User & Security Role Assignments via Data Management in Dynamics 365 Finance and Operations

USER & SECURITY ROLE ASSINGMENTS VIA DATA MANAGEMENT IN DYNAMICS 365 FINANCE AND OPERATIONS

CONTENT Introduction The challenge of scale Why use data management? Demo Conclusion

INTRODUCTION

Role assignment can be a cumbersome and time-consuming process in Dynamics 365 Finance and Operations (D365FO). Identifying the appropriate future-state security roles for business users, and then ensuring those roles are correctly assigned, often involves multiple teams and a deep understanding of both business processes and security architecture. Without a structured approach, this can easily become an overwhelming task—especially during large-scale implementations, reorganizations, or security clean-up efforts.

THE CHALLENGE OF SCALE

As the number of users in the system grows, so does the complexity of managing their security role assignments. In environments with hundreds—or even thousands—of users, manually assigning or updating roles becomes highly inefficient and error-prone. It's not just the volume of users that creates difficulty, but also the variety of roles and the need to reflect organizational changes quickly and accurately.

Keeping track of which users need which roles, ensuring Segregation of Duties (SoD) compliance, and maintaining consistent role structures across business units requires a scalable solution. Relying solely on the user interface to manage role assignments simply doesn't scale well.

WHY USE DATA MANAGEMENT?

Fortunately, D365FO provides a powerful alternative through its Data Management workspace. This workspace enables administrators to manage user and security role assignments in bulk using import/export functionality. It offers a faster, more consistent way to perform updates, which is critical for both initial setup and ongoing maintenance.

The process involves a few key steps:

Prepare the Data File: Create an Excel or CSV file that includes the required fields—typically the user ID and the associated security role(s). This document serves as your template for import.

1. Upload Through Data Management: Use the "Security user role" entity within the Data Management workspace to upload the prepared file. The system processes the file and assigns roles to users based on the contents.

2. It's a time consuming process. There has to be an easy way to upload user & role assignments. Data management workspace is an excellent fit for that. First, a user & security role assignment file has to be prepared. Next step, Prepared document should be uploaded into D365FO.

This method is not only fast but also offers flexibility. For example, you can choose to delete existing role assignments before importing new ones, which is helpful during role restructuring or system refreshes. It also helps reduce manual errors and increases consistency, especially when dealing with repeatable processes or multiple environments (such as test, UAT, and production).

Benefits

• Efficiency: Assign roles to hundreds of users in a matter of minutes.
• Consistency: Reduce the risk of manual entry errors.
• Scalability: Easily handle role assignments in growing or dynamic organizations.
• Clean-Up Support: Replace outdated role assignments with updated ones using delete and import options.
• Audit Readiness: Maintain traceable and auditable documentation of role changes through import files.

By leveraging the Data Management workspace, organizations can dramatically simplify and accelerate the user role assignment process, making it a sustainable part of their overall security management strategy in D365FO.

DEMO

Intro sentence here.

1. Preparing Guide File

Navigate to Data Management workspace.

System administration >> Workspaces >> Data management.

Create a new export project and use data entity Security user role association.

Select Excel as the source data format.

Click Export.

Find the project in the job history.

Click Execution details.

Once the export job completes, locate the project in Job history, click on Execution details, and Download file.

Template contains the following columns:

• USERID: D365FO user ID.
• SECURITYROLEIDENTIFIER: Security role system name.
• ASSIGNMENTMODE: Manual or automatic role assignment indicator.
• ASSIGNMENTSTATUS: Role assignment status. Disabled line disappears from the UI and role assignment is not active anymore.
• SECURITYROLENAME: The actual role name.

2. Preparing Import File

Update the downloaded file with the future-state user and security role assignments.

Key considerations:

• Don't forget to include service accounts.
• Don't forget to include system administrators.
• Ensure each role assignment is a separate line for every user.

3. Importing User & Security Role Assignment File

Return to the Data Management workspace and create a new Import project.

Again, select the entity Security user role association, and use Excel as the source data format.

Before importing:

Set Truncate entity data parameter to Yes. This removes previous role assignments.

Set Skip staging parameter to Yes for direct import without preview.

