Entra Application Security
How our Entra (Azure AD) application integrates with Microsoft 365 for Business Central. Details scope, security measures and compliance.
Introduction
This page details how we access Business Central from our Cloud Integration Platform and which security measures exist to make sure that your Business Central environment stays safe.
Summary
Our Entra (Azure AD) Application has been scoped to only ask for the access needed to sign in and access Business Central. It does not request, nor is it granted, permissions to other Microsoft 365 services (e.g. Exchange, SharePoint, Teams).
All calls to Business Central are made over secure (HTTPS) connections and are authenticated with OAuth, using a short-lived token that is refreshed often. The client secret used to generate the access token is also limited in lifespan to avoid having any long-lived keys.
All access keys are stored securely in vaults and can only be accessed by our Cloud Integration Platform. No other system is allowed access to this vault.
Our Cloud Integration Platform must also have a configured connection to actually access any Business Central environment. Without this no requests to the environment will be made.
It is possible to scope the permissions further in Business Central to allow access only to certain companies and tables. By default access is restricted to a limited set of Golden EDI tables, only what is required by the integration.
We follow Microsoft best practices and utilize their standard identity and consent frameworks for the communication. This ensures adherence to security policies and standards.
Entra (Azure AD) Application Scope
Client ID:
We have explicitly limited the Entra Application (named Golden EDI) to a small set of API permissions that scope it to only allow sign-ins and access to Business Central. They are the minimum required set of permissions to allow services to access Business Central APIs.
The Graph API permission we request is used for delegated login towards Business Central and is what allows us to log in as an unlicensed user. This user is configured inside Business Central on the Entra Application card and can be scoped to tables and companies as desired by using standard permissions.
Permissions
Microsoft Graph - User.Read - Delegated: Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. It further allows access to your Business Central as user Golden EDI.
Dynamics 365 Business Central - API.ReadWrite.All - Application: Grants full access to the Business Central web services APIs. These APIs provide the capability to call web services APIs and modify Business Central data.
Consent
During the grant consent procedure you will be shown a dialog listing which permissions we ask for, and it will (and should) show a blue seal next to our organisation name, indicating that we are an identified publisher.

Entra Application Consent
Before our Entra Application is allowed to access any Business Central environment a user must grant consent. This is a manual action taken by someone with Entra administrator permissions in the Entra tenant that contains the Business Central environment.
If consent is not given, or if it has been revoked, no further access to Business Central will be possible until the procedure is redone.
This action is initiated from within the Business Central environment that one wants to allow Golden EDI to access. It can be started from the "Entra Applications" page or by running the assisted setup "Golden EDI - Initialize", which must be called to register the application.
Within the "Microsoft Entra Applications" list our app should be present; if not, it can be added by using the assisted setup or manually by clicking New and entering all relevant details. During registration of the application the system will automatically create a user with the same name. This is the user used by our Cloud Service, and it can be scoped as normal in Business Central using permissions.

Clicking on the listed application opens a card page showing all the relevant details and permissions for the Entra Application. Here you can also initiate the "Grant Consent" procedure if it wasn't done during the initialization.

When this action is initiated the user will be presented with a dialog that they will have to accept, assuming they have adequate permissions within both Business Central and Entra. Any permissions not listed in the dialog will not be granted.

Entra Application User and Permissions
When the Entra Application is created a user will be automatically created in Business Central. This user is what the Cloud Integration Platform will use for identification purposes when making calls to the Business Central environment.
This user will by default, if added through our assisted setup, have a purpose-made permission set that builds upon the standard "D365 BASIC" and "D365 AUTOMATION" permission sets, with a few of our tables and pages included. This permission set is named "GEDI CLOUD PLATFORM" and can be added to the user if it isn't already added.
The permissions can be found on the Entra Application card for the application. It is possible to scope the permissions to limit the rights to one or more specific companies in the environment. We do not do this by default, instead opting to set the limited permissions without company scoping.

Below is a list of all the permissions included in the limited permission set "GEDI CLOUD PLATFORM" that we use and recommend for our application user.
Included Rights
Inherited rights from "D365 BASIC"
Allows login from APIs through OAuth; without this we can't access the system.
Table "GEDI Message Queue" and pages "GEDI Message Queue", "GEDI API Message Queue"
Used to be able to read and write messages to the message queue.
Table "GEDI Message Line" and pages "GEDI Message Lines", "GEDI API Message Lines"
Used to be able to read and write message contents for a message in the queue.
Table "GEDI Class Information" and page "GEDI Class Information"
Used to be able to update the classes and their properties that are available to be used when creating mappings.
Table "GEDI Profile" and page "GEDI Profiles"
Used to read the profiles configured in the system and their connection details. This determines what Cloud Integration Platform connections are available.
Table "GEDI Message Code" and page "GEDI Message Codes"
Used to read the configured message codes and find codes that the Cloud Integration Platform should be able to read from the message queue.
Table "GEDI Class Setup" and page "GEDI Class Setup"
Used to find which message code, class and property should be used when writing a message to the queue.
Table "GEDI Setup"
Used to read setup information during handling.
Page "GEDI Library List"
Deprecated page used to interact with available libraries in the app; it has been replaced.
Page "GEDI API Message Lines DI" and page "GEDI API Message Lines DI Part"
Used to do deep-insert writes to the system, an option to write a message to the queue and bulk write the lines for that message together. The Cloud Integration Platform uses this when writing messages in the newer versions of the application instead of "GEDI API Message Queue" and "GEDI API Message Lines".
Cloud Integration Platform Security
During the normal operations of the Cloud Integration Platform it will need to login and make calls towards Business Central frequently. To ensure both adequate performance and security we've made sure to optimize the storage of the tokens used for authentication.
The longer-lived security key and tokens, used to generate the ephemeral access token, are stored securely in a key vault. This vault is limited to only grant access to the Cloud Integration Platform; no other system has access.
The shorter-lived access token is stored in a state database. The standard lifetime for these tokens, as enforced by Microsoft, is twenty minutes. When they have expired we request a new token using the security details.
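The token handling described above, as an added example and not Golden EDI's own code: the long-lived client secret is read from the vault only when a new token is needed, the short-lived access token is kept in a state store, and it is re-requested shortly before its expiry. The token endpoint and Business Central scope are the public Microsoft identity platform values; tenant and client IDs, the vault lookup and the store are placeholders you supply.

```python
import json, time, urllib.parse, urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Public Microsoft identity platform token endpoint and the Business Central resource scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
BC_SCOPE = "https://api.businesscentral.dynamics.com/.default"
REFRESH_MARGIN_SECONDS = 60  # renew a little before the roughly twenty-minute expiry


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # epoch seconds


def request_token(tenant: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials grant over HTTPS; the secret travels only in this POST body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": BC_SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenProvider:
    """Hands out a valid access token, touching the vault and Entra only when needed.

    store         -- stand-in for the state database (tenant -> cached token)
    secret_lookup -- reads the client secret from the key vault (never stored here)
    fetch / now   -- injectable so the refresh logic can be exercised offline
    """

    def __init__(self, store: Dict[str, CachedToken], secret_lookup: Callable[[str], str],
                 fetch: Callable[[str, str, str], dict] = request_token,
                 now: Callable[[], float] = time.time) -> None:
        self._store, self._secret_lookup = store, secret_lookup
        self._fetch, self._now = fetch, now

    def get_access_token(self, tenant: str, client_id: str) -> str:
        cached: Optional[CachedToken] = self._store.get(tenant)
        if cached and cached.expires_at - self._now() > REFRESH_MARGIN_SECONDS:
            return cached.access_token  # still valid: no vault read, no token request
        secret = self._secret_lookup(client_id)
        payload = self._fetch(tenant, client_id, secret)
        token = CachedToken(payload["access_token"], self._now() + int(payload["expires_in"]))
        self._store[tenant] = token
        return token.access_token
```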