Setup walkthrough
A ~10–15 minute guide that grants Amplio read-only access to review your Business Central setup across all your companies. There are two parts: Part A creates an app in Microsoft Entra (Azure AD) so it can sign in; Part B registers that app inside Business Central so it is allowed to read your data. You need both. You will collect four values to send back to Amplio.
At a glance
Two short jobs. Part A needs a Microsoft Entra (Azure AD) Global Admin; Part B needs a Business Central admin.
Create the app & sign-in identity
- Register the app (single tenant)
- Copy Tenant ID & Client ID
- Add BC API permissions → Grant admin consent
- Create a client secret → copy its Value
Authorise the app to read your data
- Open Microsoft Entra Applications
- New → paste the Client ID + a description
- Assign a permission set (Company = blank = all)
- Grant Consent → set State = Enabled
401 Authentication_InvalidCredentials.What you'll do
- Before you start — what you need
- Part A — Microsoft Entra (Azure AD)
- Sign in to the Azure portal in the right tenant
- Create the App registration (single tenant)
- Copy the Tenant ID and Client ID
- Add the Business Central API permissions & grant admin consent
- Create the client secret (copy the Value)
- Part B — Business Central
- Open "Microsoft Entra Applications" in BC
- Create the application entry (paste the Client ID)
- Assign the permission set (across all companies)
- Grant Consent, then set State = Enabled
- Finish
- Send the four values to Amplio
- Troubleshooting
Before you start
Confirm these points first — skipping any of them is the most common cause of a stalled review.
- You can register an app in your Entra ID tenant — a Global Administrator, or Application Administrator + Cloud Application Administrator combined (needed to grant admin consent in Part A).
- You can sign in to Business Central as an admin — enough rights to open the Microsoft Entra Applications page and Grant Consent (Part B).
- You know the BC environment name you want reviewed (e.g.
Production, or a chosen Sandbox). - You have a password manager or secure note open — Azure shows the client secret Value only once.
- You're using Edge or Chrome signed in with the admin account of the right directory. Sign out of any other Microsoft accounts first (or use a private/incognito window).
Part A — Microsoft Entra (Azure AD)
Portal: entra.microsoft.com (or portal.azure.com → Microsoft Entra ID). This creates the app and its sign-in credentials.
1Sign in to the Azure portal in the right tenant
Open a private / incognito window so you don't pick up a stale Microsoft session from a different tenant. Go to https://entra.microsoft.com and sign in with the admin account of the directory that hosts your Business Central environment.
Click the avatar (top-right) to confirm the directory name. If it's the wrong tenant, click Switch directory and pick the right one before continuing.
2Create the App registration (single tenant)
In the left nav go to Applications → App registrations, then click + New registration and fill it in:
- Name:
Amplio BC System Review— makes it obvious this is a review identity. - Supported account types: Accounts in this organizational directory only (Single tenant). The scanner doesn't need multi-tenant, and the tighter scope is safer.
- Redirect URI: leave it blank. The scanner uses the client-credentials (app-only) OAuth flow, which never redirects a browser.
Click Register. Azure lands you on the app's Overview page.
3Copy the Tenant ID and Client ID
On the app's Overview page, find the Essentials box and copy:
- Directory (tenant) ID — this is value ① Tenant ID.
- Application (client) ID — this is value ② Client ID.
Both are UUIDs like 11111111-2222-3333-4444-555555555555 (36 characters incl. hyphens). Save both to your password manager.
4Add the Business Central API permissions & grant admin consent
In the app's left nav click API permissions → + Add a permission. In the blade:
- Open the APIs my organization uses tab and search Dynamics 365 Business Central; select it.
- Choose Application permissions (not Delegated) — app-only is what the client-credentials flow needs.
- Tick:
API.ReadWrite.All— required (full access to the BC web-services API).Automation.ReadWrite.All— required for full setup coverage.
- Click Add permissions.
- Back on the API permissions page click Grant admin consent for <your org> and confirm. Each permission's Status must turn to a green Granted tick.
API.ReadWrite.All scope; there is no narrower published equivalent. The permission is granted to the app you own — Amplio's scan code is read-only and never calls a write endpoint.API.ReadWrite.All + Automation.ReadWrite.All under Dynamics 365 Business Central, each with a green Granted for <org> tick.5Create the client secret (copy the Value)
In the app's left nav click Certificates & secrets → Client secrets → + New client secret:
- Description:
Amplio BC Review - Expires: 12–24 months (do not pick Never — long-lived secrets are an audit liability).
Click Add, then immediately copy the Value — this is value ③ Client secret.
Value, NOT the Secret ID. The Value is a longer string of letters/digits/symbols and is shown only once — leave the page and you can't see it again (you'd create a new secret). The Secret ID is a GUID and will not work.Part B — Business Central
Sign in to Business Central as an admin. This is what authorises the app to read your data — do it once per environment you want reviewed.
6Open "Microsoft Entra Applications" in BC
In Business Central, click the search 🔍 (Tell me what you want to do), type Microsoft Entra Applications and open it.
7Create the application entry (paste the Client ID)
On the Microsoft Entra Applications list, click New:
- Client ID — paste the Application (client) ID from step 3 (the app's ID, not the secret).
- Description — e.g.
Amplio System Review(free text, for your reference). - Leave State = Disabled for now — you enable it at the end (step 9), after consent + permissions are set.
8Assign the permission set (across all companies)
On the application card, find the User Permission Sets lines (lower part of the page). Add a line and pick a permission set:
D365 READ— read-only across BC; the least-privilege option for a review-only app (recommended).- or
D365 BUS PREMIUM— full functional access; what Amplio verified end-to-end. Fine for a trusted review.
Leave the Company field on the line blank so the set applies to all companies (a value there would limit the app to that one company).
SUPER. Business Central blocks SUPER for Entra Applications — use D365 READ or D365 BUS PREMIUM instead.D365 READ (or D365 BUS PREMIUM) line and the Company column left blank.9Grant Consent, then set State = Enabled
On the application card, click Grant Consent (in the actions / ribbon). A Microsoft sign-in opens — sign in as a Global / BC admin and approve. BC records the consent.
Then set State = Enabled and save.
401.10Send the four values to Amplio
You should now have four values. Paste them into the Free BC Review form (or send them securely — not plain email):
| # | Value | Where it came from |
|---|---|---|
| ① | Tenant ID (Directory ID) | Entra app Overview — step 3 |
| ② | Client ID (Application ID) | Entra app Overview — step 3 |
| ③ | Client secret (the Value) | Entra → Certificates & secrets — step 5 |
| ④ | Environment name | Business Central (e.g. Production) |
Amplio confirms it can read your setup and emails a branded report within one business day.
Troubleshooting
AADSTS7000215: Invalid client secret- The Secret ID (a GUID) was sent instead of the secret Value. Re-do step 5 and copy the Value.
- Token has no roles /
roles: null - Admin consent wasn't granted in step 4. Open API permissions and click Grant admin consent.
401 Authentication_InvalidCredentialsfrom Business Central- The app isn't registered in BC (Part B), its State isn't Enabled, or no permission set is assigned. Check steps 7–9.
- Most companies read, but a few fail with "licence has expired / trial ended"
- Those specific companies are usually in a genuine trial-expired / evaluation state (common for throwaway test companies), or the permission set doesn't cover them. Confirm the company is licensed; a tenant-wide read set (
D365 READ) with Company blank covers every company the app can sign into.
Still stuck? Email reviews@ampliosolutions.co.uk with a screenshot of the step you're on. We reply within one working day.