Guides

BC2Fabric Prerequisites

Introduction

To enable secure access from BC2Fabric to your Business Central (BC) environment, you need to register an application in Microsoft Entra ID (formerly Azure AD), assign the correct permissions, and securely store the credentials using Azure Key Vault. This guide walks you through the complete setup step-by-step.

What You Need

Before you begin, make sure you have the following:

  • Microsoft Azure Subscription
  • Permissions to register applications (e.g., Application Administrator or Cloud Application Administrator role)
  • Permissions to create a Key Vault (e.g., Contributor role on the subscription)
  • Business Central Account
  • A user account with the "Dynamics 365 Business Central Administrator" role.
  • Microsoft Fabric
  • An account with a Microsoft Power BI License to access Fabric (normally “Power BI Pro” or “Power BI Premium per User”)
  • A Fabric Workspace that you are admin of with a Fabric Capacity assigned (can be a trial capacity)

Microsoft Entra application

Step 1: Create a Microsoft Entra Application

  1. Sign in to the Azure Portal (https://portal.azure.com).
  2. Go to Microsoft Entra ID > App registrations.
  3. Click + Add and choose “App registration”.
  4. Enter a name for the app (e.g., “BC2Fabric Read from BC App”).
  5. Leave the default option selected for supported account types (Single tenant).
  6. Under Redirect URI, choose Web and enter: https://businesscentral.dynamics.com/OAuthLanding.htm
  7. Click Register.

Step 2: Add API Permissions

  1. Open your newly created application.
  2. Under Manage, select API permissions.
  3. Click “+ Add a permission”.
  4. Choose Dynamics 365 Business Central from the list.
  5. Select “Application permissions”, then check “API.ReadWrite.All”.
  6. Click Add permissions.

Note that the status shows that we have not granted permissions in Business Central yet.

Step 3: Create a Client Secret

A client secret of a Windows Entra App acts as a password used for authentication and therefore should be kept secret. We will store this secret later in an Azure Key Vault.

  1. In your app registration, go to Certificates & secrets.
  2. Click "+ New client secret"
  3. Set a description (e.g., BC2Fabric Read App Secret) and choose an expiration period (e.g., 730 days or a custom date).
  4. Click Add.
  5. Important: Immediately copy the Value field and save it securely. This is your client secret (password). You won’t be able to retrieve it again.

Note: You do not need the Secret ID.

Step 4: Copy the Client ID

Apart from this we need the Id of the Application we just created (Client ID).

  1. Go to App registrations and select your app.
  2. Copy the Application (client) ID from the overview page. You'll need it in the next step.

Azure Key Vault

Step 5: Store the Client Secret in Azure Key Vault

To securely store your client secret, use Azure Key Vault. You can use an existing Key Vault or create a new one. Azure Key Vault is a low-cost resource. the usage in this context).

Create a New Azure Key Vault

  1. In the Azure portal (https://portal.azure.com/), search for “Key Vault” and select “Key vaults”.
  2. Click + Create.
  3. Set the following:
    • Subscription: Choose your Azure subscription (you need Contributor role).
    • Resource group: Select or create one.
    • Region: Choose the desired location
  4. Leave other settings as default.
  5. Click Review + Create, then Create.

Note: Azure Key Vault is a low-cost resource.

Assign Key Vault Officer Permissions

  1. Open the Key Vault resource and select Access control (IAM).
  2. Click Add > Add role assignment.
  3. In the Role tab, search for and choose Key Vault Secrets Officer to grant permission to manage secrets.
  4. Click Next, then choose User, group, or service principal.
  5. Select the user (or service principal) that will add and maintain the BC2Fabric secrets, then click Review + assign.

Add Client Secret to Key Vault

  1. After deployment, open the Key Vault.
  2. Go to Secrets and click + Generate/Import.
  3. As name enter “bc2fabric-bc-api-secret”.
  4. Paste the Value (client secret from earlier) into the Secret value field.
  5. Click Create.
  6. Go to Overview and copy the Vault URI — you'll need this for your BC2Fabric configuration.

Business Central configuration

Step 6: Install BC2Fabric BC Extension from Microsoft AppSource

If you have not already, install the BC Extension BC2Fabric from Microsoft AppSource in the environment that should be used for synchronization.

Step 7: Assign Authorization in Business Central

Before the App can read any data from Business Central the authorization in the Business Central App must be set.

  1. Sign in to Business Central using your Admin account.
  2. Search for and open Microsoft Entra Applications.
  3. Click + New and fill in the following:
    • Client ID: Paste the Application (client) ID from the previous step.
    • Set a description: e.g., “BC2Fabric Read from BC App”.
    • State: Set to “Enabled”.
  4. Under User Permission Sets, click the ellipsis in the first cell and select “NBI BC2FAB READER”.
  5. This Permission Set provides the service principal (App) with access to “D365 READ” Permission Set and permissions for BC2Fabric-specific objects.

    6. Optional — Access to custom tables. If your mirrored endpoints include custom (non-Microsoft) tables, extend the app's user permission set with permission sets that grant read access to those tables. You can also assign the “SUPER (Data)” permission set, but granting only the minimum required permissions is recommended.

  6. Optionally, restrict access to specific companies using the Company column. If left empty, all companies will be accessible. Later in the installation process you can select which companies should be synchronized to Fabric.
  7. Click “Grant Consent”.
  8. Sign in with your Business Central Admin account when prompted.

Download the full installation guide (PDF)