How To for OnBehalfOf services access sample
Yury Opolev edited this page Oct 22, 2020 · 8 revisions
In order to access various services within a tenant on behalf of any user in the tenant, you'll need to set up an Azure AD Application with delegated permissions to the services, then grant admin consent to the services. Here are the steps for doing this:
Set up a single-tenant application:
- Sign in to the Azure portal as an admin user and add an application registration.
- Under supported account types, specify “Accounts in this organizational directory only”, and register the application.
- Add a Redirect URI to the application: go to “Authentication” -> “Platform Configurations” -> “Add a platform”, choose “Web” and specify the “Redirect Uri”. Set the Redirect URI value to https://businesscentral.dynamics.com/OAuthLanding.htm so that information can be received from Azure AD to acquire tokens for the application.
- Add a client secret.
- Add an Application ID URI: go to “Overview” -> “Add an Application ID URI” -> “Set”. Normally the Application ID URI will be api://{Application ID}.
- Now add delegated permissions for this application so it can access all needed services, such as Business Central, SharePoint, Power BI, Graph, and so on. Go to "API Permissions" -> "Add a permission", and add the required permissions.
- After the permissions are added, grant admin consent for them.
Now the application is fully set up. It has an Application ID URI, a secret, and a Redirect URI, and has delegated access to all needed services within the given tenant. This means that it is now possible to acquire on-behalf-of tokens.
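To confirm that a registration matches the steps above, the following added example (not part of the original page or the sample's code) audits an application manifest exported from the portal. It assumes the Azure AD manifest attributes `signInAudience`, `replyUrlsWithType`, `passwordCredentials`, `identifierUris` and `requiredResourceAccess`; reporting extra redirect URIs and application-type (`Role`) permissions is added strictness, and the sample manifest is constructed.

```python
REDIRECT_URI = "https://businesscentral.dynamics.com/OAuthLanding.htm"  # from the page

def audit_manifest(manifest):
    """Return findings where an app registration deviates from the steps above."""
    findings = []
    # Single tenant: "Accounts in this organizational directory only".
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not AzureADMyOrg (single tenant)")
    # The Business Central landing page must be registered as a Web redirect URI.
    web_uris = [r.get("url") for r in manifest.get("replyUrlsWithType", [])
                if r.get("type") == "Web"]
    if REDIRECT_URI not in web_uris:
        findings.append("Web redirect URI for OAuthLanding.htm is missing")
    # Added strictness (assumption): any other redirect URI is reported for review.
    findings += [f"unexpected Web redirect URI: {u}" for u in web_uris if u != REDIRECT_URI]
    # A client secret must exist.
    if not manifest.get("passwordCredentials"):
        findings.append("no client secret configured")
    # Application ID URI, normally api://{Application ID}.
    id_uris = manifest.get("identifierUris", [])
    if not id_uris:
        findings.append("no Application ID URI set")
    elif f"api://{manifest.get('appId', '')}" not in id_uris:
        findings.append("note: Application ID URI is not api://{appId}")
    # Delegated permissions have type "Scope"; "Role" is an application permission.
    perms = [(res.get("resourceAppId"), p) for res in manifest.get("requiredResourceAccess", [])
             for p in res.get("resourceAccess", [])]
    if not perms:
        findings.append("no API permissions requested")
    findings += [f"non-delegated permission {p.get('id')} on {res}"
                 for res, p in perms if p.get("type") != "Scope"]
    return findings

# Constructed sample manifest (placeholder GUIDs, not a real tenant or application).
SAMPLE = {
    "appId": "00000000-0000-0000-0000-000000000001",
    "signInAudience": "AzureADMultipleOrgs",
    "replyUrlsWithType": [{"url": REDIRECT_URI, "type": "Web"},
                          {"url": "https://localhost/callback", "type": "Web"}],
    "identifierUris": ["api://00000000-0000-0000-0000-000000000001"],
    "passwordCredentials": [{"keyId": "00000000-0000-0000-0000-0000000000aa"}],
    "requiredResourceAccess": [{
        "resourceAppId": "00000000-0000-0000-0000-0000000000bb",
        "resourceAccess": [{"id": "00000000-0000-0000-0000-0000000000c1", "type": "Scope"},
                           {"id": "00000000-0000-0000-0000-0000000000c2", "type": "Role"}]}],
}

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE)))
```

An empty list means the exported manifest agrees with every step on this page; admin consent is not recorded in the manifest and still has to be checked under "API Permissions".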