Microsoft Enhances Security and Restricts Access to D365FO Azure Storage

posted on Posted on by Adria Ariste Santacreu

comments Tags: , , , , ,
tags No comments

Starting with version 10.0.41, Microsoft is introducing managed identity Entra ID authentication to enhance security for accessing internal D365FO Azure storage, replacing the previously used Azure storage account key-based authentication.

Impact on D365FO

  1. Denied access to internal Azure Files within D365FO.
  2. Supported access to internal Azure Blob storage within D365FO.
  3. Denied access to internal Azure storage (both Azure Files and Azure Blob storage) from outside D365FO (e.g., via MS Azure Storage Explorer).

Impact on Docentric Features

  1. NO IMPACT: Docentric report templates stored in internal D365FO Azure Blob storage.
  2. FEATURE DEPRECATION: Saving reports to Azure Blob storage and Azure Files within internal D365FO Azure storage via Docentric File print destination is deprecated.

The changes become effective as of Docentric version 3.4.9.1. Legacy account key based access will gradually be disabled by Microsoft on all environments till mid 2025.

Required Actions

  1. Saving reports to internal Azure Files via Docentric File print destination: This feature is deprecated and no longer supported by Docentric.
    • Reason for Deprecation: Denied access to internal Azure Files within D365FO, as introduced by Microsoft.
    • Action Required: Please transition to saving reports to external Azure Files.
  2. Saving reports to internal Azure Blob storage via Docentric File print destination: This feature is deprecated and no longer officially supported by Docentric but is expected to remain fully functional.
    • Reason for Deprecation: The lack of an appropriate tool for directly exploring or managing files stored in internal D365FO Azure storage may lead to exceeding the default subscription capacity, potentially resulting in unexpected costs.
    • Action Required: Please transition to saving reports to external Azure Blob storage.
  3. Storing Docentric report templates in internal Azure Blob storage: This feature stays fully supported (all CRUD operations), as Docentric report templates consume minimal space.
    • Action Required: None.
Saving reports to internal D365FO Azure Files and Azure Blob storage is supported in Docentric Free Edition. Transitioning to external Azure storage requires a Docentric Full Edition license.

Migration Path

The migration paths described here will work temporarily, until Microsoft completely removes the access to storage accounts using account keys.

Learn more about the storage security updates in Microsoft documentation >>

You can copy the files from the storage account in several ways, and we're going to present two:

If you are unable to retrieve the connection string with an Access Key as described in the next section, contact Microsoft Support to request temporary access for transferring Azure Blobs or Azure Files to your external Azure Storage account.

Map an Azure file share as a network drive

1. Get the connection string of the current D365FO environment

First, you need to obtain the internal storage connection string of the environment. You will need to execute the DocAzureBlobHelper class.

You can do it by navigating to your environment root url followed by /?cmp=DAT&mi=SysClassRunner&cls=DocAzureBlobHelper. For example: https://test-environment.sandbox.operations.eu.dynamics.com /?cmp=DAT&mi=SysClassRunner&cls=DocAzureBlobHelper.

When the class runs, it will output three values; you need to copy the CsuStorageConnectionString one.

This class can run with three additional parameters in the URL:

  • testCapabilities=true: tests the account capabilities. This will try to::
    • Create a new container.
    • Create a new blob.
    • Create a file and upload it to the blob.
    • Create a shareable link.
    • Delete the blob.
    • Delete the container.
  • azureStorageId: it will test the capabilities using the Azure storage Id passed in the parameter.
  • containerName: it will test the capabilities using the container that you pass as a parameter.
    • If the container exists, the process won't delete it at the end of the test capabilities process.
    • If the container doesn't exist, it will delete it at the end of the test.

If you use the testCapabilities parameter, the output of the class will show the outcome of additional tests:

2. Connect to the storage account using Azure Storage Explorer

You can use the connection string to connect to the storage account using Microsoft's Azure Storage Explorer as described in this article.

3. Map existing file share to a network drive

Once you're connected to the storage account in Azure Storage Explorer, you can map the file share that you want to migrate to a network drive in any PC and browse it using the file explorer.

First, in Azure Storage Explorer, select the file share you want to connect to and copy its URL:

Then open file explorer on the PC where you want to map the drive, go to This PC, click the three dots on the top bar, and select Map network drive:

In the wizard, enter the file share URL we copied in the first step into the Folder field without the https:// part.

Then you need to modify it a bit: it must start with two backslashes (\\), and any slashes in the path have to be replaced by backslashes, as the Example field shows. Select the Connect using different credentials option. Finally, click the Finish button:

Now you will see a dialog asking for the credentials. The username is the name of the storage account that you can find in Azure Storage Explorer:

The password is the account key of the storage account. To get it, right click on the storage account name in Azure Storage Explorer, and select the Copy Primary Key option:

Paste it into the credentials window and click OK. Now you will be able to see the file share as a drive on your PC's file explorer:

By doing this you can back up your files and copy them to another storage account if needed.

You can use an external Azure storage account with Docentric File print destination.
Learn how >>

Copy between storage accounts in Azure Storage Explorer

In this section, we will show you how to copy a file share from one Azure storage account to another storage account, but this process also works with blob containers following the same steps.

As a prerequisite, you need to connect to the source and target storage accounts in Azure Storage Explorer.

Go to Azure Storage Explorer and select the source file share that you want to copy. Right-click on it, and select Copy File Share:

Now we need to go to the target storage account, select the File Shares node and right-click on it, then select Paste File Share:

This will create a new file share in the target storage account with the same name as the original one, and the same contents:

See Also

To learn more about the changes that Microsoft is introducing in internal D365FO Azure storage accounts, check out the following readings:

 

«
»

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Docentric respects your privacy. Learn how your comment data is processed >>

Docentric respects your privacy. Learn how your comment data is processed >>