9 common errors to avoid while implementing security in Microsoft Dynamics 365 Finance and Operations

This blog post was authored by Madison Hafley - Consultant, Business Platform Transformation on Protiviti's technology insights blog.

Microsoft Dynamics 365 Finance and Operations (D365FO) is a comprehensive ERP solution that empowers businesses to optimise financial management and operational efficiency. With its integrated approach, powerful analytics, scalability and continuous innovation, it is a valuable asset for organisations striving to navigate today’s dynamic business landscape successfully. Many organisations will require custom security design to meet their compliance and segregation of duties requirements. Prior to implementing D365FO, organisations should understand these nine common mistakes and how to avoid them to optimise the experience and reduce security risks.

1. No management buy-in

To have a successful security project, management buy-in is essential. Without their support, obstacles that arise will be more challenging to solve since security can often be pushed to the sidelines.

2. Not involving the critical three

The critical three are business users, compliance and IT. Without involving all three user groups, businesses will have a tough time communicating what they need, understanding what security risks are involved and how to approach the problem. Communication between these teams is vital and will allow for a successful security implementation.

3. Using a ruleset not tailored to the business

Segregation of duties (SoD) reporting tools that come with standard rulesets can provide a high-level overview for understanding what risks are involved within security roles. However, it is important to keep in mind that each business is different, and customisations will be needed.

4. Relying on security by obscurity

A common mindset among businesses is that if they don’t know about the risk, then it’s not causing an issue. However, this mindset can lead to a trickle-down effect. Most SoD violations occur unintentionally, and the best way to prevent them is to remove the access altogether.

5. Assuming out-of-box roles are compliant

D365FO has out-of-the-box roles that can provide a foundation for building out security. However, using out-of-the-box security can be harmful to the business since the standard roles provide excessive access, leading to SoD violations.

We recommend developing new security roles that are broken into business tasks rather than using the out-of-the-box roles that D365FO offers.

6. Over-assignment of system administrator

The system administrator role in D365FO tends to be over-assigned to users. This can happen when the business is unable to determine the correct security access or when a user is unable to perform what they need to in a timely manner without this access. This creates risk because the system administrator role has access to everything and will not show up in SoD reporting.

To reduce this risk, we recommend the system administrator role be restricted to the fewest number of users possible. If a user needs elevated access, then we recommend granting access through a test environment. To monitor users who have system administrator access, we recommend the business set up a recurring cadence to review users who have this access. Additionally, there are tools (like Fastpath) that can be set up to do certain types of monitoring of system administrators.

7. Retaining old access as users change job responsibilities

Most high-conflict users will have access to several job responsibilities within different process areas. Removing old access right away is critical to reduce security risk. Additionally, businesses should avoid copying access from other users since it can lead to a snowball effect. Rather than copying access from other users, assign the least amount of access required for a user to perform their day-to-day operations.

8. Forgetting about the process backbone

Security governance processes are important to support a secure and compliant environment. These reviews should involve IT, business leaders and, as needed, compliance. Perform the following checks on a consistent basis to regulate risks and reduce pain points for the future:

- Before assigning new user access, check for SoD risks to manage the risk beforehand.
- Perform user access reviews regularly to catch inappropriate access.
- Ensure that the business and IT are comfortable with role changes as they occur.
- Perform regular user SoD reviews to see if access can be removed or remediated.
- Perform a SoD ruleset review regularly to ensure the risks remain relevant or to catch missing risks from new functionality that has been added.

9. Starting security discussions at the wrong time

Whether D365FO implementation is complete or still in progress, timing is everything. The sooner organisations start, the better. However, starting too early can mean role owners may not be able to make informed decisions. When implementing D365FO, many businesses will focus on security after the conference room pilot (CRP) sessions and before user acceptance testing (UAT). Leveraging the UAT date allows businesses to work backward to create an appropriate security timeline.

Implementing Microsoft Dynamics 365 Finance and Operations is a significant undertaking, but avoiding these key mistakes when implementing access and user security can significantly increase the likelihood of a successful and smooth implementation. By carefully planning, gaining management buy-in, focusing on security, and providing adequate support and change management, organisations can harness the full potential of D365FO to drive efficiency and growth.

To help clients begin their journey towards robust, compliance-oriented security, Protiviti has developed Microsoft Dynamics 365 Finance and Supply Chain Security Role templates.
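
The pre-assignment SoD check from mistake 8 and the separate system administrator review from mistake 6, as an added Python example that is not from the original post or from Protiviti. Every role name except "System administrator", every duty name and the two-rule ruleset are constructed placeholders; a real ruleset would be tailored to the business.

```python
# Constructed sample data: placeholder names, not objects from a real D365FO environment.
SYSADMIN = "System administrator"  # the role named in the article

# Hypothetical task-based custom roles and the duties each one grants.
ROLE_DUTIES = {
    "AP vendor maintenance": {"maintain_vendor_master"},
    "AP invoice entry": {"enter_vendor_invoice"},
    "AP payment processing": {"approve_vendor_payment"},
    "GL journal entry": {"post_general_journal"},
}

# Hypothetical tailored SoD ruleset: duty pairs one user must not hold together.
SOD_RULES = {
    frozenset({"maintain_vendor_master", "approve_vendor_payment"}): "Create vendor and pay it",
    frozenset({"enter_vendor_invoice", "approve_vendor_payment"}): "Enter invoice and pay it",
}

def duties_for(roles):
    """Union of duties granted by a set of roles (roles not in the map grant none)."""
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))

def sod_conflicts(roles):
    """Sorted risk names triggered by holding all of `roles` at once."""
    held = duties_for(roles)
    return sorted(risk for pair, risk in SOD_RULES.items() if pair <= held)

def check_assignment(current_roles, requested_role):
    """Pre-assignment check: risks the requested role would newly introduce."""
    before = set(sod_conflicts(current_roles))
    after = set(sod_conflicts(set(current_roles) | {requested_role}))
    return sorted(after - before)

def access_review(user_roles):
    """Periodic review: per-user SoD conflicts, plus System administrator holders,
    listed separately because a duty-pair ruleset reports nothing for that role."""
    conflicts = {}
    for user, roles in user_roles.items():
        found = sod_conflicts(roles)
        if found:
            conflicts[user] = found
    admins = sorted(u for u, r in user_roles.items() if SYSADMIN in r)
    return conflicts, admins

USERS = {  # constructed users and assignments
    "alice": {"AP vendor maintenance", "AP invoice entry"},
    "bob": {"AP invoice entry", "AP payment processing"},
    "carol": {SYSADMIN},
}
```

Calling `check_assignment` before a role change shows which risks the change would add, and `access_review(USERS)` returns the admin list alongside the conflicts so that both feed the same recurring review.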