Creating an Azure AD Application with Service Principal

Microsoft Dynamics 365 Business Central supports Service Principal-based authentication, which is role-based. If you wish to use a Service Principal to authenticate to Microsoft Dynamics 365 Business Central you must create a custom Azure AD application as described here.

To use Azure Service Principal authentication, you must set up the ability to assign a role to the authentication application, then register an application with the Azure AD tenant to create a new Service Principal. That new Service Principal can then leverage the assigned role-based access control to access resources in your subscription.

Authenticating with an Azure Service Principal

In https://portal.azure.com:

1. In the left-hand navigation pane, select Azure Active Directory > App registrations.
2. Click New registration.
3. Enter a name for the application.
4. Select the desired tenant setup. Since this custom application is for Azure Service Principal, choose Any Microsoft Entra ID tenant - Multi Tenant.
5. To register the new application, click Register. An application management screen displays.
   Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant.
6. Navigate to Certificates & Secrets and define the application authentication type. There are two types of authentication available: certificate (recommended) or client secret.
   • For creating a new client secret: In Certificates & Secrets, select New Client Secret for the application and specify its duration. After the client secret is saved, Microsoft Dynamics 365 Business Central displays the key value. This value is displayed only once, so record it for future use. (This value becomes the OAuthClientSecret.)

7. Navigate to the Authentication tab and select the Access tokens option.
8. Save your changes.
9. If you have specified the use of permissions that require admin consent, you can grant them from the current tenant on the API Permissions page.

Granting Admin Consent

Some custom applications require administrative permissions to operate within an Azure Active Directory tenant. Admin consent can be granted when creating a new custom Azure AD application, by adding relevant permissions that are already marked with "Admin Consent Required". Admin consent is also required to use Client Credentials in the authentication flow.

To grant admin consent:

1. Have an admin log in to https://portal.azure.com.
2. Navigate to App Registrations and find the custom Azure AD application you created.
3. Under API Permissions, click Grant Consent.

This gives your application permissions on the tenant under which it was created.