Kunal Murarka World Bank Group Solution Architect

Restrict ability to update other's personal settings/option for out of the box roles; In technical terms Basic level of Access for User Setting privilege in Security Role. Currently, option to set "Basic" level of access for "User Setting" privilege in any custom or out of the box Security role is not present. Current options are None, Local(BU level), Deep( Parent Child BU) or Global (Organization). And for most of the out of the security roles default privilege is set to Local(BU level). Local(BU level) access level technically allows an users to change personal options/setting for other users using D365 SDK or community tools. Currently there are no means to block an user to update setting for other users if we would like to keep personal option setting enabled. This is a security issue/gap and here is the abuse case - It is critical to keep Personal Options enabled for other out of the box features and Outlook Email Tracking using server side sync is enabled for user A and User B. In current out of the box behavior (when user setting privilege is set to Local as there is no option for Basic), User A can change the "Email Filtering” settings to "All email messages" for User B who would like to keep the setting as Email messages in response to Dynamics 365 email".

It is a very common scenario for a new D365 user to encounter the D365 out of the box Notification/Error page if CRM license or security role is not assigned. Unlike SharePoint, there is no provision to submit a request/email from that screen so that designated admin for that CRM instance would receive an email to take it up for follow-up. For large enterprise not having this ability translates into lots of internal IT support tickets or increases the IT support call volume. Inclusion of following/at-least one feature/s would be a great value add - a) Ability to submit access request on error screen to trigger an email to designated instance admin b) Ability to customize out of the box Notification/Error page to accept the request form or a place holder to announce a custom message with support email/phone etc. c) Ability to redirect to a custom URL configured by admin Thanks.

This behavior provides ability to system administrator to test & enable and then synchronize any user's (having D365/power app per user license in same tenant) O365 mailbox in to dynamics instance by changing that user's email tracking setting to "All email messages". This is can lead to a major email/data exposure situation within an enterprise where a developer having system admin in Dynamics /CDS can potentially sync anyone's email with few clicks.

The Salesperson role seems to be a license-based role, so it is automatically assigned to users in same tenants with certain licenses. Due to this issue, new licensed user will get access to multiple applications/instances on that tenant without explicit role assignment. Considering OOB Salesperson role is having BU or Org level access in many OOB entities, this can cause sensitive data exposure issue if other applications are using custom role with restricted access control (e.g. basic / user level privilege on OOB entities) and would like to maintain restricted access for limited users. Regards, Kunal Murarka

MFA can be enabled for Dynamics 365 at a service level where it is enabled either for all environment/instances or none. There is no option available to enable MFA for specific D365/CDS instance / Environment. In a situation where most of D365/CDS based application/instances do not require MFA, it becomes challenging to onboard a sensitive application in same tenant that requires MFA for compliance/regulatory requirements. Regards, Kunal Murarka

Virus scanning for documents upload to Notes/blob through Power portals for external users (B2B & B2C) or Internal users (B2E) is very common need. It is very cricial specifically foe B2C / B2B use cases. Not having virus scanning capability in attachments stored in CDS/D365 can be considered as a blocker to leverage CRM Portal / Power portals for external users (B2B & B2C) or Internal users ( B2E). Regards, Kunal Murarka

If we use server-side sync in S/MIME encrypted messages we won't be able to view S/MIME encrypted messages. Having the ability to directly view the encrypted email within Dynamics can server many use cases.

Ability to export Survey definition as managed and un-managed solution will provide seamless Application lifecycle management (ALM) experience with Microsoft Power Platform / Dynamics 365.

Currently there is no authentication option available for the recipients who are external contact. Support for B2C and B2B (similar to power portal) will help open up lots of business use cases including the ability to identify the respondent.

File upload is available only for B2E scenario. Ability to upload file/attachment is a must for many business use cases for external / anonymous users.