2024-05-06

Business Central: switching login to AAD

We had Windows login set up on our Business Central on-premises instance, and during a database refresh we were asked to add login via Microsoft Entra.

The process has nothing to do with the database; all configuration is local. It is well described in the official documentation. This is what I did:

  1. IIS site, tab Authentication: Windows Authentication enabled (HTTP 401 Challenge)
  2. IIS site root folder
    1. find the file navsettings.json in C:\inetpub\wwwroot\BCDEVname\
    2. switch ClientServicesCredentialType to the value "AccessControlService"
    3. restart IIS
  3. Microsoft Entra app registration settings
    1. create a new registration at https://entra.microsoft.com
    2. set the redirect URI to https://xxx.xx/SignIn
    3. API permissions: "User.Read"
    4. expose an API
      1. set the Application ID URI, ideally in the format https://xxx.xx/
    5. go back to Overview and click the "Endpoints" button to see the URLs
  4. Business Central Administration MMC console, click Edit
    1. Tab General
      1. Credential Type: AccessControlService
      2. Uncheck "Disable Token-Signing Certificate Validation"
    2. Tab Azure Active Directory
      1. Application Client ID: <insert ID from the app registration in Azure>
      2. WS-Federation login endpoint: https://login.microsoftonline.com/<tenantID>/wsfed?wa=wsignin1.0%26wtrealm=<applicationApiIdUri>%26wreply=https://xxx.xx/SignIn
      3. Metadata endpoint: https://login.microsoftonline.com/<tenantID>/FederationMetadata/2007-06/FederationMetadata.xml
  5. save and restart the BC instance
    1. if there are errors, check Event Viewer on the server: Windows Logs / Application
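
The WS-Federation and metadata endpoints above are easy to get subtly wrong (the inner `&` separators are written as `%26`, and `wreply` has to be exactly the redirect URI registered on the Entra app). The following is an added helper, not code from the post or from Microsoft, that builds both URLs in the format the post uses and checks the values against the app registration before you paste them into the MMC console; the tenant ID, host names and redirect URIs in it are constructed placeholders.

```python
from urllib.parse import urlparse

LOGIN_HOST = "https://login.microsoftonline.com"


def build_wsfed_login_endpoint(tenant_id: str, app_id_uri: str, reply_url: str) -> str:
    """WS-Federation login endpoint in the format the post uses.

    The inner '&' separators are written as %26 so the whole value is stored as
    one setting instead of being cut at the first '&'.
    """
    return (f"{LOGIN_HOST}/{tenant_id}/wsfed"
            f"?wa=wsignin1.0%26wtrealm={app_id_uri}%26wreply={reply_url}")


def build_metadata_endpoint(tenant_id: str) -> str:
    """Federation metadata document used to validate token-signing certificates."""
    return f"{LOGIN_HOST}/{tenant_id}/FederationMetadata/2007-06/FederationMetadata.xml"


def check_federation_settings(app_id_uri: str, reply_url: str,
                              registered_redirect_uris: list[str],
                              disable_signing_cert_validation: bool) -> list[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for name, url in (("Application ID URI", app_id_uri), ("wreply", reply_url)):
        if urlparse(url).scheme != "https":
            problems.append(f"{name} must use https: {url}")
    # Entra only posts the token back to a redirect URI registered on the app,
    # so wreply has to match one of them character for character.
    if reply_url not in registered_redirect_uris:
        problems.append(f"wreply {reply_url} is not a registered redirect URI")
    if not reply_url.endswith("/SignIn"):
        problems.append("wreply should point at the web client's /SignIn page")
    # The post unchecks this box on purpose: the server must verify the
    # signature on incoming tokens against the metadata endpoint.
    if disable_signing_cert_validation:
        problems.append("token-signing certificate validation must stay enabled")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or host.
    tenant, app_uri = "00000000-0000-0000-0000-000000000000", "https://bc.example.com/"
    reply = "https://bc.example.com/SignIn"
    print(build_wsfed_login_endpoint(tenant, app_uri, reply))
    print(build_metadata_endpoint(tenant))
    print(check_federation_settings(app_uri, reply, [reply], False) or "settings consistent")
```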

The next time you open https://xxx.xx/ you will be redirected to the Microsoft Entra (AAD) login page.
