Just before Christmas I received a request from a partner about a feature that I personally never had the need to implement before (at least in this way). In their current Dynamics 365 Business Central implementation they have an API that permits an external application to post records in a custom table; after that, the application also creates a task in the Task Scheduler to process those records asynchronously.
The external application consumed the API successfully using Basic Authentication for many months. But one of the jobs done with this partner in the last weeks was to optimize some of its services for the cloud and to move its API integrations from Basic Authentication to the recommended S2S authentication with OAuth2.
What happens now after these changes?
The API integration started failing with the following error:
"You do not have permission to create or run scheduled tasks."
The partner has also tried changing the permissions of the Azure Active Directory application registration, but nothing changed.
Why this error? Is this a bug or not?
NO… this is by design!
As stated in the Delegated Administrators documentation, scheduled tasks must be created and executed in the context of a licensed user, so you cannot create or execute a task with S2S authentication. For security reasons, an app registration cannot create or execute scheduled tasks (and this is absolutely correct).
The only possible way to obtain the same result as before (if you really need to do this from an external app) is to encapsulate the logic of the scheduled task in an API and then call it from a Timer Trigger Azure Function or from a Recurrence trigger of a Logic App flow (or, obviously, do the task scheduling via a real user).
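The timer-side caller for this workaround, as an added example that is not code from the original post or from the partner's solution. It assumes the processing logic is published as a codeunit web service named `InboundProcessing` with a procedure `ProcessPending` (hypothetical names) and is called as an OData V4 unbound action; the tenant, environment and company values are placeholders.

```python
import json
import urllib.parse
import urllib.request

BC_API = "https://api.businesscentral.dynamics.com"
BC_SCOPE = BC_API + "/.default"  # S2S tokens use the .default scope


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials (S2S) token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": BC_SCOPE,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body, method="POST")


def action_request(tenant_id, environment, company, service, procedure, token):
    """Build the POST that runs the processing logic synchronously, in the
    app's own session, instead of asking the Task Scheduler to run it."""
    url = (f"{BC_API}/v2.0/{tenant_id}/{urllib.parse.quote(environment)}"
           f"/ODataV4/{service}_{procedure}"
           f"?company={urllib.parse.quote(company)}")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return urllib.request.Request(url, data=b"{}", method="POST", headers=headers)


def run_once(cfg, opener=urllib.request.urlopen):
    """Body of the timer-triggered job: get a token, then invoke the action.
    cfg should be read from app settings or a vault, never hard-coded."""
    with opener(token_request(cfg["tenant"], cfg["client_id"], cfg["secret"])) as r:
        token = json.load(r)["access_token"]
    req = action_request(cfg["tenant"], cfg["env"], cfg["company"],
                         cfg["service"], cfg["procedure"], token)
    with opener(req) as r:
        return r.status  # a 2xx status means the procedure ran
```

The schedule now lives in the Function or Logic App, so the app registration only needs permission to run the processing procedure and never touches the Task Scheduler.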
If you’re doing similar things now, don’t go crazy if your integrations start failing when moving to S2S authentication; just remember this post 😉