Become a Member My Atlas
Insights
Training
Advisory & Negotiation
Free Resources
About
Contact Us
Search
Become a Member

May 23, 2025

  Blog

Dynamics 365 ERP Licensing Moves to Security Roles: Cleanup Required 

My Atlas / Blog

1,015 wordsTime to read: 6 min
Andrew Snodgrass by
Andrew Snodgrass

Andrew analyzes and writes about Microsoft's data management, business intelligence, and machine learning solutions, as well as aspects of licensing... more

Two factory workers in orange shirts examining a piece of paper

Microsoft has once again “clarified” rules that change how Dynamics 365 user license compliance is measured but could also simplify how to determine what user licenses are required. Many Dynamics 365 Finance + Operations customers should spend time now cleaning up security roles assigned to their users, before Microsoft potentially claims they are out of compliance. (Note: this change does not impact Dynamics 365 CRM customers.) 

What Happened?

On May 3rd, 2025, I was going through the latest Dynamics 365 Licensing Guide to look for changes, when I noticed the addition of a sentence in Appendix E on page 56:

Credit: Microsoft (click to enlarge)

“Licensing requirements for these applications are determined by the role-based security assigned to each user.” 

“These applications” refers to the Dynamics 365 Finance and Operations applications: Finance, Supply Chain Management, Commerce, Project Operations, and Human Resources. 

The significance of the sentence is that the user licensing requirements for Dynamics 365 Finance and Operations applications have shifted from “what a user actually did” to “what a user could potentially do.” 

Previously, organizations were on the hook for a Dynamics 365 license based on the application users accessed, the routines they ran, and the type of data they updated. Microsoft provided some reports that gave guidance on what license users “might” require, but the ultimate test of license compliance was based on activities users performed. This could only be determined by viewing audit logs, which had their own limitations, or by evaluating the custom screens or custom applications users accessed, because these custom screens and applications programmatically limited what users could do. (In Nov. 2024, I wrote extensively about how to tackle user license compliance for our members in “Dynamics 365 User License Compliance: A Struggle that Benefits Microsoft.”) 

However—and this is a big however—going forward, the new sentence “clarifies” that what a user actually does is no longer relevant, because organizations are now on the hook for a Dynamics 365 license or licenses that cover security roles assigned to users. 

Why is this a Concern?

I’m concerned for companies who have enjoyed Microsoft’s relaxed approach to user license compliance and have routinely handed out higher security roles than needed, which now exposes the organization to new (sorry, “clarified”) license requirements. 

The licensing change won’t severely impact everyone, especially not those customers who were diligent with assigning security roles, but I do think it will be a problem in the following scenarios: 

Security roles applied for convenience. Many admins took the easy approach and assigned users with as many security roles as needed to get the user working and meeting any potential request, reducing the need for the user to come back and ask for more rights later. Is this a best practice? No. But we all know that it happens. 

Customizations using default security roles. This is the biggest issue. Most customers customize Dynamics 365 Finance + Operations in some way. They modify Dynamics 365 screens to remove certain fields or add access to other data, and some customers build or purchase custom applications that augment the Dynamics 365 service and access data directly. In these situations, an admin must still assign users with a security role, and those security roles (especially the default ones) often contain rights beyond what a user needs for the custom scenario. This is generally acceptable, because the custom screen or application limits what a user can do, so giving them excessive rights is a low risk. 

However, with the new sentence in the Licensing Guide, all users are required to have a license based on the security roles they are assigned, whether or not they actually perform activities allowed by those security roles. 

What Should Customers Do? 

Don’t panic. Although the change is in place as of May 2025, there is no automatic compliance check that will lock users out if they don’t have the right licensed assigned. What you should do it start planning for your next audit or renewal, so I recommend the following steps. 

  1. Talk with your Dynamics 365 security admins and find out how big of an issue this is. They will have the best sense of the magnitude and risk for your organization. 
  1. Adopt a “least access” approach to security roles. In other words, do the right thing and only assign users the security roles and features they need, rather than being overly generous. In many cases, this will involve building custom security roles that only grant rights to the features and data users actually need. Custom security roles are a common approach and nothing to be feared. 
  1. Clean up existing security role assignments. Microsoft is previewing new license compliance reports that compare the security roles a user has (and therefore the license required) with the licenses users are assigned. The reports can highlight when users are under licensed, but I suggest using it as a starting point to determine if users have excessive security roles or could benefit from a custom security role that has a lower licensing requirement. 
  1. Talk with developers who customize the Dynamics 365 service and determine if they used default security roles or custom security roles to provide access to their custom solution. Typically, custom solutions benefit from custom security roles that grants the least number of rights and therefore the lowest possible license requirement. 

Do you really read the Licensing Guide each Month? 

It’s been asked this many times and yes, I read through the new Licensing Guide every month, looking for changes that impact customers.  

I also keep a copy of most of them, in case I need to look back through time. I’m not sure anyone needs a “Dynamics 365 (On-premises) Enterprise Edition – Dec. 2016” licensing guide, but I have one. 

In a similar situation, last April, I wrote about how Microsoft “clarified” licensing rules about Dynamics 365 and Power Apps last April as well in “Dynamics 365 rights in Power Apps Subscriptions: Changes on the horizon.” 

Related Resources

Directions kit “Dynamics 365.” (Directions members only)

Licensing Reference Set for Dynamics 365 (Directions members only)

Related Free Content

Timeline for the phased retirement of SharePoint Online Alerts Alert! SharePoint Alerts Is Retiring   May 20, 2025   Blog
Microsoft CEO Satya Nadella on stage at Build 2025 Ten Takeaways from Microsoft Build 2025  May 19, 2025   Blog
Microsoft to provide security updates for M365 apps on Windows 10 for three more years  Updated: May 13, 2025   Blog
Diagram showing Basic Authentication with SMTP using email senders Exchange Online to Cut Off Some Devices and Apps Starting This Fall May 8, 2025   Blog
Azure datacenter in a rural setting Microsoft Q3 FY25 earnings: What Enterprises Need to Know  Updated: May 2, 2025   Blog
Thanks… I’m Calling it a Day May 2, 2025   Blog
Map of Europe next to a keyboard and data image Microsoft: European customers can count on us  Updated: April 30, 2025   Blog
Screen shot of the revamped Microsoft 365 Copilot Chat app coming in May The Revamped Microsoft 365 Copilot App: It’s All About the Agents  Updated: April 29, 2025   Blog
A man in front of a computer sifting through lots of paper documents Busting Four of the Biggest Microsoft Support Myths  Updated: April 24, 2025   Blog
Price Increases for Microsoft On-Premises Servers Take Effect July 1 Updated: April 8, 2025   Blog
Windows Roadmap: Caution, Construction Ahead Updated: April 4, 2025   Blog
Microsoft's 3 CEOs at the event where Nadella was named CEO in 2014 Microsoft Turns 50: Directions Looks at the Good, Bad, and the Future Updated: April 4, 2025   Blog
Diagram showing how Security Copilot integrates with agents Microsoft Readies New Security Copilot Agents Updated: March 24, 2025   Blog
Skype and Teams logos in boxes on a pastel background Microsoft to drop its Skype communications service in May 2025 Updated: March 3, 2025   Blog
Exchange Server: An Even Tighter SE Squeeze Updated: February 10, 2025   Blog
Microsoft makes DeepSeek R1 model available via Azure AI Foundry and GitHub Updated: January 30, 2025   Blog