How to activate Business Central integration
Last updated About 1 month ago
What customer is required to do in Azure and Business Central. This way nothing lives within Greenstep's environment.
The user in Azure Entra ID must have broad permissions in order to create the Azure Entra ID application and grant admin consent for API rights. In BC, the Global Admin role should be used to create the application and connect the traffic with the Azure Application. After this, Microsoft's backbone authentication can be used through the Azure application, and financial data can be accessed from the customer's BC environment through the API.
Azure:
Create an Azure Entra ID application (Azure Entra ID in Azure and from there go to App registrations -> New registration)
Name: BI Book Connector (for easy identification)
Supported account types: Accounts in any organizational directory - to ensure that it works from our side
Redirect URI: Web & https://businesscentral.dynamics.com/OAuthLanding.htm
Click Register
Navigate to the API Permissions tab of the recently created application. Click add a permission.
Select Dynamics 365 Business Central and from there:
Delegated permissions: Financials.ReadWrite.
All Application permissions: API.ReadWrite.All
When these are checked, click Add Permissions.
When the API permissions have been applied, click ‘Grant Admin Consent for {company name}’ from the API Permissions tab and approve the API permissions that were opened in the previous step.
Within the application, navigate to the Certificates & secrets tab.
Click New client secret.
Select the longest possible expiration period (24 months or custom and longer if possible) so that the connections are never interrupted. Otherwise, this must be adjusted later and the customer must remember to rotate the secrets in time and inform us when they change.
Store the secret VALUE (not secret ID) you created. This will only be visible once when you create a new secret and cannot be accessed later through the UI. If you miss the secret value, just create a new one and copy the new secret.
Within the application, navigate to the Overview tab and store the Application (client) ID and Directory (tenant) ID, because GS needs those all three values to implement authentication towards the API.
Application (client) ID
Application (client) Secret
Directory (tenant) ID
Business Central:
Create an External Application in BC.
In the search field, search for Azure Entra ID, select Azure Entra ID Applications, and create a new external application
Client ID: add Application (client) ID from that Azure Entra ID application you just did (curly brackets will come automatically, no need to worry).
Description: BI Book Connector (for easy identification)
State: Enabled
User Permission Sets:
D365 BASIC
D365 READ ALL
In both Extension Name: Base Application (if it cannot be specified, it will surely come by default)
In both Permission Scope: System (if it cannot be specified, it will surely come by default)
User ID: No definite information why would be required, should be automatically populated when Grant Consent is pressed and not really required for anything.
Click Grant Consent at the top of the BC application to be created (a pop-up opens). In order to execute the consent, the logged-in account role must have Global Administrator, Application Administrator, or Cloud Application Administrator rights. When consenting, unverified app status is fine, we just did not fill out the MPN account for the Azure application.
Finally, in order to establish the connection, GS needs the BC environment name. Note that in the case of multiple companies, some of the companies may be in different environments (but in the same Tenant), in that case, please let us know the names of all environments.
The BC API authentication will now work through the Azure Entra ID application, which has the rights to use the Business Central Financials API and is also linked to the customer's proper BC environment.