Implementing security with Azure Active Directory User Groups in Dynamics 365 F&O

June 6, 2024

Microsoft Active Directory Security Groups is a legacy feature from Microsoft that enables user role and organization assignments based on users' membership in Microsoft Active Directory security groups. It can also be used to enable JIT (just-in-time) provisioning of users when they sign in to a Dynamics 365 Finance and Operations environment for the first time.
The purpose of Active Directory security groups is to simplify and manage access control and permissions for users within a network. These groups allow administrators to efficiently assign rights and permissions to multiple users simultaneously, ensuring consistent access to resources such as files, folders, applications, and other network services.
As the Office 365 world is expanding, more businesses are moving their solutions to the cloud. As a result, there is a greater need for administrators to be able to manage and provision users from a central location and as a group rather than individually.
Administrators can leverage their Azure Active Directory (Azure AD) groups to manage user access rights in Dynamics 365 Finance and Operations (D365FO). This blog will guide you through the steps for setting up and configuring Dynamics 365 Finance and Operations. Keep in mind that setting up and configuring Azure Active Directory is the responsibility of the IT administration.

How to enable the Active Directory Groups feature in Dynamics 365 Finance and Operations

The Azure Active Directory Groups feature is not enabled by default. To enable this feature, you must change the setting on the license configuration page. To do so, go to System Administration > Setup > License Configuration. Find Administration and then enable the Microsoft Entra ID Security Group.

Note: The system should be in maintenance mode to enable any license configuration.

Setting up group security

After enabling the feature, when you go to System Administration and then choose Users, you will see a new entry called Groups.

This page will look similar to the user setup screen, but you are setting up group security instead.

The first thing to do is import the Azure AD group you want to set up by clicking Import groups.

The name field will be non-editable as it’s getting the name directly from AD (Active Directory). You must fill out the ID field, and it should be unique.
Once you select the group, you will notice that the screen looks exactly like the user info setup screen. It has a details area at the top and the roles you want to assign at the bottom.

Now, you need to select the appropriate roles to assign to the AD groups you will import. Once this is done, all current users of the group, as well as any future users who join the group, will automatically inherit the group’s security settings. In this way, if you need to make a security change in the future, it will affect all users of a group, and there won’t be any need to go to each user one by one to change security settings.

Managing users in Dynamics 365 Finance and Operations

The Microsoft Entra ID security group feature offers JIT (just-in-time) provisioning. JIT provisioning applies when a new user tries to sign in to the Dynamics 365 Finance and Operations environment for the first time. If the user’s AD group is available in D365 F&O, the system automatically creates the user.

The main drawback of this feature is that the user ID, in this case, will be an auto-generated number sequence preceded by a ‘$’ sign.

Things to remember while enabling the Active Directory Security Groups

Disabling an Azure AD group does not prevent the users assigned to that group from logging in. Only disabling the Azure AD user, removing the group as a user from within Dynamics 365 Finance and Operations, or removing the D365FO user entirely will affect the user’s ability to sign in to D365FO.
All assigned access is cumulative. This means that if a user is directly assigned roles and is a member of an Azure AD group with assigned roles, their access will be the combination of the directly assigned roles and the inherited roles from the Azure AD group.
While this process eases user security setup, it complicates reporting on a user’s access. Keep in mind that, by default, no report is available to show a user’s access rights clearly.
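Because access is cumulative and no default report shows it, an administrator can compute each user's effective roles from exported data. The sketch below is an added example, not part of the original post or of D365FO itself; the three input dictionaries, the user names, group IDs and function names are hypothetical, constructed stand-ins for exports of direct role assignments, group role assignments and Azure AD group membership.

```python
from collections import defaultdict

# Constructed sample data (hypothetical exports, not real D365FO or Azure AD output).
DIRECT_ROLES = {
    "alice@contoso.example": {"Accounts payable clerk"},
    "bob@contoso.example": {"System user"},
}
GROUP_ROLES = {  # roles assigned to each imported group in D365FO
    "FIN-AP": {"Accounts payable clerk", "Accounts payable manager"},
    "IT-ADMINS": {"System administrator"},
}
GROUP_MEMBERS = {  # group membership as held in the directory
    "FIN-AP": {"alice@contoso.example", "carol@contoso.example"},
    "IT-ADMINS": {"bob@contoso.example"},
}

def effective_access(direct, group_roles, group_members):
    """Return {user: {role: sorted sources}}; a source is 'direct' or 'group:<id>'."""
    access = defaultdict(lambda: defaultdict(set))
    for user, roles in direct.items():
        for role in roles:
            access[user][role].add("direct")
    for gid, members in group_members.items():
        for user in members:
            for role in group_roles.get(gid, ()):
                access[user][role].add(f"group:{gid}")
    return {u: {r: sorted(s) for r, s in roles.items()} for u, roles in access.items()}

def group_only_users(access):
    """Users whose roles all come from groups, with no direct assignment."""
    return sorted(u for u, roles in access.items()
                  if all("direct" not in src for src in roles.values()))

def roles_lost_if_group_removed(access, gid):
    """What-if: roles each user would lose if this group were removed from D365FO."""
    tag = f"group:{gid}"
    lost = {}
    for user, roles in access.items():
        gone = sorted(r for r, src in roles.items() if src == [tag])
        if gone:
            lost[user] = gone
    return lost

if __name__ == "__main__":
    report = effective_access(DIRECT_ROLES, GROUP_ROLES, GROUP_MEMBERS)
    for user in sorted(report):
        for role, sources in sorted(report[user].items()):
            print(f"{user:26} {role:26} {', '.join(sources)}")
```

A role that lists both `direct` and a group source survives removal of the group, which is why the what-if check only reports roles whose sole source is that group.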

Enhance security in Dynamics 365 Finance and Operations with Confiz

Active Directory groups in Dynamics 365 Finance and Operations offer robust security features that seamlessly integrate with your system. These groups can grant access, restrict users, and enhance security, providing significant value to your Dynamics 365 environment.
If you have any questions or concerns about enabling this feature or need assistance with implementing Active Directory groups, please don’t hesitate to contact us at marketing@confiz.com. Our team of Dynamics 365 functional and technical consultants is here to help.