Designing Security in Dynamics 365 Finance: 10 things to get right
Security is more than “who can click what.” These ten decisions prevent audit pain, workflow failures, and licensing surprises.
1) Optimize licensing (right-size by usage, not by title)
Design roles with the lowest-cost license that still covers the required actions. Separate workflow approvers/readers from daily transaction users:
- Approvers / reviewers / occasional users: if they don’t create or post transactions and mostly review, read, or approve, target a lighter license (where permitted).
- Heavy users (day-in, day-out transactions): assign the full license aligned to their functional area.
- Shared stations (warehouse, shop floor): consider device/shared-use options when appropriate.
- Re-validate against the current Microsoft Dynamics 365 Licensing Guide each quarter.
👉 Reference: Latest Dynamics 365 Licensing Guide
Deliverable: a “persona → role(s) → license tier → monthly cost” table, plus a quarterly right-sizing review (actual usage vs. assigned license).
2) Decide who assigns (and removes) roles
Document who owns each role, who can grant it, and when it must be removed (joiner–mover–leaver). If you use Entra ID (Azure AD) groups for role assignment, schedule access reviews so managers re-certify access on a cadence.
Deliverable: RACI for role assignment + a quarterly access review.
3) Build roles from duties & privileges (not from people)
In Finance & Operations apps, privileges → duties → roles. Compose roles from duties (not from menu clicks) and keep Segregation of Duties (SoD) in mind while you design; it simplifies audits and upgrades.
Deliverable: a “role composition” sheet listing duties/privileges per role.
4) Workflows & delegations: design them with security in mind
Approvers in workflows must actually have the privileges to open, review, and approve; otherwise the workflow errors. Also plan delegations: who can approve on behalf of whom, and ensure the delegate has the necessary rights during the delegation window.
Deliverable: for each workflow, list “Required role(s) for approver” + “Delegate eligibility.”
5) Separate configurators from transaction users
Keep system configuration (parameters, posting profiles, number sequences) in roles distinct from operational transaction roles (journals, invoices, payments). This is least-privilege in practice and reduces blast radius.
Deliverable: two role families—Configure vs Operate—with zero overlap.
6) Define Segregation of Duties (SoD) rules early
Write explicit SoD rules (e.g., Create vendor ≠ Pay vendor) and use the built-in SoD workspace to detect & resolve conflicts before go-live. Track violations and compensating controls when exceptions are necessary.
Deliverable: SoD matrix + a monthly “violations & exceptions” report.
7) Test both “can do” and “cannot do”
Testing isn’t done when users can complete their tasks; you must also verify they cannot perform prohibited actions (e.g., post in the wrong legal entity, change master data without approval).
Deliverable: positive & negative test cases per key role; embed them in UAT.
8) Don’t underestimate rights to see information
Reading isn’t free. Decide which roles can view sensitive reports, dimensions, and fields (salaries, bank details, vendor PII). Permissions apply down to menus, reports, and fields—capture those decisions.
Deliverable: a “sensitive data register” (object → roles with read access → justification).
9) Plan lifecycle controls: joiner, mover, leaver (JML)
Automate onboarding (minimum roles), job changes (swap roles, remove old ones), and offboarding (remove all access immediately). Back it with periodic access reviews so managers re-approve who has Finance access.
Deliverable: JML playbook + recurring access-review schedule.
10) Prepare for audit: logs, break-glass, and evidence
Define emergency access (“break-glass” admin with MFA + alerting), where evidence lives (SoD exports, role change logs), and how you’ll show who approved what in workflows. Keep an Audit Pack ready: SoD rules, role map, access-review exports, workflow evidence.
Deliverable: an “Audit Pack” folder maintained monthly/quarterly.
