Unable to import users in Cloud Hosted Environment

At one of my customers I just set up a couple of new Cloud Hosted Environments (version 10.0.37 which turns out to be important) and when I tried to import the users from EntraID/AzureAD I got the following error

Cannot Find Thumbprint by Certificatename

After some troubleshooting and looking through Yammer I saw others that had the same issue. Apparently the issue had started happening after 15th November (which also turned out to be important).

It turns out that Microsoft had discovered a potential security issue in the template used for creating the Cloud Hosted Environments. There used to be a connection in every Cloud Hosted Environment that allowed it to make lookups to Azure AD/EntraID to be able to import users. For security reasons, this connection is no longer there by default. You will still be able to manually add users, but if you want to import users you will need to create the connection in the Virtual Machine.

1. Create a new App Registration in EntraID

2. In the Cloud Hosted VM run the following PowerShell snippet (in an elevated PowerShell prompt, aka Run as Administrator) to create a new certificate.

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "CHECert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -KeySpec Signature -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotBefore (Get-Date -Year 2020 -Month 5 -Day 1) -NotAfter (Get-Date -Year 2033 -Month 12 -Day 31)

3. Start “Manage Computer Certificates” and find your newly created Cert. It should be in Local Computer – Personal – Certificates and it should be called “CHECert”. Export the certificate with default settings (Right-Click – All Tasks – Export) and save it in a folder you remember.

4. Go back to the App Registration you created in Step one and go to Certificates and Secrets. Under Certificates, click Upload certificate and choose your exported certificate.

5. You need to add a Redirect URI to the App Registration. Go to Authentication, click Add a platform – Web and paste the URL for the Cloud Hosted Dynamics environment.

6. Add the following permissions to API Permissions and then click Grant admin consent…

7. In the Cloud Hosted VM, go back to “Manage Computer Certificates” and Right-Click (the Certificate) – All Tasks – Manage Private Keys. Give NETWORK SERVICE permissions to use the Certificate

8. In the Cloud Hosted VM, start Notepad as Admin and edit K:\AOS service\Webroot\web.config file. Edit the following keys:

<add key="Aad.Realm" value="spn:[TheAppIDfromStep1]" />
<add key="Infrastructure.S2SCertThumbprint" value="[TheThumbPrintfromStep2]" />
<add key="GraphApi.GraphAPIServicePrincipalCert" value="[TheThumbPrintfromStep2]" />

9. In the Cloud Hosted VM, start an elevated Command Prompt and run an iisreset

Validate by trying to import users
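
If the import still fails, the usual causes are a thumbprint in web.config that does not match the certificate, or NETWORK SERVICE lacking access to the private key. The following check of steps 2, 7 and 8 is an added example, not part of the original post; the function name Test-CheCertSetup is hypothetical, and it assumes the certificate subject is CN=CHECert and that the keys are plain `<add>` elements as shown in step 8.

```powershell
# Added example (not from the original post): checks the results of steps 2, 7 and 8.
# Run in an elevated Windows PowerShell prompt on the Cloud Hosted VM.
function Test-CheCertSetup {
    param(
        [string]$ConfigPath = 'K:\AOS service\Webroot\web.config',  # path from step 8
        [string]$Subject    = 'CN=CHECert'                          # from -DnsName "CHECert" in step 2
    )
    $findings = @()

    # Step 2: expect exactly one matching certificate, with its private key present.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -ne 1) {
        return @("Expected 1 certificate with subject $Subject, found $($certs.Count)")
    }
    $cert = $certs[0]
    if (-not $cert.HasPrivateKey) {
        return @('Certificate has no private key on this machine')
    }

    # Step 7: NETWORK SERVICE (well-known SID S-1-5-20) must be able to read the key file.
    # Assumes a CSP key, which is what the provider named in step 2 creates.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    $read      = [System.Security.AccessControl.FileSystemRights]::Read
    $rules     = (Get-Acl -LiteralPath $keyFile).GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
    $allowed = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-20' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if (-not $allowed) { $findings += 'NETWORK SERVICE cannot read the private key' }

    # Step 8: both thumbprint keys must equal the certificate thumbprint exactly.
    # A value pasted from the certificate dialog can carry an invisible leading character.
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    foreach ($key in 'Infrastructure.S2SCertThumbprint', 'GraphApi.GraphAPIServicePrincipalCert') {
        $node = $cfg.SelectSingleNode("//add[@key='$key']")
        if (-not $node) { $findings += "$key is missing from web.config" }
        elseif ($node.GetAttribute('value') -ne $cert.Thumbprint) {
            $findings += "$key does not match thumbprint $($cert.Thumbprint)"
        }
    }
    $realm = $cfg.SelectSingleNode("//add[@key='Aad.Realm']")
    if (-not $realm -or $realm.GetAttribute('value') -notmatch '^spn:[0-9a-fA-F-]{36}$') {
        $findings += 'Aad.Realm is not spn:<application (client) ID>'
    }
    return $findings
}

Test-CheCertSetup   # no output means every check passed
```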

Secure one-box development environments

Cannot access form Sales charge codes

I had an issue today at a customer… We were not able to open the Charge code form in one of our environments.

When we tried to open the form we also got a couple more error messages. The first said that we could not read Retail Headquarter Parameters, which led us to try that form, and we got an error which looks like: Parameter record does not exist.

Turns out that this was a bug introduced in 10.0.37, which will be fixed in 10.0.38, related to the feature called Enable proper tax calculation for returns with partial quantity. When this feature is enabled the system is not able to create a line in the parameter table for Retail Headquarters because a default value is not allowed.

The workaround is to disable the feature temporarily, initiate the creation of Retail parameters in the affected companies and then re-enable the feature.

Good luck

Details for issue 849710 (dynamics.com)

Issues with DBsync step during deploy

Today, when I was deploying a customization package to a newly deployed config environment, I had an issue with a step not working correctly. The environment had not yet been used for anything so I hadn't even copied a database to it. When I deployed the customization package to it I got the following error in the runbook log and the deploy failed:

Table Sync Failed for Table: SQLDICTIONARY. Exception: System.NotSupportedException: TableID not yet generated for table: AmcBankReconciliations

The sync step in the runbook is failing because there is no TableID for the table AmcBankReconciliations. And I thought that was exactly what the sync process was supposed to do (??).

Having no clue about why this happened I first turned to Google (as one does) and when I could not find anything there I asked my awesome colleagues and one of them said:

“I have seen newly deployed environments behaving strangely and my solution usually is to start Visual Studio and perform a DB Sync”

This was a bit strange since it was the Sync Step that failed but I thought I would give it a try. Since this was a config environment that is not going to use Visual Studio, I instead opted for using the amazing d365fo.tools (GitHub – d365collaborative/d365fo.tools: Tools used for Dynamics 365 Finance and Operations) to do the sync:

Invoke-D365DBSync -Verbose

When the sync had finished I tried resuming the deploy and to my surprise it finished perfectly… Nice 🙂

Interview – André Arnaud de Calavon

This time we interview Community Legend André Arnaud de Calavon. André has been a Microsoft Business Applications MVP for the last 10 years and has also supplied more than 33000 answers on the Microsoft Dynamics Community over the years.


We discussed why the community is important for Dynamics 365 and how you can engage and give back to the community.


Authentication Method deprecation D365FO WMS

I got an email from a customer the other day explaining that he got an error message from his WMS mobile app saying:

This device uses an authentication method that will soon be discontinued. Your organization should prepare to move to device code flow authentication before then.

Here is a short step by step guide on what needs to be done to switch

  1. In the Azure Portal, find the App registration that you are using for authentication and make sure Enable the following mobile and desktop flows is set to Yes
  2. In Application Registration go to API Permissions and verify these settings:
  3. Still in the Azure Portal, go to Microsoft Entra ID – Enterprise Applications. Find the same Client ID as above and open it. Make sure that Assignment Required and Visible to users are set as below
  4. Click Users and Groups, add all users (or groups of users) that will have permission to register new WMS Devices

I noticed you also need to delete the existing connection from the WMS app and create a new one. The simplest way is to create a new connection file and import it or generate a new QR code. Use this file as a template:

    {
        "ConnectionList": [
            {
                "ConnectionName": "Tier2 Warehouse",
                "ActiveDirectoryResource": "https://xxxx.sandbox.operations.dynamics.com/",
                "ActiveDirectoryTenant": "https://login.windows.net/tenantdomain.com",
                "Company": "USMF",
                "IsEditable": false,
                "IsDefaultConnection": true,
                "ConnectionType": "devicecode"
            }
        ]
    }


User-based authentication – Supply Chain Management | Dynamics 365 | Microsoft Learn

QR Generator



Time for a new episode. This time we discuss the news in 10.0.37:

– Payment Reporting (PAIN)
– Approved By on Invoice Register (non mandatory)
– Electronic Reporting
– Feature Recommendations
– Calculate Line amount
– File Bugs!!!
– Onhand in Commerce







Interview – Elif Item

In this episode we speak to Elif Item, CEO and founder of Item by Item, and Microsoft Business Applications MVP. We talk about the importance of training in a project, the different ways we can manage training and the importance of continuous learning.

We also ask the eternal question: “Why is the training budget the first we cut and why is Canada better?”.


You can find more information about Elif here:



Back again after Vacation with the following topics:

  • Issues in the first version of 10.0.36
  • Inventory Visibility 
  • Loyalty Cards
  • Bundles
  • Archiving
  • One Dynamics One Platform
  • Receipt Number Sequences
  • DMF Job history cleanup
  • Warehouse WiFi Strength in App Insights
  • Automatic Import of Bank Statement
  • DMF Staging Cleanup
  • Financial Tags on Sales Orders
  • Dataverse interoperability


In this summer episode Johan and Gustav discuss the upcoming update of 10.0.35 which among other things contains:

Process Mining
Electronic Invoicing in France
On-Behalf ordering
Asynchronous Customer Orders Cancellation
Azure Application Insights Monitoring for Supply Chain
Location Directives Optimization
Warehouse User Session Monitoring Improvements
Processing for Warehouse
User Protection Limit

Have a great vacation

Gustav & Johan