How to: Set Up an Entra ID App

See also

  1. In a web browser, enter your organization's Azure portal (portal.azure.com).
  2. In Azure services, click Microsoft Entra ID (formerly Azure Active Directory).
  3. In the Manage section of the left navigation bar, click App registrations.
  4. Create the application in Azure (click New Registration).
  5. Insert a name for your app (for example LSCentral Auth).

    Graphical user interface, text, application, email

Description automatically generated

  6. Here you must make an important choice: decide if the application will be single tenant or multitenant.

    If the application will only be used inside one organization, you should choose single tenant. For example, if the application is a portal developed in-house or a self-hosted web shop.
    Choose multitenant if you develop an application that will be used by other organizations to integrate with their LS Central environment.

  7. In the Redirect URI section, select Web and then enter this URL: https://businesscentral.dynamics.com/OAuthLanding.htm

    Note: This property is case-sensitive.

  8. Click Register to create the application.

    Tip: Copy the Application (client) ID from the overview screen to a text file. You will need this later when you register the application in LS Central and when you call the APIs.

  9. Set the API permissions that the external application needs:
    1. Click API permissions in the left navigation menu, and then click Add a permission.

      Graphical user interface, text, application, email

Description automatically generated

    2. From the list of commonly used Microsoft APIs, select Dynamics 365 Business Central. Since the app is going to have its own account in LS Central, you must select Application permissions. This is for applications that run as background service without a signed-in user.
    3. In the Request API permissions page, click the Application permissions button.
    4. Select the following permissions:
      • API.ReadWrite.All - Gives access to APIs and Web Services.
      • Automation.ReadWrite.All - Gives access to Automation APIs. This is useful for applications that will manage the environment, install extensions, and so on.

      Graphical user interface, application

Description automatically generated

      In the Status column on the previous API Permissions page, you can see that the newly added permission has not been granted for the current organization.
      If you are registering a single tenant application, you could click the Grant admin consent action. This also makes sense, if you are registering a multitenant application that will be used in your own organization as well. In all other cases, when the application will be used by another organization, access must be granted from LS Central. For more information see How to: Create the External Application Account in LS Central.

  10. The last step in registering the app in Azure is to create a secret.
    Click Certificates & secrets in the left navigation menu, and then click the New client secret action.

    Graphical user interface, application, Teams

Description automatically generated

  11. In the Add a client secret page, select an expiration period in the Expires field, and click Add.
    Note: Do not forget to copy the created secret because this is the only time you will see it.

    Important: The secret is in the column named Value (not in the column named Secret ID).

    Graphical user interface, application, Teams

Description automatically generated

    Tip: You cannot set an unlimited expiration period. The longest period is 24 months. This means that you must update the secret occasionally.

    Graphical user interface, text, application, email

Description automatically generated

You have now completed the first step to register the application in Azure. The next step is to create the application account in LS Central.

See also

Video Tutorial: S2S Authentication - Step 1

Microsoft Learn - Using Service-to-Service (S2S) Authentication