I have defined some default Azure Conditional Access policies around a customer's Azure Active Directory applications, which also set some default conditional access policies for accessing Microsoft Dynamics 365 for Operations and Finance. This is all very well, but the customer would like to define more restrictive policies around MS Dynamics due to invoice approval and sensitive data.
It seems like Microsoft doesn't provide an Azure Active Directory application that supports conditional access for Microsoft Dynamics 365 for Operations and Finance yet. What are the plans for this and who should I contact at Microsoft?
Peter Selch Dahl
The users and access rights are managed within D365 for Finance and Operations. AAD will be used to authenticate the users.
Thanks for your reply. User and access rights are normally handled within the application, but what I'm looking for is the Conditional Access within Azure Active Directory that prevents sign-in from unknown locations and untrusted devices.
Now I do understand your question.
This is currently in development. Have a look at the roadmap: roadmap.dynamics.com
Filter on the tag 'Cloud platform' for the information about known clients.
Once again thanks for your reply. I had a look at the roadmap and was only able to find this
"Control access to a specific set of IP addresses so that only known clients can log in
This feature will allow users to lock down access to Finance and Operations environment from a specified set of IP addresses, such as your office or store locations. With this feature, an administrator will be able to lock down communications to Finance and Operations from and to their on-premise network. Only specified IP addresses will be able to gain access to the service, others will be prevented from acquiring access."
It seems like a step in the right direction, but this is not Azure Conditional Access. It sounds more like Microsoft is adding support for configuring Azure NSG rules around the Dynamics 365 environment. Please correct me if I'm wrong.
Was it the same feature you found?
This is indeed the same information. Currently, the application is hosted on VMs using Internet Information Services. It is not an Azure app. AAD is only used for authentication of the users.
Thanks! Just the information I needed. Dynamics 365 must rely on an Azure Active Directory App Registration for authentication to work with the Azure federation gateway (https://sts.windows.net). You can find it in your own Azure Active Directory (microsoftintune.uservoice.com/.../Dynamics.png). I know that the code behind AX/Dynamics is running on IIS inside a VM, but the authentication part is handled by the IdP (Azure Active Directory).
It is this Azure application that is missing support for Azure Conditional Access. I'm glad this is being added soon.
Azure Conditional Access:
You are correct. These are Azure NSG rules. We are currently using those. Right now if we need to add any new IP, we are providing it to Microsoft and they add it for us.
I have the exact same question as you but I am struggling to understand how you reached the conclusion "glad this is being added soon". I find nothing related in the roadmap "Control access to a specific set of IP addresses so that only known clients can log in".
I hope you can clarify.
Peter did copy the announcement from the roadmap site in a reply above.
Even though "Microsoft Dynamics ERP" is not listed in Azure Active Directory (the portal) and you can't configure "Conditional Access" specifically on that application, if you define a policy for ALL SaaS apps you will also include Microsoft Dynamics 365. It works like a charm!
At some point Microsoft will add support for "Conditional Access" and you will be able to define the policy on the application within Azure Active Directory.
BlogPost - Protecting Dynamics 365 for Finance and Operations with Azure Conditional Access:
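The reply above says a policy scoped to all cloud apps also covers an application that is not individually listed, such as Dynamics 365 for Finance and Operations. The following added example (not from this thread or from Microsoft) builds the Microsoft Graph request body for such a policy and then runs a simplified local model of Conditional Access scoping over a few constructed sign-ins, so you can see why an unlisted app is still caught. The application and user ids are placeholders; the evaluator approximates the real engine's scoping and grant logic and is not Microsoft's implementation.

```python
"""Build an 'all cloud apps' Conditional Access policy body and model how it
scopes a sign-in to an app that has no entry of its own in the directory.
Added example with placeholder ids; the evaluator is a simplified model."""
import json

# Real Graph v1.0 endpoint for creating Conditional Access policies.
GRAPH_CA_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_all_apps_policy(break_glass_user_ids):
    """Return the JSON body for a policy that applies to every cloud app.

    'All' (applications/users/locations) and 'AllTrusted' (locations) are the
    literal scope values Graph accepts. The policy starts in report-only mode
    so its effect can be reviewed in sign-in logs before enforcement.
    break_glass_user_ids: object ids of emergency-access accounts to exclude
    (placeholder values in this example)."""
    return {
        "displayName": "Require MFA or compliant device outside trusted locations",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_user_ids)},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"],
        },
    }


def policy_applies(policy, app_id, user_id, from_trusted_location):
    """Simplified scoping check: does this policy's condition set match the sign-in?

    An app is in scope when includeApplications is 'All' or names the app id,
    which is why an app with no directory entry is still covered by 'All'."""
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and app_id not in apps:
        return False
    users = cond["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and user_id not in users["includeUsers"]:
        return False
    loc = cond.get("locations") or {}
    if from_trusted_location and "AllTrusted" in loc.get("excludeLocations", []):
        return False
    return True


def evaluate_sign_in(policy, app_id, user_id, from_trusted_location,
                     did_mfa=False, device_compliant=False, device_domain_joined=False):
    """Return 'granted' or 'blocked' for one sign-in under a single policy.

    With operator 'OR', satisfying any one built-in control is enough. A
    sign-in the policy does not scope to is granted here because this model
    evaluates only the one policy."""
    if not policy_applies(policy, app_id, user_id, from_trusted_location):
        return "granted"
    satisfied = {
        "mfa": did_mfa,
        "compliantDevice": device_compliant,
        "domainJoinedDevice": device_domain_joined,
    }
    controls = policy["grantControls"]["builtInControls"]
    met = [satisfied.get(c, False) for c in controls]
    ok = any(met) if policy["grantControls"]["operator"] == "OR" else all(met)
    return "granted" if ok else "blocked"


if __name__ == "__main__":
    # Constructed placeholder ids; real tenants use GUIDs from the directory.
    BREAK_GLASS = "PLACEHOLDER-BREAK-GLASS-USER-ID"
    DYNAMICS_APP = "PLACEHOLDER-DYNAMICS-ERP-APP-ID"  # not listed in the policy
    policy = build_all_apps_policy([BREAK_GLASS])
    print(json.dumps(policy, indent=2))
    print(evaluate_sign_in(policy, DYNAMICS_APP, "user-1", False))             # blocked
    print(evaluate_sign_in(policy, DYNAMICS_APP, "user-1", False, did_mfa=True))  # granted
    print(evaluate_sign_in(policy, DYNAMICS_APP, "user-1", True))              # granted
    print(evaluate_sign_in(policy, DYNAMICS_APP, BREAK_GLASS, False))          # granted
```

To create the policy for real, POST `json.dumps(policy)` to `GRAPH_CA_ENDPOINT` with a bearer token that carries the `Policy.ReadWrite.ConditionalAccess` permission, leave it in report-only state until the sign-in logs show the expected matches for Dynamics sign-ins, and only then switch `state` to `enabled`. The excluded break-glass accounts are what keep you from locking yourself out of the tenant if the trusted-location or device conditions are misconfigured.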
How do you notify Microsoft of your list of IP addresses allowed to connect to D365? We would like to use that approach. Do I open a service request and say "please limit access to D365 to those IPs"?
It is currently in development. You have to wait for the details once it has been released.