web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro
Introducing our New Video Series: Community Spotlight
News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Finance | Project Operations, Human Resources, ... / D365 ERP MCP Agent Byp...
Finance | Project Operations, Human Resources, ...
Unanswered

D365 ERP MCP Agent Bypasses User Security Roles — How to Enforce Permissions?

(1) ShareShare
ReportReport
Posted on by CuriousMind 76

Background: We have added some custom logic in the OOB Copilot for Finance and Operations Agent in Copilot Studio to create and manages routes and in D365 F&O. The agent structure is:

  • OOB "Copilot for Finance and Operations" agent — surfaced in the D365 F&O Copilot sidecar
  • D365 ERP MCP connected as a tool to the OOB agent
  • Custom instructions and knowledge document added to the OOB agent covering route creation steps and business logic
  • Agent correctly uses D365 ERP MCP tools for live data operations 

    •  

Problem: Observed that the D365 ERP MCP does not account for the logged-in user's D365 security roles.

Specifically:

  1. We removed the security role that grants route creation access from a test user
  2. That user cannot manually create routes in D365 F&O (blocked as expected)
  3. However, when the same user uses the Copilot sidecar agent, routes are created successfully bypassing the security restriction entirely

Questions:


  1. What credentials does the D365 copilot agent run under - the logged-in user's session, or a separate service account?

  2. Is there a way to configure the agent to enforce the logged-in user's D365 security roles?

  3. As a workaround, can the agent query SecurityUserRoleV2 or a similar entity to check if the current user has the required role before proceeding with record creation?

  4. Is this a known limitation of the D365 ERP MCP, and if so, what is the recommended approach for enforcing security in agent-driven workflows?

    5.  

Any guidance from the community would be appreciated.

Categories:
Dynamics 365 Finance
I have the same question (0)

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro
Introducing our New Video Series: Community Spotlight

Quick Links

Season of Sharing Community Challenge Launch!

Jump in, show your community spirit, and win prizes!

Women in Power Builds Momentum

Expanding mentorship, skilling, and AI innovation

Congratulations to the May Top 10 Community Leaders

These are the community rock stars!

Leaderboard > Finance | Project Operations, Human Resources, AX, GP, SL

#1
Abhilash Warrier Profile Picture

Abhilash Warrier 461 Super User 2026 Season 1

#2
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 428 Super User 2026 Season 1

#2
Subra Profile Picture

Subra 428

Last 30 days Overall leaderboard

Featured topics

End-of-life Announcement for Microsoft Dynamics GP
License usage reporting (in-app and PPAC) with Entra dynamic groups

Product updates

Dynamics 365 release plans