Configuration of an App Registration in Azure
The following steps must be completed to create an App Registration in Document Central. An App Registration is required by Document Central to utilize all available features of Document Central.
Info
To perform this setup, it is necessary that the Administrator account exists in both Business Central and the Azure Portal, as only administrators have the necessary permissions.
Business Central (On-Premise)
The automatic creation of the App Registration from Business Central On-Premise is not possible. Therefore, the creation of the App Registration must be done manually through the Azure Portal.
Creating the Azure App Registration in the Azure Portal
The following steps guide you on how to create a new App Registration for Document Central in the Azure Portal.
- Sign in to the Azure Portal at Azure Portal.
- Click on the Azure Active Directory icon in the left navigation pane.
- Click on App registrations in the Azure Active Directory menu.
- Click on the New registration button.
- Enter the name Document Central in the Name field.
- Select the appropriate option for the Supported account types for the app registration.
- Enter the appropriate Redirect URI for your app registration. This is the URI to which Azure AD redirects the user after authentication. The URI should be set to Web for the platform and written in the following format: https://**external Business Central address/BC/OAuthLanding.htm**.
- Click the Register button to create the app registration.
- Note the Application (client) ID and Directory (tenant) ID on the app registration page. This is the unique identifier for your app registration that you will need when configuring your Document Central in Business Central.
- Click on New client secret under the Certificates & secrets tab to create a new secret that will be used to authenticate your app with Azure AD.
- Enter a description for the secret, select an expiration date, and click Add.
- Note the generated Client secret, as it will only be displayed once and cannot be retrieved later. Please note the Client secret, as it is needed to configure Document Central in Business Central.
- Click on Add permission under the API permissions tab and add the following permissions.
| Permission Group | API/Permission Name | Type | Description |
|---|---|---|---|
| Azure Service Management | user_impersonation | Delegated | Renewing the secrets or certificates of an Azure app registration. |
| Azure Service Management | user_impersonation | Delegated | Deleting an Azure app registration directly from the application. |
| Azure Service Management | user_impersonation | Delegated | Retrieving and selecting subscriptions, resource groups, and storage accounts, as well as assigning the necessary permissions when setting up an Azure Blob Storage repository. |
| Azure Service Management | user_impersonation | Delegated | Selecting existing Azure Cognitive Search Services or creating a new search service during setup. |
| Microsoft Graph | offline_access | Delegated | Allows for the automatic renewal of sign-in tokens so that users do not have to sign in again. Required for functions such as upload, download, SharePoint access, user group management, and assistants. |
| Microsoft Graph | User.Read | Delegated | Identifying the currently signed-in user and verifying the sign-in during the setup or checking of an app registration. |
| Microsoft Graph | User.Read | Delegated | Using the current user context to check permissions and administrator consents. |
| Microsoft Graph | User.Read.All | Delegated | Searching for and selecting Microsoft 365 or Entra ID users when setting up user groups. |
| Microsoft Graph | User.Read.All | Delegated | Resolving and managing users when adding or removing group members. |
| Microsoft Graph | User.Read.All | Delegated | Identifying users for preview and creation of standard or base permission groups. |
| Microsoft Graph | GroupMember.ReadWrite.All | Delegated | Creating Azure Security Groups and adding users during the user-group assistant. |
| Microsoft Graph | GroupMember.ReadWrite.All | Delegated | Adding or removing users in Azure Security Groups. |
| Microsoft Graph | GroupMember.ReadWrite.All | Delegated | Creating and managing the security groups needed for base permissions. |
| Microsoft Graph | Sites.ReadWrite.All | Delegated | Identifying SharePoint sites and site information during repository setup. |
| SharePoint | AllSites.Read | Delegated | Reading SharePoint sites, documents, and lists, as well as synchronizing repository content. |
| SharePoint | AllSites.FullControl | Delegated | Performing administrative SharePoint functions such as permission, retention, or site management tasks in the user context. |
| SharePoint | Sites.ReadWrite.All | Delegated | Uploading, downloading, editing, and deleting documents, as well as managing folders and metadata in SharePoint. |
| SharePoint | Sites.ReadWrite.All | Delegated | Synchronizing documents and SharePoint content with Document Central. |
| SharePoint | Sites.FullControl.All | Delegated | Creating new SharePoint sites directly from Business Central. |
| SharePoint | Sites.FullControl.All | Delegated | Setting up SharePoint groups, permission levels, and base permissions. |
| SharePoint | Sites.FullControl.All | Delegated | Publishing and managing permissions on SharePoint libraries, including inheritance control and group assignments. |
| SharePoint | Sites.FullControl.All | Delegated | Managing retention labels and performing record lock and unlock actions on SharePoint documents. |
| SharePoint | AllSites.Manage | Delegated | Managing permissions on SharePoint libraries, including assigning groups and enabling or resetting permission inheritance. |
- Click the Grant admin consent button to grant the permission an admin consent.
