How to use OAuth2.0 in Power Automate Custom Conne...

Anonymous · ‎09-07-2021

I recently discovered the Business Central Administration Center API and the Business Central Automation API. In short, these 2 types of APIs allow you to manage many aspects of a Business Central SaaS tenant, environment and company. You can do calls to get current environments, create new ones, copy Production/Sandbox environments, create new companies inside Business Central, import users, update permission sets, etc.

This intrigued me to create a Power App for a client who wanted to automate many of these features as they use BC for educational purposes. But, before starting to create the app, I started to create the flows to be triggered.

As these 2 APIs are not created as Connectors in Power Automate, I had to create 2 Custom Connectors. In the past, I have created custom connectors but all with Basic Authentication. This time, I had to use OAuth2.0 as this is the type of authentication used by the APIs.

App registration is Azure

First step is to register an application in Azure. For those of you that know how to do this, skip ahead.

Access portal.azure.com and navigate to Azure Active Directory (either using the Search bar or the icon on the Home page), App Registration.

From here, press "New registration". In the next window, give the app a name, for example "Business Central Web Service Client", leave it as Single Tenant and leave the Redirect URI empty for now, we will come back later to complete it.

Now that the app is registered, we have to do 2 things, create a client secrete and give proper permission for the app.

Client Secrete

Select "Certificates & secretes" from the sidebar. On the next screen, select "New client secrete".

Give the Client secrete a descriptive name so you know where you have used it and an expiration period. For test purposes, I allocate the maximum value which is 2 years.

Now, grab the value of the Client secrete and paste it in a Notepad. We'll need it later.

API permission

From the home screen of the app, select API Permissions. From default there is one permission added but we need 3 more. To do this, press the "Add permission" button.

On the next screen, make sure that "Microsoft APIs" is selected, after search for "Dynamics 365 Business Central".

Select it, then select "Delegated permissions".

Next, select the 2 options presented and click "Add permission".

For the last permission you have to click again "Add permission" but instead of selecting "Dynamics 365 Business Central" you need to select "Microsoft Graph". Then again, select "Delegated permission". Then add the "Read and write all groups" permission found under the "Groups" folder.

As a last step, you need to grant Admin consent by pressing the "Grant Admin consent " button.

Before heading to Power Automate, go the "Overview" tab of the app and copy the Client ID value.

For now, we are done with Azure and we can start creating our Custom Connector.

Custom Connector OAuth2.0 Authorization Setup

Access the Power Automate platform and start creating a new Custom Connector. Use "HTTPS" schema. The host should be "api.businesscentral.dynamics.com" and the Base URL "/".

Now to the tricky part, Security. Select Authentication Type "OAuth 2.0" and Identity Provider "Azure Active Directory".

The fields that are required are all form the App Registration. insert the "Client ID" and "Client Secrete" that you saved from the app in Azure. Log-in URL and Tenant ID should be left on their default values (really counterintuitive as you can get these from Azure as well, but it only works this way).

Now, the part that gave me the most headache is the "Resource URL". This has to be "https://api.businesscentral.dynamics.com". The other 2 fields should be left on their default values. Once finished, it should look like this:

Now, at the bottom you can see the last field "Redirect URL" which is currently empty. For this field to be populated you have to save the Connector. After doing so, this file will contain a URL similar to "https://global.consent.azure-apim.net/redirect". Copy the URL and head bac to the Azure Portal, and open your registered app.

Once there, click on "Authentication" and "Add new platform".

This action will open a pop-up, select "Web". Now fill in the Redirect URI with the value generated by the custom connector and click "Configure".

Now, we are completely done in Azure. Before leaving don't forget to Save the changes on the Authentication page. We will continue setting up the Custom Connector.

In the "Definition" page, create the API Call you want to use. For this blog post, I will use the Get Environments function. It is of form:

https://api.businesscentral.dynamics.com/admin/v2.7/applications/environments

I will not go into details about how to configure the call, I will write a separate blog post for that purpose. After you define the call you can test it. When you are on the test page, the first thing you have to do is create a new connection. When you press the "New connection" button, a pop-up will appear (make sure the browser is not blocking them) with the very familiar Microsoft Authentication screen. If you set up everything correctly, the connection will be created and you can start using the APIs.

Postman configuration

In order to use these APIs in Postman, you have to do a bit of a different set-up as Postman does not have Azure Active Directory OAuth 2.0 authentication, it only has the standard OAuth.

In Postman, create a new collection and define the following Security on the collection level:

Type: OAuth 2.0
Token Name: Anything will do
Callback URL: https://businesscentral.dynamics.com/
Auth URL: https://login.windows.net/YOURTENANTID/oauth2/authorize?resource=https://api.businesscentral.dynamics.com
Access token URL https://login.windows.net/YOURTENANTID/oauth2/token?resource=https://api.businesscentral.dynamics.com
Client ID: From the Azure App
Client Secrete: From the Azure App

The other setting should be left on their default setting. At the end, your configuration should look like this:

Click "Generate New Access Token" and you should be granted with a pop-up that shows he familiar Microsoft Authentication page. Once you sing in with your account, the Access Token will be generate and can be used to authenticate when for the API calls.

I hope this post helped you to get a better understanding of how to use OAuth 2.0 when creating a Power Automate flow or a Postman call. Feel free to leave comments with any questions or suggestions.

Thank you for reading!

Akos

chass · ‎09-07-2021

Great Post!

Thank you for writing it!

Chuck

dkkip · ‎03-09-2022

Thank you for this post!

I am using an OAuth 2.0 Custom Connector in Power Apps with Application Permissions in Business Central for Service to Service use. My custom connector works, but the token expires after 60 minutes, breaking the connection, and I have to grant approval again.

Is there a way to configure the custom connector in Power Apps so it retains permissions, or gets a refresh token automatically?

RicoVT98 · ‎05-24-2023

@dkkip have you found any answer to your question above? I am currnetly experiencing similar issue. Does the OAuth2 implementation in Custom Connector doesn't currently support self refresh token? And does it not support Application Flow?

krsolem · ‎06-06-2023

If I am creating a custom connector that I plan to get certified. Does the connector app registration need to be multi-tenant? And does a user in another tenant have to have the app registration provisioned/consented to in their tenant in order to use the custom connector?