Set up and maintain vendor collaboration
The vendor collaboration interface exposes a limited set of information about purchase orders, invoices, and consignment stock to external vendor users. From this interface, a vendor can also reply to requests for quotation (RFQs), and view and edit basic company information.
This topic explains how to set up vendor collaboration in Microsoft Dynamics 365 for Finance and Operations, Enterprise edition. It also explains how to set up a workflow to provision new vendor collaboration users, and how to manage the security roles for those users.
The information about the setup of security roles for vendor collaboration applies only to the current version of Finance and Operations. In Microsoft Dynamics AX 7.0 (February 2016) and Microsoft Dynamics AX application version 7.0.1 (May 2016), you collaborate with vendors by using the Vendor portal module. For information about user permissions for the Vendor portal in Microsoft Dynamics AX, see Vendor portal user security.
Set up vendor collaboration security roles
A procurement professional or a vendor that has enough permissions can request that a contact person be provisioned as a user by enabling Provision vendor user on the contact person record. During the provisioning process, user permissions are selected for the new external user, and the new vendor user request is submitted. It's important that you correctly set up the user permissions that are available for selection in the vendor user request. Otherwise, vendors might be granted access to information that they should not have access to in Finance and Operations.
Set up the security roles that are available for selection when a new user request is used for a contact person
- Select System administration > Security > External roles.
- Select New, and then select a security role and the Vendor party role.
You might want to add the Vendor admin (external) and Vendor (external) roles that are provided in Finance and Operations. Alternatively, you can use security roles that your company has created.
You should make the Vendor admin (external) role available only if vendors should be able to create new contacts, submit vendor collaboration user requests for new users and changes to user information, and handle those requests via a workflow.
If you plan to manually set up vendor contacts and users, you can make just the Vendor (external) role available. This role will then be the only role that can be requested through a vendor user request.
The SystemUser role is automatically granted when you manually create a new user account in Finance and Operations. Therefore, you must remove that role and assign the SystemExternalUser role. If new user accounts are created via the workflow that is initiated by a vendor user request to provision a new user, one or more of the roles that you've set up for vendor collaboration and the SystemExternalUser role will be assigned.
Vendor admin (external) security role
The Vendor admin (external) role can be used for external vendors that maintain vendor contact information and make requests to provision new vendor collaboration users. External users who have this security role can perform the following tasks:
- View and modify contact person information, such as the person's title, email address, and telephone number.
- Add a new or existing contact person to the vendor accounts that they are a contact for.
- Delete any contact person that they have created.
- Activate or inactivate the association between a contact person and a vendor account. After the association between a contact person and a vendor account is inactivated, the contact person can't be referred to on new purchase orders or other documents.
- Deny or allow a contact person's access to documents on the vendor collaboration interface that are specific to the vendor account. After the association between a contact person and a vendor account is inactivated, access to documents that are specific to the vendor account is always denied.
- Request a new user account for a contact person by using the Provision user action.
- Request that a contact person's user account be inactivated.
- Request that a contact person's user account be modified to add or remove security roles.
- View RFQs.
Vendor (external) security role
The Vendor (external) role can be used for external vendors that will work with purchase orders. External users who have this security role can perform the following tasks:
- Respond to and view information about purchase orders.
- Maintain vendor collaboration invoices.
- View consignment inventory.
- View and respond to RFQs.
- View vendor information.
Set up security roles that are used when prospective vendors are onboarded
To onboard vendors that are initiated via a prospective vendor registration request, you must set up an external security role. This rolle will be assigned to new users during the provisioning process that is controlled by the workflow of the User request workflow (platform) type. For more information, see the Set up workflows to process vendor collaboration user requests section later in this topic.
For information about how to onboard prospective vendors, see Vendor onboarding.
Set up a security role that is used when a new prospective vendor user request is submitted
- Select System administration > Security > External roles.
- Select New, and then select a security role and the Prospective vendor party role.
You should add the Vendor prospect (external) role that is provided in Finance and Operations.
The security role will grant access only to the new vendor registration wizard.
