Permission for Automation API /users(...)/Microsoft.NAV.getNewUsersFromOffice365

Does someone know which permissions are needed for this bound action on the user endpoint?

I’ve the following permissions in the app registration:

And I’m trying with different permission sets in the “Azure Active Directory Applications” in BC, but nothing seems to work. I’m always getting the following error:

:frowning:

Is this BC online or on-premises? And which version?

Using Service to Service Authentication - Business Central | Microsoft Docs

Hi @Bert_Verbeek ,

It’s BC cloud Version 20.1.

@Bert_Verbeek ,

I have created an extension to manage permissions in different environments and I’m calling other endpoints of the automation API, for example to add a user to a user group. It’s all working fine.
The only thing that doesn’t work is this bound action Microsoft.NAV.getNewUsersFromOffice365.

Maybe I’m not understanding how to call this endpoint?
I call it like this:

POST https://api.businesscentral.dynamics.com/v2.0/{{environment}}/api/microsoft/automation/v2.0/companies(e7b613e3-ebc7-ec11-bb92-000d3a231c91)/users(36ce561e-4da0-4adb-903e-00877c20dfd5)/Microsoft.NAV.getNewUsersFromOffice365

And the thing I don’t really understand is, why is this a bound action? In my case I’m requesting a random user and using the userSecurityId to form my URL for the bound action call. In my opinion that should be an unbound action…

Have you attached the D365 Automation and D365 Extension Mgt permission sets?

Service-to-service authentication for automation APIs in Business Central 2020 release wave 2 – Kauffmann @ Dynamics 365 Business Central

The function is calling a job scheduler process that kicks off. Not sure why MS placed it in a bound function.

@Bert_Verbeek ,

Yes, I’ve attached these 2 user groups.

But I think that I found the problem. It’s because I haven’t granted consent for the Azure Active Directory Application on this environment. I’m not 100% sure but I’ll let you know after the customer has granted consent.

In my tests I had 2 environments, where I always called the automation API endpoints in environment_2 from an extension installed on environment_1. In environment_1 the customer had just granted consent for the AAD app, but not in environment_2. So I was able to call all the endpoints in environment_2 except the bound action Microsoft.NAV.getNewUsersFromOffice365.

Why do I think that this is the problem? Because I tried to call the action from environment_1 on environment_1 and it worked, but I’ll let you know afterwards if that was really the case.

I am a step further, but it’s not working yet.

It was not the problem of the not-granted consent I mentioned in my previous post.
It worked in one environment because there were no new users to create. So if there are no new users, the action call works.

So I think the S2S user doesn’t have the permission for this operation, but I didn’t find out which permission is needed. I tried with nearly every permission.

I’ve also executed the action manually and recorded the permissions, but also with them it’s not working.

Does anyone have an idea?