There is an upcoming change and an undocumented feature related to managing users and security in Microsoft Dynamics 365 for Finance and Operations. Using these features has its pros and cons. In this post, I will explain the features and what you need to consider when using them one way or the other.
One important upcoming change for the October 2019 release is a requirement to assign licenses in the Microsoft 365 admin center. You can read more about this on the Create new users documentation page. You can also use the Azure portal or Office 365 admin center to manage the users. In the end, it is all managing the same Azure Active Directory users.
When you have assigned the license, you have a choice: set up the user manually within Finance and Operations, or have the user created automatically the first time they log in. Note that when you have not prepared anything for a new user, they will be created as a user without any security role assigned.
There are some downsides here. The User ID field is created automatically with a meaningless ID like ‘$C0BA’. The same was the case in Microsoft Dynamics AX 2012 when a user was part of an Active Directory group. You can actually change this by renaming the user record. There are some risks: query values will not be changed accordingly, and some tables where the user ID is used in a field might be skipped by the renaming process if no relation is defined.
I have created an idea on the Dynamics experience website called: Friendly User ID pattern when creating users automatically. You can vote for this idea to have visibility for the Microsoft product team.
However, I would personally like to set up or import the user myself. You can then directly control other user attributes like the startup company, time zone and language. Of course, you can also let the new user set up the preferences himself. A procedure where you first wait for a new employee to start in your company and log in as a user, then change the user settings in Microsoft Dynamics 365, and only then assign the roles doesn’t sound like a logical one. Usually, you would like to have the user prepared correctly, with security roles already assigned. In that case, your new employee will have a smooth start.
When you are in control of setting up users, you also need to find the best way to assign security roles. There are three options:
- Assign roles manually (via Users or Assign users to role pages)
- Use automatic role assignment
- Azure Active Directory Group membership
The most convenient option depends on various conditions. It could depend on, for example, the number of users, the number of roles (per user), the number of legal entities and how to secure them individually. In this post I will not elaborate on all options. As this post is about Azure Active Directory, I will explain the last option here.
The option to assign security using Azure Active Directory groups is an undocumented feature. Initially, when you set up Microsoft Dynamics 365 for Finance and Operations, this option is not enabled. You have to enable it via the License configuration form. To be able to change this configuration, your environment should be in maintenance mode. For instructions on enabling and disabling this mode in the various environment types, follow the Maintenance mode documentation.
When you have the environment in maintenance mode, you can browse to System administration > Setup > License configuration.
You have to enable the configuration called Active Directory security group. When you close the form it will present a slider dialog to confirm the items to be enabled. After this exercise, don’t forget to disable the maintenance mode.
Before you can use the Azure Active Directory groups, you have to define them and assign members. For this post, I prepared some groups and used the Microsoft 365 admin center, but you can also use the Office 365 admin center or the Azure admin portal.
When you have the groups and members set up, you can continue with the setup in Microsoft Dynamics 365. Browse to the page System administration > Users > Groups. Then click the button Import groups. You have to fill the ID field with your own values. I just copied the Name as the ID for my groups. To have ALL groups imported and not only a single one, you have to select all records that need to be created as a Group.
When the import is successful, you can assign security roles, and even constrain them to legal entities via Assign organizations.
When you have completed the full setup of Groups, users who are members of the Azure Active Directory groups will inherit the security roles. However, the roles are not directly assigned to the user itself. The same user can be a member of multiple groups. In that case this person will get cumulative access across the groups.
Notes and thoughts…
Using the Azure Active Directory groups to manage security has certain advantages. A system administrator can create new users and assign groups in one central place. As the groups can also have organizations assigned, it prevents setting up users with security roles while forgetting about the company restrictions. Note that the automatic role assignment feature can also take care of the correct organization assignments. I have experience managing security using automatic role assignments in environments with 2500+ legal entities and/or 1700+ users.
I will also list some disadvantages of the Azure group option.
- When a user is a member of multiple groups, the Segregation of Duties functionality does not work. To be able to use the SoD features correctly, you need to assign the roles on the user himself.
- Out-of-the-box reports will not be able to list the roles the user has access to. There is an additional dimension called Group which has the actual role assignment.
- When you configure workflows where users will be assigned via the option security roles, you have to set up the roles on the user himself.
These downsides might be important for you. In that case, you have to go for manual or automatically assigned roles.
There is more…
The Groups are in fact also records in the User table. When assigning users to roles, these Groups are visible like any other user. In Microsoft Dynamics AX 2012, you had to set up the groups in the Users form and choose a user type to set up a group.
It is possible to use a combination of groups and direct role assignments on users. In that case, all permissions accumulate. So, it could be a valid scenario to have, e.g., all employees set up with a group to get the Employee role and assign additional roles to users to meet requirements like SoD and workflow role assignments.
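To make the cumulative-access and SoD points above concrete, here is an added audit script (not code from Microsoft or from this blog) that computes a user's effective roles per legal entity from group membership plus direct assignments, and compares the SoD conflicts a direct-assignments-only check would see with the conflicts that actually exist. All users, groups, roles and SoD rules are constructed sample data.

```python
# Effective-role audit: direct role assignments plus roles inherited via
# Azure AD group membership, per legal entity. Constructed sample data only.

# Constructed sample data: not exported from any real environment.
ALL_ORGS = {"USMF", "DEMF"}
GROUPS = {  # group -> (roles, legal entities the group is constrained to; None = all)
    "AllEmployees": ({"Employee"}, None),
    "AP-Clerks-US": ({"AP clerk"}, {"USMF"}),
}
MEMBERSHIP = {"alice": {"AllEmployees", "AP-Clerks-US"}, "bob": {"AllEmployees"}}
DIRECT = {  # user -> role -> legal entities the direct assignment covers
    "alice": {"AP manager": {"USMF"}},
    "bob": {"AP clerk": {"DEMF"}, "AP manager": {"DEMF"}},
}
SOD_RULES = [("AP clerk", "AP manager")]  # pairs that must not be held together


def effective_roles(user):
    """Return {org: set(roles)}, cumulating group-inherited and direct roles."""
    result = {org: set() for org in ALL_ORGS}
    for group in MEMBERSHIP.get(user, ()):
        roles, orgs = GROUPS[group]
        for org in (orgs or ALL_ORGS):
            result[org] |= roles
    for role, orgs in DIRECT.get(user, {}).items():
        for org in orgs:
            result[org].add(role)
    return result


def sod_conflicts(user, direct_only=False):
    """List (org, role_a, role_b) conflicts. direct_only mimics a check that
    only sees roles assigned on the user record, so group-inherited roles
    stay invisible to it."""
    if direct_only:
        per_org = {org: set() for org in ALL_ORGS}
        for role, orgs in DIRECT.get(user, {}).items():
            for org in orgs:
                per_org[org].add(role)
    else:
        per_org = effective_roles(user)
    return [(org, a, b) for org, roles in sorted(per_org.items())
            for a, b in SOD_RULES if a in roles and b in roles]


if __name__ == "__main__":
    for u in sorted(MEMBERSHIP):
        print(u, "direct-only:", sod_conflicts(u, direct_only=True),
              "effective:", sod_conflicts(u))
```

For alice the direct-only view reports nothing, while the effective view shows an AP clerk / AP manager conflict in USMF that arrives through the group; that is the gap you close by putting SoD-relevant roles on the user record itself.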
I hope you liked this post and that it adds value to your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.
That’s all for now. Till next time!