
D365 F&O access governance on 2026-06-02: what is changing?


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 42
Topic starter  

TL;DR: Microsoft Dynamics 365 Finance & Operations governance is moving from documented controls to continuous proof, as organisations face SoD conflicts, over-provisioned users, stale access, and licensing pressure across multi-entity environments, according to Delinea. The practical shift is toward telemetry-backed monitoring that can surface hidden risk before audit findings do.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should teams reduce SoD risk in D365 F&O environments?

A: Start by defining the critical duty combinations that matter to finance and operations, then compare effective permissions against those combinations on a continuous basis.

Q: Why do stale privileged accounts create more risk than their role names suggest?

A: Because the risk is driven by what the account can still do, not by whether anyone remembers assigning it.

Q: How can organisations tell if D365 F&O access governance is actually working?

A: Look for evidence that controls change behaviour.

Practitioner guidance

  • Establish continuous SoD monitoring: Map critical D365 F&O duties, then monitor effective access against those combinations whenever roles, users, or entities change.
  • Use telemetry to validate access decisions: Review login activity, privilege use, and unusual cross-entity behaviour to confirm that access is being used as approved.
  • Fold licence review into entitlement governance: Compare assigned access to actual business need so that unnecessary privilege and licence overspend are resolved together.

The governance pattern is familiar across identity programmes: once business applications carry material risk, audit evidence has to come from operational telemetry, not policy language alone.

👉 Watch Delinea's webinar on D365 F&O access governance and audit readiness →
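
An added example, not part of the original post or of any vendor tooling: a check that flattens role assignments into effective duties, flags users who hold a conflicting duty pair (within one entity or across entities), and lists role holders with no recent sign-in. The role, duty, entity and user names, the sample data and the 90-day idle threshold are constructed assumptions, not real D365 F&O identifiers.

```python
from datetime import date

# Constructed sample data: all names are illustrative, not real D365 F&O identifiers.
ROLE_DUTIES = {
    "AP clerk": {"maintain_vendors", "enter_vendor_invoices"},
    "AP payments": {"approve_vendor_payments"},
    "GL accountant": {"post_journals"},
}
# Critical duty combinations that no single user should hold.
SOD_RULES = [("maintain_vendors", "approve_vendor_payments"),
             ("enter_vendor_invoices", "approve_vendor_payments")]
# (user, entity, role) assignments, and last sign-in per user from telemetry.
ASSIGNMENTS = [("alice", "ENT-A", "AP clerk"), ("alice", "ENT-B", "AP payments"),
               ("bob", "ENT-A", "AP clerk"), ("bob", "ENT-A", "AP payments"),
               ("carol", "ENT-A", "GL accountant")]
LAST_SIGN_IN = {"alice": date(2026, 5, 28), "bob": date(2026, 1, 10),
                "carol": date(2026, 5, 30)}

def effective_duties(assignments, role_duties):
    """Flatten role assignments into {user: {duty: {entities}}}."""
    eff = {}
    for user, entity, role in assignments:
        for duty in role_duties[role]:
            eff.setdefault(user, {}).setdefault(duty, set()).add(entity)
    return eff

def sod_conflicts(assignments, role_duties, rules):
    """Sorted (user, duty_a, duty_b, scope); scope says whether the duties share an entity."""
    findings = []
    for user, duties in effective_duties(assignments, role_duties).items():
        for a, b in rules:
            if a in duties and b in duties:
                scope = "same-entity" if duties[a] & duties[b] else "cross-entity"
                findings.append((user, a, b, scope))
    return sorted(findings)

def stale_users(assignments, last_sign_in, today, max_idle_days=90):
    """Role holders with no sign-in within max_idle_days (assumed threshold), or none at all."""
    stale = set()
    for user in {u for u, _, _ in assignments}:
        seen = last_sign_in.get(user)
        if seen is None or (today - seen).days > max_idle_days:
            stale.add(user)
    return sorted(stale)

if __name__ == "__main__":
    for finding in sod_conflicts(ASSIGNMENTS, ROLE_DUTIES, SOD_RULES):
        print("SoD conflict:", finding)
    print("Stale role holders:", stale_users(ASSIGNMENTS, LAST_SIGN_IN, date(2026, 6, 2)))
```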

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 207
 

Continuous proof is now the core governance requirement for business applications. D365 F&O teams are being asked to show that SoD, privilege, and provisioning controls are effective in operation, not merely defined in policy. That changes the control model from periodic attestation to ongoing evidence gathering, which is closer to how auditors now expect resilient governance to behave. Practitioners should treat every access review as a test of control reality, not a paperwork exercise.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to Oasis Security & ESG.

A question worth separating out:

Q: Who should own access governance when business applications affect audit and licensing?

A: Ownership should be shared, but accountability must be explicit. IAM or security teams usually run the control framework, while finance, application owners, and audit stakeholders validate business need and risk tolerance. Without that split, access decisions drift into either unchecked convenience or disconnected compliance paperwork.

👉 Read our full editorial: D365 F&O access governance needs continuous proof, not paper controls



   