Security architecture


Functionality noted in this topic is available to targeted users as part of a preview release. The content and the functionality are subject to change. For more information about preview releases, see Service update availability.

This topic provides an overview of the security architecture of Dynamics 365 for Finance and Operations.

When you understand the security architecture of Finance and Operations, you can more easily customize security to fit the requirements of your business. The following diagram provides a high-level overview of the security architecture.



By default, only authenticated users who have user rights in Finance and Operations can establish a connection.

Finance and Operations uses Microsoft Azure Active Directory (Azure AD) as the primary identity provider. To access the system, users must be added to the Finance and Operations instance. If users are associated with a Finance and Operations license, the first time that they sign in, they are automatically added as system users who have no roles.


Authorization is the control of access to the Finance and Operations program. Security permissions are used to control access to individual elements of the program: menus, menu items, action and command buttons, reports, service operations, web URL menu items, web controls, and fields in the Finance and Operations client.

In Finance and Operations, individual security permissions are combined into privileges, and privileges are combined into duties. The administrator grants security roles access to the program by assigning duties and privileges to those roles.

Finance and Operations uses context-based security to determine access to securable objects. When a privilege is associated with an entry point (such as a menu item or a service operation), a level of access, such as Read or Delete, is specified. The Finance and Operations authorization subsystem detects the access at run time, when that entry point is accessed, and applies the specified level of access to the securable object that the entry point leads to. This functionality helps to ensure that there is no over-permissioning and that the developer gets the access that was intended.
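The role, duty, privilege, and entry-point chain described above can be modeled to review what a user can actually reach. The following Python sketch is an added example, not Finance and Operations code: all role, duty, privilege, entry point, and user names are constructed, and the intermediate access levels, their ordering, and the rule that the highest grant across a user's roles applies are assumptions of the example.

```python
from enum import IntEnum

class Access(IntEnum):
    # Only Read and Delete are named on this page; the other levels and
    # the ordering (higher implies lower) are assumptions of this example.
    NONE = 0
    READ = 1
    UPDATE = 2
    CREATE = 3
    CORRECT = 4
    DELETE = 5

# Constructed sample data: privilege -> {entry point: access level granted}
PRIVILEGES = {
    "CustInvoiceView": {"CustInvoiceJournal": Access.READ},
    "CustInvoiceMaintain": {"CustInvoiceJournal": Access.DELETE,
                            "CustInvoicePost": Access.UPDATE},
    "VendReportGenerate": {"VendAgingReport": Access.READ},
}
DUTIES = {  # duty -> privileges it combines
    "CustInvoiceInquire": ["CustInvoiceView"],
    "CustInvoiceProcess": ["CustInvoiceMaintain"],
}
ROLES = {  # a role is assigned duties and, directly, privileges
    "AR clerk": {"duties": ["CustInvoiceInquire"], "privileges": []},
    "AR manager": {"duties": ["CustInvoiceProcess"],
                   "privileges": ["VendReportGenerate"]},
}
# "newhire" models a licensed user added automatically with no roles.
USERS = {"alice": ["AR clerk"], "bob": ["AR clerk", "AR manager"], "newhire": []}

def role_privileges(role):
    """Flatten a role into the privileges it holds directly or through duties."""
    names = list(ROLES[role]["privileges"])
    for duty in ROLES[role]["duties"]:
        names.extend(DUTIES[duty])
    return names

def effective_access(user, entry_point):
    """Return (level, sources): the highest grant and the (role, privilege) pairs giving it."""
    best, sources = Access.NONE, []
    for role in USERS.get(user, []):  # unknown users have no roles
        for priv in role_privileges(role):
            level = PRIVILEGES[priv].get(entry_point, Access.NONE)
            if level > best:
                best, sources = level, [(role, priv)]
            elif level == best and level != Access.NONE:
                sources.append((role, priv))
    return best, sources

def authorize(user, entry_point, needed):
    """Deny by default: allow only when some role grants at least the needed level."""
    level, _ = effective_access(user, entry_point)
    return level != Access.NONE and level >= needed
```

The `sources` list is the useful part for an access review: it shows which role and privilege are responsible for a user's highest grant on an entry point.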

For more information about role-based security in Finance and Operations, see Role-based security.

Data security

Authorization is used to grant access to elements of the program. By contrast, data security is used to deny access to tables, fields, and rows in the database.

Use the extensible data security framework to control access to transactional data by assigning data security policies to security roles. Data security policies can restrict access to data, based on either the effective date or user data, such as the sales territory or organization.

Record-level security, which was a mechanism for securing data in Dynamics AX 2012 and earlier versions, is obsolete. Extensible data security is the recommended mechanism for securing or filtering data in the program.

Additionally, the Table Permissions Framework helps protect some data. Data security for specific tables is enforced by Application Object Server (AOS).


Auditing of user sign in and sign out is now enabled in Finance and Operations. The system logs when a user signs in or out of the application. A sign out is logged even if the user's session expires or ends.

A system administrator or security administrator can access the audit logs by going to the User log page (System administration > Inquiries > User log).