Streamlining D365FO Access with Entra ID Security Groups

Hi Friends,

Happy new year!!! Lets continue learning...

In this post, I will share some insight on how Entra security group can used to streamline D365FO access management. 

Managing user access in Dynamics 365 Finance and Operations can be complex—especially in large organizations with frequent onboarding (or offboarding), role changes, and compliance needs. Microsoft Entra ID security groups provide an alternative to traditional role-based access control (RBAC), offering centralized, scalable access management. In this post let’s explore how to set them up, their pros and cons, and best practices for implementation.

Lets see some quick steps to setup Entra security groups, 

1. Enable the Feature:  In D365FO, navigate to Feature Management and enable Microsoft Entra ID Security Groups.
2. Create Security Groups in Entra ID: Use the Microsoft Entra admin center to create groups. You can choose:
• Assigned groups (manual membership)
• Dynamic groups (rule-based membership based on user attributes)
3. Assign Roles to Groups in D365FO: Go to System Administration > Security Configuration > Entra ID Security Groups.
• Import your Entra groups.
• Assign D365FO roles to each group.
4. User Provisioning: When a user logs in, D365FO checks their group membership and automatically assigns roles based on the group configuration. This supports just-in-time (JIT) provisioning

Of course there are advantages Over Traditional Role-Based Access, like

• Centralized Management: Admins can manage access across multiple apps from Entra ID.
• Dynamic Membership: Automatically assign users to groups based on attributes (e.g., department, location).
• Bulk Provisioning: Assign roles to many users at once—ideal for onboarding.
• Lifecycle Automation: Role changes happen automatically when user attributes change.
• Just In time access
• Centralized onboarding and offboarding of users 

And yes, there are some limitations Compared to Traditional Role Assignments, like

• No Role Visibility in User Profile: Roles assigned via groups don’t appear in the user’s security role list in D365FO.
• Audit Complexity: Harder to trace exact role assignments for individual users. Few out of box report doesn't support these users.
• Limited Granularity: Cannot assign roles based on task-level needs unless you create many groups.
• External user in Entra doesn't get access automatically. 
• Complex workflows may not work as expected. 

Now lets talk about few of best Practices for Using Entra ID Groups in D365FO,

• Use Dynamic Groups for Automation:  Define rules like user. department -eq "Finance" to auto-assign users to finance roles.
• Combine with Direct Role Assignments: For exceptions or sensitive roles, assign them directly in D365FO to maintain visibility.
• Document Group-to-Role Mapping: Maintain a clear mapping of which Entra groups correspond to which D365FO roles.
• Audit Regularly: Use PowerShell or Graph API to extract group membership and validate access.
• Avoid Overlapping Assignments: Ensure users don’t get conflicting roles from multiple groups.

My view:

Entra ID security groups simplify access management in D365FO, especially for large-scale or dynamic environments. However, they’re best used in tandem with traditional role assignments to balance automation with control. By following best practices, you can streamline provisioning while maintaining auditability and compliance.

-Harry Follow us on Facebook to keep in rhythm with us. https:fb.com/theaxapta

OData Authentication for On-Premises D365FO

Hi Folks, 

Integrating with D365FO via OData is a powerful way to enable external systems to interact with ERP data. While cloud-hosted environments use Azure Active Directory (AAD) for authentication, on-premises deployments require a different approach—primarily relying on Active Directory Federation Services (AD FS). This post walks through the essentials of authenticating OData requests in an on-prem D365FO setup.

OData in D365FO exposes data entities over RESTful endpoints, enabling CRUD operations. In on-prem environments, authentication is handled by AD FS, which issues security tokens based on user credentials. These tokens are then used to authorize access to the OData endpoints.

Below are key component for this entire process, 

1. AD FS Configuration

ü  AD FS must be properly configured and integrated with D365FO.

ü  The AOS (Application Object Server) uses AD FS metadata to validate tokens.

ü  Ensure the AD FS XML configuration file is accessible to AOS.

2. Client Application Setup

ü  External apps (e.g., Postman, .NET clients) must be registered in AD FS.

ü  You’ll need:

ü  Client ID (from AD FS or Azure App Registration)

ü  Resource URI (typically the D365FO base URL)

ü  Token Endpoint (AD FS OAuth2 endpoint)

3. Token Acquisition

ü  Use OAuth2 protocol to acquire a bearer token.

ü  The token request includes:

§  grant_type=password

§  client_id

§  username and password

§  resource (D365FO URL)

ü  AD FS returns a JWT token if credentials are valid.

4. Calling OData

ü  Include the token in the Authorization header:  Authorization: Bearer <access_token>

ü  Use standard OData URLs like:  https://<your-d365fo-url>/data/Customers 

Lets take an example to authentication via Postman;

1. Get Token

ü  POST to AD FS token endpoint: https://<adfs-url>/adfs/oauth2/token

ü  Body (x-www-form-urlencoded):

            client_id=<your-client-id>

username=<your-username>

password=<your-password>

grant_type=password

resource=https://<your-d365fo-url>

 

2. Use Token

ü  Add Authorization: Bearer<token> header to your OData request.

3. Test Endpoint

ü  GET:  https://<your-d365fo-url>/data/Customers

Please be aware; 

• Token Expiry: Tokens typically expire after 1 hour. Refresh or reacquire as needed.

• AD FS Clock Skew: Ensure time sync between AD FS and AOS servers.

• SSL Certificates: AD FS endpoints must be secured with valid SSL certs.

• User Permissions: The authenticated user must have access to the data entities.

-Harry Follow us on Facebook to keep in rhythm with us. https:fb.com/theaxapta