Microsoft Dynamics 365 Business Central – OAuth Setup - Celigo Connection Tutorial

Since there were no in-depth tutorials available on the Celigo Community, I decided to share a complete and practical guide. OAuth setup for Microsoft 365 Business Central can be tricky, so I’ve documented the full process to help you connect M365 to Celigo more easily:

Provided by Teknuro.com
For questions or implementation support, contact: nuri@teknuro.com

Background

Microsoft has deprecated the use of Web Service Access Keys for Business Central Online. Integrations must now use OAuth2.0.

This guide walks you through creating an OAuth App Registration in Azure Portal for use with Celigo integrator.io or other integration platforms.

Step-by-Step: Set up OAuth in Azure

1. Go to Azure Portal

Navigate to: https://portal.azure.com

2. Register a new application

• Search for App registrations

This image shows the Microsoft Azure portal homepage with a search bar being used to find 'app registration,' displaying related services and documentation. (Captioned by AI)1920×952 99.7 KB

• Click New registration

The image shows the Microsoft Azure App registrations page with options for new registration, endpoints, and troubleshooting. (Captioned by AI)2344×1178 212 KB

• Fill in:
  • Name: (e.g., Celigo Demo)
  • Supported account types: Choose as per your organization
• Click Register

The image shows a Microsoft Azure interface for registering an application, with fields for entering an application name and selecting supported account types. (Captioned by AI)2540×1898 326 KB

3. Configure Authentication

• Open the App by clicking on the display name:
  

  

  The image shows the Microsoft Azure App registrations page, highlighting the 'Celigo Demo' application under the 'All applications' tab. (Captioned by AI)3402×1326 272 KB

• Go to Authentication

• Click Add a platform
  

  

  The image shows a webpage for Celigo Demo app registration with sections for platform configurations, supported account types, and advanced settings, highlighting an option to add a platform. (Captioned by AI)2260×1578 400 KB

• Choose Web

The image shows a configuration panel for application authentication, highlighting options for web and mobile platforms with a red arrow pointing to the 'Mobile and desktop applications' section on the right. (Captioned by AI)2860×1474 465 KB

• For redirect URI, enter:
  https://integrator.io/connection/oauth2callback
• Click Configure

The image shows a web configuration page with a focus on setting up redirect URIs and options for implicit grant and hybrid flows. (Captioned by AI)1144×1432 121 KB

4. Set API Permissions

• Go to API permissions
• Click Add a permission

The image shows the API permissions page of a demo application where a new permission can be added and admin consent is being granted. (Captioned by AI)2634×1450 343 KB

• Choose Dynamics 365 Business Central****First:
  • Select Delegated permissions

The image shows a split-screen view of API permissions settings, highlighting 'Dynamics 365 Business Central' for programmatic access to data and functionality. (Captioned by AI)2820×1298 465 KB

The image shows a screen requesting API permissions for Dynamics 365 Business Central, highlighting 'Delegated permissions' where the application needs access as the signed-in user. (Captioned by AI)1190×970 56.7 KB

• Add required scopes (e.g., Financials.ReadWrite.All, etc.)

The image shows a request for API permissions in Dynamics 365 Business Central, highlighting options for delegated and application permissions, including user impersonation and financials access. (Captioned by AI)1720×1744 274 KB

• Second:

• Click Add a permission again

• Choose Application permissions

• Add the needed scopes
  

  

  The image displays a Microsoft Azure portal interface for managing API permissions, highlighting the option to add permissions for Dynamics 365 Business Central. (Captioned by AI)1920×1157 161 KB
  
  
  

  The image shows a request for API permissions in Dynamics 365 Business Central, highlighting application permissions for background services. (Captioned by AI)1568×1010 64.5 KB

• Click Grant admin consent for your organization

• Confirm by clicking Yes
  

  

  The image shows a Microsoft Azure interface where API permissions for Dynamics 365 Business Central are being configured, with several permissions selected and an 'Add permissions' button highlighted. (Captioned by AI)1920×1362 148 KB

