Deploy Microsoft Sentinel solution for Dynamics 365 Finance and Operations

This article describes how to deploy the Microsoft Sentinel solution for Dynamics 365 Finance and Operations. The solution monitors and protects your Dynamics 365 Finance and Operations system: It collects audits and activity logs from the Dynamics 365 Finance and Operations environment, and detects threats, suspicious activities, illegitimate activities, and more. Read more about the solution.

Important

  • The Microsoft Sentinel solution for Dynamics 365 Finance and Operations is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
  • The solution is a premium offering. Pricing information will be available before the solution becomes generally available.

Prerequisites

Before you begin, verify that:

  • The Microsoft Sentinel solution is enabled.
  • You have a defined Microsoft Sentinel workspace and have read and write permissions to the workspace.
  • Microsoft Dynamics 365 Finance version 10.0.33 or above is enabled and you have administrative access to the monitored environments.
  • You can create an Azure Function App with the Microsoft.Web/Sites, Microsoft.Web/ServerFarms, Microsoft.Insights/Components, and Microsoft.Storage/StorageAccounts permissions.
  • You can create Data Collection Rules/Endpoints with the permissions:
    • Microsoft.Insights/DataCollectionEndpoints, and Microsoft.Insights/DataCollectionRules.
    • Assign the Monitoring Metrics Publisher role to the Azure Function.

Collect the environment URL from your Finance and Operations cloud environment

  1. Open your Dynamics 365 project in Microsoft Dynamics Lifecycle Services (LCS) and select the specific Finance and Operations environment you want to monitor with Microsoft Sentinel.

  2. In the Environment version information section, make sure that you're using application release version 10.0.33 or above.

    Screenshot of the Finance and Operations environment version information.

  3. To collect your environment URL, select Log on to environment and save the URL in the browser to use when you deploy the ARM template. For example: https://sentineldevc055b257489f70f5devaos.axcloud.dynamics.com.

    Note

    The URL may look different, depending on the environment you use, for example, you could be using a sandbox, or a cloud hosted environment. Remove any trailing slashes: /.

    Screenshot of the Finance and Operations environment details.

Deploy the solution and enable the data connector

  1. Navigate to the Microsoft Sentinel service.

  2. Select Content hub, and in the search bar, search for Dynamics 365 Finance and Operations.

  3. Select Dynamics 365 Finance and Operations.

  4. Select Install.

    For more information about how to manage the solution components, see Discover and deploy out-of-the-box content.

Deploy the data connector

  1. Once the solution deployment is complete, return to your Sentinel workspace and select Data connectors.

  2. In the search bar, type Dynamics 365 F&O, and select Dynamics 365 F&O (Using Azure Function).

  3. Select Open connector page.

In the connector page, make sure that you meet the required prerequisites and complete the following configuration steps.

Configure the data connector

Note

 This connector uses Azure Functions to connect to Dynamics Finance and Operations to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

Deploy the Azure Resource Manager (ARM) template

  1. Select Deploy to Azure.

  2. Follow the installation wizard to complete deployment. The Finance Operations API Host parameter in the deployment wizard refers to the environment URL collected in this step.

Enable data collection

To enable data collection, you create a new role in Finance and Operations with permissions to view the Database Log entity. The role is then assigned to a dedicated Finance and Operations user, mapped to the Microsoft Entra client ID of the Function App's system assigned managed identity.

To collect the managed identity application ID from Microsoft Entra ID:

  1. Sign in to the Azure portal.
  2. Browse to Microsoft Entra ID > Enterprise applications.
  3. Change the application type filter to Managed Identities.
  4. Search for and open the Function App created in the previous step. Copy the Application ID and save it for later use.

Create a role for data collection in Finance and Operations

  1. In the Finance and Operations portal, navigate to Workspaces > System administration, and select Security Configuration.

  2. Under Roles, select Create new and give the new role a name, for example, Database Log Viewer.

  3. Select the new role from the list of roles, and select Privileges > Add references.

  4. Select Database log Entity View from the list of privileges.

  5. Select Unpublished objects, and select Publish all to publish the role.

Create a user for data collection in Finance and Operations

  1. In the Finance and Operations portal, navigate to Modules > System administration, and select Users.

  2. Create a new user and assign the role you created in the previous step to the user.

Register the managed identity in Finance and Operations

  1. In the Finance and Operations portal, navigate to System administration > Setup > Microsoft Entra ID applications.

  2. Create a new entry in the table:

    • For the Client Id, type the application ID of the managed identity.
    • For the Name, type a name for the application.
    • For the User ID, type the user ID created in the previous step.

Enable auditing on the relevant Dynamics 365 Finance and Operations data tables

Note

Before you enable auditing on Dynamics 365 F&O, review the database logging recommended practices.

The analytics rules provided with this solution monitor and detect threats based on logs generated in the System Database Log.

If you're planning to use the analytics rules provided in this solution, enable auditing for the following tables:

Category Table
System UserInfo
Bank BankAccountTable
Not specified SysAADClientTable

Enable auditing on tables using the Database log setup wizard in the Finance and Operations portal.

  • In the Tables and fields page, you might want to select the Show table names checkbox to make it easier to find your tables.
  • To enable auditing of all fields in the selected tables, in the Types of change page, select all four check boxes for any relevant table names with empty field labels. Sort the table list by the Field label column in ascending order (A-Z).
  • Select Yes for all warning messages.

For more information, see Set up database logging.

Verify that the data connector is ingesting logs to Microsoft Sentinel

To verify that log ingestion is working:

  1. Run activities (create, update, delete) on any of the tables you enabled for monitoring in the previous step.

  2. Wait up to 15 minutes for Microsoft Sentinel to ingest the logs to the logs table in the workspace.

  3. Query the FinanceOperationsActivity_CL table in the Microsoft Sentinel workspace under Logs.

  4. Check that the table shows new logs that reflect the activities you executed in step 1 of this procedure.

    Screenshot of viewing a new Finance and Operations incident in Microsoft Sentinel.

Next steps

In this article, you learned how to deploy the Microsoft Sentinel solution for Dynamics 365 Finance and Operations.