Enhanced Entra ID group integration in D365FO Admin Toolkit
A few years ago, I wrote a blog post about how to use Azure Active Directory for managing users and security in Dynamics 365 for Finance and Operations. In the meantime, Microsoft renamed Azure Active Directory to Microsoft Entra ID. In that blog, I described how to manage users and grant access permissions by using security groups in Entra ID. Access permissions in Dynamics 365 Finance and Operations are then inherited from a group user. Using this option has some downsides, mainly related to not having security roles directly assigned to the user. I contributed an enhanced Entra ID group integration feature to the D365FO Admin Toolkit. You can read more about this new feature in this post.
Standard Entra ID group integration
The standard Entra ID group integration is the base for the customizations I developed. If you are not familiar with this option, I recommend reading the blog I shared in my introduction and a blog from Alex Meyer: Configuring Azure AD Group Security in D365FO. When you read these blogs, read Azure Active Directory as Entra ID.
Using this option makes it easy for system and security administrators to provide access by only using Microsoft Entra ID, like many other applications. Administrator portals such as the Microsoft 365 Admin Center and the Azure Portal interact with Entra ID as a cloud-based identity and access management solution.
To be able to use the Entra ID group integration, you must set up some prerequisites. First, the license configuration key Microsoft Entra ID security group needs to be enabled. Then you need to set up security groups in Entra ID and Dynamics 365 F&O. The group users in Dynamics 365 F&O will get the security roles assigned, including organization assignments to limit access to specific legal entities.
A user will then inherit permissions from the security group. In addition, you can manually assign roles to the user or have automatic role assignments. The effect of using all three options, Entra ID, manual assignments, and automatic role assignment is that the permissions will be cumulative.
The standard Entra ID groups integration has some downsides as I mentioned in my blog post. I will repeat them in this post.
- When a user signs in for the first time, a user record is created automatically with a meaningless ID such as ‘$C0BA’.
- Within the application there is no visibility of which users are associated with which Entra ID groups in Dynamics 365.
- When a user is a member of multiple groups, the Segregation of Duties functionality does not work. To be able to use the SoD features correctly, you need to assign the roles to the user directly.
- Out-of-the-box reports will not be able to list the roles the user has access to. There is an additional dimension called Group which holds the actual role assignment.
- When you configure workflows where users are assigned via the option security roles, you have to set up the roles on the user directly.
- eXtensible Data Security (XDS) policies can depend on security roles. If the user does not have the security role assigned, the policy is not applied as intended.
- If you publish Saved views to security roles, the users will not get the saved views copied to their user settings.
An alternative would be assigning security roles manually or automatically. I implemented automatic role assignment for large organizations, for example one with over 1700 users and a scenario with over 2500 legal entities. This can be a good alternative, but it does not replace the requirement I hear more often: using Entra ID groups for managing the permissions.
So, a solution that assigns roles to users based on their membership of Entra ID groups will solve these downsides.
Enhanced Entra ID group integration
When thinking of a solution, I initially thought of adding a third type of security role assignment to the enumerator. Next to Manual and Automatic, an assignment type of Entra ID group was something I tried to add. Although the enumeration is not extensible, I found a way around this and started development for synchronizing the Entra ID group memberships and creating new records in the tables for security role and organization assignments for the user. I ran into challenges with use cases combining organization assignments on manually or automatically added roles with Entra ID group memberships.
I decided to start over and make a new solution based on automatic role assignments. The roles and organizations assigned to group users are copied as automatic role assignment rules, based on a new setting.
Entra ID group membership
To be able to have the Entra ID group membership rules working, a table needs to store this information. I added a new table for this purpose. The table can be populated for all users.
There is a periodic task where you can set up a batch job to synchronize the Entra ID group membership in the background with a recurrence pattern. In the D365FO Admin Toolkit parameters, you can also enable a synchronous integration at the moment users interact with the application. Here too you can set a pattern to have this executed once an hour, or more or less frequently based on your requirements.
Automatic role assignment connection
The next step is enabling the option for a connection between Group users and the automatic role assignment. On the Groups page, a new setting is added to create automatic role assignment rules for each assigned role including organization assignments.
On this page, a FactBox is also added showing the users having a membership for the group in Entra ID. When the Automatic role assignment field is enabled, all existing or new role assignments will be copied as an automatic rule.
For each role manually assigned to a group user, a rule for dynamically assigning users to that role is also created. If the rule is managed by the enhanced Entra ID group integration, you can’t edit the query, you can only view it. The same applies to the organization assignment on the rule. The rule is based on a query looking at the users who are a member of the Entra ID group in the new association table. If a user or group is not active, it is excluded from the automatic role assignment.
As a result of Alfonso, Brooke, and Kevin being members of one of the Accountant security groups, the role is assigned automatically. Note that even when a user is not assigned to a role, the security framework still grants permissions for all roles set up on the group. So, if the automatic role assignment job is not running, the framework takes care of the permissions. The purpose of the enhancement is to have the role assigned to the user, so that application logic which checks for roles assigned to the user can be used.
It is important to know that if a user is removed from a group in Entra ID, there might be a delay before the automatic role assignment job runs and revokes access. As long as the role is assigned dynamically, the user has permission to execute tasks. It is recommended to find a correct recurrence pattern for the synchronization job or to enable synchronous synchronization for the users on the parameters form.
If you have a mix of role assignments using Entra ID groups, other automatic role assignment rules, and manual assignments, these work together. Manual assignments override any automatic rule. All permissions granted via these options are cumulated for a user.
Periodic tasks
For the feature, there are two periodic jobs added that can run periodically in the background. The job Entra ID group user membership synchronization will fill a table storing the membership of users on Entra ID groups.
The task named Import users from Entra ID group membership will check for users in Entra ID who are not created as a user in Dynamics 365. When it finds a new user, it adds the user in Dynamics 365 using the same pattern for user IDs as the Import users function on the Users management page. When the batch job creates the user before they sign in the first time, you prevent getting the 5-character user IDs starting with the dollar sign.
Another advantage of getting the users into Dynamics 365 before they log in is that you can now check for possible conflicts on Segregation of Duties rules. In that case, a second role will not be added, but because the security framework inherits permissions from the group, the user effectively has the permissions despite an unresolved SoD conflict.
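To make the behaviour of the enhanced integration concrete, here is an added model (in Python, not the toolkit's X++ code) of the rule evaluation described in the Automatic role assignment connection section and of the SoD check in the import job above. All tables, users, groups, legal entities and the single SoD rule are constructed sample data; it shows why a role kept off the user record by the SoD check is still effectively granted through group inheritance.

```python
# Constructed sample data standing in for the tables the post describes; not the toolkit's schema.
GROUP_MEMBERSHIP = {  # user -> Entra ID groups found by the membership synchronization job
    "Alfonso": {"Accountants"}, "Brooke": {"Accountants", "Payables"},
    "Kevin": {"Accountants"}, "Dana": {"Payables"},
}
GROUP_ROLES = {  # group user -> [(role, legal entities)] copied as automatic role assignment rules
    "Accountants": [("Accountant", {"USMF"})],
    "Payables": [("AP clerk", {"USMF", "DEMF"})],
}
GROUP_ACTIVE = {"Accountants": True, "Payables": True}
USER_ACTIVE = {"Alfonso": True, "Brooke": True, "Kevin": False, "Dana": True}
MANUAL = {"Brooke": [("Accountant", {"USMF", "DEMF"})]}  # roles assigned by hand on the user
SOD_RULES = [("Accountant", "AP clerk")]  # Segregation of Duties: these two roles must not be combined


def group_permissions(user):
    """Roles the security framework grants through group inheritance, whether or not a role
    record exists on the user: every role of every active group an active user belongs to."""
    if not USER_ACTIVE.get(user):
        return {}
    granted = {}
    for group in GROUP_MEMBERSHIP.get(user, set()):
        if GROUP_ACTIVE.get(group):
            for role, orgs in GROUP_ROLES.get(group, []):
                granted.setdefault(role, set()).update(orgs)
    return granted


def conflicts_with(role, assigned):
    """True if adding `role` next to the already assigned roles violates an SoD rule."""
    return any({a, b} == {role, other} for a, b in SOD_RULES for other in assigned)


def roles_to_assign(user):
    """Role records the assignment job would write: manual assignments first (they override the
    automatic rule for the same role), then automatic rules, skipping any role that would raise
    an SoD conflict, which is the case the post warns about."""
    assigned = {role: set(orgs) for role, orgs in MANUAL.get(user, [])}
    for role, orgs in group_permissions(user).items():
        if role in assigned or conflicts_with(role, assigned):
            continue
        assigned[role] = set(orgs)
    return assigned


def unresolved_sod_gap(user):
    """Roles a user can effectively use via group inheritance although the SoD check kept them
    off the user record: the blind spot an SoD report based on assigned roles alone would miss."""
    return sorted(set(group_permissions(user)) - set(roles_to_assign(user)))
```

For Brooke the job writes only the Accountant role, yet `unresolved_sod_gap("Brooke")` reports AP clerk, so an SoD review should look at group permissions as well as assigned roles.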
D365FO Admin Toolkit Parameters
On the parameters, a new tab page is added for the Entra ID group integration. If you enable the option Automatic role assignment, this value is used as the default when importing new Group users.
The Synchronous synchronization field enables synchronization of groups for a user while the user opens new pages in the application. When this option is enabled, the fields Pattern and Frequency become available to set the interval at which the application checks for changed group memberships on Microsoft Entra ID. The default is once per hour, but if you expect a lot of changes during the daytime and it is important to have the group membership synchronized as soon as possible, you can set up a higher frequency. Depending on your requirements, you can also set the frequency to once or twice a day.
With these enhancements, I think organizations can fully benefit from the Identity and Access Management features of Microsoft Entra ID. Other Dynamics 365 applications and third-party applications also support managing users and granting access using Microsoft Entra ID only. You can watch the video below for a small demonstration of the features.
D365FO Admin Toolkit
The D365FO Admin Toolkit is an open-source initiative from Alex Meyer. It is a toolkit intended to make life for Dynamics 365 administrators easier. The project is hosted on GitHub and created by and for the community.
The first feature added by Alex was the option to revoke and reinstate the system administrator role without needing elevated permissions. Since the first release, other community members have contributed to the project. Some helped with creating unit tests, for example, and others provided translations for several countries. Some other smaller enhancements were also added by community members.
The features described above are now also added to the D365FO Admin Toolkit. They are merged into the Dev branch and are part of release 1.7 of the Admin Toolkit. You can use the following landing page: D365FO Admin Toolkit – Alex Meyer (alexdmeyer.com)
There is more…
The released feature is free to download and use. If you have feedback, feel free to provide your ideas. If you find issues, please report them. The enhanced Entra ID group feature needs some attention in the future in the following areas:
- Translations. Although translations were contributed, the feature I added has labels for the English (US) language only. Translations will be updated in a next release.
- The batch jobs are not optimized for performance. If you encounter a performance-related issue with synchronizing the data with Entra ID, please let us know, including information about the number of users, groups, and roles in your Dynamics 365 environment. The batch jobs use a single thread at this moment. It is possible to divide the workload over multiple batch threads.
- In the first release, the batch jobs have no configuration options such as parameters or selecting which records to include.
- Don’t forget that when a setup is done to grant permissions via Group users, the member will always have access to the granted areas of the application, even if the roles have not been dynamically added to the user. The assignment of the roles to the users is done to solve the issues listed in this blog above.
- Because the roles are assigned automatically, there might be a delay in revoking access from these roles when a user is removed as a member from a group in Entra ID. In case
- Telemetry is not included in this feature. It needs to be analyzed to check what telemetry is generated by the standard application which now should also be logged in case e.g. a user is created or a role has been assigned.
I hope you liked this post and that it adds value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.
That’s all for now. Till next time!
Great contribution for the community by both of you