web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Finance | Project Operations, Human Resources, ... / Entra groups and JIT u...
Finance | Project Operations, Human Resources, ...
Suggested Answer

Entra groups and JIT user provisioning suddenly not working

(1) ShareShare
ReportReport
Posted on by cdokos 13
Hello,
 
We noticed recently that the already mapped EntraID groups to the D365 F&O stopped provisioning new users (JIT). Any new user added to any existing group, even though the groups are enabled and mapped to D365 F&O roles, is denied access with the following error:
 
 
Problem seems to be started after 30/10/2024 and without any change and affects our LIVE environment! Version: 10.0.41 (10.0.2015.54)
Anyone else experiencing this issue?
We have raised a ticket (SEVERITY A - #2411071420003102) to MS and no response yet!!!
d365_fo_error.jpg

Your file is currently under scan for potential threats. Please wait while we review it for any viruses or malicious content.

Categories:
Dynamics 365 general
I have the same question (0)
  • Suggested answer
    t4m7 Profile Picture
    t4m7 61 on at
    Hi -- 
    sounds like you have long had the licensing feature turned on to allow the Entra AD groups, and that you normally expect that the first time the user logs in, it will match via a group and they will have access, inheriting the group's role. You indicate it is happening to all/any new user in all/any group.
     
    i have a few questions:
    1. In Entra, looking at the user, and at the sign-in log, do you see any indication of the attempt? If yes, then is there a failure or any useful info? If no, can you look at the whole sign-in log to see if there are attempts by a different user from who is expected?
    2. In F&O can you add a new user using the Users > import users option...which would confirm/test that there are no issues querying the AD users or bringing them in manually.
    3. If you try from a tier 2 or tier 1 environment, is it the same?
    4. Does the Telemetry ID part look correct?
     
    We used to rely on this, but we eventually moved away from it because of inconsistencies and limitations, usually related to the length of the group names or the resulting UserIDs, the impact of name changes, as well as the number of legal entities we have.
     
    Instead, we still lean on the EntraAD groups for the users and roles, but we built a PowerAutomate to orchestrate the creation of new users, the association with the correct legal entity, and the assignment of roles. Well, we use 2 PowerAutomate Flows...one for users, one for roles. In the PowerAutomate (a LogicApp would also work), we do the following:
    Users:
    1. use the graph api to get the group - we have 1 group for "access" similar to the CE/power platform side, and then azure ad connector to get the members
    2. use the f&o connector to list the existing enabled users
    3. parse and compare
    3.a. Some need to be created, we use the f&o connector to create a record in SystemUsers -- note, the f&o record limits the userid to 20 characters
    3.b. Some need to be disabled, we use the f&o connector to disable
     
    Roles:
    Similar, but this time we have an EntraAD group per role
    1. user the graph api to get the groups and the users in the groups
    2. use the f&o connector to get the roles and the users with the role
    3. parse and compare
    3.a. add users to roles
    3.b. drop users from roles
     
    you can also use this concept to manage the native F&O group membership (which you can then use for credit pools or approval groups, etc), maintaining an EntraAD security group that maps to an F&O group and keeping them in sync with the Flow.
  • cdokos Profile Picture
    cdokos 13 on at
    Hey,
     
    I see your point but in an organization with more than 600 employees and with an existing previously working JIT/SCIM provisioning schema it is kind impossible to change to manually importing users and assigning all the proper roles; not to mention that this is error prone.
     
    To answer you questions:
     
    1. In Entra, looking at the user, and at the sign-in log, do you see any indication of the attempt? If yes, then is there a failure or any useful info? If no, can you look at the whole sign-in log to see if there are attempts by a different user from who is expected? - Yes I can see successful sign-in logs for the users under "Microsoft Dynamics ERP" application
    2. In F&O can you add a new user using the Users > import users option...which would confirm/test that there are no issues querying the AD users or bringing them in manually. - Done this without any issue but still we have on-boarded during the last 2 days more than 70 people by using the already existing provisioning method and can't access the platform
    3. If you try from a tier 2 or tier 1 environment, is it the same? - Haven't tried this but all existing users in Sandbox (same as PROD) are still able to access the platforms
    4. Does the Telemetry ID part look correct? - Can't check for telemetry ID of the new users since they are not able to perform their first logon and as a result they don't appear initially on "Manage Users" section
     
    Moreover, I've started thinking that maybe a backend change has been performed and has caused this issue. See the following link which states about a deprecation on 30/10/2024 but although it should affect only guest/external users, still sounds very similar.
     
     
    Either way, this implementation (https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/sysadmin/active-directory-security-group) is a well documented feature from MS, that needs to be fixed unless they publicly declare that it's deprecated. Large organization like ours that are directly affected should be provided with an official work-around or at least a notice period.
     
