How to: Set Up an Azure Active Directory App

  1. In a web browser, enter your organization's Azure portal (portal.azure.com).
  2. In Azure services, click Azure Active Directory.
  3. In the Manage section of the left navigation bar, click App registrations.
  4. Create the application in Azure (click New Registration).
  5. Insert a name for your app (for example LSCentral).

  6. Here you must make an important choice: decide if the application will be single tenant or multitenant.

    If the application will only be used inside one organization, choose single tenant, for example when the application is a portal developed in-house or a self-hosted web shop.
    Choose multitenant if you develop an application that will be used by other organizations to integrate with their LS Central environment.

  7. In the Redirect URI section, select Web and then enter this URL: https://businesscentral.dynamics.com/OAuthLanding.htm

    Note: This property is case-sensitive.

  8. Click Register to create the application.

    Tip: Copy the Application (client) ID from the overview screen to a text file. You will need this later when you register the application in LS Central and when you call the APIs.

  9. Set the API permissions that the external application needs:
    1. Click API permissions in the left navigation menu, and then click Add a permission.

    2. From the list of commonly used Microsoft APIs, select Dynamics 365 Business Central. Since the app is going to have its own account in LS Central, you must select Application permissions. This type is for applications that run as a background service without a signed-in user.
    3. In the Request API permissions page, click the Application permissions button.
    4. There are three permissions available:
      • app_access - Can be ignored; it is not accepted by LS Central.
      • API.ReadWrite.All - Gives full access to all LS Central APIs, including the automation APIs.
      • Automation.ReadWrite.All - Gives full access to only the automation APIs. This is useful for applications that will manage the environment, install extensions, and so on.

      In the Status column on the previous API Permissions page, you can see that the newly added permission has not been granted for the current organization.
      If you are registering a single tenant application, you could click the Grant admin consent action. This also makes sense if you are registering a multitenant application that will be used in your own organization as well. In all other cases, when the application will be used by another organization, access must be granted from LS Central. For more information, see How to: Create the External Application Account in LS Central.

  10. The last step in registering the app in Azure is to create a secret.
    Click Certificates & secrets in the left navigation menu, and then click the New client secret action.

  11. In the Add a client secret page, select an expiration period in the Expires field, and click Add.

    Note: Do not forget to copy the created secret because this is the only time you will see it.

    Tip: You cannot set an unlimited expiration period. The longest period is 24 months. This means that you must update the secret occasionally.

You have now completed the first step to register the application in Azure. The next step is to create the application account in LS Central.
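
To confirm that the registration carries only the permission chosen in step 9, the following added example (not part of the original page or of LS Central) inspects the claims of an access token issued to the app. It assumes that application permissions appear in the token's `roles` claim and the client ID in `appid` or `azp`, as in Microsoft identity platform access tokens; the sample token and client ID are constructed, and the signature is not verified, so the code is for inspection only.

```python
import base64
import json
import time


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "constructed"])


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def review_token(token, expected_client_id, allowed_roles, now=None):
    """Return findings; an empty list means the token matches the registration."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []
    # Assumption: v1 tokens carry the client ID in 'appid', v2 tokens in 'azp'.
    if claims.get("appid", claims.get("azp")) != expected_client_id:
        findings.append("token not issued to the expected Application (client) ID")
    roles = set(claims.get("roles", []))
    if not roles:
        findings.append("no application permissions in token; consent may not be granted")
    for role in sorted(roles - set(allowed_roles)):
        findings.append(f"permission not in allow-list: {role}")
    if claims.get("exp", 0) <= now:
        findings.append("token has expired")
    return findings


if __name__ == "__main__":
    client_id = "00000000-0000-0000-0000-000000000001"  # constructed placeholder
    token = make_sample_token({"appid": client_id, "roles": ["API.ReadWrite.All"],
                               "exp": int(time.time()) + 3600})
    # An automation-only app should not hold API.ReadWrite.All.
    for finding in review_token(token, client_id, {"Automation.ReadWrite.All"}):
        print(finding)
```

An empty result for a token requested with the new client ID and secret indicates that consent was granted and that the app holds no permission beyond the ones you allow.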