With Windows authentication, you can work with memberships on AD groups. You can define permission sets on these AD groups in NAV/BC. A user account in NAV/BC must exist but doesn't need any permission sets. In AD you can define the membership of this account.
When this NAV/BC user logs in, NAV/BC gets the permission sets of the groups to which this account belongs. No need for individual permission sets on this account.

With ACS authentication, this doesn't work. We tested it with ADFS (on prem) and with an O365 tenant. From ADFS/O365 we allowed sending the groups to which a user belongs, but NAV/BC doesn't use this information about group memberships.

So the functionality between ACS and Windows authentication is not the same. As far as I understand, ACS authentication sends only an email address, and it will be validated. No extra information like membership of groups is communicated between AD and NAV/BC.

This is confirmed by Microsoft.
Category: General
STATUS DETAILS
Declined
Ideas Administrator

Thank you for reaching out. Your suggestion seems to be a duplicate of the following suggestion:  


Please add your valuable votes and comments to the suggestion above instead.

Sincerely,
Business Central Team