Self-service App Key Vault onboarding for AppSource apps

Business value

AppSource apps for Business Central can read secrets from Azure Key Vault owned by the publishing partner. However, in order for this feature to be available to a partner's AppSource app, they have had to go through a manual process and reach out to us, which could lead to waiting times—and Azure Key Vault availability required a new version of the app after registration. To streamline the process, we have now made onboarding to Azure Key Vault part of the AppSource submission itself, which also implies that the app can immediately use its Azure Key Vault.

Feature details

Partners who want to register a key vault for their app no longer need to send an email to us and wait until we register their Entra Tenant Id with their app.

Instead they must:

• Grant read permission to our Dynamics 365 Business Central ISV Key Vault Reader app.
• Create a special secret in their respective key vault named AllowedBusinessCentralAppIds. This secret should contain the appIds of every app that will have access to the given key vault. For multiple apps, separate by a comma ','.

Follow this path to reduce the registration waiting time and make registration faster and easier.

Note that AppSource apps that already have registered their Entra Tenant Id should also introduce the special secret before submitting higher versions of their apps. The absence of this reserved AllowedBusinessCentralAppIds secret will likely result in a submission failure in the future.

Tell us what you think

Help us improve Dynamics 365 Business Central by discussing ideas, providing suggestions, and giving feedback. Use the forum at https://aka.ms/bcideas.