Create users according to licences


Azure Active Directory is now Microsoft Entra ID. Learn more

Security groups are new to Business Central in 2023 release wave 1. They're similar to the user groups that this article mentions. Like user groups, administrators assign the permissions to the security group that its members need to do their jobs.

User groups will no longer be available in a future release. You can continue using user groups to manage permissions until then. To learn more about security groups, go to Control Access to Business Central Using Security Groups.

This article describes how administrators create users and define who can sign in to Business Central. You'll also learn how to assign permissions to different users according to your product licences.

When you create users in Business Central, you grant permissions to them through permission sets. You can also organise users in user groups. User groups make it easier to manage permissions and other settings for multiple users at the same time. For more information, see Assign Permissions to Users and Groups.

For more information about the different types of licences and how licensing works in Business Central, download the Dynamics 365 Licensing Guide.


The process of managing users and licences varies depending on whether Business Central is deployed online or on-premises. For Business Central online, you must add users from Microsoft 365. In on-premises deployments, you can create, edit, and delete users directly.

Manage users and licences in online tenants

User accounts in Business Central must be first created in the Microsoft 365 admin centre. These user accounts aren't exclusive to Business Central. If you subscribe to other plans, they can be used to sign in to other applications, such as Power BI. For information about creating users in the Microsoft 365 admin centre, go to Add users in Microsoft admin centre.

Your subscription to Business Central online defines how many Business Central user licences you're allowed. Users are added to your tenant in the Microsoft Partner Centre, typically by your Microsoft partner. For more information, see Administration of Business Central Online.

You assign licences to users according to the work each user will do in Business Central. You can assign licences in several ways:

For more information, see Administration of Business Central Online in the administration Help.

After user accounts are created in the Microsoft 365 admin centre, there are two ways to import them to Business Central:

  • A user account is imported automatically when the user signs in to Business Central the first time.


    After a user signs in to Business Central online, you can't delete the user.

  • The administrator can import users by choosing the Update Users from Microsoft 365 action on the *Users page.

Both approaches have their own advantages, and you can use them simultaneously. Each approach allows administrators to proactively configure Business Central to assign the starting permissions, user groups, and user profiles. Using the Update Users from Microsoft 365 action gives administrators more control to adjust permissions, user groups, and profiles. It's an ideal approach when you're setting up Business Central the first time, before any users sign in, or when adding a new team of users.


After you add users in the Microsoft 365 Admin Centre, we recommend that you update the user information in Business Central as soon as possible. Keeping user information current is easy to do, and helps ensure that people can always sign in. For more information, see To add users or update user information and licence assignments in Business Central.

Updating user information is especially important if you've customised permission sets for the licence. If a new user tries to sign in to Business Central before you've added them, they might not be able to. For more information, see Configure permissions based on licences.

However, users who experience this problem aren't actually blocked. They can either use the Go back home action, or simply sign in again to resolve the issue.

You might see other users in the Users list apart from those from your own company. When a delegated admin from a reselling partner company logs into a Business Central environment on behalf of their customer, they are automatically created as a user inside Business Central. This way, the actions performed by a delegated admin are logged in Business Central, such as posting documents, and associated with their user ID.

With granular delegated admin privileges (GDAP), the user is shown in the Users list and can be assigned any permissions. They are not shown with name and other personal information but with their company name and a unique ID. Both internal and external admins can see these users in the Users list, and they have full transparency into what these users do through the change log, for example. But they can't see the actual name of these users. GDAP users are listed with user names in the following format: They might have a user name that reflects the partner's company name, and the email address is not the person's actual email address. This way, the GDAP user accounts do not reveal personal information. If you need to find out who the person behind such a pseudonym is, you'll have to reach out to the company that this user works or worked for.

For more information, see Delegated administrator access to Business Central Online.

Configure permissions based on licences

APPLIES TO: Business Central 2022 release wave 1 and later

Admins can configure permissions sets and user groups for each licence.

For example, the commonly used licence, Dynamics 365 Business Central Team Member, has the following permissions sets by default:

  • D365 READ

Other permission sets are added automatically based on the user groups assigned to the licence. When creating a new user based on this licence, Business Central assigns the permission sets originating from the user groups and the permission sets from the licence. The same starting permissions are assigned to the user if their user account was created automatically in Business Central or if the administrator used the Update Users from Microsoft 365 action in the Users page.

If this default configuration isn't the right setup for a particular environment, the admin can change that configuration. However, customised permissions will affect only new users who are assigned that licence. Permissions for existing users who are assigned the licence won't be affected.

  1. Sign in to Business Central using an administrator account.

  2. Choose the Lightbulb that opens the Tell Me feature. icon, enter Licence Configuration, and then choose the related link.

  3. In the Licence Configuration page, choose the licence that you want to customise, and then choose the Configure action.

  4. Choose the Customise permissions field to switch on customisation, and then make the relevant changes.

    In our example, the admin wants to remove the permission to edit in Excel, so they remove the Excel Export Action user group from the Team Member licence. Going forward, new users that are assigned the Team Member licence won't get the option to export data to Excel. If the organisation changes their minds on the subject, they can just go back to the Licence Configuration page and switch off the customisation for that licence type.


