After spending a full day debugging Universal Print on BC v27 on-premises with Entra ID (hybrid setup), here's what we found needed to be done beyond the official documentation. Your mileage may vary, but hopefully this saves someone a day of debugging.
The symptoms
The assisted setup wizard fails with "We couldn't connect to Universal Print using your Microsoft Entra application registration", and the event log shows either "AADSTS500011: resource principal not found", "The server did not return any auth endpoint", or "AADSTS50194: usage of the /common endpoint is not supported".
What the docs missed in our case
1. The App Registration may need to be set to Multitenant.
In our client's environment, BC's internal token flow for Universal Print was calling the /common endpoint, which Entra ID rejects for single-tenant apps created after October 2018. Setting Supported account types to Accounts in any organizational directory (Multitenant) resolved this. Alternatively, it may be possible to configure BC to use a tenant-specific endpoint instead, but we did not find a straightforward way to do so.
2. PublicWebBaseUrl must match the Application ID URI registered in Entra ID.
In our case, BC was using the value of PublicWebBaseUrl as the resource identifier when requesting access tokens for Universal Print. The value was set to the web client URL, which was not registered as an Application ID URI in Entra ID. Setting it to api://<your-client-id> and restarting the server instance resolved the issue. The key point is that whatever value you use here must match a registered Application ID URI.
3. Allow HttpClient Requests must be explicitly enabled for the Universal Print extension.
On-premises BC blocks outbound HTTP calls per extension by default. In our client's environment this had not been set, which silently prevented Universal Print from reaching Entra ID at all. Update the NAV App Setting table:
UPDATE [dbo].[NAV App Setting]
SET [Allow HttpClient Requests] = 1
WHERE [App ID] = '2654D7E7-9AFD-4947-9E02-6BB8F3E0CD04'
4. A scope and Universal Print as an Authorized Client Application must be added under Expose an API.
In our case, BC's AL Url Helper was unable to resolve an auth endpoint until we added a scope named access_as_user under Expose an API and authorized the Universal Print service principal (da9b70f6-5323-4ce6-ae5c-88dcc5082966) as a client application for that scope.
5. Azure AD Mgt_ Setup must have a record per company.
This table is company-specific. In our client's environment, one company was missing a record — likely because the database had been copied from another instance. This caused an "Azure AD Auth Flow provider is not initialized" error. For any company where the table is empty, insert a record with Auth Flow Codeunit ID = 6303 and Azure AD User Mgt_ Codeunit ID = 9010:
INSERT INTO [dbo].[YourCompany$Azure AD Mgt_ Setup$437dbf0e-84ff-417a-965d-ed2bb9650972]
([Primary Key], [Auth Flow Codeunit ID], [Azure AD User Mgt_ Codeunit ID],
[$systemId], [$systemCreatedAt], [$systemCreatedBy], [$systemModifiedAt], [$systemModifiedBy])
VALUES ('', 6303, 9010, NEWID(),
'1753-01-01 00:00:00.000', '00000000-0000-0000-0000-000000000000',
'1753-01-01 00:00:00.000', '00000000-0000-0000-0000-000000000000')
None of these steps are mentioned in Microsoft's official documentation for Universal Print on-premises. If you're hitting similar errors, hope this helps.
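Read-only checks to run before the UPDATE in step 3 and the INSERT in step 5, as an added example that is not part of the original post. It assumes the BC application database is the current database, SQL Server 2017 or later (for STRING_AGG), and the table names and extension suffix exactly as they appear in the statements above.

```sql
-- Added example (not from the original post): read-only, no data is changed.

-- Step 3: show the current setting for the Universal Print extension.
-- If no row comes back, the UPDATE in step 3 would affect 0 rows.
SELECT [App ID], [Allow HttpClient Requests]
FROM [dbo].[NAV App Setting]
WHERE [App ID] = '2654D7E7-9AFD-4947-9E02-6BB8F3E0CD04';

-- Step 5: count setup records in every per-company copy of the table.
-- The suffix is the table name from the post without the company prefix.
DECLARE @suffix nvarchar(128) =
    N'$Azure AD Mgt_ Setup$437dbf0e-84ff-417a-965d-ed2bb9650972';
DECLARE @sql nvarchar(max);

-- Build one COUNT(*) query per matching table and join them with UNION ALL.
-- QUOTENAME escapes both the string literal and the object names.
SELECT @sql = STRING_AGG(
    CAST(N'SELECT N'
         + QUOTENAME(LEFT(t.name, LEN(t.name) - LEN(@suffix)), N'''')
         + N' AS company_prefix, COUNT(*) AS setup_rows FROM '
         + QUOTENAME(SCHEMA_NAME(t.schema_id)) + N'.' + QUOTENAME(t.name)
         AS nvarchar(max)),
    N' UNION ALL ')
FROM sys.tables AS t
WHERE RIGHT(t.name, LEN(@suffix)) = @suffix;

IF @sql IS NULL
    PRINT N'No table name ends with the expected suffix; check the database.';
ELSE
BEGIN
    -- Companies with setup_rows = 0 sort first.
    SET @sql = N'SELECT company_prefix, setup_rows FROM (' + @sql
             + N') AS c ORDER BY setup_rows, company_prefix;';
    EXEC sys.sp_executesql @sql;
END;
```

Any company listed with setup_rows = 0 is one where the step 5 INSERT applies; company_prefix is the company name as it appears in the SQL table name.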
