In this article I will demonstrate how to establish a connection from an Azure Data Factory Linked Service to Dynamics 365 Business Central (BC) with the help of a Service Principal and the OAuth flow.
The process consists of the following activities:
- Create and configure AAD application (Service Principal)
- Set the Dynamics 365 BC environment access for the application
- Register application in the D365 BC admin center
- Finally create new ADF Linked Service
Create new application (Service Principal)
All the steps will be executed in the Azure Portal (with screenshots), but they can also be executed using the Azure API.
1. Go to your Azure Active Directory (AAD) Tenant in Azure Portal, under Manage click App registration
2. In “Register an application” provide the app name, respecting your organization naming convention and click “Register”.
I have left the default option of “Who can use this application or access this API?” marked as ‘Single tenant’:
3. When everything is set up, you should see the confirmation message: “Successfully created application …”
4. From the App registration menu under Manage choose Authentication and under “Platform configurations” click on “Add a platform”:
5. From a “Configure Platform” panel (pops up), under “Web applications”, choose “Web”.
6. Next, in the “Redirect URIs” field provide the following URL https://businesscentral.dynamics.com/OAuthLanding.htm and click “Configure”:
7. When done, you should see a confirmation like: “Successfully updated …”
8. Next you need to create an application certificate or secret; I will use the latter. From the App registration menu under Manage choose Certificates & secrets and select the second tab, “Client secrets”. Next click “New client secret”:
9. In the “Add a client secret” panel (pops up), provide a description and an expiry. The option recommended by Azure is 6 months (180 days). When set, click “Add”:
10. When done, you should see a confirmation like: “Successfully updated application … credentials”
Moreover, and most importantly, you should now be able to see and copy the secret value. This is the only chance to do it: after leaving the page the secret value will no longer be accessible. I recommend storing the secret in an Azure Key Vault, from which it will be retrieved later on.
11. From the App registration menu under Manage choose API permissions and under “Platform configurations” click on “Add a permission”:
12. From a “Request API permissions” panel (pops up), under the “Microsoft APIs” find the “Dynamics 365 Business Central” and click on it:
Hint: alternatively, switch to the “APIs my organization uses” tab and use the search option.
13. Next, when asked “What type of permissions does your application require?” choose “Application permissions”, tick the “API.ReadWrite.All” option, then click “Add permissions”:
Hint: if the application will also be used for automation, select the “Automation.ReadWrite.All” option as well.
14. When done, you should see a confirmation like “Successfully saved permissions for …” and the configured permissions:
Note the warning under Status: it indicates that organization admin consent is missing for this app.
15. Next, admin consent for your organization has to be granted to the application. Depending on your organization’s security / roles & responsibilities model this will be done by a dedicated team, or, if you are in a position to complete it yourself, click “Grant admin consent for ….” and confirm:
16. When done, you should see a confirmation like “Successfully saved permissions for …” and the granted organization consent:
17. From the App registration Overview, note the basic application properties (Display name, Application (client) ID, Object ID and Directory (tenant) ID), which you will need at later stages:
Dynamics 365 Business Central environment access
To be able to use the previously configured AAD application (reminder: I have named it “Dynamics365BC-Test-EU”), the application has to be authorized to connect to the Dynamics 365 BC environment. How this is done depends on how Dynamics 365 BC has been set up by the experts in your organization, but in most cases access to each environment is protected by an AAD security group. Completing the steps below ensures the required authorization.
1. Sign in to Dynamics 365 Business Central.
2. Click the gear symbol (next to the user profile, upper right corner) and choose the option “Admin Center”:
Hint: apart from a valid license, special permissions are required to access the Admin Center. In my case I was able to activate my eligible role “Dynamics 365 Administrator”.
3. From the left pane menu choose Environments, then click on an appropriate environment on the list:
4. From the group “Details” obtain the value of the “Security Group”:
5. Next, go to the Azure Active Directory portal, then “Groups”. Search for the security group from step 4 and click on it. From the menu pane (left side) choose Manage, then Members, and click “Add members”:
Hint: you need the privilege to add members to an AAD security group (e.g. the User Administrator role).
6. In the “Add member” pane (pops up) type the application name in the search field (in my case “Dynamics365BC-Test-EU”), click on it and finally click “Select”:
7. When done, you should see a confirmation like: “Dynamics365BC-Test-EU is now a member …”
Now the application is a member of the security group guarding the access to the D365 BC environment.
Register application in the D365 Business Central admin center
Each Azure AD application working in and with a Dynamics environment has to be authorized; this applies in this case too.
1. Sign in to Dynamics 365 Business Central.
2. Click the gear symbol (next to the user profile, upper right corner) and choose the option “Admin Center”.
3. From the left pane menu choose Authorized AAD Apps, then click “Authorize Azure AD app”:
4. In the “Authorize Azure AD App” pane (pops up), enter in the “Application (Client) ID” field the Application (client) ID of the application (noted earlier and still available in the application’s Overview pane). Next click “Save”:
5. When done, you should see the application in the apps list:
6. Finally grant the application organization admin consent by clicking the “Grant” link. Follow the wizard steps to complete it.
Hint: organization admin permissions are required to complete this step.
Grant accesses for AAD Application in D365 Business Central environment – Access Management
Each Azure AD application working in and with Dynamics has to be registered (as an account) in each environment and granted access (a set of roles). I recommend first getting familiar with the D365 BC role model; in this case we will focus on just a few of them.
1. Sign-in into the Dynamics 365 Business Central.
2. Click the search (magnifying glass) icon next to the environment indicator.
3. In the search input type “Azure” and click the option “Azure Active Directory Applications”:
4. Click on “New”:
5. On the “Azure Active Directory Application Card” provide the application parameters (Client ID and Description), then change the “State” to “Enabled”:
Remark: the “User information”, including “User ID” and “User Name”, will be populated automatically once all required information has been provided.
6. Staying on the card (Azure Active Directory Application), scroll down to “User Permission Sets” and add the following sets:
Remark: it is important to verify that the account created for the application has the permissions required for API use while remaining compliant with your company’s security rules, policies and best practices.
7. Click the back arrow (top left corner) and confirm that the application account has been configured properly:
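Before building the linked service it is worth checking, outside ADF, that the configuration above actually lets the Service Principal in. The following script is an added example, not code from the original article: it performs the OAuth client credentials flow against the tenant's token endpoint using the Application (client) ID and secret, then calls the `companies` endpoint of the environment's service URL and maps a rejection to the setup step most likely missing. The `/.default` scope on the AAD resource, the v2.0 token endpoint and the status-to-step mapping in `hint_for_status` are my assumptions; `demo_offline` uses constructed responses so the logic can be exercised without a tenant.

```python
"""Offline-testable check of the Service Principal / OAuth flow described above (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# AAD resource of the Business Central API (the "AAD resource" value used later in the linked service).
AAD_RESOURCE = "https://api.businesscentral.dynamics.com"


def token_endpoint(tenant_id: str) -> str:
    """Token endpoint of the AAD tenant (Directory (tenant) ID noted in the app Overview). Assumed v2.0 endpoint."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def service_url(environment: str) -> str:
    """Service URL in the form used by the linked service: .../v2.0/{environment}/api/v2.0/"""
    return f"{AAD_RESOURCE}/v2.0/{environment}/api/v2.0/"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials request: Application (client) ID plus client secret, scoped to the BC API."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{AAD_RESOURCE}/.default",  # assumed scope for the v2.0 endpoint
    }).encode()
    return urllib.request.Request(token_endpoint(tenant_id), data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw: bytes) -> str:
    """Turn the token endpoint's JSON reply into an Authorization header value, or raise on an AAD error."""
    payload = json.loads(raw)
    if "error" in payload:
        raise PermissionError(f"{payload['error']}: {payload.get('error_description', '')}")
    if payload.get("token_type", "").lower() != "bearer" or not payload.get("access_token"):
        raise ValueError("unexpected token response")
    return f"Bearer {payload['access_token']}"


def hint_for_status(status: int) -> str:
    """Map an HTTP status from the BC API to the setup step most likely missing (my mapping, an assumption)."""
    hints = {
        401: "token rejected: check the app is listed under Authorized AAD Apps in the admin center "
             "and is a member of the environment's security group",
        403: "authenticated but not permitted: check the Azure Active Directory Application card is "
             "Enabled and has the required User Permission Sets",
        404: "check the {environment} part of the service URL",
    }
    return hints.get(status, "OK" if status < 400 else f"unexpected HTTP status {status}")


def verify_access(tenant_id, client_id, client_secret, environment, urlopen=urllib.request.urlopen):
    """Obtain a token and GET .../companies; returns (status, hint). urlopen is injectable for offline tests."""
    try:
        with urlopen(build_token_request(tenant_id, client_id, client_secret)) as resp:
            auth = parse_token_response(resp.read())
    except urllib.error.HTTPError as exc:
        parse_token_response(exc.read())  # AAD puts error/error_description in the 4xx body: raises PermissionError
        raise                             # no AAD error object in the body: re-raise the HTTP error itself
    req = urllib.request.Request(service_url(environment) + "companies",
                                 headers={"Authorization": auth, "Accept": "application/json"})
    try:
        with urlopen(req) as resp:
            return resp.status, hint_for_status(resp.status)
    except urllib.error.HTTPError as exc:
        return exc.code, hint_for_status(exc.code)


class _FakeResponse:
    """Constructed stand-in for an HTTP response, used only by demo_offline."""
    def __init__(self, status, body):
        self.status, self._body = status, body
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def demo_offline(api_status: int = 401):
    """Run verify_access against canned replies: a valid token reply, then the given BC API status."""
    def fake_urlopen(req):
        if req.full_url.startswith("https://login.microsoftonline.com/"):
            return _FakeResponse(200, b'{"token_type":"Bearer","expires_in":3599,"access_token":"constructed"}')
        if api_status >= 400:
            raise urllib.error.HTTPError(req.full_url, api_status, "constructed", {}, None)
        return _FakeResponse(api_status, b'{"value":[]}')
    return verify_access("tenant-id", "client-id", "client-secret", "Production", urlopen=fake_urlopen)
```

Call `verify_access(tenant_id, client_id, client_secret, environment)` with the values noted from the app Overview; read the secret from Key Vault or an environment variable rather than writing it into the script, since it is the same credential the linked service will use.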
Azure Data Factory – Linked Service
1. Sign in to the Azure Portal and open Azure Data Factory Studio. Ensure you have access to the Data Factory in the “Data Factory Contributor” role.
2. Go to “Manage”. From the menu pane (left side), under “Connections”, choose “Linked services” and “New”:
3. In the search input type “OData”, choose “OData” and click “Continue”:
4. Name the linked service according to your naming conventions and rules.
5. Provide or choose the following inputs:
- Description: (optional) linked service description
- Connect via integration runtime: leave the default option “AutoResolveIntegrationRuntime”
Important: if a dedicated Self-Hosted Integration Runtime is in place and should be used for the D365 BC connection, choose it instead of the default.
- Service URL: https://api.businesscentral.dynamics.com/v2.0/{environment}/api/v2.0/
where {environment} is the D365 BC environment name
- Authentication type: Service Principal with Key
- AAD resource: https://api.businesscentral.dynamics.com
- Tenant: your AAD Tenant ID, which can be copied from the general application properties in AAD
- Service Principal ID: the Application (Client) ID of your AAD application
- Service Principal Key / Azure Key Vault: the application secret, or the Key Vault where the secret is stored
- Azure cloud type: leave the default option “Data Factory’s cloud type”
- Auth Headers:
- Add “Authorization”. The value has to be obtained beforehand and pasted directly (not recommended) or supplied as a variable (recommended):
6. Click “Test connection” and next “Create”.
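The inputs above end up in the linked service's JSON definition, which is where a pasted secret or bearer token would be persisted. The following checker is an added example, not part of the article or of ADF: it compares a definition against the settings listed above and flags an inline secret or a literal `Bearer` token in the auth headers. The property names (`authenticationType`, `aadResourceId`, `servicePrincipalKey`, `authHeaders`, the `AzureKeyVaultSecret` reference) follow the ADF OData linked service JSON as I know it and should be verified against a definition exported from your own factory; both definitions are constructed samples with placeholder IDs and a placeholder Key Vault linked service name.

```python
"""Lint an ADF OData linked-service definition against the inputs listed above (added example)."""
import re

# Service URL pattern from the text: https://api.businesscentral.dynamics.com/v2.0/{environment}/api/v2.0/
BC_SERVICE_URL = re.compile(r"^https://api\.businesscentral\.dynamics\.com/v2\.0/[^/]+/api/v2\.0/$")
AAD_RESOURCE = "https://api.businesscentral.dynamics.com"

# Constructed definition following the inputs above, with the secret referenced from Key Vault.
# Property names are an assumption to verify against your own exported definition;
# LS_KeyVault, the secret name and the <...> IDs are placeholders.
GOOD_DEFINITION = {
    "name": "LS_D365BC_Production",
    "properties": {
        "type": "OData",
        "typeProperties": {
            "url": "https://api.businesscentral.dynamics.com/v2.0/Production/api/v2.0/",
            "authenticationType": "AadServicePrincipal",
            "servicePrincipalId": "<application-client-id>",
            "tenant": "<directory-tenant-id>",
            "aadResourceId": AAD_RESOURCE,
            "servicePrincipalKey": {
                "type": "AzureKeyVaultSecret",
                "store": {"referenceName": "LS_KeyVault", "type": "LinkedServiceReference"},
                "secretName": "d365bc-test-eu-client-secret",
            },
        },
    },
}

# Same definition with the two shortcuts the text advises against: inline secret and pasted token.
WEAK_DEFINITION = {
    "name": "LS_D365BC_Production",
    "properties": {
        "type": "OData",
        "typeProperties": {
            **GOOD_DEFINITION["properties"]["typeProperties"],
            "servicePrincipalKey": {"type": "SecureString", "value": "<pasted-secret>"},
            "authHeaders": {"Authorization": "Bearer <pasted-token>"},
        },
    },
}


def lint_linked_service(definition: dict) -> list:
    """Return a list of findings; an empty list means the definition matches the recommended setup."""
    findings = []
    props = definition.get("properties", {})
    tp = props.get("typeProperties", {})
    if props.get("type") != "OData":
        findings.append("type: expected OData")
    if not BC_SERVICE_URL.match(tp.get("url", "")):
        findings.append("url: expected https://api.businesscentral.dynamics.com/v2.0/{environment}/api/v2.0/")
    if tp.get("authenticationType") != "AadServicePrincipal":
        findings.append("authenticationType: expected AadServicePrincipal (Service Principal with Key)")
    if tp.get("aadResourceId") != AAD_RESOURCE:
        findings.append(f"aadResourceId: expected {AAD_RESOURCE}")
    for field in ("servicePrincipalId", "tenant"):
        if not tp.get(field):
            findings.append(f"{field}: missing")
    key = tp.get("servicePrincipalKey") or {}
    if key.get("type") != "AzureKeyVaultSecret":
        findings.append("servicePrincipalKey: secret is stored inline; reference it from Azure Key Vault instead")
    # A parameterised header value (an ADF expression) is not a literal token and is left alone.
    for name, value in (tp.get("authHeaders") or {}).items():
        if name.lower() == "authorization" and isinstance(value, str) and value.lower().startswith("bearer "):
            findings.append("authHeaders.Authorization: pasted bearer token; it expires and is stored in the definition")
    return findings
```

Run it over the JSON exported from the factory's Git repository or from the portal's code view; an empty list means the definition uses the Key Vault reference and carries no literal token.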