This customisation of permissions only takes effect for new users that you assign the relevant licence. Existing users are not updated. We recommend that you customise permissions before you start assigning users licences in the Microsoft 365 admin centre.

To add users or update user information and licence assignments in Business Central

After you add users or change user information in the Microsoft 365 Admin Centre, you can quickly import the user information to Business Central. The import includes licence assignments.


If you need to update user information and you have a lot of users, you can use the filter pane to narrow down the list. You can filter on basic information such as the user name, or set more technical filters, such as the user's security ID.

  1. Sign in to Business Central using an administrator account.
  2. Choose the Lightbulb that opens the Tell Me feature. icon, enter Users, and then choose the related link.
  3. Choose Update Users from Microsoft 365.


Running the synchronisation of users from Microsoft 365 using the Update Users from Microsoft 365 guide, requires the SUPER permission set.


The Update Users from Microsoft 365 guide doesn't update users that are not assigned a licence, such as someone who is Global Admin and Dynamics 365 Admin. Those users will update the next time they sign in to the environment.

The next step for newly created users is to assign user groups and permissions. Go to Assign Permissions to Users and Groups for information. If you're updating a user, and the update includes a licence change, users are assigned to the appropriate user group and their permission sets are updated. For more information, see To manage permissions through user groups.


All users in an environment must be assigned to the same licence, either Essentials or Premium. For more information about licensing, go to Business Central website.

For more information about synchronising user information with Microsoft 365, go to the Synchronisation with Microsoft 365 section.


If you use an external accountant to manage your books and financial reporting, you can invite them to your Business Central so they can work with you on your fiscal data. For more information, see Inviting Your External Accountant to Your Business Central.

To remove a user's access to the system

You can remove a user's access to Business Central online. All references to the user are kept. However, the user can't sign in and active sessions for the user are stopped.

  1. Choose the Lightbulb that opens the Tell Me feature. icon, enter Users, and then choose the related link.
  2. Open the User Card page for the relevant user, and then, in the Status field, select Disabled.
  3. To give the user access again, set the Status field to Enabled.

You can also remove the licence from a user in the Microsoft 365 Admin Centre. The user is then unable to sign in. For more information, see Remove licences from users.

Synchronisation with Microsoft 365

When you assign a licence for Business Central to a user in Microsoft 365, there are two ways to create the user in Business Central.

In both cases, several settings are applied automatically. These settings are listed in the second and third columns in the table below.

If you change user information in Microsoft 365, you can update Business Central to reflect the change. Depending on what you want to update, use one of the actions on the Users page. The actions are described in the last two columns in the table below.

What happens when: First user, first sign-in Update Users from Microsoft 365 Restore User Default User Groups
Scope: Current user Multiple selected users Single selected user (except current)
Create the new user and assign SUPER permission set.

Update the user based on information in Microsoft 365: Status, Full Name, Contact Email, Authentication Email. X X X
Synchronise user plans (licences) with licences and roles assigned in Microsoft 365. X X X
Add the user to user groups according to the current user plans. Remove the SUPER permission set for all users other than the first user to sign in and administrators. At least one SUPER is required. X X X

Removes manually assigned user groups and permissions.

Users can access Business Central records in Teams using only their Microsoft 365 licence. When access is enabled for an environment, synchronising using the Update users from Microsoft 365 action won't include users that only have a Microsoft 365 licence. To include these users in synchronisation, you must first update environment settings by assigning a security group that contains users with a Business Central licence and users with only a Microsoft 365 licence.

Learn about securing access to environments using security groups at Manage access using Microsoft Entra groups.

Get an overview of accessing Business Central in Teams with Microsoft 365 licences at admin-access-with-m365-licence.

Manage users and licences in on-premises deployments

For on-premises deployments, the number of user licences is specified in the licence file (.bclicense or .flf). When an administrator or Microsoft partner uploads the licence file, they can specify which users can sign in to Business Central.

For on-premises deployments, the administrator creates, edits, and deletes users directly from the Users page.

To edit or delete a user in an on-premises deployment

  1. Choose the Lightbulb that opens the Tell Me feature. icon, enter Users, and then choose the related link.
  2. Select the user that you want to edit, and then choose the Edit action.
  3. On the User Card page, change the information as necessary.
  4. To delete a user, select the user that you want to delete, and then choose the Delete action.


For on-premises deployments an administrator can specify how to authenticate user credentials in the Business Central Server instance. When you create a user, you provide the credential type that you are using.

For more information, see the Authentication and Credential Types in the administration Help for Business Central.

See Also

Assign Permissions to Users and Groups
Manage Profiles
Change Which Features are Displayed
Customising Business Central
Getting Ready for Doing Business
Licensing in Dynamics 365 Business Central
Add Users to Microsoft 365 for business
Security and Protection in Business Central (administration content)
Assign a telemetry ID to users

Find free e-learning modules for Business Central here