Tags: azure-active-directory, terraform, dynamics-business-central

Dynamics 365 Business Central terraform scopes


I am trying to create a terraform script that will register an application in Azure AD.

I have been successful in generating a script that only reads scopes from Microsoft Graph. But I am having trouble figuring out what the equivalents of those scopes are in Business Central (Cloud version).

For Microsoft Graph I have these permissions:

  • email
  • offline_access
  • openid
  • profile
  • Financials.ReadWrite.All
  • User.Read

And I read them like this in terraform:

provider "azuread" {
  subscription_id = var.subscription_id

  # Keep the provider pinned so the data-source and resource schemas this
  # configuration relies on do not change underneath it.
  version = "~> 0.10"
}

# Service principal for Microsoft Graph; its published oauth2_permissions are
# the delegated scopes whose ids are resolved in the locals block below.
# NOTE(review): a display name is not an immutable identifier — looking the
# principal up by its application_id (as the Solution below does for
# Business Central) is the more robust anchor.
data "azuread_service_principal" "graph-api" {
  display_name = "Microsoft Graph"
}

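# Resolve the Microsoft Graph delegated scopes to the permission ids Azure AD
# expects, by matching each scope's `value` (its name) against the service
# principal's published oauth2_permissions. Every lookup ends in [0], so a
# scope the principal does not publish fails the plan instead of silently
# registering nothing. Written as bare expressions: the "${...}" wrapper and
# list() are 0.11-era forms the rest of this configuration no longer needs.
locals {
  GRAPH_SCOPES = data.azuread_service_principal.graph-api.oauth2_permissions

  MAIL_PERMISSION                  = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["email"])[0]
  USER_READ_PERMISSION             = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["User.Read"])[0]
  # Broad write scope on financial data — keep only if the app really writes.
  FINANCIALS_READ_WRITE_PERMISSION = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["Financials.ReadWrite.All"])[0]
  # Grants refresh tokens, i.e. long-lived access after the sign-in session.
  OFFLINE_PERMISSION               = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["offline_access"])[0]
  OPENID_PERMISSION                = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["openid"])[0]
  PROFILE_PERMISSION               = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["profile"])[0]
}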

Which seems to be working fine. I am just struggling to find a similar way of doing this for Dynamics 365 Business Central.

I am interested in these:

  • app_access
  • Financials.ReadWrite.All
  • user_impersonation

Does anybody know what that endpoint might look like? The documentation is very limited.

EDIT:

This is the final script for anybody interested in setting up a Business Central application registration:

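# Consumed only by the azuread provider block.
variable "subscription_id" {
  type        = string
  description = "Azure subscription id the azuread provider is configured with."
}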
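variable "app_name" {
  type        = string
  description = "Display name of the Azure AD application registration."
}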
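variable "app_homepage" {
  type        = string
  description = "Home page URL recorded on the application registration."
}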
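# Redirect URIs are matched exactly at sign-in, so anything not in this list
# never receives a token; keep it to HTTPS endpoints under your control.
variable "app_reply_urls" {
  type        = list(string)
  description = "Reply (redirect) URLs registered on the application; exact-match HTTPS endpoints you control."
}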

provider "azuread" {
  subscription_id = var.subscription_id

  # Pinned on purpose: the schemas of azuread_service_principal and
  # azuread_application used below should not change without a review.
  version = "~> 0.10"
}

# Microsoft Graph service principal; its oauth2_permissions supply the
# delegated scope ids resolved in the locals block.
# NOTE(review): display names are not immutable identifiers — prefer the
# application_id lookup style used for the d365bc principal in the Solution.
data "azuread_service_principal" "graph-api" {
  display_name = "Microsoft Graph"
}

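# Dynamics 365 Business Central service principal, looked up by its
# application (client) id instead of its display name: the id is immutable
# and globally unique, so the lookup cannot resolve to some other principal
# that merely carries the same display name. The id is the one given in the
# accepted Solution; the display-name form is kept for reference.
data "azuread_service_principal" "d365bc" {
  application_id = "996def3d-b36c-4153-8607-a6fd3c01b89f"
  # display_name = "Dynamics 365 Business Central"
}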

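# Resolve permission names to the ids Azure AD expects in resource_access.
# Delegated scopes are published in oauth2_permissions; application
# permissions (app_access) are published in app_roles, which is why that one
# lookup differs. Every lookup ends in [0], so a name the principal does not
# publish fails the plan rather than silently dropping the permission.
# Written as bare expressions: the "${...}" wrapper and list() are 0.11-era
# forms the rest of this configuration no longer needs.
locals {
  GRAPH_SCOPES = data.azuread_service_principal.graph-api.oauth2_permissions
  BC_SCOPES    = data.azuread_service_principal.d365bc.oauth2_permissions
  BC_APP_ROLES = data.azuread_service_principal.d365bc.app_roles

  # Application permission (type = "Role" in the resource): lets the app call
  # Business Central without a signed-in user, so it takes effect only after
  # tenant admin consent.
  APP_ACCESS_PERMISSION                 = matchkeys(local.BC_APP_ROLES.*.id, local.BC_APP_ROLES.*.value, ["app_access"])[0]
  # Delegated: the app acts as the signed-in user, bounded by that user's access.
  USER_IMPERSONATION_PERMISSION         = matchkeys(local.BC_SCOPES.*.id, local.BC_SCOPES.*.value, ["user_impersonation"])[0]
  BC_FINANCIALS_READ_WRITE_PERMISSION   = matchkeys(local.BC_SCOPES.*.id, local.BC_SCOPES.*.value, ["Financials.ReadWrite.All"])[0]
  GRAPH_FINANCIAL_READ_WRITE_PERMISSION = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["Financials.ReadWrite.All"])[0]
  # Name kept because the resource block references it, but this resolves
  # Graph's User.Read scope, not a mail scope.
  MAIL_READ_PERMISSION                  = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["User.Read"])[0]
  MAIL_PERMISSION                       = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["email"])[0]
  # Grants refresh tokens, i.e. long-lived access after the sign-in session.
  OFFLINE_PERMISSION                    = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["offline_access"])[0]
  OPENID_PERMISSION                     = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["openid"])[0]
  PROFILE_PERMISSION                    = matchkeys(local.GRAPH_SCOPES.*.id, local.GRAPH_SCOPES.*.value, ["profile"])[0]
}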

# Application registration for the Business Central integration.
# The permissions below are only *requested* on the registration: they take
# effect once consent is granted in the tenant (admin consent for the
# Role-typed app_access permission), and nothing in this configuration
# performs that consent.
resource "azuread_application" "businessCentral" {
  name                       = var.app_name
  homepage                   = var.app_homepage
  identifier_uris            = []
  reply_urls                 = var.app_reply_urls
  # Multi-tenant: accounts from any Azure AD tenant can sign in to and
  # consent to this app. NOTE(review): confirm this is intended; use false if
  # only the home tenant should be able to use the registration.
  available_to_other_tenants = true
  type                       = "webapp/api"

  # Delegated (Scope) permissions on Microsoft Graph — exercised on behalf of
  # the signed-in user.
  required_resource_access {
    resource_app_id = data.azuread_service_principal.graph-api.application_id
    # Broad write scope on financial data via Graph; Business Central's own
    # Financials.ReadWrite.All is requested further down as well, so drop
    # whichever route the app does not actually use.
    resource_access {
      id   = local.GRAPH_FINANCIAL_READ_WRITE_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.MAIL_PERMISSION
      type = "Scope"
    }
    # Resolves to Graph's User.Read despite the local's name.
    resource_access {
      id   = local.MAIL_READ_PERMISSION
      type = "Scope"
    }
    # offline_access yields refresh tokens (long-lived access).
    resource_access {
      id   = local.OFFLINE_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.OPENID_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.PROFILE_PERMISSION
      type = "Scope"
    }
  }

  # Permissions on Dynamics 365 Business Central.
  required_resource_access {
    resource_app_id = data.azuread_service_principal.d365bc.application_id
    # Application permission (Role): app-only access with no signed-in user.
    # This is the one entry that needs tenant admin consent.
    resource_access {
      id   = local.APP_ACCESS_PERMISSION
      type = "Role"
    }
    # Delegated: act as the signed-in user within that user's BC access.
    resource_access {
      id   = local.USER_IMPERSONATION_PERMISSION
      type = "Scope"
    }
    resource_access {
      id   = local.BC_FINANCIALS_READ_WRITE_PERMISSION
      type = "Scope"
    }
  }

  # A role *exposed by* this application: other service principals can be
  # assigned "Admin" on it (allowed_member_types restricts it to applications,
  # not users). Nothing here performs such an assignment.
  app_role {
    allowed_member_types = [
      "Application"
    ]
    description  = "Admins can manage roles and perform all task actions"
    display_name = "Admin"
    is_enabled   = true
    value        = "Admin"
  }
}

One thing to note is that app_access is an application permission (`type = "Role"`), while the rest of the API permissions are delegated permissions (`type = "Scope"`).

You can call the above terraform with:

terraform plan -var="subscription_id={your_subscription_id}" -var='app_reply_urls={your_urls_array}' -var="app_name={your_app_name}" -var="app_homepage={your_app_homepage}"

Solution

  • Try this:

    # Exact pin (=0.10.0) rather than a range: fully reproducible, but fixes
    # shipped in later 0.10.x releases are not picked up until this line is
    # edited.
    provider "azuread" {
      # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
      version = "=0.10.0"
    }
    
    # Looked up by application (client) id rather than display name: the id is
    # immutable and globally unique, so the lookup cannot be confused by another
    # principal that happens to carry the same display name.
    data "azuread_service_principal" "d365bc" {
      application_id = "996def3d-b36c-4153-8607-a6fd3c01b89f"
    }
    
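    # Resolve the Business Central permission names to ids. app_access is an
    # application permission and is therefore published under app_roles; the
    # other two are delegated scopes under oauth2_permissions. Each lookup
    # ends in [0], so a name the principal does not publish fails the plan
    # instead of silently dropping the permission. Bare expressions replace
    # the 0.11-era "${...}" wrapper and list() call.
    locals {
      BC_SCOPES    = data.azuread_service_principal.d365bc.oauth2_permissions
      BC_APP_ROLES = data.azuread_service_principal.d365bc.app_roles

      # Used with type = "Role"; app-only access, needs tenant admin consent.
      APP_ACCESS_PERMISSION            = matchkeys(local.BC_APP_ROLES.*.id, local.BC_APP_ROLES.*.value, ["app_access"])[0]
      USER_IMPERSONATION_PERMISSION    = matchkeys(local.BC_SCOPES.*.id, local.BC_SCOPES.*.value, ["user_impersonation"])[0]
      FINANCIALS_READ_WRITE_PERMISSION = matchkeys(local.BC_SCOPES.*.id, local.BC_SCOPES.*.value, ["Financials.ReadWrite.All"])[0]
    }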
    

    996def3d-b36c-4153-8607-a6fd3c01b89f is the client (application) id of the Microsoft Dynamics 365 BC service principal.

    app_access is an application permission, so we need to look it up in "app_roles" rather than "oauth2_permissions" here.