9 common errors to avoid while implementing security in Microsoft Dynamics 365 Finance and Operations This blog post was authored by Madison Hafley - Consultant, Business Platform Transformation on Protiviti's technology insights blog.Microsoft Dynamics 365 Finance and Operations (D365FO) is a comprehensive ERP solution that empowers businesses to optimise financial management and operational efficiency. With its integrated approach, powerful analytics, scalability and continuous innovation, it is a valuable asset for organisations striving to navigate today’s dynamic business landscape successfully. Many organisations will require custom security design to meet their compliance and segregation of duties requirements. Prior to implementing D365FO, organisations should understand these nine common mistakes and how to avoid them to optimise the experience and reduce security risks. Topics IT Management, Applications and Transformation Technology Enablement 1. No management buy-inTo have a successful security project, management buy-in is essential. Without their support, obstacles that arise will be more challenging to solve since security can often be pushed to the sidelines.2. Not involving the critical threeThe critical three include: Business users, compliance and IT. Without involving all three user groups, businesses will have a tough time communicating what they need, understanding what security risks are involved and how to approach the problem. Communication between these teams is vital and will allow for a successful security implementation.3. Using a ruleset not tailored to the businessSegregation of duties (SoD) reporting tools that come with standard rulesets can provide a high-level overview for understanding what risks are involved within security roles. However, it is important to keep in mind that each business is different, and customisations will be needed.4. Relying on security by obscurityA common mindset among businesses is if they don’t know about the risk, then it’s not causing an issue. However, this mindset can lead to a trickle-down effect. Most SoD violations occur unintentionally and the best way to prevent them is to remove the access altogether.5. Assuming out-of-box roles are compliantD365FO has out-of-the-box roles that can provide a foundation for building out security. However, using out-of-the-box security can be harmful to the business since the standard roles provide excessive access, leading to SoD violations.We recommend developing new security roles that are broken into business tasks rather than using the out-of-the-box roles that D365FO offers.6. Over-assignment of system administratorThe system administrator role in D365FO tends to be over-assigned to users. This can happen when the business is unable to determine the correct security access or when a user is unable to perform what they need to in a timely manner without this access. This can lead to a risk because the system administrator role has access to everything and will not show up in SoD reporting.To reduce this risk, we recommend the system administrator role be restricted to the fewest number of users possible. If a user needs elevated access, then we recommend granting access through a test environment. To monitor users who have system administrator access, we recommend the business set up a reoccurring cadence to review users who have this access. Additionally, there are tools (like Fastpath) that can be set up to do certain types of monitoring of system administrators.7. Retaining old access as users change job responsibilitiesMost high-conflict users will have access to several job responsibilities within different process areas. Removing old access right away is critical to reduce security risk. Additionally, businesses should avoid copying access from other users since it can lead to a snowball effect. Rather than copying access from other users, assign the least amount of access required for a user to perform their day-to-day operations.8. Forgetting about the process backboneSecurity governance processes are important to support a secure and compliant environment. These reviews should involve IT, business leaders, and as needed compliance. Perform the following checks on a consistent basis to regulate risks and reduce pain points for the future:Before assigning new user access, check for SoD risks to manage the risk beforehand.Perform user access reviews regularly to catch inappropriate access.Ensure that the business and IT are comfortable with role changes as they occur.Perform regular user SoD reviews to see if access can be removed or remediated.Perform a SoD ruleset review regularly to ensure the risks remain relevant or to catch missing risks from new functionality that has been added.9. Starting security discussions at the wrong timeWhether D365FO implementation is complete or still in progress, timing is everything. The sooner organisations start, the better. However, starting too early can mean role owners may not be able to make informed decisions. When implementing D365FO, many businesses will focus on security after the conference room pilot (CRP) sessions and before user acceptance testing (UAT). Leveraging the UAT date allows for businesses to work backward to create an appropriate security timeline.Implementing Microsoft Dynamics 365 Finance and Operations is a significant undertaking, but avoiding these key mistakes when implementing access and user security can significantly increase the likelihood of a successful and smooth implementation. By carefully planning, gaining management buy-in, focusing on security, providing adequate support and change management, organisations can harness the full potential of D365FO to drive efficiency and growth.To help clients begin their journey towards a robust, compliance-oriented security with the aid of the Microsoft Dynamics 365 for Finance and Supply Chain Security role templates, Protiviti has developed Microsoft Dynamics 365 Finance and Supply Chain Security Role templates. Learn more here.To learn more about our Microsoft consulting solutions, contact us. Find out more about our solutions: Cybersecurity Consulting From the speed of innovation, digital transformation, and economic expectations to evolving cyber threats, the talent gap, and a dynamic regulatory landscape, technology leaders are expected to effectively respond to and manage these