User-based authentication for the Warehouse Management mobile app

The Warehouse Management mobile app supports the following types of user-based authentication:

• Device code flow authentication
• Username and password authentication

Scenarios for managing devices, Microsoft Entra ID users, and mobile device users

The Warehouse Management mobile app uses Microsoft Entra ID to authenticate with Dynamics 365 Supply Chain Management. Choose one of two scenarios for managing Microsoft Entra ID accounts. In both scenarios, each warehouse worker has a warehouse worker record in the Warehouse management module with one or more mobile device user accounts.

Use one Microsoft Entra ID user account per device

In this scenario, each mobile device has its own Microsoft Entra ID account. Workers don't need individual Microsoft Entra ID accounts.

It works like this:

1. The admin configures the app with device code flow or username/password authentication by using the device's Microsoft Entra ID account.
2. After the app authenticates, workers sign in by using their mobile device user account credentials (user ID and password).
3. When a worker signs out, the app stays authenticated with Supply Chain Management and shows the sign-in page for the next worker.

This approach works best when multiple workers share devices at a location.

Use one Microsoft Entra ID user account per worker

In this scenario, each worker has their own Microsoft Entra ID account linked to their warehouse worker record in Supply Chain Management.

It works like this:

1. The worker signs in with their Microsoft Entra ID credentials.
2. If a default user ID is configured for the worker's warehouse worker account, this single sign-in authenticates the app and signs them in as a worker in one step.
3. The same Microsoft Entra ID session can be shared across other apps on the device (such as Microsoft Teams or Outlook).

This approach supports single sign-on (SSO) and is best when workers use dedicated devices or when you need tighter identity controls.

Device code flow authentication

When you use device code authentication, the Warehouse Management mobile app generates and shows a unique device code. The admin who is setting up the device must then enter this device code into an online form, together with the credentials (name and password) for a Microsoft Entra ID user account that represents either the device itself or the human worker who is signing in (depending on how the admin implements the system). In some cases, depending on how the Microsoft Entra ID user account is configured, an admin might also have to approve the sign-in. In addition to the unique device code, the mobile app shows the URL where the admin must enter the code and the credentials for the Microsoft Entra ID user account.

Device code authentication simplifies the authentication process, because users don't have to manage certificates or client secrets. However, it introduces a few extra requirements and restrictions:

• Create a unique Microsoft Entra ID user account for each device or human worker. In addition, strictly limit these accounts so that they can perform only warehouse mobile device user activities.
• While a worker is signing in by using the Warehouse Management mobile app, the app shows a generated device code. This code expires after 15 minutes and is then hidden by the app. If the code expires before sign-in is completed, the worker must generate a new code by selecting Connect again in the app.
• Devices are automatically signed out if they're not used or accessed for 90 days. Signed out devices must be reauthenticated before they can be used again. Learn more in Refresh tokens in the Microsoft identity platform.
• Single sign-on (SSO) isn't supported when you use device code flow authentication together with a mobile mass deployment (MDM) system (such as Intune) to distribute the Warehouse Management mobile app. You can still use an MDM system to deliver the app to each mobile device and deliver a connections.json file that sets up connections using device code. The only difference is that workers must manually sign in when they start to use the app. (This step is required only once.)

Username/password authentication

When you use username/password authentication, each human worker must enter the Microsoft Entra ID username and password associated either with the device or with themselves (depending on the authentication scenario you're using). They might also need to enter a mobile device user account ID and password, depending on their warehouse worker record setup. This authentication method supports single sign-on (SSO), which also enhances the convenience of mobile mass deployment (MDM).

Manually create an application registration in Microsoft Entra ID

The Warehouse Management mobile app uses a Microsoft Entra ID application registration to authenticate and connect to your Supply Chain Management environment. You can use a global application that's provided and maintained by Microsoft, or you can register your own application in Microsoft Entra ID by following the procedure in this section.

The following procedure shows one way to register an application in Microsoft Entra ID. For detailed information and alternatives, use the links after the procedure.

1. In a web browser, go to https://portal.azure.com.

2. Enter the name and password of the user who has access to the Azure subscription.

3. Use the search field at the top of the page to find and open the Microsoft Entra ID service.

4. Make sure that you're working with the instance of Microsoft Entra ID that's used by Supply Chain Management.

5. On the left navigation pane, expand Manage and select App registrations.

6. On the toolbar, select New registration to open the Register an application wizard.

7. Enter a name for the application, select the Accounts in this organizational directory only option, and then select Register.

8. Your new app registration opens. Make a note of the Application (client) ID value, because you'll need it later. This ID is referred to later in this article as the client ID.

9. In the Manage list, select Authentication.

10. On the Authentication page for the new app, open the Settings tab, set Allow public client flows to Enabled, and select Save.

11. Open the Redirect URI configuration tab and select Add redirect URI.

12. In the dialog, select Mobile and desktop applications.

13. Set the input field to the following value, where {clientId} is the client ID that you copied earlier in this procedure:

    ms-appx-web://microsoft.aad.brokerplugin/{clientId}
    

    Note

    If you still have devices running the deprecated version 3.x of the app, you must also add the following redirect URI:

    ms-appx-web://microsoft.aad.brokerplugin/S-1-15-2-3857744515-191373067-2574334635-916324744-1634607484-364543842-2321633333

    Select Configure to save your settings and close the dialog to return to the Authentication page, which now shows your new platform configurations.

