What do Entra and Purview actually do?
Microsoft Entra
Microsoft Entra manages user identity and authentication for your Microsoft tenant. It handles single sign-on, Multi-Factor Authentication, Conditional Access, and the management of users and groups. In Business Central deployments, you can link Entra security groups directly to Business Central so that group membership automatically determines which permission sets a user receives, keeping user lifecycle management centralized.
One important limitation: Entra has no semantic knowledge of Business Central processes, tables, pages, or business concepts. It cannot reason about approvals, segregation of duties, or the business meaning of a permission set.
Microsoft Purview
Purview is a data governance platform focused on discovery, classification, and policy management across data sources. For Business Central specifically, it automatically receives auditable events such as user changes, permission set modifications, and environment settings. These are logged to a unified audit log and can be searched and exported for compliance purposes.
One important limitation: Purview does not manage application-level authorization or generate permission sets for Business Central. It captures what happened at the administrative level, but it does not translate that into operational access rules inside an ERP.
In short: Purview provides data visibility and administrative audit logging. Entra manages identity. Neither provides the application-specific, process-aware authorization that Business Central requires.
What does the Authorization Box add?
The 2-Controlware Authorization Box is purpose-built for Business Central authorization governance. It fills the gaps that Entra and Purview leave open.
Process-based authorization modelling: instead of thinking in terms of tables, pages, and object IDs, the Authorization Box lets you define permissions at the level of business roles and tasks (for example, "Purchase-to-Pay: Invoice Approval").
Segregation of Duties (SoD) detection: it contains logic to detect and review SoD conflicts, such as the same user creating vendors and approving payments, and to model mitigations like dual control or compensating controls.
Audit-ready reporting: it documents who changed what, why, and when, which is crucial for internal controls and external audits.
Why does this matter?
Business Central is an ERP with strong regulatory, financial, and process implications. Managing permissions only at the identity or data layer leaves a blind spot where the real business risk lives: the combination of what a given user can do inside the system.
Consider a finance department user who needs to perform invoice entry but should not approve payments. With a simple Entra group mapping, both privileges could accidentally be granted if permission sets were combined for convenience. The Authorization Box prevents this by modelling two distinct business roles, verifying that no user holds the conflicting role pair, and provisioning only the exact permission sets the role requires.
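The check described above, sketched as an added example (not 2-Controlware's or Microsoft's code): it resolves each user's Entra group memberships to effective permission sets, derives the business roles those sets amount to, and flags conflicting role pairs. All group, permission set, role and user names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: every group, permission set, role and user name is hypothetical.
GROUP_PERMISSION_SETS = {
    "SG-BC-AP-Clerk": {"AP-INVOICE-ENTRY"},
    "SG-BC-AP-Approver": {"AP-PAYMENT-APPROVE"},
    "SG-BC-Finance-All": {"AP-INVOICE-ENTRY", "AP-PAYMENT-APPROVE"},  # combined for convenience
    "SG-BC-Vendor-Admin": {"VENDOR-CREATE"},
}
# Business role -> permission sets that together grant it.
ROLE_PERMISSION_SETS = {
    "Invoice Entry": {"AP-INVOICE-ENTRY"},
    "Payment Approval": {"AP-PAYMENT-APPROVE"},
    "Vendor Creation": {"VENDOR-CREATE"},
}
# Role pairs one user must not hold together (the two conflicts named in the text).
SOD_RULES = {
    frozenset({"Invoice Entry", "Payment Approval"}),
    frozenset({"Vendor Creation", "Payment Approval"}),
}
USER_GROUPS = {
    "alice": ["SG-BC-AP-Clerk"],
    "bob": ["SG-BC-Finance-All"],                          # conflict inside one group
    "carol": ["SG-BC-Vendor-Admin", "SG-BC-AP-Approver"],  # conflict across two groups
    "dave": ["SG-BC-AP-Clerk", "SG-BC-Unmapped"],          # unmapped group grants nothing
}

def effective_permission_sets(groups):
    """Union of the permission sets granted by every mapped group."""
    granted = set()
    for group in groups:
        granted |= GROUP_PERMISSION_SETS.get(group, set())
    return granted

def roles_held(permission_sets):
    """Business roles whose required permission sets are all present."""
    return {role for role, needed in ROLE_PERMISSION_SETS.items() if needed <= permission_sets}

def sod_conflicts(user_groups):
    """Map each user to the conflicting role pairs they effectively hold."""
    findings = {}
    for user, groups in user_groups.items():
        roles = sorted(roles_held(effective_permission_sets(groups)))
        pairs = [pair for pair in combinations(roles, 2) if frozenset(pair) in SOD_RULES]
        if pairs:
            findings[user] = pairs
    return findings

if __name__ == "__main__":
    for user, pairs in sod_conflicts(USER_GROUPS).items():
        print(user, pairs)
```

The conflict is evaluated on the union of a user's groups, so it is caught whether it comes from one combined group or from two individually harmless memberships.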
The right tool for each job
These tools work best together. Entra handles who a user is and manages their lifecycle. Purview captures administrative changes and supports compliance reporting. The Authorization Box governs what a user is allowed to do inside Business Central, based on their business role and the processes they are responsible for.
Each covers a layer that the others do not. For organizations with financial controls, regulatory requirements, or audit obligations, all three layers are necessary.