Azure App Registration

How do I register a Web Type Azure App in a SaaS environment?

How do I register a Mobile Type Azure App in a SaaS environment?

How do I register a Web Type Azure App in an on-premises environment?

How do I register a Mobile Type Azure App in an on-premises environment?

How do I fill the fields of the OAuth Settings page properly?

Tip

Summary: This guide provides detailed instructions on how to register Azure applications for use with OAuth authentication in both SaaS and on-premises environments. It covers the process for registering both Web and Mobile type applications, highlighting key differences and steps for each environment.

To use your SaaS or on-premises (OnPrem) environment with OAuth authentication, set up your Azure app registration and COSMO Mobile Solution (Business Central extension) as described in this topic.

Note

The app registration can be done using the Microsoft Entra admin center or Azure Portal. This content demonstrates how to do it in the Azure Portal but the process is generally the same in the Microsoft Entra admin center.

The different registration types based on the SaaS/OnPrem environments are designated in the separate tabs below.

App Registration and OAuth Overview

COSMO Mobile Solution supports two Azure app registration types: Web and Mobile. Both can be used in SaaS and on‑premises environments. App registration is required when using OAuth authentication.

Key Differences

Client secret usage
Handling of MFA location checks

Web Type (recommended in most cases)

When to use: Location checks are enabled but can be ignored, or are not required. Use Web type if Azure location checks would block access for COSMO Mobile Solution.
Behavior: Ignores MFA location checks, so it works even if Business Central or the Intermediate Layer runs in a non‑trusted location while the user is in a trusted location (or vice versa).
Characteristics: Requires a client secret with an expiration date; MFA location checks are ignored.
Mobile Solution Settings: Set OAuth without Client Secret = OFF and enter the client secret in the app registration.

Mobile Type (use when MFA location checks must be enforced)

When to use: Your Azure environment requires MFA location checks to be enforced.
Potential issues: If Business Central or the Intermediate Layer runs in a non‑trusted location while the user is in a trusted location (or vice versa), sign‑in issues may occur, as COSMO Mobile Solution currently cannot handle location checks.
Characteristics: No client secret required; MFA location checks must pass.
Mobile Solution Settings: Set OAuth without Client Secret = ON; no client secret needed.

Why Separate Tabs in This Documentation

Setup steps differ between SaaS and on‑premises:

On‑premises: Specific Business Central service settings are required.
SaaS: These service settings are not required.

Separate tabs are provided by app registration type (Web/Mobile) and environment (SaaS/on‑premises).

Summary

Type	Client Secret	MFA Location Checks	Setting
Web	Required	Ignored	OAuth without Client Secret = OFF
Mobile	Not required	Enforced	OAuth without Client Secret = ON

To register a Web type application in a SaaS environment, follow the steps listed below.

Choose the icon, enter Mobile Solution Settings and choose the related link.
Ensure that the OAuth without Client Secret toggle is turned off.

3.* Choose the OAuth Settings action to open the OAuth Settings page. Keep this page open during the app registration process.

Open a new tab in your browser and go to Microsoft Azure portal and log in with your admin account.
Enter App registrations in the search bar.
Choose New registration.
Fill in the required data and then choose the Register button:
- Name: it can be anything, e.g., OAuthTest.
- Supported account types: the first option is set by default; however, it can be selected regarding your company settings.
- Redirect URI (optional): leave it blank, it will be set later.
Next, you'll be redirected to your App registrations window. Copy the Application (client) ID value (1), open the OAuth Settings page in Business Central and paste it in the Client ID field (2). Go back to Microsoft Azure and choose Endpoints (3).
In the Endpoints window:
- copy the following endpoint values:
- open the OAuth Settings page in Business Central and paste them in the Authorization Endpoint and Token Endpoint fields.
Go back to Microsoft Azure. In the navigation pane, choose Authentication and then choose Add a platform.
In the Configure platforms window, choose the Web application.
After selecting Web, the Configure Web window opens. Enter http://localhost in the Redirect URIs field, then choose the Configure button.
Go back to the Authentication tab. In the Web section (which shows your previously added localhost URI), choose Add URI. Copy and paste your Business Central communication URI: https://businesscentral.dynamics.com/OAuthLanding.htm Choose the Save button.
Open the OAuth Settings page in Business Central and paste it in the Callback URL field.
Go back to Microsoft Azure. In the navigation pane, choose API permissions and then choose Add a permission.
In the Request API permissions window, choose the Dynamics 365 Business Central API.
Select Delegated permissions as the permission type, check the Financial.ReadWrite.All option under the Financials drop-down, and then click Add permissions. After adding, ensure you grant admin consent for both User.Read and Financial.ReadWrite.All permissions by choosing the Grant admin consent for... action among the listed permissions.
In the navigation pane, choose Certificates & secrets and then choose New client secret.
In the Add a client secret window, enter a description of the client secret, set the expiration date, and then choose the Add button.
Copy the client secret value, open the OAuth Settings page in Business Central, and paste it in the Client Secret field. Once the secret is created, its value will no longer be accessible after the page is closed in Microsoft Azure.
In the OAuth Settings page, paste the following scope value in the Scopes field: https://api.businesscentral.dynamics.com/Financials.ReadWrite.All offline_access

Ensure that the " offline_access" section of the URL is included in the copied value (with a space before "offline").
In case of a non-production environment, choose the icon, enter Extension Management and choose the related link.
Locate and open COSMO Mobile Solution and then turn on the Allow HttpClient Requests toggle in the Extension Settings page.

