Capabilities, limitations of Microsoft's native SoD tool

This blog post was authored by Amy Mickle - Manager, Business Application Solutions on Protiviti's technology insights blog.

Segregation of duties (SoD) is a well-known term among auditors and anyone who has ever been audited. SoD is the principle that no user should have access to two conflicting business functions that together would allow that user to commit fraud or error (e.g., the ability to create a vendor record and then process a payment to that vendor). The idea can be intimidating and overwhelming to those who do not have the proper tools in place to manage SoD risks. However, it is important for all businesses to be able to effectively evaluate, understand and control the potential risks in their environments.

To meet these client challenges, Microsoft Dynamics 365 Finance (D365) has incorporated a native SoD tool that can be leveraged to identify potential SoD risks that exist within the D365 environment. This functionality can be found through the following navigation path: system administration > security > segregation of duties. Setting up the tool can be relatively easy; the high-level steps are outlined below.

How to set up the SoD tool

1. Define the SoD rules that determine what is considered an SoD risk (e.g., maintain vendor master and maintain vendor payments). SoD rules are defined at the duty level: map two duties so that a user does not have access to both.
2. Enter the SoD rule severity, risk description and mitigation (if applicable).
3. To evaluate SoD risks at the role level, click 'validate duties and roles' to check whether existing security roles violate the defined SoD rules.
4. To evaluate SoD risks at the user level, navigate to 'verify compliance of user-role assignments'.

Any organisation that does not have any other support tools may want to leverage this functionality to provide some initial insights.
However, there are limitations to the tool that need to be considered when determining how much reliance can be placed on its insights to support organisational needs and security environments.

Limitations of the SoD tool

- Microsoft does not provide template SoD rules. It is up to the business and information security personnel to define the SoD rules.
- SoD rules are defined at the duty level. However, the lowest level of the security hierarchy is the securable object (role > duty > privilege > securable object). It is recommended to map SoD rules at the securable object level to obtain an accurate SoD evaluation.
- Mapping SoD rules at the duty level does not provide the level of detail required to pinpoint the access that needs to be removed to resolve the SoD risk. At the duty level, it is likely that too much access will be removed as a result.
- Duties can be modified; as a result, if a duty changes, the ruleset also needs to change.
- D365 will report a risk even if the duty does not have any underlying security assigned, i.e., the duty is not actually providing any access in D365.
- Mapping at the duty level will skip over scenarios where privileges are assigned directly to security roles.
- There is an increased level of effort required to maintain the SoD rules when a duty is created or deleted.
- Mitigating controls are a critical element of SoD. D365 does not provide a central repository to store mitigating control data effectively.
- Role SoD risks appear as banner notifications and user SoD risks appear in the action center, which does not allow for easy reporting.

In summary, the D365 SoD tool can be a good starting place, but organisations may need to incorporate other processes and capabilities to effectively manage SoD risks. Tools such as Fastpath provide extensive SoD reporting capabilities and can be customised to fit different businesses' needs. Protiviti has partnered with Fastpath since 2012 and has executed over 100 assessments in Fastpath.
Through this experience, Protiviti has developed D365 leading-practice SoD and sensitive access (SA) risk rulesets with over 250 SoD rules defined that can be customised to fit any business.

To help clients begin their journey towards robust, compliance-oriented security with the aid of security role templates, Protiviti has developed Microsoft Dynamics 365 Finance and Supply Chain Security Role Templates. To learn more about our Microsoft consulting solutions, contact us.
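As an added illustration of the duty-level limitations listed above and of the two checks in the setup steps (this is example code, not Microsoft's or Protiviti's), the following Python models a tiny role > duty > privilege > securable object hierarchy with constructed names and evaluates the same duty-pair rules both the way the native tool does and resolved down to securable objects. It reproduces two of the listed limitations: a duty with no underlying security still triggers a finding, and a privilege assigned directly to a role is missed.

```python
# Constructed toy model of the D365 security hierarchy
# (role > duty > privilege > securable object); all names are illustrative.
PRIVILEGES = {
    "VendTableMaintain": {"VendTable:Create", "VendTable:Update"},
    "VendPaymJournalPost": {"LedgerJournalTable:Post"},
}
DUTIES = {
    "MaintainVendorMaster": {"VendTableMaintain"},
    "MaintainVendorPayments": {"VendPaymJournalPost"},
    "ReviewVendorPayments": set(),  # duty with no privileges behind it
}
# role -> (duties, privileges assigned directly to the role, bypassing duties)
ROLES = {
    "APClerk": ({"MaintainVendorMaster", "MaintainVendorPayments"}, set()),
    "APReviewer": ({"MaintainVendorMaster", "ReviewVendorPayments"}, set()),
    "APSpecialist": ({"MaintainVendorMaster"}, {"VendPaymJournalPost"}),
    "Payer": ({"MaintainVendorPayments"}, set()),
}
USERS = {"alice": {"APReviewer", "Payer"}, "bob": {"Payer"}}
# SoD rules as D365 defines them: pairs of duties that must not be held together
RULES = [("MaintainVendorMaster", "MaintainVendorPayments"),
         ("MaintainVendorMaster", "ReviewVendorPayments")]

def union(sets):
    return set().union(*sets)

def duty_objects(duty):
    """Securable objects a duty actually grants through its privileges."""
    return union(PRIVILEGES[p] for p in DUTIES[duty])

def role_objects(role):
    """Effective securable objects of a role: via its duties plus direct privileges."""
    duties, direct = ROLES[role]
    return union(duty_objects(d) for d in duties) | union(PRIVILEGES[p] for p in direct)

def duty_level(duties):
    """How the native tool evaluates: a rule fires when both duties are present."""
    return [r for r in RULES if r[0] in duties and r[1] in duties]

def object_level(objs):
    """The same rule resolved to securable objects: fires only when the access
    actually reaches objects on both sides of the rule, however it was granted."""
    return [r for r in RULES if objs & duty_objects(r[0]) and objs & duty_objects(r[1])]

def evaluate(roles):
    """Duty-level (native tool) vs object-level findings for the combined access of
    the given roles: one role ('validate duties and roles') or a user's roles."""
    duties = union(ROLES[r][0] for r in roles)
    return duty_level(duties), object_level(union(role_objects(r) for r in roles))
```

evaluate({role}) corresponds to 'validate duties and roles' and evaluate(USERS[user]) to 'verify compliance of user-role assignments'; compare APReviewer (flagged at duty level only, because ReviewVendorPayments grants nothing) with APSpecialist (flagged at object level only, because the payment privilege sits directly on the role).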