UAT Test Plan — PO Email Notification
| Field | Value |
|---|
| Version | 1.0 |
| Date | March 16, 2026 |
| Project | Bestway BC Development |
| Environment | Business Central Sandbox |
This test plan covers version 1.1.0.0 of the PO Email Notification extension. Before beginning UAT, confirm that: (1) v1.1.0.0 is published to the sandbox, (2) the PO Email Setup page has been configured with valid Graph API credentials, (3) the Custom Purchase Emails email scenario is mapped to an active outbound account, and (4) the PoEmailPermissionSet permission set is assigned to the test user.
Overview
This test plan validates the PO Email Notification extension for Microsoft Dynamics 365 Business Central. The extension sends automated email notifications to Supply Chain team members at three milestones in the Purchase Order lifecycle: when a PO is released (Created), when a Warehouse Receipt is registered (Shipped), and when a Warehouse Receipt is posted or a PO is received directly (Arrived). Recipients are configured per-PO using a semicolon-separated list of email addresses in the Send E-mail To field. Email addresses are resolved by searching Entra ID via the Microsoft Graph API. All email delivery uses Email.Enqueue so that delivery failures do not block or roll back BC transactions.
Extension Object Summary
| Object | ID | Extends | Purpose |
|---|
| Codeunit | 80100 | N/A | AzureAdMailLookup — authenticates with Microsoft Graph API and searches Entra ID users by display name or email. |
| Table | 80100 | N/A | Temp Email Results — in-memory buffer for email lookup results. TableType = Temporary; never written to the database. |
| Table | 80101 | N/A | PO Email Setup — singleton setup record storing Graph API tenant ID, client ID, and secret-stored flag. Client secret held in Isolated Storage. |
| Page Extension | 80101 | Purchase Order | Adds the Send E-mail To field and Entra ID email address lookup action to the Purchase Order page. |
| Page | 80101 | N/A | PO Email Setup — administration page for configuring Graph API credentials. Accessible via Search. |
| Codeunit | 80103 | N/A | PO Email Helper — builds HTML email bodies and enqueues messages via Email.Enqueue (non-blocking). |
| Codeunit | 80104 | N/A | PO Email Subscribers — event subscribers connecting PO/WR lifecycle events to the email helper. |
| Permission Set | 80100 | N/A | PoEmailPermissionSet — required for users accessing the email lookup action or the PO Email Setup page. |
Prerequisites
Test Area 1: PO Email Setup — Configuration
Requirement: Credentials for Microsoft Graph API must be configurable through BC without requiring source code changes.
Verify that the PO Email Setup page is accessible, credentials can be saved, and the client secret is not retrievable after saving.
TC-1.1: PO Email Setup Page Is Accessible
| Step | Action | Expected Result |
|---|
| 1 | As a user with the PoEmailPermissionSet, open BC and search for 'PO Email Setup'. | The PO Email Setup card page opens without error. |
| 2 | Observe the page layout. | The page shows fields for Graph Tenant ID, Graph Client ID, Client Secret (masked), and a read-only Client Secret Stored indicator. Save Secret and Clear Secret actions are visible. |
TC-1.2: Credentials Can Be Saved
| Step | Action | Expected Result |
|---|
| 1 | On the PO Email Setup page, enter a valid Graph Tenant ID and Graph Client ID. | Values are accepted and displayed. |
| 2 | Enter a client secret value in the masked Client Secret field. | The value is entered but displayed as masked (dots or stars). |
| 3 | Click Save Secret. | A confirmation message 'Client secret saved.' is displayed. The Client Secret field clears. The Client Secret Stored indicator changes to Yes/true. |
TC-1.3: Client Secret Is Not Retrievable After Saving
This test verifies the security requirement that the client secret cannot be read back once stored. Do not skip this test.
| Step | Action | Expected Result |
|---|
| 1 | After saving the secret in TC-1.2, close and reopen the PO Email Setup page. | The page reopens. The Client Secret field is blank (not pre-populated with the stored value). |
| 2 | Inspect the BC OData API or developer tools for any endpoint that returns the client secret value. | The client secret value is not accessible via any API or developer tool. Client Secret Stored shows Yes, but the actual value cannot be retrieved. |
TC-1.4: Client Secret Can Be Cleared
| Step | Action | Expected Result |
|---|
| 1 | On the PO Email Setup page with a secret stored, click Clear Secret. | A confirmation dialog appears: 'Remove the stored client secret?' |
| 2 | Click Yes. | A message 'Client secret cleared.' is displayed. The Client Secret Stored indicator changes to No/false. |
Test Area 2: Email Address Lookup
Requirement: Users must be able to search for email addresses from Entra ID directly from the Purchase Order page without entering addresses manually.
