
Microsoft Dynamics 365 Finance and Operations Connector Guide

Understanding the Integration between EIC and Dynamics 365

You must create an integration between EIC and the collaboration platform hosted by the target application to perform the import, provisioning, and deprovisioning tasks. The following components are involved in the integration:

Connected Application is the target application for which EIC manages the identity repository.

Security System represents the connection between EIC and the target application.

  • It comprises an endpoint, which is the target application for which EIC manages the identity repository.

  • It provides application instance abstraction from connectivity including high-level metadata.

You can select one connection for importing data from the target application and another connection for provisioning data to the target application. For more information about creating a security system, see Creating A Security System in the Enterprise Identity Cloud Administration Guide.

Endpoint is an instance of an application within the context of a security system.

  • It is the target application or application from where the connector imports the data and performs provisioning or deprovisioning of identity objects such as users, accounts, and entitlements.

  • It is mandatory to create an endpoint after creating the security system.

You can associate a single security system with multiple endpoints if the deployment involves modelling of multiple isolated virtual applications (based on sets of specific entitlements according to certain categories) within a single application instance. For more information, see Creating Endpoints in the Enterprise Identity Cloud Administration Guide.

Connector is a software component that enables communication between EIC and the target application through the Open Data Protocol (OData). 

It provides a simplified integration mechanism where you only need to create a connection with minimal connectivity information for your target application. For example, to create a connection, select the D365 connection type for importing data, the REST_Dynamics365 (REST) connection type for performing provisioning and de-provisioning tasks, and specify Base URL, Tenant ID, Login URL, Client ID, and Client Secret to connect it.

Connector Architecture

The connector integrates with Dynamics 365 via the OData Protocol. The following diagram illustrates the connector architecture and communication with the target application. 

  1. EIC connects with Azure AD using the Dynamics 365 connector and requests an access token.

  2. Azure AD provides the access token to EIC via the Dynamics 365 connector.

  3. The connector uses the access token to authenticate to the Dynamics 365 F&O application (OData request).

  4. Data from the Dynamics 365 F&O application (OData response) is returned to EIC. For more details about OAuth 2.0 on the Microsoft identity platform, see the Microsoft documentation web site.

  5. User accounts and access information are imported from the Dynamics 365 F&O application to EIC.

  6. (Optional) Account management operation (provisioning) is performed from EIC to the Dynamics 365 F&O application.

Data Model

The following table provides details about the mapping of data-types and objects between the Dynamics 365 F&O application and EIC.

| Saviynt Object | Dynamics 365 F&O Object |
| --- | --- |
| User | Workers (Employees and Contractors) |
| Accounts | SystemUsers |
| Entitlement | Roles, Duties, Privileges, Organizations, and Permissions |

Terms Used in this Document

The following terms are used in this document:

| Term | Description |
| --- | --- |
| User | Workers/employees/contractors objects in the Dynamics 365 F&O environment. |
| Role | Group of duties required for a job function. |
| Privilege | Access required to do a job. |
| Duty | Group of related privileges required for a job function. |
| Permission | Group of base objects and required permissions. |

Configuring a Connection

You must perform the following tasks in sequence to integrate EIC with the target application:

  1. Register the Dynamics 365 F&O connector application in the Azure environment

  2. Create a connection

    1. Define the connection and reconciliation properties.

    2. Create a security system.

    3. Create an endpoint for the security system.

  3. Import users, accounts, and other objects

    1. Run the User Import job to import users.

    2. Run the Data Import job to import accounts.

    3. Run the Data Import job to import access-related objects.

  4. (Optional) Provision/de-provision accounts and entitlements to users

    1. Create a request.

    2. Approve the request.

    3. Run the provisioning job.

Registering the Connector in the Azure Environment

You must register the Dynamics 365 F&O connector as a client application in the Azure environment to obtain the client ID and client secret for authenticating to the Dynamics 365 F&O application. Perform the following steps to register an application and provide the required permissions in the Azure Portal:

  1. Log in to the Azure Portal (https://portal.azure.com/) with Azure Admin credentials to access the Azure AD directory associated with the Azure ID tenant.

  2. Click Azure Active Directory > App registrations > New registration to register a new application.

  3. Enter the user-facing display name of the application in the Name field.

  4. Select Accounts in this organizational directory only (your enterprise directory [example: Saviynt.com]) under the Supported account types field.

  5. Click Register to register the new application.

  6. Click View API Permissions to view the configured permissions.

  7. Click Add a permission > APIs my organization uses and select ConnectorFullAccess application API permission. The user must be a global administrator in the Azure ID tenant and have the System administrator role in the Azure Finance and Operations application.

  8. Click Add Permissions to add the selected permission. You can now access the AccessDynamics Connector Service APIs.

  9. Click System administration on the left navigation pane and navigate to Workspaces > Setup > Azure Active Directory applications to view the client IDs of the Azure Active Directory applications that have been added.

  10. Select New to add a new active directory application.

  11. Fill in the following fields for the new record:

    • Enter the application ID that you have registered in Azure AD in the Client ID field.

    • Enter a name for the application in the Name field.

    • Select an appropriate service account user ID in the User ID field. You must provide a dedicated service account that has the correct permissions for the operations that must be performed.

  12. Click Save.

Creating a Connection

You must create two separate connections: one for reconciliation (D365 connection type) and one for provisioning operations. While the connection parameters for authenticating to Azure AD are common to both connections, the provisioning connection (REST_Dynamics365 (REST) connection type) requires additional parameters for REST connectivity to the target application.

Note

The Connection Template displays the connection parameters in two categories: Basic Config and Advanced Config. The Basic Config category displays the minimum set of parameters required to establish a connection. The Advanced Config category displays the advanced parameters. When you define and save the values for the parameters in Basic Config, those values are automatically populated in the Advanced Config page for the parameters where they are referred. To modify any of the values for advanced parameters, click Advanced Config.

To create a connection, perform the following steps:

  1. Log in to EIC.

  2. Click ADMIN > Identity Repository > Connections > Create Connection.

  3. Specify the values for the following fields and click Save & Test Connection. Ensure that all mandatory parameters are specified.

Parameters for Establishing a Connection

The following parameters are required for establishing a connection:

Note

Do not populate parameters that are not listed in the table below.

Parameter Description

Connection Name

Provide a name for the connection.

Connection Description

Provide a description for the connection.

Connection Type

Select a Connection Type based on the operation you want the connector to perform:

  • Select the connection type as D365 for reconciliation operations.

  • Select REST_Dynamics365 (REST) for provisioning and de-provisioning operations.

Base URL

Provide the Base URL for the application. It will differ based on your access URL. For example:

https://acme.cloudax.dynamics.com

TENANT_ID

Provide the tenant ID.

Example: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx

LOGIN_URL

Provide the Microsoft authentication URL.

https://login.microsoftonline.com

CLIENT_ID

Specify the Client ID for authenticating to Azure AD and for generating the access token. The Client ID is generated while creating a new connected app for the connector. For more information, see Registering the Connector in the Azure Environment.

Example: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx

CLIENT_SECRET

Specify the secret of the Client ID for authenticating to Azure AD and for generating the access token. The CLIENT_SECRET is generated while creating a new Connected app for the connector. For more information, see Registering the Connector in the Azure Environment.

Scope

Specify this parameter if you want to invoke Microsoft Graph 2.0 APIs to enforce the least privilege model for the connector on Dynamics 365 Finance and Operations objects.

Syntax: https://<tenant_url>/.default

If you do not specify a value for the parameter, Microsoft Graph 1.0 APIs are used.

Specifying Parameters for Reconciliation Operations

After defining the connection parameters, specify the following parameters for performing reconciliation:

Parameter Description

USER_FILTER

Specify the particular set of users to import. The options are:

  • All: To import all employees and contractors.

  • Employees: To import only employees.

  • Contractors: To import only contractors.

Note
  • Do not change the filter from superset to subset. For example, if you import the users by specifying the All option and then change the option to Employees, the contractors will be deactivated.

  • Username must be unique for importing users.

USER_IMPORT_MAPPING

Specify the mapping of users to import into EIC in the following format:

Note

The DimensionDisplayValue attribute contains information about the Business Unit (OrgUnit) and Cost Center configured in Microsoft Dynamics 365. Before specifying the user import mapping, configure the DimensionDisplayValue format. For more information, see Dynamics 365 Finance and Operations in Integration Prerequisites.

JSON
{
  "DimensionalDisplayValue_Delimiter": "-",
  "city": "AddressCity~#~char",
  "country": "AddressCountryRegionISOCode~#~char",
  "costcenter": "DimensionDisplayValue[2]~#~char",
  "createdate": "OriginalHireDateTime~#~char",
  "displayname": "Name~#~char",
  "email": "PrimaryContactEmail~#~char",
  "employeetype": "WorkerType~#~char",
  "employeeid": "PersonnelNumber~#~char",
  "enddate": "EmploymentEndDate~#~char",
  "firstname": "FirstName~#~char",
  "lastname": "LastName~#~char",
  "locationnumber": "OfficeLocationId~#~char",
  "location": "OfficeLocation~#~char",
  "middlename": "PhoneticMiddleName~#~char",
  "orgunitid": "DimensionDisplayValue[1]~#~char",
  "phonenumber": "PrimaryContactPhone~#~char",
  "preferedFirstName": "KnownAs~#~char",
  "regioncode": "AddressZipCode~#~char",
  "startdate": "EmploymentStartDate~#~char",
  "state": "AddressState~#~char",
  "statuskey": "IsDisabled~#~char",
  "street": "AddressStreet~#~char",
  "termdate": "TerminationDate~#~date",
  "title": "TitleId~#~char",
  "username": "PersonnelNumber~#~char",
  "customproperty1": "NameAlias~#~char",
  "customproperty2": "Gender~#~char",
  "customproperty3": "PersonalSuffix~#~char",
  "customproperty4": "DimensionDisplayValue~#~char",
  "customproperty5": "StartDate~#~date",
  "customproperty6": "EmploymentDetailsExpiration~#~char",
  "customproperty7": "EmploymentLegalEntityId~#~char",
  "customproperty8": "WorkerStatus~#~char",
  "customproperty9": "PrimaryContactPhoneExtension~#~char",
  "customproperty10": "PrimaryContactPhoneIsMobile~#~char",
  "customproperty11": "PrimaryContactPhoneDescription~#~char",
  "customproperty12": "AddressCountryRegionId~#~char",
  "customproperty13": "PrimaryAddressLocation~#~char",
  "customproperty14": "AddressLocationId~#~char",
  "customproperty15": "PrimaryContactEmailDescription~#~char",
  "customproperty16": "NativeLanguageId~#~char",
  "customproperty17": "WorksFromHome~#~char",
  "customproperty18": "PartyNumber~#~char",
  "customproperty19": "PartyType~#~char",
  "customproperty20": "ContractorVendorId~#~char"
}

ACCOUNT_IMPORT_MAPPING

Specify the mapping of accounts to import into EIC in the following format:

JSON
{
"accountID": "UserID~#~char",
"customproperty1": "Alias~#~char",
"customproperty10": "Enabled~#~char",
"customproperty45": "WorkflowLineItemNotificationFormat~#~char",
"customproperty11": "DocumentHandlingActive~#~char",
"customproperty12": "UserInfo_defaultPartition~#~char",
"customproperty13": "GlobalListPageLinkMode~#~char",
"customproperty14": "GlobalExcelExportMode~#~char",
"customproperty15": "ShowAttachmentStatus~#~char",
"customproperty16": "EventPopUpLinkDestination~#~char",
"customproperty17": "NetworkDomain~#~char",
"customproperty18": "Company~#~char",
"customproperty19": "SqmGUID~#~char",
"customproperty2": "Email~#~char",
"customproperty20": "SendNotificationsInEmail~#~char",
"customproperty21": "Density~#~char",
"customproperty22": "DefaultCountryRegion~#~char",
"customproperty23": "SendAlertAsEmailMessage~#~char",
"customproperty24": "SqmEnabled~#~char",
"customproperty25": "GlobalExcelExportFilePath~#~char",
"customproperty26": "Language~#~char",
"customproperty27": "EventPopUpDisplayWhen~#~char",
"customproperty28": "EventPollFrequency~#~char",
"customproperty29": "EventWorkflowShowPopup~#~char",
"customproperty3": "EmailProviderID~#~char",
"customproperty30": "StartPage~#~char",
"customproperty31": "PreferredTimeZone~#~char",
"customproperty32": "HomePageRefreshDuration~#~char",
"customproperty33": "UserInfo_language~#~char",
"customproperty34": "AutoLogOff~#~char",
"customproperty35": "Theme~#~char",
"customproperty36": "MarkEmptyLinks~#~char",
"customproperty37": "Enabled~#~char",
"customproperty38": "ShowNotificationsInTheMicrosoftDynamicsAX7Client~#~char",
"customproperty39": "Helplanguage~#~char",
"customproperty4": "PersonName~#~char",
"customproperty40": "EventPopUps~#~char",
"customproperty41": "PreferredCalendar~#~char",
"customproperty42": "PreferredLocale~#~char",
"customproperty43": "ExternalUser~#~char",
"customproperty44": "AutomaticUrlUpdate~#~char",
"displayName": "UserName~#~char",
"name": "UserName~#~char"
}

ORGANIZATION_FILTER

Specify the filter to use as search criteria for organizations managed by the target application. By default, the connector searches the following organizations: LegalEntities, OperatingUnits, Departments, BusinessUnits, and CostCenters.

STATUS_THRESHOLD_CONFIG

Specify the account attribute mapped with the account status and the values to be considered for imported accounts in the STATUS_THRESHOLD_CONFIG parameter. You can also specify the threshold limit enforced in full account import to prevent bulk update of missing accounts due to API errors, processing errors, or misconfiguration of import parameters such as status or account filters. The status of missing accounts is updated to inactive or deleted (SUSPENDED FROM IMPORT SERVICE) if the count is within the threshold limit. This is not a mandatory parameter.

To define this parameter, use a format similar to the following:

JSON
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty37",
    "activeStatus": [
      "true"
    ],
    "deleteLinks": true,
    "accountThresholdValue": 1000,
    "correlateInactiveAccounts": false,
    "inactivateAccountsNotInFile": false
  }
}

The attributes supported in STATUS_THRESHOLD_CONFIG are described below:

  • statusColumn: Specify the account attribute mapped with the status of the account.

  • activeStatus: Specify all possible values that indicate the active status of the accounts in the target application. All accounts that do not have these status values are marked as inactive.

  • accountThresholdValue: Specify the threshold value that you want the connector to use for inactivating or deleting accounts missing from import. For example, if the threshold limit is set to , and if the number of missing accounts exceeds this value, the connector does not change the status of these accounts. The default value is .

Note

From Release v23.2v5.5 SP3.16, during account import, if the number of missing accounts exceeds the value that you specified in accountThresholdValue, a detailed message is displayed in the Job Details page. The message includes the count of accounts missing from import and the account threshold limit that you configured in accountThresholdValue. For more information, see Video: Improved Status and Threshold Functionality.

Note

If you do not want to perform an account threshold check, specify accountThresholdValue as zero or a negative value, for example or .

  • deleteLinks: Specify or to instruct the connector to remove or retain entitlements associated with accounts missing from import. When set to , entitlements associated with missing accounts are removed. The default value is .

  • inactivateAccountsNotInFile: Specify or to instruct the connector to mark accounts that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set to, accounts that are not imported during import are marked as inactive. The default value is .
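
The following model of the behaviour described above is an added example, not Saviynt or EIC code. It shows how accountThresholdValue keeps a truncated import from suspending accounts in bulk. The function name plan_full_import, the sample accounts and the threshold of 2 are constructed for illustration; treating deleteLinks as independent of inactivateAccountsNotInFile, and as skipped when the threshold blocks the run, is an assumption.

```python
import json

# Constructed configuration in the shape shown above; the threshold is lowered
# to 2 so the small sample below can cross it.
CONFIG = json.loads("""
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty37",
    "activeStatus": ["true"],
    "deleteLinks": true,
    "accountThresholdValue": 2,
    "correlateInactiveAccounts": false,
    "inactivateAccountsNotInFile": true
  }
}
""")


def plan_full_import(config, known_ids, imported):
    """Model a full account import (hypothetical helper, not a connector API).

    known_ids: account IDs already held in the identity repository.
    imported:  {accountID: {attribute: value}} returned by this import run.
    Returns a dict describing what would change; nothing is written anywhere.
    """
    cfg = config["statusAndThresholdConfig"]
    active_values = set(cfg["activeStatus"])
    threshold = cfg["accountThresholdValue"]

    plan = {"active": [], "inactive": [], "missing": [],
            "suspended": [], "links_removed": [], "blocked": False}

    # Accounts present in the import are active only if statusColumn holds one
    # of the activeStatus values; every other value means inactive.
    for account_id in sorted(imported):
        value = imported[account_id].get(cfg["statusColumn"])
        bucket = "active" if value in active_values else "inactive"
        plan[bucket].append(account_id)

    # Accounts the repository knows but this run did not return.
    plan["missing"] = sorted(set(known_ids) - set(imported))

    # Zero or a negative threshold switches the check off.
    if threshold > 0 and len(plan["missing"]) > threshold:
        plan["blocked"] = True  # too many missing: leave them untouched
        return plan

    # Assumption of this model: the two flags act independently.
    if cfg["inactivateAccountsNotInFile"]:
        plan["suspended"] = list(plan["missing"])
    if cfg["deleteLinks"]:
        plan["links_removed"] = list(plan["missing"])
    return plan


# Constructed data: four known accounts; the second run simulates a truncated
# API response that returned a single account.
KNOWN = {"alice", "bob", "carol", "dave"}
NORMAL_RUN = {"alice": {"customproperty37": "true"},
              "bob": {"customproperty37": "false"}}
TRUNCATED_RUN = {"alice": {"customproperty37": "true"}}

if __name__ == "__main__":
    for label, run in (("normal", NORMAL_RUN), ("truncated", TRUNCATED_RUN)):
        print(label, plan_full_import(CONFIG, KNOWN, run))
```
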

Specifying Parameters for Provisioning Operations

After defining the connection parameters, specify the following parameters for performing provisioning and de-provisioning operations via the REST connection:

Parameters Description

CreateAccountJSON

Specify this parameter for creating a new account in EIC by mapping the request action and response for Create Account tasks in the following format:

JSON
{
  "accountIdPath": "call1.message.UserID",
  "responseColsToPropsMap": {
    "displayname": "call1.message.UserID~#~char"
  },
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://acme.cloudax.dynamics.com/Data/SystemUsers",
      "httpMethod": "POST",
      "httpParams": "{\"UserID\":\"${user.username}\",\"NetworkDomain\":\"https://sts.windows.net/acme.onmicrosoft.com\",\"Company\":\"${user.customproperty18}\",\"Alias\":\"${user.customproperty1}\",\"DefaultCountryRegion\":\"${user.customproperty22}\",\"SqmEnabled\":\"${user.customproperty24}\",\"StartPage\":\"${user.customproperty30}\",\"PreferredTimeZone\":\"${user.customproperty31}\",\"HomePageRefreshDuration\":\"${user.customproperty32}\",\"UserInfo_language\":\"${user.customproperty33}\",\"Enabled\":true,\"UserName\":\"${user.username}\",\"AccountType\":\"ClaimsUser\",\"ExternalUser\":false,\"Helplanguage\":\"en-us\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json",
        "OData-Version": "4.0"
      },
      "httpContentType": "application/json"
    }
  ]
}

UpdateAccountJSON

Specify this parameter for updating an existing account in EIC in the following format:

JSON
{
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://acme.cloudax.dynamics.com/Data/SystemUsers(UserID='${account.accountID}')",
      "httpMethod": "PATCH",
      "httpParams": "{\"Alias\":\"${user.email}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json",
        "OData-Version": "4.0"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204
        ]
      }
    }
  ]
}

EnableAccountJSON

Specify this parameter for enabling a disabled account on the target application. The connector uses the values specified for this parameter to check the attributes associated with the disabled account before enabling it.

Specify this parameter in the following format:

JSON
{
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://acme.cloudax.dynamics.com/Data/SystemUsers(UserID='${account.accountID}')",
      "httpMethod": "PATCH",
      "httpParams": "{\"Enabled\":true}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json",
        "OData-Version": "4.0"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204
        ]
      }
    }
  ]
}

DisableAccountJSON

Specify this parameter for disabling an account on the target application and then updating that status in EIC. The connector uses the values specified for this parameter to check the attributes associated with the account before disabling it.
Following is the default format of this parameter:

JSON
{
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://acme.cloudax.dynamics.com/Data/SystemUsers(UserID='${account.accountID}')",
      "httpMethod": "PATCH",
      "httpParams": "{\"Enabled\":false}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json",
        "OData-Version": "4.0"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204
        ]
      }
    }
  ]
}

AddAccessJSON

Specify this parameter to add access to an account in the following format:

JSON
{
  "call": [
    {
      "name": "Roles",
      "connection": "userAuth",
      "url": "https://acme.cloudax.dynamics.com/Data/SecurityUserRoles",
      "httpMethod": "POST",
      "httpParams": "{\"UserId\":\"${account.accountID}\",\"SecurityRoleIdentifier\":\"${entitlementValue.entitlementID}\",\"SecurityRoleName\":\"${entitlementValue.entitlement_value}\",\"AssignmentStatus\": \"Enabled\",\"AssignmentMode\": \"Manual\",\"UserLicenseType\": \"Activity\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json",
        "OData-Version": "4.0"
      },
      "httpContentType": "application/json",
      "unsuccessResponses": { "statusCode": [400, 401] },
      "successResponses": { "statusCode": [200, 201, 204] }
    },
    {
      "name": "Organization",
      "connection": "userAuth",
      "url": "https://acme.cloudax.dynamics.com/Data/SecurityUserRoles",
      "httpMethod": "POST",
      "httpParams": "{\"UserId\":\"${account.accountID}\",\"SecurityRoleIdentifier\":\"${entitlementValue.entitlementID}\",\"SecurityRoleName\":\"${entitlementValue.entitlement_value}\",\"AssignmentStatus\": \"Enabled\",\"AssignmentMode\": \"Manual\",\"UserLicenseType\": \"Activity\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json",
        "OData-Version": "4.0"
      },
      "httpContentType": "application/json",
      "unsuccessResponses": { "statusCode": [400, 401] },
      "successResponses": { "statusCode": [200, 201, 204] }
    }
  ]
}

RemoveAccessJSON

Specify this parameter if you want to remove access to an account in the following format:

JSON
{
  "call": [
    {
      "name": "Roles",
      "connection": "userAuth",
      "url": "https://acme.cloudax.dynamics.com/Data/SecurityUserRoles(UserId='${account.accountID}',SecurityRoleIdentifier='${entitlementValue.entitlementID}')",
      "httpMethod": "DELETE",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json",
        "OData-Version": "4.0"
      },
      "httpContentType": "application/json",
      "unsuccessResponses": { "statusCode": [400, 401] },
      "successResponses": { "statusCode": [200, 201, 204] }
    }
  ]
}

RemoveAccountJSON

Specify this parameter if you want to remove the account in the following format:

JSON
{
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://acme.cloudax.dynamics.com/Data/SystemUsers(UserID='${account.accountID}')",
      "httpMethod": "DELETE",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json",
        "OData-Version": "4.0"
      },
      "httpContentType": "application/json",
      "unsuccessResponses": { "statusCode": [400, 401] },
      "successResponses": { "statusCode": [200, 201, 204] }
    }
  ]
}

Note

The connector uses default values for importing users or accounts unless the mapping details to perform a filtered import are specified.
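
A pre-deployment check for the provisioning parameters above, added here as an example (it is not part of the connector or of EIC): it verifies that a parameter value parses, that each call targets the Base URL over https, that the Authorization header is a placeholder rather than a stored credential, and that httpParams is itself valid JSON. The function name lint_provisioning_json, the rules and the sample values are assumptions of this example; placeholders are replaced with 0 only so that the text can be parsed.

```python
import json
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\$\{[^}]+\}")  # e.g. ${account.accountID}


def lint_provisioning_json(text, base_url):
    """Return a list of findings for one provisioning parameter value."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"parameter is not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict) or not isinstance(doc.get("call"), list):
        return ['parameter has no "call" array']

    findings = []
    base_host = urlsplit(base_url).netloc.lower()
    for call in doc["call"]:
        name = call.get("name", "<unnamed>")

        # Placeholders become 0 so quoted and unquoted uses both still parse.
        url = urlsplit(PLACEHOLDER.sub("0", call.get("url", "")))
        if url.scheme != "https":
            findings.append(f"{name}: url must use https")
        if url.netloc.lower() != base_host:
            findings.append(f"{name}: url host differs from Base URL")

        # A literal value here would be a credential stored in the config.
        auth = call.get("httpHeaders", {}).get("Authorization", "")
        if not PLACEHOLDER.search(auth):
            findings.append(f"{name}: Authorization is not a placeholder")

        # httpParams is a JSON document carried inside a JSON string.
        body = call.get("httpParams")
        if body is not None:
            try:
                json.loads(PLACEHOLDER.sub("0", body))
            except json.JSONDecodeError:
                findings.append(f"{name}: httpParams is not valid JSON")

        ok = set(call.get("successResponses", {}).get("statusCode", []))
        bad = set(call.get("unsuccessResponses", {}).get("statusCode", []))
        for code in sorted(ok & bad):
            findings.append(f"{name}: status {code} is both success and failure")
    return findings


BASE_URL = "https://acme.cloudax.dynamics.com"  # Base URL example from this page

# Constructed samples: a well-formed value, one with unescaped inner quotes,
# and one with several mistakes in a single call.
GOOD = r'''{"call":[{"name":"call1","connection":"userAuth",
 "url":"https://acme.cloudax.dynamics.com/Data/SystemUsers(UserID='${account.accountID}')",
 "httpMethod":"PATCH","httpParams":"{\"Enabled\":false}",
 "httpHeaders":{"Authorization":"${access_token}","Accept":"application/json"},
 "successResponses":{"statusCode":[200,201,204]}}]}'''

UNESCAPED = r'''{"call":[{"name":"call1","httpParams":"{"Enabled":false}"}]}'''

BAD_CALL = r'''{"call":[{"name":"call1","connection":"userAuth",
 "url":"http://other.example.net/Data/SystemUsers(UserID='${account.accountID}')",
 "httpMethod":"PATCH","httpParams":"{\"Enabled\":false",
 "httpHeaders":{"Authorization":"Bearer CONSTRUCTED-TOKEN"},
 "successResponses":{"statusCode":[200,401]},
 "unsuccessResponses":{"statusCode":[400,401]}}]}'''

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("unescaped", UNESCAPED), ("bad", BAD_CALL)):
        print(label, lint_provisioning_json(sample, BASE_URL))
```
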

Creating a Security System

For more information about creating a security system, see Creating A Security System in the Enterprise Identity Cloud Administration Guide.

Creating an Endpoint for the Security System

For more information, see Creating Endpoints in the Enterprise Identity Cloud Administration Guide.

Video: Improved Status and Threshold Functionality
