Business Central Admin Center API

Question

I'm trying to call the Admin Center API of Business Central, but I keep getting 403 Forbidden error. I'm not sure what the problem is - it could be incorrect endpoint or another way to get the required token.

I'm authorizing the same way as I would if I were to communicate with a BC API through oauth2.

I have been trying with the following endpoints in Postman after successfully receiving an access token:

https://api.businesscentral.dynamics.com/admin/v2.11/applications/environments    
https://api.businesscentral.dynamics.com/admin/v2.11/applications/businesscentral/environments

But in both cases I get the 403 Forbidden error.

Calls to regular BC API's seems to be working as expected.

Does anyone have an idea as to what I'm doing wrong or missing here?

UPDATE 1

I have now changed the registered app to use delegated permissions and have permissions to any API within BC.

Retrieving a token goes fine, just like before, but the next call results in a "Forbidden" error, just like before as well.

REQUEST (from Fiddler)

GET https://api.businesscentral.dynamics.com/admin/v2.11/applications/environments HTTP/1.1
Host: api.businesscentral.dynamics.com
Authorization: Bearer <my token>
Accept: application/json

RESPONSE (from Fiddler)

HTTP/1.1 403 Forbidden
Content-Length: 0
ms-correlation-x: 8d8d7e1c-cc1e-4866-9c1f-9708533dabd0
Access-Control-Allow-Headers: Origin, X-Requested-With, Authorization
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: ms-correlation-x
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Thu, 07 Apr 2022 10:31:35 GMT

If I examine the token with jwt.io, I can't seem to find the part that describes which API the token gives access to, which could be the or part of the problem?

UPDATE 2

I don't get it, regardless of what I try, the access_token I get, doesn't include any info about what it grants access to.

I register an app and create delegated API permission for Business Central (user_impersonation and Financials.ReadWrite.All). Then I create a secret.

I use the following C# code to get a token:

    var client_id = "<client_guid>";
    var client_secret = "<client_secret>";
    var tenant_id = "<tenant_guid>";

    var token_url = "https://login.microsoftonline.com/" + tenant_id + "/oauth2/v2.0/token";

    var client = new HttpClient();

    var content = new StringContent(
        "grant_type=client_credentials"+
        "&scope=https://api.businesscentral.dynamics.com/.default"+
        "&client_id="+ HttpUtility.UrlEncode(client_id) +
        "&client_secret="+ HttpUtility.UrlEncode(client_secret));

    content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/x-www-form-urlencoded");

    var response = await client.PostAsync(token_url, content); 

The value in the "access_token" attribute i get from the response, doesn't describe any of the permissions I created when explored with jwt.io. What am I doing wrong here?

My app permissions look like this:

Answer 1

It could indicate that the permissions assigned in your access token are incorrect.

If you have the a copy of a token, you can check it on jwt.io.

I use the PowerShell module MSAL.PS to retrieve my access tokens with this scope:

https://api.businesscentral.dynamics.com/.default

---

Here is a link describing the required setup for Business Central Admin Center API