Virtual entities
Virtual entities allow the virtual integration of data between Dataverse and finance and operations apps, without the need for duplicating finance and operations apps data into Dataverse. Virtual entities allow you to work with Microsoft Power Platform and use all its capabilities for finance and operations apps.
Virtual entities are virtual data sources that allow the create, read, update, and delete (CRUD) transactions to flow from Dataverse and Microsoft Power Platform. These CRUD transactions don't reside in Dataverse; instead, they continue to reside in the app where they belong. You need to make entities from finance and operations apps available as virtual entities in Dataverse so that you can perform the CRUD operations from Dataverse on data that resides in finance and operations apps.
Virtual entity architecture
The following illustration shows how the system implements the finance and operations apps provider for virtual entities.
The implementation includes six primary methods. The first five are the standard CRUD operations: Create, Update, Delete, Retrieve, and Retrieve Multiple. The implementation uses the last method, Perform Action, in addition to calling OData actions.
Calls to finance and operations apps and the virtual entity provider cause a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 secure web call to the CDSVirtualEntityService web API endpoint in finance and operations apps. This web service converts queries into calls to the associated physical entities in finance and operations apps, and then it invokes the CRUD or OData operations on those entities. Because the system invokes the entity in finance and operations apps in all operations, it also invokes business logic on the entity or the backing tables. The virtual entity metadata is available through the virtual entity solutions in Dataverse.
Two translations happen between Dataverse and finance and operations apps during these calls.
- The first translation occurs in the virtual entity plug-in, which translates concepts such as entity names, from the finance and operations names to physical entity names.
- The plug-in also translates company reference concepts.
The call from the web service uses EntityCollection, Entity, and QueryExpression objects to express the operations being performed, using the translated names and concepts from the plug-in.
The web API in finance and operations apps completes the translation from QueryExpression to QueryBuildDataSource and other internal language constructs.
Overall, this process is meant to be a low-code/no-code approach to using the full potential of Microsoft Power Platform by bringing the finance and operations apps data sources into the mix.
Authentication and authorization for virtual entities
After learning about virtual entities, you need to understand the authentication that's necessary for calls to work between the two systems. For more information, see Authentication and authorization.
You can implement all calls between Dataverse and finance and operations apps as service-to-service calls by using Microsoft Entra ID. You need to have access to the Dataverse virtual entity application security role. This role has several privileges for the Web API translation services. You can run virtual entities, and the service calls that the system makes for them, by using the context of the user in finance and operations apps and by looking up the user information from the Dataverse user. The calls rely heavily on the security roles that you set up in finance and operations apps for the connections, translations, and the virtual entities.
Scenarios for Microsoft Entra ID authorization and virtual entities
One scenario is where you have authenticated access, and the other scenario involves anonymous access. Both scenarios are available with virtual entities.
For authenticated access, the contact in finance and operations apps needs the security role assigned to them.
For anonymous access, nothing needs to be done from a configuration standpoint in Dataverse. However, in finance and operations apps, you need to create an anonymous portal access user ID (as you would create any anonymous service account in Microsoft Entra ID), and then import the user into finance and operations apps. Then, you need to assign the security role to that user. You don't need system admin or security administration for the connection to work.