Description
Hi,
I was following the instructions in https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/setup-app-key-vault-onprem and see some problems.
Publish-NAVApp has a parameter, PublisherAzureActiveDirectoryTenantId, that is used to tell BC which key vaults the BC app can access, but there is no analog for launch.json. Please add a publisherAzureActiveDirectoryTenantId parameter to launch.json. Actually, I think app.json would be more appropriate, because this is app configuration.
As a workaround, we can disable the check on the BC side (AzureKeyVaultAppSecretsPublisherValidationEnabled = false), but then we don't have any validation during development; we want to know that our OnPrem extensions will work.
Here is how to reproduce the problem.
- Use the instructions from https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/setup-app-key-vault-onprem to create an Azure app registration and an Azure key vault. Make sure the app registration has access to the key vault.
- Create a BC container using BcContainerHelper. Use your own certificate path and password in the last command. You can change the BC artifact version.

  ```powershell
  $ContainerName = 'bcserver'
  $BcArtifactUrl = Get-BCArtifactUrl -type OnPrem -version 25 -country w1 -accept_insiderEula; $BcArtifactUrl
  $ContainerCredential = New-Object -TypeName pscredential -ArgumentList 'user', ('Password1.' | ConvertTo-SecureString -AsPlainText -Force)

  # Container settings, splatted into New-BcContainer
  $Container = @{
      accept_eula              = $true
      accept_insiderEula       = $true
      containerName            = $ContainerName
      isolation                = 'hyperv'
      updateHosts              = $true
      artifactUrl              = $BcArtifactUrl
      useSSL                   = $true
      installCertificateOnHost = $true
      assignPremiumPlan        = $true
      enableTaskScheduler      = $true
      auth                     = 'NavUserPassword'
      Credential               = $ContainerCredential
  }
  New-BcContainer @Container

  # Key vault / AAD app settings; replace the placeholders with your own values
  $KeyVault = @{
      containerName             = $ContainerName
      pfxFile                   = '...pfx file...'
      pfxPassword               = ('...pfx password...' | ConvertTo-SecureString -AsPlainText -Force)
      clientId                  = '...your app registration client ID...'
      enablePublisherValidation = $true
  }
  Set-BcContainerKeyVaultAadAppAndCertificate @KeyVault
  ```

- Create a new AL app and set the key vault URL in the app.json file. The instructions are not clear whether the AllowedBusinessCentralAppIds key vault secret is needed in the on-prem case, but my test report depends on it.
  Add the following report to the app code and publish the app using VS Code. Running the report will show an error that the BC configuration needed to access the key vault is wrong. If you instead use

  `Publish-BcContainerApp -containerName $ContainerName -appFile $AppFile -scope Tenant -skipVerification -PublisherAzureActiveDirectoryTenantId '... your Azure active directory tenant ID...'`

  and install the app using the web client, then the key vault will be accessible.

  ```al
  report 50100 "Test KV"
  {
      Caption = 'Test KV';
      UsageCategory = Tasks;
      ApplicationArea = All;
      ProcessingOnly = true;
      InherentPermissions = X;

      var
          AzureKeyVaultSecretProvider: Codeunit "App Key Vault Secret Provider";

      trigger OnPreReport()
      var
          SecretValue: SecretText;
      begin
          // Initialize the provider from the key vault configured in app.json
          AzureKeyVaultSecretProvider.TryInitializeFromCurrentApp();
          // Read the secret; fails if BC rejects the app's access to the vault
          AzureKeyVaultSecretProvider.GetSecret('AllowedBusinessCentralAppIds', SecretValue);
          Message('Is empty? %1', SecretValue.IsEmpty());
      end;

      trigger OnPostReport()
      begin
          Message('Done.');
      end;
  }
  ```
Publishing apps from VS Code should be equivalent to publishing with Publish-NAVApp. For now, I will disable the check in the BC server configuration.
Thanks.
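The workaround in this issue (AzureKeyVaultAppSecretsPublisherValidationEnabled = false) is easy to leave behind on a container that later gets reused, so a small audit that reports whether publisher validation is still off, and optionally restores it, is useful. This is an added example, not code from the issue or from BcContainerHelper; it assumes BcContainerHelper's Get-BcContainerServerConfiguration, Set-BcContainerServerConfiguration and Restart-BcContainerServiceTier cmdlets, and the function name and output shape are this example's own.

```powershell
# Added example: audit (and optionally restore) key vault publisher validation
# on a BcContainerHelper container. Assumes the BcContainerHelper cmdlets
# named below; Test-BcKeyVaultPublisherValidation is a hypothetical name.
function Test-BcKeyVaultPublisherValidation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ContainerName,
        [switch] $Restore   # re-enable validation if the workaround is in place
    )

    $key = 'AzureKeyVaultAppSecretsPublisherValidationEnabled'

    # Server settings (CustomSettings.config) exposed as object properties
    $config = Get-BcContainerServerConfiguration -ContainerName $ContainerName
    $raw = $config.$key

    # Assumption: an absent key means the server default (validation enabled);
    # an explicit 'false' means the dev workaround from the issue is active.
    $enabled = [string]::IsNullOrEmpty($raw) -or ($raw -eq 'true')

    if ($enabled) {
        $finding = 'OK: publisher validation enabled'
    } else {
        $finding = 'Publisher validation disabled (dev workaround left in place)'
    }

    if (-not $enabled -and $Restore) {
        # Put the secure setting back and restart the service tier so it applies
        Set-BcContainerServerConfiguration -ContainerName $ContainerName -KeyName $key -KeyValue 'true'
        Restart-BcContainerServiceTier -ContainerName $ContainerName
        $enabled = $true
        $finding = 'Publisher validation re-enabled; service tier restarted'
    }

    [pscustomobject]@{
        ContainerName       = $ContainerName
        PublisherValidation = $enabled
        Finding             = $finding
    }
}

# Usage against the container created above; add -Restore to fix it in place
Test-BcKeyVaultPublisherValidation -ContainerName 'bcserver'
```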