OAuth 2.0 Service-to-Service

Endpoint management authentications allow setting up a Service-to-Service (sometimes refered to as S2S or Server-to-Server) authorization.

There are three fundamental steps in an S2S configuration:

  1. Configuring an App registration in Azure Active Directory
  2. Adding the application in your ERP or CRM
  3. Adding a corresponding authentication in Dynamicweb

To add an app registration go to https://portal.azure.com/ > App registrations > New registration, choose single tenant application acces and give your application a suitable name.

Next, copy the Application (client) ID and the Directory (Tenant) ID from the App overview screen and go to Certificates & secrets to add a new Client secret. Make sure to copy the value of the client secret once it is added, since this will be hidden henceforth.

Go to API permissions to add the relevant permissions to your app registration. The exact permissions needed may differ from scenario to scenario, but generally, an S2S authorization uses Application permissions rather than deligated permissions. Please note that application permissions require Azure AD admin consent. 

If you intend to use the S2S authentication to integrate with a Plug-in unit with custom fields, you need to add the dedicated DYNAMICWEBPERMISSION included in Business Central plug-in unit version

Finally add the URL of your Dynamicweb solution to the list of redirect URIs in Authentication. For S2S authorization to a Business Central client, you should also add the URL https://businesscentral.dynamics.com/OAuthLanding.htm to the same list. 

Check out this Microsoft learn article more information on Azure app registrations.

To add your new application to your Business Central instance, open BC and search for Azure Active Directory.

Click new, paste the Client ID of your application and change the state to enabled. Please notice that your Business Central user needs SECURITY persmission to change states of Azure AD apps. 

The official details on the using S2S with Business Central can be found here.

To add your Azure AD application in Finance & Operations, search for Azure Active Directory Applications, click new, add the Client ID of your application, a suitable name and select a user (you can select the ADMIN user or any available user with the required permissions).

To add your Azure AD application to your CRM instance, go to the Power Platform Admin Center, select your enviroment and open S2S apps.

Add a new app user, and select your Azure AD application from the list of available apps.

In Dynamicweb, go to Settings > Integration > Endpoint Management and click Add authentication.

Give your authentication a suitable name and select OAuth 2.0 - Service-to-Service as type.

Paste the Tenant ID, Client ID and Client Secret from your Azure AD application and save. 

Unlike the OAuth 2.0 - User impersonation flow, the S2S authentication does not prompt the user for log in, in order to obain an acces token. Instead the token is exchanged between Dynamicweb and the remote system as a background service, sometimes refered to as a daemon.