To register a Mobile type application in a SaaS environment, follow the steps listed below.

Choose the icon, enter Mobile Solution Settings and choose the related link.
Ensure that the OAuth without Client Secret toggle is turned on.
Choose the OAuth Settings action to open the OAuth Settings page. Keep this page open during the app registration process.
Open a new tab in your browser and go to Microsoft Azure portal and log in with your admin account.
Enter App registrations in the search bar.
Choose New registration.
Fill in the required data and then choose the Register button:
- Name: it can be anything, e.g., OAuthTest.
- Supported account types: the first option is set by default; however, it can be selected regarding your company settings.
- Redirect URI (optional): leave it blank, it will be set later.
Next, you'll be redirected to your App registrations window. Copy the Application (client) ID value (1), open the OAuth Settings page in Business Central and paste it in the Client ID field (2). Go back to Microsoft Azure and choose Endpoints (3).
In the Endpoints window:
- copy the following endpoint values:
- open the OAuth Settings page in Business Central and paste them in the Authorization Endpoint and Token Endpoint fields.
Go back to Microsoft Azure. In the navigation pane, choose Authentication and then choose Add a platform.
In the Configure platforms window, choose the Mobile and desktop applications application.
After selecting Mobile and desktop applications, the Configure Desktop + devices window opens. Enter http://localhost in the Custom redirect URIs field, then choose the Configure button.
Go back to the Authentication tab. In the Mobile and desktop applications section (which shows your previously added localhost URI), choose Add URI. Enter your Business Central communication URI: https://businesscentral.dynamics.com/OAuthLanding.htm
Choose the Save button.
Open the OAuth Settings page in Business Central and paste it in the Callback URL field.
Go back to Microsoft Azure. In the navigation pane, choose API permissions and then choose Add a permission.
In the Request API permissions window, choose the Dynamics 365 Business Central API.
Select Delegated permissions as the permission type, check the Financial.ReadWrite.All option under the Financials drop-down, and then click Add permissions. After adding, ensure you grant admin consent for both User.Read and Financial.ReadWrite.All permissions by choosing the Grant admin consent for... action among the listed permissions.
Open the OAuth Settings page in Business Central and paste the following scope value in the Scopes field:
https://api.businesscentral.dynamics.com/Financials.ReadWrite.All offline_access

Ensure that the " offline_access" section of the URL is included in the copied value (with a space before "offline").
In case of a non-production environment, choose the icon, enter Extension Management and choose the related link.
Locate and open COSMO Mobile Solution and then turn on the Allow HttpClient Requests toggle in the Extension Settings page.

To register a Web type application in an on-premises environment, follow the steps listed below.

Choose the icon, enter Mobile Solution Settings and choose the related link.
Ensure that the OAuth without Client Secret toggle is turned off.
Choose the OAuth Settings action to open the OAuth Settings page. Keep this page open during the app registration process.
Go to Microsoft Azure portal and log in with your admin account.
Enter App registrations in the search bar.
Choose New registration.
Fill in the required data and then choose the Register button:
- Name: it can be anything, e.g., MobSolTest.
- Supported account types: choose the first option if the Business Central server is in the same domain as your Azure App Registration, or the second option if they are in different domains.
- Redirect URI (optional): leave it blank, it will be set later.
Next, you'll be redirected to your App registrations window. Copy the Application (client) ID value (1), open the OAuth Settings page in Business Central and paste it in the Client ID field (2). Go back to Microsoft Azure and choose Endpoints (3).
In the Endpoints window:
- copy the following endpoint values:
- open the OAuth Settings page in Business Central and paste them in the Authorization Endpoint and Token Endpoint fields.
Go back to Microsoft Azure. In the navigation pane, choose Authentication and then choose Add a platform.
In the Configure platforms window, choose the Web application.
After selecting Web, the Configure Web window opens. Enter http://localhost in the Redirect URIs field and then choose the Configure button.
Go back to the Authentication tab. In the Web section (which shows your previously added localhost URI), choose Add URI. Copy and paste your Business Central communication URI, based on the following structure: https://'server name'/'YourEnvironment Name'/OAuthLanding.htm
Choose the Save button.
Open the OAuth Settings page in Business Central and paste it in the Callback URL field.
Go back to Microsoft Azure. In the navigation pane, choose Expose an API and then set your Application ID URI. Copy its value to the valid audiences in the Business Central instance settings. For information about configuring Business Central on-premises web server instances, see the configuration guide in the Microsoft Documentation.
A new window opens which contains your Application (client) ID starting with an api:// prefix. Leave it as it is by default and choose the Save button.
Choose Add a scope.
In the Edit a scope window, set the following values, and then choose the Save button:
- Scope name: user_impersonation
- Who can consent: Admins and users
- Admin consent display name: set any value (e.g., Full access to web services API)
- Admin consent description: set any value (e.g., Grants full access to the Business Central web services APIs. These APIs provide the ability to call web services APIs and modify Business Central data.)
- User consent display name: set any value (e.g., Full access to web services API)
- User consent description: set any value (e.g., Grants full access to the Business Central web services APIs. These APIs provide the ability to call web services APIs and modify Business Central data.)
- State: Enabled
Open the OAuth Settings page in Business Central and paste the following scope value in the Scopes field: api://'yourClientId'/user_impersonation offline_access

