UPDATE: Microsoft will be disabling the Web Service Access Key feature of Dynamics 365 Business Central for hosted clients on October 1st, 2022. Learn more here.
by Nicholas Jackson, TrinSoft Senior Dynamics Consultant
Microsoft recently announced that it will end support for Web Service Access Key authentication to Dynamics 365 Business Central (BC) with 2022 release wave 1, which rolled out earlier this month, and many users are concerned with the potential impact. What does this change mean, why is it happening, how might it impact your organization, what are the alternatives, and what do you need to do?
What is the Web Service Access Key?
Many users in BC will just interact with the application through the web browser. However, if you have a 3rd party tool that needs to integrate with BC, there needs to be a way to control which applications have access to your system. Ideally, you do not give the application your username/password, and instead, another secret value that is used for granting access.
Web service access keys provide just that. They are a unique secret key that are tied to a user’s account. Any application using that access key to access BC can perform any action that the user’s account has permissions for.
Why is Microsoft Removing This Feature?
Web service access keys are easy to use, but they provide many security risks:
- The access key is tied to a user’s account. Anyone with that key can perform any action that the associated user can. Often, these keys are tied to an account with SUPER access, meaning anyone with the key can perform any action in BC.
- Access keys are difficult to manage. Since only one access key can be created on a per-user basis, resetting the access key for one application means resetting the access key for all applications.
- Access keys don’t expire. If an access key is compromised and a malicious user is accessing your system without you knowing, they will forever be able to access your system.
How Might This Impact Your Organization?
If you are using a 3rd party tool that integrates with BC and is using an access key, once this update is installed, your 3rd party tool will no longer integrate with BC. Common 3rd parties include AP automation tools, eCommerce integrations, and shipping software integrations. By now, your 3rd party integration should have switched away from access keys to the new standard, OAuth2.
What are the Alternatives?
Fortunately, Microsoft has implemented the most well-known and widely accepted authentication method for 3rd parties: OAuth 2.0. OAuth is a protocol for authenticating applications and users from 3rd parties to access systems like BC. It solves all the security risks mentioned above but does have a bit more of a learning curve associated with it.
What Do You Need to Do?
The good news is that the normal end user of BC should not see any change with this implementation. However, if you are a BC administrator and you have any 3rd party integrations, check with your 3rd party to ensure they are no longer using web service access keys. Your main point of contact for the integration will be able to tell you if they are using web service access keys.
Overall, Microsoft is taking a step in the right direction with this change, ensuring your BC data is securely accessed by parties you authorize. OAuth is the industry standard for a reason, and it is good that BC is requiring its adoption.
Do you have 3rd parties not using OAuth, and need assistance with the implementation? Do you have a system you’d like to integrate with BC using OAuth? Contact TrinSoft today, and one of our experienced consultants will answer any questions you have about OAuth in BC.