Click Import to proceed.

Once the job completes, new role assignments will be reflected in the system.

CONCLUSION

Managing user and role assignments at scale requires a structured and efficient approach, particularly in environments where accuracy and auditability are critical. Leveraging the Data Management workspace in D365FO provides a repeatable and auditable method for mass assigning or updating security roles. By exporting current assignments, preparing a controlled future-state file, and importing with the appropriate parameters, administrators can confidently maintain security alignment across environments. This approach minimizes manual input, reduces the potential for errors, and supports governance objectives tied to compliance.

Practical Guide to General Ledger Allocations in Dynamics 365 Finance and Operations

PRACTICAL GUIDE TO GENERAL LEDGER ALLOCATIONS IN DYNAMICS 365 FINANCE AND OPERATIONS

CONTENT Introduction How to fit into month-end process Use cases Allocation rule types Real Business Scenario Conclusion

INTRODUCTION

In Dynamics 365 Finance and Operations (D365FO), allocation journals are used to systematically distribute general ledger (GL) account balances across multiple accounts, departments, or financial dimensions based on predefined rules. These rules can support both fixed and variable allocations, helping automate routine distribution processes. 

This article explains the logic of the allocation process, its types, and provides an end-to-end demonstration through a real business scenario.

Let's get started.

HOW TO FIT INTO MONTH-END PROCESS

Allocation journals are used to distribute amounts from one financial dimension or account to others based on a defined logic (e.g., percentages, fixed amounts). They’re often created and posted during the month-end close for the following reasons:

• Accurate Departmental Reporting: You want each department or project to reflect its fair share of corporate costs.
• Consistent and Repeatable Process: Allocation journals can be automated using predefined rules and run at each month-end.
• Auditability: D365FO lets you post allocations as actual ledger journal entries, which helps with transparency and audit trails.

ALLOCATION RULE TYPES

1. Fixed Percentage

Distributes the source amount based on predefined percentages.

• Use case: You know the exact percentage split (e.g., 40% to Department A, 60% to Department B).
• Setup: You define a list of destination accounts/dimensions and assign a percentage to each.

Example:

You allocate $1,000 from the IT expense account:

• Dept A: 40% → $400
• Dept B: 60% → $600

2. Fixed Weight

Distributes the source amount based on weight factors, which are not percentages. D365FO calculates the distribution ratio based on the relative weights.

• Use case: You have proportional metrics (e.g., square footage, number of PCs) but not exact percentages.
• Setup: You assign weight values (like 2, 3, 5) to each destination, and D365FO does the math.

Example:

You allocate $1,000 based on weights:

• Dept A: 2
• Dept B: 3
• Dept C: 5
• Total weight = 10
• Allocated: A: $200, B: $300, C: $500

3. Equally

Splits the source amount evenly across all specified destinations.

• Use case: You want a simple equal split across all recipients.
• Setup: You list the destination dimensions, and D365FO splits the amount evenly.

Example:

You allocate $900 equally to three departments:

• Dept A: $300
• Dept B: $300
• Dept C: $300

4. Basis

Distribute the source amount based on the selected main account and/or financial dimension balances. If the account is a statistical account, the balance may reflect figures such as the total number of employees or the square footage of a facility.

• Use case: You want to distribute marketing expenses across departments based on their head counts.
• Setup: You define statistical accounts, and D365FO splits the amount based on the account balances (head counts).

Example:

You allocate $1,000 marketing expenses based on number of department employees:

• Dept A: 7 people  → $233
• Dept B: 13 people  → $433
• Dept C: 10 people  → $333

USE CASES

Here are some common use cases:

1. Monthly Overhead Allocation

Use Case: Allocate indirect costs (e.g., utilities, rent, insurance or administrative salaries) to cost centers or departments.

Example: Rent of $50,000 is allocated to departments based on square footage.

2. Marketing or Sales Campaign Cost Allocation

Use Case: Allocate campaign expenses to various products, business lines, or regions.

Example: A $100,000 campaign is split among 5 product lines based on projected revenue contribution.

3. Intercompany Cost Allocations

Use Case: Allocate costs between different legal entities within the same organization.

