How to use Azure Active Directory for managing users and security in Dynamics 365 for Finance and Operations
There is an upcoming change and an undocumented feature related to managing users and security in Microsoft Dynamics 365 for Finance and Operations. Using these features has its pros and cons. In this post, I will explain the features and what you need to consider when deciding to use them one way or the other.
Update: There is a new post available where you can learn about a new feature for an enhanced Entra ID integration. Enhanced Entra ID group integration in D365FO Admin Toolkit
Managing users
One important upcoming change for the October 2019 release is a requirement to assign licenses in the Microsoft 365 admin center. You can read more about this on the Create new users documentation page. You can also use the Azure portal or Office 365 admin center to manage the users. In the end, it is all managing the same Azure Active Directory users.

When you have assigned the license, you have a choice: set up the user manually within Finance and Operations, or have the user created automatically the first time they log in. Note that when you have not prepared anything for a new user, they will be created as a user without any security role assigned.
There are some downsides here. The User ID field is auto-created with a meaningless ID like ‘$C0BA’. The same was the case in Microsoft Dynamics AX 2012 when a user was part of an Active Directory group. You can actually change this by renaming the user record. There are some risks: query values will not be changed accordingly, and tables where the user ID is stored in a field might be skipped by the renaming process if no relation to the User table is defined.
I have created an idea on the Dynamics experience website called: Friendly User ID pattern when creating users automatically. You can vote for this idea to give it visibility with the Microsoft product team.

However, I would personally like to set up or import the user myself. You can then directly control other user attributes like the startup company, time zone and language. Of course, you can also let the new user set up the preferences themselves. A procedure where you first wait for a new employee to start in your company and log in as a user, then change the user settings in Microsoft Dynamics 365, and only then assign the roles doesn’t sound like a logical one. Usually, you would like to have the user prepared correctly, with security roles already assigned. In that case, your new employee will have a smooth start.
Managing security
When you are in control of setting up users, you also need to find the best way to assign security roles. There are three options:
- Assign roles manually (via Users or Assign users to role pages)
- Use automatic role assignment
- Azure Active Directory Group membership
The most convenient option depends on various conditions, e.g. the number of users, the number of roles (per user), the number of legal entities and how to secure them individually. In this post I will not elaborate on all options. As this post is about Azure Active Directory, I will explain the last option here.
The option to assign security using Azure Active Directory groups is an undocumented feature. Initially, when you set up Microsoft Dynamics 365 for Finance and Operations, this option is not enabled. You have to enable it via the License configuration form. To be able to change this configuration, your environment must be in maintenance mode. For instructions on enabling and disabling this mode in the various environment types, follow the Maintenance mode documentation.
When you have the environment in maintenance mode, you can browse to System administration > Setup > License configuration.

You have to enable the configuration called Active Directory security group. When you close the form it will present a slider dialog to confirm the items to be enabled. After this exercise, don’t forget to disable the maintenance mode.
Before you can use the Azure Active Directory groups, you have to define them and assign members. For this post, I prepared some groups using the Microsoft 365 admin center, but you can also use the Office 365 admin center or the Azure portal.

When you have the groups and members set up, you can continue with the setup in Microsoft Dynamics 365. Browse to the page System administration > Users > Groups. Then click the button Import groups. You have to fill the ID field with your own values; I simply copied the Name as ID for my groups. To have ALL groups imported and not only a single one, you have to select all records that need to be created as a Group.

When the import is successful, you can assign security roles; even with constraining legal entities by Assigning organizations.

When you have completed the full setup of Groups, users who are members of these groups in Azure Active Directory will inherit the security roles. However, the roles are not directly assigned to the user itself. The same user can be a member of multiple groups. In that case this person will get cumulative access across the groups.
Notes and thoughts…
Using the Azure Active Directory groups to manage security has certain advantages. A system administrator can create new users and assign groups in one central place. As the groups can also have organizations assigned, it prevents setting up users with security roles while forgetting the company restrictions. Note that the automatic role assignment feature can also take care of the correct organization assignments. I have experience managing security using automatic role assignments in environments with 2500+ legal entities and/or 1700+ users.
I will also list some disadvantages of the Azure group option.
- When a user is a member of multiple groups, the Segregation of Duties functionality does not work. To be able to use the SoD features correctly, you need to assign the roles directly to the user.
- Out of the box reports will not be able to list the roles the user has access to. There is an additional dimension called Group which has the actual role assignment.
- When you configure workflows where users are assigned via the security roles option, you have to set up the roles directly on the user.
Update after initially posting this blog:
- eXtensible Data Security (XDS) policies can be dependent on security roles. If the user does not have the security role directly assigned, the policy is not effective as intended.
- In case you publish Saved views to security roles, the users will not have the saved views copied to their user settings.
These downsides might be important for you. In that case, you have to go for manual or automatically assigned roles.
There is more…
The Groups are in fact also records in the User table. When assigning users to roles, these Groups are also visible like any other user. In Microsoft Dynamics AX 2012, you had to setup the groups in the Users form and choose a user type to setup a group.
It is possible to use a combination of groups and direct role assignments on users. In that case, all permissions accumulate. So, it could be a valid scenario to have e.g. all employees set up with a group to get the Employee role and assign additional roles directly to users to meet requirements like SoD and workflow role assignments.
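The three points above (roles inherited from groups are cumulative, SoD only sees roles assigned directly to the user, and group and direct assignments can be combined) are easiest to reason about with a small model. The following is an added example, not code from the original post and not Dynamics 365 code: a plain Python model of users, imported groups with roles and organization restrictions, and an SoD check run once the way the out-of-the-box feature behaves (direct roles only) and once over the effective role set. All user, group, role and company names are constructed sample data, and the SoD rule is an assumed example conflict.

```python
"""Model of effective security roles in D365FO when roles come from Entra ID
(Azure AD) group membership, direct assignment, or both.

Added example with constructed sample data; not the product's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ALL_COMPANIES = "*"  # marker: role valid in every legal entity (no organization restriction)


@dataclass
class Group:
    """An Entra ID group imported into D365FO, with roles (and optional organizations)."""
    name: str
    members: frozenset[str]
    roles: dict[str, frozenset[str]]  # role -> legal entities the role is restricted to


@dataclass
class User:
    user_id: str
    direct_roles: dict[str, frozenset[str]] = field(default_factory=dict)


def effective_roles(user: User, groups: list[Group]) -> dict[str, set[str]]:
    """Return role -> sources ('direct' or 'group:<name>'), cumulative over all sources."""
    sources = {role: {"direct"} for role in user.direct_roles}
    for g in groups:
        if user.user_id in g.members:
            for role in g.roles:
                sources.setdefault(role, set()).add("group:" + g.name)
    return sources


def role_companies(user: User, groups: list[Group], role: str) -> set[str]:
    """Legal entities in which `role` is effective for the user (union over sources)."""
    companies: set[str] = set(user.direct_roles.get(role, ()))
    for g in groups:
        if user.user_id in g.members and role in g.roles:
            companies |= g.roles[role]
    return {ALL_COMPANIES} if ALL_COMPANIES in companies else companies


def sod_conflicts(user: User, groups: list[Group], rules: list[tuple[str, str]],
                  include_group_roles: bool) -> list[tuple[str, str]]:
    """Conflicting role pairs held by the user.

    include_group_roles=False mimics the out-of-the-box SoD check, which only
    inspects roles assigned directly to the user; True evaluates the effective set.
    """
    held = set(effective_roles(user, groups)) if include_group_roles else set(user.direct_roles)
    return sorted((a, b) for a, b in rules if a in held and b in held)


def sod_audit(users: dict[str, User], groups: list[Group],
              rules: list[tuple[str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Per user, the conflicts that a direct-roles-only SoD check would miss."""
    missed = {}
    for uid, u in users.items():
        direct_only = sod_conflicts(u, groups, rules, include_group_roles=False)
        gap = [c for c in sod_conflicts(u, groups, rules, include_group_roles=True)
               if c not in direct_only]
        if gap:
            missed[uid] = gap
    return missed


# Constructed sample data (hypothetical groups, users and companies).
GROUPS = [
    Group("FO-AP", frozenset({"alice", "bob"}),
          {"Accounts payable manager": frozenset({"USMF"})}),
    Group("FO-Purchasing", frozenset({"alice"}),
          {"Purchasing agent": frozenset({ALL_COMPANIES})}),
]
USERS = {
    "alice": User("alice"),  # everything inherited from groups
    "bob": User("bob", {"Purchasing agent": frozenset({"USMF"})}),  # mixed: direct + group
    "carol": User("carol", {"Accounts payable manager": frozenset({ALL_COMPANIES}),
                            "Purchasing agent": frozenset({ALL_COMPANIES})}),  # direct only
}
SOD_RULES = [("Accounts payable manager", "Purchasing agent")]  # assumed example conflict

if __name__ == "__main__":
    for uid, u in USERS.items():
        print(uid, effective_roles(u, GROUPS),
              "direct-only SoD:", sod_conflicts(u, GROUPS, SOD_RULES, False),
              "effective SoD:", sod_conflicts(u, GROUPS, SOD_RULES, True))
    print("missed by direct-only check:", sod_audit(USERS, GROUPS, SOD_RULES))
```

In the sample data, carol's conflict is caught by the direct-only check because both roles sit on the user record, while alice (both roles via groups) and bob (one role direct, one via a group) hold the same conflicting pair but are reported only when the effective set is evaluated. The `sod_audit` output is the list a security reviewer would want when roles are granted through groups.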
I do hope you liked this post and that it adds value to your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.
That’s all for now. Till next time!
Good post
Such a great post, thanks André.
Hi Andre,
I’ve tried this but the user is imported without the security roles which I’ve assigned to the group in D365. Is there any step that I missed?
Here’s what I did:
1. In AAD, created a new group “D365 FO”
2. Added 2 users to this group
3. Imported group
4. Added roles like “Budget manager” & “Accounts payable manager”.
5. I tried importing one of the user from step-2
6. User is imported only with “System User” role but not roles from step-4
Hi Hari,
I’m not sure what exactly you mean with step 2 or step 4. However, it is correct that you will only see the system user role assigned. Like mentioned in the blog, the persons will inherit the security rights from the AAD group settings when they are part of the group, but the role is not directly assigned.
Thanks Andre. It is working.
Hi Andre .. I think this only works for Internal AAD users and not for the External AAD users. Could you please confirm ?
Hi Sandeep,
Thanks for reading the blog. Your understanding is correct. It works only for users part of your own AAD.
Thanks Andre…
Should this work on local developer machines? I’m getting “The service you are trying to reach is currently unavailable. Please contact your System Administrator for further assistance.”.
Hi Aldis,
In my experience it is not working on local dev machines. These machines are emulating some Azure features locally. To be able to use these features, you can deploy environments on Azure.
Hi André,
Thanks for a great post very helpful. I am helping a client go live with 500 users for the first go live in under 6 months, but will be several more hundred users 6 months later and additional hundreds as we do a roll out globally. Do you have any more thoughts/opinions 1 year after writing the post? Also interested in a compare/contrast with automatic role assignment with the AAD group membership option. The client has several hundred users in AX 2012 and wants to maintain the user ID moving into FO. So I am thinking the AAD group membership option is not going to work for Go-Live for existing users, but new users may want to use this option. What are you thoughts?
Hi Jessica,
It is possible to export the users with the current User ID and import it in Dynamics 365 for Finance and Operations with this same ID. Then still the AAD group membership will work as the Azure AD Object ID will be linked to the user in Dynamics 365 apart from the User ID.
Some additional thoughts after a year: For using Azure AD groups and also having the advantage of alerting on Segregation of Duties (SoD) violations and/or use security roles for workflow assignments, there is an alternative. Recently, I did a workshop with a prospect where we used the Security and Compliance Studio solution from To-Increase to achieve this. One of the features is a replication of the Azure AD group assignments in Dynamics 365. With this information, you can set up rules for the automatic role assignment instead of granting access to a group. Then the users will get the roles directly assigned which ensures it can be used with SoD and workflow assignments.
If you have additional questions, feel free to reach out via the contact form on my webpage.
Hi Andre
The solution of integrating AAD with automatic role assignment looks pretty interesting, can you please explain it in bit brief.
Thanks
Hi Karthik,
The blog actually explains the integration between Azure AD, now being called Entra ID. Can you tell which exact part you don’t understand?
If members of the Group imported into D365 FO are Guest members to the AD, will that have an impact. It appears these guest users are not created the first time they attempt to login to the environment.
Hi Cameron,
In my experience, only Azure AD users of your own tenant will be imported the first time.
Yep, I worked through a series of scenarios and can confirm GUEST accounts do not currently work with Groups. Thanks for your reply. Cam
Hi Andre,
Really helpful post, thank you. I was wondering what the impact of giving permission via group is on mapping a user to a worker record, compared to importing individually?
Hi May,
Thanks for your comment. I’m not sure if I understand your question. Is your question whether it is possible to automatically link a worker to the user when the user account is automatically created during the first login?
Hi is this possible?
or manual mapping ?
I had added users to the AAD groups but he’s unavailable in sys admin > users list to add the person record.
A few users are there, a few are missing. Is there any gap?
Hi Pramod,
Is the user part of your Azure AD tenant or an external user? Can you provide more information? Or maybe the user is already added in Dynamics?
Thanks Andre for quick response.
The user is internal user.
We were trying to map the worker to the user, and we are unable to find the user even though he’s in the AAD group,
because he was never logged in in the past.
The user list only gets updated when the user logs in to the system. Then we can add the person field.
This is what I observed now, and also on the Power Platform side.
Anyhow, thank you very much for this blog, really helpful.
Hi Pramod,
Thanks for the additional information. I was assuming that you wanted to import the user manually before he logs in the first time. As written in the blog, or the user gets created once he tried to login the first time, or you can import the user and don’t assign security roles as the permissions will be inherited from the Azure AD group. When you import the user before he logs in, you can already manage settings like the person link.
I got the reason.
The user should log in to the system at least once. Only then can we see them in the sys admin > user list.
Good day Andre,
Thank you for the blog post.
My question is does this feature also works with the on-prem AD?
Hi Huggins,
Yes, this feature is available for on-premise environments. I supported an end user with some questions about this several years ago. I only was involved with the setup in Dynamics 365 itself, not the AD side.
Hi Andre,
now some people reported that they were able to login earlier but now it stopped for many users 🙁 it’s really strange.
And another observation is that we cannot import the users from AAD; the import user functionality is not working, it says Unable to acquire token using MSAL
Hi Pramod,
I’m not able to check any details about your environment myself. Are you running an on-premise environment or a cloud hosted environment? Are you aware if something related got changed? Have you checked if all certificates are still valid?
Hi Andre,
It’s a cloud sandbox VM. I had created an MS ticket for this; maybe some outage is impacting this.
Hi Pramod,
Microsoft Support might be able to check certain settings and servicing around your environment. I would be interested to know the outcome of this support ticket.
Hi Andre, that was a bug in the MS platform; only 0.5 % of customers were impacted due to this bug.
The connection between Azure and F&O was broken for some reason. They said it’s fixed, and I am still validating this.
And another question: is it possible to import the user options via AAD,
like location and language preference?
Out of the box, these properties are not imported from Microsoft Entra ID (New name for Azure AD). You can check if you can achieve it with a customization. Note that some Dynamics specific dlls are used to interact with Entra Id. I don’t know if these dlls do support all attributes apart from those that are used when importing users.
thank you very much Andre, you are awesome.
Hi Andre,
Thanks for the post given that there is little info about this feature in public. One question from me though, is the feature still expected to work in D365 Finance and Operations 10.0.38 and standard acceptance environment ?
Hi Abdesh,
Yes, the feature still works. Two weeks ago, I presented about this on the D365 Community Summit in Lisbon. Note that after writing this article, Azure AD has been renamed to Azure Entra ID. For this reason also the configuration key that needs to be enabled has been changed to: “Microsoft Entra ID security group”. Feature wise, there is no change. Note that I’m currently working on a project which will be shared with the community to have a more smooth integration where the downsides as listed in my blog will be eliminated.
I have hard time to prove it working in a standard acceptance env, followed everything mentioned here as well as Microsoft’s little page about it. Is any power platform integration involved in the prerequisites, I don’t know what to look for else ?
Hi Abdesh,
There is no Power Platform integration required. Can you describe the current behavior, so I can try to understand what might be wrong in your environment?
Is there any way through X++ code to see which AAD group(s) a User belongs to??
Hi,
Thanks for reading the post and your question. Have a look at my recent post. I created a tool to sync the membership and use that information to assign the roles to the users themselves. The tool is open source and you can check in source code shared in the GitHub project what X++ coding to use. You can use the tool for free.
https://dynamicspedia.com/2024/08/enhanced-entra-id-group-integration-in-d365fo-admin-toolkit/