OAuth 2.0 Service-to-Service

Endpoint management authentications allow setting up a Service-to-Service (sometimes referred to as S2S or Server-to-Server) authorization.

There are three fundamental steps in an S2S configuration:

  1. Configuring an App registration in Microsoft Entra
  2. Adding the application in your ERP or CRM
  3. Adding a corresponding authentication in Dynamicweb

To add an app registration go to https://entra.microsoft.com/ > App registrations > New registration, choose single tenant application acces and give your application a suitable name.

Next, copy the Application (client) ID and the Directory (Tenant) ID from the App overview screen and go to Certificates & secrets to add a new Client secret. Make sure to copy the value of the client secret once it is added, since this will be hidden henceforth.

Go to Authentication and a new web platform. Add the URL of your Dynamicweb solution to the list of redirect URIs.

For S2S authorization to a Business Central client, you should also add the URL https://businesscentral.dynamics.com/OAuthLanding.htm for cloud hosted Business Central instance, or you are using an on-prem version, the URL of your Business Central browser client, followed by /oauthlanding.htm - for example: https://MyServer/BC200/OAuthLanding.htm 

Finally, go to API permissions and add a new permission for the application (Dynamics 365 Business Central/Dynamics ERP/Dynamics CRM). The type of permission should be set to Application permission. Select the appropriate permissions from the available options. The required permission is most likely API.ReadWrite.All but please refer to the official Azure Active Directory API permission documentation to learn more.

Check out this Microsoft learn article more information on Microsoft Entra app registrations.

To add your new application to your cloud hosted Business Central instance, open BC and search for Microsoft Entra Applications.

In here, click new, paste the Client ID of your application and change the State to enabled. Please notice that your Business Central user needs SECURITY persmission to change states of Microsoft Entra apps. 

 

Figure 3.1 The application card general settings in Business Centralq

Adding the application to an on-prem Business Central instance is achieved through a CMD with admin rights by following steps 3 and 4 in this Microsoft Learn article. 

The official details on the using S2S with Business Central can be found here.

To configure what is exposed through the Microsoft Entra Application:

  • Go to the User Permissions Sets menu at the bottom of the Application Card
  • Add the D365 BUS FULL ACCESS permission to the list of User Permission Sets.

To use the S2S authentication with a DynamicWeb Plug-in unit exposing custom fields, you also need to add the dedicated DYNAMICWEBPERMISSION (Business Central plug-in unit version 1.2.0.29 or later required)

To complete the setup of your Microsoft Entra application, you (or a member of the organization with the appropriate privileges) must grant consent for the application to expose data. There are two possible ways of doing this:

The first way is to click the Grant Consent button in the Application Card from within the Business Central Web interface. This will bring up a log-in window, where you can use your Microsoft Entra credentials to grant consent.

However, granting consent requires one of the following three Azure Active Directory roles:

  • Global Administrator
  • Application Administrator
  • Cloud Application Administrator

If you have not been assigned such a role in Azure Active Directory, it is possible to let an administrator of one of the aforementioned kinds grant consent through the Azure Active Directory web interface instead.

Consent is granted in the API permissions area of Active Directory as shown below.

To add your Entra application in Finance & Operations, search for Microsoft Entra Applications, click new, add the Client ID of your application, a suitable name and select a user (you can select the ADMIN user or any available user with the required permissions).

To add your Entra application to your CRM instance, go to the Power Platform Admin Center, select your enviroment and open S2S apps.

Add a new app user, and select your Entra application from the list of available apps.

In Dynamicweb, go to Settings > Integration > Endpoint Management and click Add authentication.

Give your authentication a suitable name and select OAuth 2.0 - Service-to-Service as type.

Paste the Tenant ID, Client ID and Client Secret from your Microsoft Entra application and save. 

If connecting to an on-premice solution, write the appropriate for either BC, F&O or CRM as stated in the hint text.

Unlike the OAuth 2.0 - User impersonation flow, the S2S authentication does not prompt the user for log in, in order to obain an acces token. Instead the token is exchanged between Dynamicweb and the remote system as a background service, sometimes refered to as a daemon. 

When the S2S application has been registered in Microsoft Entra and has been added to your on-prem Business Central solution, you can utilize the authentication from within your Dynamicweb connector service (version 2.2.0 or later) by setting the config like in the example below:

XML
<NavConnector> <add key="NavEndpoint" value="https://d365bcsandbox2:7047/BC/WS/CRONUS%20Nederland%20BV/Codeunit/DWWebService" /> <!-- SET CREDENTIAL TYPE TO S2S HERE --> <add key="ClientCredentialType" value="S2S" /> <!-- Options for Not OAuth mode --> <add key="UserName" value="" /> <add key="Password" value="" /> <add key="Domain" value="" /> <!-- Set IgnoreCertificateWarnings to true for https endpoints using self-signed or untrusted certificates. Useful for testing. Should be avoided in production. --> <add key="IgnoreCertificateWarnings" value="True" /> <!-- PROVIDE YOUR OAUTH S2S CREDENTIALS HERE --> <add key="TenantId" value="7dd45d63-24fc-4edd-8ad8-5fd66b6f9733" /> <add key="ClientId" value="6945a908-9a4b-44fa-9ced-6fa84bd4a866" /> <add key="ClientSecret" value="pHm8Qkfc9bBLQVbZu" /> <add key="EnableOAuthLog" value="false" /> </NavConnector>