Discontinuation of Web Service Access Key in Business Central SaaS

Summary

Microsoft is removing the ability to log in to Business Central SaaS using a Web Service Access Key on October 1, 2022. On-premises installs are not affected by the change.

You will not be able to use Warehouse Insight or Shop Floor Insight after Microsoft updates your system if you have not switched to OAuth.

Warehouse Insight 2.5 (April 2021) and Shop Floor Insight 7.8 (October 2021) support OAuth.

Version 2.6 or newer of Warehouse Insight is required on devices that do not have Google Mobile Services (aka the Play Store) installed.

What is OAuth?

OAuth is the authentication method you are most familiar with, since it is what you use when you log into Business Central and Office 365 from a web browser or phone. You will now use that same method to log in from a handheld device or from Shop Floor Insight.

How do I set it up?

Configure OAuth for Shop Floor Insight.

Configure OAuth for Warehouse Insight.

When do I need to do it?

If you haven’t already set up your devices to use OAuth, we recommend you do it as soon as possible. You must update your configuration before October 1, 2022.

What happens if I don’t set up OAuth?

If you don’t have OAuth configured you will no longer be able to connect from Shop Floor Insight or Warehouse Insight.

Additional Security Details

Microsoft’s decision to eliminate the Web Services Access Key (WSAK) has caused a great deal of concern and additional work for application providers, customers, and anyone attempting to access Business Central. Overall, the current implementation of OAuth with Business Central is very likely to create problems in the warehouse and on the shop floor.

OAuth replaces the WSAK that has been available and widely used in NAV and Business Central for roughly 10 years. Web service access keys are still the de facto authentication mechanism for the vast majority of online web services providers.

The implied justification for removing WSAK is to improve security, but it is highly probable that using OAuth will make you far more vulnerable. OAuth relies on an Azure Active Directory user to log in, and that user account may have access to a wide range of services and systems, such as the local network, Outlook, SharePoint, OneDrive, and Business Central. This access would be inherently available from any device, including the warehouse handheld devices.

The impact of someone obtaining those credentials could be significant, as they may be able to leverage it to obtain much broader access to the overall system. The fact that these usernames and passwords are likely to be in wide circulation in a warehouse environment with potentially fewer IT controls makes the problem even worse. In contrast, the WSAK approach does not allow anyone to log into any other systems – they would only have access to the Business Central web services the underlying user has access to.

OAuth does allow for two-factor authentication to reduce the risk of someone using the login for nefarious purposes, but that also poses a challenge for warehouse and shop users. When the OAuth login expires, the system will prompt the user to log in again and trigger a two-factor verification. If the warehouse and shop users do not have access to the Authenticator to confirm the login, they will not be able to use the device or terminal until an authorized user, likely an administrator, logs them in. This could easily result in downtime and lower productivity. Microsoft will soon be making two-factor authentication mandatory.

To reduce the risk of exploit when using OAuth credentials, ensure the account being used has no access to any services other than Business Central (such as Outlook, etc.).

Also educate employees not to save the username and password on the device using Android’s built-in password management. This saved password would be available to any other application authenticating using OAuth, including Outlook, OneDrive, Teams, etc.

Consider using a system lockdown application to prevent users from accessing applications other than Warehouse Insight. Most manufacturers preinstall these applications on the devices, but there are also many options available from third parties.