Sage 200 Native API using Microsoft Entra ID (Azure Active Directory) Tunnelling

How to set up the Sage 200 Native API in using Microsoft Entra ID Tunnelling. Note: Microsoft Entra ID formerly known as Azure Active Directory.

TIP: For a video of the onboarding process, see Sage 200 Professional-Onboarding with Microsoft 365.

When using the 200 API with Sage ID authentication and an externally facing web server, remove these settings before following the article steps.

You'll need to open Sage 200 System Administration, select API, Select Edit, deselect Enable API setting. This removes the current API access.

TLS / Sage ID changes-setup using Microsoft Entra ID (Azure Active Directory) Tunnelling is possible for Sage 200 Professional Summer 2018 RM, 2020 R1 and above.

To set up the Native API Tunnel with the same Microsoft 365 tenant used in a test environment, you'll need to disable the Native API. Go here for further steps. Come back to this article when you need to reinstall the App Proxy Installer.

---

Prerequisites for using the Sage 200 Native API

Before setting up the Sage 200 Native API, you must first ensure you have a supported Microsoft 365 licence.

To check you have a supported Microsoft 365 licence, see Sage 200 – Which version of Microsoft 365 is compatible for use with the Sage 200 API and how to check before onboarding.

If you've purchased a Microsoft 365 licence from Sage, you'll have received a "getting started" email. To onboard this licence, follow the steps in the email.

NOTE: Use a unique Microsoft 365 tenant per server, otherwise any attempt to set up a second customer against the same admin@***.onmicrosoft.com email address will result in an error "AAD Application Proxy - unknown error code - APISiteAlreadyExists". 

---

Add an existing Microsoft 365 licence to your Sage registration

1. To confirm you have a supported licence, see Sage 200 – Which version of Microsoft 365 is compatible for use with the Sage 200 API and how to check before onboarding.
2. Email Business Partner Sales via [email protected] and ask for an existing Microsoft 365 registration to be applied to your customers account. Check the Sage 200 API registration is on your licence
   NOTE: For Sage 200 Summer 2018 Enhancements and above, no API module needs to be registered on your account. Only an existing Microsoft 365 registration is required.
3. A form is sent out to you to complete on behalf of your customer. We'll add the registration once received.

CAUTION:  Sage recommends that when you connect Microsoft 365 to Sage 200 that you use the email address included with your tenant, admin@***.onmicrosoft.com. If you don't have this, continue to connect to Microsoft 365 using your account, to enable the API extra steps are required. Details are in the Setup the Native API section.

You'll be taken to the Sage Business Centre once you've accepted the Microsoft agreement and the Sage Business Centre application permissions. This will confirm that the on boarding has been successful and you can now continue to install the Sage 200 Native API application.

NOTE: During the onboarding, you could receive an error similar to this: "Cannot set up your integration. We cannot set up your Sage 200 Accounts integration with Microsoft 365 because your Microsoft account does not include the required subscriptions". To resolve this error, see Sage 200 - Office 365 Onboarding error: "Cannot set up your integration".

Only users who have Global Administrator rights can perform some activities involving Microsoft Entra ID (formerly Azure Active Directory).

 NOTE: The user must have the administrator role in Microsoft 365 to activate your account, set up the API and connected apps. Removal of the administrator role in Microsoft 365 is possible after the full setup process, if required. 

For further details, see this Microsoft article Who has permission to add applications to my Microsoft Entra instance?.

CAUTION: Sage takes no responsibility for information on external pages.

---

Connect Sage 200 to your Microsoft 365 account

TIP: For a video of this process, see Sage 200 Professional - Installing the Azure Active Directory Proxy Tunnel. 

When you've activated your Microsoft 365 license and registered it with Sage, you'll now need to install the Microsoft Azure Active Directory Proxy Connector on your Sage 200 server.

