Dynamics 365 Finance & Operations Connector
Overview
The Dynamics 365 Finance & Operations (F&O) connector integrates D365 production data with MachineMetrics. The connector runs on a MachineMetrics Edge Device and exchanges data in both directions:
- From D365 → MachineMetrics: Production orders and routing operations are imported, making jobs available for tracking on the shop floor.
- From MachineMetrics → D365: Labor data is written back to D365 as route card journal entries after production activity is recorded.
The connector authenticates to D365 F&O using OAuth 2.0 through an Azure-registered service principal. No interactive user sessions are required.
Requirements
- D365 F&O running as a cloud-hosted SaaS deployment. On-premise Dynamics AX is not supported.
- The Production Control module is licensed (included with the Supply Chain Management license).
- Access to the Azure Portal with permissions to create app registrations and grant admin consent.
- System Administrator access in D365 F&O.
- A MachineMetrics Edge Device (physical or virtual) that can reach the D365 environment URL.
No additional API licenses are required. OData REST API access is included with all D365 F&O cloud subscriptions.
Setup Guide
Complete three configuration steps in Azure and D365, in order, before configuring the connector.
Step 1: Register the Application in Azure Entra ID
Who does this: Azure AD / Entra ID administrator
Where: Azure Portal → Microsoft Entra ID → App Registrations
- Click New registration.
- Enter a name (e.g., MachineMetrics Connector).
- Set it as a single-tenant application.
- Click Register.
Create a client secret
- Go to Certificates & secrets → New client secret.
- Set an expiration period (12–24 months recommended).
- Click Add.
- Copy the secret value immediately. It is only displayed once.
Add API permissions
- Go to API permissions → Add a permission → APIs my organization uses.
- Search for Dynamics ERP and select it. (Do not select "Dynamics CRM" or "Business Central".)
- Add these three permissions:
  - Access Dynamics AX Custom Service
  - Access Dynamics AX data
  - Access Dynamics AX online as organization users
- Click Grant admin consent for [your tenant]. A tenant administrator must perform this step.
- Confirm each permission shows a green checkmark under "Status".
After this step, collect:
| Item | Where to find it |
|---|---|
| Tenant ID | Azure Portal → Microsoft Entra ID → Properties → Tenant ID |
| Client ID | App registration → Overview → Application (client) ID |
| Client Secret | Copied during secret creation above |
Step 2: Create a Service Account in D365 F&O
Who does this: D365 System Administrator
Where: D365 F&O → System Administration → Users → Users
Create a dedicated user account for the integration. Use a service account (e.g., mm-integration@yourdomain.com) rather than a named user to avoid conflicts with interactive sessions.
Assign security roles
Option A: Standard Roles
| Role | Module | What it grants |
|---|---|---|
| Production supervisor | Production Control | Read: ProductionOrderHeaders, ProductionOrderRouteOperations, OperationsResources, RouteCardProductionJournalEntries |
| Released product maintenance | Product Information Management | Read: ReleasedProductsV2 |
| Human resource assistant | Human Resources | Read: HcmWorkerEntity |
| Production operator | Production Control | Write: RouteCardProductionJournalEntries |
The Production operator role is only needed when Write LTs to D365 is enabled.
Option B: Custom Integration Role (recommended)
Create a role (e.g., MachineMetrics Integration) with explicit Data Services privileges:
| Privilege | Entity | Integration Mode | Grant |
|---|---|---|---|
| HcmWorkerEntityView | HcmWorkerEntity | DataServices | Read |
| OpResOperationsResourceEntityView | OperationsResources | DataServices | Read |
| ProdProductionOrderHeaderEntityView | ProductionOrderHeaders | DataServices | Read |
| ProdRouteOperationsEntityView | ProductionOrderRouteOperations | DataServices | Read |
| EcoResReleasedProductV2EntityView | ReleasedProductsV2 | DataServices | Read |
| ProdRouteCardJournalEntryEntityView | RouteCardProductionJournalEntries | DataServices | Read |
| ProdRouteCardJournalEntryEntityMaintain | RouteCardProductionJournalEntries | DataServices | Delete (grants Create + Update + Delete) |
The last row is only needed when Write LTs to D365 is enabled.
After this step, note the User ID of the service account.
Step 3: Link the App Registration to the Service Account
Who does this: D365 System Administrator
Where: D365 F&O → search for Microsoft Entra → Microsoft Entra ID applications
You can navigate directly using:
https://{your-environment}.operations.dynamics.com/?cmp={company-code}&mi=SysAADClientTable
- Click + New.
- Enter the Client ID from Step 1.
- Enter a name (e.g., MachineMetrics).
- Enter the User ID from Step 2.
- Click Save.
Configuration Reference
Configure these variables on the Edge Services screen. Variables marked with a lock icon are masked in the UI.
D365 Connection
| Label | Required | Description |
|---|---|---|
| D365 Environment Host | Yes | Hostname of the D365 F&O environment, without protocol. Example: contoso.operations.dynamics.com. |
| D365 Tenant Id | Yes | Azure AD tenant ID from the app registration (Step 1). |
| D365 Client Id | Yes | Application (client) ID from the app registration (Step 1). |
| D365 Client Secret | Yes | Client secret from the app registration (Step 1). |
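A pre-flight check for the four connection values above, as an added example (not MachineMetrics code): it flags common entry mistakes and builds the standard Entra ID v2.0 client-credentials token request without sending it. The dictionary keys, function names and sample values are assumptions made for this illustration.

```python
import re
from urllib.parse import urlencode

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
HOSTNAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample with three typical mistakes; all values are made up.
BAD = {
    "host": "https://contoso.operations.dynamics.com/",
    "tenant_id": "contoso.onmicrosoft.com",
    "client_id": "00000000-0000-0000-0000-000000000001",
    "client_secret": "00000000-0000-0000-0000-0000000000a1",
}

def check_config(cfg):
    """Return a list of problems found in the four D365 connection values."""
    problems = []
    host = cfg.get("host", "")
    if "/" in host:
        problems.append("host: remove the protocol and any path")
    elif not HOSTNAME.match(host):
        problems.append("host: not a bare hostname")
    for key in ("tenant_id", "client_id"):
        if not GUID.match(cfg.get(key, "")):
            problems.append(f"{key}: not a GUID")
    secret = cfg.get("client_secret", "")
    if not secret or secret != secret.strip():
        problems.append("client_secret: empty or has surrounding whitespace")
    elif GUID.match(secret):
        # Heuristic: a GUID here is usually the Secret ID column, not the Value.
        problems.append("client_secret: looks like the Secret ID, not the secret value")
    return problems

def token_request(cfg):
    """Build (url, form_body) for the client-credentials token request."""
    url = f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        # The token audience is the D365 environment itself.
        "scope": f"https://{cfg['host']}/.default",
    })
    return url, body

if __name__ == "__main__":
    for problem in check_config(BAD):
        print(problem)
```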
MachineMetrics Platform
| Label | Required | Description |
|---|---|---|
| Mapping Service Token | Yes | Authentication token for this connector instance. Provided by MachineMetrics during deployment. |
| Mapping Service URL | Yes | Base URL for the MachineMetrics ERP mapping service. Provided by MachineMetrics during deployment. |
| Mapping Auth Service URL | Yes | Base URL for the MachineMetrics authentication API. Provided by MachineMetrics during deployment. |
Site and Legal Entity
| Label | Required | Description |
|---|---|---|
| D365 Default Site Id | Yes | D365 site code for the production site. Found in D365 → Warehouse management → Setup → Sites. Example: 110. |
| D365 Default Data Area Id | Yes | D365 dataAreaId (legal entity / company code). Found in D365 → System Administration → Legal entities. Example: usmf. |
Sync Behavior
| Label | Required | Description |
|---|---|---|
| Import LTs to MM | No | true to import labor tickets from D365 into MachineMetrics. Default: false. |
| Write LTs to D365 | No | true to write labor tickets from MachineMetrics back to D365. Default: false. |
| Job or Operation Journals | No | Whether to use job journals or operation journals when writing to D365. Options: job, operation. |
| D365 Journal Posting Mode | No | How route card journals are posted after creation. Options: action (post immediately), batch_job (D365 batch job posts on schedule), manual (left unposted for manual review). Default: batch_job. |
| D365 Reconciliation Window | No | How far back the reconciliation sweep looks. Accepts values like 1y, 6m, 90d. Default: 1y. |
Scheduler
| Label | Required | Description |
|---|---|---|
| From ERP Interval | No | How often the connector pulls data from D365. Default: 10 min. |
| To ERP Interval | No | How often labor data is pushed to D365. Only relevant when Write LTs to D365 is enabled. Default: 5 min. |
Logging and Diagnostics
| Label | Required | Description |
|---|---|---|
| Log Level | No | Log verbosity. Options: error, warn, info, debug. Default: info. Use debug during initial setup. |
| MM API Retry Attempts | No | Retries for failed MachineMetrics API calls. Default: 3. |
| MM API Timeout Seconds | No | Timeout in seconds for MachineMetrics API calls. Default: 30. |
Sending Credentials Securely
To send Azure AD credentials to another party, use MachineMetrics SnapPass:
- Go to https://snappass.service.machinemetrics.com/
- Paste the Tenant ID, Client ID, Client Secret, and environment URL.
- Set an expiration (1 day is typical) and send the generated one-time link.
Do not send credentials via email, Slack, Teams, or any other unencrypted channel.
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| Work orders not appearing | D365 query returns no results | Verify D365 Default Site Id and D365 Default Data Area Id match actual D365 values. Set Log Level to debug for OData query details. |
| 403 errors in logs | Service account missing permissions | Confirm all required Data Services privileges are assigned to the service account. See Option B in Step 2. |
| Authentication failure | Invalid credentials or expired secret | Verify Tenant ID, Client ID, and Client Secret. Regenerate the client secret in Azure if expired. |
| Labor tickets not writing to D365 | Write-back not enabled or missing permissions | Confirm Write LTs to D365 is true and the service account has the Maintain privilege on RouteCardProductionJournalEntries. |
FAQ
Does D365 F&O include API access, or is that a separate license? API access is included with all D365 F&O cloud subscriptions. The OData REST API is a core platform feature.
What if the environment is on-premise? This connector requires cloud-hosted D365 F&O. On-premise Dynamics AX is not supported.
How long does the client secret last? The expiration is set during creation in Azure. 12–24 months is recommended. When a secret expires, create a new one in Azure and update the D365 Client Secret value in the connector configuration.
Can the same app registration be used for sandbox and production? It is possible, but separate registrations are recommended to keep credentials independent and simplify rotation.
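To catch an expiring client secret before it shows up as an authentication failure, the following added example (not part of the connector) audits the passwordCredentials list of the app registration as exported with `az ad app show --id <client-id>`. The embedded JSON is a constructed sample, and the function names and the 30-day warning threshold are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph application object;
# all IDs, names and dates are made up.
SAMPLE_APP_JSON = """
{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "MachineMetrics Connector",
  "passwordCredentials": [
    {"keyId": "00000000-0000-0000-0000-0000000000a1",
     "displayName": "edge-2023", "endDateTime": "2025-01-10T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-0000000000a2",
     "displayName": "edge-2024", "endDateTime": "2025-03-01T08:30:00.1234567Z"},
    {"keyId": "00000000-0000-0000-0000-0000000000a3",
     "displayName": "edge-2025", "endDateTime": "2026-09-15T00:00:00Z"}
  ]
}
"""

def parse_utc(ts):
    """Parse a UTC timestamp ending in Z, dropping fractional seconds."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_secrets(app, now, warn_days=30):
    """Return (status, keyId, name, days_left) per secret, soonest expiry first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "EXPIRED"   # remove it from the app registration
        elif days_left <= warn_days:
            status = "ROTATE"    # create a new secret and update the connector
        else:
            status = "OK"
        rows.append((status, cred["keyId"], cred.get("displayName"), days_left))
    return sorted(rows, key=lambda r: r[3])

def usable_secret_exists(rows):
    """True if at least one secret has not expired."""
    return any(status != "EXPIRED" for status, *_ in rows)

if __name__ == "__main__":
    now = datetime(2025, 2, 15, tzinfo=timezone.utc)  # fixed for a repeatable demo
    for row in audit_secrets(json.loads(SAMPLE_APP_JSON), now):
        print(*row)
```

The export contains only secret metadata (key ID, name, dates), never the secret value, so the audit can run on a schedule without handling the credential itself.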