Technical Tasks for Dooap UAT D365 Deployment

1. Grant App Registration consents

The Dooap Team will provide you with a link which authorizes login to the Dooap application.
- Use this link to complete the consent wizard.
- The user completing and approving the consent must be a Global Administrator.
- The Global Administrator’s account must be a native user in the same Azure AD tenant where the D365 environment is hosted.
- Follow the steps in the wizard all the way through until you are prompted to log out.

2. Deploy Dooap D365 package

Download the package — The Dooap Team will provide you with the download link.
Deploy the package to D365 by following Microsoft’s official deployment documentation:
- https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/dev-tools/aio-deployable-packages
- https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/dev-tools/manage-runtime-packages#deployable-packages-from-third-parties

The Dooap package does not modify standard D365 functionality. It is safe to install even if older third-party AP solutions are still in use.

The deployable package includes four models containing Dooap’s custom service integration code. All four models must be deployed:

- Dooap
- DooapAPIs
- DooapBufferRecordFramework
- DooapChangedEntityFramework

3. Create Dooap integration accounts

Create system user accounts in the same Entra ID (Azure AD) domain used to deploy D365.
Separate accounts should be created for UAT and PROD for added security.
A full D365 Finance license is required for each integration account.
- Note: The exact license name varies by subscription model.
- A Team Member license is not sufficient per Microsoft licensing guidelines.
Create account: “Dooap UAT integration account”
- For example: dooapintegration-test@customer.onmicrosoft.com
- The password must not expire.
- Multifactor authentication (MFA) must be disabled when using the username + password integration method.
  - However, if the integration uses the Client ID + secret value authentication method (step 3.1), MFA can be enabled.

Create account: “Dooap PROD integration account”
- For example: dooapintegration-prod@customer.onmicrosoft.com
- The password must not expire.
- Multifactor authentication (MFA) must be disabled when using the username + password integration method.
  - However, if the integration uses the Client ID + secret value authentication method (step 3.1), MFA can be enabled.

Apply high throttling priority for both integration users. More detailed instructions can be found in this article.

After the accounts are created, securely deliver the credentials of both integration accounts (username + password) to the Dooap Team.

If ClientID + Secret authentication is used, only username of both integration accounts are necessary to deliver to Dooap.

3.1 Optional: Set up ClientID + secret value

Dooap allows using ClientID + Secret authentication layer in addition to the standard username + password method. This optional authentication layer does not affect functionality.

Integration user accounts (UAT + PROD) are still required.

Create an Application and Secret in Entra ID (Azure AD) by following Microsoft’s documentation.
Link the application to D365FO.
Provide the Application (client) ID, secret value, and secret expiration date to the Dooap Team securely.
More detailed instructions can be found here: D365 Enroll with ClientID & Secret.

4. Grant D365 access to Dooap integration accounts

Add both Dooap integration accounts to D365 UAT environment.
- This will prevent UAT credentials from being overwritten when refreshing test data.
Grant roles to both integration accounts:
- Dooap
- Dooap parameters
- Dooap integration
Ensure access to all legal entities in D365, including those outside the Dooap processing scope — access must not be restricted.

5. Grant D365 access to Dooap consultants

Consultant accounts are required for implementation and ongoing support. You can provide access in one of two ways:

Invite Dooap consultants ( @dooap.com ) as guest users to your Entra ID tenant (preferred).
Create consultant accounts under your own domain ( @customer.onmicrosoft.com ).

After the accounts exist:

Add the user to D365.
Assign the following roles:
- Dooap
- Dooap parameters

If permitted by your internal policies, the System administrator role will be used during the implementation phase.

6. Assign a worker to the integration account

A designated D365 worker (employee record) is required for auto-approval of invoice journals created by Dooap.

Step 1 — Create a Worker

Create a new worker in:

Human Resources > Workers > Workers

Use the following guidelines:

Name: Any descriptive name (e.g., “Dooap”)
Personnel Number: Any available number
Employment Start Date: Today’s date

Step 2 — Link the Worker to the Integration Account

Navigate to:

System administration > Users

Then:

Search for the Dooap UAT Integration User and select it.
Add the newly created Dooap Worker in the Person field.

7. Create a new invoice journal

Dooap uses a specific journal to post all Non-PO invoices.

Add this journal to each legal entity using Dooap.

General Ledger > Journal Setup > Journal names
- Name: Dooap
- Description: Dooap
- Journal type: Vendor invoice recording
- Voucher series: Continuous and company-specific, for example your existing AP Invoice number series
- Amounts include sales tax: Yes

8. Whitelisting

If your environment has access restrictions, please whitelist the Netherlands region, as our global management platform is hosted in Azure West Europe (backup France).

D365 UAT data refresh

When you refresh your D365 data from PROD to UAT, users rights will also be overwritten, which will break the Dooap integration in UAT.

Pre-emptively adding UAT user to the PROD environment in disabled state allows you to restore the functionality by simply re-enabling the UAT integration account after the refresh.

See the more detailed instructions here.