Managing users and security

There is an upcoming change and an undocumented feature related to managing users and security in Microsoft Dynamics 365 for Finance and Operations. Using these features has its pros and cons. In this post, I will explain the features and what you need to consider when deciding to use them one way or the other.

Managing users

One important upcoming change for the October 2019 release is a requirement to assign licenses in the Microsoft 365 admin center. You can read more about this on the Create new users documentation page. You can also use the Azure portal or Office 365 admin center to manage the users. In the end, it is all managing the same Azure Active Directory users.

When you have assigned the license, you have a choice: set up the user manually within Finance and Operations, or have the user created automatically the first time they log in. Note that when you have not prepared anything for a new user, they will be created as a user without any security role assigned.

There are some downsides here. The User ID field is auto-created with a meaningless ID like ‘$C0BA’. The same was the case in Microsoft Dynamics AX 2012 when a user was part of an Active Directory group. You can actually change this by renaming the user record. There are some risks: stored query values will not be changed accordingly, and tables where the user ID is used in a field might be skipped by the renaming process if no relation is defined for that field.

I have created an idea on the Dynamics experience website called: Friendly User ID pattern when creating users automatically. You can vote for this idea to have visibility for the Microsoft product team.

However, I would personally prefer to set up or import the user myself. You can then directly control other user attributes like the startup company, time zone and language. Of course, you can also let the new user set up these preferences themselves. A procedure where you first wait for a new employee to start in your company and log in as a user, then change the user settings in Microsoft Dynamics 365 and then assign the roles, doesn’t sound like a logical one. Usually, you would like to have the user prepared correctly, with security roles already assigned. That way your new employee will have a smooth start.

Managing security

When you are in control of setting up users, you also need to find the best way to assign security roles. There are three options:

  • Assign roles manually (via Users or Assign users to role pages)
  • Use automatic role assignment
  • Azure Active Directory Group membership

The most convenient option depends on various conditions, such as the number of users, the number of roles (per user), the number of legal entities and how to secure them individually. In this post I will not elaborate on all options. As this post is about Azure Active Directory, I will explain the last option here.

The option to assign security using Azure Active Directory groups is an undocumented feature. Initially, when you set up Microsoft Dynamics 365 for Finance and Operations, this option is not enabled. You have to enable it via the License configuration form. To be able to change this configuration, your environment must be in maintenance mode. For instructions on enabling and disabling this mode in the various environment types, follow the Maintenance mode documentation.

When you have the environment in maintenance mode, you can browse to System administration > Setup > License configuration.

You have to enable the configuration key called Active Directory security group. When you close the form, it will present a slider dialog to confirm the items to be enabled. After this exercise, don’t forget to disable maintenance mode again.

Before you can use the Azure Active Directory groups, you have to define them and assign members. For this post, I prepared some groups using the Microsoft 365 admin center, but you can also use the Office 365 admin center or the Azure portal.

When you have the groups and members set up, you can continue with the setup in Microsoft Dynamics 365. Browse to System administration > Users > Groups and click the button Import groups. You have to fill the ID field with your own values; I simply copied the Name as the ID for my groups. To have ALL groups imported and not only a single one, you have to select every record that needs to be created as a group.

When the import is successful, you can assign security roles to the group, and even constrain them to specific legal entities via Assign organizations.

When you have completed the full setup of groups, users who are members of the Azure Active Directory group will inherit its security roles. However, the roles are not directly assigned to the user record itself. The same user can be a member of multiple groups; in that case this person gets cumulative access across all of those groups.

Notes and thoughts…

Using Azure Active Directory groups to manage security has certain advantages. A system administrator can create new users and assign groups in one central place. As the groups can also have organizations assigned, it prevents setting up users with security roles and forgetting about the company restrictions. Note that the automatic role assignment feature can also take care of the correct organization assignments. I have experience managing security using automatic role assignment in environments with 2500+ legal entities and/or 1700+ users.

I will also list some disadvantages of the Azure group option.

  • When a user is a member of multiple groups, the Segregation of Duties (SoD) functionality does not work, because it only evaluates roles assigned on the user record. To be able to use the SoD features correctly, you need to assign the roles to the user directly.
  • Out-of-the-box reports will not list the roles a user has access to through groups. The actual role assignment sits on an additional dimension, the Group, rather than on the user.
  • When you configure workflows where participants are assigned via the Security roles option, you have to set up the roles on the user directly.

These downsides might be important for you. In that case, you have to go for manual or automatically assigned roles.
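The two points above that matter most from a security perspective are the cumulative access a user collects across several groups, and the fact that the built-in SoD check only sees roles on the user record. The following is an added example, not code from the original post or from Dynamics 365: it models group-inherited roles with organization restrictions plus direct assignments over a small constructed data set, reports the effective roles per user, and compares a full SoD evaluation against one that, like the out-of-the-box check, only looks at direct assignments. All group, user, role and legal entity names below are constructed placeholders, and the SoD rule set is assumed.

```python
"""Effective roles and SoD conflicts when roles are granted via Azure AD groups.

Added example (not part of the original post). A user inherits the roles of every
group they belong to, a group's roles can be restricted to legal entities, and roles
assigned directly on the user are added on top. All data is constructed.
"""
from collections import defaultdict

ALL_ORGS = "*"  # marker: the role applies in every legal entity

# Constructed sample: group membership as replicated from Azure AD into F&O
GROUP_MEMBERS = {
    "FO-Finance-USMF": {"alice", "bob"},
    "FO-Procurement-USMF": {"bob"},
    "FO-Employees": {"alice", "bob", "carol"},
}

# Constructed sample: roles assigned to each group, with their organizations
GROUP_ROLES = {
    "FO-Finance-USMF": {"Accounts payable manager": {"USMF"}},
    "FO-Procurement-USMF": {"Purchasing agent": {"USMF"}},
    "FO-Employees": {"Employee": {ALL_ORGS}},
}

# Constructed sample: roles assigned directly on the user record
DIRECT_ROLES = {
    "carol": {"Accounts payable manager": {"DEMF"}},
    "dave": {"Accounts payable manager": {"DEMF"}, "Purchasing agent": {"DEMF"}},
}

# Assumed SoD rule set: role pairs one person should not hold in the same legal entity
SOD_RULES = [("Accounts payable manager", "Purchasing agent")]


def effective_roles(user):
    """Return {role: {(org, source), ...}}, cumulative over groups and direct grants."""
    grants = defaultdict(set)
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for role, orgs in GROUP_ROLES.get(group, {}).items():
                for org in orgs:
                    grants[role].add((org, f"group:{group}"))
    for role, orgs in DIRECT_ROLES.get(user, {}).items():
        for org in orgs:
            grants[role].add((org, "direct"))
    return dict(grants)


def orgs_overlap(orgs_a, orgs_b):
    """True if two organization sets share a legal entity (ALL_ORGS matches any)."""
    if ALL_ORGS in orgs_a or ALL_ORGS in orgs_b:
        return True
    return bool(orgs_a & orgs_b)


def all_users():
    users = set(DIRECT_ROLES)
    for members in GROUP_MEMBERS.values():
        users |= members
    return users


def sod_conflicts(include_groups=True):
    """List (user, role_a, role_b) for rule pairs held in an overlapping legal entity.

    include_groups=False mimics a check that only sees roles on the user record,
    which is why group-inherited conflicts go unreported there.
    """
    found = []
    for user in sorted(all_users()):
        roles = effective_roles(user)
        if not include_groups:
            roles = {r: {g for g in gs if g[1] == "direct"} for r, gs in roles.items()}
            roles = {r: gs for r, gs in roles.items() if gs}
        for role_a, role_b in SOD_RULES:
            if role_a in roles and role_b in roles:
                orgs_a = {org for org, _ in roles[role_a]}
                orgs_b = {org for org, _ in roles[role_b]}
                if orgs_overlap(orgs_a, orgs_b):
                    found.append((user, role_a, role_b))
    return found


if __name__ == "__main__":
    for user in sorted(all_users()):
        print(user, effective_roles(user))
    print("full check:", sod_conflicts())
    print("direct-only check:", sod_conflicts(include_groups=False))
```

In the sample, bob's conflict comes entirely from two group memberships and only shows up in the full check, while dave's direct assignments are caught by both. If you rely on groups for role assignment, a periodic report of this kind, fed from an export of group memberships and group role assignments, is the way to keep SoD visibility that the standard functionality no longer gives you.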

There is more…

The groups are in fact also records in the User table. When assigning users to roles, these groups are visible like any other user. In Microsoft Dynamics AX 2012, you had to set up the groups in the Users form and choose a user type to create a group.

It is possible to combine groups and direct role assignments on users. In that case, all permissions are cumulative. So it could be a valid scenario to give all employees the Employee role via a group, and assign additional roles directly to users to meet requirements like SoD and workflow role assignments.

I do hope you liked this post and that it will add value in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.

That’s all for now. Till next time!

19 replies
  1. Hari Kiran
    Hari Kiran says:

    Hi Andre,

    I’ve tried this but the user is imported without the security roles which I’ve assigned to the group in D365. Is there any step that I missed?
    Here’s what I did:
    1. In AAD, created a new group “D365 FO”
    2. Added 2 users to this group
    3. Imported group
    4. Added roles like “Budget manager” & “Accounts payable manager”.
    5. I tried importing one of the users from step 2
    6. User is imported only with “System User” role but not roles from step-4

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Hari,

      I’m not sure what exactly you mean with step 2 or step 4. However, it is correct that you will only see the system user role assigned. Like mentioned in the blog, the persons will inherit the security rights from the AAD group settings when they are part of the group, but the role is not directly assigned.

  2. Sandeep Erande
    Sandeep Erande says:

    Hi Andre .. I think this only works for internal AAD users and not for external AAD users. Could you please confirm?

  3. Aldis
    Aldis says:

    Should this work on local developer machines? I’m getting “The service you are trying to reach is currently unavailable. Please contact your System Administrator for further assistance.”.

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Aldis,

      In my experience it is not working on local dev machines. These machines are emulating some Azure features locally. To be able to use these features, you can deploy environments on Azure.

  4. Jessica Roybal
    Jessica Roybal says:

    Hi André,

    Thanks for a great post, very helpful. I am helping a client go live with 500 users for the first go-live in under 6 months, but there will be several hundred more users 6 months later and additional hundreds as we roll out globally. Do you have any more thoughts/opinions 1 year after writing the post? I am also interested in a compare/contrast of automatic role assignment with the AAD group membership option. The client has several hundred users in AX 2012 and wants to maintain the user IDs moving into FO. So I am thinking the AAD group membership option is not going to work for go-live for existing users, but new users may want to use this option. What are your thoughts?

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Jessica,

      It is possible to export the users with the current User ID and import it in Dynamics 365 for Finance and Operations with this same ID. Then still the AAD group membership will work as the Azure AD Object ID will be linked to the user in Dynamics 365 apart from the User ID.
      Some additional thoughts after a year: For using Azure AD groups and also having the advantage of alerting on Segregation of Duties (SoD) violations and/or use security roles for workflow assignments, there is an alternative. Recently, I did a workshop with a prospect where we used the Security and Compliance Studio solution from To-Increase to achieve this. One of the features is a replication of the Azure AD group assignments in Dynamics 365. With this information, you can set up rules for the automatic role assignment instead of granting access to a group. Then the users will get the roles directly assigned which ensures it can be used with SoD and workflow assignments.
      If you have additional questions, feel free to reach out via the contact form on my webpage.

  5. Cameron Robinson
    Cameron Robinson says:

    If members of the group imported into D365 FO are guest members of the AD, will that have an impact? It appears these guest users are not created the first time they attempt to log in to the environment.

  6. May
    May says:

    Hi Andre,

    Really helpful post, thank you. I was wondering what the impact of giving permission via a group is on mapping a user to a worker record, compared with importing individually?

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi May,

      Thanks for your comment. I’m not sure if I understand your question. Is your question whether it is possible to automatically link a worker to the user when the user account is automatically created during the first login?

  7. Huggins Mafigu
    Huggins Mafigu says:

    Good day Andre,

    Thank you for the blog post.

    My question is: does this feature also work with the on-prem AD?

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Huggins,

      Yes, this feature is available for on-premises environments. I supported an end user with some questions about this several years ago. I was only involved with the setup in Dynamics 365 itself, not the AD side.
