Set up Azure Active Directory (AAD) authentication

Description

Let's set up AAD authentication

Overview

1. Limitations

Barcode login is not suited for use with AAD as it will require two barcodes and generally lacks security.

2. Prerequisites

This guide only applies to Business Central Online and Nav and Business Central OnPrem
Note that the OnPrem setup requires an additional step (step 7), which should not be done for Business Central Online
An Administrator user account associated with the Customers Business Central environment
Extension version MOB5.18
Android App 1.5.0

3. Creating Microsoft Azure App Registration

To access Business Central using AAD authentication, you must grant client access to this service.

Log into https://portal.azure.com using an administrator user associated with the Customers Business Central environment
Navigate to “Azure Active Directory” -> “App registrations”:
Select “New registration” and name it Mobile WMS

4. Configure Redirect URI

Go to Redirect URI
Select “Public client/native (mobile & desktop)” (Do not select "Web")

Enter this URI: https://businesscentral.dynamics.com/

Select “Register”

5. Configuring the Application Registration

Navigate to “API permissions”
Select “Add a permission”
Select "Dynamics 365 Business Central"
Select "Delegated permissions"
Select “user_impersonation”

6. Gathering Information

This section outlines how to gather the data required for the mobile devices to connect using AAD.

Tasklet Factory needs the following data from you:

TenantId
ClientId
Soap URL

Please Note

If TenantId is not a part of the Soap URL, ite means that the App Registration has been set up in the wrong AAD

Get ID's

Navigate to "Azure active directory"
Select "Manage"
Select "App registration"
Select the new "Mobile WMS" registration
Please copy and save the values marked in red

Get Application (client) ID

Get the Directory (tenant) ID

Get SOAP URL

Log into Business Central
Go to Web services page and
Find the entry for MOB WS Dispatcher
Please copy the SOAP URL field

7. Configure the Service Tier

Only OnPrem

Note that this section is only for OnPrem Installations.

On the service tier that you are using for the Mobile Devices, find the section called Azure Active Directory (Azure AD) - see below.

In the Valid Audiences field enter https://api.businesscentral.dynamics.com

It is possible to have several inputs in this field, they can be separated by a semicolon.

The value is a semicolon-separated list of audiences.

8. Updating Mobile Configuration

Using the Service Desk please send us the TenantId, ClientId and Soap URL on the project ticket or raise a new ticket

or

if this is for your own partner device, see below and just fill in the info in the placeholders for Tenant ID, Client Id + Soap URL.

Example and Template for Start.cfg -file

Modify in the red marked sections with the gathered information.

<endpoints>

</endpoints>

9. Define Scopes if connecting to OnPrem installation or different product family (e.g. LS Central or Wiise)

Prerequisites

Android App 1.6.0.1

When connecting to OnPrem installation or a different product family like LS Central or Wiise, we will use the standard scope of Business Central to authenticate against in Azure AD. For this we will need to add the scopes attribute as shown below to the start.cfg file.

Modify in the red marked sections with the gathered information.

<endpoints>

</endpoints>

10. Troubleshooting Login Issues

I cannot log in from mobile device

Set up Azure Active Directory (AAD) authentication

Description

Overview

1. Limitations

2. Prerequisites

3. Creating Microsoft Azure App Registration

4. Configure Redirect URI

5. Configuring the Application Registration

6. Gathering Information

Get ID's

7. Configure the Service Tier

8. Updating Mobile Configuration

Example and Template for Start.cfg -file

9. Define Scopes if connecting to OnPrem installation or different product family (e.g. LS Central or Wiise)

10. Troubleshooting Login Issues

Next

Overview