How to authorize user via Admin Consent for a user trying to gain access to Business Central via Postman?

Jeff B 25 Reputation points
2023-06-01T16:24:46.05+00:00

I am trying to grant permission to a user (non-admin) for accessing Microsoft Business Central via Postman. I can access as the admin with no issue, thus I know my headers and parameters are set up correctly, e.g., Client ID, secret, callback URL, scope, etc. are all correct.

I thought granting the admin consent for the organization in the API Permissions within Azure's App Registrations would do it, but no.

...nor in the Enterprise Applications:

I keep getting an "Approval Required" notification.

Even though I repeatedly approve, the request keeps coming:

What am I missing? What do I need to check? How many more admin consents must I grant...LOL?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Marilee Turscak-MSFT 36,246 Reputation points Microsoft Employee
    2023-06-03T00:41:25.6333333+00:00

    Hi @Jeff B ,

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    You granted admin consent for the organization in the API Permissions in the App Registration, but users still received the "Approval Required" notification. The request did not show up in "Pending", and even though you repeatedly approved them, the requests kept coming and the prompts kept reappearing. All requests showed up as having an "Approved" status.

    Solution:

    Under the App registration > [app name] > API permissions you added the Dynamics 365 Business Central "user_impersonation" permission which allows users to impersonate their user account.

    If you have any other questions or are running into more admin consent issues, please let me know. I had also surfaced your issue with the product team to get clarity around the permission requirements so that we can update the documentation.

    Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 additional answer

  1. Jeff B 25 Reputation points
    2023-06-02T18:35:43.3033333+00:00

    I think I found a solution - maybe not the answer, but it works.

    Firstly, let me review the changes I made that did NOT work:

    • Adding the User to Admin consent requests in Enterprise application -> Consent and permissions -> Admin consent settings
    • Giving the user a permission classification and then adding that classification to the app via Enterprise application -> Consent and permissions -> Permission Classifications
    • Modifying the following manifest lines in the app under App registration -> [app name] -> Manifest
      • "allowPublicClient": true
      • "oauth2AllowIdTokenImplicitFlow": true
      • "oauth2AllowImplicitFlow": true

    What did work was under the App registration -> [app name] -> API permissions adding the Dynamics 365 Business Central "user_impersonation" permission which allows users to impersonate their user account.

    I'm not exactly sure what that means as the description seems a bit circular, i.e., "I would like to impersonate myself", but my job is not to quiz, just make it work... or whatever Tennyson said. LOL
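
Added example, not part of the original thread and not Microsoft's code: a way to confirm that a non-admin user's access token actually carries the delegated `user_impersonation` scope that both answers identify as the missing piece. It decodes the token payload without verifying the signature (diagnosis only); the audience value and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

# Assumed audience for Business Central; compare with the aud in a working admin token.
BC_AUDIENCE = "https://api.businesscentral.dynamics.com"
REQUIRED_SCOPE = "user_impersonation"  # delegated permission named in the answers


def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str) -> list[str]:
    """List the reasons this token does not carry the delegated permission."""
    claims = decode_claims(token)
    problems = []
    aud = str(claims.get("aud", ""))
    if aud.rstrip("/") != BC_AUDIENCE:
        problems.append(f"aud is {aud!r}, not {BC_AUDIENCE!r}")
    scopes = str(claims.get("scp", "")).split()  # delegated scopes, space separated
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"scp {scopes} lacks {REQUIRED_SCOPE!r}")
    if "roles" in claims and "scp" not in claims:
        problems.append("app-only token (roles, no scp): not issued for a signed-in user")
    return problems


def _make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data, not a real token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    samples = {
        "with permission": {"aud": BC_AUDIENCE, "scp": "user_impersonation"},
        "without permission": {"aud": BC_AUDIENCE, "scp": "openid profile"},
    }
    for label, claims in samples.items():
        print(label, "->", diagnose(_make_token(claims)) or "OK")
```

Paste the access token Postman received for the non-admin user into `diagnose()`; an empty list means the delegated scope is present and any remaining failure lies elsewhere.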