Enabling MFA as a CSP as part of partner security requirements or as a customer to enhance security

The question or issue around MFA is twofold:

  1. [SAAS] Partners / CSPs are required to use MFA on all accounts they do add to their customer tenants
    a. They do have a choice to do this via third party as long as they do it on all the accounts they do own which they did add to their customer tenants
    b. They do have a choice to do this via Azure portal via a policy or via Office 365 / Azure portal on a per user base as long as they do it on all the accounts they do own which they did add to their customer tenants
  2. [OnPrem] Customers are free to decide though it is highly recommended to use MFA on all accounts that access their ERP data
    a. They do have a choice to do this via third party
    b. They do have a choice to do this via Azure

In both scenarios, the accounts being used for CRM / SharePoint / SMTP in Dynamics NAV / Dynamics 365 Business Central do not support MFA. For this scenario, App Passwords must be used. There are two ways of generating App Passwords:

  1. On a per user base via Office 365 portal / via Azure portal on a per user base
  2. Via an Azure Conditional Access Policy
    a. Free Security Defaults policy => all users will get the MFA assigned, no exceptions, no compatible App passwords are being generated, no Azure premium licenses need to be purchased
    b. Conditional Access Policies in Azure => all users can get the MFA assigned, exceptions can be made to allow MFA to be assigned on a per user base, no compatible App passwords are being generated, Azure premium licenses need to be purchased to allow this flexibility

The issue with not using a conditional access policy is that you can easily forget to enable MFA on a newly created account. This is where the Azure premium licenses do come into play. In addition, creating a runbook for users how to create a user in Office 365 and Dynamics NAV / Dynamics 365 Business Central can easily be adjusted with the MFA requirement.

When doing this on a per user base (if your starting point is editing a user via Office 365 you will end up here):

Or editing a user via Azure Portal, Azure Active Directory users, you will end up here:

NOTE: when clicking on "here" replace <<tenant ID>> in the URL above with your tenant ID which will happen automatically if you do log on to your partner portal. The scenario is by design. It is a security requirement for CSPs or a security enhancement that can be enabled by customers.

Clearly hope this does help.
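
Added example, not part of the original post: one way to catch the "forgot to enable MFA on a newly created account" gap when MFA is assigned per user is to compare the list of accounts that must have MFA against an MFA registration export. The account names and the inventory list are constructed; the record fields are assumed to follow the shape of Microsoft Graph's userRegistrationDetails report, and a registered method is used here as a proxy for MFA being in place.

```python
import json

# Constructed inventory: accounts the partner added to customer tenants,
# all of which must have MFA under the requirement described in the post.
PARTNER_ACCOUNTS = [
    "admin@partner.example",
    "Consultant1@partner.example",
    "newhire@partner.example",
    "svc-smtp@partner.example",
]

# Constructed export. Field names are assumed to match Graph's
# userRegistrationDetails records (userPrincipalName, isMfaRegistered,
# methodsRegistered).
REGISTRATION_EXPORT = json.loads("""
[
  {"userPrincipalName": "admin@partner.example", "isMfaRegistered": true,
   "methodsRegistered": ["microsoftAuthenticatorPush"]},
  {"userPrincipalName": "consultant1@partner.example", "isMfaRegistered": true,
   "methodsRegistered": ["mobilePhone"]},
  {"userPrincipalName": "svc-smtp@partner.example", "isMfaRegistered": false,
   "methodsRegistered": []}
]
""")


def audit_mfa(required_accounts, export):
    """Return {upn: finding} for each required account without verified MFA."""
    # UPNs are case-insensitive, so index the export on the lowercased name.
    by_upn = {rec["userPrincipalName"].lower(): rec for rec in export}
    findings = {}
    for upn in required_accounts:
        record = by_upn.get(upn.lower())
        if record is None:
            # Typical for an account created after the export was taken.
            findings[upn] = "not in export (new or unverified account)"
        elif not record.get("isMfaRegistered", False):
            findings[upn] = "no MFA method registered"
    return findings


if __name__ == "__main__":
    for upn, finding in audit_mfa(PARTNER_ACCOUNTS, REGISTRATION_EXPORT).items():
        print(f"{upn}: {finding}")
```
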

  • Marco Mels

    Hello,

    Feel free to comment (not a question).

    Thanks.

  • Javi S

    Hi,

    We work with Dynamics 365 Business Central in Cloud in our organization and we are experiencing problems when trying to configure SMTP email.

    We have the default security policy without Azure Premium licenses and we have edited a user via Azure Portal on a per user base to enable him the MFA. Finally we created an app password with that user. However, trying to configure SMTP email with user ID = user email, and password = app password, we keep getting the same error "A call to MailKit.Net.Smtp.SmtpClient.Authenticate failed with this message: 5.7.3 Authentication unsuccessful".

    Any suggestion?

    Thanks

  • Kieran Sweeney

    Spinning up a new demonstration tenant from cdx.transform.microsoft.com, I encountered the same problem as Javi S.

    My steps were as follows:

    1. Deploy M365 and start D365BC for IW's (1-year/90-day Business Central demo environment is disallowed despite having no active tenants).
    2. Create AAD account for e-mail.
      1. Assign E5 license (but not D365BC for IW's).
      2. Avoid assigning any administration permissions.
    3. Enable MFA in AAD.
    4. Select AAD User from Step 2.
    5. Select Enforce MFA.
    6. Initialize user O365 account, register MFA, set App Password, and test Outlook message.
    7. Navigate to SMTP Setup in D365BC.
    8. Use action to default O365 Settings.
    9. Plug in user e-mail and app password.
    10. Test, fail, and gnash teeth.
    11. Try virtually every setting combination in SMTP Setup.

    I have also disabled MFA and used Username/Password and added the D365BC for IW license to no avail.

    I'm running US Business Central 17.0 (Platform 17.0.17020.18218 + Application 17.0.16993.0).

  • bpelinka

    Have you gotten anywhere with this? I just started having this problem in our environment.
