Small and medium business | Business Central, N...

How to disable user access to list companies in /api/v2.0/companies

(3) Share

Report

Posted on by PU-21010544-0

Hello, I am trying to emulate a problem, thing is I have setup an oauth2 flow with microsoft dynamics 365, currently, I have the flow working and I am able to get for example companies listing using the endpoint

GET https://api.businesscentral.dynamics.com/xxxxxxxxxxxxxxxx/api/v2.0/companies

Now I have a problem, some of my users are unable to query this endpoint, and i would like to create a user that also is unable to query this endpoint but is able to do all other operations under companies, e.g

api/v2.0/companies(xxxxxxxxxxxxxxxxxxxxxxxxxx)/accounts,

i have basically removed all permissions except login for a test user so as i can produce an account that will not have permission to list companies. Yet i am still able to get a company listing instead of a 401 on that companies endpoint. Any idea please how that is possible, clearly permission set does not seem to provide me with a solution, see for example here this user has only login permission.

Categories:

Dynamics 365 Business Central

I have the same question (0)

All responses (6)

Answers (0)

Sort by

Waed Ayyad 9,141 Super User 2026 Season 1 on at

Like (0)

Report
Copy link

Link copied!

Moved to Business Central Forum.

Was this reply helpful? Yes No
Gerardo Rentería Ga... 27,054 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!

Hi

You should check the Microsoft Entra application and see what you have configured. Can you do it?

Best

GR

Was this reply helpful? Yes No
Suggested answer

Khushbu Rajvi. 22,792 Super User 2026 Season 1 on at

Like (1)

Report
Copy link

Link copied!

Hope this helps: https://community.dynamics.com/forums/thread/details/?threadid=4bd215ed-6ab5-4163-b264-775bc01ca19f

Was this reply helpful? Yes No
Suggested answer

Nitin Verma 21,812 Moderator on at

Like (0)

Report
Copy link

Link copied!

in this case LOGIN permission set doesn’t explicitly block the /companies endpoint, and the OAuth token’s scope grants broad API access that overrides the expected restriction. meaning /companies endpoint is a top-level resource in the BC Web Services API. It doesn’t directly map to a specific table or object in BC but rather serves as an entry point to enumerate available companies.

Was this reply helpful? Yes No
Suggested answer

Teddy Herryanto (Th... 14,306 Super User 2026 Season 1 on at

Like (1)

Report
Copy link

Link copied!

I believe you are not looking at the right place.

To access API endpoint, you need OAuth2.

The OAuth2 is not linked to the User Card.

It is linked to the Microsoft Entra Applications.

Here's a link to setup OAuth2.

https://thatnavguy.com/d365-business-central-setup-oauth2-authentication/

Was this reply helpful? Yes No
Suggested answer

YUN ZHU 101,995 Super User 2026 Season 1 on at

Like (0)

Report
Copy link

Link copied!

Hi, hope the following helps as well.

Using OAuth to connect Business Central APIs and Web Service in Postman

https://yzhums.com/20690/

Thanks.

ZHU

Was this reply helpful? Yes No