A user defined in Dynamics AX 4.0 and 2009 must be an Active Directory user too. This scenario is supported by Dynamics AX 2012 as well, but some new possibilities were added. When creating a new user, you can choose also Active Directory group or Claims user as an Account type.
Claims user account type is authenticated by SharePoint (and its claims-based authentication), which allows Enterprise Portal to be accessed by users from other domains (Active Directory Federated Service), by users authenticated by a separate database of passwords (Forms Based Authentication) or even by LiveId.
Active Directory group account type allows to create a Dynamics AX user who in fact represents a group of users:
The advantage is obviously in the fact that when a user is added to to right group on Active Directory level, he immediately gets access to Dynamics AX too.
When a particular user from the defined user group logs into Dynamics AX 2012 for the first time, the system automatically creates a standard user account of Active Directory user type, with a generated User ID ($ + alphanumeric sequence, e.g. $8B1C) and with settings taken over from the user group account.
Permissions are not copied from a group to a user, but both group permissions and permissions set specifically for the user are applied together. If a user is removed from the group, the previously created account remains active. Nevertheless, if all rights was given to the user by his membership of the group, he cannot perform any actions in Dynamics AX.