Monday, September 1, 2025

User Security Governance in Dynamics 365 Finance and Supply Chain Management (D365F&SCM)

USER SECURITY GOVERNANCE IN DYNAMICS 365 FINANCE AND SUPPLY CHAIN MANAGEMENT (D365F&SCM)

CONTENT

Overview
User security governance features
Conclusion

OVERVIEW

User Security Governance in Dynamics 365 Finance and Operations (D365FO) provides organizations with a structured framework to define, monitor, and manage user access, ensuring users have only the permissions necessary for their roles. This new Security Governance feature is available in the System administration module. It was introduced in preview with version 10.0.43 (2025 release wave 1) and became generally available with version 10.0.44, requiring activation in the Feature Management workspace.

The solution focuses on core capabilities such as detailed reporting for segregation of duties (SOD) and privileged access, process-based role and duty management, creation of new roles from existing objects, temporary role assignments, and privileged user management for time-bound access. These features simplify permission setup, particularly during new implementations, help prevent unauthorized activity, reduce errors, and support regulatory compliance with built-in audit and reporting tools. By aligning user roles with appropriate license types, organizations can also achieve cost efficiency while maintaining control and transparency across their security model.

USER SECURITY GOVERNANCE FEATURES

User security governance provides the following functionality:

Design process-based security roles, duties and privileges: A process hierarchy provides a way to organize and manage the business processes in your company. After you define the process hierarchy for your company, you can assign various tasks, and define roles, entry points, and privileges according to the business requirements. This feature has two components.

Security category: Security categories are custom-defined labels or tags used within “Process roles maintain” to group and categorize roles by business stream, department, function, or any logical grouping relevant to your organization. My sample categories are as follows.

Go to System administration > Security > Security governance > Security category


Process hierarchy: The process hierarchy is the foundation of organizing security role components in Dynamics 365 Finance and Operations. This step is critical because it ensures that security design aligns with how the business actually operates. Organizations should invest sufficient time in analyzing and identifying the tasks that are relevant to their specific business processes.

Once the applicable tasks are defined, the system provides the framework to configure and fine-tune security roles.

Go to System administration > Security > Security governance > Security process roles maintain

Within this screen, you can:

  • Create new roles.
  • Rename and restructure existing roles.
  • Organize tasks under the appropriate role.
  • Create duties and privileges manually.
  • Generate duties and privileges automatically from task recordings.

By carefully managing the process hierarchy, companies establish a clear and logical security structure that not only meets compliance requirements but also simplifies ongoing maintenance and scalability of security in D365FO.

Lastly, the Synchronize function pulls back any changes made directly to security duties and privileges on the Core security configuration page.

When duties, privileges, and roles are created from Security governance and published to core security configuration, users can still edit them in Security configuration by adding or removing entry points. When that happens, the security object differs between the two pages.

To restore changes from security configuration into security governance, use the Synchronize feature by selecting a process hierarchy level.

Go to System administration > Security > Security governance > Security process role maintain.

On the header, select Synchronize to use the feature.

Other Features

This new module allows admins to:

  • Grant time-bound elevated privileges to dedicated accounts through privileged user management. We will discuss this in the next article in detail.
  • Continuously monitor segregation of duties and separation of privileges. Define a threshold, and control the creation of duties/privileges that have overlapping entry points.
  • Use the security audit trail to track changes that are made in user security governance.
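
The overlap threshold and segregation-of-duties checks listed above, as an added example that is not part of this article or of the D365F&SCM product: the duty definitions, the entry-point labels, the SoD rule pairs, the user assignments and the 50% threshold are all constructed assumptions. The script shows the two decisions a governance control has to make: whether a proposed duty shares too many entry points with an existing one to be created, and which users currently hold both sides of a conflicting duty pair.

```python
"""Overlap and SoD checks over constructed security-object data (added example)."""

# Constructed duties: duty name -> set of entry points (menu items) it grants.
DUTIES = {
    "MaintainVendorMaster": {"VendTable", "VendBankAccount", "VendTableListPage"},
    "MaintainVendorBank": {"VendBankAccount", "VendBankAccountListPage"},
    "ProcessVendorPayments": {"LedgerJournalTable", "VendPaymentJournal", "VendTableListPage"},
    "ApproveVendorInvoices": {"VendInvoiceJournal", "VendInvoiceApprovalListPage"},
}

# Constructed SoD rules: pairs of duties a single user must not hold together.
SOD_RULES = [
    ("MaintainVendorMaster", "ProcessVendorPayments"),
    ("MaintainVendorBank", "ProcessVendorPayments"),
]

# Constructed user -> duties (flattened from role assignments for the example).
USER_DUTIES = {
    "alice": {"MaintainVendorMaster", "ApproveVendorInvoices"},
    "bob": {"MaintainVendorBank", "ProcessVendorPayments"},
    "carol": {"ProcessVendorPayments"},
}


def overlap_ratio(a: set, b: set) -> float:
    """Share of the smaller duty's entry points that also appear in the other duty."""
    if not a or not b:
        return 0.0
    return len(a & b) / min(len(a), len(b))


def overlapping_duties(new_name, new_entry_points, existing=DUTIES, threshold=0.5):
    """Return (duty, ratio, shared entry points) for every existing duty whose
    overlap with the proposed duty meets the threshold, highest overlap first.
    An empty result means the duty may be created; a non-empty one means the
    governance control should block creation or require a review."""
    proposed = set(new_entry_points)
    hits = []
    for name, eps in existing.items():
        if name == new_name:
            continue
        ratio = overlap_ratio(proposed, eps)
        if ratio >= threshold:
            hits.append((name, round(ratio, 2), sorted(proposed & eps)))
    return sorted(hits, key=lambda h: -h[1])


def sod_violations(user_duties=USER_DUTIES, rules=SOD_RULES):
    """List (user, duty_a, duty_b) for every user holding both sides of a rule."""
    found = []
    for user, duties in sorted(user_duties.items()):
        for a, b in rules:
            if a in duties and b in duties:
                found.append((user, a, b))
    return found


if __name__ == "__main__":
    proposed = {"VendBankAccount", "VendBankAccountListPage", "VendTable"}
    for hit in overlapping_duties("ReviewVendorBank", proposed):
        print("overlap:", hit)
    for violation in sod_violations():
        print("SoD violation:", violation)
```

Running the block reports that the proposed duty overlaps 100% with MaintainVendorBank and 67% with MaintainVendorMaster, so at a 50% threshold its creation would be blocked, and that bob holds a conflicting pair. The ratio is measured against the smaller duty on purpose: a small duty that is entirely contained in a larger one is the usual way duplicate or over-broad objects creep into a security model.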

CONCLUSION

User Security Governance in D365F&SCM introduces a governance framework that links security design directly to business processes. By leveraging a process hierarchy, organizations can create meaningful security models that align with how operations are actually performed, rather than relying on generic role structures. The module also addresses long-standing challenges such as managing privileged accounts, offering time-bound elevated access that reduces risk exposure while supporting operational needs.

Built-in monitoring and reporting, including segregation of duties analysis and audit trails, provide the transparency required for compliance and external reviews. At the same time, features such as task-based duty generation and synchronization with core security simplify ongoing maintenance and keep design consistent across environments. When combined with licensing optimization, these capabilities deliver both stronger controls and measurable cost efficiency.

In practice, this module helps organizations balance usability, compliance, and scalability. It reduces manual effort, minimizes audit risks, and provides a flexible structure that can evolve with the business. For companies seeking to strengthen their control environment in Dynamics 365 while streamlining administration, User Security Governance represents a significant step forward.

Sunday, August 17, 2025

Strengthening Internal Controls with User Termination in D365FO



CONTENT

Introduction
Importance of User Termination in a SOX Environment
Terminate User and Remove Their Security Roles
Alternative: Disable User and Remove Their Security Roles
Address Workflow Delegations
Monitor Batch Jobs
Monitor Disabled and Deleted Users via Database Logging
Conclusion

STRENGTHENING INTERNAL CONTROLS WITH USER TERMINATION IN D365FO

Introduction

User lifecycle management is one of the most critical aspects of securing any ERP system, and Microsoft Dynamics 365 Finance and Operations (D365FO) is no exception. From the moment a user is onboarded to the time their access must be revoked, organizations must ensure that system access aligns with employment status and compliance requirements.

In a Sarbanes-Oxley (SOX) regulated environment, user termination becomes more than just a technical activity—it is a key internal control. When employees, contractors, or consultants leave the organization, their access to the system must be promptly revoked to prevent unauthorized activities, reduce fraud risk, and maintain the principle of least privilege.

This article explains the steps, options, and considerations for terminating users in D365FO. It provides practical instructions, highlights SOX compliance implications, and points out potential pitfalls if termination is not handled effectively.

Importance of User Termination in a SOX Environment

SOX Section 404 requires companies to establish and maintain adequate internal controls over financial reporting. One of these controls is ensuring that only authorized personnel have access to financial systems like D365FO.

Failure to properly terminate users creates several risks:

  • Unauthorized Access: Former employees may still be able to log into the system.
  • Segregation of Duties (SoD) Violations: Inactive but enabled accounts could be exploited, creating audit findings.
  • Workflow Disruption: Unattended approvals may remain pending if workflow delegations are not reassigned.
  • Batch Job Failures: Critical scheduled processes may stop running if they are tied to a disabled user account.

Therefore, an effective user termination process in D365FO must include technical steps (role removal, account disabling, workflow reassignment) as well as compliance checks to verify that no residual risks remain.

Terminate User and Remove Their Security Roles

The preferred approach is to terminate users directly in D365FO using the HR framework. If your environment integrates HR and system access, user termination can be initiated from the Employees form.

1. Navigate to Human Resources > Workers > Employees.

2. Select the employee record.

3. In the Action Pane, under Personnel actions, click Terminate.

4. Select the termination action, enter the termination date, and save the record.

If personnel actions workflows are enabled under HR Shared Parameters, the termination can be routed for approval before becoming effective.

5. OPTIONAL: Execute the termination workflow if the selected personnel action type requires workflow approval.

Screens: Workflow submission, Workflow approval, Workflow completion, Employee termination.

Once the termination is processed, you should also ensure the user’s security roles are removed. This step is critical because it directly revokes system privileges and ensures compliance with SOX. 

NOTE: A standard termination workflow in Dynamics 365 for Finance and Operations (D365FO) does not automatically disable a user account. The standard workflow process in Human Resources primarily handles the worker's employment status, moving them from active to terminated. The user account and security roles must be handled separately.

6. User termination and security role removal

Screens: User termination and security role removal (before) and (after).

Alternative: Disable User and Remove Their Security Roles

In some organizations, HR and IT systems are not fully integrated, or there may be licensing constraints preventing full use of the HR module. In these cases, you can directly disable a user account in D365FO.

1. Go to System Administration > Users > Users.

2. Select the user record.

3. Toggle the Enabled field to Off.

4. Remove all assigned security roles as shown in the previous section.

This approach is faster but less structured compared to personnel action termination. However, it still meets the SOX requirement of revoking access promptly.

Address Workflow Delegations

Terminated users may still be assigned workflow tasks or delegation rules. If these are not reassigned, business processes (such as vendor invoice approvals, purchase requisition approvals, or journal approvals) could stall. There isn't any screen that shows all delegations in D365FO, but there is a workaround: the WorkflowWorkItemDelegationParameters table stores that information.

To identify active delegations, use the following link in your environment:

<yourD365FOurl>/?mi=SysTableBrowser&tablename=WorkflowWorkItemDelegationParameters

This opens the table browser to review current workflow delegation records.

Any delegations tied to the terminated user should be reassigned to active employees.

Monitor Batch Jobs

Another critical check is to monitor background batch jobs. Many automated processes in D365FO—such as periodic invoicing, financial consolidations, or integrations—run under a specific user account. If a terminated user owns a batch job, the process may fail after their account is disabled.

To monitor this:

1. Go to System Administration > Inquiries > Batch Jobs.

2. Review the Run by field for each job.

3. Recreate critical jobs with a valid service account or another active user.

This review is especially important during offboarding to prevent system disruptions.
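
The residual-access review that the role removal, delegation and batch job sections above describe, as an added example that is neither the article's nor Microsoft's code: the record shapes approximate what an administrator would export from the Users list, the user's security roles, the WorkflowWorkItemDelegationParameters table and the Batch jobs inquiry, but the field names, user ids and rows are constructed assumptions. Given a list of terminated users, the script lists everything that still references them so each item can be closed out and evidenced for the SOX control.

```python
"""Offboarding residual-access check over constructed export data (added example)."""
from datetime import date

# Constructed set of users whose termination has been processed in HR.
TERMINATED = {"jdoe", "ksmith"}

# Constructed Users export: user id -> Enabled flag.
USERS = {"jdoe": False, "ksmith": True, "mlee": True, "svc_batch": True}

# Constructed security role assignments: (user id, security role).
ROLE_ASSIGNMENTS = [
    ("jdoe", "Accounts payable clerk"),
    ("ksmith", "Accounts payable manager"),
    ("ksmith", "System user"),
    ("mlee", "Purchasing agent"),
]

# Constructed delegation records: delegating user -> delegate, with an end date.
DELEGATIONS = [
    {"user": "jdoe", "delegate": "mlee", "to": date(2025, 12, 31)},
    {"user": "mlee", "delegate": "ksmith", "to": date(2025, 9, 30)},
]

# Constructed batch jobs: description -> "Run by" user.
BATCH_JOBS = [
    {"description": "Periodic vendor invoicing", "run_by": "jdoe"},
    {"description": "Exchange rate import", "run_by": "svc_batch"},
]


def residual_access(terminated=TERMINATED, users=USERS, roles=ROLE_ASSIGNMENTS,
                    delegations=DELEGATIONS, jobs=BATCH_JOBS):
    """Return (user, category, detail) findings for every terminated user.

    Categories: 'enabled' (account still switched on), 'role' (role still
    assigned), 'delegation' (user still delegates to or receives from someone),
    'batch' (a job still runs under the user). An empty list means offboarding
    left nothing behind."""
    findings = []
    for user in sorted(terminated):
        if users.get(user, False):
            findings.append((user, "enabled", "account is still enabled"))
        for assigned_user, role in roles:
            if assigned_user == user:
                findings.append((user, "role", role))
        for d in delegations:
            if d["user"] == user:
                findings.append((user, "delegation", f"delegates to {d['delegate']} until {d['to']}"))
            elif d["delegate"] == user:
                findings.append((user, "delegation", f"receives delegation from {d['user']} until {d['to']}"))
        for job in jobs:
            if job["run_by"] == user:
                findings.append((user, "batch", job["description"]))
    return findings


if __name__ == "__main__":
    for finding in residual_access():
        print(" | ".join(finding))
```

With the constructed data, jdoe is disabled but still owns a role, an open delegation and a batch job, while ksmith is still enabled with two roles and an inbound delegation; both would fail the control until every line is cleared. The check deliberately looks at delegations in both directions, since a delegation pointing at a terminated user leaves approvals waiting on someone who can no longer act.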

Monitor Disabled and Deleted Users via Database Logging

As a detective control, organizations can enable Database Logging in D365FO to track changes to user accounts. This ensures auditability of user termination activities and provides evidence during SOX testing.

Recommended logging events include:

  • User creation
  • User deletion
  • User enabled/disabled changes
  • Security role assignments and removals

For example, user activation and deactivation can be followed as below:

Note that the above screen shows enabled and disabled users, giving admins full visibility to take necessary actions.

Database logging not only provides assurance but also strengthens the organization’s ability to demonstrate compliance during external audits.
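
How the enable/disable records from database logging can be turned into SOX evidence, as an added example that is not part of the article: the row layout (timestamp, changed by, table, record, field, old value, new value) approximates a database-log export, but the column order, the user ids, the termination dates and the one-day SLA are constructed assumptions. The script measures how long each terminated user's account stayed enabled after the termination date and lists any account that was switched back on after being disabled, which is exactly the kind of exception an auditor will ask to see justified.

```python
"""Review of constructed database-log rows for the user table (added example)."""
from datetime import datetime

# Constructed termination dates from HR, keyed by user id.
TERMINATION_DATES = {"jdoe": datetime(2025, 8, 1), "ksmith": datetime(2025, 8, 10)}

# Constructed database-log export: one row per field change on a user record.
# (timestamp, changed by, table, record id, field, old value, new value)
DB_LOG = [
    ("2025-08-01 17:05", "admin", "UserInfo", "jdoe", "Enable", "Yes", "No"),
    ("2025-08-18 09:12", "admin", "UserInfo", "ksmith", "Enable", "Yes", "No"),
    ("2025-08-20 22:40", "itops", "UserInfo", "ksmith", "Enable", "No", "Yes"),
    ("2025-08-21 08:00", "admin", "UserInfo", "ksmith", "Enable", "Yes", "No"),
    ("2025-08-22 10:00", "admin", "UserInfo", "newhire", "Enable", "No", "Yes"),
]


def parse_log(rows=DB_LOG):
    """Keep only Enable-field changes on the user table, with parsed timestamps,
    sorted chronologically."""
    events = []
    for ts, by, table, rec, field, old, new in rows:
        if table == "UserInfo" and field == "Enable":
            events.append({"when": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                           "by": by, "user": rec, "old": old, "new": new})
    return sorted(events, key=lambda e: e["when"])


def disable_delays(rows=DB_LOG, terminations=TERMINATION_DATES, sla_days=1):
    """For each terminated user, find the first disable on or after the
    termination date and flag it as late when it exceeds the SLA. A user with
    no disable at all is reported as late with no timestamp."""
    events = parse_log(rows)
    report = {}
    for user, term in terminations.items():
        disables = [e for e in events
                    if e["user"] == user and e["new"] == "No" and e["when"] >= term]
        if not disables:
            report[user] = {"disabled_at": None, "delay_days": None, "late": True}
            continue
        first = disables[0]["when"]
        delay = (first - term).days
        report[user] = {"disabled_at": first, "delay_days": delay, "late": delay > sla_days}
    return report


def reenabled_after_disable(rows=DB_LOG):
    """List (user, re-enabled at, changed by) for accounts switched back on
    after having been disabled; each one needs a documented justification."""
    seen_disabled = set()
    hits = []
    for e in parse_log(rows):
        if e["new"] == "No":
            seen_disabled.add(e["user"])
        elif e["new"] == "Yes" and e["user"] in seen_disabled:
            hits.append((e["user"], e["when"], e["by"]))
    return hits


if __name__ == "__main__":
    for user, row in disable_delays().items():
        print(user, row)
    for hit in reenabled_after_disable():
        print("re-enabled after disable:", hit)
```

On the constructed rows, jdoe was disabled the same day and passes, ksmith was disabled eight days after termination and is flagged late, and ksmith's account was also re-enabled by another administrator two days later, which shows up as a separate exception. Reading the log this way, rather than from the Users list alone, is what lets the control demonstrate timeliness and not just the end state.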

Conclusion

User termination in D365FO is not just about removing access—it is about safeguarding financial data, preventing fraud, and ensuring compliance with SOX requirements. By following a structured process that includes terminating or disabling users, removing security roles, reassessing workflow delegations, monitoring batch jobs, and tracking changes through database logging, organizations can significantly reduce risk.

An effective termination process bridges the gap between IT operations and compliance, providing assurance to management, auditors, and regulators. Whether you use the HR-driven personnel action approach or the direct disablement method, what matters most is consistency, timeliness, and proper documentation.

In short, closing the door properly when a user exits is just as important as granting them access in the first place.

Tuesday, August 5, 2025

Enabling the Three Lines of Defense in Dynamics 365 Finance & Operations - LINE3: Internal Audit Assurance



ENABLING THE THREE LINES OF DEFENSE IN DYNAMICS 365 FINANCE & OPERATIONS - LINE3: INTERNAL AUDIT ASSURANCE

CONTENT

Introduction
Line 3 Internal Audit in a D365FO-Centric Environment
Independent Assurance Through System Evidence
Reviewing Transaction and Ledger Integrity
Validating Control Execution and Effectiveness
Sampling and Testing High-Risk Transactions
Auditing Configuration Changes and Access History
Leveraging Reporting and Data Extraction Tools
A Third Line Scenario: From Audit Request to Finding
Conclusion

INTRODUCTION 

The Third Line of Defense within the Three Lines of Defense (3LoD) model is responsible for independent assurance. Unlike Line 1 (which executes controls) and Line 2 (which monitors and oversees), Line 3 evaluates whether the control framework is designed appropriately, operating effectively, and aligned with the organization’s compliance obligations.

In a Microsoft Dynamics 365 Finance & Operations (D365FO) environment, Line 3 does not create workflows, assign roles, or approve transactions. Instead, Internal Audit uses the system’s data, logs, and reports to test and verify that Lines 1 and 2 are performing their responsibilities and that risks are being managed within tolerance.

This article focuses on how internal audit teams can use D365FO’s capabilities—alongside standard audit methodologies—to perform independent reviews and produce evidence-based assurance for stakeholders such as the audit committee, regulators, and external auditors.

LINE 3 | INTERNAL AUDIT IN A D365FO-CENTRIC ENVIRONMENT

Internal Audit’s primary value lies in its objectivity. It operates separately from both operations and compliance functions, ensuring that its assessment is unbiased and evidence-driven. In D365FO, this objectivity is enhanced by the system’s ability to generate immutable records of transactions, changes, and approvals.

Typical responsibilities of Line 3 include:

  • Assessing whether controls designed by Line 1 and monitored by Line 2 are functioning as intended
  • Reviewing the completeness and accuracy of transaction data
  • Identifying process gaps or control weaknesses not previously detected
  • Recommending improvements to strengthen the overall control environment

INDEPENDENT ASSURANCE THROUGH SYSTEM EVIDENCE

1. Reviewing Transaction and Ledger Integrity

Internal auditors frequently begin by validating the accuracy and completeness of financial transactions. In D365FO, this involves:

  • Using General ledger > Inquiries > Voucher transactions to trace transactions from source documents to ledger postings
  • Verifying that subledger entries (e.g., Accounts Payable, Accounts Receivable, Fixed Assets) reconcile to the general ledger
  • Checking for manual journal entries that bypass standard workflows

View of subledger journal of a purchase order invoice (Voucher transactions inquiry showing linkage between subledger and ledger entries)

2. Validating Control Execution and Effectiveness

Line 3 evaluates whether preventive and detective controls are consistently applied. This includes:

  • Reviewing workflow history to ensure approvals occurred as designed
  • Checking whether SoD violations identified by Line 2 were remediated or mitigated
  • Confirming that exception handling processes were documented and followed

D365FO’s workflow history logs and exported SoD violation reports are primary data sources for these validations.

View of workflow history screen with an invoice approval chain

3. Sampling and Testing High-Risk Transactions

Internal Audit applies sampling methods (statistical or judgmental) to test transactions for compliance with policy. Examples include:

  • Testing a sample of vendor changes to verify proper approval and supporting documentation
  • Reviewing high-value payment transactions for dual authorization evidence
  • Confirming that purchase orders over threshold values received required managerial approvals

Sampling can be done by exporting data from D365FO using Data Management > Export into Excel or Power BI for analysis.

4. Auditing Configuration Changes and Access History

Unauthorized or undocumented configuration changes can weaken controls. Internal Audit reviews:

  • Database Log entries for high-risk tables (e.g., posting profiles, vendor bank accounts)
  • Historical user role assignments to detect privilege escalation
  • Removal of access for terminated employees

While D365FO’s native tools provide much of this data, external solutions like Fastpath or Guardian may enhance visibility, especially for historical access reporting.

View of database log entries showing a change to a vendor's bank account.

5. Leveraging Reporting and Data Extraction Tools

To streamline evidence collection, Line 3 can leverage:

  • Task Recorder to document test steps for re-performance by external auditors
  • Data entities to pull standardized datasets for repeatable audits
  • Power BI integration to visualize trends in control exceptions and workflow performance

By using system-generated evidence, Internal Audit reduces reliance on manual screenshots or user attestations, improving both efficiency and credibility.

A THIRD LINE SCENARIO: FROM AUDIT REQUEST TO FINDING

Imagine Internal Audit is performing a quarterly review of vendor master data changes:

1. Audit extracts vendor bank account changes from the Database Log for the last 90 days.

2. A sample is selected focusing on changes made outside normal business hours.

3. One entry shows a bank account change by a user whose role assignment was supposed to be temporary.

4. Further investigation reveals the role removal was delayed, allowing the user to make changes after their project ended.

5. Audit issues a finding recommending stricter monitoring of role deactivations and improved coordination between HR and IT.

This example illustrates how Line 3 moves beyond detection—providing recommendations that close process gaps and strengthen Lines 1 and 2.
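
The five-step scenario above, carried out in code as an added example that is not the article's own: the database-log rows for vendor bank account changes and the role assignment windows are constructed assumptions, as are the user ids, vendor ids, the 90-day review window ending 2025-09-30 and the 08:00 to 18:00 business-hours definition. The script extracts the in-scope changes, builds the judgmental sample (out-of-hours changes plus any change made after the user's intended role window had ended) and so reproduces the finding the scenario describes.

```python
"""Vendor bank account change audit over constructed exports (added example)."""
from datetime import datetime, time

REVIEW_END = datetime(2025, 9, 30)   # constructed end of the quarterly review
REVIEW_DAYS = 90

# Constructed database-log rows: (timestamp, user, table, vendor, field, old, new).
BANK_CHANGES = [
    ("2025-05-15 10:00", "rpatel", "VendBankAccount", "V001", "AccountNum", "111", "222"),
    ("2025-08-12 23:15", "tnguyen", "VendBankAccount", "V017", "AccountNum", "333", "444"),
    ("2025-08-13 14:30", "rpatel", "VendBankAccount", "V020", "AccountNum", "555", "666"),
    ("2025-09-02 06:45", "tnguyen", "VendBankAccount", "V017", "AccountNum", "444", "777"),
]

# Constructed role assignments with their intended validity (None = open-ended).
ROLE_WINDOWS = {
    "rpatel": [("Accounts payable clerk", datetime(2024, 1, 1), None)],
    "tnguyen": [("Accounts payable clerk", datetime(2025, 6, 1), datetime(2025, 8, 31))],
}

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def in_review_window(when, end=REVIEW_END, days=REVIEW_DAYS):
    """Step 1: keep only changes inside the last `days` days of the review period."""
    return when <= end and (end - when).days <= days


def outside_business_hours(when):
    """Step 2 criterion: weekend, or a weekday outside 08:00-18:00."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END)


def role_covered(user, when, windows=ROLE_WINDOWS):
    """Steps 3-4: True if the user held a role whose intended window contains `when`."""
    for _, start, end in windows.get(user, []):
        if start <= when and (end is None or when <= end):
            return True
    return False


def audit_bank_changes(rows=BANK_CHANGES, windows=ROLE_WINDOWS):
    """Return one finding per in-scope change with the two risk flags set."""
    findings = []
    for ts, user, table, vendor, field, old, new in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if table != "VendBankAccount" or not in_review_window(when):
            continue
        findings.append({
            "when": ts, "user": user, "vendor": vendor, "field": field,
            "out_of_hours": outside_business_hours(when),
            "role_expired": not role_covered(user, when, windows),
        })
    return findings


def sample_for_testing(findings):
    """Judgmental sample: every out-of-hours change plus every change made after
    the user's role window ended; these are the items audit follows up on."""
    return [f for f in findings if f["out_of_hours"] or f["role_expired"]]


if __name__ == "__main__":
    for f in sample_for_testing(audit_bank_changes()):
        print(f)
```

Of the four constructed rows, the May change falls outside the 90-day window, the two late-evening and early-morning changes by tnguyen are sampled, and the 2 September one additionally shows the role still in use two days after its intended end date, which is the step-4 observation behind the finding. Note that the role-window check needs the intended end date from the access request, not just the current role assignment, since the assignment itself will look valid until someone removes it.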

CONCLUSION

The Third Line of Defense in D365FO is not about running the business or overseeing it—it’s about independent validation that both are working as intended. By leveraging D365FO’s inquiry screens, workflow histories, database logs, and data exports, Internal Audit can perform efficient, evidence-based reviews without disrupting daily operations.

When Lines 1 and 2 perform their roles effectively, Line 3’s job becomes one of confirmation and continuous improvement—ensuring that the organization’s control environment is not only compliant, but resilient.

This completes the three-part series on enabling the Three Lines of Defense in Dynamics 365 Finance & Operations. Together, these articles provide a blueprint for embedding operational control, compliance oversight, and independent assurance into your ERP system.

Thursday, July 24, 2025

Enforcing Item and State Regulations in Dynamics 365 Finance & Operations

ENFORCING ITEM AND STATE REGULATIONS IN DYNAMICS 365 FINANCE AND OPERATIONS

CONTENT

Introduction
Restricted Products Regional Lists – Enforcing Sales Restrictions
Example: Restricting Motorcycle Sales in California
Regulated Products Regional Lists – Tracking Compliance Requirements
Example: Licensing Requirements for Agricultural Chemicals
Product Safety Data Sheet Validity – Managing Hazardous Material Compliance
Example: Auto SDS Creation When Packing Slip is Posted
Conclusion

INTRODUCTION 

Many organizations operate in industries where product distribution is tightly regulated by geography. These rules may originate from international trade restrictions, environmental standards, safety requirements, or state-level laws. Examples include:

  • Blocking exports of controlled chemicals to certain countries
  • Restricting motorcycle sales in specific U.S. states
  • Requiring a valid safety data sheet before selling hazardous materials

Managing these rules manually is inefficient and risky. To ensure compliance, enforcement needs to be embedded into the ERP system, where controls are consistently applied without relying solely on user awareness.

In Microsoft Dynamics 365 Finance & Operations (D365FO), the Product compliance framework provides several built-in tools to manage these requirements, located under:

Product information management > Setup > Product compliance

The key compliance features include:

  • Restricted products regional lists – Blocks or allows sales of certain products in defined regions
  • Regulated products regional lists – Tracks regulatory requirements for specific products in specific regions
  • Product safety data sheet validity – Manages the validity of safety data sheets to ensure compliance before sale

This article focuses on how these features work together to help organizations enforce jurisdiction-based sales rules, illustrated with real-world scenarios.

RESTRICTED PRODUCTS REGIONAL LISTS - ENFORCING SALES RESTRICTIONS

The Restricted products regional lists feature is used to prevent or permit sales of certain items in specific jurisdictions. These restrictions are validated during sales order entry, based on the shipping address in the order header.

Key Configuration Elements:

  • Jurisdiction type: Country/region, State/province, County, or City
  • List type
    • Inclusive: Only listed items can be sold in the jurisdiction
    • Exclusive: All items except those listed can be sold
  • Product association: Items explicitly linked to the list
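
How these configuration elements combine at sales order entry, as an added example that is not D365FO code: the data classes, the rule that a list applies when the shipping address matches every level down to the list's jurisdiction type, the sample lists and item numbers are all constructed assumptions built from the description above. The error text returned is the message quoted later in this article.

```python
"""Model of how a restricted products regional list validates a sales line (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Address:
    """Delivery address, filled from the country down; unused levels stay empty."""
    country: str
    state: str = ""
    county: str = ""
    city: str = ""


# Jurisdiction type -> how many address levels must match for the list to apply.
JURISDICTION_DEPTH = {"Country/region": 1, "State/province": 2, "County": 3, "City": 4}
ADDRESS_LEVELS = ["country", "state", "county", "city"]


@dataclass
class RestrictedList:
    name: str
    jurisdiction_type: str      # one of the JURISDICTION_DEPTH keys
    jurisdiction: Address       # filled down to the level of jurisdiction_type
    list_type: str              # "Inclusive" or "Exclusive"
    items: set = field(default_factory=set)   # product association

    def applies_to(self, ship_to: Address) -> bool:
        """A state list matches any county or city inside that state, and so on
        (assumed matching rule)."""
        depth = JURISDICTION_DEPTH[self.jurisdiction_type]
        return all(getattr(self.jurisdiction, lvl).lower() == getattr(ship_to, lvl).lower()
                   for lvl in ADDRESS_LEVELS[:depth])


# Constructed sample lists: the California motorcycle case plus an inclusive list.
LISTS = [
    RestrictedList("CA motorcycles", "State/province", Address("USA", "CA"),
                   "Exclusive", {"MOTO-650", "MOTO-900"}),
    RestrictedList("DE allowed chemicals", "Country/region", Address("DEU"),
                   "Inclusive", {"CHEM-A", "CHEM-B"}),
]


def validate_sales_line(item: str, ship_to: Address, lists=LISTS):
    """Return None if the line may be saved, else the error text the user sees.

    Exclusive list: listed items are blocked in the jurisdiction.
    Inclusive list: only listed items are allowed in the jurisdiction."""
    for rl in lists:
        if not rl.applies_to(ship_to):
            continue
        listed = item in rl.items
        blocked = (rl.list_type == "Exclusive" and listed) or \
                  (rl.list_type == "Inclusive" and not listed)
        if blocked:
            return (f"Product '{item}' is restricted for sale to the delivery address "
                    f"on the sales line. Change the address or the product.")
    return None


if __name__ == "__main__":
    print(validate_sales_line("MOTO-650", Address("USA", "CA", "Los Angeles", "Los Angeles")))
    print(validate_sales_line("MOTO-650", Address("USA", "TX")))
    print(validate_sales_line("CHEM-C", Address("DEU")))
```

The block makes the inclusive/exclusive difference concrete: the California list only ever blocks the two motorcycle items, whereas the German inclusive list blocks every item except the two it names. Because the check runs on the header's delivery address, an address change after lines are entered needs the same validation again, which is why the article later points out that the check can also be run at packing slip posting.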

Product information management > Setup > Product compliance > Restricted products regional lists


EXAMPLE: RESTRICTING MOTORCYCLE SALES IN CALIFORNIA

Scenario: A company sells motorcycles nationwide but is prohibited from selling them in California due to regulatory requirements.

Configuration Steps:

Create an exclusive restricted product list for California:
















Let's now make sure that the related parameter is active.

Note that the compliance check can be performed at the packing slip stage as well.

Expected behavior: Sales orders with a California shipping address cannot include the restricted motorcycles.

Let's create a sales order that includes a motorcycle with a California address.

Insert the restricted product.

Note that the system throws an error when the sales line is saved.

Product 'XYZ' is restricted for sale to the delivery address on the sales line. Change the address or the product.

REGULATED PRODUCTS REGIONAL LISTS - TRACKING COMPLIANCE REQUIREMENTS

While restricted product lists block or allow sales, the Regulated products regional lists feature manages regulatory requirements that must be met before a product can be sold in a specific region.

This is essential when:

  • A product is legal to sell but requires specific permits or licenses in certain regions
  • Compliance documentation must be recorded before shipment
  • Different regions impose different regulatory conditions on the same product

Product information management > Setup > Product compliance > Regulated products regional lists

EXAMPLE: LICENSING REQUIREMENTS FOR AGRICULTURAL CHEMICALS

Scenario: A company sells agricultural chemicals across multiple states, but some states/countries require a pesticide applicator license before purchase.

Configuration Steps:

Create a regulated product regional list for each state requiring a license and associate the relevant agricultural chemical items.

This setup can also be seen from the item itself.

Last check: let's now make sure that the related parameter is active.

Expected behavior: Sales orders with a Canada shipping address must have an active product safety data sheet when weed killer is sold. If not, the system throws a warning.

Let's create a sales order that contains weed killer with a Canada address.

Note that the system throws an error when the sales line is saved.

Please deliver the latest active product safety data sheet to the customer.

Let's try to post the packing slip.

Note that system throws an error:

No valid product safety data sheet exists for the item on the sales order

PRODUCT SAFETY DATA SHEET VALIDITY - MANAGING HAZARDOUS MATERIAL COMPLIANCE

Some products, especially chemicals, require a Safety Data Sheet (SDS) that must be current and valid at the time of sale. The Product safety data sheet validity functionality ensures that a product cannot be sold if its SDS is expired or missing.

Product information management > Setup > Product compliance > Product safety data sheet validity

EXAMPLE: AUTO SDS CREATION WHEN PACKING SLIP IS POSTED

Scenario: A sale of a hazardous chemical (weed killer) automatically generates an SDS when the packing slip is posted.

Configuration steps:

Create a regulated product regional list for each state requiring a license and associate the relevant agricultural chemical items. (Already done in the previous step).

Define SDS validity rules for the chemical product.

Define a safety data sheet (SDS) for the chemical product.

Attach the actual SDS document.

The last step is the parameter configuration. Navigate to

Inventory management > Setup > Inventory and warehouse management parameters > Product compliance

Remember that the system throws the error shown below when there is no active SDS.

After configuring product safety data sheet validity, attaching a safety data sheet to the product, and configuring the compliance parameters properly, the system allows the user to generate the packing slip and the safety data sheet simultaneously.

CONCLUSION

This article explains how Microsoft Dynamics 365 Finance & Operations (D365FO) enforces jurisdiction-based product regulations using its Product compliance framework. It covers three key features:

  • Restricted products regional lists: Prevents sales of certain items in specified regions (e.g., blocking motorcycle sales in California).
  • Regulated products regional lists: Tracks and enforces regional regulatory requirements before sale (e.g., pesticide license requirements for agricultural chemicals).
  • Product safety data sheet (SDS) validity: Ensures hazardous materials have a current SDS before shipping, with the option to auto-generate SDS documents during packing slip posting.

Through step-by-step configuration examples, the article demonstrates how these tools work together to automate compliance, reduce manual oversight, and ensure that regional sales restrictions, licensing obligations, and hazardous material documentation requirements are met directly within D365FO.

