Configure Lifecycle Services connectivity for Finance + Operations (on-premises) deployments
An on-premises local agent is used to orchestrate the deployment and servicing of Microsoft Dynamics 365 Finance + Operations (on-premises) through Microsoft Dynamics Lifecycle Services. To establish connectivity from Lifecycle Services to the Finance + Operations (on-premises) tenant, you must configure a certificate that enables the local agent to act on behalf of your Microsoft Entra tenant (for example, contoso.onmicrosoft.com).
Use either the on-premises agent certificate that you acquired from a certification authority (CA) or the self-signed certificate that you generated by using the infrastructure scripts. The on-premises agent certificate could previously be reused across multiple sandbox and production environments per tenant. However, we no longer recommend that approach for the new authentication process.
New authentication process (Bring-your-own Microsoft Entra service principal)
First-time setup
The user who runs the script must have privileges to create Microsoft Entra applications in their tenant. The script creates a new application and service principal in the tenant. It then registers a certificate. This certificate serves as the credential that is used for authentication.
To help reduce the impact of a security incident that is caused by a compromised certificate, we recommend that every environment has its own Microsoft Entra application, service principal, and certificate.
To create the Microsoft Entra application and service principal, and to register the certificate, follow these steps.
Run the following command to create the Microsoft Entra application and service principal, and to register the certificate.
# If you have issues downloading the Azure PowerShell Az module, run the following: # [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Install-Module Az -RequiredVersion 12.3.0 .\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ApplicationDisplayName 'Display name of the application'
Note
If multiple tenants are associated with the sign-in account, you can run the following command to pass the tenant ID as a parameter. In this way, you ensure that the context is set to the correct tenant.
.\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ApplicationDisplayName 'Display name of the application' -TenantId 'xxxx-xxxx-xxxx-xxxx'
Certificate renewal
Eventually, your certificate will expire. You must then renew the certificate and update the service principal with the new certificate.
To renew the certificate and update the service principal with the new certificate, follow these steps.
Renew the certificate by using the same process that you used to create the original certificate.
Run the following command to update the service principal with the new certificate.
.\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -RotateCertificate
Validating that the certificate is correctly registered
To validate that the certificate is correctly registered, run the following command.
.\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -Test
Deprecated authentication process (ERP service principal)
Note
The following steps are for the deprecated authentication process. This process is supported only for a limited time and will be retired soon. If you're using the new authentication process, follow the steps in the New authentication process (Bring-your-own Microsoft Entra service principal) section earlier in this article.
Only user accounts that have the Global Administrator directory role can add certificates to the ERP service principal. By default, the person who signs up for Microsoft 365 for your organization is the global administrator for the directory. If you aren't the global administrator, you must work with the global administrator to complete the following steps.
Important
- You must configure the certificate exactly one time per tenant. All on-premises environments under the same tenant must use the same certificate to connect with Lifecycle Services.
- If you run the following script on a server machine (for example, a machine that is running Windows Server 2019), you must temporarily turn off Internet Explorer Enhanced Security Configuration. Otherwise, the content on the Azure sign-in page is blocked.
Sign in to the Azure portal to verify that you have the Global Administrator directory role.
From the infrastructure folder, run the following commands to determine whether the certificate is already registered.
# If you have issues downloading the Azure PowerShell Az module, run the following: # [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Install-Module Az -RequiredVersion 7.4.0 .\Add-CertToServicePrincipal.ps1 -CertificateThumbprint 'OnPremLocalAgent Certificate Thumbprint' -TestImportant
If you previously installed AzureRM, you should remove it, because it might not be compatible with any existing AzureRM installations in Windows PowerShell 5.1. Learn more in Migrate Azure PowerShell from AzureRM to Az.
If the script indicates that the certificate isn't registered, run the following command.
.\Add-CertToServicePrincipal.ps1 -CertificateThumbprint 'OnPremLocalAgent Certificate Thumbprint'
Note
If multiple tenants are associated with the sign-in account, you can run the following command to pass the tenant ID as a parameter. In this way, you ensure that the context is set to the correct tenant.
.\Add-CertToServicePrincipal.ps1 -CertificateThumbprint 'OnPremLocalAgent Certificate Thumbprint' -TenantId 'xxxx-xxxx-xxxx-xxxx'