Deployment checklist for Microsoft Sustainability Manager

How have you deployed the Microsoft Sustainability Manager solution?

  • Check the data center regions, countries/regions, and languages that are supported. For the list, go to International availability of Microsoft Sustainability Manager.
  • Ensure that the user doing the deployment has Microsoft Power Platform admin, Dynamics 365 admin, or tenant admin privileges.
  • Create a service account for non-production and production environments to establish connections using a non-interactive account. Change data connections to the service account after deployment. Be sure to train users about the data being created by the service accounts.
  • Ensure that preview features aren't enabled in the production instance.
  • Create and configure sensitivity labels in your tenant and enable them for Teams. For more information, go to Create and configure sensitivity labels and their policies.
  • Use a non-default Power Platform environment. Deploying in a default environment results in reduced functionality and security. For more information about Power Platform environments and best practices, go to Environments overview, Establishing an Environment Strategy for Microsoft Power Platform, and Dynamics 365 Implementation Guide.
  • Allocate enough storage space in Power Platform. Admins can only create new environments if at least 1 GB of database storage capacity is available in the tenant. For more information, go to Changes for exceeding storage capacity entitlements.
  • Deploy Dynamics 365 apps to test, development, and production environments to align with the overall environment strategy recommendations for industry solutions in Power Platform.
  • Make sure no sample data is added to the test and production environments.
  • The Microsoft Sustainability Manager SKU must be provisioned for the tenant and assigned before you do the deployment.
  • For each user in the tenant, you need to deploy the Microsoft Sustainability Manager USL. Perform user and group mapping for the requisite licenses before deploying the solutions to Power Platform.
  • During the environment creation process, be sure to include auditing, DLP policies, and role-based access control so the environments can be used safely.
  • Monitor the deployed solution from Power Platform admin center.
  • Be sure to activate all workflows and actions. Don't leave them in draft mode.
  • Be sure to update firewall rules with the URLs required to access Power Platform.

How have you arranged access to the deployed solution?

  • Avoid assigning licenses to individual users by creating Azure Active Directory (Azure AD) groups that automatically assign users the correct licenses based on their requirements and roles.
  • Organize Azure AD groups to streamline and simplify role-based access control for the environments, according to the functions and requirements of the business units and application teams.
  • Create an Azure AD group for each environment to provide an additional layer of control over access to each Dataverse environment.
  • Use conditional access policies in Azure AD to grant or prevent access to Power Apps and Power Automate based upon user/group, device, and location. Conditional access policies provide another mechanism to help protect a controlled Power Platform environment from unauthorized access.
  • Multifactor authentication provides a second barrier of authentication, which adds another layer of security. We recommend that you enforce multifactor authentication and conditional access policies for all privileged accounts for added security.
  • Plan and implement emergency access (break-glass) accounts to prevent tenant-wide account lockout.
  • Limit high privilege access by using an Azure AD security group with Privileged Identity Management (PIM) for admin access to the environments.

Have you completed the post-deployment steps for Microsoft Sustainability Manager before go-live?

  • Turn on the Enhanced Microsoft Teams Integration option and provide initial consent for Microsoft Teams chats inside Dynamics 365 with global administrator rights.
  • Be sure to acquire and assign other dependent licensing to users based on the dependent licenses associated with the solution. For more information, go to Set up and configure Microsoft Cloud for Sustainability.
  • Be sure to assign appropriate role-based access control to the security group for the dedicated environment for Microsoft Sustainability Manager in Power Platform, ideally as part of the environment creation process.
  • When you add users, be sure to assign them at least the Basic user role. The role assignment is required for data ingestion.
  • Be sure to define the company profile (organization) and business unit hierarchy for security segmentation and reference data before go-live. This reference data includes important information such as fuel types, vehicle types, facilities, spend types, and contractual instrument types. For more information, go to Microsoft Sustainability Manager configuration guide.
  • For data import from OneDrive scenarios, ensure that users have the required Microsoft 365 license and a browser policy that allows all cookies. Without this setting, users might not be able to connect to their OneDrive to ingest files.
  • Be sure the Power Query locale setting aligns with the imported data. If it's not aligned, use one of the following methods to adjust and avoid any issues for data import:
    • Change the locale of the CSV or text file.
    • Define a default locale setting.
    • Use a non-default locale setting on a Change type operation.
    • Change the Power Query project option.
    • Change the operating system regional settings on users' computers.

For more information, go to Set a locale or region for data (Power Query) and Data types in Power Query.

  • Classify all connectors as business, non-business, or blocked and create data loss prevention policies for Microsoft Sustainability Manager connectors.
  • Create a tenant-wide data loss prevention policy that spans all environments to prevent all unsupported non-Microsoft connectors and classify all Microsoft connectors as business data.
  • Configure Azure Synapse Link between Dataverse and Azure Synapse Analytics based on the prerequisites.
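One way to implement the two data loss prevention items above, as an added example that is not part of this checklist or of Microsoft's own documentation: it uses the Microsoft.PowerApps.Administration.PowerShell module to create a tenant-wide policy that blocks every connector not explicitly classified, moves the Microsoft connectors the solution relies on into the business group, and then checks the result. The cmdlet and parameter names, the connector IDs, and the policy display name are assumptions to verify against the installed module version (Get-Help New-DlpPolicy -Full) before use.

```powershell
# Added example, not from the Microsoft Learn checklist. Cmdlet and parameter names are
# taken from the Microsoft.PowerApps.Administration.PowerShell module as understood by
# the author of this example; confirm them against the installed module version.

Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in as a Power Platform admin

$displayName = 'Sustainability Manager tenant-wide DLP'   # placeholder display name

# Weak setting: a policy scoped to one environment whose unclassified connectors
# default to "General" (non-business) leaves other environments and newly published
# connectors open. The commented line shows that shape for comparison:
#   New-DlpPolicy -DisplayName $displayName -EnvironmentType OnlyEnvironments `
#       -Environments $envId -DefaultConnectorsClassification General
#
# Corrected setting: apply to AllEnvironments and default every connector that is
# not explicitly classified to Blocked, so unsupported non-Microsoft connectors are
# denied tenant-wide without anyone having to list them.
New-DlpPolicy -DisplayName $displayName `
              -EnvironmentType AllEnvironments `
              -DefaultConnectorsClassification Blocked | Out-Null

# Helper: fetch one policy by display name. Get-DlpPolicy has returned either a
# plain list or a wrapper with a Value property across module versions (assumption),
# so handle both.
function Get-DlpPolicyByName {
    param([Parameter(Mandatory)] [string] $Name)
    $result = Get-DlpPolicy
    if ($result.PSObject.Properties['Value']) { $result = $result.Value }
    return $result | Where-Object { $_.displayName -eq $Name }
}

$policy = Get-DlpPolicyByName -Name $displayName

# Microsoft first-party connectors the solution depends on go into the business
# ("Confidential") group. Connector IDs below are assumed; extend the list to match
# the connectors your deployment actually uses.
$businessConnectors = @(
    @{ id = '/providers/Microsoft.PowerApps/apis/shared_commondataserviceforapps'; name = 'Microsoft Dataverse';   type = 'Microsoft.PowerApps/apis' },
    @{ id = '/providers/Microsoft.PowerApps/apis/shared_onedriveforbusiness';      name = 'OneDrive for Business'; type = 'Microsoft.PowerApps/apis' }
)

$business = $policy.connectorGroups | Where-Object { $_.classification -eq 'Confidential' }
foreach ($c in $businessConnectors) {
    if (-not ($business.connectors | Where-Object { $_.id -eq $c.id })) {
        $business.connectors += [pscustomobject]$c
    }
}
Set-DlpPolicy -PolicyName $policy.name -UpdatedPolicy $policy | Out-Null

# Post-change check: warn about any connector still allowed in the "General"
# (non-business) group and any connector that appears in more than one group,
# which is the kind of drift a later admin edit tends to introduce.
function Test-DlpPolicyCoverage {
    param([Parameter(Mandatory)] $Policy)
    $general = $Policy.connectorGroups | Where-Object { $_.classification -eq 'General' }
    foreach ($conn in @($general.connectors)) {
        Write-Warning "Non-business connector still allowed: $($conn.name) ($($conn.id))"
    }
    $duplicates = @($Policy.connectorGroups | ForEach-Object { $_.connectors } |
                    Group-Object id | Where-Object { $_.Count -gt 1 })
    foreach ($dup in $duplicates) {
        Write-Warning "Connector classified in more than one group: $($dup.Name)"
    }
    return (@($general.connectors).Count -eq 0 -and $duplicates.Count -eq 0)
}

$verified = Get-DlpPolicyByName -Name $displayName
if (Test-DlpPolicyCoverage -Policy $verified) {
    Write-Host "Tenant-wide DLP policy '$displayName' is in the expected state."
} else {
    Write-Host "Review the warnings above before go-live."
}
```

Run this from a workstation that has the module installed, signed in as a Power Platform admin. The same Test-DlpPolicyCoverage check is worth scheduling after go-live, because the Power Platform admin center lets any admin reclassify a connector and the checklist item is only satisfied while the policy stays in this shape.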

Next steps