Example: Corporate headquarters costs are allocated to subsidiaries.

4. Statistical Allocation Based on Ledger or Statistical Accounts

Use Case: Allocate costs based on statistical measures like machine hours, labor hours, or square footage.

Example: Maintenance costs are distributed based on machine usage hours tracked in statistical accounts.

5. Period-End Accruals and Adjustments

Use Case: Perform recurring allocations for accruals, amortizations, or revenue/cost deferrals.

Example: Amortizing an annual insurance cost monthly across the fiscal year.

6. Allocation of Payroll Costs

Use Case: Allocate salaries and wages to projects, departments, or cost centers.

Example: A project manager's salary is split 50/50 between two active projects.

7. Budget Allocations

Use Case: Distribute budgeted amounts across accounts or dimensions for planning and analysis.

Example: A marketing budget is allocated to various campaigns or geographies.

REAL BUSINESS SCENARIO

The company has $12,000 of IT expenses posted to a shared IT department. The goal is to reallocate this cost to three departments based on fixed percentages:

• Dept A – 20%
• Dept B – 30%
• Dept C – 50%

We’ll create a ledger allocation rule, and run it to generate a journal that moves the expense from the shared IT department to the other three.

Step 1: Create the Ledger Allocation Rule

Navigate to General ledger >> Allocations >> Ledger allocation rules.

Click +New.

Rule name: IT_ALLOC_FIXED.

Description: IT cost allocation by fixed percentage.

Switch to General tab.

Select the allocation method Fixed percentage.

Select the allocation journal name.

Click Source.

Click +New.

Select IT Expense Account.

Click destination.

Click +New.

Enter the Fixed percentage value as 20.

Select To account as 601410.

Select the first department.

Activate the allocation rule.

Step 2: Run the Allocation Rule

Navigate to General ledger >> Allocations >> Process allocation request.

Select the rule.

Click OK.

Step 3: Review the Allocation Journal

Navigate to General ledger >> Allocations >> Allocation journals

Note that New button is not active since an allocation journal cannot be created manually. It has to be generated by the system based on the allocation rules.

Click Lines.

Review the journal lines. These entries mean:

You’re debiting Dept A/B/C for the new allocated amounts

You’re crediting the IT Dept to remove the cost

All is happening within account 601410 in our example.

Step 4: Post the Allocation Journal

Click Validate (to check for errors) and then click Post.

Done! The allocation is now posted in your GL.

CONCLUSION

Allocation journals in Dynamics 365 Finance and Operations are essential for systematically distributing costs across financial dimensions based on predefined logic. They support a wide range of allocation methods, including fixed percentage, weight-based, equal, and basis-driven approaches, allowing organizations to align cost distribution with operational drivers. When integrated into the month-end process, these journals improve reporting accuracy, support auditability, and reduce manual adjustments. A well-defined allocation setup ensures consistency, simplifies recurring entries, and enhances the transparency of financial data across departments or legal entities.

Understanding Azure App Registration and Client Secrets in Real-Life Scenarios

UNDERSTANDING AZURE APP REGISTRATION AND CLIENT SECRETS IN REAL-LIFE SCENARIOS

CONTENT Introduction What is Azure App Registration? Understanding Client Secrets Real Business Scenario Best Practices for App Registration and Client Secrets Conclusion

INTRODUCTION

Modern businesses rely on cloud-based applications like Dynamics 365, Power Apps, and various third-party services. To ensure seamless integration, secure authentication, and automated data access, organizations need a structured approach. Azure App Registration, a component of Microsoft Entra ID (formerly Azure Active Directory), plays a crucial role in enabling applications to authenticate securely without manual user intervention.

This article provides a practical understanding of Azure App Registration and Client Secrets, explaining their significance, implementation, and real-world applications. You will learn:

• Why Azure App Registration is a must for modern business apps
• How Client Secrets facilitate secure authentication
• A real-life example demonstrating automation using there technologies
• Best practices to enhance security and operational efficiency

Let's get started.

WHAT IS AZURE APP REGISTRATION?

