You can limit access to Microsoft Dynamics 365 for Finance and Operations by using Conditional access. Conditional access is a capability of Azure Active Directory. With Conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions.
Azure AD is accessible from anywhere. What if an access attempt is performed from a network location that is not under the control of your IT department? A username and password combination might be good enough as proof of identity for access attempts from your corporate network. What if you demand a stronger proof of identity for access attempts that are initiated from other unexpected countries or regions of the world? What if you even want to block access attempts from certain locations?
In Azure AD, users can access cloud apps from a broad range of devices including mobile and personal devices. What if you demand that access attempts only be performed with devices that are managed by your IT department? What if you even want to block certain device types from accessing cloud apps in your environment?
Azure AD Identity Protection detects sign-in risks. How do you restrict access if a detected sign-in risk indicates a bad actor? What if you would like to get stronger evidence that a sign-in was performed by the legitimate user? What if your doubts are strong enough to even block specific users from accessing an app?
-
The Azure Active Directory tenant must have Active Directory Premium enabled, click here for details.
-
Conditional Access policies defined for Microsoft ERP application are applied to all environments within the tenant.
-
Conditional access excludes the following scenarios:
a. Any Dynamics 365 integrations authenticating through Web Apps/shared secret; however, it works with native app.
b. With Microsoft Logic Apps and Power Automate, at the time signing into the connector, it checks the login for Conditional access, however, once the connection is established, it does not check the conditional access on each call. For example, it does not check IP of the caller each time, but it checks the IP of the caller at the time of signing into the connector for the first time.
c. Dynamics 365 Warehouse Mobile Application
d. CPOS & MPOS logins
e. Dual write integration -- Dual write doesn't run against the logged-in Finance and Operations user. As long as Dual write is setup and Dynamics 365 for Finance and Operations is accessible, it uses App registration & Dual write user to upsert the records.
f. Finance and Operations Virtual Entities
- Sign into the Azure portal, click on the Azure Active Directory > Enterprise applications.
- On the next screen you will see Conditional access under security section. Click on Conditional Access to add conditions to secure Microsoft Dynamics 365 for Finance and Operations.
- Browse to the Conditional Access-Policies page and click on New policy button
- On the next page, name the Conditional Access policy and define the assignment to conditional grant and block the access to the resource.
- Select the Users and groups. You can apply Conditional access at multiple levels i.e. Groups, specific user or all users. For example, in case you are applying Conditional Access security at group level then you can exclude service accounts.
- Next you will assign the Cloud apps on which you want to apply the security, you either apply these Conditional to all apps and exclude some or have specific conditions for each app. In case of specifically defining security permission for Dynamics 365 for finance and operations. Select "Microsoft Dynamics ERP" cloud app has shown in the figure below.
- Next you will define conditions, details on Sign in risk, Device platforms, client apps, Device state and locations can be found on the following link:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions
In this article, we will dig deeper into defining locations as it deals IP restriction.
- To select either block or whitelist certain location, you need to first add those IP ranges into Name locations.
Note: Named Locations should be created first before it can be assigned under the conditions for access the resource. Locations can be defined by going into Enterprise application > Conditional Access policies > Named locations.
Click on the new locations and enter the IP ranges which are considered as trust locations.
In this scenario, we are blocking all the locations excluding the selected locations.
To exclude the trusted locations from conditionally blocking Dynamics 365 for Finance and Operations, click on the exclude tab as shown above. User can either exclude as the trust locations defined in the name locations or selectively pick individual trusted location.
Once the exclusion is defined on the locations, switch to include tab to include all the locations which needed to be blocked.
- In the Access control sections, either you define the grant or block. Which means when the above conditions are meet then grant the access with additional check marked or block the access expect for the condition in the excluded list.
- Finally, you enable the policy. As soon as you try to access the Dynamics 365 for Finance and Operations for any location other then exclude one. It will give error message at the time of login
Dynamics 365 for Finance and Operations Mobile App login is unsuccessful even though 'mobile device' is compliant if device complaint is required by Conditional access policy.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions
You can define conditional policy based on your organization need. Below are few scenarios that you can refer, and design policy based on your need for your implementation.
Scenario a: Block all users to login from all locations except few selected locations e.g., IP/Country.
Define BlockPolicy to include 'All users'
Define BlockPolicy to exclude 'Selected locations'
With above setup, if any user logs-in from selected location, then only he/she can access to Finance and Operations apps.
Scenario b: Grant all users to login and enforce MFA (Multi Factor Authentication) and Device compliance
Define GrantPolicy to include 'All users'
Define GrantPolicy to enforce 'Multi-factor authentication' and 'Device compliant'
Scenario c: Block all user to login from all locations except from few selected locations/IP and enforce MFA & Device compliance to grant access.
This requires two policies (BlockPolicy & GrantPolicy):
(a) BlockPolicy: Block all users to login from all locations except few selected locations e.g. IP/Country
(b) GrantPolicy: Grant access to all user and enforce MFA & Device compliance
You will need to enable both policies. These two policies will be applied as 'AND' condition.