Azure Active Directory (AAD) OAuth Configuration for Warehouse Insight 2.8+

These instructions are only applicable to Software as a Service (SaaS) implementations of Warehouse Insight.

Currently, this process is required for the following two OAuth login methods in Warehouse Insight 2.8 and later:

  • OAuth – Service-to-Service (S2S)
  • OAuth – User Impersonation

For more information on different types of login methods for Warehouse Insight, please see OAuth Login Options for Warehouse Insight 2.8.

The following steps describe how to create an app registration using the Azure Graphical User Interface (GUI) and how to complete any product-specific setup that requires the information collected in these steps.

  • Create an App Registration in Azure
  • Grant Login Permissions
  • Collect the Client ID, Tenant ID, and Client Secret
  • Grant Consent in Business Central (Optional)
  • Signing Into the Handheld

Create an App Registration in Azure

To create an App Registration in Azure, you must be signed in with an account that has the appropriate permissions to create the App Registration. Complete the following to create the entry:

  1. Navigate to portal.azure.com and select Azure Active Directory.
  2. Select App Registrations.
  3. Click New Registration.
  4. Choose a name for this app registration (e.g., Insight-Works-WHI).
  5. Select Accounts in this organizational directory only (Default Directory only – Single tenant). This limits the use of the app registration to the tenant.
  6. Enter the Redirect URIs (there are two required for Warehouse Insight):
    • https://businesscentral.dynamics.com/OAuthLanding.htm
    • https://whi/callback

Grant Login Permissions

If you are using Service to Service login, Business Central permissions are necessary; for User Impersonation, you can skip these steps.

There are two types of relevant permissions:

  • Role Assignment
  • API Permissions

Role Assignment

This step is for User Impersonation logins with different access requirements.

You can assign roles for each instance for a more granular level of controlled access.

You can find detailed descriptions of each level of access in Microsoft’s Assign Azure roles using the Azure portal article.

API Permissions

Read and write permissions are necessary to access the API. Complete the following:

  1. Return to the App Registration screen.
  2. Select API Permissions and select + Add a Permission.
  3. Locate the Dynamics 365 Business Central and Microsoft Graph boxes and allow both the delegated and application permissions below.
  4. Grant consent.

| API / Permissions name | Type | Description | Admin Consent Required? | Status |
| --- | --- | --- | --- | --- |
| Dynamics 365 Business Central (3) | | | | |
| API.ReadWrite.All | Application | Full access to web services API | No | Granted for Insight Works |
| app_access | Application | Access according to the application’s permissions in Dyna… | No | Granted for Insight Works |
| User_impersonation | Delegated | Access as the signed-in user | No | Granted for Insight Works |
| Microsoft Graph (1) | | | | |
| User.Read | Delegated | Sign in and read user profile | No | Granted for Insight Works |

For more information, please see Microsoft’s Permissions and consent in the Microsoft identity platform article.

Collect the Client ID, Tenant ID, and Client Secret

The GUI only allows for the creation of a client secret that will expire after two years. While it is possible to use PowerShell to set up a client secret with a much longer lifetime, using the GUI and having a timed expiry is highly recommended for increased security.

Collect the Client Secret

Complete the following to collect the Client Secret while still in the app registration’s menu:

  1. Navigate to Certificates & Secrets.
  2. Select + New Client Secret.
  3. Enter a description and expiry (maximum 24 months).
  4. Select Add.
  5. Navigate back to Certificates & Secrets to copy the Secret ID and the Client Secret Value (Client Secret).

Collect the Client ID and Tenant ID

Complete the following to collect the Client ID and Tenant ID:

  1. Navigate back to Overview of the app registration.
  2. Copy the IDs from the following fields:
    • Application (client) ID (Client ID)
    • Directory (tenant) ID (Tenant ID)

You are now able to sign in using Service to Service (S2S) authentication for Warehouse Insight.
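
As an added example (not Insight Works or Microsoft code), the following Python audits an exported app registration against the settings chosen above: single tenant, both redirect URIs, and client secrets within the 24-month limit. It assumes the registration is available as JSON in the shape of the Microsoft Graph application object (signInAudience, redirectUris, passwordCredentials); the function name, the 30-day warning window and the sample data are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Redirect URIs and the 24-month secret limit come from this page's steps.
REQUIRED_REDIRECTS = {
    "https://businesscentral.dynamics.com/OAuthLanding.htm",
    "https://whi/callback",
}
MAX_SECRET_LIFETIME = timedelta(days=731)  # 24 months, allowing one leap day


def _ts(value):
    # Graph timestamps are UTC; drop fractional seconds and the trailing "Z".
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_app_registration(app, now, warn_within=timedelta(days=30)):
    """Return findings for one application object (dict) as of `now` (UTC)."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # single-tenant value
        findings.append("not single tenant: signInAudience=%r" % app.get("signInAudience"))
    configured = set()
    for platform in ("web", "spa", "publicClient"):
        configured.update((app.get(platform) or {}).get("redirectUris") or [])
    for uri in sorted(REQUIRED_REDIRECTS - configured):
        findings.append("missing redirect URI: " + uri)
    secrets = app.get("passwordCredentials") or []
    if not secrets:
        findings.append("no client secret configured")
    for cred in secrets:
        name = cred.get("displayName") or cred.get("keyId")
        start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
        if end - start > MAX_SECRET_LIFETIME:
            findings.append("secret %r lifetime exceeds 24 months" % name)
        if end <= now:
            findings.append("secret %r expired on %s" % (name, end.date()))
        elif end - now <= warn_within:
            findings.append("secret %r expires on %s" % (name, end.date()))
    return findings


# Constructed sample, not a real tenant's data.
SAMPLE_APP = json.loads("""{
  "displayName": "Insight-Works-WHI", "signInAudience": "AzureADMultipleOrgs",
  "web": {"redirectUris": ["https://businesscentral.dynamics.com/OAuthLanding.htm"]},
  "passwordCredentials": [
    {"displayName": "handheld-2024", "startDateTime": "2024-01-10T00:00:00Z", "endDateTime": "2026-01-10T00:00:00Z"},
    {"displayName": "ps-created", "startDateTime": "2024-01-10T00:00:00.1234567Z", "endDateTime": "2034-01-10T00:00:00Z"}]}""")

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE_APP, datetime(2025, 12, 20, tzinfo=timezone.utc)):
        print(finding)
```

Running the audit on a schedule gives warning before a handheld's stored Client Secret expires and sign-in stops working.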

Grant Consent in Business Central (Optional)

When selecting Grant Consent, the logged-in Business Central user needs to have sufficient permissions on the tenant to grant consent. This login is often held back from partners, but is available to the customer or their IT department.

  1. Navigate to the Azure Active Directory Applications Card in Business Central and select + New.
  2. Enter the Client ID, created in Collect the Client ID, Tenant ID, and Client Secret above, and a description (does not have to match the name of the App Registration).
  3. Change the state to Enabled.
  4. Enter the following permissions under the appropriate Fast Tab:
    • D365 BUS PREMIUM
    • IWORKS COMMON
    • WHI – ALL
  5. Grant consent and follow the prompts.

You are now able to sign in on the handheld.

Signing into the Handheld

Service to Service

  1. Press Menu > Configure (Default password is “1234”) > Menu > Logins.
  2. Change the Login Method to “OAuth – Service to Service”.
  3. Enter the Client ID, Tenant ID, and Client Secret generated in your Azure Active Directory account.
  4. Enable the Use Additional Insight Works User Login toggle (optional).
  5. Press Clear Credentials to clear the memory of previously entered credentials.
  6. Press Menu > Close > Yes (to save).
  7. Enter your credentials to sign in if Use Additional Insight Works User Login toggle is enabled.

User Impersonation

There are two types of logins required for User Impersonation:

  • Access Permissions Account: This account sets the permissions for the user signing into the device, as they match the permissions set for this account in Business Central. An existing admin or device user’s licensed account can be used if it also has permissions set in Azure Active Directory.
  • Insight Works User Account (Device User): This account is used to track who is using the Warehouse Insight scanner app. It can be any Insight Works user set up in Business Central.

Setting Up the Access Permissions Account

The following steps can be followed to create an Access Permissions Account:

  1. Add a user to Azure Active Directory if there is no separate account for generic use (details on how to add users here).
  2. Assign app permissions and licenses as if this were another employee using Business Central.
  3. Ensure that permissions for this user are the minimum required to use these services (details on how to manage permissions and licenses here).
  4. Sign into Business Central using this new account.
  5. Assign this user the following permissions:
    • IWORKS – COMMON
    • WHI – ALL
  6. Navigate to the Warehouse Employees Card.
  7. Assign this user to relevant warehouse locations and give license plating permissions if applicable.

Configuring the Warehouse Insight Device App

Complete the following to sign in using User Impersonation:

  1. Press Menu > Configure (Default password is “1234”) > Menu > Logins.
  2. Change the Login Method to “OAuth – User Impersonation”.
  3. Enter the Client ID, Tenant ID, and Client Secret generated in your Azure Active Directory account.
  4. Ensure the Use Additional Insight Works User Login toggle is enabled (optional).
  5. Press Clear Credentials to clear the memory of previously entered credentials.
  6. Press Menu > Close > Yes (to save).

Logging into the Warehouse Insight Device App

Log into the device:

  1. Enable the Remember Me toggle.
  2. Enter your Access Permissions Account credentials and log in.
  3. Enable the Remember Me toggle.
  4. Enter your Device User (Insight Works User) credentials.

You are now logged in with “OAuth – User Impersonation”.

Logging out of the Warehouse Insight Device App

When a user is finished with the scanner, they need to log out manually.

  1. Press Menu and press Sign Out.

Change Permissions for the Device User

Once the Access Permissions Account has been used to log in during the initial setup, its credentials are not requested again when a user signs in. The next user of that device will have the permissions of the same Access Permissions Account as the previous user.

Complete the following to change the permissions of the device user:

  1. Press Menu > Configure (Default password is “1234”) > Menu > Logins.
  2. Ensure that the Login Method remains “OAuth – User Impersonation”.
  3. Ensure that the Client ID, Tenant ID, and Client Secret generated in your Azure Active Directory account are still entered in the fields.
  4. Ensure the Use Additional Insight Works User Login toggle is enabled.
  5. Press Clear Credentials to clear the memory of previously entered credentials.
  6. Press Menu > Close > Yes (to save).