STRENGTHENING INTERNAL CONTROLS WITH USER TERMINATION IN D365FO
Introduction
User lifecycle management is one of the most critical aspects of securing any ERP system, and Microsoft Dynamics 365 Finance and Operations (D365FO) is no exception. From the moment a user is onboarded to the time their access must be revoked, organizations must ensure that system access aligns with employment status and compliance requirements.
In a Sarbanes-Oxley (SOX) regulated environment, user termination becomes more than just a technical activity—it is a key internal control. When employees, contractors, or consultants leave the organization, their access to the system must be promptly revoked to prevent unauthorized activities, reduce fraud risk, and maintain the principle of least privilege.
This article explains the steps, options, and considerations for terminating users in D365FO. It provides practical instructions, highlights SOX compliance implications, and points out potential pitfalls if termination is not handled effectively.
Importance of User Termination in a SOX Environment
SOX Section 404 requires companies to establish and maintain adequate internal controls over financial reporting. One of these controls is ensuring that only authorized personnel have access to financial systems like D365FO.
Failure to properly terminate users creates several risks:
- Unauthorized Access: a former employee, or anyone holding their credentials, can still sign in for as long as the account stays enabled.
- Segregation of Duties (SoD) Violations: a dormant account that keeps its roles still counts in SoD analysis and can be used to bypass SoD controls, which ends up as an audit finding.
- Workflow Disruption: approvals routed to, or delegated by, the terminated user remain pending unless work items and delegation rules are reassigned.
- Batch Job Failures: scheduled processes that run under the terminated user's account stop once that account is disabled.
Therefore, an effective user termination process in D365FO must include technical steps (role removal, account disabling, workflow reassignment) as well as compliance checks to verify that no residual risks remain.
Terminate User and Remove Their Security Roles
The preferred approach is to drive the termination from the Human Resources module, so that the loss of system access is tied to the employment event itself. If your environment keeps HR and system access in the same D365FO instance, termination is initiated from the Employees form.
1. Navigate to Human Resources > Workers > Employees.
2. Select the employee record.
3. In the Action Pane, under Personnel actions, click Terminate.
4. Select the termination action, enter the termination date, and save the record.
5. OPTIONAL: If personnel action workflows are enabled under Human resources shared parameters and the selected personnel action type requires approval, submit the termination to workflow; it becomes effective only after the approval completes.
Screenshots (not reproduced): workflow submission, workflow approval, workflow completion, employee termination.
Once the termination is processed, you should also ensure the user’s security roles are removed. This step is critical because it directly revokes system privileges and ensures compliance with SOX.
NOTE: A standard termination workflow in Dynamics 365 for Finance and Operations (D365FO) does not automatically disable a user account. The standard workflow process in Human Resources primarily handles the worker's employment status, moving them from active to terminated. The user account and security roles must be handled separately.
6. Open the user record under System administration > Users > Users, set Enabled to Off, and remove every role listed on the User's roles FastTab.
Screenshots (not reproduced): the user record before and after termination and security role removal.
Alternative: Disable User and Remove Their Security Roles
In some organizations, HR and IT systems are not fully integrated, or there may be licensing constraints preventing full use of the HR module. In these cases, you can directly disable a user account in D365FO.
1. Go to System Administration > Users > Users.
2. Select the user record.
3. Toggle the Enabled field to Off.
4. On the User's roles FastTab, select each assigned role and click Remove.
This approach is faster but less structured than a personnel action termination. It still meets the SOX requirement of revoking access promptly, provided it is executed on the termination date and documented. Two caveats apply. Disable the account rather than deleting it: the user record and its history stay available as audit evidence. And the Enabled flag only blocks access to this D365FO environment; the user's Microsoft Entra ID (Azure AD) account, which D365FO authenticates against, still has to be disabled as part of identity offboarding.
Address Workflow Delegations
Terminated users may still hold workflow work items or be party to delegation rules. If these are not reassigned, business processes such as vendor invoice approvals, purchase requisition approvals, or journal approvals can stall. Delegation rules are maintained per user (each user defines them in their own user options, which an administrator can open from the Users form), and D365FO has no form that lists every delegation across all users. The records do live in one table, WorkflowWorkItemDelegationParameters, which can be browsed directly.
To review it, open the table browser with this URL in your environment:
<yourD365FOurl>/?mi=SysTableBrowser&tablename=WorkflowWorkItemDelegationParameters
This opens the table browser on the current delegation records. Note that the table browser is not available in production environments, so run this review in a sandbox refreshed from production or query the table in that database directly.
Check both directions: a rule in which the terminated user is the delegate routes other people's work items to a disabled account, and a rule in which the terminated user is the delegator becomes stale once their own work items are reassigned. Reassign any such delegation to an active employee, and reassign the user's open work items from Workflow history.
Monitor Batch Jobs
Another critical check is the batch jobs. Many automated processes in D365FO, such as periodic invoicing, financial consolidations, or integrations, run under the account that created them. If a terminated user owns a batch job, the job will no longer execute once that account is disabled.
To check this:
1. Go to System administration > Inquiries > Batch jobs.
2. Filter the Run by column on the terminated user's ID rather than reading each row.
3. For every job that is still active (for example with status Waiting or Executing), recreate it under a dedicated service account, or have another active user recreate it, and cancel the original.
This review is especially important during offboarding to prevent system disruptions. Running scheduled jobs under a named user ties business processes to that person's employment; a dedicated service account holding only the roles the jobs need avoids repeating this exercise at every offboarding.
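The four checks described in the preceding sections (account still enabled, roles still assigned, active delegations in either direction, batch jobs still owned) can be run as one scripted review against exports of the relevant data. The following is an added example, not code from the article or from Microsoft; it runs over constructed CSV exports, and the column names (UserId, Enabled, SecurityRole, User, DelegateTo, RunBy and so on) are assumptions that mirror the form fields named above, so map them to the entities you actually export.

```python
"""Residual-access review for a terminated D365FO user.

Added example, not code from the article or from Microsoft. It applies the
article's four manual checks to constructed CSV exports. Column names are
assumptions chosen to mirror the D365FO form fields, not a documented schema.
"""
import csv
import io
from datetime import datetime

# Constructed sample exports (not real data).
USERS_CSV = """UserId,Enabled
jdoe,1
kwong,0
svc_batch,1
"""

USER_ROLES_CSV = """UserId,SecurityRole
jdoe,Accounts payable clerk
jdoe,Accounting manager
svc_batch,System administrator
"""

# Mirrors WorkflowWorkItemDelegationParameters; field names are assumptions.
DELEGATIONS_CSV = """User,DelegateTo,Enabled,StartDateTime,EndDateTime
jdoe,asmith,1,2024-01-01T00:00:00,2030-12-31T23:59:59
bwhite,jdoe,1,2023-01-01T00:00:00,2023-06-30T23:59:59
cpark,jdoe,1,2024-01-01T00:00:00,2030-12-31T23:59:59
"""

BATCH_JOBS_CSV = """JobDescription,RunBy,Status
Periodic invoicing,jdoe,Waiting
Year-end close,jdoe,Finished
Vendor sync,svc_batch,Waiting
"""

# Statuses under which a job will still try to run (assumed set).
ACTIVE_BATCH_STATUSES = {"Waiting", "Executing", "Scheduled", "Ready", "Withhold"}


def load(csv_text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _delegation_active(row, as_of):
    """A delegation matters only if enabled and inside its date window."""
    start = datetime.fromisoformat(row["StartDateTime"])
    end = datetime.fromisoformat(row["EndDateTime"])
    return row["Enabled"] == "1" and start <= as_of <= end


def residual_access_findings(user_id, users, roles, delegations, batch_jobs, as_of):
    """Return one finding per residual-risk item left behind for user_id."""
    findings = []
    # 1. Account still enabled?
    for u in users:
        if u["UserId"] == user_id and u["Enabled"] == "1":
            findings.append({"check": "account_enabled", "detail": user_id})
    # 2. Security roles still assigned?
    remaining = sorted(r["SecurityRole"] for r in roles if r["UserId"] == user_id)
    if remaining:
        findings.append({"check": "roles_assigned", "detail": ", ".join(remaining)})
    # 3. Active delegations where the user is delegator ("from") or delegate ("to").
    for d in delegations:
        if user_id not in (d["User"], d["DelegateTo"]) or not _delegation_active(d, as_of):
            continue
        direction = "from" if d["User"] == user_id else "to"
        findings.append({"check": f"delegation_{direction}",
                         "detail": f"{d['User']} -> {d['DelegateTo']}"})
    # 4. Batch jobs still running under the user.
    for j in batch_jobs:
        if j["RunBy"] == user_id and j["Status"] in ACTIVE_BATCH_STATUSES:
            findings.append({"check": "batch_job",
                             "detail": f"{j['JobDescription']} ({j['Status']})"})
    return findings


def review(user_id, as_of=None):
    """Run the review against the embedded sample exports."""
    as_of = as_of or datetime(2025, 1, 15)
    return residual_access_findings(user_id, load(USERS_CSV), load(USER_ROLES_CSV),
                                    load(DELEGATIONS_CSV), load(BATCH_JOBS_CSV), as_of)


if __name__ == "__main__":
    for f in review("jdoe"):
        print(f"{f['check']:16} {f['detail']}")
```

An empty result for a user is the evidence an auditor wants attached to the termination ticket; a non-empty one is the work list for the remaining steps. The expired bwhite -> jdoe rule is deliberately ignored, since a delegation outside its date window routes nothing.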
Monitor Disabled and Deleted Users via Database Logging
As a detective control, organizations can enable Database Logging in D365FO to track changes to user accounts. This ensures auditability of user termination activities and provides evidence during SOX testing.
Recommended logging events include:
- User creation
- User deletion
- User enabled/disabled changes
- Security role assignments and removals
Enable logging for the user table (UserInfo) under System administration > Setup > Database log setup. Each enable or disable change then appears in the database log inquiry under System administration > Inquiries > Database > Database log, together with who made it and when, giving admins full visibility of enabled and disabled users so they can take the necessary actions.
Database logging not only provides assurance but also strengthens the organization’s ability to demonstrate compliance during external audits.
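Reading the database log by hand works for a single termination; for periodic SOX testing the log is better reviewed with a few fixed rules, such as "was a disabled user re-enabled?", "did someone change their own account?" and "was the change made by an approved administrator?". The following is an added example, not code from the article or from Microsoft. It assumes database logging is enabled for the user table and the user-role association, and that the log has been exported with the columns shown; those column names, and the field name Enable for the Enabled flag, are assumptions that mirror the Database log inquiry rather than a documented schema.

```python
"""Detective control over exported D365FO database log entries for user accounts.

Added example, not code from the article or from Microsoft. Column names and
the field name "Enable" are assumptions mirroring the Database log inquiry.
"""
import csv
import io

# Constructed sample export (not real data).
DB_LOG_CSV = """CreatedDateTime,CreatedBy,TableName,LogType,UserId,FieldName,PreviousValue,NewValue
2025-01-10T09:00:00,admin1,UserInfo,Update,jdoe,Enable,1,0
2025-01-10T09:05:00,admin1,SecurityUserRole,Delete,jdoe,SecurityRole,Accounts payable clerk,
2025-01-12T22:14:00,helpdesk2,UserInfo,Update,jdoe,Enable,0,1
2025-01-13T08:00:00,admin1,UserInfo,Delete,bwhite,,,
2025-01-14T10:00:00,asmith,SecurityUserRole,Insert,asmith,SecurityRole,,System administrator
"""

# Accounts allowed to change user records; anything else is flagged (assumed list).
APPROVED_ADMINS = {"admin1"}


def load_log(csv_text):
    """Parse the export and order it by time (ISO timestamps sort lexically)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: r["CreatedDateTime"])
    return rows


def audit_user_log(rows, approved_admins):
    """Return findings: disable/delete timeline plus the anomalies worth a ticket."""
    findings = []
    disabled_at = {}  # user -> timestamp of the last disable seen
    for r in rows:
        actor, target, when = r["CreatedBy"], r["UserId"], r["CreatedDateTime"]

        def add(check):
            findings.append({"check": check, "user": target, "by": actor, "at": when})

        if r["TableName"] == "UserInfo" and r["FieldName"] == "Enable":
            if r["NewValue"] == "0":
                disabled_at[target] = when
                add("disabled")
            elif r["NewValue"] == "1" and target in disabled_at:
                # A terminated account coming back to life needs an explanation.
                add("reenabled_after_disable")
        if r["TableName"] == "UserInfo" and r["LogType"] == "Delete":
            add("deleted")
        if actor == target:
            # Self-service changes to one's own account or roles break SoD.
            add("self_change")
        if actor not in approved_admins:
            add("unapproved_actor")
    return findings


def run_audit():
    """Run the rules against the embedded sample log."""
    return audit_user_log(load_log(DB_LOG_CSV), APPROVED_ADMINS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['at']}  {f['check']:24} user={f['user']:10} by={f['by']}")
```

The "disabled" and "deleted" entries are the positive evidence that terminations happened on time; the other three checks are the exceptions a reviewer must explain or escalate. Note that the re-enable rule only fires when the disable is inside the exported window, so export a period that starts before the earliest termination under test.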
Conclusion
User termination in D365FO is not just about removing access—it is about safeguarding financial data, preventing fraud, and ensuring compliance with SOX requirements. By following a structured process that includes terminating or disabling users, removing security roles, reassessing workflow delegations, monitoring batch jobs, and tracking changes through database logging, organizations can significantly reduce risk.
An effective termination process bridges the gap between IT operations and compliance, providing assurance to management, auditors, and regulators. Whether you use the HR-driven personnel action approach or the direct disablement method, what matters most is consistency, timeliness, and proper documentation.
In short, closing the door properly when a user exits is just as important as granting them access in the first place.