Increase Security with Privileged Identity Management - A must for Business Central Partners

In the world of Microsoft Dynamics 365 Business Central, securing and managing access has always been a challenge, both for customers and for the consultants of their Business Central partner. From the days of NAV to the present with Business Central on-premises, things like IP allow-lists, a different VPN client per customer, single shared user accounts (which inevitably led to password sharing) and the absence of multi-factor authentication were, well, quite annoying.

While many of these issues have been addressed with the release of Business Central online, Business Central partners can further improve their data protection efforts.

And to be clear, this article is not about permission sets, profiles, the security group you can set per Business Central environment or licenses. This article is about hardening the access you have as a Business Central partner to the Business Central environments of your customers. The solution I would like to talk about to achieve this is Privileged Identity Management.

Privileged Identity Management (PIM)

Privileged Identity Management, or PIM, is a feature of Microsoft Entra designed to provide comprehensive control over and monitoring of access to crucial resources within your organization. PIM's primary goal is to mitigate the risks associated with excessive, unnecessary, or misused access permissions on resources that are vital to your organization's operations. This feature extends its protective measures to various resources, including Entra ID roles, Azure resources, and more. In this post, my focus is primarily on securing access to your customers' Business Central environments.

Some of the key features of PIM are:

  • Just-in-time access: only get access to certain permissions when you need them
  • Time-bound access: permissions are only valid for a certain amount of time and revoked automatically
  • Approval flows: an approver can be configured before users gain access
  • Multi-factor Authentication/Compliant devices: MFA can be required on activation, and a device-compliance requirement can be enforced by attaching a Conditional Access authentication context to the activation
  • Justification: providing a reason is required before gaining access
  • Role activation notifications: Certain users get notified upon activation
  • Auditing: compliance administrators can review access requests

PIM overview

What does it cost?

Unfortunately, PIM is not a free feature of Entra ID. The functionality comes with Entra ID P2, which is about $9 per user per month and is needed for the users who are made eligible (and for approvers), not for the whole tenant. If you have a Microsoft 365 E5 enterprise subscription, it is already included.

Let's talk about GDAP

Business Central partners access their customers' environments through a mechanism known as Granular Delegated Admin Privileges (GDAP). GDAP allows the end customer to grant the partner specific Entra roles in their Microsoft 365 tenant, typically the "Dynamics 365 administrator" role, which gives access to both the Business Central environment and the admin center. A more narrowly scoped option is the "Dynamics 365 Business Central Administrator" role, which covers Business Central only and not the rest of the Dynamics 365 stack.

Access is initiated through the Microsoft Partner Center by sending an "Admin Relationship" invitation link to the customer's administrator, as illustrated below. This invitation is valid for a maximum of 730 days, and it defines the Entra Roles to be assigned.

Admin Relationship request between customer and partner

Once accepted, the admin relationship becomes active. The final step is to assign an Entra ID Security Group to this relationship. This step enables members of a specified group to seamlessly utilize this admin relationship and gain access to the customer's Business Central environment.

Active Admin Relationship between customer and partner

Lack of "zero trust" in the scenario above

While this approach works, it lacks a "zero trust" perspective: members of the "ERP Partner" group have standing access to the customer's environment at all times, even when they do not need it. What if a user's credentials get compromised? How do we ensure that access only occurs from Microsoft Intune-compliant computers? What if certain users, like interns, need to request approval and provide a justification before accessing a customer's Business Central environment? This is where PIM can help improve the process.

How do I set PIM up?

To implement PIM for an Entra ID security group, follow these steps:

  • Go to entra.microsoft.com
  • Navigate to "Identity Governance" and select "Privileged Identity Management."
  • Search for and click on "Manage," then "Groups."
  • If your desired security group is not listed, click "Discover groups" to onboard new groups

PIM Groups in the Entra admin center

  • Click on the group you've created for use with GDAP, such as "ERP Partner"
  • On the left, you'll find categories like tasks, manage, and activity. Start by configuring settings.
  • Under settings, choose between member and owner settings. Since a member has sufficient permissions for GDAP access, select "member"
  • In the settings blade, define parameters tailored to your organization's needs, including duration, requirements, justification, and approvals. Adjust these settings as needed and save your configuration.

PIM Settings in the Entra admin center

  • Return to the group in PIM and select "Assignments"
  • Define the users eligible for elevation to become members of the group. For instance, you can add users like Alex Wilber to the group.

PIM Assignments in the Entra admin center

From the user's perspective, they activate their eligible group membership from the same PIM menu ("My roles", then "Groups"). Once activated, the user can access the same resources as they would with permanent membership of the Entra ID security group. But now:

  1. It is time-based, so access is limited
  2. The user has confirmed their identity with MFA
  3. A reason is given for auditing
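The portal steps above (settings, assignments) and the user's activation can also be scripted against Microsoft Graph. The following is an added example for this article, not the author's own code: it uses the Microsoft.Graph PowerShell SDK's Invoke-MgGraphRequest with the PIM for Groups endpoints. The group name "ERP Partner", the user principal name, the durations and the justification texts are assumptions to be replaced with your own values.

```powershell
# Added example (not from the original article): configure PIM for the GDAP
# security group, make a consultant eligible, and self-activate membership.
# Assumed values: group display name, user UPN, durations, justification text.
Connect-MgGraph -Scopes @(
    'Group.Read.All',
    'User.Read.All',
    'RoleManagementPolicy.ReadWrite.AzureADGroup',
    'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup',
    'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup'
)

$groupName    = 'ERP Partner'                       # assumed: group assigned to the GDAP relationship
$eligibleUser = 'AlexW@contoso.onmicrosoft.com'     # assumed: UPN of the consultant

$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
$user  = Get-MgUser -UserId $eligibleUser

# 1. Settings: locate the PIM policy that governs *member* assignments of this group.
#    If nothing comes back, onboard the group first (PIM > Groups > Discover groups).
$policyAssignment = (Invoke-MgGraphRequest -Method GET -Uri (
    'https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments' +
    "?`$filter=scopeId eq '$($group.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
)).value | Select-Object -First 1
$policyId = $policyAssignment.policyId
$target   = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'
               inheritableSettings = @(); enforcedSettings = @() }

# Time-bound access: an activation lasts at most 8 hours and is revoked automatically.
$expirationRule = @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    id                   = 'Expiration_EndUser_Assignment'
    isExpirationRequired = $true
    maximumDuration      = 'PT8H'
    target               = $target
}
Invoke-MgGraphRequest -Method PATCH -Body $expirationRule -Uri `
    "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/$policyId/rules/Expiration_EndUser_Assignment"

# Requirements: MFA and a justification on every activation.
$enablementRule = @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    id            = 'Enablement_EndUser_Assignment'
    enabledRules  = @('MultiFactorAuthentication', 'Justification')
    target        = $target
}
Invoke-MgGraphRequest -Method PATCH -Body $enablementRule -Uri `
    "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/$policyId/rules/Enablement_EndUser_Assignment"

# 2. Assignments: make the consultant *eligible* for one year (no standing membership).
$eligibility = @{
    accessId      = 'member'
    principalId   = $user.Id
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'GDAP access to customer Business Central environments'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }
    }
}
Invoke-MgGraphRequest -Method POST -Body $eligibility -Uri `
    'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests'

# 3. Activation, run by the consultant in their own session: 4 hours, with the
#    justification that ends up in the PIM audit log. MFA is enforced by the policy.
$activation = @{
    accessId      = 'member'
    principalId   = $user.Id
    groupId       = $group.Id
    action        = 'selfActivate'
    justification = 'Ticket 4711: month-end close support for Customer X'   # assumed text
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT4H' }
    }
}
Invoke-MgGraphRequest -Method POST -Body $activation -Uri `
    'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests'
```

Steps 1 and 2 need an administrator of the partner tenant; step 3 is what the consultant runs (or clicks through in the portal) each time they need a customer environment, and the resulting group membership disappears on its own when the 4 hours are up. Approval flows and the Conditional Access authentication context are further rules on the same policy, not covered here.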

And that's it! You've successfully implemented a strong way to protect your Business Central customers using Microsoft's security toolkit. However, you shouldn't stop here. The same technology can protect much more. Take a look at your internal permissions, for example. Who holds the Global Administrator role, and is it really necessary? Can you narrow down access to critical Azure resources? The possibilities are endless. Hopefully this post inspires you to look further.

More information on PIM: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/


Christian Bach Petersen

Senior Solution Architect @ Evidi Denmark A/S - (Microsoft Certified Professional)

1 year ago

Great article Kevin Rosendaal. I can add:
  - Prompting the user for a reason/justification when activating the PIM session can be excluded. It is quite annoying writing "accessing customer application" on a daily basis.
  - From the BC 2023 wave we can use the new MSFT Entra role "Dynamics 365 Business Central Administrator" to only assign access to the BC platform and not the entire D365 application stack.