NOTE: When you're logged in as a Windows user who exists within Sage 200 and they're already attached to a role within Azure, otherwise there will likely be an error when accessing the API tab in System Administration. Install the Azure Active Directory Proxy Tunnel when using Azure Virtual Desktop within the session desktop into the Azure Environment.

This sets up a connection to your Sage 200 server using Microsoft Entra ID (Azure Active Directory) authentication, to allow you to "tunnel" in and out of your network securely.

The Microsoft Azure Active Directory Proxy Connector requires Microsoft Windows 8.1, Windows Server 2012 R2, or later versions of Windows.

1. For 2024 R2 download the Entra Private Network Connector Installer.
2. For 2024 R1 download the Azure Application Proxy Installer.
3. For 2023 R2 or below download the Azure Application Proxy Installer.
4. Extract the contents of the downloaded zip file.
5. Run the AppProxyInstaller.exe.

6. Select Install and Configure.

   

7. This starts the Microsoft Azure Active Directory Proxy Connector installer.

   Select Install.

   

8. Sign into your Microsoft Azure account.
9. Select Close when the Microsoft Azure Active Directory Proxy Connector setup is complete.
10. Sign into your Microsoft Azure account again.
11. The installer is populated with information to create your enterprise applications within Microsoft Entra ID (Azure Active Directory).

    TIP: The Windows user you're currently logged in as is used to activate the API in System Administration. The user's Azure AD email address will be set to the Microsoft account that was signed in with.

---

Set up the Native API

1. Go to entra.microsoft.com/, sign in using the email address used to install the Azure Application Proxy Installer.
2. Select Identity > Applications > Enterprise applications.
3. Select New application.
4. Select Add an on-premises application.
5. Enter the details for the on-premises application.
   • Name: Copy and paste the Native Name from the Microsoft Azure Active Directory Proxy Connector installer.
   • Internal Url: Copy and paste the Native Internal Url from the Microsoft Azure Active Directory Proxy Connector installer.
6. Set Pre Authentication to Passthrough.
7. Select Create to create the application.

After creating the on-premises application, you'll see a notification.

TIP: Using an email address that isn't admin@***.onmicrosoft.com won't automatically enable the API. PendingAuthorisation will be the status in System Administration on the API tab.

In this instance your Business Partner will have to contact Technical Support to enable your API registration with the following information:

1. The site name.
2. The site URL.
3. The email address used during the setup.

If you have issues finding any of these, contact Sage 200 technical support first. (The site name and site url are found in Sage System Administration on the API tab.)

Once enabled, you'll receive an email confirming this, and you can then proceed to the next step.

To set up the connection with a different administrator account, use Reconfigure to change the Microsoft 365 account the application is associated with.

NOTE: Enter the Microsoft 365 email address for each user account in Sage 200. See Set up user email addresses in Sage 200.

To give a user access to the Sage 200 API, they'll require a valid Sage ID. The currently logged in user will also have Azure AD ticked and the Azure ID entered automatically in the API tab in System Administration.

1. Open System Administration.
2. Select the Users list.
3. Right-click the user and select Properties.
4. Select the API tab.
5. Enable Sage ID, enter the user's Sage ID email address (used for authentication when using the API).
6. Confirm the Sage ID created in step 4 can log in successfully to the my.sage.co.uk web page - accept the MySage terms and conditions before proceeding.

---

Test the API has been successfully configured

Once you’ve set the API up and installed the Native API proxy installer, you can test to see whether the API successfully returns any information.

We have an API Test tool for you to use to confirm whether you can successfully return sites. To download and use this tool, see Sage 200 - API Test Tool.

Now that the API is enabled successfully, you may wish to look at further documentation:

• API endpoint documentation: Sage API.
• How to make an API request using Postman: Using Postman with the Sage 200 RESTful API.
• How to set up Power BI to connect to your data: Set up Power BI.
• How to set up Power Automate: Set up Microsoft Power Automate with Sage 200.
• Common Queries and Frequently Asked Questions: Sage 200 API - Common Queries and Frequently Asked Questions.

---

---