Dynamics 365 BC access reviews: where the governance gap shows up

TL;DR: User access reviews in Microsoft Dynamics 365 Business Central often fail when teams rely on spreadsheets, low-context reviewers, and infrequent certification cycles, leaving overprovisioned financial access, hidden indirect entitlements, and SoD conflicts untouched, according to Delinea. The governance issue is not review volume alone, but whether access reviews can actually expose what users can do with business-critical permissions.

NHIMG editorial — based on content published by Delinea: User access reviews for Microsoft Dynamics 365 BC, lightweight strategies that work

By the numbers:

• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• Only 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: How should security teams run access reviews for ERP systems like Dynamics 365 BC?

A: They should start with the highest-risk entitlements, use reviewers who understand business process, and validate effective access rather than relying on role names.

Q: Why do manual access certification campaigns fail in business applications?

A: Manual campaigns fail because spreadsheets and email reminders do not give reviewers enough context to judge effective access.

Q: What breaks when indirect permissions are ignored in ERP reviews?

A: The review stops reflecting actual privilege.

Practitioner guidance

• Prioritise high-risk ERP roles first Start with financial posting rights, vendor master access, approval roles, and any account with a Super-style entitlement.
• Review effective access, not role labels Use permission set recording and indirect access analysis to see what a user can actually do, including permissions inherited through groups or excluded from composite roles.
• Replace spreadsheet campaigns with workflow routing Route reviews to the right business owner, send automated reminders, and escalate overdue decisions so certification is accountable instead of purely administrative.

What's in the full article

Delinea's full article covers the operational detail this post intentionally leaves for the source:

• A practical walkthrough for reviewing Dynamics 365 Business Central permissions that involve indirect access and excluded permissions
• Examples of high-risk ERP roles that should be prioritised first in a certification cycle
• Workflow considerations for replacing spreadsheet-based review tracking with automated routing and escalation
• Guidance on using native D365BC security features such as Permission Set Recording and Indirect Access Analysis

👉 Read Delinea’s guidance on lightweight user access reviews for Dynamics 365 BC →

Dynamics 365 BC access reviews: where the governance gap shows up?

Explore further

View Full Forum →  |  NHI Foundation Course →