
Set up the Sage 200 Native API using Microsoft Entra ID (Azure Active Directory) Tunnelling


Summary

How to set up the Sage 200 Native API using Microsoft Entra ID Tunnelling. Note: Microsoft Entra ID was formerly known as Azure Active Directory.

Resolution

TIP: For a video of the onboarding process, see Sage 200 Professional - Onboarding with Microsoft 365.

If you already use the 200 API using Sage ID authentication and an externally facing web server, you will need to remove these settings before following the steps in this article.

To do this, open Sage 200 System Administration, then select API. Select Edit and then deselect the Enable API setting. This will remove the existing setup for API access.


Due to TLS / Sage ID changes, setup using Microsoft Entra ID (Azure Active Directory) Tunnelling is only supported in Sage 200 Professional Summer 2018 RM, 2020 R1 and above.

If you are looking to set up the Native API Tunnel with the same Microsoft 365 tenant as used in a test environment, you may need to disable the Native API, which is covered in this article Sage 200 - Disabling and Enabling the Native API. You may come back to this article when you wish to reinstall the App Proxy Installer.


Prerequisites for using the Sage 200 Native API


Before setting up the Sage 200 Native API, you must first ensure you have a supported Microsoft 365 licence.


To check you have a supported Microsoft 365 licence, see Sage 200 – Which version of Microsoft 365 is compatible for use with the Sage 200 API and how to check before onboarding.


If you have purchased a Microsoft 365 licence from Sage, you will have received a "getting started" email. To onboard this licence, follow the steps in the email.

NOTE: A unique Microsoft 365 tenant must be used per server, otherwise any attempt to set up a second customer against the same admin@***.onmicrosoft.com email address will result in an error "AAD Application Proxy - unknown error code - APISiteAlreadyExists".


Add an existing Microsoft 365 licence to your Sage registration

  1. To confirm you have a supported licence, see Sage 200 – Which version of Microsoft 365 is compatible for use with the Sage 200 API and how to check before onboarding.
  2. Email Business Partner Sales via [email protected] and ask for an existing Microsoft 365 registration to be added to your customer's account. You will also need to ensure the Sage 200 API registration is enabled on your licence.
    NOTE: For Sage 200 Summer 2018 Enhancements and above, you will not require the API module to be registered on your account. You will only need to have the existing Microsoft 365 registration added.
  3. A form will be sent out to you to fill in on behalf of your customer. Return this form and the registration will be added in due course.

CAUTION:  Sage recommends that when you connect Microsoft 365 to Sage 200 that you use the admin@***.onmicrosoft.com email address that is included with your tenant. If you do not have this email address, you can continue to connect Microsoft 365 using your account, however there will be additional steps to ensure the API is enabled. These are detailed in the Set up the Native API section.

Once you have accepted the Microsoft agreement and the Sage Business Centre application permissions, you will be taken to the Sage Business Centre. This will confirm that the onboarding has been successful and you can now continue to install the Sage 200 Native API application.

NOTE: During the onboarding, you may receive an error similar to this: "Cannot setup your integration. We cannot setup your Sage 200 Accounts integration with Microsoft 365 because your Microsoft account does not include the required subscriptions". To resolve this error, see Sage 200 - Office 365 Onboarding error: "Cannot setup your integration".

Some activities involving Microsoft Entra ID (formerly Azure Active Directory) can only be performed by users who have Global Administrator rights.

 NOTE: The user must have the administrator role in Microsoft 365 to activate your account, set up the API and connected apps. Once the full setup process is completed, the administrator role in Microsoft 365 can be removed from the user if required. 

For further details about what is required, see this Microsoft article Who has permission to add applications to my Microsoft Entra instance?.

CAUTION: Sage takes no responsibility for information on external pages.
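
To confirm that the administrator role has been removed once setup is complete, you can list who currently holds it. This is an added example, not part of Sage's procedure; it assumes the Microsoft.Graph PowerShell module is installed, and `$SetupAccount` is a placeholder for the account you onboarded with.

```powershell
# Added example (not Sage code): list current Global Administrator holders and
# report whether the account used for the Sage 200 onboarding is still one.
param(
    # Placeholder value; replace with the account used during setup.
    [string]$SetupAccount = 'setup.user@example.onmicrosoft.com'
)

# Read-only scopes are enough for this audit.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

# Role template ID of Global Administrator; it is the same in every tenant.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

$role = Get-MgDirectoryRole -All |
    Where-Object { $_.RoleTemplateId -eq $globalAdminTemplateId }
if (-not $role) {
    throw 'The Global Administrator role was not found in this tenant.'
}

# Members come back as generic directory objects; the useful fields sit in
# AdditionalProperties. Only active, direct assignments are listed here.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            UPN  = $_.AdditionalProperties['userPrincipalName']
            Name = $_.AdditionalProperties['displayName']
            Type = $_.AdditionalProperties['@odata.type']
            Id   = $_.Id
        }
    }

$members | Sort-Object UPN | Format-Table -AutoSize

if ($members.UPN -contains $SetupAccount) {
    Write-Warning "$SetupAccount still holds Global Administrator."
}
else {
    Write-Output "$SetupAccount is not an active Global Administrator."
}
```

Role assignments that are only eligible through Privileged Identity Management are not returned by this query and need a separate review.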


Connect Sage 200 to your Microsoft 365 account

TIP: For a video of this process, see Sage 200 Professional - Installing the Azure Active Directory Proxy Tunnel. 

Now that you have activated your Microsoft 365 licence and registered it with Sage, you need to install the Microsoft Azure Active Directory Proxy Connector on your Sage 200 server.

NOTE: Ensure you are logged in as a Windows user who exists within Sage 200 and is already attached to a role within Azure, otherwise there will likely be an error when accessing the API tab in System Administration. If you're using Azure Virtual Desktop, ensure that the Azure Active Directory Proxy Tunnel is installed within the session desktop into the Azure Environment.

This sets up a connection to your Sage 200 server using Microsoft Entra ID (Azure Active Directory) authentication, to allow you to "tunnel" in and out of your network securely.

The Microsoft Azure Active Directory Proxy Connector requires Microsoft Windows 8.1, Windows Server 2012 R2, or later versions of Windows.

  1. Download the Azure Application Proxy Installer.
  2. Extract the contents of the downloaded zip file.
  3. Run the AppProxyInstaller.exe.
  4. Select Install and Configure.

  5. This starts the Microsoft Azure Active Directory Proxy Connector installer.

    Select Install.

  6. You will be asked to sign into your Microsoft Azure account.
  7. Select Close when the Microsoft Azure Active Directory Proxy Connector setup is complete.
  8. You will be asked to sign into your Microsoft Azure account again.
  9. The installer will now populate with information for you to create your enterprise applications within Microsoft Entra ID (Azure Active Directory).

    TIP: The Windows user you are currently logged in as will be used to activate the API in System Administration, and your user's Azure AD email address will be set to the Microsoft account that you signed in with.
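
After the installer finishes, a quick check on the Sage 200 server confirms that the connector is installed, running, and able to reach Microsoft's sign-in endpoint outbound. This is an added example, not part of Sage's installer or documentation; the service names `WAPCSvc` and `WAPCUpdaterSvc` are those registered by Microsoft's connector, and the single endpoint tested is an assumption about your network rather than the full list of required URLs.

```powershell
# Added example (not Sage code): post-install health check for the
# Application Proxy connector on the Sage 200 server.

# Windows service names used by Microsoft's connector and its auto-updater.
$expectedServices = 'WAPCSvc', 'WAPCUpdaterSvc'

$serviceReport = foreach ($name in $expectedServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Installed = [bool]$svc
        Status    = if ($svc) { $svc.Status }    else { 'Missing' }
        StartType = if ($svc) { $svc.StartType } else { $null }
    }
}
$serviceReport | Format-Table -AutoSize

# The connector only makes outbound connections, so no inbound firewall rule
# should be needed. Test one outbound HTTPS path (assumed endpoint).
$probe = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 `
    -WarningAction SilentlyContinue

$problems = @()
$problems += $serviceReport |
    Where-Object { -not $_.Installed -or $_.Status -ne 'Running' } |
    ForEach-Object { "Service $($_.Service) is $($_.Status)" }
if (-not $probe.TcpTestSucceeded) {
    $problems += 'Outbound TCP 443 to login.microsoftonline.com failed'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    Write-Output 'Connector services are running and outbound HTTPS is reachable.'
}
```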


Set up the Native API

  1. Go to entra.microsoft.com/ and sign in using the same email address that you used when you installed the Azure Application Proxy Installer.
  2. Select Identity > Applications > Enterprise applications.
  3. Select New application.
  4. Select Add an on-premises application.
  5. Enter the details for the on-premises application.
    • Name: Copy and paste the Native Name from the Microsoft Azure Active Directory Proxy Connector installer.

    • Internal Url: Copy and paste the Native Internal Url from the Microsoft Azure Active Directory Proxy Connector installer.

  6. Set Pre Authentication to Passthrough.
  7. Select Create to create the application.


 You'll see a notification when the on-premises application has been created.


TIP: If you have gone through this process with an email address which is not admin@***.onmicrosoft.com, the API will not be automatically enabled. In System Administration on the API tab, the status will be set to PendingAuthorisation.

In this instance your Business Partner will have to contact Technical Support to enable your API registration with the following information:

  1. The site name.
  2. The site URL.
  3. The email address used during the setup.

If you have issues finding any of these, contact Sage 200 technical support first. (Both site name and site url can be found in Sage System Administration on the API tab.)

Once this has been enabled, you will receive an email confirming this has been done, and you can proceed to the next step.

If you need to set up the connection with a different administrator account, use Reconfigure to change the Microsoft 365 account the application is associated with.

NOTE: You must also enter the Microsoft 365 email address for each user account in Sage 200. See Set up user email addresses in Sage 200.

To give a user access to the Sage 200 API they will require a valid Sage ID. The currently logged in user will also have Azure AD ticked and the Azure ID entered automatically in the API tab in System Administration.

  1. Open System Administration.
  2. Select the Users list.
  3. Right-click the user and select Properties.
  4. Select the API tab.
  5. Enable Sage ID and enter the user's Sage ID email address (this is used for authentication when using the API).
  6. Ensure the Sage ID created in step 4 can log in successfully to the my.sage.co.uk web page, and that the MySage terms and conditions have been accepted before proceeding.

Test the API has been successfully configured

Once you’ve set the API up and installed the Native API proxy installer, you can test to see whether the API successfully returns any information.

We have an API Test tool for you to use to confirm whether you can successfully return sites. To download and use this tool, see Sage 200 - API Test Tool.

Now that the API is enabled successfully, you may wish to look at further documentation:

