How to Set Up Business Central Service-to-Service Authentication (API Guide)

Introduction

This guide will walk you through setting up Service-to-Service Authentication Flow (S2S) in Microsoft Business Central.

This process involves creating a new Microsoft Business Central integration.
Business Central service-to-service authentication allows applications to connect and interact with Business Central APIs without requiring a user login. This is especially useful for automated integrations, background processes, and external system connections.

If you’re trying to integrate Business Central with another system (like a CRM, eCommerce platform, or custom application), understanding service-to-service authentication is essential. It uses Azure Active Directory (Azure AD) and the client credentials flow to securely authenticate applications.

In this guide, you’ll learn exactly how to set up service-to-service authentication in Business Central, along with common issues and best practices.

Quick Summary

• Service-to-service authentication allows API access without user login
• Uses Azure Active Directory (Azure AD) for authentication
• Based on OAuth 2.0 client credentials flow
• Ideal for integrations, automation, and background jobs
• Requires app registration and permission setup

What is Service-to-Service integration?

Service-to-Service is the integration between any two platforms or services in a secure way that doesn’t require any human intervention once set up.

It can function in an automated way. A lot of platforms have the functionality to integrate in such a way.

When to use service-to-service authentication for Business Central?

As mentioned above, service-to-service authentication should be used in cases where we need to integrate a third-party service with Business Central in a way that once that service is set up it can work automatically and securely.

A third can exchange data with Business Central using service-to-service authentication in an automated way.

Prerequisites

To complete the Business Central integration, you will need the following two things

• Administrative access to Business Central.
• Administrative access to Azure Portal Account that has an active subscription.

When Do You Need Service-to-Service Authentication?

You should use service-to-service authentication in Business Central when:

• You are building API-based integrations with external systems
• You want to automate processes without user intervention
• You need secure backend communication between applications
• You are syncing data between Business Central and other platforms

For example, if you are integrating a CRM or eCommerce platform with Business Central, service-to-service authentication ensures secure and uninterrupted data exchange.

How Service-to-Service Authentication Works

At a high level, the authentication flow works as follows:

• An application is registered in Azure Active Directory
• The application requests an access token using client credentials
• Azure AD validates the request and issues a token
• The application uses this token to access Business Central APIs

Common Errors and How to Fix Them

1. Invalid Client Credentials
   Ensure that your client ID and client secret are correct and not expired.
2. Missing API Permissions
   Make sure the required permissions are assigned in Azure AD and granted admin consent.
3. Unauthorized Access Errors
   Check if your Business Central environment has the correct application access enabled.
4. Token Generation Failure
   Verify that the OAuth endpoint and tenant details are correctly configured.

Real-World Use Case

A common use case for service-to-service authentication is integrating Business Central with external platforms such as CRMs, eCommerce systems, or reporting tools.

For example, a business can automatically sync customer data from a CRM to Business Central or push order data from an eCommerce platform without requiring manual login or intervention.

Conclusion

Setting up service-to-service authentication in Business Central is essential for building secure and scalable integrations. By using Azure Active Directory and the client credentials flow, you can enable applications to interact with Business Central APIs without relying on user credentials.

This approach not only improves security but also supports automation, making it ideal for modern business workflows and system integrations.

If you’re planning to integrate Business Central with external systems or automate your processes, implementing service-to-service authentication is a critical first step.

Step-by-Step: Set Up Business Central Service-to-Service Authentication

1. Register a Microsoft Entra application in the Azure Portal Account

   1. To begin the API integration process, Sign in to the Azure portal and register an application for Business Central in the Microsoft Entra tenant. Make sure you log in to the default directory.
      
   2. Register the application for custom integration
      
      
   3. Once registered, an overview of the new application will be displayed in the portal.
   4. Copy the Application (client) ID and Directory (tenant) ID of the registered application. You’ll need this later. You can get this value from the Overview page.
      
   5. Select Certificates & secrets > New client secret to generate a secret key for the API integration.
   6. Add a description, select a duration, and select Add.
      
   7. It will generate values. Copy the secret’s value to use it later.
      
   8. Add API permissions by selecting: API permissions > Add a permission > Microsoft APIs > Dynamics 365 Business Central.
      
   9. Select the permissions for your custom integration and click on “Add Permissions”
      
   10. Grant the registered application permission for the directory.
       

2. Set up the Microsoft Entra application in the Business Central Account

   1. 2In the Business Central client, search for “Microsoft Entra applications” and open the page.
      
