Service To Service Authentication

The steps presented below are valid at the time of publishing this article. Any changes brought by future releases of Business Central will not be covered here.

Step 1: Update Application in AAD:

1. In Authentication add https://businesscentral.dynamics.com/OAuthLanding.htm to Redirect URIs
2. Grant the registered application API.ReadWrite.All and Automation.ReadWrite.All permission to the Dynamics 365 Business Central API as follows:
3. Select API permissions > Add a permission > Microsoft APIs.
4. Select Dynamics 365 Business Central.
5. Select Application permissions, select API.ReadWrite.All or Automation.ReadWrite.All, then select Add permissions.

Step 2: Create Application in BC

Complete these steps to set up the Azure AD application for service-to-service authentication in Business Central.

1. In the Business Central client, search for Azure Active Directory Applications and open the page.
2. Select New.
3. The Azure Active Directory Application Card opens.
4. In the Client ID field, enter the Application (Client) ID for the registered application in Azure AD from task 1.
5. Fill in the Description field.
6. Set the State to Enabled.
7. Assign permissions to objects as needed.
8. Set User Permission Sets to D365 READ and PIMICS
9. Select Grant Consent and confirm the dialog

Complete these steps to set up the Azure AD application for service-to-service authentication in Business Central.

Step 3: Call API

Ask for AccessToken

Method: POST URL: https://login.microsoftonline.com/{{Tenant}}/oauth2/v2.0/token Request Body:

• grant_type: "client_credentials"
• client_secret: "{{ClientSecret}}"
• client_id: "{{ClientId}}"
• scope: https://api.businesscentral.dynamics.com/.default

Example:

POST https://login.microsoftonline.com/96993b60-0000-4afb-afe2-ca41e8973d9b/oauth2/v2.0/token

Request Headers

User-Agent: PostmanRuntime/7.28.4
Accept: */*
Host: login.microsoftonline.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: multipart/form-data; boundary=--------------------------577535107691165842526511
Cookie: wlidperf=FR=L&ST=1616100785582; brcap=0; fpc=Apfx9HfeQRpJpxvm1PcOVZC7RxEEAgAAALQpHNkOAAAA; stsservicecookie=estsfd; x-ms-gateway-slice=estsfd
Content-Length: 629

Request Body

grant_type: "client_credentials"
client_secret: "XXXXXXX"	
client_id: "9d5c75db-0000-4d19-b94c-ae2a469002f0"
scope: "https://api.businesscentral.dynamics.com/.default"

Response Headers

Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
x-ms-request-id: fea3cf24-cbf7-4616-82cf-6f3dc23d6100
x-ms-ests-server: 2.1.12197.4 - NCUS ProdSlices
Set-Cookie: fpc=Apfx9HfeQRpJpxvm1PcOVZC7RxEEAwAAALQpHNkOAAAA; expires=Thu, 09-Dec-2021 08:38:14 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Tue, 09 Nov 2021 08:38:13 GMT
Content-Length: 1473

Response Body

{
    "token_type":"Bearer",
    "expires_in":"3599",
    "ext_expires_in":"3599",
    "expires_on":"1636450694",
    "not_before":"1636446794",
    "resource":"00000002-0000-0000-c000-000000000000",
    "access_token":"eyJ0eXAi..._TJ0d_ 7s2vVzzM3v1cA" 
}

Use the token from the response as a Bearer authentication in requests to Pimics or BC API.