On October 1st, 2022, Microsoft is removing access to web services using Basic authentication. This week, many users have received a notification telling them they have a problem. In this video, I take a look at how to figure out what is going on, check it out:
The Telemetry Query needed:
traces
|where timestamp > ago(7d)
|where operation_Name == "Web Services Call"
or customDimensions.eventId == "RT0008"
|where tostring(customDimensions.httpHeaders) contains "Basic"
|project timestamp
, aadTenantId = customDimensions.aadTenantId
, environmentName = customDimensions.environmentName
, environmentType = customDimensions.environmentType
, companyName = customDimensions.companyName
, alObjectId = customDimensions.alObjectId
, alObjectName = customDimensions.alObjectName
, alObjectType = customDimensions.alObjectType
, category = customDimensions.category
, endpoint = customDimensions.endpoint
, httpStatusCode = customDimensions.httpStatusCode
, httpHeaders = customDimensions.httpHeaders
, executionTime = customDimensions.serverExecutionTime
, executionTimeInMS = toreal(totimespan(customDimensions.serverExecutionTime))/10000If you’ve been working with Business Central recently, chances are you (or your support team) have been flooded with messages like this: “Web service access key is no longer supported. Contact your administrator immediately to resolve the problem.” This video covers what’s actually happening with the deprecation of basic authentication for web services, why everyone is seeing these warnings, and — most importantly — how to use Application Insights telemetry to identify exactly which environments and endpoints are still using basic authentication so you can fix them before the October 1st deadline.
What’s Actually Happening?
About a year ago, Microsoft announced that web service access keys were going away. But to be more precise, it’s basic authentication to web services that’s being deprecated. The web service access key is simply the password used in basic authentication — when you call a web service, you provide a username and password, and the access key serves as that password.
The replacement is OAuth, which is a more secure way of authenticating. There are several videos on the channel covering how to set up OAuth if you haven’t already made the switch.
The Timeline
Microsoft originally planned to stop supporting basic authentication in April. However, after looking at telemetry data and seeing how many tenants were still using it, they extended the deadline by six months. Now that those six months have almost passed, Microsoft is ramping up the pressure with in-app warnings to all users — not just administrators or super users, but everyone.
The result? Every user sees the warning and dutifully calls their admin saying, “Hey, it tells me I have a problem and I need to contact you to get it fixed.” So thanks for keeping us at work, Microsoft!
The Problem with the Warning Message
The warning message is both helpful and unhelpful at the same time. It tells you: “One or more of your environments are using web service access key.” But which one? What endpoint? What integration? The “Learn more” link just takes you to a documentation page, which doesn’t really help you pinpoint the problem.
Let’s look at how to actually get to the bottom of this using telemetry.
Setting Up Application Insights
To diagnose which integrations are still using basic authentication, you need to have Application Insights connected to your Business Central environment. Here’s the setup process:
- Go to the Azure portal at portal.azure.com
- Open Application Insights and create a resource (if you haven’t already)
- Copy the connection string from your Application Insights resource
- Paste that connection string into your Business Central Admin Center for the relevant environment
- Let it collect data for a few days so you have meaningful information to query
The Telemetry Query
Once you have data flowing into Application Insights, navigate to the Logs section in the Azure portal and run the following query:
traces
| where timestamp > ago(7d)
| where operation_Name == "Web Service Called"
or customDimensions.eventId == "RT0008"
| where tostring(customDimensions.httpHeaders) contains "Basic"
| project
timestamp,
tenantId = customDimensions.aadTenantId,
environmentName = customDimensions.environmentName,
environmentType = customDimensions.environmentType,
companyName = customDimensions.companyName,
endpoint = customDimensions.endpoint,
statusCode = customDimensions.httpStatusCode,
headers = customDimensions.httpHeaders,
executionTime = customDimensions.serverExecutionTime
How the Query Works
Let’s break down what this query does:
- traces — Whenever something happens in Business Central, a trace is recorded in Application Insights
- timestamp > ago(7d) — We look at the last seven days, which is a good window to catch integrations that might only run periodically
- operation_Name == “Web Service Called” — Filters for web service call events
- customDimensions.eventId == “RT0008” — An alternative event ID for these traces
- contains “Basic” — This is the key filter. The HTTP headers are stored as a JSON structure, and if the word “Basic” appears in the authorization header, it means basic authentication was used
- The project clause pulls out the useful fields: timestamp, tenant ID, environment name, environment type, company name, endpoint, HTTP status code, headers, and execution time
This query is adapted from the BCTech GitHub repository examples, modified slightly for this specific use case.
Analyzing the Results
When you run this query on an environment that has basic authentication calls, you’ll get results showing exactly which endpoints are being called. You can export the results to Excel for further analysis.
In a real-world example from a partner who had the error, the results revealed:
- High-frequency calls to page 5050 through OData V4 on their production environment — this turned out to be a Continia integration that hadn’t been switched over to OAuth
- Calls to a customer info endpoint — an integration that was already identified and fixed
- Calls to purchase approval request entries — also part of the Continia installation
- Calls to general ledger entry — likely an old Power BI query created years ago that was still running periodically and pulling data for a report using basic authentication
Note that the actual username and password are redacted in the telemetry (you’ll see “Basic [REDACTED]” in the authorization headers), so there’s no security concern with this data.
A Tip on Filtering Results
You can ignore results that only show endpoints like /company or /metadata — many things query those all the time, and they don’t help you identify specific integrations. Focus on the specific page or API endpoints to figure out what external system or integration is making those calls.
What to Do Next
Once you’ve identified the offending endpoints and integrations:
- Identify the calling system — Use the endpoint information to determine which external application or integration is making the basic auth calls
- Switch to OAuth — Update each integration to use OAuth authentication instead of basic authentication with web service access keys
- Verify — Re-run the telemetry query after making changes to confirm basic auth calls have stopped
- Do it before October 1st — That’s the hard deadline when basic authentication will stop working entirely
Conclusion
The in-app warning message telling you that “one or more of your environments” are using web service access keys is frustratingly vague. But by connecting Application Insights to your Business Central environments and running the telemetry query shared above, you can pinpoint exactly which environments, which endpoints, and which integrations are still relying on basic authentication. This is tremendously more useful than a generic warning message. Now you know what environment, what endpoints, and that gives you a clear path to resolving everything before the October 1st cutoff. Get the query from the video description, run it against your environments, and start migrating those integrations to OAuth today.