The image shows a permission management screen for Dynamics 365 and Microsoft Graph APIs, highlighting admin consent requests. (Captioned by AI)2170×1540 362 KB

The image shows the API permissions page for Celigo Demo, detailing a list of configured permissions with their statuses, all granted for Teknuro B.V. (Captioned by AI)1920×1071 136 KB

5. Create Client Secret

• Go to Certificates & secrets
• Click New client secret
• Add description and expiry (e.g., 6 or 12 months)
• Click Add

The image shows a software interface for managing 'Certificates & secrets,' highlighting the option to create a new client secret in the 'Celigo Demo' application. (Captioned by AI)1666×1126 120 KB

The image shows a web interface for adding a client secret with fields for description and expiration date options. (Captioned by AI)2930×1886 318 KB

Example Output (For Reference Only)

The image shows a Celigo Demo page displaying certificates and secrets information, including a client secret named 'Celigo ClientSecret' set to expire on 31/12/2025, within a software interface. (Captioned by AI)2660×1230 294 KB

Save the Client ID and Secret Value.

Store the Client Secret securely. You cannot retrieve it again later.
Creating a Business Central connection via OAuth still uses the Azure App Registration, which may grant higher privileges than intended if the app has broad permissions — bypassing user-level scope limitations.

Create Connection in Celigo

• Go to Connections
• Create Connection
• Select Microsoft Dynamics 365 Business Central application and select for example API:

The image shows a setup screen for creating a connection in Microsoft Dynamics 365 Business Central with options for API, OData, and S2S. (Captioned by AI)1718×1278 219 KB

• Enter your Microsoft Dynamics 365 Business Central environment.
  How to retrieve the environment name:

1. Sign in to the Microsoft Dynamics 365 Business Central admin center.
2. Click Environment .
3. Copy the Environment Name

The image shows a screenshot of the Dynamics 365 Business Central interface with a settings menu open on the right side. (Captioned by AI)3316×1136 276 KB

A screenshot of the Dynamics 365 Business Central admin center showing the dashboard with environment details and a message indicating one unread message in the message center. (Captioned by AI)2530×1072 195 KB

Name here is Production, so we fill in Production:

The image shows a configuration screen for creating a new connection in Microsoft Dynamics 365 Business Central, with options for API, OData, and S2S API types, and an environment name set to 'Production.' (Captioned by AI)1222×1134 75 KB

The image shows a screenshot of a 'Create connection' form with fields for naming the connection, selecting an API type, and specifying the environment name, highlighted with red boxes and arrows pointing to a 'Save & authorize' button. (Captioned by AI)1194×1872 186 KB

Now the connection should work and you will see a online connection:

If it is not working, you can also switch to the HTTP tab in the connection to be created:

The image shows a user interface for creating a new connection, with options to select the connection type and name it 'Test Celigo 2', and an arrow pointing to the HTTP tab. (Captioned by AI)1304×1122 69.8 KB

As a base uri fill in: https://api.businesscentral.dynamics.com/v2.0/Production/api

(Production is your environment name here)

The image displays a configuration screen for creating an HTTP connection to Microsoft Dynamics 365 Business Central, featuring fields for connection name, application, mode, base URI, and HTTP headers. (Captioned by AI)1356×1712 207 KB

Then scroll down and select OAuth 2.0 as the Auth:

The image shows a configuration screen for setting up OAuth 2.0 authentication with an option to select an OAuth 2.0 client and define scope. (Captioned by AI)1520×810 37.2 KB

Click on the plus and create the iClient.
Here you will fill in a name and the client id and secret (which we generated in azure in the previous steps

The image shows a form interface for creating an iClient with fields for name, client ID, and client secret, and the options to save. (Captioned by AI)1120×1914 111 KB

Now click on Save & Authorize and it should work now:

The image displays a software configuration window for OAuth 2.0 authentication, with "Celigo Demo" set as the OAuth 2.0 client and a "Save & authorize" button highlighted. (Captioned by AI)1002×1720 89.5 KB

Notes

• This OAuth setup is required for all new integrations with Microsoft Dynamics 365 Business Central Online.
• Use these credentials to authenticate in Celigo’s HTTP connector or prebuilt Business Central connector using OAuth 2.0.

@nuriensing You've been such a great part of the Celigo Connective community from its inception and this post is another great example of your awesome partnership. Thank you for taking the time to share your knowledge in such a detailed and thoughtful way!

Thank you so much for the kind words, I truly appreciate it!

Separately, I've sent this to @stephenbrandt and his docs team to improve our docs around this! As you can imagine, doing this for all 800 connections is a challenge so we appreciate the help!

I just need to highlight one more part.

When creating a connection via Celigo > Microsoft 365 Business Central using OAuth 2.0, the process still opens a Microsoft consent screen — a pop-up that asks the user to grant permissions to the app.

Even if the OAuth app in Azure is configured with limited scopes (e.g., Financials.ReadWrite), the connection still results in full read/write access within Business Central. This behavior suggests that the actual access granted may exceed the scope requested, which is concerning.

Feel free to add insights about this.

Super helpful!! Thank you for doing this!

This is weird, do you think it’s a Microsoft bug or our bug? If you setup the same thing in Postman do you get the same outcome?

Nuri,
I am not 100% sure, as I have not tested this myself, but this could have to do with the permissions type that you set on the app.
Microsoft has the ability for you to define Delegated or Application.

Depending on how the app was configured, if you are using delegated and then logging in with an Admin user it could be inheriting permissions from the user.
As per the comparison below delegate permission is "Limited to what the user could do (plus any extra scopes granted). Can be further constrained by Conditional Access or RBAC targeted at the user."

I would suggest trying to setup a specific user in Azure, such as app_login@mycompany.com, with only the specific access you want to grant and use that to login in Integrator.IO when setting up the connection.

===============================================================================
In Azure AD (and therefore Microsoft Entra ID and Microsoft Graph), “Delegated” and “Application” designate the two fundamental permission types an app can ask for. They differ in whose identity is used, how tokens are issued, what appears inside the token, and who can grant consent.

Key points explained

1. User context vs. app context

   • With delegated permissions the access token represents both the user and the application, so every call happens “through” the user. If that user loses access (e.g., disabled account), the call fails because the user can no longer sign in. (Microsoft Learn)
   • With application permissions the token represents only the application. The user factor is irrelevant; the app still works even when no one is logged in. (Microsoft Learn)

2. Consent and security posture

   • Delegated scopes can be granted by individual users for low-impact data (for example, an Outlook add-in requesting Mail.Read). More sensitive scopes, or scopes in tenants where user consent is disabled, require an administrator. (Microsoft Learn)
   • Application permissions bypass user-level checks, so Azure always requires an administrator to approve them. Apply the least-privilege principle: request only the narrowest app role your service really needs. (Microsoft Learn, Microsoft Learn)

3. Token differences

   • Delegated token → scp claim lists granted scopes.
   • Application token → roles claim lists granted app roles. These claims tell Microsoft Graph (or any API that trusts Entra ID) which operations are allowed. (Microsoft Learn)

4. Example
   Suppose you have a nightly export service that copies every user’s OneDrive content to an archive bucket:

   • You’d register an app with Files.Read.All application permission and run it with the client-credentials flow—no user ever signs in.
     Conversely, if you’re building a Teams add-in that shows the signed-in person’s recent files, you’d request Files.Read delegated scope. Each user consents the first time the add-in runs, and the token only lets the add-in see that user’s files.

Choosing the right type

• Need a signed-in user? → Delegated.
• Run headless / server-to-server? → Application.
• Want to limit access to exactly what the user can already do? → Delegated.
• Need tenant-wide or cross-user access? → Application, plus extra guardrails (e.g., restrict the service principal via Azure RBAC or resource-specific consents in SharePoint/Teams).

Understanding the distinction is crucial for designing secure solutions and passing Azure’s consent review.