Microsoft have an ongoing mission around security, check out the Secure Future Initiative | Microsoft & the recent newsletter SFI_November_2024_update.pdf
But here I wanted to share a very simple tip around an effective just-in-time access control for clients to allow / prevent partners from accessing their BC environments.
I see this coming into play post go-live. Better to leave the door locked and provide access only when required, so long as you (the client organisation) have suitable coverage with you internal IT resource/team to let the partners in when necessary.
Recent evolution of partner access in general
Today we have GDAP access Granular delegated admin privileges (GDAP) introduction - Partner Center | Microsoft Learn which allows clients to grant partners access to their tenancy with only the necessary roles. For example on BC-related matters all you really need to be granting is Dynamics 365 Business Central Administrator. You might see partners also requesting Service Support Administrator as this allows the partner to manage service health and submit tickets on your behalf.
Before GDAP there was DAP, the main drawback of this was you had to grant Global Admin to the partner, which is pretty bad for security here is what ChatGPT has to say, I think mostly correct ChatGPT - DAP vs GDAP Comparison in short:
- DAP: Full Global Admin access.
- GDAP: Specific, role-based access
Partner access to D365 BC
In the most recent release wave, client organisations have yet another options to help tighten security; with Control partner access per environment | Microsoft Learn.
With this new feature (another from the the ideas forum Microsoft Idea, Microsoft Idea; thank you Kamil & Xavier) clients can toggle partner access off completely, or if they have multiple partners that they have granted D365 BC Admin to they can now define which partner can access which environment. Which I would strongly recommend using!
D365 BC admin panel showing the new 'Partner Access' control |
Turn off partner access completely or set which partners can access |
While we are on the topic of GDAP enabled partner side users accessing D365 BC, you can review the sign-in events from these partner users in Azure sign-in logs - filter for 'Service provider' in the 'Cross tenant access type' column. Thanks to Ru Campbell for this tip!
Azure Portal / EntraID / Sign-in logs |
What the EntraID logs won't tell you is what the partner user did when logged in, that's down to your change log setup. Speak to your Microsoft partner to help you set that up if not already running Auditing changes - Business Central | Microsoft Learn.
FYI this is what a GDAP user looks like in BC, the long code you see is the user's object ID in their home tenancy, so you can get the name of that user from the partner if you really need to.
A partner user as seen in the D365 BC user list |
In summary
- You can improve your security posture by adopting just-in-time access for your D365 BC Microsoft partner.
- Ensure they are offering you a GDAP relationship with only the roles needed - namely Dynamics 365 Business Central Admin & possibly Support Service Admin.
- Use the Partner Access control on your D365 BC environments to quickly turn access on or off as needed.
What do you think?
Please let me know your thoughts in the comments
Connect or follow me on LinkedIn to get all my updates Andrew Wingate | LinkedIn