@FH-Inway
Last active March 26, 2026 07:24
Create full D365FO CHE Entra integration #D365FO
# File: New-AzureAppRedirectURLs.ps1
# Add additional redirect URLs to an Azure Application.
# Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = "The object ID of the Azure Application.")]
    [String]
    $AppObjectId,
    [Parameter(Mandatory = $true, HelpMessage = "The redirect URLs to add to the Azure Application.")]
    [String[]]
    $RedirectURLs
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
Import-Module -Name Microsoft.Graph.Authentication -RequiredVersion 2.17.0 # As of 2026-03-26. In case of errors, try updating it to the latest version.
# You need to have the Entra ID (Azure Active Directory) role "Application Administrator" or "Application Developer".
Connect-MgGraph -Scopes "Application.Read.All","Application.ReadWrite.All","User.Read.All"
$Application = Get-MgApplication -ApplicationId $AppObjectId
# Keep the already registered redirect URIs and append the new ones. Graph rejects a
# redirect URI list with duplicate entries, so de-duplicate before updating.
$RedirectURLs = @($Application.Web.RedirectUris + $RedirectURLs | Select-Object -Unique)
Update-MgApplication -ApplicationId $AppObjectId -Web @{ RedirectUris = $RedirectURLs } -Verbose
<#
File: New-AzureAppRegistration.ps1
To execute the steps of the Entra integration setup, the ID of an Azure application is required.
This script creates an Azure application registration with the required API permissions.
The application must have the following API permissions:
- Dynamics ERP - This permission is required to access finance and operations environments.
- Microsoft Graph (User.Read.All and Group.Read.All permissions of the Application type).
- Dynamics Lifecycle Services (permission of type Delegated)
#>
# Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
[CmdletBinding()]
param (
    # Not marked Mandatory: a mandatory parameter never uses its default value.
    [Parameter(HelpMessage = "The name of the Azure Application.")]
    [String]
    $ApplicationName = "D365FO-CHE-Entra-Integration",
    [Parameter(Mandatory = $true, HelpMessage = "The redirect URLs to add to the Azure Application.")]
    [String[]]
    $RedirectURLs
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
Import-Module -Name Microsoft.Graph.Authentication -RequiredVersion 2.17.0 # As of 2026-03-26. In case of errors, try updating it to the latest version.
# You need to have the Entra ID (Azure Active Directory) role "Application Administrator" or "Application Developer".
Connect-MgGraph -Scopes "Application.Read.All","Application.ReadWrite.All","User.Read.All"
$Description = "https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/dev-tools/secure-developer-vm#external-integrations"
# API permissions
$DelegatedType = "Scope"
$ApplicationType = "Role"
## Dynamics ERP
$AXFullAccess = @{
    Id   = "6397893c-2260-496b-a41d-2f1f15b16ff3"
    Type = $DelegatedType
}
$ConnectorFullAccess = @{
    Id   = "add75854-3691-457b-84bc-76bc249f1b6f"
    Type = $ApplicationType
}
$CustomServiceFullAccess = @{
    Id   = "ad8b4a5c-eecd-431a-a46f-33c060012ae1"
    Type = $DelegatedType
}
$OdataFullAccess = @{
    Id   = "a849e696-ce45-464a-81de-e5c5b45519c1"
    Type = $DelegatedType
}
$DynamicsERP = @{
    ResourceAppId  = "00000015-0000-0000-c000-000000000000"
    ResourceAccess = @($AXFullAccess, $ConnectorFullAccess, $CustomServiceFullAccess, $OdataFullAccess)
}
## Microsoft Graph
$UserReadAll = @{
    Id   = "5b567255-7703-4780-807c-7be8301ae99b"
    Type = $ApplicationType
}
$GroupReadAll = @{
    Id   = "df021288-bdef-4463-88db-98f22de89214"
    Type = $ApplicationType
}
$MicrosoftGraph = @{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000"
    ResourceAccess = @($UserReadAll, $GroupReadAll)
}
## Dynamics Lifecycle Services
$UserImpersonation = @{
    Id   = "a8737248-d2c2-4a7c-9759-3dfaad5c2f19"
    Type = $DelegatedType
}
$DynamicsLifecycle = @{
    ResourceAppId  = "913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0"
    ResourceAccess = @($UserImpersonation)
}
$RequiredResourceAccessList = @($DynamicsERP, $MicrosoftGraph, $DynamicsLifecycle)
$params = @{
    DisplayName            = $ApplicationName
    Description            = $Description
    RequiredResourceAccess = $RequiredResourceAccessList
    Web                    = @{
        RedirectUris = $RedirectURLs
    }
}
$app = New-MgApplication @params -Verbose
# Give the directory a few seconds to replicate the new registration before requesting consent.
Start-Sleep -Seconds 5
# The admin consent endpoint accepts a verified domain or the tenant ID. Fall back to the
# tenant ID of the current Graph session if the new registration has no publisher domain.
$Tenant = if ($app.PublisherDomain) { $app.PublisherDomain } else { (Get-MgContext).TenantId }
$AdminConsentURL = "https://login.microsoftonline.com/$Tenant/adminconsent?client_id=$($app.AppId)"
# Opening the browser does not work reliably; the URL is printed below so consent can be granted manually.
Start-Process $AdminConsentURL
Write-Output "Azure application $ApplicationName was created."
Write-Output "If no browser window was opened, open the following URL to grant admin consent:"
Write-Output $AdminConsentURL
Write-Output "Use the following AppId to configure the integration:"
Write-Output $app.AppId
Write-Output "Use the application object id to upload the certificate."
Write-Output $app.Id
# File: New-FullEntraIntegration.ps1
# Creates an Entra integration with all steps scripted.
# 1. Creates an Azure AD application registration.
# 2. Runs the New-D365EntraIntegration cmdlet (d365fo.tools module), which creates the certificate
# 3. Uploads the certificate to the Azure AD application registration
# 4. (Optionally or later) Add additional redirect URLs to the Azure AD application registration
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
$RedirectURLs = @(
    "https://login.microsoftonline.com/common/oauth2/nativeclient",
    # Add the following two URLs for each environment where Entra integration is to be added.
    "https://my-che-env0123456devaos.axcloud.dynamics.com",
    "https://my-che-env0123456devaos.axcloud.dynamics.com/oauth"
)
.\New-AzureAppRegistration.ps1 -ApplicationName "D365FO-CHE-Entra-Integration" -RedirectURLs $RedirectURLs
# The registration script prints both IDs: the application (client) ID is configured in the
# environment, the object ID identifies the registration when uploading the certificate.
$ApplicationId = Read-Host -Prompt "Enter the Application ID of the Azure Application"
$securePassword = Read-Host -AsSecureString -Prompt "Enter a password for the Entra integration certificate"
New-D365EntraIntegration -ClientId $ApplicationId -CertificatePassword $securePassword
# Path of the public certificate (.cer) created by New-D365EntraIntegration
$CertificatePath = "$env:USERPROFILE\Desktop\CHEAuth.cer"
$AppObjectId = Read-Host -Prompt "Enter the object ID of the Azure Application"
.\Upload-Certificate.ps1 -AppObjectId $AppObjectId -CertificatePath $CertificatePath
$AdditionalRedirectURLs = @(
    "https://my-2nd-che-env0223456devaos.axcloud.dynamics.com",
    "https://my-2nd-che-env0223456devaos.axcloud.dynamics.com/oauth"
)
.\New-AzureAppRedirectURLs.ps1 -AppObjectId $AppObjectId -RedirectURLs $AdditionalRedirectURLs
# File: Upload-Certificate.ps1
# Uploads the certificate to the Azure Application
# Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = "The object ID of the Azure Application.")]
    [String]
    $AppObjectId,
    [Parameter(Mandatory = $true, HelpMessage = "The path to the certificate file.")]
    [String]
    $CertificatePath
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
Import-Module -Name Microsoft.Graph.Authentication -RequiredVersion 2.17.0 # As of 2026-03-26. In case of errors, try updating it to the latest version.
# You need to have the Entra ID (Azure Active Directory) role "Application Administrator" or "Application Developer".
Connect-MgGraph -Scopes "Application.Read.All","Application.ReadWrite.All","User.Read.All"
# Only the public certificate (.cer) is uploaded; the private key never leaves the environment.
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
$KeyCredentials = @(
    @{
        DisplayName = $Certificate.Subject
        Type        = "AsymmetricX509Cert"
        Usage       = "Verify"
        Key         = $Certificate.RawData
    }
)
# Note: -KeyCredentials replaces the application's whole key credential list, so any
# certificate uploaded earlier is removed by this call.
Update-MgApplication -ApplicationId $AppObjectId -KeyCredentials $KeyCredentials -Verbose
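As a check that the scripts above produced the intended state, the following verification script is added here; it is not part of the original gist and its file name and parameter names are my own choice. It assumes the same Microsoft.Graph modules, reads the registration back with read-only scopes, and compares it against the redirect URIs you expect and the permission IDs that New-AzureAppRegistration.ps1 assigns. It also covers the admin consent step that the comments below describe as unreliable, by looking at the app role assignments and OAuth2 permission grants on the application's service principal, and flags expired or soon-expiring certificates and any client secret on what should be a certificate-only integration.

```powershell
# Test-EntraIntegrationApp.ps1 (added example; not part of the original gist)
# Reads back an app registration created by New-AzureAppRegistration.ps1 and reports
# deviations from the expected state: redirect URIs, required API permissions,
# the uploaded certificate's validity window, and whether admin consent was granted.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = "The object ID of the Azure Application.")]
    [String]
    $AppObjectId,
    [Parameter(Mandatory = $true, HelpMessage = "The redirect URLs that are expected to be registered.")]
    [String[]]
    $ExpectedRedirectURLs
)

Import-Module -Name Microsoft.Graph.Authentication -RequiredVersion 2.17.0
# Read-only scopes are sufficient for a check; no write permission is requested.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$app = Get-MgApplication -ApplicationId $AppObjectId
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Redirect URIs: every expected URL must be present, and nothing else should be.
#    An unexpected redirect URI is a classic sign of a tampered app registration.
foreach ($url in $ExpectedRedirectURLs) {
    if ($app.Web.RedirectUris -notcontains $url) { $findings.Add("Missing redirect URI: $url") }
}
foreach ($url in $app.Web.RedirectUris) {
    if ($ExpectedRedirectURLs -notcontains $url) { $findings.Add("Unexpected redirect URI: $url") }
}

# 2. Required API permissions, keyed by resource app ID, using the permission IDs
#    that New-AzureAppRegistration.ps1 assigns.
$expectedAccess = @{
    # Dynamics ERP: AXFullAccess, ConnectorFullAccess, CustomServiceFullAccess, OdataFullAccess
    "00000015-0000-0000-c000-000000000000" = @(
        "6397893c-2260-496b-a41d-2f1f15b16ff3", "add75854-3691-457b-84bc-76bc249f1b6f",
        "ad8b4a5c-eecd-431a-a46f-33c060012ae1", "a849e696-ce45-464a-81de-e5c5b45519c1")
    # Microsoft Graph: User.Read.All, Group.Read.All (Application type)
    "00000003-0000-0000-c000-000000000000" = @(
        "5b567255-7703-4780-807c-7be8301ae99b", "df021288-bdef-4463-88db-98f22de89214")
    # Dynamics Lifecycle Services: user impersonation (Delegated type)
    "913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0" = @("a8737248-d2c2-4a7c-9759-3dfaad5c2f19")
}
foreach ($resource in $expectedAccess.Keys) {
    $configured = @(($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $resource }).ResourceAccess.Id)
    foreach ($permissionId in $expectedAccess[$resource]) {
        if ($configured -notcontains $permissionId) {
            $findings.Add("Missing permission $permissionId on resource $resource")
        }
    }
}

# 3. Certificate credential: the integration is certificate based, so at least one X.509
#    credential must exist, it must be within its validity window, and no client secret should be present.
$certs = @($app.KeyCredentials | Where-Object { $_.Type -eq "AsymmetricX509Cert" })
if ($certs.Count -eq 0) { $findings.Add("No certificate credential is uploaded") }
foreach ($cert in $certs) {
    if ($cert.EndDateTime -lt (Get-Date)) {
        $findings.Add("Certificate '$($cert.DisplayName)' expired on $($cert.EndDateTime)")
    }
    elseif ($cert.EndDateTime -lt (Get-Date).AddDays(30)) {
        $findings.Add("Certificate '$($cert.DisplayName)' expires within 30 days ($($cert.EndDateTime))")
    }
}
if (@($app.PasswordCredentials).Count -gt 0) {
    $findings.Add("Client secret(s) present on a certificate-based integration; review and remove them")
}

# 4. Admin consent: once granted, Application-type permissions appear as app role assignments
#    and Delegated-type permissions as OAuth2 permission grants on the app's service principal.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) {
    $findings.Add("No service principal exists in this tenant; admin consent has not been granted")
}
else {
    $roleAssignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id)
    $oauth2Grants    = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id)
    if ($roleAssignments.Count -eq 0) { $findings.Add("No app role assignments: Application-type permissions are not consented") }
    if ($oauth2Grants.Count -eq 0)    { $findings.Add("No OAuth2 permission grants: Delegated-type permissions are not consented") }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: application '$($app.DisplayName)' ($($app.AppId)) matches the expected configuration."
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it after New-FullEntraIntegration.ps1 with the same object ID and the complete list of redirect URLs (the nativeclient URL plus the two per-environment URLs); it is also useful as a periodic check, since it catches a certificate nearing expiry or a redirect URI that was added outside these scripts.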
@fwilkinson

On the "New-FullEntraIntegration.ps1" when I update the RedirectURL section with my Tier 1 URLs and try to run it, I am getting "New-AzureAppRegistration.ps1 : Cannot process argument transformation on parameter 'RedirectURLs'. Cannot convert value to type System.String."
Not sure what I am doing wrong here.

@FH-Inway
Author

I think I see the issue. The $RedirectURLs parameter should be an array of strings, not just a string, like in New-AzureAppRedirectURLs.ps1. Sorry about that, I will try to fix and test that in the next few days.

@FH-Inway
Author

@fwilkinson Try it now, New-AzureAppRegistration.ps1 has been fixed.

@fwilkinson

fwilkinson commented Mar 13, 2025 via email

@fwilkinson

That looks like it fixed it. Quick question, I think this will do everything mentioned in the MS docs, right? There isn't anything that has to occur after successfully executing the PS scripts to get the Entra integration running, so I should be able to click Import Users again? I'm spinning up a new CHE to test it on now but figured I would ask. Thanks for the quick response and help!

@fwilkinson

Never mind -- I was able to run it and it works great. The only thing that needed to be done was in the App Registration / API Permissions -- we had to manually do the "Admin consent", after that it works great. Thanks again

@FH-Inway
Author

@fwilkinson Great to see this worked for you!

In theory, the admin consent should be handled by the scripts insofar as a browser window should pop up where the admin consent can be granted. Lines 96 and 97 of New-AzureAppRegistration.ps1 should be doing that. In practice, I did not get this to work reliably. Sometimes it works, sometimes it doesn't. I will add a message in the script to that effect so the consent can be granted manually like you did.

Thanks for reporting the issues!

@fwilkinson

fwilkinson commented Mar 18, 2025 via email

@FH-Inway
Author

@Splaxi Thanks for reporting that version 2.17.0 of Microsoft.Graph.Authentication is required to run these scripts.