14. On the Redirect URI configuration tab, select Add redirect URI.

15. In the dialog, select Android. Then set the following fields:

    • Package name – Enter the following value (case sensitive):

      com.Microsoft.Warehousemanagement
      

    • Signature hash – Enter the following value:

      Xo8WBi6jzSxKDVR4drqm84yr9iU=
      

    Select Configure to save your settings and close the dialog to return to the Authentication page, which now shows your new platform configurations.

16. Repeat the previous two steps to add another Android platform configuration, but this time set the following values:

    • Package name – Enter the following value (case sensitive and different from the previous configuration):

      com.microsoft.warehousemanagement
      

    • Signature hash – Enter the following value:

      hpavxC1xAIAr5u39m1waWrUbsO8=
      

    Tip

    • The first signature hash (Xo8WBi6jzSxKDVR4drqm84yr9iU=) enables brokered authentication and is required for features such as Conditional Access and SSO. The second hash (hpavxC1xAIAr5u39m1waWrUbsO8=) supports older versions of the app. Include both to ensure full compatibility.
    • The values for Package name are case sensitive and the required casing is different for each Android platform configuration. The values are otherwise similar.

17. On the Redirect URI configuration tab, select Add redirect URI.

18. In the dialog, select iOS / macOS.

19. Set the Bundle ID field to the following value:

    com.microsoft.WarehouseManagement
    

20. Select Configure to save your settings. Close the dialog to return to the Authentication page, which now shows your new platform configurations.

21. On the left navigation pane, expand Manage and select API permissions.

22. Select Add a permission.

23. In the Request API permissions dialog, on the Microsoft APIs tab, select the Dynamics ERP tile and then the Delegated permissions tile. Under CustomService, select the CustomService.FullAccess checkbox. Finally, select Add permissions to save your changes.

24. Use the search field at the top of the page to find and open the Microsoft Entra ID service.

25. On the left navigation pane, expand Manage and select Enterprise applications. Then, in the new Manage list, select All applications.

26. In the search form, enter the name that you entered for the app earlier in this procedure. Confirm that the Application ID value for the app that's found matches the client ID that you copied earlier. Then select the link in the Name column to open the properties for the app.

27. On the left navigation pane, expand Manage and select Properties.

28. Set the Assignment required? option to Yes and the Visible to users? option to No. Then select Save on the toolbar.

29. On the left navigation pane, expand Manage and select Users and groups.

30. On the toolbar, select Add user/group.

31. On the Add Assignment page, select the link under the Users heading.

32. In the Users dialog, select each user that you'll use to authenticate devices with Supply Chain Management.

33. Select Select to apply your settings and close the dialog. Then select Assign to apply your settings and close the Add Assignment page.

34. In the Security list, select Permissions.

35. Select Grant admin consent for <your tenant>, and grant admin consent on behalf of your users. If you lack the necessary permissions, return to the Manage list, open Properties, and set the Assignment required? option to False. Each user can then provide consent individually.

For more information about how to register an application in Microsoft Entra ID, see the following resources:

• For instructions that show how to use Windows PowerShell to register an application in Microsoft Entra ID, see Use Azure PowerShell to create a service principal with a certificate.

• For complete details about how to manually register an application in Microsoft Entra ID, see the following articles:

  • Register an application in Microsoft Entra ID
  • Register a Microsoft Entra app and create a service principal

Set up employee, user, and warehouse worker records in Supply Chain Management

Before workers can sign in by using the mobile app, each Microsoft Entra ID account that you assign to the enterprise app in Azure must have a corresponding employee record, user record, and warehouse worker record in Supply Chain Management. For information about how to set up these records, see Mobile device user accounts.

Single sign-on

Single sign-on (SSO) lets workers sign in to the Warehouse Management mobile app without entering a password. It works by reusing credentials from another app on the device, such as Intune Company Portal, Microsoft Authenticator, or Microsoft Teams.

Enable SSO

To enable SSO, configure brokered authentication by using one of the following methods:

• Manual connection setup – Enable the Brokered Authentication option on the app's Edit connection page.
• JSON file or QR code – Include "UseBroker": true in your connection configuration.

Prerequisites for SSO

The following table lists the broker apps that must be installed on a device for SSO to work:

Remove access for a device that uses user-based authentication

If a device is lost or compromised, revoke its access to Supply Chain Management immediately. Disabling the associated Microsoft Entra ID user account revokes access for all devices that use that account. This limitation is why the one account per device approach is recommended. It lets you isolate and revoke access for a single device without affecting others.

To revoke access, follow these steps:

1. Sign in to the Azure portal.
2. On the left navigation pane, select Microsoft Entra ID, and ensure that you're in the correct directory.
3. In the Manage list, select Users.
4. Find the user account that's associated with the device code, and select the name to open the user's profile.
5. On the toolbar, select Revoke sessions to revoke the user account's sessions.

Related information

• User-based authentication FAQ
• Install the Warehouse Management mobile app