Configure Multiple OAuth Service-to-Service Connections in Shop Floor Insight

Configure Multiple OAuth Service-to-Service Connections in Shop Floor Insight

You are here:

This article describes how to configure multiple OAuth Service-To-Service (S2S) for multiple Shop Floor Insight windows services. The following instructions are included:

  • Create an App Registration in Azure
  • Collect the Client Secret, Client ID, and Tenant ID
  • Configure the Specialized IDs
  • Grant Consent in Business Central

Create an App Registration in Azure

To create an App Registration in Azure, sign in with an account that has the appropriate permissions to create the App Registration. Complete the following to create the entry:

  1. Navigate and log into Azure (if needed).
  2. Select More Services to access Azure Active Directory and select App Registrations under the Identity section.
  3. Select +New registration.
  4. Input a Name (e.g., ShopFloorInsight-TimezoneA).
  5. Select Accounts in this organizational directory ([Default Directory] only – Single tenant) under Support account types (limits the use of the app registration to the tenant).
  6. Configure and register the following Redirect URI (required for Shop Floor Insight):
  7. Navigate to the Authentication section for the app registration.
  8. Configure the following Redirect URI (LS Central only):
  9. Select Register.
  10. Navigate to the App registrations and select All Applications.
  11. Locate and select your new entry.
  12. Select Authentication and select Add a platform.
  13. Select Mobile and desktop applications.
  14. Check the boxes ON for all three entries.
  15. Ensure the entry below appears:
  1. Select API Permissions and select + Add a Permission.
  2. Locate the Dynamics 365 Business Central and Microsoft Graph boxes and enable both the delegated and application permissions below (gives Business Central access permissions).
API / Permissions name Type Description
Dynamics 365 Business Central (3)
API.ReadWrite.All Application Full access to web services API
app_access Application Access according to the application’s permissions in Dynamics 365 Business Central
Financials.ReadWrite.All Delegated Access Dynamics 365 Business Central as the signed-in user.
User_impersonation Delegated Access as the signed-in user
Microsoft Graph (1)
User.Read Delegated Sign in and read user profile
  1. Grant consent.

Collect the Client Secret, Client ID, and Tenant ID

The GUI allows you to create a client secret that expires after two years. For increased security, we recommend using the GUI and having a timed expiry rather than using PowerShell to set up a client secret with an extended expiration date.

Collect the Client Secret

Complete the following to collect the client secret while still in the app registration’s menu:

  1. Navigate to Certificates & Secrets.
  2. Select + New Client Secret.
  3. Input a description and expiry (maximum 24 months).
  4. Select Add.
  5. Navigate to Certificates & Secrets.
  6. Copy the Client Secret Value (Client Secret).

Collect the Client ID and Tenant ID

  1. Navigate to Overview of the app registration.
  2. Copy the IDs from the following fields:
    1. Application (client) ID (Client ID) (this is a GUID)
    2. Directory (tenant) ID (Tenant ID)

Configure the Specialized IDs

  1. Edit the IW.TimeCollectionModule.Service.exe.config file.
  2. Add the following XML into the settings XML area:

<setting name=”OAuthClientID” serializeAs=”String”>

<value>Put in the client ID collected from the previous steps, this will be a guid</value>


<setting name=”OAuthClientSecret” serializeAs=”String”>

<value>Put in the secret value collected from the previous steps</value>


<setting name=”OAuthTenant” serializeAs=”String”>

<value>Put in the tenant ID collected from the previous steps</value>


Grant Consent in Business Central

When the user selects Grant Consent, the user must have sufficient permissions on the tenant to grant consent. This login is held back from partners but is available to the customer or their IT department.

  1. Navigate to the Azure Active Directory Applications (Microsoft Entra Applications) Card in Business Central.
  2. Select + New.
  3. Enter the:
    • Client ID: used in App ID (collected in Collect the Client ID and Tenant ID above)
    • Description
  4. Change the state to Enabled.
  5. Enter the following (minimum) permissions under the appropriate Fast Tab:
    • D365 BUS PREMIUM
    • Sufficient permissions to perform the required Shop Floor Insight tasks (e.g., for jobs, give permissions for jobs; for fixed assets, give permissions for fixed assets; for production orders, give permissions for what they plan on using with production orders).
  6. Grant consent and follow the prompts (ensure you are logged in with the appropriate administrative user).
Was this article helpful?
5 out Of 5 Stars

1 rating

5 Stars 100%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?
Please submit the reason for your vote so that we can improve the article.
Need help?

Leave A Comment

Go to Top