Single Sign-on using Azure AD for On-Premise Dynamics NAV


I was working on a design and implementation of Dynamics NAV to be used as the payroll and human resources system. The customer originally hadn't thought about integrating it with Azure AD, and since they already use Office 365 it was quite obvious to me that it should be.


  • An Azure AD tenant
  • A Dynamics NAV installation. I implemented this using the 2017 version. See below

  • An account with privileges to create the application in Azure AD
  • The most recent version of PowerShell
  • The Azure and MSOnline modules installed, with the commands:

  • A test user; not mandatory, but it is better to test with a dummy account.
  • A publicly trusted certificate for the web instance of NAV. Strictly speaking the web client can be served over port 80, but the sign-in token is posted back to the reply URL, so over plain HTTP it would cross the network in clear; treat TLS as mandatory. Let's Encrypt provides certificates for FREE and getting one is seamless. I used Certify the Web to get one. It was ultra-simple.
  • If using Let's Encrypt, make sure to add the A record before requesting the certificate, otherwise domain validation fails and the request is rejected.

Step by Step

In the Operating System

Import the certificate (together with its private key) into the Personal store, right-click it and select Manage Private Keys... as shown in the picture

Give NETWORK SERVICE (the account the Microsoft Dynamics NAV Server service runs as by default) Read permission on the private key, as shown below. Read is all the service needs in order to use the key for TLS; Full Control is not required and only widens what a compromised service could do to the key.

Once you have the certificate it must be installed in the following containers (with a publicly trusted certificate such as one from Let's Encrypt only Personal is strictly required on the server, because the issuing chain is already trusted; the other stores matter when the certificate is self-signed):

  1. Personal
  2. Trusted Root Certification Authorities
  3. Enterprise Trusted Publishers
  4. Trusted People

Map the host name to the Web Client site: in IIS, add an https binding for the public host name to the NAV Web Client site and select the certificate for it.
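The certificate checks and the IIS binding described above, done in PowerShell. This is an added example and not part of the original post; the host name nav.example.com, the site name "Microsoft Dynamics NAV 2017 Web Client" (the default name of the web client site, but verify yours in IIS Manager) and the 14-day expiry warning threshold are assumptions to adapt. The private key ACL step stays as shown in the screenshot above.

```powershell
# Added example, not from the original post. Locates the web client certificate in
# LocalMachine\Personal, verifies it is usable, and attaches it to an SNI https binding
# on the NAV Web Client site. Host name and site name are placeholders (assumptions).
Import-Module WebAdministration

$HostName = 'nav.example.com'
$SiteName = 'Microsoft Dynamics NAV 2017 Web Client'

# The newest certificate whose subject or SAN matches the public host name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" -or $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate for $HostName found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import the PFX, not just the CER"
}
if (-not $cert.Verify()) {
    throw "Chain for $($cert.Thumbprint) does not validate on this machine"
}

# Let's Encrypt certificates live 90 days: when this one is renewed, the IIS binding,
# the private key ACL and the NAV Server thumbprint all have to be updated again.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 14) {
    Write-Warning "Certificate expires in $daysLeft days; renew and rebind before SSO stops working"
}

# Create the https binding (SslFlags 1 = SNI) if it is missing, then attach the certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# NAV Server must present the same certificate; this is the value the SSO cmdlet needs.
"Thumbprint for -NavServerCertificateThumbprint: $($cert.Thumbprint)"
```

If the server ends up with more than one certificate for the host (for example after a renewal), the newest-NotAfter selection above is what keeps the binding and the NAV Server thumbprint pointing at the same key; check both after every renewal.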

In Azure AD

Create the Application

Set the sign-on URL (home page) of the application: the URL users go to when they sign in.

The reply (sign-in) URL is fundamentally important: after the user has signed in, Azure AD sends the token to this URL, and NAV validates it there.

Reference: What is application access and single sign-on with Azure Active Directory:

The reply URL is a must. Register it exactly as NAV will present it (scheme, host, path and trailing slash): Azure AD only returns tokens to URLs registered on the application, which is the control that keeps a token from being sent to a host an attacker chooses, and a mismatch simply makes the sign-in fail.

In the NAV User management Console

As this is an SSO implementation, every user must have an authentication email, which in reality is the user's identity in Azure AD: the user principal name used to sign in to the Office 365/Azure AD tenant. A user can have both a Windows user name and an authentication email; that is what lets the same person log in seamlessly with either client. The authentication email is the only link between the Azure AD identity and the NAV user, so get it right: assigning someone else's address to a NAV user hands that NAV user to whoever owns the address.
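Setting the authentication emails in bulk and checking that nobody was missed, as an added example that is not part of the original post. The NavAdminTool.ps1 path, the server instance name DynamicsNAV100 and the user-to-UPN mapping are assumptions (the mapping is constructed for the example).

```powershell
# Added example, not from the original post. Gives each NAV user that should sign in
# through Azure AD an authentication email equal to the user's Azure AD UPN, then lists
# users that still have none. Path, instance name and mapping are placeholders (assumptions).
Import-Module 'C:\Program Files\Microsoft Dynamics NAV\100\Service\NavAdminTool.ps1'

$ServerInstance = 'DynamicsNAV100'

# Constructed mapping: NAV user name -> Azure AD user principal name (Office 365 sign-in name).
# One NAV user per address; the address decides who becomes this NAV user after sign-in.
$Mapping = @{
    'CONTOSO\jdoe' = 'jdoe@contoso.com'
    'PAYROLLCLERK' = 'payroll.clerk@contoso.com'
}

# Refuse duplicates up front: two NAV users with the same address would be ambiguous.
$duplicates = $Mapping.Values | Group-Object | Where-Object { $_.Count -gt 1 }
if ($duplicates) { throw "Authentication email used more than once: $($duplicates.Name -join ', ')" }

foreach ($entry in $Mapping.GetEnumerator()) {
    Set-NAVServerUser -ServerInstance $ServerInstance -UserName $entry.Key -AuthenticationEmail $entry.Value
}

# Check: users without an authentication email cannot use SSO and still rely on
# whatever credential type they had before.
Get-NAVServerUser -ServerInstance $ServerInstance |
    Where-Object { -not $_.AuthenticationEmail } |
    Select-Object UserName, State
```

Run the check again after every onboarding; a NAV user created later without an authentication email silently stays outside the SSO setup.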


In Powershell

To get the certificate thumbprint using PowerShell, run the line

Then import the NAV modules

The following command does all the magic:


-AuthenticationEmail: an account in Azure AD with administrative permissions; it is used to connect to the tenant

-NavServerInstance: the name of the running NAV Server instance

-NavWebServerInstanceName: the name of the Web Server instance where the NAV web client is running

-NavUser: the NAV user being enabled for SSO; it can be a Windows user or a NAV user

-NavWebAddress: the actual URL for signing in to NAV over the web; it must match the reply URL registered in Azure AD

-AuthenticationEmailPassword: the password for the -AuthenticationEmail account; prompt for it rather than typing it into a script or the command history

-NavServerCertificateThumbprint: the thumbprint of the certificate bound to the Web Server instance and used by NAV Server
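The full cmdlet call with the parameters just described, as an added example and not the original post's own command line. The module paths, instance names, host name, NAV user and admin UPN are placeholders, and the cmdlet is assumed to take the password as a SecureString (which is why it is read from a prompt instead of being written into the script).

```powershell
# Added example, not from the original post. Runs Set-NavSingleSignOnWithOffice365 with
# the password taken from a prompt, then shows what the cmdlet wrote into the server
# instance configuration. All names and paths below are placeholders (assumptions).
Import-Module 'C:\Program Files\Microsoft Dynamics NAV\100\Service\NavAdminTool.ps1'
Import-Module 'C:\Program Files\Microsoft Dynamics NAV\100\Service\NAVOffice365Administration\NAVOffice365Administration.psm1'

# The cmdlet talks to the tenant through the MSOnline module listed in the prerequisites.
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    throw 'The MSOnline module is required (Install-Module MSOnline).'
}

$ServerInstance = 'DynamicsNAV100'
$HostName       = 'nav.example.com'
$AdminUpn       = 'admin@contoso.onmicrosoft.com'

# Never put the admin password in the script: it is an administrative Azure AD credential
# and is only needed for this one run.
$AdminPassword = Read-Host -Prompt "Password for $AdminUpn" -AsSecureString

# Same certificate that is bound to the Web Client site.
$Thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1).Thumbprint
if (-not $Thumbprint) { throw "No certificate for $HostName in LocalMachine\My" }

# -NavWebAddress must match the reply URL registered on the Azure AD application exactly.
Set-NavSingleSignOnWithOffice365 `
    -AuthenticationEmail $AdminUpn `
    -AuthenticationEmailPassword $AdminPassword `
    -NavServerInstance $ServerInstance `
    -NavWebServerInstanceName $ServerInstance `
    -NavUser 'CONTOSO\jdoe' `
    -NavWebAddress "https://$HostName/$ServerInstance/" `
    -NavServerCertificateThumbprint $Thumbprint

# Verify: the credential type must now be AccessControlService and the thumbprint must
# be the one bound in IIS; the federation settings are what the web client validates
# incoming tokens against.
Get-NAVServerConfiguration -ServerInstance $ServerInstance |
    Where-Object { $_.key -in 'ClientServicesCredentialType',
                                'ServicesCertificateThumbprint',
                                'ClientServicesFederationMetadataLocation',
                                'AppIdUri' }
```

Keep the URL the cmdlet prints; it is the value the Windows client configuration needs in the next section.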

Azure AD will reply with a URL:

This goes into the NAV Windows client configuration file.

In the Windows ClientUserSettings.config file

This file can be found in:

C:\Users\<your_user_name>\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\100

The two most important lines are:
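The cmdlet updates ClientUserSettings.config on the machine it runs on; every other workstation needs the same two settings, ClientServicesCredentialType set to AccessControlService and ACSUri set to the URL the cmdlet printed. The following is an added example, not the original post's own file: it applies those two settings and warns when DnsIdentity does not match the certificate host name (the Windows client rejects the server otherwise). The ACS URL value, the host name and the appSettings layout of the file are assumptions.

```powershell
# Added example, not from the original post. Switches a Windows client's
# ClientUserSettings.config to Azure AD sign-in. $AcsUri is a placeholder: paste the URL
# that Set-NavSingleSignOnWithOffice365 printed. Host name is an assumption.
$ConfigPath = Join-Path $env:APPDATA 'Microsoft\Microsoft Dynamics NAV\100\ClientUserSettings.config'
$AcsUri     = '<paste the URL returned by Set-NavSingleSignOnWithOffice365>'
$HostName   = 'nav.example.com'

[xml]$config = Get-Content -Path $ConfigPath -Raw

# Looks up an <add key="..." value="..."/> entry under <configuration><appSettings>.
function Get-NavClientSetting([xml]$Doc, [string]$Key) {
    $node = $Doc.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if (-not $node) { throw "Key $Key not found in $ConfigPath" }
    return $node
}

(Get-NavClientSetting $config 'ClientServicesCredentialType').value = 'AccessControlService'
(Get-NavClientSetting $config 'ACSUri').value = $AcsUri

# DnsIdentity must equal the subject of the server certificate or the client refuses
# the connection after sign-in; only warn here, do not silently overwrite it.
$dnsIdentity = (Get-NavClientSetting $config 'DnsIdentity').value
if ($dnsIdentity -ne $HostName) {
    Write-Warning "DnsIdentity is '$dnsIdentity' but the certificate is for '$HostName'"
}

Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$config.Save($ConfigPath)
```

Close the Windows client before running this; it reads the file on start-up.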

How does it look

Using a Web Browser

My account has two-factor authentication, obviously

Success 😎

In the Windows NAV Client

Both Interfaces, Web and Windows Client