Invalid Users

Starting in Microsoft Dynamics 365 F&O version 10.0.39, Microsoft enforced security guidelines for external users. Effectively, Microsoft disabled cross-tenant access in Dynamics 365 F&O. This means that external users from a different tenant can't log in to Dynamics 365 unless they are created as a guest user in your own tenant. In this post, I will elaborate on the change, how it can impact your environments and how to set up external users correctly.

External users

When customers have Dynamics 365 F&O apps deployed in their tenant, they will have users needing access to the application as part of their job responsibilities. Typical roles are, for example, an accountant, sales clerk, project manager, and more. These users will use the application daily for business purposes. Next to these internal users, customers can rely on external auditors or consultants. For these users, a company can create users in their own tenant or let these users log in with their own organizational account. Since the first release it was possible to have users log in with their own organizational credentials by changing the provider field on the User record in Dynamics 365. The application then authenticated the user from a different tenant without any restriction.

This comes with some security concerns. Adding such a user was not brought to the attention of the system administrators of the tenant. The IT department at a customer could be fully bypassed. External consultants often got system administrator rights, giving them the opportunity to add their colleagues. Companies should have better control over who can access which application in their tenant. Microsoft has now implemented stricter rules for when users can log in to a Dynamics 365 service. The users should be added to the tenant by the organization. This can be done with a new account from the organization, or by inviting the external user to the Entra ID of the organization.

Inviting external users to Entra ID was already a best practice, but could be bypassed until version 10.0.38. I wrote a blog before about how to correctly set up external or guest users in Dynamics 365 F&O. If you now try to add an external user in Dynamics 365 F&O without having this user added as a guest user, you will receive an error.

You can read the blog I mentioned above to learn how to solve this problem. When reading that blog, note that in the meantime Microsoft renamed Azure Active Directory to Microsoft Entra ID.

Invalid users

In case you have an existing environment updated to version 10.0.39, external users that were set up without following the Microsoft guidelines (and my blog from about 2 years ago…) will start experiencing login issues. They will then receive the following error: You are not authorized to login with your current credentials. You will be redirected to the login page in a few seconds. In that case, as mentioned above, ensure the user is known in your Microsoft Entra ID tenant.

To support organizations, Microsoft added a new form in the application to alert administrators which users are invalid for Dynamics 365. Navigate to System administration > Users > Invalid users for an overview of issues.

The form will be empty the first time you open it. You can use the action Refresh to update the view with user setups that do not comply with the following rules:

  • Users not found in Microsoft Entra ID
  • Users where the Telemetry ID does not match the Object ID in your Entra ID tenant.
    In case an external user was added before adding the user as a guest to your tenant, it got the Object ID from the external party's Entra ID tenant.
  • Users whose email address contains 'MAIL#'
    Due to a previous issue, users with a Live or Gmail account were advised to use a prefix in the email address. This issue has been resolved, so the prefix should be removed now.

The contents of the form can be used as a to-do list for administrators. Once action is taken, the record can be deleted. Note that deleting the record on this form will not delete the user from Dynamics 365 nor from Entra ID. When deleting some or all records without correcting the user settings, these users will show up again when you perform a new refresh.

There is more…

On the screenshot I shared above, you see some users without an email filled in. These users are Entra ID group users and, in my opinion, should not be included as invalid users. I will check if this is already a known issue at Microsoft. If not, I will report it as an issue. If you are using the integration with Entra ID groups, you will most likely also see these users appearing on your list. In that case, you can ignore them on this list.
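To make the three rules of the Invalid users form and the group-user caveat concrete, here is an added example that re-implements those checks locally over constructed sample data. It is not code from the original post nor from Microsoft: the record layout (`user_id`, `email`, `telemetry_id`, `is_group`), the directory dictionary standing in for an Entra ID lookup, the sample Object IDs and the reason codes are all assumptions for illustration. Stripping a `MAIL#` prefix before the directory lookup is also my own choice, so that the other two rules can still be evaluated for such a user.

```python
"""Re-implementation of the Invalid users checks over constructed data.

Added example, not code from the original post or from Microsoft. The field
names, reason codes and sample values below are assumptions for illustration.
"""
from dataclasses import dataclass

MAIL_PREFIX = "MAIL#"


@dataclass(frozen=True)
class D365User:
    """Assumed shape of a Dynamics 365 F&O user record (constructed)."""
    user_id: str
    email: str            # empty for Entra ID group users (constructed convention)
    telemetry_id: str     # assumed to hold the Entra ID Object ID seen at sign-in
    is_group: bool = False


# Constructed stand-in for the customer's Entra ID tenant: mail -> Object ID.
# A real implementation would query the directory instead of a dictionary.
ENTRA_DIRECTORY = {
    "anna@contoso.example": "11111111-0000-0000-0000-000000000001",
    "bob@partner.example": "11111111-0000-0000-0000-000000000002",   # guest user
    "dave@gmail.example": "11111111-0000-0000-0000-000000000004",
}

# Constructed sample user records as they might appear in Dynamics 365.
SAMPLE_USERS = [
    # Internal user, everything consistent.
    D365User("anna", "anna@contoso.example", "11111111-0000-0000-0000-000000000001"),
    # External consultant added before being invited as a guest: the Telemetry ID
    # still carries the Object ID from the partner's tenant, not from ours.
    D365User("bob", "bob@partner.example", "99999999-0000-0000-0000-000000000002"),
    # External user never invited to our tenant at all.
    D365User("carol", "carol@partner.example", "99999999-0000-0000-0000-000000000003"),
    # Gmail user still carrying the old MAIL# workaround prefix.
    D365User("dave", "MAIL#dave@gmail.example", "11111111-0000-0000-0000-000000000004"),
    # Entra ID group user: no email, shows up on the form but can be ignored.
    D365User("GRP-FIN", "", "11111111-0000-0000-0000-0000000000aa", is_group=True),
]


def classify_user(user: D365User, directory: dict[str, str]) -> list[str]:
    """Return the reason codes for which this user would be listed as invalid.

    An empty list means the user passes all three rules. Group users get their
    own code so an administrator can filter them out of the to-do list.
    """
    if user.is_group or not user.email:
        return ["ENTRA_GROUP_USER"]

    reasons: list[str] = []
    email = user.email
    if MAIL_PREFIX in email.upper():
        reasons.append("MAIL_PREFIX")
        # Assumption: strip the prefix so the remaining rules still apply.
        if email.upper().startswith(MAIL_PREFIX):
            email = email[len(MAIL_PREFIX):]

    object_id = directory.get(email.lower())
    if object_id is None:
        reasons.append("NOT_IN_ENTRA_ID")
    elif object_id.lower() != user.telemetry_id.lower():
        reasons.append("TELEMETRY_ID_MISMATCH")
    return reasons


def find_invalid_users(users: list[D365User], directory: dict[str, str]) -> dict[str, list[str]]:
    """Map user_id -> reason codes for every user that fails at least one rule."""
    result: dict[str, list[str]] = {}
    for user in users:
        reasons = classify_user(user, directory)
        if reasons:
            result[user.user_id] = reasons
    return result


if __name__ == "__main__":
    for user_id, reasons in find_invalid_users(SAMPLE_USERS, ENTRA_DIRECTORY).items():
        print(f"{user_id:8} {', '.join(reasons)}")
```

Running the script lists bob (Telemetry ID mismatch), carol (not in Entra ID), dave (MAIL# prefix) and the GRP-FIN group user, while anna is absent from the output. Correcting each user as described above and re-running the check is the same loop an administrator goes through with the Refresh action on the form.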

I do hope you liked this post and that it will add value for you in your daily work as a professional. If you have related questions or feedback, don't hesitate to use the Comment feature below.

That’s all for now. Till next time!
