Guide on Service-to-Service (S2S) Authentication Flow for Business Central Integration
Chintan Prajapati This guide will walk you through setting up Service-to-Service Authentication Flow (S2S) in Microsoft Business Central. This process involves creating a new Microsoft Business Central integration.
What is Service-to-Service integration?
Service-to-Service is the integration between any two platforms/services in a secure way that doesn’t require any human intervention once set up. It can function in an automated way. A lot of platforms have the functionality to integrate in such a way.
When to use service-to-service authentication for Business Central?
As mentioned above, service-to-service authentication should be used in cases where we need to integrate a 3rd party service with Business Central in a way that once that service is set up it can work automatically and securely. A third can exchange data with Business Central using service-to-service authentication in an automated way.
Prerequisites
To complete the Business Central integration, you will need the following two things
- Administrative access to Business Central.
- Administrative access to Azure Portal Account that has an active subscription.
Steps to Set Up Service-to-Service (S2S) Authentication Flow
Register a Microsoft Entra application in the Azure Portal Account
- To begin the API integration process, Sign in to the Azure portal and register an application for Business Central in the Microsoft Entra tenant. Make sure you log in to the default directory.
- Register the application for custom integration
- Once registered, an overview of the new application will be displayed in the portal.
- Copy the Application (client) ID and Directory (tenant) ID of the registered application. You’ll need this later. You can get this value from the Overview page.
- Select Certificates & secrets > New client secret to generate a secret key for the API integration.
- Add a description, select a duration, and select Add.
- It will generate values. Copy the secret’s value to use it later.
- Add API permissions by selecting: API permissions > Add a permission > Microsoft APIs > Dynamics 365 Business Central.
- Select the permissions for your custom integration and click on “Add Permissions”
- Grant the registered application permission for the directory.
- To begin the API integration process, Sign in to the Azure portal and register an application for Business Central in the Microsoft Entra tenant. Make sure you log in to the default directory.
Set up the Microsoft Entra application in the Business Central Account
- 2In the Business Central client, search for “Microsoft Entra applications” and open the page.
- Create a New Microsoft Entra Application Card.
- In the Client ID field, enter the Application (Client) ID for the registered application in Microsoft Entra ID from step 1.
- Fill in the Description and Status to Enabled.
- Assign Admin permissions.
- https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/automation-apis-using-s2s-authentication
- 2In the Business Central client, search for “Microsoft Entra applications” and open the page.
Also Read: Guide to Integration with Microsoft Dynamics 365 Business Central for System Integrator
Calling an API in Postman
- To verify the API integration, generate an access token using the following values
- Application (client) ID (Microsoft Entra)
- Directory (tenant) Id (from Business Central)
- Client Secret Value (Microsoft Entra)
- Use this access token to call Business Central APIs, such as retrieving the account’s companies, to ensure the Business Central integration functions correctly.
- To verify the API integration, generate an access token using the following values
Here’s the C# code to generate the access token and refresh token.
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
namespace BusinessCentral.Authentication
{
internal class BusinessCentralIntegration
{
public string ClientId { get; set; }
public string ClientSecret { get; set; }
public string TenantId { get; set; }
public string Scope { get; set; }
public string LoginUrl { get; set; }
}
internal class BusinessCentralToken
{
[JsonProperty("access_token")]
public string AccessToken { get; set; }
[JsonProperty("expires_in")]
public string ExpiresAfterSeconds { get; set; }
}
internal class BusinessCentralAuthenticationHelper
{
private readonly BusinessCentralIntegration bcCredentials;
private readonly string tokenEndPointUrl;
private readonly HttpClient httpClient;
public BusinessCentralAuthenticationHelper(BusinessCentralIntegration bcCredentials, HttpClient httpClient)
{
this.bcCredentials = bcCredentials;
tokenEndPointUrl = $"{bcCredentials.LoginUrl}{bcCredentials.TenantId}/oauth2/v2.0/token";
this.httpClient = httpClient;
}
public async Task<BusinessCentralToken> GetAccessToken()
{
var requestParams = new List<KeyValuePair<string, string>>
{
new KeyValuePair<string, string>("grant_type", "client_credentials"),
new KeyValuePair<string, string>("client_id", bcCredentials.ClientId),
new KeyValuePair<string, string>("client_secret", bcCredentials.ClientSecret),
new KeyValuePair<string, string>("scope", bcCredentials.Scope)
};
var httpRequest = new HttpRequestMessage(HttpMethod.Post, tokenEndPointUrl)
{
Content = new FormUrlEncodedContent(requestParams)
};
var httpResponse = await httpClient.SendAsync(httpRequest);
var responseJson = await httpResponse.Content.ReadAsStringAsync();
if (!httpResponse.IsSuccessStatusCode)
{
throw new Exception($"Authentication failed for the following reason: {responseJson}");
}
BusinessCentralToken token = JsonConvert.DeserializeObject<BusinessCentralToken>(responseJson);
if (token == null)
{
throw new Exception($"Authentication failed. Can't deserialize response: {responseJson}");
}
return token;
}
}
}
Ensure that the token is created and the API is called properly.
Download the source code of my application here, you need to replace the blank values in the configuration.