A Business Central private app is a Microsoft Entra application that signs in as itself, so Data Panda reads your ERP through OAuth without a named user in the loop. From that one connection we build dashboards, automations, AI workflows and small apps your team uses every day.
A private app is how Business Central lets an outside service sign in as itself instead of borrowing someone's account. You register an application in your Microsoft Entra tenant, give it a client ID and a secret, grant it the API.ReadWrite.All permission on the Dynamics 365 Business Central API, and add it on the Microsoft Entra applications page inside Business Central. Microsoft calls this service-to-service authentication, and it runs the client-credentials OAuth 2.0 flow.
The reason it matters for reporting: a connection tied to a person breaks the day that person changes their password, switches on MFA, or leaves the company. A registered app keeps reading customers, items, sales orders, G/L entries and dimensions on its own schedule, scoped to the exact companies and environments you point it at. That data is worth more in a warehouse next to your CRM, your webshop and your bank feed than it is behind a login that can expire.
Dashboards that refresh on schedule because the app, not a colleague, holds the login.
Background syncs that run overnight without an MFA prompt waiting for someone to tap a phone.
An app-scoped read can sweep years of ledger entries the moment you turn it on.
Light tools that read through the app's permission, so viewers do not each need a Business Central licence.
A list of concrete reports, automations and AI features we have built on MS Business Central Private app data. Pick the one that matches your situation.
Whose login is our Business Central reporting actually running on?
With a private app, the answer is nobody's. The connection runs on a registered Microsoft Entra application using client-credentials OAuth, so it reads customers, items and ledger entries as itself. No personal account is borrowed, and no refresh stops the day someone changes a password or leaves.
Can we report across every company and environment without separate setups?
Yes. The Business Central v2.0 API addresses each company by id and each environment by name in the URL, so the same registered app reads production and sandbox, and every company in the tenant, through one connection. Group P&L, AR and stock then run on one warehouse model instead of a per-company export.
How much access did we actually hand over?
Only what you assign. The app gets the API.ReadWrite.All permission on the Business Central API and then the specific permission sets you pick inside Business Central, never the SUPER set. Its calls show up in web service telemetry under one named principal, so you can see exactly what it touched.
Month-end reporting refreshes on its own because the feed runs on the app, not on a controller's account. Dimension-level P&L, working capital and multi-company roll-up land in the warehouse without anyone re-authenticating the morning of the close.
Live stock and quote margin reach reps without a Business Central seat each, because the app reads on their behalf under one permission. Pipeline-to-order-to-invoice timing stays current overnight rather than waiting for someone to run a refresh.
Stock, vendor reliability and fulfilment SLA stay fed by an unattended sync, so the warehouse list is current at the start of the shift. IT keeps the app on least privilege and rotates its secret without touching the reports built on top.
Closed-won Salesforce opportunities become Business Central sales orders, and order, invoice and payment status flow back to the account. Because the write runs on the service principal, the handoff keeps working overnight and after the admin who built it has moved on.
Closed-won HubSpot deals create a Business Central quote with the right contact, items and pricing, and invoice and payment status flow back to the deal. The app posts these in the background, so campaign ROI lines up with booked revenue without anyone signed in to push it.
Shopify orders land in Business Central as sales orders with items, pricing and tax handled, and refunds push back as credit notes. The registered app does the pull and the write, so the webshop and the ledger stay in step every night rather than on a manual import file.
The app reads Business Central into the warehouse once, and Power BI builds on the modelled tables there instead of hitting the ERP per refresh. Reports stay fast at month-end, and the BC API stays free for the work that has to write back.
Groups with Business Central in one entity and Exact Online in another get both sets of GL, AR and AP into the same warehouse, with a shared chart-of-accounts mapping. The BC side is read by the registered app, so consolidation refreshes on its own schedule across both systems.
The app watches Business Central for an invoice going overdue, a sales order missing its promised date or stock falling below safety, and posts to the right Slack channel. Because the watch runs unattended, the alert lands the same hour rather than at the next manual report cycle.
You keep the reporting tool you already have. We connect it to the warehouse where your MS Business Central Private app data lives.
OAuth authentication. Read-only by default. We sign a DPA and your admin keeps the keys.
Data flows into your warehouse on your schedule. Near real time or nightly, your call. You own the data.
We build the first dashboard, workflow or AI feature with you, then hand over the keys. Or we stay on for ongoing delivery.
We set up the foundation. Your team builds on top.
Best fit Teams that already have a BI analyst or data engineer and want to own the build.
We build the whole thing, end to end.
Best fit Teams without in-house BI or dev capacity. You tell us what you need and we deliver it.
You do. It lands in your warehouse, on your cloud account. We don't resell or aggregate it. If you stop working with us, the warehouse stays yours and keeps running.
Near real time for most operational systems. For heavier sources we schedule hourly or nightly. You pick based on what the reports need.
No. If you don't have one, we help you pick one and set it up as part of the first delivery. Common starting points are Snowflake, Microsoft Fabric, or a small Postgres start.
Yes, once. An admin grants the app the API.ReadWrite.All permission on the Dynamics 365 Business Central API and consents to it, either from the Azure portal or from the Microsoft Entra applications page inside Business Central. After that one-time consent, the app reads on its own and no further sign-in is needed.
No. That is the whole point of a private app. The connection authenticates as a registered Microsoft Entra application with its own client ID and secret, not as a named user, so a departure, a password reset or a new MFA policy does not stop the sync. If you ever need to rotate the client secret, that happens on the app without rebuilding the warehouse on top.
You decide. Inside Business Central the app is assigned permission sets like the standard automation and extension-management sets, and it cannot be given the SUPER set at all. Point it at read-only permissions on the companies you care about and it reads only those, with every call traceable in web service telemetry.
We review your MS Business Central Private app setup and the systems around it. Together we pick the first thing worth building.