   2. Create a New Microsoft Entra Application Card.
   3. In the Client ID field, enter the Application (Client) ID for the registered application in Microsoft Entra ID from step 1.
   4. Fill in the Description and Status to Enabled.
   5. Assign Admin permissions.
      
   6. https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/automation-apis-using-s2s-authentication

   Also Read: Guide to Integration with Microsoft Dynamics 365 Business Central for System Integrator

3. Calling an API in Postman

   1. To verify the API integration, generate an access token using the following values
      • Application (client) ID (Microsoft Entra)
      • Directory (tenant) Id (from Business Central)
      • Client Secret Value (Microsoft Entra)
      
   2. Use this access token to call Business Central APIs, such as retrieving the account’s companies, to ensure the Business Central integration functions correctly.
      

Here’s the C# code to generate the access token and refresh token.

using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

namespace BusinessCentral.Authentication
{
    internal class BusinessCentralIntegration
    {
        public string ClientId { get; set; }
        public string ClientSecret { get; set; }
        public string TenantId { get; set; }
        public string Scope { get; set; }
        public string LoginUrl { get; set; }

    }

    internal class BusinessCentralToken
    {
        [JsonProperty("access_token")]
        public string AccessToken { get; set; }

        [JsonProperty("expires_in")]
        public string ExpiresAfterSeconds { get; set; }
    }

    internal class BusinessCentralAuthenticationHelper
    {
        private readonly BusinessCentralIntegration bcCredentials;
        private readonly string tokenEndPointUrl;
        private readonly HttpClient httpClient;

        public BusinessCentralAuthenticationHelper(BusinessCentralIntegration bcCredentials, HttpClient httpClient)
        {
            this.bcCredentials = bcCredentials;
            tokenEndPointUrl = $"{bcCredentials.LoginUrl}{bcCredentials.TenantId}/oauth2/v2.0/token";
            this.httpClient = httpClient;
        }

        public async Task<BusinessCentralToken> GetAccessToken()
        {
            var requestParams = new List<KeyValuePair<string, string>>
            {
                new KeyValuePair<string, string>("grant_type", "client_credentials"),
                new KeyValuePair<string, string>("client_id", bcCredentials.ClientId),
                new KeyValuePair<string, string>("client_secret", bcCredentials.ClientSecret),
                new KeyValuePair<string, string>("scope", bcCredentials.Scope)
            };

            var httpRequest = new HttpRequestMessage(HttpMethod.Post, tokenEndPointUrl)
            {
                Content = new FormUrlEncodedContent(requestParams)
            };

            var httpResponse = await httpClient.SendAsync(httpRequest);

            var responseJson = await httpResponse.Content.ReadAsStringAsync();
            if (!httpResponse.IsSuccessStatusCode)
            {
                throw new Exception($"Authentication failed for the following reason: {responseJson}");
            }

            BusinessCentralToken token = JsonConvert.DeserializeObject<BusinessCentralToken>(responseJson);

            if (token == null)
            {
                throw new Exception($"Authentication failed. Can't deserialize response: {responseJson}");
            }

            return token;
        }
    }
}

  

Ensure that the token is created and the API is called properly.

Download the source code of my application here, you need to replace the blank values in the configuration.

FAQ

How do I set up service-to-service authentication in Business Central?

You can set up service-to-service authentication by registering an application in Azure Active Directory, assigning API permissions, generating a client secret, and using the client credentials flow to obtain an access token.

Can I access Business Central APIs without a user login?

Yes, Business Central allows API access without user login using service-to-service authentication, where applications authenticate using Azure AD instead of user credentials.

What is the client credentials flow in Business Central authentication?

The client credentials flow is an OAuth 2.0 method where an application uses its client ID and client secret to authenticate and access Business Central APIs without user involvement.

Why is my Business Central API authentication failing?

Authentication failures usually occur due to incorrect client credentials, missing API permissions, invalid tenant configuration, or expired client secrets.

What permissions are required for Business Central service-to-service authentication?

You need to assign appropriate API permissions in Azure Active Directory and grant admin consent to allow the application to access Business Central data securely.

How do I generate an access token for Business Central API?

You can generate an access token by sending a request to the Azure AD token endpoint using your client ID, client secret, and tenant details as part of the OAuth 2.0 client credentials flow.

Is service-to-service authentication in Business Central secure?

Yes, it is a secure method as it uses Azure Active Directory and token-based authentication, ensuring that only authorized applications can access your Business Central environment.

When should I use service-to-service authentication instead of user-based authentication?

You should use service-to-service authentication for automated processes, backend integrations, and system-to-system communication where user interaction is not required.