OAuth 2.0 Service-to-Service
Endpoint management authentications allow setting up a Service-to-Service (sometimes referred to as S2S or Server-to-Server) authorization.
There are three fundamental steps in an S2S configuration:
- Configuring an App registration in Azure Active Directory
- Adding the application in your ERP or CRM
- Adding a corresponding authentication in Dynamicweb
App registration in Azure AD
To add an app registration, go to https://portal.azure.com/ > App registrations > New registration, choose single tenant application access and give your application a suitable name.
Next, copy the Application (client) ID and the Directory (Tenant) ID from the App overview screen and go to Certificates & secrets to add a new Client secret. Make sure to copy the value of the client secret once it is added, since this will be hidden henceforth.
Go to Authentication and add a new web platform. Add the URL of your Dynamicweb solution to the list of redirect URIs. For S2S authorization to a Business Central client, you should also add the URL https://businesscentral.dynamics.com/OAuthLanding.htm to the same list.
Finally, go to API permissions and add a new permission for the application (Dynamics 365 Business Central/Dynamics ERP/Dynamics CRM). The type of permission should be set to Application permission. Select the appropriate permissions from the available options (most likely API.ReadWrite.All depending on the scenario).
Check out this Microsoft Learn article for more information on Azure app registrations.
Business Central - adding the application
To add your new application to your Business Central instance, open BC and search for Azure Active Directory.
Click new, paste the Client ID of your application and change the state to enabled. Please note that your Business Central user needs the SECURITY permission to change the state of Azure AD apps.
To use the S2S authentication with a Dynamicweb Plug-in unit, a few configurations to the Azure AD application must be made inside Business Central.
- Select the Dynamicweb Plug-In Unit from the list of installed extensions, by clicking the App ID field under general settings.
- Add the D365 BUS FULL ACCESS permission to the application card's User Permission Sets.
- To integrate with a Plug-in unit with custom fields, you also need to add the dedicated DYNAMICWEBPERMISSION included in Business Central plug-in unit version 1.2.0.29.

The official details on using S2S with Business Central can be found here.

Finance & Operations - adding the application
To add your Azure AD application in Finance & Operations, search for Azure Active Directory Applications, click new, add the Client ID of your application, a suitable name and select a user (you can select the ADMIN user or any available user with the required permissions).
Dynamics CRM - adding the application
To add your Azure AD application to your CRM instance, go to the Power Platform Admin Center, select your environment and open S2S apps.
Add a new app user, and select your Azure AD application from the list of available apps.
Add the authentication in Dynamicweb
In Dynamicweb, go to Settings > Integration > Endpoint Management and click Add authentication.
Give your authentication a suitable name and select OAuth 2.0 - Service-to-Service as type.
Paste the Tenant ID, Client ID and Client Secret from your Azure AD application and save.
Unlike the OAuth 2.0 - User impersonation flow, the S2S authentication does not prompt the user to log in to obtain an access token. Instead, the token is exchanged between Dynamicweb and the remote system as a background service, sometimes referred to as a daemon.
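To check that an S2S setup yields an app-only token with the Application permission chosen above, the following added example (not Dynamicweb's own code) builds a standard client-credentials token request and inspects the claims of a returned token. It assumes the Microsoft identity platform v2.0 token endpoint and the Business Central `.default` scope, neither of which is stated on this page. The tenant ID, client ID and sample tokens are constructed placeholders.

```python
import base64, json
from urllib.parse import urlencode

# Assumption: Microsoft identity platform v2.0 token endpoint (not stated on this page).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Assumption: Business Central resource; other remote systems use their own resource URI.
BC_SCOPE = "https://api.businesscentral.dynamics.com/.default"

def build_token_request(tenant_id, client_id, client_secret, scope=BC_SCOPE):
    """Return (url, form body) for a client-credentials token request."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})
    return TOKEN_URL.format(tenant=tenant_id), body

def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_s2s_token(claims, tenant_id, client_id, required_role="API.ReadWrite.All"):
    """Return a list of problems; an empty list means the expected app-only token."""
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured tenant")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("appid/azp does not match the configured client ID")
    if "scp" in claims:  # scp carries delegated scopes, roles carries application permissions
        problems.append("scp present: delegated (user) token, not app-only")
    if required_role not in claims.get("roles", []):
        problems.append("missing application role " + required_role)
    return problems

def _sample_jwt(claims):
    """Build an unsigned, constructed sample token for offline inspection."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT"}), enc(claims), ""])

TENANT = "00000000-0000-0000-0000-000000000001"  # constructed placeholder
CLIENT = "00000000-0000-0000-0000-000000000002"  # constructed placeholder
GOOD = _sample_jwt({"tid": TENANT, "appid": CLIENT, "roles": ["API.ReadWrite.All"]})
BAD = _sample_jwt({"tid": TENANT, "appid": CLIENT, "scp": "user_impersonation"})

if __name__ == "__main__":
    print(build_token_request(TENANT, CLIENT, "<client-secret>")[0])
    print(check_s2s_token(decode_claims(GOOD), TENANT, CLIENT))
    print(check_s2s_token(decode_claims(BAD), TENANT, CLIENT))
```

A token that fails the role check usually means the API permission was added as Delegated rather than Application, or was never granted admin consent.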