Verify that the email lookup searches Entra ID and returns matching users.
TC-2.1: Email Lookup Returns Results for a Valid Search
| Step | Action | Expected Result |
|---|
| 1 | Open a Purchase Order. Locate the Send E-mail To field. | The field is visible on the Purchase Order page. |
| 2 | Click the lookup button (ellipsis) next to the Send E-mail To field. In the search box, enter a partial display name of a known Entra ID user (e.g., first 3 letters of a name). | A lookup dialog opens with a search box. |
| 3 | Observe the results list. | A list of matching users is displayed, showing display name and email address. The list contains at least one entry matching the search text. |
| 4 | Select a user from the results. | The user's email address is added to the Send E-mail To field on the Purchase Order. |
TC-2.2: Multiple Recipients Can Be Added
| Step | Action | Expected Result |
|---|
| 1 | With one email address already in the Send E-mail To field, open the lookup again. | The lookup dialog opens. |
| 2 | Search for and select a second user. | The second user's email is appended to the field, separated from the first by a semicolon. |
| 3 | Inspect the field value. | The field contains both addresses in the format: user1@domain.com;user2@domain.com |
TC-2.3: Lookup Search Is Not Case-Sensitive
| Step | Action | Expected Result |
|---|
| 1 | Open the lookup and search using all lowercase letters for a name that is mixed-case in Entra ID. | Results are returned. The matching user appears in the results regardless of case. |
Test Area 3: PO Created Notification (On Release)
Requirement: When a Purchase Order is released, an email listing the PO lines must be sent to the addresses in Send E-mail To.
Verify the PO Created email is sent on release and contains accurate line information.
TC-3.1: PO Created Email Is Sent on Release
| Step | Action | Expected Result |
|---|
| 1 | Create or locate a Purchase Order with at least 2 item lines. Ensure the Send E-mail To field contains at least one valid email address. | The PO is in Draft status with item lines and recipients configured. |
| 2 | Release the Purchase Order. | The PO is released successfully. No error dialog appears. |
| 3 | Check the email inbox of the recipient address (or BC's Email Outbox if direct inbox access is not available). | An email with subject 'PO {No.} Created' is present in the outbox or delivered to the inbox. |
| 4 | Open the email and review the content. | The email body lists all item lines from the PO in a table with columns: Item No., Description, Qty, Location. The PO number matches. |
TC-3.2: No Email Sent If Send E-mail To Is Blank
| Step | Action | Expected Result |
|---|
| 1 | Create a Purchase Order with item lines but leave the Send E-mail To field blank. | PO is in Draft with no recipients. |
| 2 | Release the Purchase Order. | The PO is released successfully. No error dialog appears. |
| 3 | Confirm no email is sent. | No email is present in the Email Outbox for this PO. The release completes without notification. |
Test Area 4: PO Shipped Notification (On WR Registration)
Requirement: When a Warehouse Receipt is registered for a PO, an email listing the receipt lines must be sent to the PO's Send E-mail To recipients.
Verify the PO Shipped email fires when a Warehouse Receipt is created for a PO with recipients.
TC-4.1: PO Shipped Email Is Sent on Warehouse Receipt Registration
| Step | Action | Expected Result |
|---|
| 1 | Create and release a Purchase Order with item lines and a Send E-mail To address. Create a Warehouse Receipt for the PO. | The Warehouse Receipt is created for the PO. |
| 2 | Register the Warehouse Receipt. | The receipt is registered successfully. No error dialog appears. |
| 3 | Check the Email Outbox or recipient inbox. | An email with subject 'PO {No.} Shipped' is present. |
| 4 | Review the email content. | The email lists the item lines on the Warehouse Receipt (not all PO lines — only lines on this receipt). If an ETA date is present on the PO, it is displayed in the body. |
TC-4.2: Shipped Email Includes ETA When Present
| Step | Action | Expected Result |
|---|
| 1 | On the test PO, set the Expected Receipt Date field to a date in the future before registering the WR. | ETA date is set on the PO header. |
| 2 | Register the Warehouse Receipt. | No error. |
| 3 | Review the Shipped email body. | The email body includes the expected arrival date, e.g., 'The estimated arrival date is {date}.' |
Test Area 5: PO Arrived Notification (On WR Posting)
Requirement: When a Warehouse Receipt is posted, an email listing the posted receipt lines must be sent to the PO's Send E-mail To recipients.