Caution
Removing or disabling individual permissions may cause certain features of Document Central to no longer function correctly or to fail completely.
Since individual functions depend on different permissions, we strongly recommend not removing any of the provided permissions. Otherwise, it cannot be ensured that Document Central will function properly with future updates or the use of additional features.
Creating a Certificate
Creating a Client Certificate allows Document Central to authenticate with SharePoint without impersonating the user. This also avoids the issue of token expiration that can occur when working with a user context. Using a Client Certificate is optional. However, if you wish to use a Client Certificate for authentication with SharePoint, follow the steps below to create a Client Certificate for Document Central.
- Navigate to Certificates and follow the steps to create a Client Certificate. The .pfx file and the .cer files will be needed. Please note the password of the .pfx file, as it is required to configure Document Central in Business Central.
- Navigate to the created Azure App Registration for Document Central.
- Click on the Certificates tab under Certificates & secrets.
- Click on Upload certificate, then upload the .cer file and write a description.
- Click on Add to save the certificate.
- The pfx file will be uploaded in the Document Central Configuration.
Adding a Role to a Subscription
Assigning a role for the Document Central App in a subscription is necessary to enable the creation and configuration of a Storage Account for Azure Blob Storage. However, if Azure Blob Storage is not used in Document Central in the subscription, this step can be skipped.
Info
The role assignment can only be performed by an administrator account.
- Sign in to the Azure Portal at Azure Portal.
- Search for Subscriptions using the search bar.
- If you have multiple subscriptions, select the one intended for Azure Blob Storage, as a storage account must have a subscription.
- Go to the Access control (IAM) tab and click on the Role assignments tab.
- Click the Add button and select Add role assignment.
- Under the Role tab, select the Contributor role and click Next.
- Under the Members tab, click the Select members button and add Document Central.
- Click on Review + assign to complete the role assignment process.
Inputting the Azure App Registration Information in Business Central
The following steps guide you on how to configure the App Registration for Document Central using the App Registration Wizard.
- Navigate to Document Central - Module Setup.
- In the Document Central - Module Setup, click on the Configure App Registration action to proceed.
- An App Registration Wizard will appear. Click on Start to begin the configuration.
- To proceed with this step, it is necessary to have already prepared an App Registration for Document Central. If you have not yet created an App Registration for Document Central, please refer to the section Creating the Azure App Registration in the Azure Portal.
- Fill in the fields App Registration Name, Client ID, Client Secret, Tenant ID, and Redirect URL.
- Once all fields are correctly filled out, click Next to continue with the configuration.
- The configuration page for the Client Certificate will be displayed. This step is optional and can be skipped by clicking Next. However, if you wish to use a Client Certificate for authentication with SharePoint, a Certificate must be prepared.
- Click on the Certificate key field to open a popup that allows you to select the .pfx file created in the Creating a Certificate step.
- Enter the password of the .pfx file in the Certificate key password field and click Next to continue with the configuration.
- After clicking Finish, the changes to the App Registration settings in Document Central will be applied.
Warning
- If the App Registration is not configured correctly, Document Central may not function properly in some areas.
- Existing App Registrations will be overwritten upon completion of the App Registration Wizard.