Hi,
We have an Azure AD application that calls the Dynamics Business Central REST API. When setting up delegated permissions in the Azure portal, it seems like there are 2 choices:
Either one seems to work. Is there a difference between these?
Reason for asking is for security: we'd like to choose the least privileged permission that still gets the job done.
Any help would be much appreciated!
Thank you for the additional info.
Hi, just adding some info.
Hope the following helps as well.
https://docs.microsoft.com/en-us/graph/permissions-reference#financials-permissions
Thanks.
ZHU
Thanks, that's useful context. I'm still not 100% sure if there is a difference, but we've gone with Financials.ReadWrite.All as that permission applies specifically to the cloud version of BC, which is what we are using. Thank you for your help.
Hello,
There may be a difference in how consent is configured between the two:
docs.microsoft.com/.../configure-user-consent
In this case I suggest you follow the documentation: where Financials.ReadWrite.All is needed, add this permission, and where it is not required, add user_impersonation (typically for on-prem).
Hope it answers the question.
Thanks for your reply. I'm not sure I fully understand. We are using the cloud/online version of BC, so the REST API is already exposed. We can choose between user_impersonation and Financials.ReadWrite.All. Perhaps there's just no difference on the cloud version.
Hello,
You can use user_impersonation within an Azure AD app registration you created yourself. Microsoft created Financials.ReadWrite.All for the cloud version of BC. The user_impersonation permission will only become available after you expose the API.
Thank you.
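Whichever of the two delegated permissions you settle on, the least-privilege check the original poster asked about is easiest to make against the token Azure AD actually issues: the `scp` claim lists the delegated scopes granted, and a `roles` claim means an application (app-only) grant rather than a delegated one. The following is an added example, not code from this thread or from Microsoft, that inspects a token's claims for exactly that. It builds its own HS256-signed sample tokens so it runs offline (real Azure AD tokens are RS256-signed and must be validated properly before use); the audience string, the user principal and the role name in the samples are constructed placeholders, and the resource identifier should be taken from your own app registration.

```python
import base64
import hashlib
import hmac
import json

# Placeholder resource identifier for the Business Central API (assumption;
# take the real value from your app registration / the token's aud claim).
BC_RESOURCE = "https://api.businesscentral.dynamics.com"

# The two delegated scopes discussed in the thread. A least-privilege setup
# grants exactly one of them, never both.
DELEGATED_SCOPES = {"Financials.ReadWrite.All", "user_impersonation"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Produce a compact JWS with the given claims, signed with HS256 and a
    throwaway key. This only exists to create sample input offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def read_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying its signature.
    Fine for auditing what was granted; never use this for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_delegated_grant(token: str, expected_aud: str = BC_RESOURCE) -> dict:
    """Report which BC scopes a token carries and flag anything that is
    broader than a single delegated permission for the BC API."""
    claims = read_claims(token)
    scopes = set(claims.get("scp", "").split())   # delegated scopes, space-separated
    roles = set(claims.get("roles", []))          # application permissions (app-only)
    findings = []
    if claims.get("aud") != expected_aud:
        findings.append(f"audience {claims.get('aud')!r} is not the BC API")
    if roles:
        findings.append("roles claim present: this is an app-only grant, not a delegated one")
    granted = scopes & DELEGATED_SCOPES
    if not granted:
        findings.append("no Business Central delegated scope granted")
    elif len(granted) > 1:
        findings.append("both user_impersonation and Financials.ReadWrite.All granted; keep only one")
    extra = scopes - DELEGATED_SCOPES
    if extra:
        findings.append("unexpected extra scopes: " + ", ".join(sorted(extra)))
    return {"scopes": sorted(scopes), "roles": sorted(roles),
            "findings": findings, "least_privilege": not findings}


# Constructed sample tokens (not captured from any real tenant).
SAMPLE_TOKENS = {
    "cloud_delegated_ok": make_constructed_token(
        {"aud": BC_RESOURCE, "upn": "user@example.com", "scp": "Financials.ReadWrite.All"}),
    "both_scopes": make_constructed_token(
        {"aud": BC_RESOURCE, "upn": "user@example.com",
         "scp": "Financials.ReadWrite.All user_impersonation"}),
    "app_only": make_constructed_token(
        {"aud": BC_RESOURCE, "roles": ["Placeholder.AppRole"]}),
}

if __name__ == "__main__":
    for name, token in SAMPLE_TOKENS.items():
        report = audit_delegated_grant(token)
        print(name, "->", "OK" if report["least_privilege"] else report["findings"])
```

Run it as a script to see the three sample outcomes; in practice you would feed `audit_delegated_grant` the access token your application obtained for the BC API and treat any finding as a sign that the app registration requests more than the single delegated permission it needs.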
Thank you for your reply.
The link only describes application permissions and not delegated permissions/user_impersonation vs Financials.ReadWrite.All. However, that same blog author also wrote this article regarding delegated permissions: https://www.kauffmann.nl/2022/02/23/configuring-business-central-for-azure-active-directory-authentication-and-oauth-2/
The author explains how Financials.ReadWrite.All does not apply to on premises BC, and user_impersonation does. I wonder whether that's the only difference between the two.
Ultimately it is down to the permissions granted within BC. Check this out for more guidance: www.kauffmann.nl/.../