Once you have decided that moving your ERP to the cloud is the way to go and that Business Central Online is your cloud ERP of choice, you will be introduced to the world of Azure Active Directory tenants, Business Central environments, and online licence types. We recently took a look at Business Central licence types in this blog. Here, we explore what we mean by an Azure Active Directory tenant, the different types of Business Central environments available, and how best to manage them.

What is Azure Active Directory?

Azure Active Directory (Azure AD or AAD) is Microsoft’s cloud-based identity and access management service. It helps businesses and their employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

All Microsoft cloud service subscriptions, including Microsoft Dynamics 365 Business Central, are accessed via an Azure AD tenant, which is tied to a specific region of the world. Users are defined in Azure AD and then assigned the relevant licences in the Microsoft 365 Admin Centre.

It is very important to note that users from one Azure Active Directory tenant cannot access environments that belong to another Azure Active Directory tenant.

Business Central Environments

Every Azure Active Directory tenant that buys a Business Central Online subscription, regardless of whether it is a Premium or Essentials licence type, will receive a number of environments. These environments are linked to a specific country with specific localisations included within them.

Each Business Central Online subscription will receive one production environment and three sandbox environments.

  • The live Production Environment is the environment from which the business runs its daily business in Business Central. Production environments are backed up automatically by Microsoft to ensure that the business’s critical data is kept protected.
  • Sandbox Environments are non-production instances of Business Central. They are isolated from the live production environment and are safe places where Business Central admins and users can explore, learn about, test and develop their Business Central instance. They can do this without having to worry that the work they are doing in the environment will affect their live business data.

Live production environments can be copied into a sandbox environment. The new sandbox will contain all data and all per-tenant extensions and AppSource extensions that are installed and published in the original production environment.

If a business wants more than one production environment, additional ones can be purchased through its CSP partner. Each of these production environments comes with three additional sandbox environments and 4 GB of tenant-wide database capacity.

Each environment can also be divided into multiple companies, where each company defines a legal entity or a business unit that has separate accounting requirements. All users who have a Business Central licence for a specific Azure AD tenant will have access to all companies in each Business Central environment that the Azure AD tenant has.

An example of a Business Central Environment

The example below shows a Danish company that has a German subsidiary. The organisation has chosen to use a separate Azure AD tenant for the subsidiary so that the German environment could use the Essentials licence type rather than the Premium licence type. In each of the production environments, there are separate companies set up to represent the different business units.

Source: Understanding the Infrastructure of Business Central Online, Microsoft

Management of the Business Central environments

The best way for a business to manage its Business Central production and sandbox environments is through the Business Central Admin Centre.

Access to the Business Central Admin Centre is restricted to the following types of users:

  • Internal tenant administrators
  • Admin agents
  • Helpdesk agents.

Internal administrators are users who are assigned the Global admin role or the Dynamics 365 Admin role in the Microsoft 365 admin centre. These users are typically system administrators, IT professionals, or super users at the company.

The admin agent and helpdesk agent roles are assigned through the Microsoft Partner Centre for the organisation that is associated with the tenant. These roles can access the Business Central tenant as delegated administrators. In April 2022, Microsoft introduced Granular Delegated Admin Privileges (GDAP), a security feature of the Microsoft Partner Centre that provides partners with least-privileged, granular, and time-bound access to their customers’ workloads in production and sandbox environments.

Once a user enters the Admin Centre, they will see a list of all the Production and Sandbox environments in their BC tenant. When they click on a specific environment, they will see its technical details (including the environment’s Azure region, version and URL) and will have access to a number of different admin tasks.

These include:

  • Creating a database export (this will allow a user to create a backup of the environment)
  • Opening a Support ticket with Microsoft
  • Configuring update settings
  • Renaming, Deleting or Refreshing the environment
  • Viewing all active sessions in that environment
  • Managing all apps in the environment.

The ability to view all active sessions in an environment is very handy as a troubleshooting tool. An administrator can see every user with an active session in the environment and can close any of those sessions if required.
