
    Set Up Authentication Method = OAuth 2.0

    If the Authentication Method is set to OAuth 2.0, you must set up an app registration in the Microsoft Entra admin center or the Azure Portal. This is a standard part of Microsoft authentication.

    Note

    The app registration must be done in the Microsoft Entra/Azure account that manages the users who will use COSMO Graphical Extension. Therefore, in customer environments, registration must be done in the customer's Active Directory. Domain administrator rights are mandatory for completing the app registration.

    This section provides step-by-step instructions for setting up the OAuth 2.0 authentication method for use with COSMO Graphical Extension. To gain further insight into the standard process of Microsoft authentications, see Get started developing Connect apps for Dynamics 365 Business Central in the Microsoft Dynamics 365 Business Central Help.

    To set up an app registration

    The steps for setting up an app registration differ depending on whether you are using the Microsoft Entra admin center or the Azure Portal. Additionally, some steps are different based on whether you are using a SaaS or On-Premises environment.

    Using the Microsoft Entra admin center

    1. Sign in to the Microsoft Entra admin center.

      Microsoft Entra admin center

    2. Log into your Microsoft Entra account if not already logged in.

    3. In the navigation pane, choose Applications > App registrations.

      Open App Registrations in Microsoft Entra ID

    4. On the action bar, choose New registration.

      Create new registration in Microsoft Entra ID

    5. In the Register an application window, enter a display name for the application. Users might be able to see this name during sign in.

      Prepare to register an application

    6. The options in the Supported account types section determine who will have access to the registered application. Choose Help me choose for help with selecting the best option.

      Due to the nature of this application, we recommend using the default Accounts in this organizational directory only ... option.

    7. Ignore the Redirect URI section.

    8. Choose the Register button.

      Register the application

    9. The registered application window opens and the Essentials section shows various IDs for the application.

    10. Use the Copy to clipboard icon at the end of each of the following IDs to copy the ID, and then paste the IDs somewhere (like Notepad) for easy retrieval later in the process:

      • Application (client) ID
      • Directory (tenant) ID

      Copy client and tenant IDs

    11. In the navigation pane, choose API permissions.

      Open API Permissions

    12. In the API Permissions window, choose Add a permission.

      Add an API Permission

    13. In the Request API permissions window, choose the Dynamics 365 Business Central tile.

      Choose the Business Central API

    14. In the next window, choose the Delegated permissions tile.

      Assign delegated permissions to the application

    15. In the Select permissions section, under Other permissions, select the check box for user_impersonation.

    16. Choose the Add permissions button.

      Select API permission

    17. In the navigation pane, choose Certificates & secrets.

      Open Certificates and Secrets

    18. The Certificates & secrets window opens. In the Client secrets section, choose New client secret.

      Create new client secret

    19. Enter a description, such as App secret.

    20. Set the expiration of the client secret. The longest period possible is two years from the current date.

    21. Choose the Add button.

      Add client secret

    22. At the end of the Value field, choose the Copy to clipboard icon and paste the key to the same location as the IDs in step 7.

      Copy client secret

      Important

      Copy the key for the Client Secret as soon as it is shown and paste it to a safe place. It will not be shown again after it is generated.

    23. Before moving to the next step, ENSURE that you have copied and saved the Client Secret to a safe location.

    Now you must enter the Redirect URL, which is a Business Central URL.

    1. In the navigation pane, choose Authentication.

      Open authentication to add Redirect URL

    2. In the Authentication window, under Platform configurations, choose Add a platform.

      Add a platform

    3. In the Configure platforms window, choose the Web tile.

      Choose Web platform

    4. In the Redirect URIs section, enter this URL: https://businesscentral.dynamics.com/OAuthLanding.htm for SaaS environments or http[s]://<hostname>/<instance>/OAuthLanding.htm for On-Premises environments. Ensure that OAuthLanding is written using this syntax.

      Add Redirect URL

    5. After entering the URL, choose the Configure button.

      Sample Redirect URL added for SaaS environment

    6. In the Web section, choose Add URI.

      Add alternate Redirect URL

    7. In the new field, enter the same URL as above but add a forward slash to the end: https://businesscentral.dynamics.com/OAuthLanding.htm/ for SaaS environments or http[s]://<hostname>/<instance>/OAuthLanding.htm/ for On-Premises environments. Ensure that OAuthLanding is written using this syntax.

      Add alternate Redirect URL with forward slash at end for SaaS environment

      Note

      A trailing slash is usually optional in web addresses, but it is not optional for the Redirect URL. If the slash is not entered correctly, an error message is shown later in the process, so both variants are entered here to prevent that error.

    8. Choose the Save action.

      Save the Redirect URL

    The application registration process is complete.

    Using the Azure Portal

    1. Sign in to the Azure Portal.

      Azure Portal

    2. Log into your Azure account if not already logged in.

    3. Open Microsoft Entra ID (formerly Azure Active Directory) either by:

      • entering Microsoft Entra ID in the search bar and then choosing the related link.
      • choosing Microsoft Entra ID in the Azure services section.

      Open Microsoft Entra ID (formerly Azure Active Directory)

    4. In the navigation pane, choose App registrations.

      Open App Registrations in Microsoft Entra ID

    5. On the action bar, choose New registration.

      Create new registration in Microsoft Entra ID

    6. In the Register an application window, enter a display name for the application. Users might be able to see this name during sign in.

      Prepare to register an application

    7. The options in the Supported account types section determine who will have access to the registered application. Choose Help me choose for help with selecting the best option.

      Due to the nature of this application, we recommend using the default Accounts in this organizational directory only ... option.

    8. Ignore the Redirect URI section.

    9. Choose the Register button.

      Register the application

    10. The registered application window opens and the Essentials section shows various IDs for the application.

    11. Use the Copy to clipboard icon at the end of each of the following IDs to copy the ID, and then paste the IDs somewhere (like Notepad) for easy retrieval later in the process:

      • Application (client) ID
      • Directory (tenant) ID

      Copy client and tenant IDs

    12. In the navigation pane, choose API permissions.

      Open API Permissions

    13. In the API Permissions window, choose Add a permission.

      Add an API Permission

    14. In the Request API permissions window, choose the Dynamics 365 Business Central tile.

      Choose the Business Central API

    15. In the next window, choose the Delegated permissions tile.

      Assign delegated permissions to the application

    16. In the Select permissions section, under Other permissions, select the check box for user_impersonation.

    17. Choose the Add permissions button.

      Select API permission

    18. In the navigation pane, choose Certificates & secrets.

      Open Certificates and Secrets

    19. The Certificates & secrets window opens. In the Client secrets section, choose New client secret.

      Create new client secret

    20. Enter a description, such as App secret.

    21. Set the expiration of the client secret. The longest period possible is two years from the current date.

    22. Choose the Add button.

      Add client secret

    23. At the end of the Value field, choose the Copy to clipboard icon and paste the key to the same location as the IDs in step 11.

      Copy client secret

      Important

      Copy the key for the Client Secret as soon as it is shown and paste it to a safe place. It will not be shown again after it is generated.

    24. Before moving to the next step, ENSURE that you have copied and saved the Client Secret to a safe location.

    Now you must enter the Redirect URL, which is a Business Central URL.

    1. In the navigation pane, choose Authentication.

      Open authentication to add Redirect URL

    2. In the Authentication window, under Platform configurations, choose Add a platform.

      Add a platform

    3. In the Configure platforms window, choose the Web tile.

      Choose Web platform

    4. In the Redirect URIs section, enter this URL: https://businesscentral.dynamics.com/OAuthLanding.htm for SaaS environments or http[s]://<hostname>/<instance>/OAuthLanding.htm for On-Premises environments. Ensure that OAuthLanding is written using this syntax.

      Add Redirect URL

    5. After entering the URL, choose the Configure button.

      Sample Redirect URL added for SaaS environment

    6. In the Web section, choose Add URI.

      Add alternate Redirect URL

    7. In the new field, enter the same URL as above but add a forward slash to the end: https://businesscentral.dynamics.com/OAuthLanding.htm/ for SaaS environments or http[s]://<hostname>/<instance>/OAuthLanding.htm/ for On-Premises environments. Ensure that OAuthLanding is written using this syntax.

      Add alternate Redirect URL with forward slash at end for SaaS environment

      Note

      A trailing slash is usually optional in web addresses, but it is not optional for the Redirect URL. If the slash is not entered correctly, an error message is shown later in the process, so both variants are entered here to prevent that error.

    8. Choose the Save action.

      Save the Redirect URL

    The application registration process is complete.


    Gather authentication URLs

    The following URLs are added to the Graphical Extension Setup page in Business Central:

    • Callback URL – https://businesscentral.dynamics.com/OAuthLanding.htm for SaaS environments or http[s]://<hostname>/<instance>/OAuthLanding.htm for On-Premises environments
    • Authorization URL – https://login.microsoftonline.com/<Your Tenant ID>/oauth2/v2.0/authorize
    • Resource URL – https://api.businesscentral.dynamics.com

    You will need to replace the <Your Tenant ID> placeholder in the URL with the Directory (tenant) ID that you saved in step 10 or 11 above, depending on which environment you are using. It may help to paste the URL to the same place and update the placeholders with the tenant ID before starting the next section.
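
    The following Python check is an added example, not part of the COSMO documentation or product: it compares the values gathered above (IDs, the three URLs, and the redirect URIs registered in the app registration) before they are pasted into Business Central. The function name check_settings, the sample GUIDs and the host bc.example.test are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
SAAS_CALLBACK = "https://businesscentral.dynamics.com/OAuthLanding.htm"
RESOURCE_URL = "https://api.businesscentral.dynamics.com"
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def check_settings(tenant_id, client_id, callback_url, authorization_url,
                   resource_url, registered_redirect_uris):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    for label, value in (("Directory (tenant) ID", tenant_id),
                         ("Application (client) ID", client_id)):
        if not GUID.fullmatch(value):
            findings.append(f"{label} is not a GUID: {value!r}")
    if "<" in authorization_url:
        findings.append("Authorization URL still contains a <...> placeholder")
    elif authorization_url != AUTHORIZE.format(tenant=tenant_id):
        findings.append("Authorization URL does not match the tenant ID")
    if resource_url != RESOURCE_URL:
        findings.append(f"Resource URL should be {RESOURCE_URL}")
    parts = urlsplit(callback_url)
    if not parts.path.endswith("/OAuthLanding.htm"):
        findings.append("Callback URL must end in /OAuthLanding.htm, spelled exactly")
    if parts.scheme != "https":
        findings.append("Callback URL is not HTTPS: the sign-in response is sent unencrypted")
    # The registration steps add the callback both without and with a trailing slash.
    for variant in (callback_url, callback_url + "/"):
        if variant not in registered_redirect_uris:
            findings.append(f"Redirect URI not registered: {variant}")
    return findings


if __name__ == "__main__":
    # Constructed sample values (not real IDs); the host name is hypothetical.
    tenant = "11111111-2222-3333-4444-555555555555"
    client = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    onprem = "http://bc.example.test/BC/oauthlanding.htm"
    for finding in check_settings(
            tenant, client, onprem,
            "https://login.microsoftonline.com/<Your Tenant ID>/oauth2/v2.0/authorize",
            RESOURCE_URL, [onprem]):
        print("FINDING:", finding)
```

    An empty result means the values are consistent with each other; it does not confirm that consent was granted or that the client secret is valid.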

    To update OAuth 2.0 information in Business Central

    1. Open Microsoft Dynamics 365 Business Central.

    2. Choose the Tell Me (lightbulb) icon, enter Graphical Extension Setup, and then choose the related link.

      Graphical Extension Setup

    3. In the Authentication FastTab, choose OAuth 2.0 in the Authentication Method field.

      Choose OAuth 2.0 in Authentication FastTab

    4. In the Callback URL field, paste in the following URL: https://businesscentral.dynamics.com/OAuthLanding.htm for SaaS environments or http[s]://<hostname>/<instance>/OAuthLanding.htm for On-Premises environments.

    5. In the Authorization URL field, paste in the URL using your tenant ID in the placeholder: https://login.microsoftonline.com/<Your Tenant ID>/oauth2/v2.0/authorize

    6. In the Resource URL field, paste in the following URL: https://api.businesscentral.dynamics.com

      Sample authentication URLs added for SaaS environment

    7. For On-Premises environments, in the Reverse Proxy URL field on the General FastTab, enter http[s]://<hostname:port>/<instance> to specify the OData Service URL. You can find the OData path in the Web Services page.

    8. On the Actions menu, choose the Set OAuth Client ID & Secret action.

      Set OAuth Client ID and Secret

      This tells Business Central where to find the authentication.

      GX Access OAuth 2.0 Client ID and Client Secret

    9. In the OAuth 2.0 Client ID field, enter the Application (client) ID saved in step 10 of the Microsoft Entra admin center or step 11 in the Azure Portal in To set up an app registration.

    10. In the OAuth 2.0 Client Secret field, enter the client secret saved in step 22 of the Microsoft Entra admin center or step 23 in the Azure Portal in To set up an app registration.

      Enter OAuth 2.0 Client ID and Client Secret

    11. Choose the OK button.

    To check if the authentication was set up successfully

    1. On the Actions menu, choose the Test Web Service action.

      Test Web Service

    2. A Microsoft account login page opens. Choose the account to log into.

      Microsoft Account Login

    3. A new browser window opens. In the Permissions requested window, select the Consent on behalf of your organization check box.

      Give permission to sign in to the GX Registration app

      Important

      Only a domain administrator can give consent and approve the permission.

      Accept consent to give permission to sign in to the GX Registration app

    4. The browser closes and if setup was successful, a confirmation message opens and the icon is green in the Web Service field on the General FastTab.

      Successful OAuth 2.0 authentication setup

    5. Choose the OK button to close the message.

    If the test fails, a message opens and the Web Service icon is red. Revisit the steps listed in this topic to determine what was missed.


    2025 © COSMO CONSULT