Using a Service Principal to create a token for ISOPlanner
Introduction
When connecting to the ISOPlanner API for production purposes, we strongly advise using a Service Principal.
- A Service Principal is fully managed by your organization.
- A Service Principal does not depend on user interaction.
- A Service Principal has Admin permissions in ISOPlanner at no additional cost.
Possible use cases:
- Load data from ISOPlanner into your data warehouse by using our BI endpoints.
- Create custom integrations using your workflow tool of choice.
- Connect external AI interfaces to ISOPlanner
In the following example we create a Service Principal to connect to the ISOPlanner BI endpoints and download data using Postman.
Step 1: Create an app registration in the Microsoft Azure Portal
- Log in to the Azure Portal, open the Entra ID service and create a new App Registration.
- Give the App Registration the name ‘BI Service’ (or whatever your use case requires).
- Select the option ‘Accounts in this organizational directory only’.
- Leave the Redirect URI blank
- Click Register.
- Go to the section ‘Manage / Certificates & Secrets’ and create a new Client Secret.
- Copy the secret Value (Not the ID).
- Copy the Application (client) ID in the Overview section.
- Copy the Directory (tenant) ID in the Overview section.
- Go to the section ‘Manage / API Permissions’ and click Add a Permission.
- Select tab ‘APIs my organization uses’ and search for ‘ISOPlanner SVC’ and select it.
- Select Application Permissions and check BI.Read.All.
- Click Add Permission
- Click Grant consent for {your org}
- In the section ‘Manage / Branding & properties’, set up a logo, internal notes and update the domain if needed. (Optional)
BI.Read.All allows the service principal to have read-only access to all data in ISOPlanner. When you have multiple organizational units, the service principal must be added to each of them to access data.
API.ReadWrite.All allows the service principal to call all public API endpoints including making changes like updating tasks and risks with Admin permissions.
Step 2: Create the Service Principal in ISOPlanner
- Log into ISOPlanner with a user that has the Admin role.
- Go to Administration / Users and click Add.
- In the panel that opens, click ‘Add user manually’.
- For field ID, paste the Application (client) ID you copied earlier
- For field Name, paste the name of the app registration. This does not have to match the app registration name but it is convenient to enter the same value.
- For field Email address, type a dummy email address like ‘bi-service@contoso.app’. You can enter a valid email address but this must be unique for all ISOPlanner users.
- For field User type, choose Service Principal.
- Click Save. The user is now added to the selected users in the panel.
- Click Add selected users. The user should now appear in the list.

Step 3: Connect using Postman
Start Postman, create a new collection and go to the Auth tab to fill in the authorization details. Use the following details.
- Type: OAuth 2.0
- Add auth data to: Request headers
- Header prefix: Bearer
- Grant type: Client credentials
- Access Token URL: https://login.microsoftonline.com/{Directory (tenant) ID}/oauth2/token/
- Client ID: Application (client) ID you saved earlier
- Client Secret: The secret value you saved earlier
- Scope: .default (including the dot)
- Client Authentication: Send client credentials in body
- Advanced / Token Request: Add key Resource with Value api://9a056f37-32fc-48b0-8075-e032dec8e3ac
- Click Get new access token and apply it.
Now create a new GET request in your collection, for example for https://svc.isoplanner.app/bi/v1/tasks
After clicking Send, the call should succeed and all tasks are returned.
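The same token request and BI call outside Postman, as an added example (not ISOPlanner's own code). It also checks that the token carries only the BI.Read.All application permission before using it. The function names and environment variable names are assumptions, and the check assumes Entra ID issues the access token as a JWT that lists application permissions in its roles claim.

```python
import base64, json, os, urllib.parse, urllib.request

RESOURCE = "api://9a056f37-32fc-48b0-8075-e032dec8e3ac"  # Resource value from Step 3
BI_TASKS_URL = "https://svc.isoplanner.app/bi/v1/tasks"  # example endpoint from Step 3
EXPECTED_ROLES = {"BI.Read.All"}                         # permission granted in Step 1

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, body) mirroring the Postman client-credentials settings."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token/"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # credentials go in the body, not a header
        "scope": ".default",
        "resource": RESOURCE,
    }
    return url, urllib.parse.urlencode(form).encode()

def token_roles(access_token):
    """Read the 'roles' claim from the JWT payload. Inspection only: the
    signature is not verified here; validating the token is the API's job."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def unexpected_roles(access_token):
    """Roles beyond BI.Read.All, e.g. API.ReadWrite.All granted by mistake."""
    return sorted(set(token_roles(access_token)) - EXPECTED_ROLES)

def fetch_tasks(tenant_id, client_id, client_secret):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    extra = unexpected_roles(token)
    if extra:
        raise RuntimeError(f"token carries more than read-only access: {extra}")
    req = urllib.request.Request(BI_TASKS_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Environment variable names are assumptions; keep the secret out of source.
    print(fetch_tasks(os.environ["ISOPLANNER_TENANT_ID"],
                      os.environ["ISOPLANNER_CLIENT_ID"],
                      os.environ["ISOPLANNER_CLIENT_SECRET"]))
```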