Azure App registration


App registration setup for Business Central web services OAuth authentication

Open portal.azure.com, search for App registrations:

Click New registration:

Fill the necessary fields:

Name – logical name for the Application

Supported account types – select Single Tenant

Redirect URL

Redirect URI

It is important to add a Web redirect URI:

https://businesscentral.dynamics.com/OAuthLanding.htm

Click Register, open the API permissions menu, then add a new permission:

When registering API permissions, you have two options to choose from: Delegated permissions and Application permissions.

Delegated permissions use a user's Microsoft 365 account as a validation type. Because of that, the user needs to log in with a Microsoft account via the graphical user interface and provide credentials. Permissions are delegated from the logged-in user, and every action is logged and recorded as a user action.

Application permissions are commonly used for external services (API calls), which can run in the background and do not require a user account (Service-to-Service approach). This permission flow allows customizing permissions and is not linked to any specific Microsoft user account. Because of that, validation does not require logging in to a Microsoft account through a graphical user interface; authentication requires an Application (Client) ID and a Secret key.

Add these permissions for API access:

If Power BI integration will be used, add these permissions as well:

After adding the permissions, click Grant admin consent for . If everything is set up correctly, the status column should have a green icon in each permission row.

Next, go to Certificates & secrets and create a new client secret. Copy the Value and save it for later use. You will not be able to see that value again after you leave this tab:

Next, go to the Overview menu and copy the Application (Client) ID. Save this value for later use:

Now we have all the credentials necessary for OAuth authentication:

Azure Tenant ID (structure: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)

Application (Client) ID (from Overview tab) (structure: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)

Secret Value (from Certificates & secrets tab) (structure: xxxxx~xxxxxx-xxxxxxx-xxxxxx~xxxxxxxxxxxx)

App registration setup in Business Central:

In Business Central, open the „Microsoft Entra Applications“ page and create a new card for the Entra application.

In the Microsoft Entra application card, enter the Client ID (Application ID from Azure app registration) and name in the Description field. Add required permission sets and change the State from Disabled to Enabled. After completing these actions, the global administrator needs to click the Grant Consent button to grant access to this Entra Application.

Calling the Business Central external API using Postman

Create a new Postman collection. In the collection's authorization tab, select OAuth 2.0 as the Auth type.

Following settings

Field – Value

Add auth data to – Request Headers

Header Prefix – Bearer

Configuring New Token

Field – Value

Grant Type – Client Credentials

Access Token URL – https://login.microsoftonline.com/{{Tenant}}/oauth2/v2.0/token

Client ID – {{ClientID}}

Client Secret – {{ClientSecret}}

Scope – https://api.businesscentral.dynamics.com/.default

Client Authentication – Send client credentials in body

Variables

The values {{ClientID}}, {{ClientSecret}} and {{Tenant}} are collection variables holding the values from the Azure application.

To test whether the values are correct, click „Get New Access Token“; if they are, a new access token will be generated.

To execute and test a request, create a GET request in the current collection that retrieves the environment's companies. You can use this URL structure:

https://api.businesscentral.dynamics.com/v2.0/{{Tenant}}/{{EnvironmentName}}/api/{{APIVersion}}/companies/

URL Structure

Part of URL – Explanation

https://api.businesscentral.dynamics.com/v2.0/ – URL base

{{Tenant}} – Tenant ID

{{EnvironmentName}} – Name of the environment

{{APIVersion}} – API version, current API version „v2.0“

companies – API endpoint name

In the request's authorization tab, select Auth type – Inherit auth from parent (this automatically adds the access token).
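The same client-credentials exchange outside Postman, as an added example that is not part of the original page: it builds the token request and the companies request described above and checks the token's claims before use. The function names, the BC_* environment variable names and the expected `aud` value are assumptions of this example.

```python
import base64, json, os, time, urllib.parse, urllib.request

RESOURCE = "https://api.businesscentral.dynamics.com"

def token_request(tenant, client_id, client_secret):
    """POST to the Access Token URL with the client credentials in the body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": RESOURCE + "/.default",
    }).encode()
    t = urllib.parse.quote(tenant, safe="")
    url = f"https://login.microsoftonline.com/{t}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body, method="POST")

def token_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = access_token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def claim_problems(claims, tenant, now=None):
    """List reasons the token would not work for app-only Business Central calls."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("tid") != tenant:
        problems.append("token issued by a different tenant")
    if claims.get("aud") != RESOURCE:  # assumed audience, derived from the scope
        problems.append("unexpected audience")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not claims.get("roles"):  # empty when no application permission was consented
        problems.append("no application permissions in token")
    return problems

def companies_request(tenant, environment, access_token, api_version="v2.0"):
    """GET .../api/{APIVersion}/companies with the Bearer header prefix."""
    t, e = (urllib.parse.quote(p, safe="") for p in (tenant, environment))
    url = f"{RESOURCE}/v2.0/{t}/{e}/api/{api_version}/companies"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})

if __name__ == "__main__" and "BC_CLIENT_SECRET" in os.environ:  # live run only
    tenant, env = os.environ["BC_TENANT"], os.environ["BC_ENVIRONMENT"]
    req = token_request(tenant, os.environ["BC_CLIENT_ID"], os.environ["BC_CLIENT_SECRET"])
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    print(claim_problems(token_claims(token), tenant) or "token looks usable")
    with urllib.request.urlopen(companies_request(tenant, env, token)) as resp:
        print([c["name"] for c in json.load(resp)["value"]])
```

The secret is read from the environment rather than written into the script, so it does not end up in source control or in an exported collection.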

Calling other Standard Business Central API

URL Structure: https://api.businesscentral.dynamics.com/v2.0/{{Tenant}}/{{EnvironmentName}}/api/{{APIVersion}}/companies({{CompanyId}})/{{Endpoint}}

Part of URL – Explanation

https://api.businesscentral.dynamics.com/v2.0/ – URL base

{{Tenant}} – Tenant ID

{{EnvironmentName}} – Name of the environment

{{APIVersion}} – API version, current API version „v2.0“

companies({{CompanyId}}) – Id of the selected company retrieved from the Companies endpoint

{{Endpoint}} – Endpoint name

All of the standard API endpoints, with all available fields, are listed in the Microsoft documentation, which you can view here:

Welcome to the API (v2.0) for Business Central

If you are using E-Invoice, please refer to the product's documentation:

E-Invoice Overview