Graph API to access Business Central using Application Client Credentials

Gareth Thom 0 Reputation points
2024-03-25T14:23:13.1366667+00:00

How do I go about connecting to the new Business Central API in the Microsoft Graph Beta version using Application Client Credentials (i.e. using a service application to connect using a client secret)?

I have set up my app registration with admin rights:

User's image

Along with the required permissions for the Client ID associated with the above App Registration in Business Central on the Microsoft Entra Application Card:

User's image

I have tested all of this works using a PowerShell script that calls "Get-MsalToken" to get a client secret token to scope "https://api.businesscentral.dynamics.com/.default" and then calling "Invoke-RestMethod" to GET "https://api.businesscentral.dynamics.com/v2.0/$environment/api/v2.0/XXX" with "Bearer [AccessToken]" header added. I can call whatever API I like here and it all works great.

However, when using the Graph Beta API with the following VB.Net code:

Dim options = New ClientSecretCredentialOptions With {
   .AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
}
Dim creds As New ClientSecretCredential(_DomainName, _ClientID, _ClientSecret, options)
Dim GraphServiceClient = New GraphServiceClient(creds, {"https://api.businesscentral.dynamics.com/.default"})
Dim Companies = Await GraphServiceClient.Financials.Companies.GetAsync

I get issued with what looks to me like a suitable bearer token:

User's image

But the last line in that code snippet results in the following exception: "Microsoft.Graph.Beta.Models.ODataErrors.ODataError: Access token validation failure. Invalid audience.".

I have also tried the same code with the default "https://graph.microsoft.com/.default" Graph scope, but that returns the following exception: "Microsoft.Graph.Beta.Models.ODataErrors.ODataError: The server has rejected the client credentials.".

I have also tried setting various base URLs but I just can't get this to work - they either result in the same errors as above or I get: "Microsoft.Graph.Beta.Models.ODataErrors.ODataError: Request data is invalid.".

Can someone please point me in the right direction of what I'm doing wrong?

Thanks,
Gareth

Microsoft Security Microsoft Graph

1 answer

  1. CarlZhao-MSFT 46,371 Reputation points
    2024-03-26T09:25:54.5366667+00:00

    Hi @Gareth Thom

    I noticed that you are creating a GraphServiceClient object and calling the GET https://graph.microsoft.com/beta/financials/companies API, but the audience of your token is https://api.businesscentral.dynamics.com, which means it does not apply to the Graph API.

    You should pass the https://graph.microsoft.com/Financials.ReadWrite.All scope to create the GraphServiceClient object, but as far as I know this endpoint does not support application permissions yet, so you cannot use the client credentials flow to request an access token; use the delegated auth code flow or ROPC flow instead.

    User's image

    By the way, if you want to call the GET https://api.businesscentral.dynamics.com/v2.0/$environment/api/v2.0/XXX API in VB code, then you should create an HttpClient object and pass the token header.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
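
The audience mismatch described in this thread can be caught on the client before the request is sent. The following is an added example, not code from the question or the answer: it reads the `aud` claim of a token and only builds the `HttpClient` request when that audience matches the host being called. The module and function names, the `ENVIRONMENT` placeholder, the `companies` path segment and the unsigned sample token are assumptions constructed for illustration, and the check assumes `aud` is a resource URI as it is for the token in the question.

```vb
Imports System
Imports System.Net.Http
Imports System.Net.Http.Headers
Imports System.Text
Imports System.Text.Json

Module AudienceCheck
    ' Read "aud" from a compact JWT. The signature is NOT verified:
    ' this is a client-side diagnostic, not token validation.
    Function GetAudience(jwt As String) As String
        Dim parts = jwt.Split("."c)
        If parts.Length <> 3 Then Throw New FormatException("Not a compact JWT")
        Dim b64 = parts(1).Replace("-"c, "+"c).Replace("_"c, "/"c)
        b64 = b64.PadRight(b64.Length + (4 - b64.Length Mod 4) Mod 4, "="c)
        Using doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)))
            Return doc.RootElement.GetProperty("aud").GetString()
        End Using
    End Function

    ' Build the request only when the token was issued for the host being called.
    Function BuildRequest(token As String, url As String) As HttpRequestMessage
        Dim aud = GetAudience(token)
        Dim target = New Uri(url)
        Dim audUri As Uri = Nothing
        If Not Uri.TryCreate(aud, UriKind.Absolute, audUri) OrElse
           Not String.Equals(audUri.Host, target.Host, StringComparison.OrdinalIgnoreCase) Then
            Throw New InvalidOperationException($"Token audience '{aud}' does not match '{target.Host}'")
        End If
        Dim req = New HttpRequestMessage(HttpMethod.Get, target)
        req.Headers.Authorization = New AuthenticationHeaderValue("Bearer", token)
        Return req
    End Function

    Function B64Url(s As String) As String
        Dim b = Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
        Return b.TrimEnd("="c).Replace("+"c, "-"c).Replace("/"c, "_"c)
    End Function

    Sub Main()
        ' Constructed, unsigned sample token (not a real credential).
        Dim token = B64Url("{""alg"":""none""}") & "." &
            B64Url("{""aud"":""https://api.businesscentral.dynamics.com""}") & ".sig"
        Dim ok = BuildRequest(token, "https://api.businesscentral.dynamics.com/v2.0/ENVIRONMENT/api/v2.0/companies")
        Console.WriteLine("Accepted for " & ok.RequestUri.Host)
        Try
            BuildRequest(token, "https://graph.microsoft.com/beta/financials/companies")
        Catch ex As InvalidOperationException
            Console.WriteLine("Rejected: " & ex.Message)
        End Try
    End Sub
End Module
```

In a real client the token string would come from the credential object rather than from the constructed sample, and the returned request would be passed to `HttpClient.SendAsync`.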

