Hi everyone,

I have a customer that utilizes Azure Conditional Access to protect access to the D365 for Finance and Operations environment, allowing access only from trusted devices or with Azure MFA. It works as expected, and all users within the company must use strong authentication to access the environment, but now it has come to our attention that external vendors are able to bypass the security we defined in Azure Active Directory.

They accomplish this by adding a new user in AX (Dynamics 365) and pointing it at another external identity provider (IdP), which we cannot manage or restrict outside of AX (Dynamics 365). We would like to manage security and governance using Azure B2B instead of the regular practices within AX (Dynamics 365), as this would allow the customers to perform logging and enforce security from their own Azure AD tenant.

We have one of the vendors using an Azure B2B account, but we don't know how this was created. We see that at some point he accepted an Azure B2B invite from our Azure Active Directory, and for that reason we think that we can see sign-in activity, perform logging and enforce security on his external user from another Azure Active Directory tenant. If this is indeed the case, how can we extend the security to other newly added users within Dynamics 365/AX? Do they need to accept the invite for the security to comply with the company policies? It seems a bit weird that the owner of the finance system should have the ability to manage identity security. I see how this could be nice to have for inviting external auditors, users from a merger or other scenarios in a very easy way, but how can we manage the security and governance?

Johan Persson wrote a great blog post that clearly explains how easy it is to add users from other Azure Active Directories directly within Dynamics 365/AX: https://blog.johanpersson.nu/?p=1765.

We would really like to restrict this practice due to compliance, governance, security, GDPR and logging issues. Basically, block external access as, for example, the SharePoint team has done, unless the external user was added as an Azure B2B user to the customer's own Azure Active Directory.

What we would like to see:

  • The ability to restrict other providers within Dynamics 365/AX besides the primary Azure AD tenant.
  • Use Azure B2B to grant external partners and vendors access to Dynamics 365/AX.

Any advice and suggestions will be greatly appreciated.

/Peter Selch Dahl

Azure MVP