How to use Azure Active Directory for managing users and security in Dynamics 365 for Finance and Operations

Managing users and security

There is an upcoming change and an undocumented feature related to managing users and security in Microsoft Dynamics 365 for Finance and Operations. Using these features has its pros and cons. In this post, I will explain the features and what you need to consider when deciding whether to use them one way or the other.

Update: There is a new post available where you can learn about a new feature for an enhanced Entra ID integration. Enhanced Entra ID group integration in D365FO Admin Toolkit

Managing users

One important upcoming change for the October 2019 release is the requirement to assign licenses in the Microsoft 365 admin center. You can read more about this on the Create new users documentation page. You can also use the Azure portal or the Office 365 admin center to manage the users. In the end, it is all managing the same Azure Active Directory users.

When you have assigned the license, you have a choice: set up the user manually within Finance and Operations, or have the user created automatically the first time they log in. Note that when you have not prepared anything for a new user, the user is created without any security role assigned (apart from the default System user role).

There are some downsides here. The User ID field is auto-generated with a meaningless ID like ‘$C0BA’. The same was the case in Microsoft Dynamics AX 2012 when a user was part of an Active Directory group. You can change this by renaming the user record, but there are risks: stored query values are not changed accordingly, and tables where the user ID is stored in a field without a defined relation may be skipped by the renaming process.

I have created an idea on the Dynamics experience website called: Friendly User ID pattern when creating users automatically. You can vote for this idea to have visibility for the Microsoft product team.

However, I would personally prefer to set up or import the user myself. You can then directly control other user attributes like the startup company, time zone and language. Of course, you can also let the new user set up these preferences. A procedure where you first wait for a new employee to start in your company and log in as a user, then change the user settings in Microsoft Dynamics 365, and only then assign the roles, is not a logical one. Usually, you want the user prepared correctly, including the assigned security roles, so the new employee has a smooth start.

Managing security

When you are in control of setting up users, you also need to find the best way to assign security roles. There are three options:

  • Assign roles manually (via Users or Assign users to role pages)
  • Use automatic role assignment
  • Azure Active Directory Group membership

The most convenient option depends on various conditions, such as the number of users, the number of roles per user, the number of legal entities, and whether they need to be secured individually. In this post I will not elaborate on all options. As this post is about Azure Active Directory, I will explain the last option here.

The option to assign security using Azure Active Directory groups is an undocumented feature. Initially, when you set up Microsoft Dynamics 365 for Finance and Operations, this option is not enabled. You have to enable it via the License configuration form. To be able to change this configuration, your environment must be in maintenance mode. To enable and disable this mode in the various environment types, follow the instructions in the Maintenance mode documentation.

When you have the environment in maintenance mode, you can browse to System administration > Setup > License configuration.

You have to enable the configuration key called Active Directory security group (in later versions it has been renamed to Microsoft Entra ID security group). When you close the form, a slider dialog asks you to confirm the items to be enabled. After this exercise, don’t forget to disable maintenance mode.

Before you can use the Azure Active Directory groups, you have to define them and assign members. For this post, I prepared some groups using the Microsoft 365 admin center, but you can also use the Office 365 admin center or the Azure portal.

When the groups and members are set up, you can continue with the setup in Microsoft Dynamics 365. Browse to System administration > Users > Groups and click the button Import groups. You have to fill the ID field with your own values; I simply copied the Name as ID for my groups. To have ALL groups imported and not only a single one, you have to select all records that need to be created as a Group.

When the import is successful, you can assign security roles, and even constrain them to specific legal entities via Assign organizations.

When you have completed the full setup of Groups, users who are members of the group in Azure Active Directory will inherit its security roles. However, the roles are not directly assigned to the user record itself. The same user can be a member of multiple groups; in that case the person gets cumulative access across all groups.

Notes and thoughts…

Using Azure Active Directory groups to manage security has certain advantages. A system administrator can create new users and assign groups in one central place. As the groups can also have organizations assigned, it prevents setting up users with security roles and forgetting about the company restrictions. Note that the automatic role assignment feature can also take care of the correct organization assignments. I have experience managing security using automatic role assignments in environments with 2500+ legal entities and/or 1700+ users.

The Azure group option also has some disadvantages:

  • When a user is a member of multiple groups, the Segregation of Duties functionality does not work, since the SoD check only considers roles assigned to the user record and roles that are only inherited via a group are invisible to it. To be able to use the SoD features correctly, you need to assign the roles to the user directly.
  • Out-of-the-box reports cannot list the roles a user effectively has access to. There is an additional dimension, Group, which holds the actual role assignment.
  • When you configure workflows where participants are assigned via the option Security roles, you have to set up the roles on the user directly.

Update after initially posted this blog:

  • eXtensible Data Security (XDS) policies can be made dependent on security roles. If the user does not have the security role assigned directly, the policy is not applied as intended.
  • If you publish Saved views to security roles, users who only hold the role via a group will not get the saved views copied to their user settings.

If these downsides matter to you, you have to go for manually or automatically assigned roles.

There is more…

The Groups are in fact also records in the User table. When assigning users to roles, these Groups are visible like any other user. In Microsoft Dynamics AX 2012, you had to set up the groups in the Users form and choose a user type to set up a group.

It is possible to use a combination of groups and direct role assignments on users. In that case, all permissions are cumulative. So it could be a valid scenario to have, e.g., all employees set up with a group to get the Employee role, and assign additional roles directly to users to meet requirements like SoD and workflow role assignments.
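To make the cumulative behaviour across groups and direct assignments, and the SoD gap described above, concrete, here is an added Python example. It is my own illustration and not code from this post or from Dynamics 365. It models direct role assignments on the user record, imported Entra ID (Azure AD) groups with their role and organization assignments, and computes the effective access per user. All users, group names, legal entities and the SoD rule are constructed sample data; real SoD rules are defined on duties rather than roles, and Dynamics 365 stores the Entra object ID rather than the UPN used here for readability. The hidden-conflict function shows how a user who holds two conflicting roles only via groups is missed by a check that looks at the user record alone, which is exactly why the post recommends assigning such roles directly.

```python
"""Effective Dynamics 365 F&O access when roles come from both the user record and
imported Entra ID (Azure AD) groups, plus an SoD check that covers both views.

All data below is constructed for illustration; it is not exported from any environment.
Group membership is keyed by UPN instead of the Entra object ID that D365 actually stores.
"""
from itertools import chain

ALL_ORGS = None  # sentinel for "Grant access to all organizations"

# Constructed: Entra ID security groups and their members.
GROUP_MEMBERS = {
    "D365-AP-Clerks": {"alice@contoso.example", "bob@contoso.example"},
    "D365-AP-Managers": {"bob@contoso.example"},
    "D365-All-Employees": {"alice@contoso.example", "bob@contoso.example", "carol@contoso.example"},
}

# Constructed: roles on the imported Group records (System administration > Users > Groups),
# with legal entities restricted via Assign organizations.
GROUP_ROLES = {
    "D365-AP-Clerks": {"Accounts payable clerk": {"USMF"}},
    "D365-AP-Managers": {"Accounts payable manager": {"USMF", "DEMF"}},
    "D365-All-Employees": {"Employee": ALL_ORGS},
}

# Constructed: roles assigned directly on the user record.
USER_ROLES = {
    "alice@contoso.example": {"Accounts payable clerk": {"DEMF"}},
    "carol@contoso.example": {
        "Accounts payable clerk": {"DEMF"},
        "Accounts payable manager": {"DEMF"},
    },
}

# Constructed SoD rule, simplified to a conflicting role pair (D365 defines rules on duties).
SOD_RULES = {frozenset({"Accounts payable clerk", "Accounts payable manager"})}


def merge_grant(existing, new):
    """Organization access is cumulative; an all-organizations grant on either side wins."""
    if existing is ALL_ORGS or new is ALL_ORGS:
        return ALL_ORGS
    return set(existing) | set(new)


def direct_roles(user):
    """Roles on the user record: what the built-in SoD check and role-based workflow see."""
    roles = {"System user": ALL_ORGS}  # assigned to every D365 user by default
    for role, orgs in USER_ROLES.get(user, {}).items():
        roles[role] = merge_grant(roles.get(role, set()), orgs)
    return roles


def effective_roles(user):
    """Direct roles plus everything inherited from every Entra group the user belongs to."""
    roles = direct_roles(user)
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for role, orgs in GROUP_ROLES.get(group, {}).items():
                roles[role] = merge_grant(roles.get(role, set()), orgs)
    return roles


def sod_conflicts(roles):
    """SoD rule pairs fully covered by the given role mapping, sorted for stable output."""
    held = set(roles)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= held)


def hidden_sod_conflicts(user):
    """Conflicts present in the effective access but invisible in the direct assignments."""
    visible = set(sod_conflicts(direct_roles(user)))
    return [c for c in sod_conflicts(effective_roles(user)) if c not in visible]


if __name__ == "__main__":
    users = sorted(set(chain.from_iterable(GROUP_MEMBERS.values())) | set(USER_ROLES))
    for user in users:
        print(user)
        for role, orgs in sorted(effective_roles(user).items()):
            print(f"  {role}: {'all organizations' if orgs is ALL_ORGS else sorted(orgs)}")
        print(f"  SoD conflicts hidden from a direct-only check: {hidden_sod_conflicts(user)}")
```

Run it as a script to print each user's effective roles with their organizations and the conflicts a direct-only check would miss: bob holds clerk and manager only through two groups and is flagged as hidden, carol holds both directly and is visible to the normal check, and alice's clerk access is the union of the group's USMF and her direct DEMF grant. The same model can be fed with an export of the D365 user, group and role assignment tables and the group membership from Entra ID to audit a real environment.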



I hope you liked this post and that it adds value to your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.


That’s all for now. Till next time!

39 replies
  1. Hari Kiran says:

    Hi Andre,

    I’ve tried this but the user is imported without the security roles which I’ve assigned to the group in D365. Is there any step that I missed?
    Here’s what I did:
    1. In AAD, created a new group “D365 FO”
    2. Added 2 users to this group
    3. Imported group
    4. Added roles like “Budget manager” & “Accounts payable manager”.
    5. I tried importing one of the user from step-2
    6. User is imported only with “System User” role but not roles from step-4

    • André Arnaud de Calavon says:

      Hi Hari,

      I’m not sure what exactly you mean with step 2 or step 4. However, it is correct that you will only see the System user role assigned. As mentioned in the blog, the persons will inherit the security rights from the AAD group settings when they are part of the group, but the role is not directly assigned.

  2. Sandeep Erande says:

    Hi Andre, I think this only works for internal AAD users and not for external AAD users. Could you please confirm?

  3. Aldis says:

    Should this work on local developer machines? I’m getting “The service you are trying to reach is currently unavailable. Please contact your System Administrator for further assistance.”.

    • André Arnaud de Calavon says:

      Hi Aldis,

      In my experience it is not working on local dev machines. These machines are emulating some Azure features locally. To be able to use these features, you can deploy environments on Azure.

  4. Jessica Roybal says:

    Hi André,

    Thanks for a great post, very helpful. I am helping a client go live with 500 users for the first go-live in under 6 months, but there will be several hundred more users 6 months later and additional hundreds as we roll out globally. Do you have any more thoughts/opinions 1 year after writing the post? I am also interested in a compare/contrast of automatic role assignment with the AAD group membership option. The client has several hundred users in AX 2012 and wants to maintain the user ID moving into FO. So I am thinking the AAD group membership option is not going to work at go-live for existing users, but new users may want to use this option. What are your thoughts?

    • André Arnaud de Calavon says:

      Hi Jessica,

      It is possible to export the users with the current User ID and import them into Dynamics 365 for Finance and Operations with this same ID. The AAD group membership will still work, as the Azure AD Object ID is linked to the user in Dynamics 365 separately from the User ID.
      Some additional thoughts after a year: for using Azure AD groups while also having the advantage of alerting on Segregation of Duties (SoD) violations and/or using security roles for workflow assignments, there is an alternative. Recently, I did a workshop with a prospect where we used the Security and Compliance Studio solution from To-Increase to achieve this. One of the features is a replication of the Azure AD group assignments in Dynamics 365. With this information, you can set up rules for the automatic role assignment instead of granting access to a group. Then the users will get the roles directly assigned, which ensures they can be used with SoD and workflow assignments.
      If you have additional questions, feel free to reach out via the contact form on my webpage.

      • Karthik says:

        Hi Andre

        The solution of integrating AAD with automatic role assignment looks pretty interesting; can you please explain it in a bit more detail?

        Thanks

  5. Cameron Robinson says:

    If members of the Group imported into D365 FO are Guest members of the AD, will that have an impact? It appears these guest users are not created the first time they attempt to log in to the environment.

  6. May says:

    Hi Andre,

    Really helpful post, thank you. I was wondering what the impact of giving permissions via a group is on mapping a user to a worker record, compared to importing users individually?

    • André Arnaud de Calavon says:

      Hi May,

      Thanks for your comment. I’m not sure if I understand your question. Is your question whether it is possible to automatically link a worker to the user when the user account is automatically created during the first login?

      • pramod says:

        Hi, is this possible? Or only manual mapping?
        I had added users to the AAD groups, but the user is unavailable in Sys admin > Users list to add the person record.
        A few users are there, a few are missing; is there any gap?

          • pramod says:

            Thanks Andre for quick response.

            The user is an internal user.

            We were trying to map the worker to the user, and we are unable to find the user even though he is in the AAD group, because he has never logged in in the past.

            The user list only gets updated when the user logs in to the system; then we can set the person field.

            This is what I observed now, and also on the Power Platform side.

            Anyhow, thank you very much for this blog, really helpful.

          • André Arnaud de Calavon says:

            Hi Pramod,

            Thanks for the additional information. I was assuming that you wanted to import the user manually before he logs in the first time. As written in the blog, either the user gets created once he tries to log in the first time, or you can import the user without assigning security roles, as the permissions will be inherited from the Azure AD group. When you import the user before he logs in, you can already manage settings like the person link.

        • pramod says:

          I got the reason.

          The user should log in to the system at least once; only then can we see them in Sys admin > User list.

  7. Huggins Mafigu says:

    Good day Andre,

    Thank you for the blog post.

    My question is: does this feature also work with the on-prem AD?

    • André Arnaud de Calavon says:

      Hi Huggins,

      Yes, this feature is available for on-premises environments. I supported an end user with some questions about this several years ago. I was only involved with the setup in Dynamics 365 itself, not the AD side.

  8. Pramod says:

    Hi Andre,

    Now some people reported that they were able to log in earlier but now it has stopped for many users 🙁 it’s really strange.
    Another observation is that we cannot import the users from AAD; the import user functionality is not working, it says "Unable to acquire token using MSAL".

    • André Arnaud de Calavon says:

      Hi Pramod,

      I’m not able to check any details about your environment myself. Are you running an on-premise environment or a cloud hosted environment? Are you aware if something related got changed? Have you checked if all certificates are still valid?

      • pramod says:

        Hi Andre,
        It’s a cloud sandbox VM. I have created an MS ticket for this; maybe some outage is impacting it.

          • Pramod says:

            Hi Andre, that was a bug in the MS platform; only 0.5% of customers were impacted by this bug.
            The connection between Azure and F&O was broken for some reason. They said it’s fixed, and I am still validating.

            And another question: is it possible to import the user options via AAD,
            like location and language preference?

          • André Arnaud de Calavon says:

            Out of the box, these properties are not imported from Microsoft Entra ID (the new name for Azure AD). You can check if you can achieve it with a customization. Note that some Dynamics-specific DLLs are used to interact with Entra ID. I don’t know if these DLLs support all attributes apart from those that are used when importing users.

  9. Abdesh says:

    Hi Andre,
    Thanks for the post, given that there is little info about this feature in public. One question from me though: is the feature still expected to work in D365 Finance and Operations 10.0.38 and a standard acceptance environment?

    • André Arnaud de Calavon says:

      Hi Abdesh,

      Yes, the feature still works. Two weeks ago, I presented on this at the D365 Community Summit in Lisbon. Note that after writing this article, Azure AD has been renamed to Azure Entra ID. For this reason the configuration key that needs to be enabled has also been changed to: “Microsoft Entra ID security group”. Feature-wise, there is no change. Note that I’m currently working on a project which will be shared with the community to have a smoother integration where the downsides listed in my blog will be eliminated.

      • Abdesh says:

        I have a hard time proving it works in a standard acceptance env; I followed everything mentioned here as well as Microsoft’s little page about it. Is any Power Platform integration involved in the prerequisites? I don’t know what else to look for.