competing priorities. Microsoft Consulting Solutions Protiviti is a Managed, Microsoft Cloud Solutions Partner with proficiency in all 6 designations: Modern Work, Security, Data and AI, Infrastructure, Digital and Application Innovation and Business Applications. Leadership Michael Pang Michael is a managing director with over 20 years’ experience. He is the IT consulting practice leader for Protiviti Hong Kong and Mainland China. His experience covers cybersecurity, data privacy protection, IT strategy, IT organisation transformation, IT risk, post ... Learn More Alan Wong Alan is a director at Protiviti Hong Kong with over 21 years of experience in IT and security solutions and project management. He specialises in IT governance, risk assessment, regulatory compliance, and cybersecurity assessment and consulting. He also has an extensive ... Learn More Featured insights BLOGS Building a Business Case for Copilot for Microsoft 365 – A Game-Changer for Business Efficiency With the rapid rise in artificial intelligence (AI) tools, companies are updating technologies and processes as quickly as budgets allow. Industries are transforming rapidly as the drivers for economic growth are evolving. BLOGS Improving Financial Services’ Efficiency with Copilot for Microsoft 365 In an era of rapid technological advancement, businesses are increasingly turning to artificial intelligence (AI) to enhance productivity, streamline processes and improve decision-making. One such tool making waves in the financial services sector... BLOGS Unlocking Agile Insights: Building Automated Burndown Charts with Microsoft DevOps Analytics View and Power BI In the fast-paced world of software development, staying ahead of the curve requires more than just coding prowess. Agile methodologies have emerged to provide a structured framework for teams to navigate the ever-changing landscape. BLOGS Building an Accessibility Culture with Copilot for Microsoft 365 Organisations across the U.S. recognise the criticality of accessibility for both consumers and employees. This concern dates to the early 2000s, when several well-known brands were targeted by lawsuits that ultimately changed how e-commerce works.... BLOGS Cloud synergy: Microsoft Azure and its relationship to Microsoft 365 As organisations increasingly embrace cloud-based technologies to enhance productivity and efficiency, understanding the dynamic relationship between Microsoft Azure and Microsoft 365 becomes crucial for maximising their potential. With the power of... BLOGS Microsoft SharePoint Premium simplifies content management and governance Content management involves the creation, organisation, storage and distribution of digital content within an organisation, ranging from documents and images to videos and web pages. One of the biggest problems businesses face with content management... BLOGS Navigating the GenAI course with Microsoft Copilot Generative artificial intelligence (GenAI) is a hot topic these days, and not just in the IT world. The statistics indicate off-the-charts interest in GenAI’s capabilities, with AI spending predicted to more than double to $300 billion by 2026.... BLOGS Azure DevOps: 3 tips to organise work items using standard functionality To effectively manage software development projects, it’s crucial to organise work items efficiently. Proper organisation not only boosts productivity but also enhances collaboration among team members. Microsoft Azure DevOps (ADO) is a powerful... BLOGS Capabilities, limitations of Microsoft’s native SoD tool Segregation of duties (SoD) is a well-known term among auditors and anyone who has ever been audited. SoD is the understanding that no user should have access to two conflicting business functions that would allow a user to commit fraud or error (e.g... BLOGS Creating Read-Only Roles for Microsoft Dynamics 365 Finance and Supply Chain Management This blog post was authored by Sarah Guthrie - Senior Consultant, Enterprise Application Solutions on Protiviti's technology insights blog. In today’s fast-paced business landscape, organisations rely heavily on robust enterprise resource planning... BLOGS Migrating Security from Microsoft Dynamics 365 Finance and Supply Chain Management Microsoft Dynamics 365 Finance and Supply Chain Management (D365 F&SCM) publishes security changes with new code releases. These changes are automatically applied to out-of-the-box security roles, duties and privileges when the code is upgraded... Button Button Featured client stories Discovering Actionable Insights From Customer Feedback With Azure OpenAI Struggling with extracting customer data for product development and quality control? Learn what this leading pet retailer did to integrate advanced analytics and Azure OpenAI to enhance productivity. Global Hospitality Company Achieves Efficiencies with Microsoft and Nintex A global hospitality company needed to transition their highly manual process for RFPs to one that was more automated. The need to update their processes was driven by the changes required to address the Covid-19 pandemic, which created a dynamic... Global Retailer Goes Digital: Revitalising Store Operations and Enhancing Community Commitment Protiviti leveraged Microsoft Power BI to help this client transform its operational analytics. We built a user interface that generates analytics every 15 minutes and is easy to use with little training required. From staffing and sales targets to... Intelligent Document Retrieval System, Powered by Responsible AI, Helps Reduce Air Pollution This company is a leader in the supply of after-sale services to the world’s engine and compressor markets and is trusted by nuclear power plants, the U.S. military and both public and private electricity generators around the globe. With the EPA’s... Global Health Services Company Modernises Data and Applications with Microsoft A global health services company needed to execute on its corporate promise to deliver affordability and convenience to its patients. However, the company discovered that there was a disconnect between that promise and intended delivery. Further... Manufacturer Optimises Supply Chain Analytics With Azure Machine Learning Global Manufacturer optimises supply chain analytics with Microsoft Azure Machine Learning significantly improving its ability to adapt to rapid changes in both processes and cost analyses. Button Button