Use the Application (client) ID value as 'yourClientID'. Ensure that the " offline_access" section of the URL is included in the copied value (with a space before "offline").
Go back to Microsoft Azure. In the navigation pane, choose Certificates & secrets and then choose New client secret.
In the Add a client secret window, enter a description of the client secret, and set the expiration date, and then choose the Add button.
Copy the client secret value, open the OAuth Settings page in Business Central, and paste it in the Client Secret field. Once the secret is created, its value will no longer be accessible after the page is closed in Microsoft Azure.
In case of a non-production environment, choose the icon, enter Extension Management and choose the related link.
Locate and open COSMO Mobile Solution and then turn on the Allow HttpClient Requests toggle in the Extension Settings page.

To register a Mobile type application in an on-premises environment, follow the steps listed below.

Choose the icon, enter Mobile Solution Settings and choose the related link.
Ensure that the OAuth without Client Secret toggle is turned on.
Choose the OAuth Settings action to open the OAuth Settings page. Keep this page open during the app registration process.
Go to Microsoft Azure portal and log in with your admin account.
Enter App registrations in the search bar.
Choose New registration.
Fill in the required data and then choose the Register button:
- Name: it can be anything, e.g., MobSolTest.
- Supported account types: choose the first option if the Business Central server is in the same domain as your Azure App Registration, or the second option if they are in different domains.
- Redirect URI (optional): leave it blank, it will be set later.
Next, you'll be redirected to your App registrations window. Copy the Application (client) ID value (1), open the OAuth Settings page in Business Central and paste it in the Client ID field (2). Go back to Microsoft Azure and choose Endpoints (3).
In the Endpoints window:
- copy the following endpoint values:
- open the OAuth Settings page in Business Central and paste them in the Authorization Endpoint and Token Endpoint fields.
In the OAuth Settings page, paste the following scope value in the Scopes field: api://'yourClientId'/user_impersonation offline_access

Use the Application (client) ID value as 'yourClientID'. Ensure that the " offline_access" section of the URL is included in the copied value (with a space before "offline").
Go back to Microsoft Azure. In the navigation pane, choose Authentication and then choose Add a platform.
In the Configure platforms window, choose the Mobile and desktop applications application.
After selecting Mobile and desktop applications, the Configure Desktop + devices window opens. Enter http://localhost in the Custom redirect URIs field and then choose the Configure button.
Go back to the Authentication tab. In the Mobile and desktop applications section (which shows your previously added localhost URI), choose Add URI. Enter your Business Central communication URI, based on the following structure: https://'server name'/'YourEnvironment Name'/OAuthLanding.htm
Choose the Save button.
Open the OAuth Settings page in Business Central and paste it in the Callback URL field.
Go back to Microsoft Azure. In the navigation pane, choose Expose an API and then set your Application ID URI. Copy its value to the valid audiences in the Business Central instance settings. For information about configuring Business Central on-premises web server instances, see the configuration guide in the Microsoft Documentation.
A new window opens which contains your Application (client) ID starting with an api:// prefix. Leave it as it is by default and choose the Save button.
Choose Add a scope.
In the Edit a scope window, set the following values, and then choose the Save button:
- Scope name: user_impersonation
- Who can consent: Admins and users
- Admin consent display name: set any value (e.g., Full access to web services API)
- Admin consent description: set any value (e.g., Grants full access to the Business Central web services APIs. These APIs provide the ability to call web services APIs and modify Business Central data.)
- User consent display name: set any value (e.g., Full access to web services API)
- User consent description: set any value (e.g., Grants full access to the Business Central web services APIs. These APIs provide the ability to call web services APIs and modify Business Central data.)
- State: Enabled
In case of a non-production environment, open Business Central, choose the icon, enter Extension Management and choose the related link.
Locate and open COSMO Mobile Solution and then turn on the Allow HttpClient Requests toggle in the Extension Settings page.

Feedback
Submit feedback for this page .

Table of Contents