Azure Conditional Access for Microsoft Dynamics 365 for Ops and Finance

Question Status

Verified
Peter Selch Dahl asked a question on 13 Nov 2017 6:15 AM

Hi,

I have defined some default Azure Conditional Access policies around a customer's Azure Active Directory applications, which also set some default conditional access policies for accessing Microsoft Dynamics 365 for Operations and Finance. This is all very well, but the customer would like to define more restrictive policies around MS Dynamics due to invoice approval and sensitive data.

It seems like Microsoft doesn't provide an Azure Active Directory application that supports conditional access for Microsoft Dynamics 365 for Operations and Finance yet. What are the plans for this and who should I contact at Microsoft?

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/32235784-add-conditional-access-support-for-microsoft-dyna

Thanks,

Peter Selch Dahl

Azure MVP

Reply
André Arnaud de Calavon responded on 13 Nov 2017 7:19 AM

Hi Peter,

The users and access rights are managed within D365 for Finance and Operations. AAD will be used to authenticate the users.

Reply
Peter Selch Dahl responded on 13 Nov 2017 3:45 PM

Hi André,

Thanks for your reply. User and access rights are normally handled within the application, but what I'm looking for is the Conditional Access within Azure Active Directory that prevents sign-in from unknown locations and untrusted devices.

Best Regards,

Peter Dahl

Reply
Suggested Answer
André Arnaud de Calavon responded on 14 Nov 2017 9:43 AM

Hi Peter,

Now I do understand your question.

This is currently in development. Have a look at the roadmap: roadmap.dynamics.com

Filter on the tag 'Cloud platform' for the information about known clients.

Reply
Peter Selch Dahl responded on 15 Nov 2017 2:27 AM

Hi André,

Once again thanks for your reply. I had a look at the roadmap and was only able to find this

"Control access to a specific set of IP addresses so that only known clients can log in

This feature will allow users to lock down access to Finance and Operations environment from a specified set of IP addresses, such as your office or store locations. With this feature, an administrator will be able to lock down communications to Finance and Operations from and to their on-premise network. Only specified IP addresses will be able to gain access to the service, others will be prevented from acquiring access."

It seems like a step in the right direction, but this is not Azure Conditional Access. It sounds more like Microsoft is adding support for configuring Azure NSG rules around the Dynamics 365 environment. Please correct me if I'm wrong.

Was it the same feature you found?

Best Regards,

Peter Selch Dahl

Azure MVP

Reply
Verified Answer
André Arnaud de Calavon responded on 15 Nov 2017 7:14 AM

Hi Peter,

This is indeed the same information. Currently, the application is hosted on VM's using Internet Information Services. It is not an Azure app. AAD is only used for authentication of the users.

Reply
Peter Selch Dahl responded on 16 Nov 2017 1:19 AM

Thanks! Just the information I needed. Dynamics 365 must rely on an Azure Active Directory App Registration for authentication to work with the Azure federation gateway (https://sts.windows.net). You can find it in your own Azure Active Directory (microsoftintune.uservoice.com/.../Dynamics.png). I know that the code behind AX/Dynamics is running on IIS inside a VM, but the authentication part is handled by the IdP (Azure Active Directory).

It is this Azure application that is missing support for Azure Conditional Access. I'm glad this is being added soon.

Azure Conditional Access:

docs.microsoft.com/.../active-directory-conditional-access-azure-portal

Reply
Sukrut Parab responded on 16 Nov 2017 2:08 PM

You are correct. These are Azure NSG rules. We are currently using those. Right now if we need to add any new IP, we are providing it to Microsoft and they add it for us.

Reply
Marten Reijner responded on 21 Nov 2017 2:42 AM

Hi Peter,

I have the exact same question as you, but I am struggling to understand how you reached the conclusion "glad this is being added soon". I find nothing related in the roadmap item "Control access to a specific set of IP addresses so that only known clients can log in".

I hope you can clarify.

Thanks

/Mårten

Reply
André Arnaud de Calavon responded on 21 Nov 2017 6:35 AM

Hi Marten,

Peter did copy the announcement from the roadmap site in a reply above.

Reply
Peter Selch Dahl responded on 24 Nov 2017 2:56 AM

TEMPORARY SOLUTION:

Even though "Microsoft Dynamics ERP" is not listed in Azure Active Directory (The portal) and you can't configure "Conditional Access" specifically on that application, if you define a policy for ALL SaaS apps you will also include Microsoft Dynamics 365. It works like a charm!

At some point Microsoft will add support for "Conditional Access" and you will be able to define the policy on the application within Azure Active Directory.

https://imgur.com/a/syWpt

Reply
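A concrete form of the "policy for ALL SaaS apps" workaround above, added here as an example (it is not Peter's or Microsoft's own code). It assumes the Microsoft Graph PowerShell SDK, which did not exist when this thread was written, and uses a placeholder group id for the emergency-access exclusion.

```powershell
# Added example (not from the thread): a report-only Conditional Access policy
# scoped to "All cloud apps", which is what makes it cover Dynamics 365 for
# Finance and Operations even though the app cannot be selected individually.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns),
# which post-dates this 2017 thread; the group id below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<OBJECT-ID-OF-BREAK-GLASS-GROUP>"   # placeholder, replace

$policy = @{
    displayName = "CA - All cloud apps - compliant device outside trusted locations"
    # Start in report-only mode: the sign-in log shows what WOULD be blocked,
    # including Dynamics 365 sign-ins, before anything is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            # An all-apps policy must exclude emergency-access accounts,
            # otherwise a misconfiguration can lock every admin out of the tenant.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # "All" is the key setting from the thread: Dynamics 365 is in scope
            # only because every cloud app is in scope.
            includeApplications = @("All")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations marked as trusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy was created and is still report-only before switching
# its state to "enabled" after reviewing the report-only sign-in results.
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'" |
    Select-Object Id, DisplayName, State
```

Review the report-only outcomes in the Azure AD sign-in log, filtered on the Dynamics 365 application, before changing `state` to `enabled`.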
Peter Selch Dahl responded on 28 Nov 2017 3:08 PM

Blog post - Protecting Dynamics 365 for Finance and Operations with Azure Conditional Access:

blog.peterdahl.net/.../azure-conditional-access-support-for-dynamics-365-for-finance-and-operations

Reply
Steeve Gilbert responded on 7 Dec 2017 6:45 AM

Hi André,

How do you notify Microsoft of your list of IP addresses allowed to connect to D365? We would like to use that approach. Do I open a service request and say "please limit access to D365 to those IPs"?

Thanks

Reply
André Arnaud de Calavon responded on 7 Dec 2017 4:48 PM

Hi Steeve,

It is currently in development. You have to wait for the details once it has been released.

Reply