Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. It provides intelligent security analytics and threat intelligence across the enterprise, helping organizations detect, investigate, and respond to threats faster and more effectively. By integrating Microsoft Sentinel with Dynamics 365 Finance and Operations, businesses can gain deep visibility into operational and security events, enabling proactive monitoring, advanced threat detection, and streamlined incident response—all within a unified platform.
Let’s walk through the steps to configure Microsoft Sentinel for Dynamics 365 Finance and Operations.
Prerequisites: Laying the Groundwork for Integration
Before you dive into the setup, ensure you meet the following prerequisites:
- Dynamics 365 Finance and Operations Version: Your D365 F&O instance must be version 10.0.33 or above.
- Azure Portal Permissions: You need the necessary permissions in your Azure subscription to create Data Collection Rules and Data Collection Endpoints. Specifically, ensure you have permissions for
Microsoft.Insights/DataCollectionEndpoints and Microsoft.Insights/DataCollectionRules. Don't worry about creating them manually; Azure will handle this automatically, but the permissions are vital.
Step-by-Step Deployment Guide: Connecting D365 F&O to Azure Sentinel
Step 1: Obtain Your Dynamics 365 F&O URL
Identify your Dynamics 365 Finance and Operations URL. This is typically your home page URL up to .com
Step 2: App Registration in Azure AD (Entra ID)
- A simple app registration with a name is sufficient; no redirection URL is needed.
- Existing Setup: If you're updating an existing Sentinel setup, you can reuse your current app registration.
- Generate and Save Secret: Once registered (or identified), add a client secret to your app registration. Copy and securely save the following three pieces of information:
- App Client ID
- Directory (Tenant) ID
- Secret Value
Step 3: Create or Utilize a Log Analytics Workspace
You'll need a Log Analytics Workspace in Azure. You can either:
- Create a new one.
- Use an existing one, especially if you're updating an existing Sentinel setup.
Step 4: Create or Connect to an Azure Sentinel Instance
- First-time Setup: Create a new instance of Microsoft Sentinel and connect it to your chosen Log Analytics Workspace.
- Existing Setup: If you're updating Sentinel, you don't need to create a new instance.
Step 5: Configure Security Role in Dynamics 365 F&O
Within your Dynamics 365 Finance and Operations system:
- Find an existing security role that contains the privilege named "Database log Entity View".
- If no such role exists, create a new security role and add the "Database log Entity View" privilege to it.
Do not forget to publish your security changes
Step 6: Assign the Security Role to a User in Dynamics
Assign the security role configured in Step 5 to a relevant user within your Dynamics 365 Finance and Operations system.
Step 7: Add App Registration Details in Dynamics 365 F&O
In Dynamics 365 Finance and Operations, navigate to the Microsoft Entra ID Applications section and add the details of your app registration (from Step 2).
Step 8: Configure Database Logging in Dynamics 365 F&O
Open the database log setup within Dynamics 365 Finance and Operations. Here, you'll register and enable logging for specific tables for which you want activity(CURD) information to flow into Azure Sentinel.
Add any table, will full options (Create/Track New, Update, Delete and Rename Key). Do not enabled/mark the individual fields but at table level (so that all fields get logged)
Step 9: Install Microsoft Business Applications Solution in Azure Sentinel
In the Azure portal, open your Microsoft Sentinel instance:
- Go to Content hub.
- Search for and install the "Microsoft Business Applications" solution.
- Important: Remove any deprecated connectors (e.g., the old "Dynamics 365 Finance and Operations" connector).
- Wait for the installation to complete.
Step 10: Configure the Dynamics 365 Finance and Operations Data Connector
Still within Microsoft Sentinel:
- Go to Data connectors.
- Search for "Dynamics 365".
- Remove any deprecated connectors (e.g., "Dynamics 365 F&O (using Azure Functions)").
- Find and configure the new connector named "Dynamics 365 Finance and Operations".
- Click on the three dots next to it and choose "Open Connector page".
- Click "Add Environment" (ensuring all prerequisites are met).
- Provide the required details:
- Entra Tenant ID
- App Client ID
- App Secret Value
- Finance & Operations URL
Step 11: Testing Your Integration
- Allow approximately 15 to 20 minutes for the connection to establish and data to start flowing.
- In your Dynamics 365 F&O environment, perform some Create, Update, or Delete (CRUD) operations on the tables you enabled for logging in Step 8.
- After some time, navigate back to your Azure Sentinel instance. You should begin to see these CRUD operations reflected in your Sentinel logs, ready for analysis and security monitoring!
What's Next?
With your Dynamics 365 Finance and Operations data now flowing into Azure Sentinel, you can begin to:
- Create Custom Analytics Rules: Develop rules to detect suspicious activities or specific events in your D365 F&O logs.
- Build Workbooks and Dashboards: Visualize key security metrics and trends related to your D365 F&O environment.
- Leverage Threat Intelligence: Enrich your D365 F&O security data with threat intelligence feeds.
You can add or remove any Dynamics 365 Finance and Operations system tables based on your requirements. Your business needs will determine which tables are sensitive and must be tracked and monitored for potential threats.
