Discontinuation of Web Service Access Key in Business Central SaaS

Summary

Microsoft is removing the ability to log in to Business Central SaaS using a Web Service Access Key on October 1, 2022. On-premises installs are not affected by the change.

You will not be able to use Warehouse Insight or Shop Floor Insight after Microsoft updates your system if you have not switched to OAuth.

Warehouse Insight 2.5 (April 2021) and Shop Floor Insight 7.8 (October 2021) support OAuth.

Version 2.6 or newer of Warehouse Insight is required on devices that do not have Google Mobile Services (aka the Play Store) installed.

What is OAuth?

OAuth is the authentication method you are most familiar with, since it is what you use when you log into Business Central and Office 365 from a web browser or phone. You will now use that same method to log in from a handheld device or from Shop Floor Insight.

How do I set it up?

Configure OAuth for Shop Floor Insight.

Configure OAuth for Warehouse Insight.

When do I need to do it?

If you haven’t already set up your devices to use OAuth, we recommend you do it as soon as possible. You must update your configuration before October 1, 2022.

What happens if I don’t set up OAuth?

If you don’t have OAuth configured you will no longer be able to connect from Shop Floor Insight or Warehouse Insight.

Additional Security Details

Microsoft’s decision to eliminate the Web Services Access Key (WSAK) has caused a great deal of concern and additional work for application providers, customers, and anyone attempting to access Business Central. Overall, the current implementation of OAuth with Business Central is very likely to create problems in the warehouse and on the shop floor.

OAuth replaces the WSAK that has been available and widely used in NAV and Business Central for roughly 10 years. Web service access keys are still the de facto authentication mechanism for the vast majority of online web services providers.

The implied justification for removing WSAK is to improve security, but it is highly probable that using OAuth will make you far more vulnerable. OAuth relies on an Azure Active Directory user to log in, and that user account may have access to a wide range of services and systems, such as the local network, Outlook, SharePoint, OneDrive, and Business Central. This access would be inherently available from any device, including the warehouse handheld devices.

The impact of someone obtaining those credentials could be significant, as they may be able to leverage them to obtain much broader access to the overall system. The fact that these usernames and passwords are likely to be in wide circulation in a warehouse environment with potentially fewer IT controls makes the problem even worse. In contrast, the WSAK approach does not allow anyone to log into any other systems – they would only have access to the Business Central web services the underlying user has access to.

OAuth does allow for two-factor authentication to reduce the risk of someone using the login for nefarious purposes, but that also poses a challenge for warehouse and shop users. When the OAuth login expires, the system will prompt the user to log in again and trigger a two-factor verification. If the warehouse and shop users do not have access to the Authenticator to confirm the login, they will not be able to use the device or terminal until an authorized user, likely an administrator, logs them in. This could easily result in downtime and lower productivity. Microsoft will soon be making two-factor authentication mandatory.

To reduce the risk of exploitation when using OAuth credentials, ensure the account being used has no access to any services other than Business Central (such as Outlook).
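One way to check that recommendation, as an added example that is not part of the original article or any Insight Works tooling: the script below reads the JSON that Microsoft Graph returns from GET /users/{id}/licenseDetails for the device account and lists every per-user service plan that is still enabled and is not on an allowlist. The allowlist entry, the SKU names and the sample response are constructed placeholders; replace them with the values your tenant reports.

```python
import json

# Assumption: placeholder name. Replace with the Business Central service plan
# name(s) your tenant actually reports for the device account.
ALLOWED_PLANS = {"EXAMPLE_BUSINESS_CENTRAL_PLAN"}

# Constructed sample shaped like the Microsoft Graph response to
# GET /users/{id}/licenseDetails for a shared handheld account.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"skuPartNumber": "EXAMPLE_BC_SKU", "servicePlans": [
        {"servicePlanName": "EXAMPLE_BUSINESS_CENTRAL_PLAN",
         "provisioningStatus": "Success", "appliesTo": "User"},
    ]},
    {"skuPartNumber": "EXAMPLE_OFFICE_SKU", "servicePlans": [
        {"servicePlanName": "EXCHANGE_S_ENTERPRISE",
         "provisioningStatus": "Success", "appliesTo": "User"},
        {"servicePlanName": "SHAREPOINTENTERPRISE",
         "provisioningStatus": "Disabled", "appliesTo": "User"},
        {"servicePlanName": "TEAMS1",
         "provisioningStatus": "PendingInput", "appliesTo": "User"},
        {"servicePlanName": "EXAMPLE_TENANT_PLAN",
         "provisioningStatus": "Success", "appliesTo": "Company"},
    ]},
]})


def unexpected_plans(license_details_json, allowed=ALLOWED_PLANS):
    """Return sorted (sku, plan) pairs granting the user a service outside `allowed`."""
    findings = set()
    for sku in json.loads(license_details_json).get("value", []):
        for plan in sku.get("servicePlans", []):
            if plan.get("appliesTo") != "User":
                continue  # tenant-level plan, not a per-user service
            if plan.get("provisioningStatus") == "Disabled":
                continue  # plan already switched off for this user
            # Any other status (Success, Pending...) is treated as enabled.
            name = plan.get("servicePlanName", "")
            if name not in allowed:
                findings.add((sku.get("skuPartNumber", "?"), name))
    return sorted(findings)


if __name__ == "__main__":
    for sku, plan in unexpected_plans(SAMPLE_RESPONSE):
        print(f"{sku}: {plan} is enabled; disable it for the device account")
```

License plans cover only Microsoft 365 services; access to the local network or to other applications that trust the same directory has to be reviewed separately.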

Also educate employees not to save the username and password on the device using Android’s built-in password management. This saved password would be available to any other application authenticating using OAuth, including Outlook, OneDrive, Teams, etc.

Consider using a system lockdown application to prevent users from accessing applications other than Warehouse Insight. Most manufacturers preinstall these applications on the devices, but there are also many options available from third parties.


4 Comments

  1. Charles Bailey, December 2, 2022 at 1:41 pm

    Hi, in the last paragraph it is mentioned to possibly “Consider using a system lockdown application”. Are there any solutions that you could recommend or even ‘stay away from’ in your opinion?

    • Steven Gaudin-Lawson, February 20, 2023 at 3:36 pm

      The type of handheld scanner you are using will determine what apps would be appropriate. My suggestion would be to reach out to the manufacturer of the handheld to see what applications they would recommend, and verify with your IT that the suggested apps will meet their security requirements.

  2. Gary Hughes, May 25, 2022 at 10:26 am

    Hi, is there an update in the pipeline to overcome this with new setups that will be on v20?
