An authentication method where a third-party app acts on behalf of a user, inheriting their permissions without storing credentials.
OAuth 2.0 Delegated Access is an authentication and authorization protocol where a third-party application (like Zentriq) acts on behalf of a signed-in user. The app inherits the user's permissions — it can only do what the user can do, nothing more.
In the context of Business Central, this means Zentriq Agent uses your BC permission sets. If you don't have permission to create Purchase Invoices, the Agent can't create them either. There's no privilege escalation and no 'super admin' access.
The flow works like this: you sign in with your Microsoft Entra ID account, Microsoft issues an access token scoped to your BC permissions, and Zentriq uses this token to make API calls to your BC environment. Your password is never shared with Zentriq.
This is considered the most secure way for third-party applications to access Business Central. It's the same method used by Microsoft's own apps and is required for AppSource certification. Tokens are short-lived and automatically refreshed — if revoked in Entra ID, access is immediately cut off.
Zentriq's AI tools automate many of the manual processes around oauth 2.0 delegated access in Business Central. Learn about the Zentriq Agent or try Zentriq PunchOut to see how AI simplifies procurement in BC.