AI agents in Microsoft Dynamics 365 Finance & Supply Chain Management (D365 F&SCM) are evolving into powerful digital assistants that can answer questions, guide users and perform actions in the system. These capabilities are rapidly expanding, and there are many benefits, but organizations must be intentional about security, governance and auditability before enabling agents broadly.
This is especially important with the introduction of Model Context Protocol (MCP), which significantly expands what agents can do inside D365 F&SCM.
The importance of a strong security foundation
Microsoft-provided agents in D365 F&SCM currently rely on the permissions of the user who invokes them. Any gap in user security, such as overprovisioning, poor role design or segregation of duties (SoD) conflicts, is inherited by the agent.
If user security is not tightly controlled, agents can unintentionally amplify risk by executing actions more quickly and consistently than humans. They can also expose information that is currently shrouded through “security by obscurity.” Strong and compliant user security is a prerequisite for safe agent deployment.
Agent logs help identify the pages and actions an agent needs, allowing access to be tightened over time. Agents should be governed like users, not background features. Additionally, Microsoft offers Agent 365, for which Protiviti is an official product launch partner, which provides the ability to observe, govern and secure the growing number of agents within organizations in a single platform.
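The review described above can be sketched as follows. This is an added example, not Microsoft or Protiviti code: it compares what an agent actually did under each invoking user with what that user's roles grant, and flags SoD conflicts the agent inherits. All role, duty and user names and the log layout are constructed assumptions, not a D365 F&SCM export format.

```python
from collections import defaultdict

# Constructed sample data; names and layout are assumptions for illustration.
ROLE_DUTIES = {
    "AP clerk": {"MaintainVendorInvoices", "InquireVendorPayments"},
    "Vendor master admin": {"MaintainVendors", "MaintainVendorBankAccounts"},
    "AP payments": {"GenerateVendorPayments", "InquireVendorPayments"},
}
USER_ROLES = {
    "alice": {"AP clerk"},
    "bob": {"AP clerk", "Vendor master admin", "AP payments"},
}
# Hypothetical SoD rules: duty pairs one identity should not hold together.
SOD_RULES = [("MaintainVendorBankAccounts", "GenerateVendorPayments")]
# Constructed agent log: (invoking user, duty the agent exercised).
AGENT_LOG = [
    ("alice", "InquireVendorPayments"),
    ("bob", "InquireVendorPayments"),
    ("bob", "MaintainVendorInvoices"),
    ("alice", "InquireVendorPayments"),
]

def effective_duties(user):
    """Duties the agent inherits when this user invokes it."""
    return set().union(*(ROLE_DUTIES[r] for r in USER_ROLES.get(user, ())))

def review_agent_access(log):
    """Per invoking user: unused grants, out-of-grant use, inherited SoD conflicts."""
    used = defaultdict(set)
    for user, duty in log:
        used[user].add(duty)
    report = {}
    for user in sorted(used):
        granted = effective_duties(user)
        report[user] = {
            # Granted but never exercised by the agent: candidates for removal.
            "unused": sorted(granted - used[user]),
            # Exercised but not granted: log or role data is inconsistent.
            "outside_grant": sorted(used[user] - granted),
            # Conflicting duty pairs the agent holds through this user.
            "sod_conflicts": [p for p in SOD_RULES if set(p) <= granted],
        }
    return report

if __name__ == "__main__":
    for user, findings in review_agent_access(AGENT_LOG).items():
        print(user, findings)
```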
Governance, guardrails and auditability
As agents become more capable, guardrails matter. Without proper controls, agents can overshare sensitive or incorrect information and create gaps in auditability.
Before enabling agents, organizations should:
- Control who can access or invoke agents.
- Ensure user security role assignments are accurate.
- Define policies for agent-to-agent information sharing.
- Define limits for agents by setting policies and procedures.
Organizations should document where agents act in workflows, define approvals and exception handling and ensure procedures exist to support audit and compliance expectations. Agents should accelerate processes, not replace governance.
How MCP changes the picture
Model Context Protocol is now a foundational component of AI architectures. It defines:
- What data an agent can access.
- What actions it can perform.
- How those actions are executed safely and consistently.
MCP is available in version 10.0.47 and higher, but it is possible that the functionality will not be visible until the environment is upgraded to 10.0.48. It must also be activated via Feature Management. After enabling it, add the agent platform to the Allowed MCP Clients (Microsoft Copilot Studio and Visual Studio have access by default).
With MCP enabled, agents can interact directly with the D365 F&SCM user interface, navigate pages and execute actions like a user. This is a major shift from earlier automation approaches (such as Power Automate) and makes least privilege role design even more critical.
MCP is valuable because it provides a standardized, auditable way for agents to interact with D365 F&SCM business logic.
The evolution continues
AI agents and MCP in D365 F&SCM are new and evolving. Microsoft, partners and customers are working together to define what good security and governance look like in an agent-driven ERP world.
Agents are powerful and will quickly outrun security, auditability and controls if not proactively addressed.
For more information, please visit https://learn.microsoft.com/en-gb/dynamics365/fin-ops-core/dev-itpro/copilot/copilot-mcp.
