Deploy Microsoft Sentinel solution for Dynamics 365 Finance and Operations

This article describes how to deploy the Microsoft Sentinel solution for Dynamics 365 Finance and Operations. The solution monitors and protects your Dynamics 365 Finance and Operations system: It collects audits and activity logs from the Dynamics 365 Finance and Operations environment, and detects threats, suspicious activities, illegitimate activities, and more. Read more about the solution.

Important

• The Microsoft Sentinel solution for Dynamics 365 Finance and Operations is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
• The solution is a premium offering. Pricing information will be available before the solution becomes generally available.

Prerequisites

Before you begin, verify that:

• The Microsoft Sentinel solution is enabled.
• You have a defined Microsoft Sentinel workspace and have read and write permissions to the workspace.
• Microsoft Dynamics 365 Finance version 10.0.33 or above is enabled and you have administrative access to the monitored environments.
• You can create an Azure Function App with the Microsoft.Web/Sites, Microsoft.Web/ServerFarms, Microsoft.Insights/Components, and Microsoft.Storage/StorageAccounts permissions.
• You can create Data Collection Rules/Endpoints with the permissions:
  • Microsoft.Insights/DataCollectionEndpoints, and Microsoft.Insights/DataCollectionRules.
  • Assign the Monitoring Metrics Publisher role to the Azure Function.

Collect the environment URL from your Finance and Operations cloud environment

1. Open your Dynamics 365 project in Microsoft Dynamics Lifecycle Services (LCS) and select the specific Finance and Operations environment you want to monitor with Microsoft Sentinel.

2. In the Environment version information section, make sure that you're using application release version 10.0.33 or above.

   

3. To collect your environment URL, select Log on to environment and save the URL in the browser to use when you deploy the ARM template. For example: https://sentineldevc055b257489f70f5devaos.axcloud.dynamics.com.

   Note

   The URL may look different, depending on the environment you use, for example, you could be using a sandbox, or a cloud hosted environment. Remove any trailing slashes: /.

   

Deploy the solution and enable the data connector

1. Navigate to the Microsoft Sentinel service.

2. Select Content hub, and in the search bar, search for Dynamics 365 Finance and Operations.

3. Select Dynamics 365 Finance and Operations.

4. Select Install.

   For more information about how to manage the solution components, see Discover and deploy out-of-the-box content.

Deploy the data connector

1. Once the solution deployment is complete, return to your Sentinel workspace and select Data connectors.

2. In the search bar, type Dynamics 365 F&O, and select Dynamics 365 F&O (Using Azure Function).

3. Select Open connector page.

In the connector page, make sure that you meet the required prerequisites and complete the following configuration steps.

Configure the data connector

Note

 This connector uses Azure Functions to connect to Dynamics Finance and Operations to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

Deploy the Azure Resource Manager (ARM) template

1. Select Deploy to Azure.

2. Follow the installation wizard to complete deployment. The Finance Operations API Host parameter in the deployment wizard refers to the environment URL collected in this step.

Enable data collection

To enable data collection, you create a new role in Finance and Operations with permissions to view the Database Log entity. The role is then assigned to a dedicated Finance and Operations user, mapped to the Microsoft Entra client ID of the Function App's system assigned managed identity.

To collect the managed identity application ID from Microsoft Entra ID:

1. Sign in to the Azure portal.
2. Browse to Microsoft Entra ID > Enterprise applications.
3. Change the application type filter to Managed Identities.
4. Search for and open the Function App created in the previous step. Copy the Application ID and save it for later use.

Create a role for data collection in Finance and Operations

1. In the Finance and Operations portal, navigate to Workspaces > System administration, and select Security Configuration.

2. Under Roles, select Create new and give the new role a name, for example, Database Log Viewer.

3. Select the new role from the list of roles, and select Privileges > Add references.

4. Select Database log Entity View from the list of privileges.

5. Select Unpublished objects, and select Publish all to publish the role.

Create a user for data collection in Finance and Operations

1. In the Finance and Operations portal, navigate to Modules > System administration, and select Users.

2. Create a new user and assign the role you created in the previous step to the user.

Register the managed identity in Finance and Operations

1. In the Finance and Operations portal, navigate to System administration > Setup > Microsoft Entra ID applications.

2. Create a new entry in the table:

   • For the Client Id, type the application ID of the managed identity.
   • For the Name, type a name for the application.
   • For the User ID, type the user ID created in the previous step.

Enable auditing on the relevant Dynamics 365 Finance and Operations data tables

Note

Before you enable auditing on Dynamics 365 F&O, review the database logging recommended practices.

The analytics rules currently provided with this solution monitor and detect threats based on logs sourced from these tables:

• All tables under System
• The Bank accounts table under Bank

If you're planning to use the analytics rules provided in this solution, enable auditing for the System and Bank accounts tables.

This screenshot shows the System and Bank accounts tables under logging database changes.

To enable auditing on Finance and Operations tables you want to monitor:

1. In the Finance and Operations portal, Select Modules > System Administration > Database log > Database log setup.

2. Select New > Next, and select the tables you want to monitor.

3. Select Next.

4. To enable auditing on all fields of the selected tables, mark all four check marks to the right of the table names with empty field labels. To see the tables with empty field labels at the top, sort the table list by the field table in ascending order (A to Z):

   

5. Select Next and then Finish.

6. Select Yes in all warning messages.

Verify that the data connector is ingesting logs to Microsoft Sentinel

To verify that log ingestion is working:

1. Run activities (create, update, delete) on any of the tables you enabled for monitoring in the previous step.

2. Wait up to 15 minutes for Microsoft Sentinel to ingest the logs to the logs table in the workspace.

3. Query the FinanceOperationsActivity_CL table in the Microsoft Sentinel workspace under Logs.

4. Check that the table shows new logs that reflect the activities you executed in step 1 of this procedure.

   

Next steps

In this article, you learned how to deploy the Microsoft Sentinel solution for Dynamics 365 Finance and Operations.

• Learn how to enable the security content
• Review the solution's security content