Tuesday, September 17, 2024

Securing Dynamics 365 F&O with Azure Active Directory Group Management




CONTENT

Introduction
Enable the Active Directory security groups feature
Setup Active Directory security groups
Import Active Directory security groups
Assign D365FO security roles to Active Directory Groups
Managing users in Dynamics 365 Finance and Operations

Introduction

Microsoft Active Directory (AD) Security Groups are a long-established feature in Microsoft’s identity management framework, designed to centralize the management of users, roles, and organizational assignments. By assigning users to specific AD security groups, administrators can map those groups to corresponding roles or permissions within Dynamics 365 Finance and Operations (D365 F&O). This ensures consistent access control across the organization, reducing the manual effort of managing individual user permissions.

A key benefit of AD Security Groups in D365 F&O is Just-in-Time (JIT) provisioning. JIT allows new users to be automatically created and assigned appropriate roles based on their AD group membership when they first sign into the system. This simplifies onboarding and ensures that access is aligned with their organizational role from the start.

While AD Security Groups are a valuable tool, they are considered a legacy option compared to modern identity management solutions like Azure Active Directory (Azure AD). Azure AD offers enhanced features, such as conditional access and multi-factor authentication, which provide more robust security options. However, organizations with existing AD infrastructure can still leverage AD Security Groups for efficient role-based access control in their D365 environments.

The purpose of AD security groups is to streamline access control within a network by allowing administrators to assign rights and permissions to multiple users simultaneously. This method ensures uniform access to resources such as files, folders, and applications. For example, an AD security group for a department like "Finance" can be assigned specific permissions, and all members of that group will inherit the same access rights, simplifying permission management.

Over time, security groups also make it easy to manage changing user roles or onboarding new users. By adding or removing users from a group, administrators can adjust permissions without needing to update each user individually. This helps maintain security, reduces errors, and ensures compliance with regulatory standards.

Administrators can utilize Azure Active Directory (Azure AD) groups to efficiently control user permissions within Dynamics 365 Finance and Operations (D365FO). This guide outlines the process for configuring and managing access in D365FO. It’s important to note that the configuration of Azure AD itself falls under the purview of the IT department.

Enable the Active Directory security groups feature

To enable the feature, go to System administration > Setup > License configuration. You can find the Microsoft Entra ID (Active Directory) security group configuration key in the Administration folder.

Configuration keys can be edited only in maintenance mode.


Note: Microsoft Entra ID is the new name for Azure AD as of November 2023. The names Azure Active Directory, Azure AD, and AAD are replaced with Microsoft Entra ID.

  • Microsoft Entra is the name for the product family of identity and network access solutions.
  • Microsoft Entra ID is one of the products within that family.
  • Acronym usage isn't encouraged, but if you must replace AAD with an acronym due to space limitations, use ME-ID.

Setup Active Directory security groups

The next step is to create Azure Active Directory groups and assign members to them. This can be done in the Microsoft 365 admin center, the Office 365 admin center, or the Azure portal. 

Import Active Directory security groups

After the feature is enabled, a new Groups page is available at System administration > Users > Groups. 

Once the group structure and memberships are ready, proceed with the configuration in Microsoft Dynamics 365 on this Groups page.

To start importing Azure Active Directory security groups, select Import groups, and then select the groups to import.

The ID field requires custom input.

After the import is completed, you can maintain role and organization assignments on the Groups page. The process resembles the process that's used on the Users page.

Assign D365FO security roles to Active Directory Groups

The next step is to assign security roles to the AD groups in D365FO. Users who are members of the Azure Active Directory (AD) groups will inherit the assigned security roles.

  • Roles are not assigned directly to individual users; they are assigned to AD security groups.
  • A user can belong to multiple groups, and in such cases, they will receive cumulative access across all their group memberships.

Managing users in Dynamics 365 Finance and Operations

If security is set up through AD groups, segregation of duties (SOD) risk analysis will not work. The solution is to assign security roles directly to users as usual.

If workflows include security roles in their setup, they will not function properly either. The solution is to assign security roles directly to users as usual.

A user can have an AD security group membership and a direct security role assignment at the same time. In this case, the user is granted all permissions cumulatively.
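
Because roles inherited through AD groups add up with direct assignments and are not covered by the SOD risk analysis, a reviewer can compute each user's effective roles offline and test them against duty-pair rules. The following is an added example, not code from the original post or from Microsoft; the export structures and every group, user, role and duty name are constructed assumptions.

```python
# Constructed sample exports; every group, user, role and duty name is hypothetical.
GROUP_MEMBERS = {"FIN-AP-Clerks": {"alice", "bob"},
                 "FIN-AP-Payments": {"bob", "carol"}}
GROUP_ROLES = {"FIN-AP-Clerks": {"Invoice entry clerk"},      # roles set on the Groups page
               "FIN-AP-Payments": {"Payment release clerk"}}
DIRECT_ROLES = {"alice": {"Vendor master clerk"},             # roles set on the Users page
                "dave": {"Invoice entry clerk", "Payment release clerk"}}
ROLE_DUTIES = {"Invoice entry clerk": {"Enter vendor invoices"},
               "Payment release clerk": {"Release vendor payments"},
               "Vendor master clerk": {"Maintain vendors"}}
# Duty pairs that one person must not hold together (assumed rule set).
SOD_RULES = [("Enter vendor invoices", "Release vendor payments"),
             ("Maintain vendors", "Enter vendor invoices")]


def effective_roles(user):
    """Return {role: set of sources}, merging direct and group-inherited roles."""
    roles = {}
    for role in DIRECT_ROLES.get(user, ()):
        roles.setdefault(role, set()).add("direct")
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for role in GROUP_ROLES.get(group, ()):
                roles.setdefault(role, set()).add("group:" + group)
    return roles


def sod_violations():
    """List (user, duty_a, duty_b, group_dependent) for every broken rule."""
    users = set(DIRECT_ROLES).union(*GROUP_MEMBERS.values())
    findings = []
    for user in sorted(users):
        duty_sources = {}
        for role, sources in effective_roles(user).items():
            for duty in ROLE_DUTIES.get(role, ()):
                duty_sources.setdefault(duty, set()).update(sources)
        for duty_a, duty_b in SOD_RULES:
            if duty_a in duty_sources and duty_b in duty_sources:
                # True when the conflict is invisible if only direct roles are checked.
                group_dependent = not ("direct" in duty_sources[duty_a]
                                       and "direct" in duty_sources[duty_b])
                findings.append((user, duty_a, duty_b, group_dependent))
    return findings


if __name__ == "__main__":
    for finding in sod_violations():
        print(finding)
```

Findings with group_dependent set to True are the ones a check limited to direct role assignments would miss.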
