How Do I Access the Internal Azure Storage Managed by FinOps Once the Connection String is Deprecated?
Introduction
This article provides detailed information regarding the deprecation of connection strings to access the Internal Azure Storage managed by Finance and Operations (FinOps).
Microsoft intends to implement this deprecation due to security concerns, such as the risk of compromised connection strings.
It is highly recommended that you start using SAS to access the Internal Azure Storage.
Note
SAS is an acronym for Shared Access Signature. In Azure, this is a secure way to grant limited access to Azure Storage resources without sharing account keys.
Using SAS (user-delegated or not) on version 10.0.41 (PU65) without a product version equal to or newer than 7.0.7352.111 will result in the following error in Lasernet FO Connector 7.1:
Error
Method not found: ‘Azure.Storage.Blobs.BlobServiceClient Microsoft.DynamicsOnline.Infrastructure.Components.SharedServiceUnitStorage.SharedServiceUnitStorage.GetSharedServiceBlobServiceClient()’.
No action is necessary if an External Azure Storage option is employed or if Document handling is not used within Lasernet FO Connector.
Currently, the Lasernet Cloud Print Connector only supports External Azure Storage options.
Using External Azure Storage options is advantageous because it enables the use of the same Lasernet configuration and reports across different environments by accessing the same Azure Storage. This can facilitate the sharing of reports among DEV, TEST, and UAT (User Acceptance Testing) environments.
Using the Internal Azure Storage managed by FinOps can simplify the handling of XML and PDF files, attachments, and documents out-of-the-box. Lasernet FO Connector 7.1 supports SAS to access the Internal Azure storage, allowing the same configuration to be used across multiple environments in both Lasernet FO Connector and Lasernet.
The deprecation of connection strings to access the Internal Azure Storage managed by FinOps is not tied to any specific Platform Update (PU) but is a measure that Microsoft could implement in the following versions:
PU67 (10.0.43)
PU66 (10.0.42)
PU65 (10.0.41 versions equal to or newer than 7.0.7352.111)
Lasernet FO Connector 7.1 enables users to access the Internal Azure storage in the following ways:
User-delegated SAS for Microsoft-managed environments
SAS for DEV, CHE (Cloud Hosted Environment, customer Tier1), and UDE (Unified Development Environment/Experience) environments
Connection string for DEV, CHE, and UDE environments
Note
Microsoft will start supporting user-delegated SAS for UDE environments and will deprecate the use of connection strings to access the Internal Azure storage.
Ad hoc SAS for DEV, CHE, and UDE
Connection string for local DEV environments using Azurite as an emulator for the Azure Storage.
Note
A user-delegated SAS is a SAS that is secured with Microsoft Entra credentials.
Currently, a user-delegated SAS is only usable in a Microsoft-hosted environment. Lasernet FO Connector 7.1 supports the creation of a non-user-delegated SAS for CHE and UDE environments and the use of a connection string for DEV, CHE, and UDE environments.
It does not matter whether the SAS used in Lasernet is user-delegated or not. Therefore, it is possible to use the same connection across any CHE, UDE, and Microsoft-managed environments.
Prerequisites:
Minimum Lasernet version: 10.10.1
Minimum Lasernet FO Connector version: 7.1
It is possible to continue using an existing connection string; however, in some cases the connection string shown within Lasernet FO Connector may no longer be valid. This depends on the environment settings (ESC Flight modes), which are all managed by Microsoft. For this reason it is a good idea to keep a copy of all existing connection strings, as they might become valuable in the future. Treat them as secrets: a connection string carries the storage account key, which grants full access to the whole storage account, so keep the copies in a secrets store rather than in plain text or in a Lasernet configuration that is shared between environments.
Using SAS with Lasernet FO Connector and Lasernet
To connect to the Internal Azure Storage, a user-delegated SAS or a non-user-delegated SAS is needed. For each report, a SAS token is provided and passed to Lasernet by Lasernet FO Connector 7.1.
Note
A SAS token is a unique string containing permissions, expiration times, and other access details.
This SAS token is subsequently used within Lasernet to access files from the Internal Azure Storage.
A fresh SAS token is passed with each report because a user-delegated SAS token has a maximum lifetime of seven days and expires after that period. If the Lasernet service is stopped for more than seven days, the tokens attached to the queued documents will have expired and those documents might be left behind; Lasernet FO Connector can clean up orphaned XML files.
Lasernet FO Connector will create and provide the necessary information to use a SAS (user-delegated or not) and access the Internal Azure Storage, if the environment supports it.
A basic setup only needs a connection to the Azure Service Bus Queue, as all other information is passed through an entry in the Queue.
Note
Azure Service Bus supports reliable message queuing and durable publish/subscribe messaging.
From version 7.1 onward, Lasernet FO Connector will, for each document, pass to Lasernet the following properties for the SAS using the Azure Service Bus Queue:
SASToken_documents: Grants access to Attachments and Document handling.
SASToken_lasernet: Grants access to the container name and instance for XML/PDF files (the lasernet suffix is dynamic and reflects the used container name and instance).
SASAccountName: Storage account name
Different properties can be passed for the suffix lasernet in SASToken_lasernet depending on the container name and instance used within Lasernet FO Connector. For example, in the following image, archive has been configured as the container name and instance within Lasernet FO Connector:
Hence, the SASToken_archive is included as a property for the entry within the Azure Service Bus Queue:
Values in the Azure Service Bus Queue are used in Lasernet via JobInfo substitution to connect to the FinOps-managed Azure Storage.
Lasernet 10.10.1 is the minimum version that supports JobInfo substitution for the information required to access the storage via SAS (Blob Container/Queue and SAS Token).
JobInfo substitution is optional for the Storage account name, as this depends on the setup within Lasernet FO Connector (Lasernet > Setup > Parameters > Performance > D365FO storage access using SAS tokens (Azure storage managed by FinOps) > Send storage account name).
Storage account name: #SASAccountName#
Blob Container/Queue: #SASContainer#
SAS Token: #SASToken#
The following two connections are used as a fallback in the default configuration provided by Formpipe when no connection is specified within Lasernet FO Connector:
Azure Storage
Azure Storage SAS
The configuration will automatically determine whether to use SAS for the connection if Lasernet FO Connector provides one.
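As an added illustration (not Formpipe's or Lasernet FO Connector's code) of how the queue properties above become JobInfo values, the following Python resolves the dynamic SASToken_<container> property for a given container name/instance, falls back to the connection-string based Azure Storage connection when no token is sent, and shows which placeholders stay unresolved when the storage account name is neither sent in the queue entry nor entered manually in Lasernet. The queue entries are constructed; the connection names are Formpipe's defaults named on this page; the blob endpoint hostname is the standard public one.

```python
"""
Resolve, for one report, which Lasernet connection to use and which JobInfo
values to substitute, from the application properties of one Azure Service
Bus Queue entry as Lasernet FO Connector 7.1 sends them.

Added example, not Formpipe code. Property names (SASAccountName,
SASToken_<container>) follow the page; the queue entries at the bottom are
constructed and the blob endpoint hostname is the standard public one.
"""
from __future__ import annotations

SAS_CONNECTION = "Azure Storage SAS"      # Formpipe default: SAS-capable environments
CONNSTRING_CONNECTION = "Azure Storage"   # Formpipe default: local DEV / connection string
PLACEHOLDERS = ("SASAccountName", "SASContainer", "SASToken")
CONTAINER_URL_TEMPLATE = (
    "https://#SASAccountName#.blob.core.windows.net/#SASContainer#?#SASToken#")


def resolve_storage_jobinfo(properties: dict[str, str], container: str,
                            manual_account_name: str | None = None) -> dict:
    """Pick the connection and JobInfo values for `container`.

    The token property is dynamic: SASToken_<container>, where the suffix is
    the container name/instance configured in Lasernet FO Connector
    ('lasernet', 'archive', 'documents', ...). `manual_account_name` stands for
    the value an administrator types into Lasernet when 'Send storage account
    name' is set to No."""
    token = properties.get(f"SASToken_{container}")
    account = properties.get("SASAccountName") or manual_account_name
    if token is None:
        # No SAS for this container (local DEV, or 'Send SAS tokens' = No):
        # fall back to the connection-string based connection.
        return {"DatabaseConnection": CONNSTRING_CONNECTION, "SASAccountName": account,
                "SASContainer": container, "SASToken": None}
    return {"DatabaseConnection": SAS_CONNECTION, "SASAccountName": account,
            "SASContainer": container, "SASToken": token}


def substitute_jobinfo(template: str, jobinfo: dict) -> str:
    """Replace #Name# markers the way Lasernet JobInfo substitution does.
    Markers without a value are left in place, which is how a missing value
    becomes visible in the Lasernet Monitor."""
    out = template
    for key in PLACEHOLDERS:
        value = jobinfo.get(key)
        if value is not None:
            out = out.replace(f"#{key}#", value)
    return out


def unresolved_placeholders(template: str, jobinfo: dict) -> list[str]:
    """Markers that survive substitution, e.g. #SASAccountName# when the
    account name is neither sent in the queue entry nor entered manually."""
    result = substitute_jobinfo(template, jobinfo)
    return [f"#{k}#" for k in PLACEHOLDERS if f"#{k}#" in result]


def blob_container_url(jobinfo: dict) -> str:
    """Container URL with the SAS appended: what you would paste into Azure
    Storage Explorer to test the connection."""
    return substitute_jobinfo(CONTAINER_URL_TEMPLATE, jobinfo)


# Constructed queue entries; the tokens are placeholders, not real signatures.
QUEUE_ENTRY_SAS = {                       # CHE/UDE/Tier-2+ with SAS enabled
    "SASAccountName": "examplestorageacct",
    "SASToken_documents": "sv=2022-11-02&sr=c&si=LAC&sig=PLACEHOLDER1",
    "SASToken_archive": "sv=2022-11-02&sr=c&si=LAC&sig=PLACEHOLDER2",
}
QUEUE_ENTRY_NO_ACCOUNT_NAME = {           # 'Send storage account name' = No
    "SASToken_lasernet": "sv=2022-11-02&sr=c&sp=rwdl&se=2024-05-08T08:00:00Z&sig=PLACEHOLDER3",
}
QUEUE_ENTRY_LOCAL_DEV = {}                # local DEV: no SAS properties at all

if __name__ == "__main__":
    for name, entry, container in (("SAS", QUEUE_ENTRY_SAS, "archive"),
                                   ("no account name", QUEUE_ENTRY_NO_ACCOUNT_NAME, "lasernet"),
                                   ("local DEV", QUEUE_ENTRY_LOCAL_DEV, "lasernet")):
        info = resolve_storage_jobinfo(entry, container)
        print(name, "->", info["DatabaseConnection"])
        if info["DatabaseConnection"] == SAS_CONNECTION:
            print("  ", blob_container_url(info),
                  "unresolved:", unresolved_placeholders(CONTAINER_URL_TEMPLATE, info))
```

The fallback to the Azure Storage connection is exactly the decision the default configuration makes when a queue entry carries no SAS properties; the unresolved-placeholder check is what you want to run when a report fails with the "Object name ... does not exist" or "error reading from Azure storage" messages described later on this page.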
Basic Setup for Environments Supporting SAS
The simplest configuration involves establishing a connection with an Azure Service Bus Queue. All other parameters are controlled through the properties defined for an entry within the Queue.
This approach will work for CHE, DEV, UDE, and Microsoft-managed environments, whereas a connection string is required for local DEV environments.
Therefore, the same configuration can be reused across environments that support user-delegated SAS (Microsoft-managed environments) and non-user-delegated SAS (CHE, UDE). A connection via a connection string is required for environments that do not support SAS (local DEV environments).
Formpipe's default configuration includes the following two connections, which are used in case no connections are specified for the Azure Storage within Lasernet FO Connector:
Azure Storage: Used for local DEV environments.
Azure Storage SAS: Used for DEV, CHE, UDE, and Microsoft-managed environments.
The latest default configuration supplied by Formpipe with Lasernet FO Connector 7.1 incorporates the necessary adjustments. However, existing configurations can be modified to achieve similar functionality. To do so, follow this guide.
It is still possible to specify within Lasernet FO Connector which connections should be used in Lasernet. Ensure the id/name used within Lasernet FO Connector matches the one used in Lasernet and that the information for the SAS/connection string in Lasernet matches the one used in Lasernet FO Connector.
Additionally, ensure that SAS (user-delegated or not) is used if the environment supports it. Use a connection string for other environments that do not support SAS.
Document Handling (Attachments and Archive)
The Document handling feature within Lasernet FO Connector requires the use of the Internal Azure storage.
Document handling is supported via a connection string in local DEV environments and via SAS (user-delegated or not) in all other environments. Accessing environments other than the local development environment via a connection string may be possible, depending on whether such access is permitted by the Flight settings for the environment.
Attachments from archive are also supported via user-delegated SAS, non-user-delegated SAS, or a connection string:
Using External Azure Storage options for Document handling will result in an error when attempting to preview the report within the Attachments.
This error occurs because Document handling is only compatible with the Internal Azure Storage. To access the Internal Azure storage, use a user-delegated SAS, a non-user-delegated SAS, or a connection string, depending on the type of environment.
Error
ErrorMessage: An error occurred reading from Azure storage.
This error occurs when using External Azure Storage options rather than Internal Azure Storage.
For CHE, UDE, or Microsoft-hosted environments, employ user-delegated or non-user-delegated SAS to access the Internal Azure Storage when using Document handling. For local DEV environments, employ a connection string. It is also possible to use the default configuration and leave the fields empty. Lasernet FO Connector and Lasernet will automatically identify whether to use the Azure Storage or Azure Storage SAS connection in Lasernet.
Within the Lasernet Monitor, it is possible to verify which connection is being used and whether it is failing:
The following error usually occurs when the connection referenced by Lasernet FO Connector (here Azure Storage SAS) does not exist under that name in the Lasernet configuration, for example because an older default configuration is in use or the connection id/name does not match, rather than because the connection string itself is wrong:
Error
Object name (DatabaseConnections / Azure Storage SAS) does not exist
Configuration in Lasernet FO Connector
If the environment supports SAS, Lasernet FO Connector will provide the necessary information to access the Internal Azure Storage via user-delegated SAS or non-user-delegated SAS through the Azure Service Bus Queue.
The connection string and the Azure Storage connection in Lasernet will be employed only when an Outgoing connection (ASB) is entered and a local DEV environment is being used.
The Azure Storage SAS connection will be employed in CHE, UDE, and Microsoft-managed environments (TEST, UAT, Prod) – Tier-2+/ServiceFabric.
Lasernet will determine whether to use Azure Storage or Azure Storage SAS based on the adjustments or the default configuration provided by Formpipe with Lasernet FO Connector 7.1 and onward:
When overriding any of the two fields below within the Server setup, ensure that the connections used in Lasernet match those used within Lasernet FO Connector. Use a connection string for environments that cannot produce a non-user-delegated SAS or user-delegated SAS, such as a local DEV environment.
Use SAS (#SASAccountName#, #SASContainer#, #SASToken#) for environments that can produce a non-user-delegated SAS or a user-delegated SAS.
It is possible to reuse the same SAS connection across configurations, environments, and customers in both Lasernet FO Connector and Lasernet.
CHE, UDE, and Microsoft-Hosted Environments
These environments require SAS to access the Internal Azure Storage.
A connection string may also be used, depending on the environment’s Flight settings.
Local DEV Environments
Local development environments must access Internal Azure Storage through a connection string.
Examples
The examples below are based on the default configuration provided by Formpipe for Lasernet FO Connector 7.1. However, it is possible to adjust existing configurations to obtain similar results.
This guide explains the adjustments needed for Lasernet when using an older existing Formpipe default configuration.
The ASB Connection id in Lasernet FO Connector defines a connection to an Azure Service Bus Queue:
In the examples below, two connections are available in Lasernet (Tools > Commands > Connections).
The Azure Storage connection is used for local DEV environments.
The Azure Storage connection uses a connection string in Lasernet to communicate with FinOps.
The Name + Key credentials come from the local DEV environment and are needed when using Azurite as an emulator for Azure Storage.
The Azure Storage SAS connection is used for CHE, UDE, and Microsoft-hosted environments.
Azure Storage SAS uses a SAS connection and Shared Access Signature token, which are needed for both user-delegated SAS and non-user-delegated SAS.
Information is provided through the Azure Service Bus Queue. JobInfo substitution is used within Lasernet to ensure the values are correct:
Storage account name: #SASAccountName#
Blob Container/Queue: #SASContainer#
SAS Token: #SASToken#
Example 1: ASB and Internal Azure Storage
The following environments connect to an Azure Service Bus Queue and use its properties to access the Internal Azure Storage.
CHE, UDE, and Microsoft-Managed Environments (ServiceFabric)
Lasernet FO Connector creates and passes the required information to Lasernet for the non-user-delegated SAS or user-delegated SAS to access the Internal Azure Storage.
Lasernet accesses the Internal Azure storage using the Azure Storage SAS connection and the properties received via the Azure Service Bus Queue.
Local DEV Environments
Lasernet uses the Azure Storage connection and a connection string to access the Internal Azure Storage.
Example 2: ASB and Designated Name in Lasernet for the Internal Azure Storage
CHE, UDE, and Microsoft-Managed Environments
Lasernet FO Connector passes all SAS-related information via the Azure Service Bus Queue to Lasernet.
Lasernet uses these values for the Intern Azure storage via SAS connection and accesses the Internal Azure Storage via SAS.
Local DEV Environments
Lasernet FO Connector does not pass any SAS-related information because local DEV environments can only support connection strings. Therefore, a connection string is required.
Lasernet uses the connection string defined in Intern via Connection-string.
Example 3: External Azure Storage Used for Communication and Internal Azure Storage Used for Document Handling
Extern Azure storage facilitates communication between Lasernet FO Connector and Lasernet through XML files and attachments. Intern via Storage SAS is used for Document handling via SAS.
CHE, UDE, Microsoft-Managed Environment
The connection string specified for Extern Azure storage will be used in both Lasernet FO Connector and Lasernet for XML files and attachments.
Intern via SAS will be used for Document handling.
Local DEV Environments
The connection string specified for Extern Azure storage will be used in both Lasernet FO Connector and Lasernet.
If the environment is not managed by Microsoft, a connection string such as the one for Intern via Connection-string is used for Document handling.
Example 4: Additional Connection for XML and Attachments
It is possible to employ an External Azure Storage option to use Azure for communication between Lasernet FO Connector and Lasernet (for XML files and attachments) and another storage type for reports (such as PDF files).
Here, Extern Azure storage is used for XML files and attachments, while the Azure Storage SAS or Azure Storage connections are used for reports (PDF files) and for Document handling:
Using an additional connection requires a script adjustment, which is not part of the default configuration for Lasernet FO Connector 7.1.
This option is commonly used for SharePoint and to avoid throttling. It enables using Azure for communication between Lasernet FO Connector and Lasernet, and SharePoint for archiving purposes.
In Lasernet, edit the downloadAzureServiceBusResponseXML() function with the following script (Tools > Scripts > downloadAzureServiceBusResponseXML):
// Write script code here. Functions will be available elsewhere in Lasernet
function downloadAzureServiceBusResponseXML()
{
var prefix = 'AzureServiceBusResponse';
//setDatabaseConnection(prefix); // <-- Comment this line out when an additional Azure storage is used for the XML/files
job.setJobInfo('DatabaseConnection', 'Extern Azure storage', true); // Use this when the XML input storage differs from the report storage
attachDocumentGeneric(prefix, '');
job.setJobData(job.getJobInfoBinary(prefix));
}
If archiving is enabled, XML files are saved in External Azure storage, and PDFs are stored in Internal Azure storage.
When using Internal Azure storage or an additional storage option, it is necessary to either set the JobInfos based on the required SAS information or employ the setDatabaseConnection(prefix) function.
This is not a standard setup, as it would mean leaving the following field empty:
Using Extern Azure storage for the connection does not provide the necessary SAS access information for an environment supporting SAS.
In this situation, Lasernet uses the Azure Storage connection instead of the Azure Storage SAS connection, even if the environment supports SAS.
If no lookup is displayed, copy the connection string value from Lasernet. The availability of a lookup relies on the connection between Lasernet FO Connector and Lasernet.
Enter the connection string or SAS token into Azure Storage Explorer to check if the connection is working.
Advanced Settings for the SAS Within Lasernet FO Connector
Lasernet FO Connector 7.1 includes advanced settings for user-delegated SAS and SAS tokens that can be used to enhance security.
These settings can be used to lower the lifetime within the SAS token lifetime (hours) field. However, this value cannot be higher than 168 hours (seven days).
The SAS token recycle window (hours) field specifies how many hours before a SAS token expires a new token should be generated.
The default for the SAS token lifetime (hours) is 168 hours, and the default for the SAS token recycle window (hours) is 24 hours.
SETTINGS
Send SAS tokens: This defines whether SAS tokens should be added as properties of the entry within the Azure Service Bus Queue. The default setting is Yes; Lasernet FO Connector additionally validates whether the environment can actually provide a user-delegated SAS (managed identity) or a non-user-delegated SAS, and sends the tokens only if it can.
Screenshots (not reproduced here): Send SAS tokens enabled; Send SAS tokens disabled.
Send storage account name: This defines whether the Storage account name should be included as a property for the entry within the Azure Service Bus Queue. The default setting is Yes. If this toggle button is set to No, manually add the Storage account name to Lasernet.
Screenshots (not reproduced here): Send storage account name enabled; Send storage account name disabled.
The Storage account name can be found in Lasernet > Setup > Parameters > Performance:
Copy this value into Lasernet if it is not included in the Azure Service Bus Queue when the Send storage account name toggle button is set to No.
Permissions
The same permissions are used for all instances and containers created within the Connections form (Lasernet > Setup > Administration > Connections):
Read
Write
Delete
List
Read, Write, and Delete are required for the communication between Lasernet FO Connector and Lasernet. List is the one permission Lasernet itself does not need; it is required only when a SAS is used to browse a container in Azure Storage Explorer.
The required permissions for Lasernet are Read, Write, and Delete.
The required permissions for Azure Storage Explorer are Read, Write, Delete, and List.
Additionally, a SAS token can be generated here and used to test the SAS functionality in Lasernet. A SAS token grants access to one specific entity (instance) and container within Azure Storage, so generate it for the instance you intend to test.
Fill in the Storage account name and Blob Container fields, and paste the previously copied value into the SAS Token field:
Security
Disabling the Send storage account name setting adds a layer of defence: knowing the SAS token(s) and container name alone is then insufficient to form the storage URL. Treat this as defence in depth rather than a primary control, since the storage account name is part of the public blob hostname and is not a secret in itself; the signature in the SAS token is.
Similarly, disabling List permissions ensures that no files or blobs within the containers can be listed.
Furthermore, if a highly secure setup is required, it is advisable to lower the values for the SAS token recycle window (hours) and SAS token lifetime (hours).
SAS vs Ad Hoc SAS
Lasernet FO Connector 7.1 supports two types of account-key SAS: one that creates and uses stored access policies on the container, and an ad hoc SAS that carries its permissions (and expiry) inside the token itself.
With a policy-based SAS the permissions live in the stored access policy, whereas with an ad hoc SAS they are part of the SAS token.
Account-key SAS (policy-based or ad hoc) is intended for CHE and UDE environments, while user-delegated SAS should be used for Microsoft-managed environments. The permissions specified in the Connections form are used for both user-delegated SAS and ad hoc SAS. An ad hoc SAS can also be used in a Microsoft-managed environment, but only with specific Flight settings.
The Use policy toggle button and Policy field enable adding a new policy with the specified permissions for the SAS token, provided that no more than five policies have already been added and that the policy does not already exist.
The maximum number of policies for a container within the Azure Storage is five.
The name specified in the Policy field is used as the identifier of the stored access policy on the blob container in Azure.
Use policy: Yes (by default)
Policy: LAC (by default)
The name of the policy is included as part of the SAS token when Use policy is toggled Yes:
Setting Use policy to No will cause an ad hoc SAS to be used for the SAS token, which will contain the permissions. For instance, in the following SAS token, the sp section contains the permissions specified: sp=rwdl – Read, Write, Delete, and List.
Whether a SAS was signed with a user delegation key or with the storage account key can be identified from the token itself:
SAS signed with a user delegation key: Microsoft-managed environments and, in the future, UDE environments
SAS signed with the account key: CHE and UDE environments
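To make these distinctions concrete, and to show the checks behind the Advanced Settings and Permissions sections above (168-hour maximum lifetime, recycle window, Read/Write/Delete for Lasernet, List for Azure Storage Explorer), here is an added Python example that is not Lasernet FO Connector or Formpipe code. It parses a SAS token or SAS URI, classifies it as user-delegated, policy-based or ad hoc, reads the sp permissions, and decides whether the token is inside the recycle window. The query parameter names are the standard Azure Storage SAS parameters; the three sample tokens are constructed and their signatures are placeholders.

```python
"""
Inspect an Azure Storage SAS token as this page describes it: which kind it
is (user-delegated, stored access policy, or ad hoc), which permissions it
carries, whether it respects the 168-hour maximum lifetime, and whether it is
already inside the recycle window.

Added example, not Lasernet FO Connector or Formpipe code. The query
parameter names (sv, sp, st, se, si, skoid, ...) are the standard Azure
Storage SAS parameters; the tokens at the bottom are constructed and their
signatures are placeholders.
"""
from __future__ import annotations

from datetime import datetime
from urllib.parse import parse_qsl

MAX_LIFETIME_HOURS = 168.0   # seven days: the user-delegation SAS maximum
LASERNET_PERMS = "rwd"       # Read, Write, Delete: what Lasernet needs
EXPLORER_PERMS = "rwdl"      # Azure Storage Explorer additionally needs List


def parse_sas(token_or_url: str) -> dict[str, str]:
    """Return the SAS query parameters; accepts a bare token or a full SAS URI.
    parse_qsl percent-decodes the values, so 'sig' comes back as raw base64."""
    query = token_or_url.rsplit("?", 1)[-1]
    return dict(parse_qsl(query, keep_blank_values=True))


def sas_kind(p: dict[str, str]) -> str:
    """skoid/sktid/skt/ske appear only on a SAS signed with a user delegation
    key (Entra credentials). si names a stored access policy on the container
    ('Use policy' = Yes); without either, the permissions are inline (ad hoc)."""
    if "skoid" in p:
        return "user-delegated"
    if "si" in p:
        return "policy"
    return "ad hoc"


def permissions(p: dict[str, str]) -> set[str] | None:
    """Permission letters from sp, or None when they live in the stored access
    policy and cannot be read from the token alone."""
    return set(p["sp"]) if "sp" in p else None


def missing_permissions(p: dict[str, str], required: str) -> set[str] | None:
    """Letters of `required` that the token does not grant (None if unknowable)."""
    granted = permissions(p)
    return None if granted is None else set(required) - granted


def _utc(value: str | datetime) -> datetime:
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lifetime_hours(p: dict[str, str]) -> float | None:
    """Validity window in hours (se - st); None when the token omits either,
    which is the policy case: expiry is then set on the policy in Azure."""
    if "st" not in p or "se" not in p:
        return None
    return (_utc(p["se"]) - _utc(p["st"])).total_seconds() / 3600


def exceeds_max_lifetime(p: dict[str, str]) -> bool:
    hours = lifetime_hours(p)
    return hours is not None and hours > MAX_LIFETIME_HOURS


def needs_recycle(p: dict[str, str], now: str | datetime,
                  recycle_window_hours: float = 24.0) -> bool:
    """True when the token expires within the recycle window. A token with no
    se of its own (policy-based) is reported as needing a recycle, the
    conservative answer, because its expiry cannot be read from the token."""
    if "se" not in p:
        return True
    remaining = (_utc(p["se"]) - _utc(now)).total_seconds() / 3600
    return remaining <= recycle_window_hours


def report(token: str) -> dict:
    p = parse_sas(token)
    return {
        "kind": sas_kind(p),
        "policy": p.get("si"),
        "permissions": permissions(p),
        "lifetime_hours": lifetime_hours(p),
        "over_max_lifetime": exceeds_max_lifetime(p),
        "missing_for_lasernet": missing_permissions(p, LASERNET_PERMS),
        "missing_for_explorer": missing_permissions(p, EXPLORER_PERMS),
    }


# Constructed sample tokens; the 'sig' values are placeholders, not signatures.
POLICY_SAS = "sv=2022-11-02&sr=c&si=LAC&sig=PLACEHOLDER"        # Use policy = Yes
ADHOC_SAS = ("sv=2022-11-02&sr=c&sp=rwdl"                        # Use policy = No
             "&st=2024-05-01T08:00:00Z&se=2024-05-08T08:00:00Z&sig=PLACEHOLDER")
USER_DELEGATED_SAS = (                                            # Microsoft-managed
    "sv=2022-11-02&sr=c&sp=rwd&st=2024-05-01T08:00:00Z&se=2024-05-08T08:00:00Z"
    "&skoid=11111111-1111-1111-1111-111111111111"
    "&sktid=22222222-2222-2222-2222-222222222222"
    "&skt=2024-05-01T08:00:00Z&ske=2024-05-08T08:00:00Z&sks=b&skv=2022-11-02"
    "&sig=PLACEHOLDER")

if __name__ == "__main__":
    for name, token in (("policy", POLICY_SAS), ("ad hoc", ADHOC_SAS),
                        ("user-delegated", USER_DELEGATED_SAS)):
        print(name, report(token), "recycle now:",
              needs_recycle(parse_sas(token), "2024-05-07T10:00:00Z"))
```

Two practical points follow from the code: a policy-based token reveals neither its permissions nor its expiry, so those must be checked on the stored access policy in Azure (which is also why removing the policy breaks Document handling, as described below); and the sig value is the credential, so a token copied into a ticket or a log grants whatever sp says until se.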
If an error such as the following occurs when using Document handling, recycle the SAS tokens for the instance name and container documents.
Error
ErrorMessage: An error occurred reading from Azure storage.
This error can occur if the policy specified within Lasernet FO Connector has been removed:
It is also possible to refresh the entity and container used for the XML/PDF file, such as lasernet in the following image:
When the system does not respond and issues arise with Preview and Document handling, toggle the Use policy button to No. This forces Lasernet FO Connector to provide an ad hoc SAS, which is useful if five policies already exist for one of the containers.
Azure Storage Explorer
It is possible to open the Internal Azure Storage in Azure Storage Explorer with a SAS prepared by Lasernet FO Connector. To do so, follow these steps:
Enable the List permission for the instance (Lasernet > Setup > Administration > Connections) before generating the SAS; Azure Storage Explorer needs it to browse the container, whereas Lasernet itself does not.
Navigate to Lasernet > Setup > Parameters > Performance > D365FO storage access using SAS tokens (Azure storage managed by FinOps).
Select the Instance name for which the SAS should be created, as a SAS grants permission to one specific instance and container within Azure Storage.
Click the copy icon to copy the SAS URI to the clipboard.
In Azure Storage Explorer, select Blob container or directory as the resource to connect to.
Select Shared access signature URL (SAS).
Paste the URL from the clipboard.
Lack of List permissions will cause the following error:
Error
The SAS has inadequate permissions. A service SAS with at least List permission (‘sp=l’) is required.
Validation of SAS
It is possible to validate whether a SAS can be created for an environment by using the Recycle SAS tokens feature located in Lasernet > Setup > Parameters > Performance.
An error such as the following occurs if this is not feasible:
The SAS URI is created and shown for the Instance name if the environment supports it:
A short connection string indicates that the environment does not support connection strings. If you are unsure, copy the connection string and attempt to use it within Azure Storage Explorer. A similar approach applies to testing a user-delegated SAS or non-user-delegated SAS.
ESC Flight Modes (Managed by Microsoft)
This section provides insight into which ESC Flight modes are enabled.
The ESC Flight mode properties are shown within the Lasernet parameters page of Lasernet FO Connector and passed as properties via the Azure Service Bus Queue. However, only Microsoft can maintain them.
The two RELATED MS FLIGHT MODES are:
EnableSharingOfValidStorageConnectionString
This Flight mode ensures that users are still able to use existing connection strings to access the Internal Azure Storage. The system will not show a valid connection string if the following Flight mode is enabled:
EnableRegisterOfAzureStorageInterceptors
This Flight mode ensures that users can use the user-delegated SAS to connect to the Internal Azure Storage. Access will also be granted via existing connection strings if EnableSharingOfValidStorageConnectionString is enabled. However, an invalid connection string will be shown.
Access through user-delegated SAS or connection strings is not permitted if both Flight modes are disabled.
The following properties are provided for clarity but are not used in Formpipe's default configuration for Lasernet FO Connector 7.1, and they do not need to be included as part of any adjustments to other default configurations:
ESC Flight Modes
EnableSharingOfValidStorageConnectionString: No
EnableRegisterOfAzureStorageInterceptors: No
Environment support | Local DEV | CHE | UDE | Microsoft-managed (ServiceFabric) |
---|---|---|---|---|
User-delegated SAS/managed identity | Not supported | Not supported | Not supported | Not supported |
SAS | Not supported | Supported | Supported | Supported, but will be deprecated in the future |
Ad hoc SAS | Not supported | Supported | Supported | Supported, but will be deprecated in the future |
Use of existing connection string | Supported | Supported | Supported in the future | Supported in the future |
Valid connection string is shown | Supported | Supported | Supported in the future | Supported in the future |
EnableSharingOfValidStorageConnectionString: Yes
EnableRegisterOfAzureStorageInterceptors: No
Environment support | Local DEV | CHE | UDE | Microsoft-managed (ServiceFabric) |
---|---|---|---|---|
User-delegated SAS/managed identity | Not supported | Not supported | Not supported | Not supported |
SAS | Supported | Supported | Supported | Supported, but will be deprecated in the future |
Ad hoc SAS | Not supported | Supported | Supported | Supported |
Use of existing connection string | Supported | Supported | Supported, but will be deprecated in the future | Supported, but will be deprecated in the future |
Valid connection string is shown | Supported | Supported | Supported, but will be deprecated in the future | Supported, but will be deprecated in the future |
EnableSharingOfValidStorageConnectionString: Yes
EnableRegisterOfAzureStorageInterceptors: Yes
Environment support | Local DEV | CHE | UDE | Microsoft-managed (ServiceFabric) |
---|---|---|---|---|
User-delegated SAS/managed identity | Not supported | Not supported | Supported in the future | Supported |
SAS | Supported | Supported | Supported, but will be deprecated in the future | Not supported |
Ad hoc SAS | Not supported | Supported | Supported, but will be deprecated in the future | Not supported |
Use of existing connection string | Supported | Supported | Supported, but will be deprecated in the future | Supported |
Valid connection string is shown | Supported | Supported | Not supported | Not supported |
EnableSharingOfValidStorageConnectionString: No
EnableRegisterOfAzureStorageInterceptors: Yes
Note
Might not be applicable.
Environment support | Local DEV | CHE | UDE | Microsoft-managed (ServiceFabric) |
---|---|---|---|---|
User-delegated SAS/managed identity | Not supported | Not supported | Supported in the future | Supported |
SAS | Supported | Supported | Supported, but will be deprecated in the future | Not supported |
Ad hoc SAS | Not supported | Supported | Supported, but will be deprecated in the future | Not supported |
Use of existing connection string | Supported | Supported | Not supported | Not supported |
Valid connection string is shown | Supported | Supported | Not supported | Not supported |