web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Small and medium business | Business Central, N... / Machine to machine ser...
Small and medium business | Business Central, N...
Answered

Machine to machine server-side authentication using an Azure App Oauth2

(0) ShareShare
ReportReport
Posted on by ARS 5

Hello,

I am building an app that requires access to Business Central APIs and pages that must run in the background with no user interaction and using Oauth2.

I followed ALL documentation regarding this issue, with no success, no matter what the token do not have enough permissions. This sum up conclusions I have got so far and steps:

  • Create an Azure App and grant it Business Central API Application permissions==> app_access. Approve as admin. (I tried giving it all available too) and get client secret.
  • Go to Azure Active Directory Applications in Business Central, and register the application with the client_id and details provided from step 1. Configure the permissions as SUPER for the target company, grant permission to the app.
  • From Postman, get a token:

URL:login.microsoftonline.com/.../token

body:

According to this article, https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/upgrade/deprecated-features-w1, the web service key is deprecating soon, so I don't want to use Basic authorization. The top endpoints beta and automation are being deprecated too. ¿How I am supose to authenticate to Business Central in this scenario? I tried absolutely all the options available at this time.

I have the same question (0)
  • Verified answer
    Chris Bulson Profile Picture
    Chris Bulson on at

    Hello,

    Service to Service is only supported with Business Central automation API's - docs.microsoft.com/.../itpro-introduction-to-automation-apis

    It is not supported for direct interaction with customer data.

    You have to authenticate as a Licensed Business Central user for access to API's that interact with application data\customer data.

    docs.microsoft.com/.../devenv-develop-connect-apps

  • Suggested answer
    ajkauffmann Profile Picture
    ajkauffmann 117 on at

    As Chris Bulson already said, the client credentials flow is only supported for automation APIs.

    However, I've heard it will become available for direct data access as well. I've not seen any date, but it should be well before basic authentication will be deprecated. So either wave 1 or wave 2 this year.

    At this moment your only option is the authorization code grant flow or device code flow. Resource owner password flow also works, but that's not a very secure alternative.

    I would recommend to use basic authentication for now, which is more secure compared to resource owner password flow, but it doesn't require any user interaction. Switch to client credentials flow when it becomes available. That way you don't waste time on implementing a flow that you need to change again in the not so far future.

  • ARS Profile Picture
    ARS 5 on at

    Thanks, I guess I will just go basic until new functionality is release. Do we have any estimates if this is going to be available anytime soon? I am thinking in something like D365 with application users.

  • ARS Profile Picture
    ARS 5 on at

    Thanks Arend-jan, guess will go with basic meanwhile, it was my backup option.

  • Suggested answer
    ajkauffmann Profile Picture
    ajkauffmann 117 on at

    I haven't seen it in the release notes for wave 1. But I wouldn't be surprised if it will be included. If not, then I guess it will be wave 2 this year.

    The way it works for automation apis is with application users indeed. They are unlicensed though, and that's exactly the reason we don't have it yet. Microsoft needs to come up with a good licensing model for these application users.

  • QBD Profile Picture
    QBD 5 on at

    I saw the warning regarding deprecation of web service access keys this week and decided I should get a jump start on migrating our integration application to using a non-delegated permission on an  AAD application, like we do for our F&O offering.  After 12 hours yesterday of code attempts and pouring over various posts and youtube videos, I found some hints that it might not be available.  I was sure I was doing something wrong, after all Microsoft announced the deprecation and has this non-delegated API permission that seems like it would do what I wanted.  Every sample I found used delegated access, which doesn't work in our environment.  I hope Microsoft resolves this before they deprecated in 2022.

    Anyway, I was "excited" to find this post, so I can stop spinning my wheels.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Small and medium business | Business Central, NAV, RMS

#1
OussamaSabbouh Profile Picture

OussamaSabbouh 2,917

#2
Jainam M. Kothari Profile Picture

Jainam M. Kothari 1,161 Super User 2025 Season 2

#3
YUN ZHU Profile Picture

YUN ZHU 1,025 Super User 2025 Season 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans