Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

(0) Share

Report

Posted on by Nick22

Hi,

We have an Azure AD application that calls the Dynamics Business Central REST API. When setting up delegated permissions in the Azure portal, it seems like there are 2 choices:

user_impersonation
Financials.ReadWrite.All

Either one seems to work. Is there a difference between these?

Reason for asking is for security: we'd like to choose the least privileged permission that still gets the job done.

Any help would be much appreciated!

I have the same question (0)

All responses (8)

Answers (2)

Sort by

Suggested answer

JAngle 159 on at

Like (0)

Report
Copy link

Link copied!

Ultimately it is down to the permissions granted within BC. Check this out for more guidance: www.kauffmann.nl/.../

Was this reply helpful? Yes No
Nick22 15 on at

Like (0)

Report
Copy link

Link copied!

Thank you for your reply.

The link only describes application permissions and not delegated permissions/user_impersonation vs Financials.ReadWrite.All. However, that same blog author also wrote this article regarding delegated permissions: https://www.kauffmann.nl/2022/02/23/configuring-business-central-for-azure-active-directory-authentication-and-oauth-2/

The author explains how Financials.ReadWrite.All does not apply to on premises BC, and user_impersonation does. I wonder whether that's the only difference between the two.

Was this reply helpful? Yes No
Suggested answer

Marco Mels Microsoft Employee on at

Like (0)

Report
Copy link

Link copied!

Hello,

You can use user_impersonation within yourself created Azure AD App registration. Microsoft created for the cloud version of BC Financials.ReadWriteAll. The user_impersonation will only become available after you expose the API.

Thank you.

Was this reply helpful? Yes No
Nick22 15 on at

Like (0)

Report
Copy link

Link copied!

Thanks for your reply. I'm not sure I fully understand. We are using the cloud/online version of BC, so the REST API is already exposed. We can choose between user_impersonation and Financials.ReadWrite.All. Perhaps there's just no difference on the cloud version.

Was this reply helpful? Yes No
Verified answer

Marco Mels Microsoft Employee on at

Like (0)

Report
Copy link

Link copied!

Hello,

There may be a difference in how consent is configured between the two:

docs.microsoft.com/.../configure-user-consent

In this case I suggest you follow documentation where Financials.ReadWrite.All is needed, you add this permission and where it is not required you add user_impersonation (typically for OnPrem).

Hope it answers the question.

Was this reply helpful? Yes No
Nick22 15 on at

Like (0)

Report
Copy link

Link copied!

Thanks, that's useful context. I'm still not 100% sure if there is a difference, but we've gone with Financials.ReadWrite.All as that permission applies specifically to the cloud version of BC, which is what we are using. Thank you for your help.

Was this reply helpful? Yes No
Verified answer

YUN ZHU 101,995 Super User 2026 Season 1 on at

Like (0)

Report
Copy link

Link copied!

Hi, just adding some info.

hope the following helps as well.

https://docs.microsoft.com/en-us/graph/permissions-reference#financials-permissions

Thanks.

ZHU

Was this reply helpful? Yes No
Nick22 15 on at

Like (0)

Report
Copy link

Link copied!

Thank you for the additional info.

Was this reply helpful? Yes No