Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

(0) Share

Report

Posted on by Nick22

Hi,

We have an Azure AD application that calls the Dynamics Business Central REST API. When setting up delegated permissions in the Azure portal, it seems like there are 2 choices:

user_impersonation
Financials.ReadWrite.All

Either one seems to work. Is there a difference between these?

Reason for asking is for security: we'd like to choose the least privileged permission that still gets the job done.

Any help would be much appreciated!

I have the same question (0)

All responses (8)

Answers (2)

Suggested answer

JAngle 121 on at

Like (0)

Report

RE: Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

Ultimately it is down to the permissions granted within BC. Check this out for more guidance: www.kauffmann.nl/.../

Was this reply helpful? Yes No
Nick22 15 on at

Like (0)

Report

RE: Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

Thank you for your reply.

The link only describes application permissions and not delegated permissions/user_impersonation vs Financials.ReadWrite.All. However, that same blog author also wrote this article regarding delegated permissions: https://www.kauffmann.nl/2022/02/23/configuring-business-central-for-azure-active-directory-authentication-and-oauth-2/

The author explains how Financials.ReadWrite.All does not apply to on premises BC, and user_impersonation does. I wonder whether that's the only difference between the two.

Was this reply helpful? Yes No
Suggested answer

Marco Mels on at

Like (0)

Report

RE: Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

Hello,

You can use user_impersonation within yourself created Azure AD App registration. Microsoft created for the cloud version of BC Financials.ReadWriteAll. The user_impersonation will only become available after you expose the API.

Thank you.

Was this reply helpful? Yes No
Nick22 15 on at

Like (0)

Report

RE: Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

Thanks for your reply. I'm not sure I fully understand. We are using the cloud/online version of BC, so the REST API is already exposed. We can choose between user_impersonation and Financials.ReadWrite.All. Perhaps there's just no difference on the cloud version.

Was this reply helpful? Yes No
Verified answer

Marco Mels on at

Like (0)

Report

RE: Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

Hello,

There may be a difference in how consent is configured between the two:

docs.microsoft.com/.../configure-user-consent

In this case I suggest you follow documentation where Financials.ReadWrite.All is needed, you add this permission and where it is not required you add user_impersonation (typically for OnPrem).

Hope it answers the question.

Was this reply helpful? Yes No
Nick22 15 on at

Like (0)

Report

RE: Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

Thanks, that's useful context. I'm still not 100% sure if there is a difference, but we've gone with Financials.ReadWrite.All as that permission applies specifically to the cloud version of BC, which is what we are using. Thank you for your help.

Was this reply helpful? Yes No
Verified answer

YUN ZHU 93,155 Super User 2025 Season 2 on at

Like (0)

Report

RE: Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

Hi, just adding some info.

hope the following helps as well.

https://docs.microsoft.com/en-us/graph/permissions-reference#financials-permissions

Thanks.

ZHU

Was this reply helpful? Yes No
Nick22 15 on at

Like (0)

Report

RE: Azure AD permissions for API: user_impersonation or Financials.ReadWrite.All?

Thank you for the additional info.

Was this reply helpful? Yes No