question (0)

All responses (2)

Answers (0)

Suggested answer

Holly Huffman 6,538 Super User 2025 Season 2 on at

Like (0)

Report
Good morning, afternoon, or evening :) depending on your location!

The Authentication_InvalidCredentials error typically indicates a mismatch or misconfiguration in the authentication setup.

Key Areas to Verify:

App Registration Permissions:
Ensure that the permissions assigned to your App Registration in Azure Entra are sufficient. Specifically, verify that the following permissions are granted and admin consent has been provided:

Financials.ReadWrite.All (Application, not Delegated)

API.ReadWrite.All (Application)
The Delegated permissions (Financials.ReadWrite.All and user_impersonation) are typically used for user-based authentication, whereas Application permissions are required for service principal authentication.

Service Principal Configuration:
Double-check the servicePrincipalId and servicePrincipalKey in your JSON configuration. Ensure that:

The servicePrincipalId matches the Application (client) ID of your App Registration.

The servicePrincipalKey is the correct secret value generated for the App Registration.

Business Central Roles:
Assigning roles to the Application user in your Business Central sandbox is necessary. The roles you’ve assigned seem appropriate, but ensure that the System Administrator role is included, as it provides comprehensive access.

OData URL:
Verify that the url in your JSON configuration is correct. The format should be:
https://api.businesscentral.dynamics.com/v2.0/{tenantId}/{environmentName}/ODataV4/Company('{companyName}')

Replace {tenantId}, {environmentName}, and {companyName} with the actual values for your setup.

AAD Resource ID:
Confirm that the aadResourceId is set to https://api.businesscentral.dynamics.com.

Admin Consent:
Ensure that admin consent has been granted for the App Registration in the Business Central Admin Center.

Additional Troubleshooting Steps:

Test with Postman:
Use Postman to test the OData endpoint with the same credentials. This can help isolate whether the issue is with Azure Data Factory or the credentials themselves.

Check Logs:
Review the logs in Azure Data Factory and Business Central to identify any additional error details.

Update SDK/Connector:
Ensure that you are using the latest version of the OData connector in Azure Data Factory.

Example JSON Configuration:
Here’s an updated example of the JSON configuration:
{
    "properties": {
        "type": "OData",
        "typeProperties": {
            "url": "https://api.businesscentral.dynamics.com/v2.0/{tenantId}/Sandbox/ODataV4/Company('Contoso')",
            "authenticationType": "AadServicePrincipal",
            "servicePrincipalId": "{ApplicationId}",
            "servicePrincipalKey": {
                "type": "SecureString",
                "value": "{SecretValue}"
            },
            "tenant": "{TenantId}",
            "aadResourceId": "https://api.businesscentral.dynamics.com"
        }
    }
}
Replace {tenantId}, {ApplicationId}, and {SecretValue} with your actual values.

Hope this helps!

Was this reply helpful? Yes No
CU10041308-0 6 on at

Like (0)

Report

When adding new permissions to my App Registration API permissions I do not see Financials.ReadWrite.All in the Application permissions list.

I only see the Financials.ReadWrite.All permission in the list of Delegated permissions. What could be causing this?

Was this reply helpful? Yes No