Inventory Visibility Addon Service Secure Access Architecture

Fameeda Yaseen

This solution combines Dynamics 365 Supply Chain Management, Intelligent Order Management (IOM), Inventory Visibility (IV), Power Apps, Dataverse, Azure Functions, Azure Key Vault, and Azure Active Directory to build a secure inventory visibility access architecture that enables business users to access on-hand inventory, reservation, and Available-to-Promise (ATP) capabilities without granting System Administrator privileges.

Introduction
This reference architecture describes a secure design for providing controlled access to Inventory Visibility (IV) capabilities in Dynamics 365 Supply Chain Management, working together with the Intelligent Order Management module.
It applies to organizations in manufacturing, retail, wholesale, automotive, and distribution industries that require secure inventory visibility while maintaining strong governance and compliance controls.
This reference architecture should be defined during the solution architecture and security design phase of an implementation, before role design and environment hardening.
Key stakeholders include:
  • Solution architects
  • Security architects
  • IT administrators
  • Supply chain operations leaders
  • Compliance and audit teams
The architecture presents two solution approaches:
  1. Secure operational access using backend service admin authentication
  2. Reporting-based access using Power BI over virtual tables

Architecture
The following diagram illustrates the architecture for the solution.


Dataflow
Solution 1: Secure Operational Access (Service Principal-Based)
  1. A business user logs into a Model-Driven App built on Power Apps and Dataverse with restricted security roles.
  2. The user selects an Inventory Visibility function (On-hand inquiry, reservation, ATP query).
  3. The app calls a Custom API, a Dataverse plugin, or an Azure Function.
  4. Azure Active Directory authenticates a Service Principal (App Registration).
  5. The Azure Function retrieves the client secret from Azure Key Vault.
  6. An access token is generated using the Environment ID, Client ID, and Secret.
  7. The service securely calls the Inventory Visibility API in Dynamics 365 Supply Chain Management.
  8. Results are returned to the Model-Driven App.
  9. The user views results without having System Administrator privileges.
Solution 2: Reporting-Based Access (Power BI Over Virtual Tables)
  1. Inventory Visibility data is exposed through Dataverse virtual tables.
  2. An administrator configures a Power BI dataset using secure service authentication.
  3. Power BI connects to virtual tables and reads IV data.
  4. Reports are published to the Power BI Service.
  5. Row-Level Security (RLS) is configured where required.
  6. Reports are embedded in a Model-Driven App.
  7. Business users view inventory dashboards without direct API interaction.

Components
The following components are used in the reference architecture:
• Dynamics 365 Supply Chain Management
Provides Inventory Visibility capabilities including on-hand inquiry, ATP, and reservations.

• Inventory Visibility Service
Provides Inventory Visibility capabilities including on-hand inquiry, ATP, and reservations according to the configuration.

• Power Apps (Model-Driven Apps)
Provides the user interface for business users to access inventory visibility functionality securely.

• Dataverse
Stores application data and hosts virtual tables exposing inventory visibility data.

• Azure Active Directory
Authenticates users and Service Principals for secure service-to-service communication.

• Azure Functions
Handles backend token generation and API orchestration without exposing administrative credentials.

• Azure Key Vault
Securely stores client secrets and sensitive configuration required for token generation.


Scenario details
Organizations require real-time inventory visibility across multiple warehouses and channels. Inventory Visibility requires an access token generated using elevated privileges, creating a security concern when business users need access.
Granting System Administrator privileges to operational users introduces compliance, audit, and security risks.
This architecture separates:
  • User authentication
  • Authorization
  • Service-level authentication
Solution 1 enables full operational capability (query editor, reservations, ATP) through secure backend token management.
Solution 2 enables read-only reporting access using Power BI over Dataverse virtual tables.
The customer’s goals include:
  • Preventing privilege escalation
  • Maintaining compliance
  • Enabling secure inventory decision-making
  • Supporting operational efficiency
Benefits include:
  • Improved security posture
  • Reduced audit risk
  • Controlled access to sensitive APIs
  • Scalable enterprise design

Potential use cases
This solution was created for a manufacturing and retail organization. It can also be applied to industries like wholesale trade, automotive, distribution, and agriculture.
It can be used by any organization that:
  • Requires inventory visibility without granting administrative access.
  • Needs secure separation of duties.
  • Must comply with governance and audit standards.
  • Requires that business teams can use the Inventory Visibility capabilities without being given admin rights.
You can use this solution to:
• Provide secure on-hand and ATP visibility
• Deliver reporting dashboards with row-level security


Considerations
These considerations help implement a solution that includes Dynamics 365. Learn more at Dynamics 365 guidance documentation.
Key considerations:
  • Apply least-privilege access principles
  • Use Service Principals instead of admin user impersonation
  • Store secrets in Azure Key Vault
  • Enable logging and monitoring
  • Design for audit compliance
  • Apply Row-Level Security where applicable

Cost optimization
Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.
Primary cost drivers include:
  • Azure Functions execution consumption
  • Azure Key Vault transactions
  • Azure Active Directory App Registration (minimal cost)
  • Power BI licensing (for reporting solution)
  • Dataverse capacity
Solution 1 scales based on API calls and Azure Function execution. Costs increase linearly with transaction volume.
Solution 2 scales primarily with Power BI dataset size and refresh frequency.
To optimize cost:
  • Use consumption-based Azure Functions
  • Cache tokens when appropriate
  • Optimize Power BI refresh schedules
  • Implement incremental data refresh
Use the Azure Pricing Calculator to estimate costs including:
  • Azure Functions
  • Azure Key Vault
  • Power BI
  • Dataverse capacity
For larger deployments:
  • Increase Power BI capacity tier
  • Scale Azure Functions plan
  • Optimize API call batching

Implementing Inventory Visibility Secure Access Architecture
This section describes high-level configuration steps for both solution options.

Procedure: Implement Service Principal Authentication
Use the following steps to configure secure backend token generation.
  1. Register an application in Azure Active Directory.
  2. Grant API permissions required for Inventory Visibility.
  3. Generate a client secret.
  4. Store the secret in Azure Key Vault.
  5. Create an Azure Function to retrieve the secret securely.
  6. Implement token generation logic in the Azure Function.
  7. Create a Custom API or plugin in Dataverse to call the Azure Function.
  8. In the Azure Function, call the Inventory Visibility service (ATP, reservation, and on-hand inquiry) and return the results to the calling application so they can be displayed to the business user.
  9. Assign restricted security roles to operational users.
  10. Remove System Administrator privileges from operational users.
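
The backend logic in steps 5 to 8 (and in the Solution 1 dataflow) can be sketched as a small broker; this is an added example, not code from the original article or from Microsoft. The three injected callables, the operation names, and the 300-second refresh window are assumptions standing in for Key Vault, the token endpoint, and the Inventory Visibility API.

```python
import time

# Operations named on the page; anything else is refused before a token is used.
ALLOWED_OPERATIONS = {"onhand_query", "reservation", "atp_query"}

class InventoryVisibilityBroker:
    def __init__(self, get_secret, request_token, call_iv, clock=time.monotonic, skew=300):
        self._get_secret = get_secret        # assumed: reads the client secret from Key Vault
        self._request_token = request_token  # assumed: secret -> (token, lifetime_seconds)
        self._call_iv = call_iv              # assumed: (token, operation, payload) -> result
        self._clock, self._skew = clock, skew
        self._token, self._expires_at = None, 0.0
        self.token_requests = 0
        self.audit = []                      # who asked for what; never contains the token

    def _service_token(self):
        # Reuse the cached token until it is within `skew` seconds of expiry.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._token, lifetime = self._request_token(self._get_secret())
            self._expires_at = self._clock() + lifetime
            self.token_requests += 1
        return self._token

    def handle(self, user_id, operation, payload):
        allowed = operation in ALLOWED_OPERATIONS
        self.audit.append({"user": user_id, "operation": operation, "allowed": allowed})
        if not allowed:
            return {"status": 403, "error": "operation not permitted"}
        result = self._call_iv(self._service_token(), operation, payload)
        # Only the business result goes back to the app; the token stays here.
        return {"status": 200, "result": result}

def demo():
    # Constructed stand-ins for Key Vault, the token endpoint and the IV API.
    now = [0.0]
    broker = InventoryVisibilityBroker(
        get_secret=lambda: "constructed-secret",
        request_token=lambda secret: ("constructed-token", 3600),
        call_iv=lambda token, op, payload: {"item": payload["item"], "onhand": 12},
        clock=lambda: now[0],
    )
    first = broker.handle("user-a", "onhand_query", {"item": "A0001"})
    second = broker.handle("user-a", "atp_query", {"item": "A0001"})   # cached token reused
    denied = broker.handle("user-a", "update_configuration", {})       # not allow-listed
    now[0] = 3400.0                                                    # inside the refresh window
    broker.handle("user-b", "reservation", {"item": "A0001"})
    return first, second, denied, broker

if __name__ == "__main__":
    print(demo()[:3])
```

The audit list records the calling user and the decision for every request, which gives the logging and audit considerations something concrete to ship to a monitoring pipeline.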

Procedure: Implement Power BI Reporting Over Virtual Tables
Use the following steps to configure reporting-based access.
  1. Confirm Inventory Visibility virtual tables are available in Dataverse.
  2. Connect Power BI Desktop to Dataverse.
  3. Build on-hand and ATP dashboards.
  4. Configure Row-Level Security (RLS).
  5. Publish reports to Power BI Service.
  6. Embed reports in the Model-Driven App.
  7. Assign Power BI workspace access to business users.

Next step
  1. Review Dynamics 365 Supply Chain Management Inventory Visibility documentation.
  2. Review Azure Well-Architected Framework security guidance.
  3. Define an enterprise role-based access control model.

Tags
Applies to: Dynamics 365 Supply Chain Management, Power Apps, Dataverse, Azure Functions, Azure Key Vault, Azure Active Directory, Intelligent Order Management (IOM), Inventory Visibility (IV)
Industries: Manufacturing (20-39), Retail Trade (52-59), Wholesale Trade (50-51)
Stakeholders: Audit, Finance, IT, Operations, Production, Warehouse
Products: Dynamics 365 Supply Chain Management
