Dynamics365 Finance&Operations connector

General information

The Dynamics365 Finance&Operations connector integrates a Dynamics365 Finance&Operations environment with OpenIAM, allowing you to manage system users and security roles. This is the basic functionality available out of the box; it can be extended to fit your needs.

Out of the box, the Dynamics365 connector can:

  • Retrieve information about system user objects
  • Retrieve information about system roles in Dynamics365 Finance&Operations environment
  • Retrieve information about memberships of system users in system roles
  • Assign/revoke system roles from system users
  • Set and modify basic system user information

Installation and connection to OpenIAM

All PowerShell connectors are installed in the same way, which is described in the document: PowerShell connector installation

The only requirement specific to this connector is the ability to connect to your Dynamics365 Finance&Operations tenant address.

General usage

All PowerShell connectors are used in the same way, which is described in the document: PowerShell connector usage

Configuring managed system

While configuring the managed system, set the following properties:

  • Host URL - should be set to your resource address. It can be similar to https://xxxxx.dynamics.com/
  • Login Id - uses the format client_id@tenant_id, which is used to access your API
  • Password - should be set to the client_secret value.

Configuring policy map

To run provisioning requests against the Dynamics365 F&O API, you need to configure a policy map.

| Attribute | Description | Required |
| UserID | Unique identifier of the system user in Dynamics365 F&O. Keep in mind that when we create a user we can give our own UserID value, so we can track this user in the future. | Yes |
| UserName | Username of this user. | Yes (required for creating user) |
| NetworkDomain | Should uniquely identify the network domain for the user. Can be set like "https://sts.windows.net/". | Yes (required for creating user) |
| Alias | Sets the alias parameter of the system user. Usually it is the same as the user's email address or UPN in Azure. | Yes (required for creating user) |
| UserInfo_language | Info language in culture format like 'en-us'. | Yes (required for creating user) |
| Helplanguage | Help language in culture format like 'en-us'. | Yes (required for creating user) |
| AccountType | Could be either Claims user, Claims Group, AD Group, AD User. By default - 'ClaimsUser'. Claims types are Azure objects, while AD types belong to on-premises Active Directory. | Yes (required for creating user) |
| Company | String that contains company information of the user. | No |
| Email | Email address of the user. | No |
| PersonName | Name of the person, which is usually equal to UserName. | No |
| Enabled | Specifies if the user is enabled (True) or disabled (False). | No |

Add vs Update operations difference

Due to Dynamics365 limitations, not every attribute can be set during an update. Some attributes are only allowed when you add a new user. If an attribute that is not allowed for the update operation is passed, the OpenIAM connector ignores it.

Attributes allowed for ADD operation: 'UserID','Company','Alias','Email','PersonName','Enabled','UserName','NetworkDomain','UserInfo_language','Helplanguage','AccountType'

Attributes allowed for UPDATE operation: 'UserID','Company','Alias','Email','PersonName','Enabled','UserName','UserInfo_language','Helplanguage'
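
Because disallowed attributes are ignored rather than rejected, an update that tries to change NetworkDomain or AccountType does not change them in D365 F&O. The following pre-check is an added example, not part of the connector: the function name Test-D365ProvisioningAttributes and the sample values are hypothetical, while the attribute lists are copied from this page.

```powershell
# Added example, not the connector's own code. Function name is hypothetical.
# Allowed lists come from the "Add vs Update" section, required lists from the policy map table.
$AllowedByOperation = @{
    Add    = 'UserID','Company','Alias','Email','PersonName','Enabled','UserName',
             'NetworkDomain','UserInfo_language','Helplanguage','AccountType'
    Update = 'UserID','Company','Alias','Email','PersonName','Enabled','UserName',
             'UserInfo_language','Helplanguage'
}
$RequiredByOperation = @{
    Add    = 'UserID','UserName','NetworkDomain','Alias','UserInfo_language',
             'Helplanguage','AccountType'
    Update = @('UserID')
}

function Test-D365ProvisioningAttributes {
    param(
        [Parameter(Mandatory)][ValidateSet('Add','Update')][string]$Operation,
        [Parameter(Mandatory)][hashtable]$Attributes
    )
    $allowed = $AllowedByOperation[$Operation]
    $sent    = @{}
    $ignored = @()
    foreach ($name in $Attributes.Keys) {
        # -in compares case-insensitively, matching hashtable key behaviour
        if ($name -in $allowed) { $sent[$name] = $Attributes[$name] }
        else                    { $ignored += $name }
    }
    # Required attributes that are absent or empty in the request
    $missing = @($RequiredByOperation[$Operation] | Where-Object {
        -not $Attributes.ContainsKey($_) -or
        [string]::IsNullOrWhiteSpace([string]$Attributes[$_])
    })
    [pscustomobject]@{
        Operation       = $Operation
        Sent            = $sent      # what would reach the D365 F&O API
        Ignored         = $ignored   # silently dropped for this operation
        MissingRequired = $missing
    }
}

# Constructed sample: an update that also carries add-only attributes.
$update = @{ UserID = 'jdoe'; Email = 'jdoe@example.com'
             AccountType = 'ClaimsUser'; NetworkDomain = 'https://sts.windows.net/' }
$result = Test-D365ProvisioningAttributes -Operation Update -Attributes $update
if ($result.Ignored)         { Write-Warning "Ignored on $($result.Operation): $($result.Ignored -join ', ')" }
if ($result.MissingRequired) { Write-Warning "Missing required: $($result.MissingRequired -join ', ')" }
```

Running the same check with -Operation Add on an incomplete attribute set lists the required attributes that the policy map did not supply.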

Suspend and resume operations

When OpenIAM sends a Suspend operation, the connector modifies the 'Enabled' property of the given user. The Resume operation sets the same property back to the 'True' state.

Deleting users

The Delete operation fully removes the user from the D365 F&O system.


The Dynamics365 F&O connector can synchronize system users, system roles and their memberships. It can synchronize all of them or a single record by a given identifier.

Search query for synchronizing all systemusers:


Search query for synchronizing single systemuser:

Get-SystemUser -Systemuserid 'e5f759c2-cde2-4396-a153-53a53d2cf172'

Search query for synchronizing all roles:


Search query for synchronizing single role:

Get-SecurityRoles -RoleID 'e5f759c2-cde2-4396-a153-53a53d2cf172'

Search query for synchronizing all memberships of the system users towards system roles: