Navigating Dynamics 365 F&O security gotchas: Key takeaways and expert tips

This article is sponsored by Fastpath, now part of Delinea.

When it comes to securing a Microsoft Dynamics 365 Finance & Operations environment, there are seemingly countless details to keep in mind from proper role assignments and segregation of duties to avoiding over-provisioning and unnecessary licensing costs. 

In a recent MSDW webcast, Alex Meyer and Frank Vukovits of Fastpath, now part of Delinea, shared their list of top D365 F&O security and administration missteps or “gotchas." They also provided practical solutions that user can implement to mitigate or avoid each one.

While the range of risks may seem overwhelming, Meyer and Vukovits recommended ways to think about security in ways that can be incorporated into familiar F&O deployment and management strategies. Let’s look at the gotchas they identified for the MSDW audience.

1. Over-provisioning of user access

One of the most common gotchas is giving too many permissions to too many users. Since D365 F&O has a robust but complicated security system, it's sometimes easier to give users broad roles or even full administrator access when they run into issues.

"If you're on the IT side or on the security team within your organization, how often have you heard somebody higher up coming to you and saying, ‘just give them the access they need to get the job done – to get the orders out the door?" Meyer asked.

If you do that enough, you end up with over-provisioned users, too many admin accounts, and a lot of exposure. 

To counteract this, Meyer recommended the practice of “least privilege,” where you give users the minimum access they need to do their jobs. Giving users more access than they need can create risks, cause accidental changes in the system, and lead to big financial losses if someone misuses their privileges – whether by mistake or on purpose.

2. Security 'tunnel vision'

D365 F&O ties security roles directly to licensing requirements. If you assign a user a high-level role, such as an enterprise-level role, but all they really need to do is view timecards, your organization can end up paying for licenses that aren’t actually needed.

“What a user is assigned in the system from a security perspective will drive the licensing impact for that user," Meyer said. "So if you over assign a user from a security perspective, you’re also provisioning them from a licensing perspective."

Vukovits added, although you might think that Microsoft’s main focus is creating secure roles without conflicts and making license management easy, that’s not really the case.

"The function of the software is to ship product and close the books quicker and generate nice accounting statements," he said. "Security is sort of a secondary necessary evil. [And it may be] your partner or VAR does not know as much about security as you think. And they may or may not have even told you that security and licensing are tied together."

To deal with this issue, Meyer and Vukovits recommended regularly checking the gap (or “delta”) between what roles a user has and what functionality they actually use. You can use the telemetry data in D365 F&O to help identify where you can scale back access and licenses.

3. Not following application lifecycle management process

Security should be treated like code, moving through development, testing, and production environments with proper review and sign-off at each step. Meyer cautioned against giving everyone sysadmin access in a test environment just to get things done because that doesn’t reflect how roles will be used in production.

“You wouldn’t let a developer make code changes directly in your prod system . . . so you want to make sure your security is following that same process," Meyer said.

4. No periodic reviews of access

F&O customers should also expect to schedule regular audits and user access reviews, sometimes called UARs. People change departments, employees leave, or temporary contractors are brought on. Without a scheduled check, e.g., quarterly, semi-annual, or annual, old access accumulates. Dormant accounts are especially risky. Meyer explained that it's easy for users to accumulate roles as they move within the company.

"Then all of a sudden the user that had one role at the beginning of their employment, has ten or fifteen roles," Meyer said. "One of the big gotchas here is that there's no real native functionality within D365 F&O to actually review the access that this user has. You have to manually go in and do that process for your organization."

Consequently, you have to have a process to review security on a periodic basis and ask the following questions:

• Who has access?
• What access do they have?
• Is this access appropriate?

5. Security in domain of IT

Security design and provisioning shouldn’t be left solely to the IT department. Because security intersects with business processes, people who understand each functional area must also be involved.

“You really need to have that strong communication between those teams because your business process owners are going to have to tell your IT team exactly what those users should have access to," Meyer said. "And then your IT team has to go in and actually execute those security changes,"

6. Security low priority in organization

It’s common for organizations to focus heavily on getting new functionality live and push security off until the final weeks. This often results in last-minute scrambles and a patchwork approach.

“And so, all of a sudden, you're trying to jam in potentially hundreds of hours of work into that last couple of weeks and that's not fun for anybody," Meyer said.

As such, ERP teams should start security early by including it in their sprint cycles during implementations, upgrades, or new features. This makes it easier to manage because you build security into the process from the start, according to Meyer.

7. Security testing performed incorrectly

When you test an application, ensure testing is done with the actual security roles that users are going to be assigned. Often, tests pass because users have admin access, which doesn’t reflect real conditions. If security isn’t tested properly, issues may only appear later when users face access problems in a live environment.

That's why your security testing should be done in phases, Meyer said. He outlined the six phases, from design and development through to license impact.

8. Microsoft and ISV updates not reviewed for security impact

While you might have a formal process for your own changes, security can be affected by updates from Microsoft or by ISV add-ons. Each version might introduce new privileges or modify existing roles.

With every D365 F&O release, Microsoft can change security objects behind the scenes, according to Meyer. Therefore, it's important to perform an assessment on security changes with each new update to features as well as from an SoD and license perspective.

9. Not utilizing all D365 F&O security features

D365 F&O supports additional layers of security, such as extensible data security (XDS), data entity permissions, and table-permission frameworks. According to Meyer, these features can be powerful, yet are often underutilized. 

There are security features other than just roles, duties, and privileges that you may not be using that could potentially help to secure your environment, Meyer said.

"So you always want to make sure that you have these in the back of your mind, [and consider] if this is a scenario where you could potentially implement any of these to help additionally secure your environment," Meyer said.

10. Falling into the "security doughnut"

Finally, Vukovits introduced the concept of the “security doughnut." CISOs/CSOs focus on securing the perimeter, i.e., the “dough” of external threats) but leave a gaping hole in the middle – access controls within the business application itself – to the business process owners.

You can have the best cybersecurity externally, but if your own employees inside are over-provisioned in D365 F&O, you can still end up losing money to fraud or mistakes. 

" You have to have the right balance and mitigation of both because the internal threats are just as real," he said.

You can see all the guidance by viewing the webcast recording.