Set up Microsoft Entra ID (formerly Azure Active Directory) authentication
Description
Let's set up Microsoft Entra ID authentication
Overview
- Description
- 1. Limitations
- 2. Prerequisites
- 3. Creating Microsoft Entra ID App Registration
- 4. Configure Redirect URI
- 5. Configuring the Application Registration
- 6. Gathering Information
- 7. Configure the Service Tier (Only On-Prem)
- 8. Updating Mobile Configuration
- 9. Define Scopes if connecting to On-Prem installation or different product family (e.g. LS Central or Wiise)
- 10. Troubleshooting Login Issues
For Business Central Online, the App Registration can be created automatically in a Sandbox using the Mobile WMS Sandbox Configuration Guide. However, for On-Premise tenants, you must create the App Registration manually.
If the Sandbox and Production tenants are in the same Entra ID (which is the typical scenario), you can use the same App Registration for both.
If you have already created an App Registration for Mobile WMS, you can find the Client ID and Tenant ID in the Azure Portal and proceed directly to Step 8.
1. Limitations
Barcode login is not suited for use with Entra ID as it will require two barcodes and generally lacks security.
2. Prerequisites
Administrator user account associated with the customer's Business Central environment
Minimum Extension MOB5.18
Minimum Android App 1.5.0 (Version 1.6.0.1 for On-Prem Installations)
3. Creating Microsoft Entra ID App Registration
To access Business Central using Entra ID authentication, you must grant client access to this service.
Log into https://portal.azure.com using an administrator user associated with the customer's Business Central environment
Navigate to “Microsoft Entra ID” -> “App registrations”:
Select “New registration” and name it Mobile WMS
4. Configure Redirect URI
Go to Redirect URI
Select “Public client/native (mobile & desktop)” (Do not select "Web")
Enter this URI: https://businesscentral.dynamics.com/
Select “Register”
5. Configuring the Application Registration
Navigate to “API permissions”
Select “Add a permission”
Select "Dynamics 365 Business Central"
Select "Delegated permissions"
Select “user_impersonation”
Select "Grant admin consent"
Depending on the organization's settings, it might be necessary to grant admin consent for the App registration to work (requires admin rights).
6. Gathering Information
This section outlines how to gather the data required for the mobile devices to connect using Entra ID.
Tasklet Factory needs the following data from you:
Tenant ID
Client ID
SOAP URL
Please Note
If the Tenant ID is not a part of the SOAP URL, it means that the App Registration has been set up in the wrong Entra ID
Get IDs
Navigate to "Microsoft Entra ID"
Select "Manage"
Select "App registration"
Select the new "Mobile WMS" registration
Please copy and save the values marked in red
Get Application (client) ID
Get the Directory (tenant) ID
Get SOAP URL
Log into Business Central
Go to the Web services page and find the entry for MOB WS Dispatcher
Please copy the SOAP URL field
7. Configure the Service Tier (Only On-Prem)
This step is only for On-Prem, which requires Android App version 1.6.0.1.
On the service tier that you are using for the Mobile Devices, find the section called Azure Active Directory (Azure AD) - see below.
In the Valid Audiences field enter https://api.businesscentral.dynamics.com
The value is a semicolon-separated list of audiences, so the field can hold several entries.
To configure SOAP and OData web services for Entra ID authentication, specify the App ID URI that is registered for your Business Central installation in Microsoft Entra ID (formerly Azure Active Directory).
8. Updating Mobile Configuration
Using the service desk, please send us the Tenant ID, Client ID and SOAP URL on the project ticket, or raise a new ticket.
Or, if this is for your own partner device, see below and fill in the placeholders for Tenant ID, Client ID and SOAP URL.
Example and Template for Start.cfg -file
Modify the red-marked sections (the Soap URL, TenantId and ClientId placeholders) with the gathered information.
<!-- ENDPOINTS -->
<endpoints>
<endpoint id="01" displayName="D365BC" protocol="classic" type="D365BC" address="Soap URL">
<azureConfiguration authority="https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize" scopes="https://api.businesscentral.dynamics.com/user_impersonation" clientId="ClientId" returnUri="https://businesscentral.dynamics.com/"/>
</endpoint>
</endpoints>
9. Define Scopes if connecting to On-Prem installation or different product family (e.g. LS Central or Wiise)
Prerequisites
Android App 1.6.0.1
When connecting to an On-Prem installation or a different product family like LS Central or Wiise, we use the standard Business Central scope to authenticate against Entra ID. For this, add the scopes attribute to the start.cfg file as shown below.
Modify the red-marked sections (the Soap URL, TenantId and ClientId placeholders) with the gathered information.
<!-- ENDPOINTS -->
<endpoints>
<endpoint id="01" displayName="D365BC" protocol="classic" type="D365BC" address="Soap URL">
<azureConfiguration authority="https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize" scopes="https://api.businesscentral.dynamics.com/user_impersonation" clientId="ClientId" returnUri="https://businesscentral.dynamics.com/"/>
</endpoint>
</endpoints>
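A way to check a filled-in Start.cfg before it goes onto a device, added here as an example (it is not Tasklet Factory code). It parses the endpoints fragment shown above and applies the rules this page states: the authority carries the Directory (tenant) ID, that same Tenant ID is part of the SOAP URL (section 6), and the scope and return URI match sections 4 and 5. The function name, the GUIDs and the SOAP URL are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
AUTHORITY = re.compile(rf"https://login\.microsoftonline\.com/({GUID})/oauth2/v2\.0/authorize")
SCOPE = "https://api.businesscentral.dynamics.com/user_impersonation"
RETURN_URI = "https://businesscentral.dynamics.com/"  # redirect URI registered in step 4

def check_start_cfg(xml_text):
    """Return a list of findings per endpoint; an empty list means nothing to fix."""
    findings = []
    for ep in ET.fromstring(xml_text).iter("endpoint"):
        eid, address = ep.get("id", "?"), ep.get("address", "")
        azure = ep.find("azureConfiguration")
        if azure is None:
            findings.append(f"{eid}: no azureConfiguration element")
            continue
        match = AUTHORITY.fullmatch(azure.get("authority", ""))
        if match is None:
            findings.append(f"{eid}: authority has no Directory (tenant) ID")
        elif match.group(1).lower() not in address.lower():
            # Section 6 note: tenant missing from the SOAP URL means wrong Entra ID
            findings.append(f"{eid}: Tenant ID is not part of the SOAP URL")
        if re.fullmatch(GUID, azure.get("clientId", "")) is None:
            findings.append(f"{eid}: clientId is not an Application (client) ID")
        if azure.get("scopes") != SCOPE:
            findings.append(f"{eid}: scopes is not {SCOPE}")
        if azure.get("returnUri") != RETURN_URI:
            findings.append(f"{eid}: returnUri differs from the registered redirect URI")
    return findings

# Constructed sample values (not a real tenant, client or web service name).
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
TEMPLATE = """<endpoints>
<endpoint id="01" displayName="D365BC" protocol="classic" type="D365BC" address="{soap}">
<azureConfiguration authority="https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
 scopes="https://api.businesscentral.dynamics.com/user_impersonation"
 clientId="{client}" returnUri="https://businesscentral.dynamics.com/"/>
</endpoint>
</endpoints>"""
SOAP = f"https://api.businesscentral.dynamics.com/v2.0/{TENANT}/Production/WS/CRONUS/Codeunit/Example"
GOOD = TEMPLATE.format(soap=SOAP, tenant=TENANT, client=CLIENT)
# Same file, but the authority points at a different (constructed) tenant.
WRONG_TENANT = GOOD.replace(f"com/{TENANT}/oauth2", "com/99999999-2222-3333-4444-555555555555/oauth2")
UNFILLED = TEMPLATE.format(soap="Soap URL", tenant="TenantId", client="ClientId")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("wrong tenant", WRONG_TENANT), ("unfilled", UNFILLED)):
        print(label, check_start_cfg(cfg))
```

An unfilled template is reported twice (authority and clientId), which catches a Start.cfg that was shipped with its placeholders still in place.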
10. Troubleshooting Login Issues