    By the way, EntraID team (as the ticket now is escalated to them) seems to be unaware of that integration (between D365 F&O and EntraID) and after one week of investigation by their side, they are still unable to find the root cause or at least admit that something's going on their side.
     
  • Suggested answer
    NikolajSorensen Profile Picture
    NikolajSorensen 1,792 on at
    I do not have a solution to your problem. 
    Perhaps the invalid users link and the repair functionality can address it?
     
    But the feature is a legacy feature which is clearly stated in the link you have provided, it has known limitations and it is clearly stated that these will not be adressed.
     
    You have based your access provisioning process on a legacy feature with known limitations that would not be adressed. 
    To me that also means you should not expect any issues arising to be addressed by Microsoft.
     
    You really need to look for alternative solutions.
  • cdokos Profile Picture
    cdokos 13 on at
    At least we need to know which limitation we have currently hit (if we did so).
    The fact that this is a legacy feature does not imply that it can be deprecated or altered no matter when Microsoft decides and without an earlier notice.
     
    We are not talking about addressing current limitations but troubleshoot a functionality (already documented) that used to work flawlessly and stopped working without any change or limitation violation.
     
    Unless we have an official answer from Microsoft that we can't use this method anymore, we can't understand why change it know, even after mentioning "until the group experience is unified with the more comprehensive feature in Dataverse"
  • NikolajSorensen Profile Picture
    NikolajSorensen 1,792 on at
    You are entitled to your opinion, but in reality the functionality did not work flawlessly which is very clear by the fact that Microsoft has explicitly called out the KNOWN limitations. 
     
    I am quite certain that the feature itself has not changed or been deprecated officially, but probably the changes to the authentication has now impacted this feature.
     
    Again I would really advice you to look for other solutions, as I would not expect MS to fix whatever the cause of the problem is.
     
     
  • t4m7 Profile Picture
    t4m7 61 on at
    Sorry, I meant to specify "Does the Group's Telemetry ID" look correct.
    I think you are likely correct, that something with their change has disrupted the group behavior.
     
    I agree with you, we were often chasing corrections and tweaks, which was why we settled on the PowerAutomate approach.  We have 2000 users, so constant changes, and it handles it quite well, keeping them all in sync. For us it is the same overhead as before, in which our interactive process involves assigning users to the correct security groups during hiring or changing of positions.  The rest is automated.  It even allows us to support nested groups, which even the built-in dynamic groups of entra don't handle well.
  • Suggested answer
    André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 301,069 Super User 2025 Season 2 on at
    Hi cdokos,

    I have seen a similar report about a week ago. I don't know what is causing this. It is weird that it is working in one environment (UAT sandbox) and not in production. That is definitely due to an error at the side of Microsoft. I just tested it in my environment (10.0.41 sandbox) where it is working correctly. 
     
    There is an alternative solution that also takes away all known limitations as listed by Microsoft. I developed an enhancement for the Entra ID group integration where users can be imported before their first login when assigned to specific Entra ID groups. They will then get the same naming convention as when you manually import users, so no $ sign. 
    Also the enhancement has an integration with the automatic role assignment which will assign the roles to the users in case you would want to have all features working normally. The enhancement is part of a Github project which is open source, maintained by community volunteers and free! 
    You can read more about this enhanced feature and get the link to the solution on Github via my blog: Enhanced Entra ID group integration in D365FO Admin Toolkit - Dynamicspedia

    For sure with severity-A, Microsoft Support should work about day and night to get the issue fixed. I wonder if MSFT Support already contacted the product team responsible for this area. Keep escalating until it is solved or agreed to be not severity A.
  • cdokos Profile Picture
    cdokos 13 on at
    @André Arnaud de Calavon
     
    Thank you for your reply.
    I'm glad we are not the only ones facing this issue especially since MSFT Support hasn't yet acknowledged any known issue/bug from their side and they have reported no feedback until now on any possible investigation on their back-end.
     
    We will continue by any means to escalate the issue until it is solved and in the meantime we will examine the enhancement you mentioned although this needs to be implemented by our Dynamics365 partner and requires further development.
     
    Kindly keep us posted!

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Finance | Project Operations, Human Resources, AX, GP, SL

#1
Martin Dráb Profile Picture

Martin Dráb 592 Most Valuable Professional

#2
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 478 Super User 2025 Season 2

#3
BillurSamdancioglu Profile Picture

BillurSamdancioglu 305 Most Valuable Professional

Last 30 days Overall leaderboard

Featured topics

End-of-life Announcement for Microsoft Dynamics GP

Product updates

Dynamics 365 release plans