Category: Business CentralRead time: 7 MinsPublished on: 13 Jan 2026

Setting Up OAuth 2.0 for Business Central Integration

  1. Home
  2. Blog
  3. Setting Up OAuth 2.0 for Business Central Integration

In the world of Microsoft Dynamics 365 Business Central, security is no longer an "optional" feature, it’s the foundation. With Microsoft officially deprecating legacy Web Service Access Keys (Basic Auth), moving to OAuth 2.0 is no longer just a best practice; it is a requirement for any modern integration.

However, moving from a simple username-and-password setup to a token-based framework can feel like a daunting task. Between navigating the Microsoft Entra ID (formerly Azure AD) portal, choosing the right "Grant Type," and configuring the correct API permissions, there are many places where things can go wrong.

OAuth is an open standard used to authorize access to web services and APIs. Business Central uses the OAuth protocol for both SOAP and OData web services, allowing users to authenticate with their Microsoft 365 or Microsoft Entra credentials when accessing Business Central web services.

Our Business Central consultants provide detailed instructions on enabling and configuring OAuth 2.0 on the Azure Portal. It also includes steps for generating and testing the OAuth token for Business Central Web Services using Postman.

1. Setting up OAuth 2.0 for Business Central Integration

Enabling and Configuring OAuth on the Azure Portal

STEP 1: Login to the Azure portal (https://portal.azure.com/)

Microsoft Azure portal home page showing search bar, options for Azure free trial, Microsoft Entra ID management, student benefits, and icons for services like App registrations, Storage accounts, SQL databases, SQL servers, App Services, and Storage browser

STEP 2: In the Azure portal, find "App registrations" or use the search function to find it.

Azure portal search results for 'app registrations,' highlighting the App registrations service option, with other services like App Services, Azure Cosmos DB, and Azure Database for MySQL servers also listed.

STEP 3: On the App registrations page, click on “New registration”.

Azure portal App registrations page showing the 'New registration' button highlighted, with tabs for Endpoints, Troubleshooting, Refresh, Download, and a search bar for filtering owned applications.

STEP 4: Choose a name for the application and who can use this app or access API. In this example we are using single tenant. In the Redirect URL select the web and enter the business central URL to register your application.

Azure portal 'Register an application' page showing fields for application name, supported account types (single tenant, multitenant, personal accounts), optional redirect URI, and a blue Register button at the bottom.

STEP 5: Next, we need to grant the API permission. Click on “API permissions” on the menu and then click “Add a permission”

Azure portal API permissions page for BC Integration app, showing the 'Add a permission' button highlighted, configured permissions list, and navigation menu with API permissions selected on the left.

STEP 6: After clicking “Add a permission”, the available API permissions will pop up. If you can’t see Business Central, it is because the user doesn’t have a valid license.

Screenshot of the Azure portal showing the API permissions configuration for a BC Integration app registration.

STEP 7: Click on Delegated Permissions and add “user_impersonation” and “Financials.ReadWrite.All”.

Azure portal Request API permissions screen showing delegated permissions selected, with user_impersonation and Financials.Read Write. All checked for access as signed-in user.

STEP 8: Repeat STEP 6 to add application permissions. Click on Application permissions and check “app_access”, “API.ReadWrite.All”, and “Automation.ReadWrite.All”.

Screenshot of a BC app interface for requesting API permissions, showing options to select delegated or application permissions with application permissions highlighted.

STEP 9: After adding permissions, we go back to the API permissions page. We will click on “Grant admin consent

Azure portal showing configured API permissions for an app, with 'Grant admin consent for Congruent Software (usa) Inc.' checked and various permissions like API.ReadWrite.All, app_access, and user_impersonation listed with their consent status.

STEP 10: Click on “Yes” to grant admin consent. All permissions will display “Granted for”

Azure portal showing API permissions for Dynamics 365 Business Central and Microsoft Graph, with all permissions status marked as 'Granted for '.

STEP 11: Next, we need to add the new client secret, for that go to the "Certificates and secrets" in the menu, and click on "New client secret".

Azure portal Certificates & secrets page for BC Integration app, highlighting the 'New client secret' button under Client secrets tab, with no client secrets created yet.

STEP 12: Enter client secret description and assign when it expires. 

STEP 13: After adding the client secret we can see that our client secret is added in the "Certificates and secrets" page, now copy and save the client secret value in the notepad, as we will need it later for token generation in Postman. Client secret values cannot be viewed, except for immediately after creation. Be sure to save the secret when created before leaving the page.

STEP 14: Now, go back to the Overview section. Copy and save the Application (client) ID in the notepad as well, this Id is also required for token generation in Postman.

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

STEP 15: Click on the Endpoints in the Overview page to find authorization and token URLs. These URLs will be used to authorize and generate a token for the request

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

2. Register Microsoft Entra Applications

The Microsoft Entra Applications page is used to register an Azure or Entra App within BC. This setup enables external services to authenticate via OAuth using the app’s Client ID and Tenant ID and ensures they receive the appropriate permissions.

STEP 1: Login to Business Central and Search for Microsoft Entra Applications. Click on New to register your app.

STEP 2: Copy the Application (client) ID from the Azure portal into the Client ID field in Business Central, then set the State to Enabled. The system will automatically populate the User ID, Username, and User Telemetry ID fields.

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

STEP 3: Assign the appropriate User Permission Sets directly to the user and ensure they have sufficient access rights. You can use D365 BUS BASIC for standard access or select other module-specific permission sets as needed, avoiding the use of the SUPER permission set.

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

3. Testing the OAuth token using Postman

STEP 1: Login to Business Central and Search for the Web Service

STEP 2: Now, copy the OData V4 URL for any of the services that you want to test.

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

STEP 3: In Postman, create a new request, and paste the OData V4 URL that you have just copied. Then, in the Authorization tab and select "OAuth 2.0" as the type.

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

STEP 4: Enter the Token Name the name of the app that we created on azure, and then specify the grant type as "Authorization Code".

STEP 5:  For the Callback URL, enter “https://businesscentral.dynamics.com/”

STEP 6: Copy the Auth URL from Azure portal (refer STEP: 15 from “Enabling and configuring OAuth on the Azure Portal”). The Auth URL should be in the format " https://login.microsoftonline.com/[TENANT_ID] /oauth2/v2.0/authorize” where you need to replace [TENANTID] with your TENANT ID.

STEP 7: The Access Token URL should also be in a similar format: as "https://login.microsoftonline.com/[TENANTID]/oauth2/v2.0/token?resource=https://api.businesscentral.dynamics.com" replace the [TENANTID] with your TENANT ID.

STEP 8: "Client ID" is the "Application (client) ID" we copied in notepad from the azure portal

STEP 9: "Client Secret" is the client secret value that we copied in STEP 13.

STEP 10: Provide the scope as “https://api.businesscentral.dynamics.com/.default”

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

STEP 11: After entering all parameters, click on “Get New Access Token”, it will take us to the login screen. Just enter the user ID and password that we use for the Business Central login, after that we will see Authentication complete message.

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

STEP 12: Use generated token and send the request

Power BI interface showing the initial 'Add data to start' screen with the 'Get Data' icon highlighted.

Contact our experts if you have any questions on setting up Oauth 2.0 for Business Central.