Set up workflows to process vendor collaboration user requests
To help guarantee that all the relevant tasks are completed, and that the appropriate approvals are given, you must set up workflows to handle vendor collaboration user requests.
Vendor collaboration user requests are submitted either by external vendors that have the Vendor admin (external) security role or similar permissions, or by procurement professionals in your company. They can also be generated from prospective vendor registration requests during the vendor onboarding process.
There are three types of requests:
- Requests to provision a new user
- Requests to inactivate an existing user
- Requests to modify the security roles of an existing user
For more information about vendor collaboration user requests, see Manage vendor collaboration users.
You must create two or more workflows to process all three types of vendor collaboration user requests. New workflows are created on the User workflows page.
Example of a workflow for provisioning new users and modifying security roles
To handle vendor user requests to create new users and modify security roles, you can put a branching condition at the beginning of the workflow. In this way, a different branch of the workflow is used, depending on whether the request is to create a new user or modify an existing user.
To set up this branching, create a new workflow of the User Request Workflow (Platform) type. The branches of this workflow might contain the following elements.
Branch to provision new users
- Assign an approval task to the person who is responsible for approving that new users should be granted access to vendor collaboration information.
- Assign a task to the person who is responsible for requesting new Microsoft Azure Active Directory (Azure AD) user accounts in Azure portal. Use the predefined Send Azure B2B user invitation task for this step. In Microsoft Dynamics 365 for Finance and Operations, Enterprise edition 7.3, B2B users can be automatically exported to Azure AD. For more information, see Export B2B users to Azure AD.
- Assign an approval task to the person who uploads to Azure. If an account isn't successfully created, this person rejects the task and ends the workflow. This approval task can be skipped if you've included the step that automatically exports new user accounts to Azure via the B2B application programming interface (API).
- Add an automated task that provisions a new user in Finance and Operations. Use the predefined Automated provision user task for this step.
Add a task that notifies the new user. You might want to send the new user a welcome email that includes a URL for Finance and Operations. This email can use a template that you create on the Email messages page and then select on the User workflow parameters page. The template can include the %portal URL% tag. When the welcome email is generated, this tag which will be replaced by the URL of the Finance and Operations tenant.
This workflow can be used in multiple scenarios that involve user onboarding. For example, it can be used when prospective vendors or contact persons require a vendor collaboration account. Therefore, you should phrase the email as a general statement that can be used for multiple purposes.
Branch to modify security roles
- Assign an approval task to the person who is responsible for approving changes to security roles.
- Add an automated task that adds or removes the relevant security roles. Use the Automated provision user task for this step.
Example of a workflow for inactivating a user
Create a workflow of the Inactivate user request workflow platform type, and then add the following tasks.
- Assign an approval task to the person who is responsible for accepting requests to inactivate users. You can add conditions to automate this approval step.
- Add an automated task that inactivates the user. Use the Automated user inactivation task for this step.
- Add any clean-up tasks that are required. For example, you can add a task that removes the account from your directory in Azure portal.
Enable vendor collaboration for a specific vendor
Before you create a user account for someone who will use vendor collaboration, you must set up the vendor so that it can use vendor collaboration. On the Vendors page, on the General tab, set the Collaboration activation field. The following options are available:
- Active (PO is auto-confirmed) – Purchase orders are automatically confirmed if the vendor accepts them without requesting changes.
- Active (PO is not auto-confirmed) – Your organization must manually confirm purchase orders after the vendor has accepted them.
Procurement professionals in your company can also complete this task.
Troubleshoot the provisioning of new vendor collaboration users
New vendor collaboration users are provisioned via the workflow that you set up to process vendor collaboration user requests of the Provision vendor user type.
If the email address of a new vendor collaboration user belongs to a domain that is registered with Azure as a tenant (that is, if it's a managed domain account), the email address must be an existing Azure AD account. Otherwise, the provisioning process can't be completed.
For more information about the process that is used in the Send Azure B2B user invitation task in the workflow for Azure AD account management, see Azure Active Directory B2B collaboration.