Create users according to licences
Note
Azure Active Directory is now Microsoft Entra ID.
Security groups are new to Business Central in 2023 release wave 1. They're similar to the user groups that this article mentions. Like user groups, administrators assign the permissions to the security group that its members need to do their jobs.
User groups will no longer be available in a future release. You can continue using user groups to manage permissions until then. To learn more about security groups, go to Control Access to Business Central Using Security Groups.
This article describes how administrators create users and define who can sign in to Business Central. This article also describes how to assign permissions to different users according to your product licences.
When you create users in Business Central, you grant permissions to them through permission sets. You can also organise users in user groups. User groups make it easier to manage permissions and other settings for multiple users at the same time. For more information, see Assign Permissions to Users and Groups.
For more information about the different types of licences and how licensing works in Business Central, download the Dynamics 365 Licensing Guide.
Note
The process of managing users and licences varies depending on whether Business Central is deployed online or on-premises. For Business Central online, you must add users from Microsoft 365. In on-premises deployments, you can create, edit, and delete users directly.
Manage users and licences in online tenants
User accounts in Business Central must first be created in the Microsoft 365 admin centre. These user accounts aren't exclusive to Business Central. If you subscribe to other plans, they can be used to sign in to other applications, such as Power BI. For information about creating users in the Microsoft 365 admin centre, go to Add users in Microsoft admin centre.
Your subscription to Business Central online defines how many Business Central user licences you're allowed. Users are added to your tenant in the Microsoft Partner Centre, typically by your Microsoft partner. For more information, see Administration of Business Central Online.
You assign licences to users according to the work each user does in Business Central. You can assign licences in several ways:
- Your company's Microsoft 365 administrator can do it in the Microsoft 365 Admin Centre. For more information, see Add users individually or in bulk to Microsoft 365.
- A Microsoft partner can assign licences in the Microsoft 365 Admin Centre or in the Microsoft Partner Centre. For more information, see User management tasks for customer accounts in the Microsoft Partner Centre Help.
For more information, see Administration of Business Central Online in the administration Help.
After user accounts are created in the Microsoft 365 admin centre, there are two ways to import them to Business Central:
- A user account is imported automatically when the user signs in to Business Central the first time.
Note
After a user signs in to Business Central online, you can't delete the user.
- The administrator can import users by choosing the Update Users from Microsoft 365 action on the Users page.
Both approaches have their own advantages, and you can use them simultaneously. Each approach allows administrators to proactively configure Business Central to assign the starting permissions, user groups, and user profiles. Using the Update Users from Microsoft 365 action gives administrators more control to adjust permissions, user groups, and profiles. It's an ideal approach when you're setting up Business Central the first time, before any users sign in, or when adding a new team of users.
Note
After you add users in the Microsoft 365 Admin Centre, we recommend that you update the user information in Business Central as soon as possible. Keeping user information current is easy to do, and helps ensure that people can always sign in. For more information, see To add users or update user information and licence assignments in Business Central.
Updating user information is especially important if you've customised permission sets for the licence. If a new user tries to sign in to Business Central before you've added them, they might not be able to. For more information, see Configure permissions based on licences.
However, users who experience this problem aren't actually blocked. They can either use the Go back home action, or simply sign in again to resolve the issue.
You might see other users in the Users list apart from those from your own company. When a delegated admin from a reselling partner company logs into a Business Central environment on behalf of their customer, they are automatically created as a user inside Business Central. This way, the actions performed by a delegated admin are logged in Business Central, such as posting documents, and associated with their user ID.
With granular delegated admin privileges (GDAP), the user is shown in the Users list and can be assigned any permissions. They are not shown with name and other personal information but with their company name and a unique ID. Both internal and external admins can see these users in the Users list, and they have full transparency into what these users do through the change log, for example. But they can't see the actual name of these users. GDAP users are listed with user names in the following format: User123456@partnerdomain.com. They might have a user name that reflects the partner's company name, and the email address is not the person's actual email address. This way, the GDAP user accounts do not reveal personal information. If you need to find out who the person behind such a pseudonym is, you'll have to reach out to the company that this user works or worked for.
For more information, see Delegated administrator access to Business Central Online.
Configure permissions based on licences
APPLIES TO: Business Central 2022 release wave 1 and later
Admins can configure permissions sets and user groups for each licence.
For example, the commonly used licence, Dynamics 365 Business Central Team Member, has the following permissions sets by default:
- D365 READ
- D365 TEAM MEMBER
- EDIT IN EXCEL - VIEW
- EXPORT REPORT EXCEL
- LOCAL
Other permission sets are added automatically based on the user groups assigned to the licence. When you create a new user based on this licence, Business Central assigns the permission sets originating from the user groups and the permission sets from the licence. The same starting permissions are assigned to the user whether their user account was created automatically in Business Central or the administrator used the Update Users from Microsoft 365 action on the Users page.
If this default configuration isn't the right setup for a particular environment, the admin can change that configuration. However, customised permissions affect only new users who are assigned that licence. Permissions for existing users who are assigned the licence aren't affected.
- Sign in to Business Central using an administrator account.
- Choose the icon, enter License Configuration, and then choose the related link.
- In the Licence Configuration page, choose the licence that you want to customise, and then choose the Configure action.
- Choose the Customize permissions field to switch on customisation, and then make the changes.
In our example, the admin wants to remove the permission to edit in Excel, so they remove the Excel Export Action user group from the Team Member licence. Afterward, new users who are assigned the Team Member licence can't export data to Excel. If the organisation changes its mind on the subject, the admin can go back to the Licence Configuration page and switch off the customisation for that licence type.
Important
This customisation of permissions only takes effect for new users that you assign the relevant licence. Existing users are not updated. We recommend that you customise permissions before you start assigning users licences in the Microsoft 365 admin centre.
To add users or update user information and licence assignments in Business Central
After you add users or change user information in the Microsoft 365 Admin Centre, you can quickly import the user information to Business Central. The import includes licence assignments.
Tip
If you need to update user information and you have a lot of users, you can use the filter pane to narrow down the list. You can filter on basic information such as the user name, or set more technical filters, such as the user's security ID.
- Sign in to Business Central using an administrator account.
- Choose the icon, enter Users, and then choose the related link.
- Choose Update Users from Microsoft 365.
Important
Running the synchronisation of users from Microsoft 365 using the Update Users from Microsoft 365 guide requires the SUPER permission set.
Note
The Update Users from Microsoft 365 guide doesn't update users that are not assigned a licence, such as someone who is a Dynamics 365 administrator. Those users will update the next time they sign in to the environment.
The next step for newly created users is to assign user groups and permissions. Go to Assign Permissions to Users and Groups for information. If you update a user with a licence change, Business Central assigns users to the appropriate user group and updates their permission sets. For more information, see To manage permissions through user groups.
Note
With 2024 release wave 1, a Premium licence user can sign in to a company where the User Experience field is set to Essentials on the Company Information page. However, the Premium user can't use any of the features that the Premium licence provides. This doesn't work in the opposite direction. Users who have an Essentials licence can't sign in to a company where the User Experience is set to Premium on the Company Information page. For more information about licensing, go to the Business Central website.
If you use an external accountant to manage your books and financial reporting, you can invite them to your Business Central so they can work with you on your financial data. For more information, see Inviting Your External Accountant to Your Business Central.
For more information about synchronising user information with Microsoft 365, go to the Synchronisation with Microsoft 365 section.
To remove a user's access to the system
You can remove a user's access to Business Central online. All references to the user are kept. However, the user can't sign in and active sessions for the user are stopped.
- Choose the icon, enter Users, and then choose the related link.
- Open the User Card page for the relevant user, and then, in the Status field, select Disabled.
- To give the user access again, set the Status field to Enabled.
You can also remove the licence from a user in the Microsoft 365 Admin Centre. The user is then unable to sign in. For more information, see Remove licences from users.
Synchronisation with Microsoft 365
When you assign a licence for Business Central to a user in Microsoft 365, there are two ways to create the user in Business Central.
- The administrator can add the user by choosing the Update Users from Microsoft 365 action on the Users page as described in the To add a user or update user information in Business Central section.
- The licence information updates automatically when the user signs in for the first time.
In both cases, several settings are applied automatically. These settings are listed in the second and third columns in the following table.
If you change user information in Microsoft 365, you can update Business Central to reflect the change. Depending on what you want to update, use one of the actions on the Users page. The actions are described in the last two columns in the following table.
What happens when: | First user, first sign-in | Update Users from Microsoft 365 | Restore User Default User Groups |
---|---|---|---|
Scope: | Current user | Multiple selected users | Single selected user (except current) |
Create the new user and assign SUPER permission set. | X | X | |
Update the user based on information in Microsoft 365: Status, Full Name, Contact Email, Authentication Email. | X | X | X |
Synchronise user plans (licences) with licences and roles assigned in Microsoft 365. | X | X | X |
Add the user to user groups according to the current user plans. Remove the SUPER permission set for all users other than the first user to sign in and administrators. At least one SUPER is required. | X | X | X Removes manually assigned user groups and permissions. |
Users can access Business Central records in Teams using only their Microsoft 365 licence. When access is enabled for an environment, synchronising using the Update Users from Microsoft 365 action skips users that only have a Microsoft 365 licence. To include these users in synchronisation, you must first update environment settings by assigning a security group that contains users with a Business Central licence and users with only a Microsoft 365 licence.
Learn about securing access to environments using security groups at Manage access using Microsoft Entra groups.
Get an overview of accessing Business Central in Teams with Microsoft 365 licences at admin-access-with-m365-licence.
Manage users and licences in on-premises deployments
For on-premises deployments, the number of user licences is specified in the licence file (.bclicense or .flf). When an administrator or Microsoft partner uploads the licence file, they can specify which users can sign in to Business Central.
For on-premises deployments, the administrator creates, edits, and deletes users directly from the Users page.
To edit or delete a user in an on-premises deployment
- Choose the icon, enter Users, and then choose the related link.
- Select the user that you want to edit, and then choose the Edit action.
- On the User Card page, change the information as necessary.
- To delete a user, select the user that you want to delete, and then choose the Delete action.
Note
For on-premises deployments, an administrator can specify how to authenticate user credentials in the Business Central Server instance. When you create a user, you provide the credential type that you are using.
For more information, see the Authentication and Credential Types in the administration Help for Business Central.
Analyse user status by licence type
You can use the Data Analysis feature to analyze data on the Users page. You don't have to run a report or open another application, such as Excel. The feature provides an interactive and versatile way to calculate, summarise, and examine data. Instead of running reports using options and filters, you can add multiple tabs that represent different tasks or views on the data. Some examples are "Users by status" or "Users by licence type," or any other view you can imagine. To learn more about how to use the Data Analysis feature, go to Analyze list and query data with analysis mode.
User analysis scenarios
The following sections provide examples of scenarios where analysing the user list can help you monitor the status of your users.
Area | To... | Open this page in analysis mode | Using these fields |
---|---|---|---|
Users by status | See a list of users based on their status (enabled/disabled). | Users | Status, User Name, Full Name, Authorization email, and License Type. |
Users by license type | See a list of users based on their licence type. | Users | License Type, Status, User Name, Full Name, and Authorization email. |
Example: Users by status
To analyse users by status, follow these steps:
- Open the Users list, and choose the icon to turn on analysis mode.
- On the Columns menu, remove all columns (select the box next to the Search field on the right).
- Drag the Status (user enabled/disabled) and License Type fields to the Row Groups area.
- Choose the fields User Name, Full Name, and Authorization email.
- Rename your analysis tab to Users by status, or something that describes this analysis.
The following image shows the result of these steps.
Example: Users by licence type
To analyse users by licence type, follow these steps:
- Open the Users list, and choose the icon to turn on analysis mode.
- On the Columns menu, remove all columns (select the box next to the Search field on the right).
- Drag the License Type and Status (user enabled/disabled) fields to the Row Groups area.
- Choose the User Name, Full Name, and Authorization email fields.
- Rename your analysis tab to Users by license type, or something that describes this analysis.
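The two analyses above can also be repeated offline on an exported copy of the Users list, together with a check for enabled accounts from outside the tenant's own domains, including GDAP pseudonyms in the user name format described earlier. This is an added example, not part of the original article or of Business Central; the CSV layout, the sample rows, the domain names, and the function names are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. Column names follow the fields used in the
# analysis steps above; the CSV layout and every row are assumptions.
SAMPLE_EXPORT = """\
User Name,Full Name,Status,License Type,Authorization email
ALICE,Alice Meyer,Enabled,Full User,alice@contoso.example
BOB,Bob Tran,Disabled,Full User,bob@contoso.example
CAROL,Carol Diaz,Enabled,Limited User,carol@contoso.example
User654321@partner.example,Partner Ltd,Enabled,External Administrator,User654321@partner.example
DAVE,Dave Kim,Enabled,Full User,dave@othercorp.example
"""

# User name format the article gives for GDAP users (User123456@partnerdomain.com).
GDAP_NAME = re.compile(r"^User\d+@[\w.-]+$", re.IGNORECASE)


def load_users(text):
    """Parse the exported Users list into one dict per user."""
    return list(csv.DictReader(io.StringIO(text)))


def group_users(users, outer, inner):
    """Nest user names under two fields, like the Row Groups area."""
    groups = defaultdict(lambda: defaultdict(list))
    for user in users:
        groups[user[outer]][user[inner]].append(user["User Name"])
    return {key: dict(value) for key, value in groups.items()}


def external_enabled(users, own_domains):
    """List enabled accounts whose email domain is not one of the tenant's own."""
    findings = []
    for user in users:
        email = user["Authorization email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        if user["Status"] != "Enabled" or domain in own_domains:
            continue
        is_gdap = GDAP_NAME.match(user["User Name"]) or GDAP_NAME.match(email)
        findings.append((user["User Name"], "GDAP" if is_gdap else "external"))
    return findings


if __name__ == "__main__":
    users = load_users(SAMPLE_EXPORT)
    print(group_users(users, "Status", "License Type"))
    print(group_users(users, "License Type", "Status"))
    print(external_enabled(users, {"contoso.example"}))
```

Accounts reported as GDAP can only be traced to a person by contacting the partner company, so the review should record the partner name alongside the pseudonym.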
See also
Assign Permissions to Users and Groups
Manage Profiles
Change Which Features are Displayed
Customizing Business Central
Getting Ready for Doing Business
Administration
Licensing in Dynamics 365 Business Central
Add Users to Microsoft 365 for business
Security and Protection in Business Central (administration content)
Assign a telemetry ID to users