I have a customer that utilizes Azure Conditional Access to protect access to the D365 for Finance and Operations environment, allowing it only from trusted devices or using Azure MFA. It works as expected and all users within the company must use strong authentication to access the environment, but now it has come to our attention that external vendors are able to bypass our security defined in Azure Active Directory.
They accomplish this by adding a new user in AX (Dynamics 365) and pointing it at another external identity provider (IdP), which we cannot manage or restrict outside of AX (Dynamics 365). We would like to manage the security and governance using Azure B2B instead of the regular practices within AX (Dynamics 365), as this would allow the customers to perform logging and security from their Azure AD tenant.
We have one of the vendors using an Azure B2B account, but we don't know how this was created. We see that at some point he accepted an Azure B2B invite from our Azure Active Directory, and for that reason we think that we can see sign-in activity, perform logging and enforce security on his external user from another Azure Active Directory tenant. If this is indeed the case, how can we extend the security to other newly added users within Dynamics 365/AX? Do they need to accept the invite for the security to comply with the company policies? It seems a bit weird that the owner of the finance system should have the ability to manage the identity security. I see how this could be nice to have to invite external auditors, users from a merger or other scenarios in a very easy way, but how can we manage the security and governance?
Johan Persson wrote a great blog post that clearly explains how easy it is to add users from other Azure Active Directories directly within Dynamics 365/AX: https://blog.johanpersson.nu/?p=1765.
We would really like to restrict this practice due to compliance, governance, security, GDPR and logging issues. Basically, block external access, like for example the SharePoint team have done, unless the external user was added as an Azure B2B user to the customer's own Azure Active Directory.
What we would like to see:
Any advice and suggestions will be greatly appreciated.
/Peter Selch Dahl
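One way to audit for the situation described in the post, as an added example that is not part of the original post or of any Microsoft tooling: reconcile the D365 user list against the home tenant's B2B guest objects and flag every enabled D365 user whose record points at a foreign identity provider, or whose external address has no matching guest account that Conditional Access could govern. The field names, the home identity-provider URL and all sample records are constructed assumptions; in practice the two inputs would come from the D365 user export and a Microsoft Graph query for guest users.

```python
from dataclasses import dataclass

# Identity provider URL assumed to be recorded in D365 for users who sign in
# through the customer's own Azure AD (assumption; adjust for the real tenant).
HOME_IDP = "https://sts.windows.net/"

@dataclass(frozen=True)
class D365User:
    user_id: str
    email: str               # network alias in the D365 user record
    identity_provider: str   # identity provider / network domain in the D365 user record
    enabled: bool

def find_bypass_users(d365_users, home_domains, b2b_guest_emails):
    """Return (user_id, reason) for enabled D365 users that home-tenant Conditional
    Access cannot cover: a foreign identity provider, or an external address with
    no matching B2B guest object in the home Azure AD."""
    guests = {e.lower() for e in b2b_guest_emails}
    homes = {d.lower() for d in home_domains}
    findings = []
    for u in d365_users:
        if not u.enabled:
            continue                      # disabled accounts cannot sign in
        domain = u.email.rsplit("@", 1)[-1].lower()
        if u.identity_provider.rstrip("/") != HOME_IDP.rstrip("/"):
            findings.append((u.user_id, "foreign identity provider: " + u.identity_provider))
        elif domain not in homes and u.email.lower() not in guests:
            findings.append((u.user_id, "external address without a B2B guest account"))
    return findings

# Constructed sample data standing in for the D365 user export and for the
# home tenant's guest list (Graph: users with userType eq 'Guest').
SAMPLE_D365_USERS = [
    D365User("jdoe", "jdoe@contoso.example", HOME_IDP, True),                    # internal, fine
    D365User("vend1", "anna@vendor-a.example", HOME_IDP, True),                  # invited B2B guest, fine
    D365User("vend2", "bob@vendor-b.example",
             "https://sts.windows.net/00000000-0000-0000-0000-000000000000/", True),  # foreign IdP
    D365User("vend3", "carl@vendor-c.example", HOME_IDP, True),                  # no guest object
    D365User("old", "old@vendor-d.example", "https://login.example.org/", False), # disabled, skipped
]
SAMPLE_HOME_DOMAINS = ["contoso.example"]
SAMPLE_B2B_GUESTS = ["anna@vendor-a.example"]

def demo():
    return find_bypass_users(SAMPLE_D365_USERS, SAMPLE_HOME_DOMAINS, SAMPLE_B2B_GUESTS)

if __name__ == "__main__":
    for user_id, reason in demo():
        print(f"{user_id}: {reason}")
```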