Azure App Registration provides a secure method for applications to authenticate and interact with Microsoft services such as Dynamics 365, Microsoft 365, and Azure resources. By registering an application in Microsoft Entra ID, you establish its identity and enable secure API access:

• Client ID: A unique identifier for the registered application, like a driver’s license number.
• Client Secret: A confidential key used for authentication (similar to a password for the application).
• Tenant ID: A unique identifier that associates the application with an organization’s Microsoft Entra ID directory.

Why Does Your Business Need It?

Businesses rely on secure, automated data exchange between applications to reduce manual work and improve efficiency. Without a structured authentication method, organizations often resort to insecure or inefficient workarounds, such as shared passwords or manual exports.

Azure App Registration ensures:

• Automated Access – Business applications can retrieve and update data without user intervention.
• Stronger Security – Eliminates the risks of storing user credentials in applications.
• Seamless Integration – Power Apps, Power BI, and third-party tools can connect securely to Microsoft services.
• Regulatory Compliance – Ensures controlled access to sensitive data, supporting SOX and GDPR requirements.

By implementing Azure App Registration, businesses can streamline operations while maintaining security and compliance.

UNDERSTANDING CLIENT SECRETS

A Client Secret is a confidential key used by an application to authenticate itself when requesting access to Microsoft services. Unlike a user's password, a Client Secret is used for application-only authentication, meaning the app, not a person, is granted access to resources.

How Authentication Works with Client Secrets?

When an application wants to connect to a Microsoft service (such as Dynamics 365 or Microsoft Graph API), it follows these steps:

1. The application sends a request to the Microsoft Entra ID token endpoint, including:

• Client ID (to identify the app)
• Client Secret (to prove its identity)
• Tenant ID (to specify the organization’s Azure directory)
• Scope (defining the level of access requested)

2. Microsoft Entra ID verifies the credentials and, if valid, issues an OAuth 2.0 access token.

3. The application uses this token to securely interact with Microsoft services (e.g., retrieving user-role data from D365FO).

4. The access token expires after a set period, requiring the app to request a new token using the same process.

Security Considerations

• Do not store Client Secrets in source code or environment variables.
• Use Azure Key Vault to store and manage Client Secrets securely.
• Implement token expiration policies and regularly rotate secrets.
• Consider Managed Identities as a more secure alternative for Azure-hosted applications, eliminating the need for Client Secrets altogether.

REAL BUSINESS SCENARIO

Let’s dive into a scenario of how companies use Azure App Registration and Client Secrets to tackle real-world problems.

Scenario: Automating D365FO User Access Reviews

Problem Statement: A financial services company using Dynamics 365 Finance & Operations (D365FO) needs to conduct periodic user access reviews for SOX compliance. The challenges include:

• User-role assignments must be reviewed periodically, but manually exporting the data is time-consuming.
• IT cannot grant auditors direct access to sensitive security data.
• Managers require an intuitive way to review and approve access assignments without using complex processes/reports.

Solution: Automating Access Reviews with Power Platform

• By leveraging Azure App Registration, Power Automate, and Power BI, the company automates user access reviews as follows.
• The company needs an automated process to extract user-role assignments, store them in Power Apps for review, and visualize them in Power BI for compliance reporting.

This solution automatically extracts user-role assignments from D365FO, stores them in Dataverse (Power Apps Table), and provides a Power BI dashboard for monitoring. 

Main solution steps are as follows:

• Register an App in Azure AD for Secure Access
• Extract User-Role Assignments from D365FO
• Store and Process Data in Power Apps
• Generate Power BI Dashboards for Compliance Teams

Step 1: Register an App in Azure AD for Secure Access

To access D365FO data via APIs, we need to register an application in Azure AD.

1. Go to Azure AD:

• Open Azure Portal.
• Navigate to Microsoft Entra ID.

• Click + Add > App registration.

2. Register the App:

• Name: D365FO User Access Review App
• Supported account types: Choose Single Tenant (if internal) or Multi-Tenant (if external users need access). The purpose of this selection is to let a internal or a third party application to communicate.  Select Single Tenant for internal use.
• Redirect URI (optional): Leave this field blank, as it is not required for this scenario. It is only needed in user login scenarios where a Power App relies on a human user signing in with their own Microsoft credentials (e.g., their D365FO or Microsoft 365 login) to access data. In contrast, this setup involves the app running independently with its own credentials (Client ID and Secret). Technically, such user-based authentication falls under a “delegated permissions” scenario, where the app acts on behalf of the user by using their identity to authenticate.
• Click Register.

3. Grant API Permissions for D365 Finance and Operations Access:

• Go to API Permissions > + Add a permission
• Select Dynamics ERP.
• Choose permission type:
• Application Permissions: Use this if your Power App runs without a user logging in (e.g., a Power Automate flow pulling data automatically). This is “app-only” access, using the Client ID and Secret. This fits best in our scenario.
• Delegated Permissions: Use this if a user signs into the Power App and it pulls data on their behalf (e.g., they click a button to refresh the list). This uses the user’s login.
• Go to API Permissions > + Add a permission
• Select the permission level.
• Click Add permissions.
• Grant admin consent: Azure AD requires an admin to approve these permissions before they’re active. This ensures only authorized apps get access to D365FO. 
• If you are admin, click Grant admin consent for <your tenant>.

4. Generate Authentication Credentials

• Go to Certificates & secrets > Client secrets.
• Click + New client secret.
• Set an expiration date.
• Click Add.
• Copy the Secret Value. It won't be visible later.

5. Store the Credentials Securely

• Save Client ID, Tenant ID, and Client Secret in a secure location (Azure Key Vault recommended).

Step 2: Extract User-Role Assignments from D365FO

Once the Azure AD app is registered, you can extract security role assignments from D365FO using data entities.

1. Identify the Data Entity:

• Use System administration >> Data management workspace in D365FO.
• Locate the entity "Security user role association"(SecurityUserRoleAssociations).

2. Export data manually for testing.

3. Automate data extraction

• Use the OAuth 2.0 token obtained from Microsoft Entra ID.
• Call the OData API endpoint to fetch security role data.

Automate data extraction with OData API: Power Apps (or any external service) needs to use OAuth 2.0 authentication to securely access the SecurityUserRoleAssociations data entity in D365 Finance & Operations (D365FO).

• You must construct an OAuth 2.0 access token using your Client ID, Client Secret, and Tenant ID before making API calls to D365FO.
• Extract data in JSON or CSV format for further processing.

4. Schedule Automated Extraction

• Schedule periodic data extraction using Power Automate or Azure Logic Apps.

Step 3: Store and Process Data in Power Apps

1. Use Dataverse to store extracted data securely.

2. Create a Power App that allows compliance teams to:

• Review user-role assignments (by sending D365FO security data to Power Apps) in an interactive interface.
• Approve or reject access changes based on predefined policies.

3. Automate Review Notifications: Use Power Automate to trigger notifications to compliance teams:

• Send alerts when new roles are assigned.
• Flag high-risk role assignments for immediate review.
• Generate audit logs for tracking access reviews.

Step 4: Generate Power BI Dashboards for Compliance Teams

1. Connect Power BI to Dataverse to visualize access review data dynamically.

2. Create Key Reports displaying:

• Users with excessive roles.
• Pending access approvals by managers.
• Trends in security role assignments over time.

3. Enable Automated Report Generation

• Set up scheduled reports for audit teams.
• Generate compliance reports with key risk indicators.

BEST PRACTICES FOR APP REGISTRATION AND CLIENT SECRETS

1. Use Azure Key Vault to store Client Secrets securely.

2. Enable Role-Based Access Control (RBAC) to restrict secret access.

3. Implement token expiration policies and rotate Client Secrets periodically.

4. Prefer Managed Identities for Azure-hosted applications to avoid using Client Secrets.

5. Use Conditional Access Policies to limit app access based on security conditions.

CONCLUSION

Azure App Registration and Client Secrets play a vital role in enabling secure, automated application authentication in Microsoft environments. By understanding how to configure them properly and following best practices, businesses can streamline operations, enhance security, and ensure compliance.

Through real-world scenarios like automating D365FO user access reviews, organizations can see the tangible benefits of leveraging these technologies efficiently. With proper implementation and security controls, Azure App Registration provides a robust solution for modern enterprise applications.