Verify the PO Arrived email fires on receipt posting and that posting is never blocked by email delivery failures.
The Arrived notification fires on any purchase posting that creates a posted receipt, including direct PO posting with the Receive option (not only the warehouse flow). This is by design. Test TC-5.3 validates this behavior.
TC-5.1: PO Arrived Email Is Sent on Warehouse Receipt Posting
| Step | Action | Expected Result |
|---|
| 1 | Create, release, and warehouse-receive a Purchase Order with Send E-mail To configured. Post the Warehouse Receipt. | The receipt is posted successfully. No error dialog appears. |
| 2 | Check the Email Outbox or recipient inbox. | An email with subject 'PO {No.} Arrived' is present. |
| 3 | Review the email content. | The email lists all item lines from the posted receipt with Item No., Description, Qty, and Location. The body includes the standard container unloading notice. |
TC-5.2: Posting Is Not Blocked If Email Delivery Fails
| Step | Action | Expected Result |
|---|
| 1 | Temporarily clear the client secret (Test Area 1, TC-1.4) or un-map the email scenario. Then register and post a Warehouse Receipt for a PO with Send E-mail To configured. | Note: This test may be difficult to execute without temporarily breaking production setup. Discuss with the test coordinator before proceeding. |
| 2 | Attempt to post the Warehouse Receipt. | The receipt posts successfully. No error dialog blocks the posting, even though the email cannot be sent. |
| 3 | Restore the email configuration. | Configuration is restored to working state. |
TC-5.3: Arrived Email Also Fires on Direct PO Receive
| Step | Action | Expected Result |
|---|
| 1 | Create and release a Purchase Order with item lines and a Send E-mail To address. Use 'Post' → 'Receive' (not the warehouse flow) to receive the PO directly. | The PO is received successfully. |
| 2 | Check the Email Outbox. | An email with subject 'PO {No.} Arrived' is present. This confirms the notification applies to all receiving scenarios, not only the warehouse flow. |
Test Area 6: Source Code Security
Requirement: No Azure AD credentials (client ID or secret) should appear in the extension source code.
Verify that the hardcoded credential remediation from v1.0.88.5 is confirmed in place.
This test is automated in the pytest suite (TestSecurityFixes.test_no_hardcoded_secrets_in_source). Run the automated test and record the result here.
TC-6.1: No Hardcoded Credentials in AL Source
| Step | Action | Expected Result |
|---|
| 1 | Run the automated test: cd 'PO Email Notification/test' && python -m pytest test_po_email.py::TestSecurityFixes::test_no_hardcoded_secrets_in_source -v | The test passes. Output shows: 'No hardcoded secrets found in AL source files'. |
TC-6.2: IsolatedStorage Pattern Verified in Setup Table
This test is automated in the pytest suite (TestSecurityFixes.test_isolated_storage_pattern_in_setup). Run the automated test and record the result here.
| Step | Action | Expected Result |
|---|
| 1 | Run the automated test: cd 'PO Email Notification/test' && python -m pytest test_po_email.py::TestSecurityFixes::test_isolated_storage_pattern_in_setup -v | The test passes. Output shows: 'Setup table correctly uses IsolatedStorage with SecretText'. |
Test Area 7: Regression — Purchase Order Standard Operations
TC-7.1: Standard PO Operations Are Unaffected
| Step | Action | Expected Result |
|---|
| 1 | Open a Purchase Order with no Send E-mail To value. | The PO opens normally. No unexpected fields, messages, or errors appear. |
| 2 | Add item lines, update quantities, and save. | All standard operations complete without error. |
| 3 | Release, receive, and invoice the PO using the standard workflow. | All posting steps complete successfully. No error dialogs appear at any stage. |
TC-7.2: Email Lookup Action Does Not Affect PO Data
| Step | Action | Expected Result |
|---|
| 1 | Open a Purchase Order with existing item lines. Open the email lookup, search for a user, and cancel without selecting. | The lookup dialog closes. The Send E-mail To field is unchanged. No PO data was modified. |
| 2 | Open the lookup again, select a user, and close the PO without saving. | The email address selection is discarded. No change is committed to the PO. |
TC-7.3: Extension Does Not Affect POs Without Recipients
| Step | Action | Expected Result |
|---|
| 1 | Release, warehouse-receive, and post a Purchase Order that has no value in Send E-mail To. | All operations complete successfully without any error or notification email. |
| 2 | Check the Email Outbox. | No emails are queued for this PO. |