Friday, September 26, 2025

Understanding Telemetry Pricing for Dynamics 365 Finance & Operations (D365FO)



UNDERSTANDING TELEMETRY PRICING FOR DYNAMICS 365 FINANCE AND OPERATIONS (D365FO)

CONTENT

Introduction
D365FO Telemetry Capabilities
Key Pricing Components (Billing Categories) for D365FO Telemetry
Pricing and Average Monthly Costs
Conclusion

INTRODUCTION 

Telemetry plays a vital role in managing and optimizing Dynamics 365 Finance & Operations (D365FO). Microsoft collects system events, user activities, and performance data, then streams them into Azure Monitor (Log Analytics) so administrators and auditors can gain insights.

For many organizations, telemetry is not only a technical tool but also a compliance requirement and a cost driver. SOX auditors rely on telemetry to confirm system integrity, IT teams use it for performance troubleshooting, and business leaders depend on it to measure adoption.

While telemetry is powerful, it’s important to understand that it isn’t free. Azure Monitor charges for the storage and analysis of this data, and without proper planning, costs can escalate quickly. This article explains which pricing components actually apply to D365FO telemetry, removing the noise from general Azure Monitor capabilities.

D365FO TELEMETRY CAPABILITIES

When you enable telemetry streaming in Dynamics 365 Finance & Operations (FO), the system sends diagnostic data to Azure Application Insights. This data allows administrators, developers, and auditors to analyze performance, troubleshoot issues, and even measure user adoption.

However, the telemetry that FO sends is not unlimited — it’s predefined into several categories that you can enable or disable in system parameters. Each category corresponds to a type of activity or event inside the system.

Below we break down each category in detail, how it works, and why it matters.



1. Metrics (Custom Metrics)

Numeric values that represent performance or system activity.

The system or custom code emits counts, averages, or durations. Unlike page views or errors, metrics aren’t descriptive logs but structured numbers.

Examples:

  • Number of records processed in a batch job.
  • Duration of a purchase order posting routine.
  • Throughput of data integrations (rows per second).

Metrics allow you to set performance baselines. For instance, you can measure how long posting a sales order takes and detect when it suddenly slows down.

App Insights equivalent: customMetrics.

2. Form Runs (Page Views)

Logs every time a user opens a form in FO.

When the form lifecycle starts, FO generates a telemetry event.

Examples:

  • User opens the All vendors form.
  • User navigates to the Customer invoice journal form.

Helps identify which forms are used most often → supports licensing and role design.

Helps measure form performance → slow load times can be traced to SQL queries or customizations.

App Insights equivalent: pageViews.

3. User Sessions

Tracks when users log in, start a session, and when their session ends.

FO automatically generates events tied to user session lifecycle.

Examples:

  • Session started for user contoso\david.
  • Session ended after 30 minutes of inactivity.

Useful for audit trail of activity (who logged in and when). Helps estimate active user counts and adoption.

In App Insights, these look like custom events, but FO does not support free-form trackEvent() like a custom Azure app. You only get session tracking, not button clicks or arbitrary user actions.

4. X++ Exceptions (Failures)

Captures errors and exceptions thrown by X++ code.

Whenever business logic fails unexpectedly, FO logs it.

Examples:

  • Null reference exception during invoice posting.
  • Divide by zero error in a custom calculation.

Identifies coding issues or customization bugs. Essential for SOX and ITGC monitoring — recurring errors may indicate risk in financial postings.

App Insights equivalent: exceptions.

5. Custom Traces (Traces)

Developer-added messages for debugging or monitoring.

Developers call Trace::WriteLine("message") in X++ code. These messages then appear in telemetry.

Examples:

  • “Workflow approval reached step X.”
  • “Batch job: 500 records processed successfully.”

Lets you track business events that FO does not log by default. Can be used as a workaround to monitor button clicks or process checkpoints (since FO does not capture clicks out-of-the-box).

App Insights equivalent: traces.

6. DMF Errors

Errors from the Data Management Framework (DMF), used for imports/exports.

DMF job execution is instrumented, and failures generate telemetry.

Examples:

  • Import failed because a required column was missing.
  • Export timed out due to large file size.

Critical for monitoring integration pipelines. Helps teams react quickly when a nightly job fails.

App Insights equivalent: Stored as exceptions, flagged under DMF context.

7. Warehouse Events

Telemetry from warehouse operations, primarily mobile device workflows.

Warehouse mobile device activities generate structured telemetry.

Examples:

  • Worker started a picking list.
  • Barcode scanning failed.
  • Work step “Put” completed at location A-101.

Provides visibility into warehouse execution performance. Helps identify bottlenecks (e.g., scanning errors, slow work completion).

App Insights equivalent: Shows up as customEvents or traces with warehouse metadata.

Key Takeaways

  • FO telemetry ≠ Full App Insights
  • FO sends only a subset of Application Insights data: metrics, form loads, sessions, traces, exceptions, DMF errors, and warehouse events.
  • Detailed tracking like button clicks, field changes, or custom workflows must be customized manually.
  • Telemetry systems identify which queries or processes are causing performance issues by collecting and analyzing a combination of metrics, logs, and traces (often called the "pillars of observability"). By correlating this data, they can pinpoint the source of a problem, such as a slow database query or a struggling application service.
  • Telemetry monitors batch jobs for failures and unexpected durations by collecting data points like start/stop timestamps, logging events, and process status codes. The system analyzes this information against established benchmarks to generate alerts when a job deviates from its normal behavior. 
  • Telemetry shows what activities users are performing in a system by collecting, transmitting, and analyzing multiple types of data, often categorized as Metrics, Events, Logs, and Traces (MELT). Software agents or instrumentation embedded within the system capture this data, which is then sent to a centralized location for analysis.
  • Telemetry creates an audit trail for SOX compliance by automatically collecting, storing, and analyzing system data related to financial reporting processes. This data is essential for proving the integrity and reliability of financial information during annual audits. By continuously logging events and activity, telemetry provides a secure and verifiable history of system behavior that auditors can review.

All of these insights come from telemetry data stored and analyzed in Azure Monitor. Understanding the pricing model ensures you can keep this capability under control and align costs with compliance needs.



KEY PRICING COMPONENTS (BILLING CATEGORIES) FOR D365FO TELEMETRY

The Azure Monitor pricing page lists every monitoring feature, but only a handful are directly relevant for D365FO.

1. Log Ingestion: D365FO telemetry data (errors, traces, diagnostics, performance counters) flows into an Azure Log Analytics workspace.

How pricing works: You are billed per GB ingested. This is the single largest cost driver, especially if you capture detailed telemetry across production, UAT, and development environments.

Every user action, performance event, or error written to telemetry is billed as ingestion:

  • Form runs: Opening forms like All vendors or Customer invoice journal.
  • System events: SQL wait times, service call performance, batch durations.
  • User actions: Button clicks, navigation, error messages. (CUSTOM)
  • Environment health: AOS or database performance warnings.

2. Log Retention: By default, telemetry is stored in Log Analytics for a limited free period (commonly 30–90 days depending on the log type).

How pricing works: Short-term storage is included without extra cost. If you need to keep logs for compliance (e.g., SOX requires longer audit trails), you pay a monthly fee per GB beyond the free retention period.

Costs apply when keeping telemetry longer than the free retention period:

  • Keeping page view history for adoption analysis.
  • Retaining batch job logs for SOX audits.
  • Storing error traces for a fiscal year as part of audit evidence.

3. Queries & Dashboards: Queries on certain tables are charged per GB of data scanned.

D365FO telemetry data in Log Analytics is queried using Kusto Query Language (KQL) (Microsoft Docs – Log queries overview). KQL is the standard way to search, filter, and visualize telemetry in Azure Monitor dashboards.

How pricing works: According to Microsoft’s pricing model, charges for queries are based on the volume of data scanned. Larger queries or longer time ranges mean more data scanned, and therefore higher costs.

Costs depend on the amount of data scanned during analysis:

  • Querying most viewed forms in the last 90 days.
  • Filtering failed batch jobs across multiple legal entities.
  • Reviewing SQL performance traces for optimization.

4. Alerts: Alerts help you detect issues in real time—for example, if a batch job fails, a performance counter exceeds a threshold, or a vendor bank account is created.

How pricing works: You are charged for the alert rule execution, the data processed, and sometimes the notification channel.

Email notifications are free, but SMS, voice calls, or webhook integrations may generate additional charges.

Charges apply for rules and certain notification types:

  • Metric alert: SQL DTU usage > 80%.
  • Log alert: >10 errors in a 5-minute window.
  • User activity alert: Spike in usage of Vendor bank accounts form.

5. Data Export (Optional): Some organizations export telemetry data from D365FO into other systems for compliance, SIEM integration, or long-term archiving.

How pricing works: Continuous export to Azure Storage, Event Hub, or third-party tools incurs data transfer charges. This cost is optional—you only pay if you configure exports.

Costs apply if data is exported out of Log Analytics:

  • Exporting all telemetry to Azure Storage for 7-year SOX compliance.
  • Streaming error logs into Event Hub for Splunk integration.
  • Forwarding page view data to corporate BI teams.

PRICING AND AVERAGE MONTHLY COSTS

Telemetry pricing for D365FO is based on Azure Monitor Log Analytics rates:

  • Log ingestion: ~$2.76 per GB ingested
  • Data retention: First 31 days free; ~$0.12 per GB per month beyond that
  • Queries: ~$0.002 per GB of data scanned
  • Alerts: ~$0.10 per metric alert rule per month; log alerts depend on frequency and complexity

Typical D365FO Environment (per month) Example

Assumptions:

  • 50 GB telemetry ingested (production + sandbox)
  • 90-day retention (60 days beyond free)
  • Moderate querying (20 queries/day, scanning 1 GB each)
  • 10 active alerts

Estimated Monthly Cost

  • Log ingestion: 50 GB × $2.76 ≈ $138
  • Retention: 50 GB × 2 months × $0.12 ≈ $12
  • Queries: 20 × 30 × 1 GB × $0.002 ≈ $1.20
  • Alerts: 10 × $0.10 ≈ $1.00

📌 Total: ~$152 per month
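The estimate above as a small cost model, added here as an illustration (it is not part of the original article or any Microsoft tool). It uses only the approximate rates quoted in this article; the per-category ingestion split is constructed sample data, and the break-even helper shows how many paid retention months it takes for retention to cost as much as ingestion.

```python
from dataclasses import dataclass

# Approximate USD rates exactly as quoted in the article's rate list.
INGEST_PER_GB = 2.76
RETENTION_PER_GB_MONTH = 0.12
QUERY_PER_GB_SCANNED = 0.002
METRIC_ALERT_PER_RULE = 0.10


@dataclass
class Workload:
    ingest_gb_per_month: float
    paid_retention_months: float  # months kept beyond the free period
    queries_per_day: int
    gb_scanned_per_query: float
    metric_alert_rules: int
    days_in_month: int = 30


def monthly_cost(w):
    """Return the cost per billing category plus the total, rounded to cents."""
    # Steady state: every month's ingest stays for paid_retention_months,
    # so ingest * months GB sit in paid retention at any point in time.
    costs = {
        "ingestion": w.ingest_gb_per_month * INGEST_PER_GB,
        "retention": (w.ingest_gb_per_month * w.paid_retention_months
                      * RETENTION_PER_GB_MONTH),
        "queries": (w.queries_per_day * w.days_in_month
                    * w.gb_scanned_per_query * QUERY_PER_GB_SCANNED),
        "alerts": w.metric_alert_rules * METRIC_ALERT_PER_RULE,
    }
    costs["total"] = sum(costs.values())
    return {name: round(value, 2) for name, value in costs.items()}


def retention_breakeven_months():
    """Paid retention months at which retention cost equals ingestion cost."""
    return round(INGEST_PER_GB / RETENTION_PER_GB_MONTH, 1)


def rank_categories(gb_by_category):
    """Ingestion cost per telemetry category, most expensive first."""
    ranked = sorted(gb_by_category.items(), key=lambda kv: kv[1], reverse=True)
    return [(name, round(gb * INGEST_PER_GB, 2)) for name, gb in ranked]


# The article's "typical environment": 50 GB, 2 paid months, 20 queries/day
# scanning 1 GB each, 10 metric alert rules.
ARTICLE_EXAMPLE = Workload(50, 2, 20, 1, 10)

# Constructed sample split of the same 50 GB across the seven FO categories.
CONSTRUCTED_SPLIT = {
    "Custom traces": 20, "Form runs": 12, "Metrics": 8, "X++ exceptions": 5,
    "User sessions": 3, "Warehouse events": 1.5, "DMF errors": 0.5,
}

if __name__ == "__main__":
    print(monthly_cost(ARTICLE_EXAMPLE))
    print("break-even months:", retention_breakeven_months())
    for name, usd in rank_categories(CONSTRUCTED_SPLIT):
        print(f"{name:18s} ${usd:.2f}")
```

With these rates, ingestion dominates until data is held for roughly 23 paid months, so disabling a noisy category lowers the bill far more than shortening a 90-day retention period.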



CONCLUSION

When you enable telemetry streaming in Dynamics 365 Finance & Operations (FO), diagnostic data flows into Azure Application Insights, giving administrators, developers, and auditors the visibility they need to analyze performance, troubleshoot issues, and measure user adoption.

However, it’s important to recognize that telemetry in FO is not unlimited or arbitrary. Instead, it is structured into predefined categories that you can enable or disable through system parameters. Each category corresponds to a specific type of activity in the system:

  • Metrics capture structured performance values, such as processing counts or posting durations.
  • Form Runs (Page Views) show which forms users open and how they perform.
  • User Sessions provide a record of logins and activity periods.
  • X++ Exceptions highlight runtime errors in business logic.
  • Custom Traces let developers embed diagnostic checkpoints into processes.
  • DMF Errors expose problems in data imports/exports.
  • Warehouse Events track operational activity in mobile workflows.

From a pricing perspective, all these categories ultimately roll into Log ingestion, Retention, Queries, and Alerts in Azure Monitor. For example, a form run is billed as a PageView event, an exception as a Failure event, and a custom trace as a Trace event — all metered under Azure Monitor’s Log Analytics pricing.

For customers, this means telemetry pricing is not just about “logs in general,” but about understanding which categories you enable, how much data each generates, and how long you choose to retain it. A compliance-heavy environment may need to retain session and exception logs for extended periods, while a performance-focused environment may emphasize metrics and traces for optimization.

By carefully choosing telemetry categories, controlling retention, and optimizing queries, you can achieve the right balance: enough visibility to meet audit and performance needs, without unnecessary ingestion and storage costs.

Friday, September 12, 2025

Privileged User Management in Dynamics 365 Finance and Supply Chain Management (D365F&SCM)



PRIVILEGED USER MANAGEMENT IN DYNAMICS 365 FINANCE AND SUPPLY CHAIN MANAGEMENT (D365F&SCM)

CONTENT

Introduction
Importance of time-bound security role assignment
Enabling time-bound security role assignment
Configuring time-bound security role assignment
Temporary Role Management
Privileged User Management
Demo
Conclusion

INTRODUCTION 

Managing privileged access is one of the most critical aspects of ERP security. In many organizations, users occasionally require elevated permissions—for example, to troubleshoot, perform testing, or complete month-end tasks. The problem arises when these elevated permissions remain active longer than necessary, creating security risks, compliance issues, and audit findings.

To address this challenge, Dynamics 365 Finance & Supply Chain Management (D365F&SCM) introduces time-bound role assignments as part of the User Security Governance module. 

  • This feature allows administrators to grant elevated roles to users only for a defined period via the Temporary role management form. Once the time expires, the system automatically revokes access.
  • At the same time, all activities performed under temporary access are tracked and logged, giving organizations the transparency needed for compliance and governance via Privileged user management.

In this article, we will cover why time-bound assignments matter, how to set them up, walk through a demo scenario, and explore how to monitor and audit their usage.

IMPORTANCE OF TIME-BOUND ROLE ASSIGNMENTS

Time-bound assignments are a practical answer to the problem of “standing” privileged access. Here’s why they are so important:

1. Compliance and Auditability: Regulations such as SOX and internal ITGC frameworks require organizations to demonstrate that elevated access is both controlled and temporary. Permanent administrator rights are a common audit finding because they create opportunities for inappropriate or undocumented activity.

Time-bound roles directly support compliance by ensuring access is limited to a defined window, automatically revoked afterward, and fully logged. This provides auditors with clear evidence that access management controls are designed and operating effectively.

From a segregation of duties (SOD) perspective, temporary assignments can also help organizations prove that conflicts are managed. If a role temporarily grants a user conflicting capabilities (e.g., vendor setup and payment release), the short validity period and audit trail demonstrate that the risk was identified, limited, and monitored.

2. Reduced Risk: Long-term administrator or finance manager roles create opportunities for fraud or unauthorized changes. Temporary assignments reduce this risk by limiting access to the minimum necessary time.

3. Operational Flexibility: Users can still be granted elevated roles to complete tasks without waiting for lengthy manual processes. The system handles the removal automatically.

4. Transparency: Security teams and auditors can easily review who had privileged access, for how long, and what actions they performed. This closes the loop between granting access and proving it was used responsibly.

ENABLING TIME-BOUND SECURITY ROLE ASSIGNMENT

Before you can use this functionality, ensure that the User Security Governance feature is enabled:

1. Go to System administration > Workspaces > Feature management.

2. Search for User security governance.

3. Select Enable now.











Once enabled, the feature is available under:

System administration > Security > Security governance > Temporary role management

and

System administration > Security > Security governance > Privileged user management

CONFIGURING TIME-BOUND SECURITY ROLE ASSIGNMENT

A complete solution consists of two configuration components:

  • Assigning temporary security roles to users through the Temporary Role Management form.
  • Monitoring and tracking their system activities using Privileged User Management.



Temporary Role Management

Temporary role management lets system administrators assign temporary roles to a specific user account for a specific amount of time (known as a session). This feature is useful when a user in a company is away from work for a period, or if a role must temporarily be divided among multiple users. When the session ends, the user account returns to its original roles.

Note: Do not forget to add System user; otherwise, an error will appear.



Privileged User Management

Privileged user management lets system administrators schedule a session for selected user accounts. All user interactions are recorded in Dynamics 365 finance and operations apps during that session, if the user decides to continue using Dynamics 365 finance and operations after reading the consent on the landing page. This feature is useful when some elevated privileged accounts are used for auditing purposes. It helps ensure that users aren't performing any unauthorized activities in the system and keeps a recording of it, in case it's later needed for audit or compliance reviews.

System administrators can choose to enable or disable the given user account once the session begins. As soon as the session ends, the account returns to its original state.



DEMO

Scenario

A specific user (Dogan) requires the Accountant role for 30 minutes to perform troubleshooting.

To maintain compliance, the System administrator will temporarily assign this role and record the user’s activities to ensure that no configuration changes are made that could create material impact.

Solution Overview

The solution requires two configurations:

  • Assign the role temporarily via the Temporary role management form.
  • Record user activities via the Privileged user management form.

Assigning the Accountant Role Temporarily

Navigate to System administration > Security > Security governance > Temporary role management

1. Create a new entry and assign the User ID.

2. Choose whether the temporary role will be merged with existing roles or replace them.

3. Enter the start and end time of the assignment. 

In this scenario, the role is assigned for 30 minutes (4:00 - 4:30).

4. Select the temporary roles to be assigned (Accountant and System user).

5. Change the entry's status to Planned so that the batch job can process it.

Note: Original roles can be viewed in the Original roles fast tab.

Required setup is as shown below:



The next step is to configure a recurring batch job that processes pending temporary role assignments:

  • This setup is a one-time task.
  • Once scheduled, the batch job will periodically run and update assignments based on entries in the Temporary role management form.






When processed, the entry status will be updated to Active.



The role assignment will then appear as shown:



Privileged User Management

Navigate to System administration > Security > Security governance > Privileged user management

1. Create a new line and assign the User ID.

2. Enter the start and end time for task recording. In this scenario, recording runs for 25 minutes (4:05 - 4:30).

3. Change the entry's status to Approved so that the batch job can process it.

4a. Set up the batch job if there isn't one actively running.

4b. There is no need to set up a batch job if one is already actively running.







Note that the batch job runs and updates the entry status to Approved.



At this point, the user receives a notification that their session is being recorded.



When the temporary role assignment expires, the entry status becomes Finished.



When task recording expires, the privileged user management entry's status becomes Ended.



Reviewing Recorded Activities

The recorded file can now be downloaded.



The downloaded recording file can now be uploaded into the Security diagnostics for task recordings form.

Navigate to System administration > Security > Security diagnostics for task recordings



Select Open from this PC.



Click Browse.



Select the downloaded recording file.



After upload completes, the system displays all recorded security entry points and the screens visited by the user.

At this point, the demonstration is complete: the user was granted temporary access, their session was recorded, and the resulting file was analyzed for transparency. This end-to-end process illustrates how D365FO provides both operational flexibility and the necessary audit trail to support compliance requirements.
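In the demo the role is active from 4:00 but recording starts at 4:05, so five minutes of elevated access fall outside the recording. The following added example (not part of the original article and not a D365FO feature) finds such unrecorded windows by comparing assignment and recording schedules; the record layout, field names, calendar date and the two extra users are constructed for illustration.

```python
from datetime import datetime


def unrecorded_windows(assignment, recordings):
    """Return the parts of a temporary role window not covered by any
    recording session scheduled for the same user."""
    cursor = assignment["start"]
    gaps = []
    sessions = sorted(
        (r for r in recordings if r["user"] == assignment["user"]),
        key=lambda r: r["start"],
    )
    for rec in sessions:
        if rec["end"] <= cursor:
            continue                      # recording ended before the open gap
        if rec["start"] >= assignment["end"]:
            break                         # recording starts after the role expires
        if rec["start"] > cursor:
            gaps.append((cursor, rec["start"]))
        cursor = max(cursor, rec["end"])
        if cursor >= assignment["end"]:
            break
    if cursor < assignment["end"]:
        gaps.append((cursor, assignment["end"]))
    return gaps


def audit(assignments, recordings):
    """List (user, role, gap_start, gap_end, minutes) for every gap."""
    findings = []
    for a in assignments:
        for start, end in unrecorded_windows(a, recordings):
            minutes = int((end - start).total_seconds() // 60)
            findings.append((a["user"], a["role"], start, end, minutes))
    return findings


DAY = datetime(2025, 1, 1)  # constructed date; the article gives only times


def at(hour, minute):
    return DAY.replace(hour=hour, minute=minute)


# First row mirrors the demo (Dogan, Accountant, 4:00 - 4:30); the other
# users are constructed to show a mid-window gap and a missing recording.
ASSIGNMENTS = [
    {"user": "Dogan", "role": "Accountant", "start": at(4, 0), "end": at(4, 30)},
    {"user": "user-b", "role": "Accountant", "start": at(9, 0), "end": at(10, 0)},
    {"user": "user-c", "role": "Accountant", "start": at(11, 0), "end": at(11, 30)},
]
RECORDINGS = [
    {"user": "Dogan", "start": at(4, 5), "end": at(4, 30)},   # demo: 4:05 - 4:30
    {"user": "user-b", "start": at(8, 55), "end": at(9, 20)},
    {"user": "user-b", "start": at(9, 40), "end": at(10, 5)},
]

if __name__ == "__main__":
    for user, role, start, end, minutes in audit(ASSIGNMENTS, RECORDINGS):
        print(f"{user}: {role} unrecorded {start:%H:%M}-{end:%H:%M} ({minutes} min)")
```

Scheduling the recording to start at or before the role's start time removes the gap.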



CONCLUSION

Temporary role assignments and privileged user activity recordings provide organizations with a structured way to balance operational needs and compliance requirements. By enabling short-term access to sensitive roles and automatically tracking the resulting activities, D365FO helps ensure that users can perform troubleshooting or exception handling without creating long-term segregation of duties risks. From a SOX and internal controls perspective, this capability is critical because it demonstrates that access is both time-bound and monitored, reducing the likelihood of unauthorized configuration changes or material misstatements. Establishing this governance framework not only strengthens audit readiness but also promotes a culture of accountability and transparency across the organization.

Monday, September 1, 2025

User Security Governance in Dynamics 365 Finance and Supply Chain Management (D365F&SCM)

















USER SECURITY GOVERNANCE IN DYNAMICS 365 FINANCE AND SUPPLY CHAIN MANAGEMENT (D365F&SCM)

CONTENT

Overview
User security governance features
Conclusion

OVERVIEW

User Security Governance in Dynamics 365 Finance and Operations (D365FO) provides organizations with a structured framework to define, monitor, and manage user access, ensuring users have only the permissions necessary for their roles. This new Security Governance feature is available in the System administration module. It was introduced in preview with version 10.0.43 (2025 release wave 1) and became generally available with version 10.0.44, requiring activation in the Feature Management workspace.

The solution focuses on core capabilities such as detailed reporting for segregation of duties (SOD) and privileged access, process-based role and duty management, creation of new roles from existing objects, temporary role assignments, and privileged user management for time-bound access. These features simplify permission setup, particularly during new implementations, help prevent unauthorized activity, reduce errors, and support regulatory compliance with built-in audit and reporting tools. By aligning user roles with appropriate license types, organizations can also achieve cost efficiency while maintaining control and transparency across their security model.

USER SECURITY GOVERNANCE FEATURES

User security governance provides the following functionality:

Design process-based security roles, duties and privileges: A process hierarchy provides a way to organize and manage the business processes in your company. After you define the process hierarchy for your company, you can assign various tasks, and define roles, entry points, and privileges according to the business requirements. This feature has 2 components.

Security category: Security categories are custom-defined labels or tags used within “Process roles maintain” to group and categorize roles by business stream, department, function, or any logical grouping relevant to your organization. My sample categories are as follows.

Go to System administration > Security > Security governance > Security category


Process hierarchy: The process hierarchy is the foundation of organizing security role components in Dynamics 365 Finance and Operations. This step is critical because it ensures that security design aligns with how the business actually operates. Organizations should invest sufficient time in analyzing and identifying the tasks that are relevant to their specific business processes.








Once the applicable tasks are defined, the system provides the framework to configure and fine-tune security roles.

Go to System administration > Security > Security governance > Security process roles maintain

Within this screen, you can:

  • Create new roles.
  • Rename and restructure existing roles.
  • Organize tasks under the appropriate role.
  • Create duties and privileges manually.
  • Generate duties and privileges automatically from task recordings.










By carefully managing the process hierarchy, companies establish a clear and logical security structure that not only meets compliance requirements but also simplifies ongoing maintenance and scalability of security in D365FO.

Lastly, the Synchronize function syncs any changes made directly to security duties and privileges on the Core security configuration page.

When duties, privileges, and roles are created from Security governance and published to core security configuration, users can edit them in Security configuration by either adding or removing entry points. Doing so makes the security object differ between the two pages.

To restore changes from security configuration into security governance, use the Synchronize feature by selecting a process hierarchy level.

Go to System administration > Security > Security governance > Security process role maintain.

On the header, select Synchronize to use the feature.







Other Features

This new module allows admins to:

  • Grant time-bound elevated privileges to dedicated accounts through privileged user management. We will discuss this in the next article in detail.
  • Continuously monitor segregation of duties and separation of privileges. Define a threshold, and control the creation of duties/privileges that have overlapping entry points.
  • Use the security audit trail to track changes that are made in user security governance.

CONCLUSION

User Security Governance in D365F&SCM introduces a governance framework that links security design directly to business processes. By leveraging a process hierarchy, organizations can create meaningful security models that align with how operations are actually performed, rather than relying on generic role structures. The module also addresses long-standing challenges such as managing privileged accounts, offering time-bound elevated access that reduces risk exposure while supporting operational needs.

Built-in monitoring and reporting, including segregation of duties analysis and audit trails, provide the transparency required for compliance and external reviews. At the same time, features such as task-based duty generation and synchronization with core security simplify ongoing maintenance and keep design consistent across environments. When combined with licensing optimization, these capabilities deliver both stronger controls and measurable cost efficiency.

In practice, this module helps organizations balance usability, compliance, and scalability. It reduces manual effort, minimizes audit risks, and provides a flexible structure that can evolve with the business. For companies seeking to strengthen their control environment in Dynamics 365 while streamlining administration, User Security Governance represents a significant step forward.
