microsoft / navcontainerhelper

Official Microsoft repository for BcContainerHelper, a PowerShell module, which makes it easier to work with Business Central Containers on Docker.
MIT License

Create-AadAppsForNav.ps1 - configuration for the apps up to date? #2959

Closed DobbyNator94 closed 1 year ago

DobbyNator94 commented 1 year ago

Describe the issue

I tried to use Create-AadAppsForNav.ps1 and don't get a connection with the Excel add-in, Power BI or Exchange 365 Online.

Scripts used to create container and cause the issue


Create-AadAppsForNav.ps1 doesn't work flawlessly anymore.
Microsoft changed the requirements for the app registrations:

https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/register-app-azure?source=recommendations

I think there is only the need of these Azure AD apps:

- SSO
- Excel
- Azure Services (like Exchange 365 Online, PowerBI, OneDrive, Exchange Contact Sync, Outlook Add-In, Universal Print)

The links:

- Exchange 365 Online: https://learn.microsoft.com/de-de/dynamics365/business-central/admin-how-setup-email#setting-up-email-for-business-central-on-premises

- SSO: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/authenticating-users-with-azure-ad-openid-connect

- Excel: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/configuring-excel-addin

- All other services (including the Exchange 365 connection through the "Microsoft 365 connector" extension):
https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/register-app-azure?source=recommendations

The following fixes the Excel app for me:

- Adding an App ID URI on the SSO app.
- Excel app: changing the platform type from Web to SPA.

Thank you very much for your work and response!

DobbyNator94 commented 1 year ago

And when I want to use an AppIDURI (like https://WindowsPC/webserverinstance) it doesn't work because Azure doesn't know the domain (because it is a standalone PC). But in my opinion it must be possible without a registered domain on the Azure tenant.

All of this is possible without the registered domain or the right DNS suffix when I don't use the appiduri parameter.

RHaest commented 1 year ago

Perhaps related to this, not sure: with the latest BC version it is possible to assign permissions with Azure AD security groups. However, I can't get the lookup / validation to work (although Azure AD sign-on does work); it gives me an unspecified error. Any relation to this issue?

freddydk commented 1 year ago

I will go through these and check the apps with the various BC versions.

On the AppIdURI: just grab the domain part of your Azure AD account and add that, like https://windowspc.mydomain.onmicrosoft.com/instance, then it works. The function doesn't support all scenarios; it is just supposed to make things easier for the mainstream scenario.

freddydk commented 1 year ago

BTW, Create-AadAppsForBC will be deprecated and replaced by New-AadAppsForBc, which uses the Microsoft Graph API instead of the Azure AD API (which is deprecated).

RHaest commented 1 year ago

Hi Freddy, will the integration with Azure AD groups work as well with the Graph API? Thx.

freddydk commented 1 year ago

Not sure I understand the question. Could you elaborate?

RHaest commented 1 year ago

If we spin up a new container with bccontainerhelper, OAuth / AAD authentication works just fine; however, if we try to use the new Azure AD security groups we get an unspecified error, so I'm not sure if it's related to this issue.

freddydk commented 1 year ago

I think the Azure AD security groups are an online-only feature, not something we can use in containers (as far as I know).

freddydk commented 1 year ago

In 5.0.1 and the next version of the ARM templates, these things will be fixed in New-AadAppsForBC.

It is still necessary to use an AdAppUri which is owned by you (including your AAD username domain). I don't know how I can avoid that.

If somebody knows, they are welcome to create a PR, making New-AadAppsForBC work without the need for that - but please test that https://aka.ms/getbc still works with everything, thanks.
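As an added illustration of the two points raised in this thread (the App ID URI must sit under a domain the tenant owns, and the Excel add-in registration needs the SPA platform rather than Web), here is a small script that checks the URI host against the tenant's verified domains before creating the two registrations through the Microsoft Graph PowerShell SDK. This is example code, not BcContainerHelper's own New-AadAppsForBC; the hostnames, instance name and reply-URL paths (`/SignIn`, `/OAuthLanding.htm`) are assumptions for illustration.

```powershell
# Added example, not code from the BcContainerHelper module.
# Assumes the Microsoft.Graph PowerShell module is installed and the signed-in
# account can consent to Application.ReadWrite.All and Organization.Read.All.
# Hostnames, instance name and reply-URL paths below are constructed placeholders.

function Test-AppIdUriDomain {
    param([Parameter(Mandatory)][uri]$AppIdUri)
    # Graph only accepts identifier URIs whose host is a verified domain of the
    # tenant (or a subdomain of one); an unregistered host such as
    # https://WindowsPC/... is rejected, which is the failure seen in this issue.
    $verified = (Get-MgOrganization).VerifiedDomains | ForEach-Object { $_.Name.ToLower() }
    $uriHost = $AppIdUri.Host.ToLower()
    return [bool]($verified | Where-Object { $uriHost -eq $_ -or $uriHost.EndsWith(".$_") })
}

function New-BcAadAppsExample {
    param(
        [Parameter(Mandatory)][string]$WebClientUrl,  # e.g. https://bchost.mydomain.onmicrosoft.com/BC
        [Parameter(Mandatory)][string]$AppIdUri       # e.g. https://bchost.mydomain.onmicrosoft.com/BC
    )
    if (-not (Test-AppIdUriDomain -AppIdUri $AppIdUri)) {
        throw "App ID URI host is not a verified domain of this tenant: $AppIdUri"
    }
    $base = $WebClientUrl.TrimEnd('/')

    # SSO app: single-tenant, App ID URI set, Web platform with the sign-in reply URL.
    $ssoApp = New-MgApplication -DisplayName "BC SSO ($base)" `
        -SignInAudience 'AzureADMyOrg' `
        -IdentifierUris @($AppIdUri) `
        -Web @{ RedirectUris = @("$base/SignIn") }

    # Excel add-in app: SPA platform (not Web), as the thread found necessary.
    $excelApp = New-MgApplication -DisplayName "BC Excel add-in ($base)" `
        -SignInAudience 'AzureADMyOrg' `
        -Spa @{ RedirectUris = @("$base/OAuthLanding.htm") }

    # Return only the client IDs; secrets are not created here and should be
    # issued separately with the shortest lifetime the deployment allows.
    return [pscustomobject]@{ SsoAppId = $ssoApp.AppId; ExcelAppId = $excelApp.AppId }
}

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Organization.Read.All'
New-BcAadAppsExample -WebClientUrl 'https://bchost.mydomain.onmicrosoft.com/BC' `
                     -AppIdUri 'https://bchost.mydomain.onmicrosoft.com/BC'
```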

freddydk commented 1 year ago

New functionality can be tested now using the https://aka.ms/getbc2

freddydk commented 1 year ago

Shipped in https://aka.ms/getbc

It uses New-AadAppsForBC, which uses MS Graph and follows the new principles for creating AAD apps.