Access Business Central API’s in Azure

Business Central comes with a set of API’s that you can access from other applications. When running BC in Azure you can choose between basic authentication and Oath 2.0. The latter is preferable since the requesting app does not need to store user name and password. The user will input these when giving consent for the app to access the BC API’s. The problem with Oath 2.0 is that you receive a token for access that expires.

Using basic authentication you store a user name and a web access key in the requesting app and does not have to deale with expiring tokens. Basic authentication does work in production even thoug Microsoft says that Oath shall/should (they actually say both in the same document) be used in production.

AAD authentication

First we take a look at AAD authentication/Oath and how to set that up. The main tasks are:

  1. Create an app in Azure AD
  2. Get the Access Token in Postman
  3. Use the Access Token in Postman to access the API

1. Create the App in Azure AD

The AAD App act’s like a contract between the BC API and the requesting app.

  1. Login to Azure Active Directory
  2. Select App Registrations
  3. Click “New registration”
  4. In “Register an application”:
    1. Give the app a name
    2. Select from where your app is supposed to be accessed in “Supported Account Types”
    3. Set “” as redirect URL
    4. Click on “Register” to create the app.
  5. Click on “Certificates & Secrets”
  6. Click on “New Client Secret”
  7. In “Add a client secret”:
    1. Select if and when the client secret expires
  8. Copy the secret and save it. You will need this in Postman.
  9. Click on “API permissions”
  10. Click on “Add a permission”
  11. In “Request API permissions”:
    1. Click on “Dynamics 365 Business Central”
    2. Click on “Delegated permissions”
    3. Select “user_impersonation”
    4. Click on “Add permissions” in the bottom of the page
  12. Back in “API permissions”:
    1. Click on “Grant admin consent for <organization name>”
    2. Click on “Yes” to confirm.
  13. Click on “Overview” and copy the “Application (client) ID”. You will need this in Postman.

2. Get the Access Token in Postman

In this step you will create a collection in Postman and request an access token that is used in the requests you create in the collection.

  1. Create a new collection in Postman
  2. Give the collection a name and select the Authorization tab
  3. Select Type = Oauth 2.0
  4. Click on “Get New Access Token”
  5. Fill in the following:
    1. A Token Name
    2. “Grant Type” = “Authorization Code”
    3. “Callback URL” = “”
    4. “Auth URL” = “”
    5. “Access Token URL” = “”
    6. “Client ID” = <your client ID>
    7. “Client Secret” = <your client secret>
    8. “Scope” = “”
  6. Click on “Request Token”
  7. Authenticate with a valid user and password.
  8. Click on “Use Token”
  9. Click on “Create” to create the collection

3. Access the API

In this step we will create requests in the collection. The requests will inheret the authorization from the collection. Our aim is to retrieve a list of customers.

My example is based on the environment “sandbox”. Change that to whatever environment you want to access (e.g. “production”).

  1. Expand the collection in the list of collections
  2. Create a request to list companies in the BC database
    1. Click on “Add requests” or the three dots at the right and select “Add request”
    2. Give the request a name (e.g. “Companies”)
    3. Click on “Save to <your collection name>”
    4. Select the request in the left pane
    5. Type in “” as the URL
    6. Click on “Send” and you should get a list of companies.
    7. Copy the id of one of your companies. You will need it in the next step
    8. Click on “Save” to save the request
  3. Create another request
    1. Give the request the name “Customers”
    2. Click on “Save to <your collection name>”
    3. Type in<your company id>)/customers
    4. Click on “Send” and you should get a list of customers

Did you make it all the way down here? Good job!

What about using basic authentication? Well, that’s much easier. There’s no need to mess around in AAD.

Basic authentication

  1. Create a user in BC with a web access key
  2. Create a collection in Postman with basic authentication. The username shall not include the domain name
  3. Create a request to list your companies. The URL now follows this syntax:<domain>/<environment>/api/v1.0/companies

Basic was a bit easier 🙂 But is it supported by Microsoft in the long run? I don’t know.

No comments yet.

Leave a Reply