Create Users According to Licenses
Security groups are new to Business Central in 2023 release wave 1. They're similar to the user groups that this article mentions. Like user groups, administrators assign the permissions to the security group that its members need to do their jobs.
Security groups will replace user groups in a future release. You can continue using user groups to manage permissions until then. To learn more about security groups, go to Control Access to Business Central Using Security Groups. To start using security groups now, your administrator can turn on Feature: Convert user group permissions on the Feature Management page.
This article describes how administrators create users and define who can sign in to Business Central. You'll also learn how to assign permissions to different users according to your product licenses.
When you create users in Business Central, you grant permissions to them through permission sets. You can also organize users in user groups. User groups make it easier to manage permissions and other settings for multiple users at the same time. For more information, see Assign Permissions to Users and Groups.
For more information about the different types of licenses and how licensing works in Business Central, download the Dynamics 365 Licensing Guide.
The process of managing users and licenses varies depending on whether Business Central is deployed online or on-premises. For Business Central online, you must add users from Microsoft 365. In on-premises deployments, you can create, edit, and delete users directly.
Manage users and licenses in online tenants
User accounts in Business Central must be first created in the Microsoft 365 admin center. These user accounts aren't exclusive to Business Central. If you subscribe to other plans, they can be used to sign in to other applications, such as Power BI. For information about creating users in the Microsoft 365 admin center, go to Add users in Microsoft admin center.
Your subscription to Business Central online defines how many Business Central user licenses you're allowed. Users are added to your tenant in the Microsoft Partner Center, typically by your Microsoft partner. For more information, see Administration of Business Central Online.
You assign licenses to users according to the work each user will do in Business Central. You can assign licenses in several ways:
- Your company's Microsoft 365 administrator can do it in the Microsoft 365 Admin Center. For more information, see Add users individually or in bulk to Microsoft 365.
- A Microsoft partner can assign licenses in the Microsoft 365 Admin Center or in the Microsoft Partner Center. For more information, see User management tasks for customer accounts in the Microsoft Partner Center Help.
For more information, see Administration of Business Central Online in the administration Help.
After user accounts are created in the Microsoft 365 admin center, there are two ways to import them to Business Central:
A user account is imported automatically when the user signs in to Business Central the first time.
The administrator can import users by choosing the Update Users from Microsoft 365 action on the *Users page.
Both approaches have their own advantages, and you can use them simultaneously. Each approach allows administrators to proactively configure Business Central to assign the starting permissions, user groups, and user profiles. Using the Update Users from Microsoft 365 action gives administrators more control to adjust permissions, user groups, and profiles. It's an ideal approach when you're setting up Business Central the first time, before any users sign in, or when adding a new team of users.
After you add users in the Microsoft 365 Admin Center, we recommend that you update the user information in Business Central as soon as possible. Keeping user information current is easy to do, and helps ensure that people can always sign in. For more information, see To add users or update user information and license assignments in Business Central.
Updating user information is especially important if you've customized permission sets for the license. If a new user tries to sign in to Business Central before you've added them, they might not be able to. For more information, see Configure permissions based on licenses.
However, users who experience this problem aren't actually blocked. They can either use the Go back home action, or simply sign in again to resolve the issue.
You might see other users in the Users list apart from those from your own company. When a delegated admin from a reselling partner company logs into a Business Central environment on behalf of their customer, they are automatically created as a user inside Business Central. This way, the actions performed by a delegated admin are logged in Business Central, such as posting documents, and associated with their user ID.
With granular delegated admin privileges (GDAP), the user is shown in the Users list and can be assigned any permissions. They are not shown with name and other personal information but with their company name and a unique ID. Both internal and external admins can see these users in the Users list, and they have full transparency into what these users do through the change log, for example. But they can't see the actual name of these users. GDAP users are listed with user names in the following format:
User123456@partnerdomain.com. They might have a user name that reflects the partner's company name, and the email address is not the person's actual email address. This way, the GDAP user accounts do not reveal personal information. If you need to find out who the person behind such a pseudonym is, you'll have to reach out to the company that this user works or worked for.
For more information, see Delegated administrator access to Business Central Online.
Configure permissions based on licenses
APPLIES TO: Business Central 2022 release wave 1 and later
Admins can configure permissions sets and user groups for each license.
For example, the commonly used license, Dynamics 365 Business Central Team Member, has the following permissions sets by default:
- D365 READ
- D365 TEAM MEMBER
- EDIT IN EXCEL - VIEW
- EXPORT REPORT EXCEL
Other permission sets are added automatically based on the user groups assigned to the license. When creating a new user based on this license, Business Central assigns the permission sets originating from the user groups and the permission sets from the license. The same starting permissions are assigned to the user if their user account was created automatically in Business Central or if the administrator used the Update Users from Microsoft 365 action in the Users page.
If this default configuration isn't the right setup for a particular environment, the admin can change that configuration. However, customized permissions will affect only new users who are assigned that license. Permissions for existing users who are assigned the license won't be affected.
Sign in to Business Central using an administrator account.
Choose the icon, enter License Configuration, and then choose the related link.
In the License Configuration page, choose the license that you want to customize, and then choose the Configure action.
Choose the Customize permissions field to switch on customization, and then make the relevant changes.
In our example, the admin wants to remove the permission to edit in Excel, so they remove the Excel Export Action user group from the Team Member license. Going forward, new users that are assigned the Team Member license won't get the option to export data to Excel. If the organization changes their minds on the subject, they can just go back to the License Configuration page and switch off the customization for that license type.
This customization of permissions only takes effect for new users that you assign the relevant license. Existing users are not updated. We recommend that you customize permissions before you start assigning users licenses in the Microsoft 365 admin center.
To add users or update user information and license assignments in Business Central
After you add users or change user information in the Microsoft 365 Admin Center, you can quickly import the user information to Business Central. The import includes license assignments.
- Sign in to Business Central using an administrator account.
- Choose the icon, enter Users, and then choose the related link.
- Choose Update Users from Microsoft 365.
Running the synchronization of users from Microsoft 365 using the Update Users from Microsoft 365 guide, requires the SUPER permission set.
The Update Users from Microsoft 365 guide doesn't update users that are not assigned a license, such as someone who is Global Admin and Dynamics 365 Admin. Those users will update the next time they sign in to the environment.
The next step for newly created users is to assign user groups and permissions. Go to Assign Permissions to Users and Groups for information. If you're updating a user, and the update includes a license change, users are assigned to the appropriate user group and their permission sets are updated. For more information, see To manage permissions through user groups.
All users in an environment must be assigned to the same license, either Essentials or Premium. For more information about licensing, go to Business Central website.
For more information about synchronizing user information with Microsoft 365, go to the Synchronization with Microsoft 365 section.
If you use an external accountant to manage your books and financial reporting, you can invite them to your Business Central so they can work with you on your fiscal data. For more information, see Inviting Your External Accountant to Your Business Central.
To remove a user's access to the system
You can remove a user's access to Business Central online. All references to the user are kept. However, the user can't sign in and active sessions for the user are stopped.
- Choose the icon, enter Users, and then choose the related link.
- Open the User Card page for the relevant user, and then, in the Status field, select Disabled.
- To give the user access again, set the Status field to Enabled.
You can also remove the license from a user in the Microsoft 365 Admin Center. The user is then unable to sign in. For more information, see Remove licenses from users.
Synchronization with Microsoft 365
When you assign a license for Business Central to a user in Microsoft 365, there are two ways to create the user in Business Central.
- The administrator can add the user by choosing the Update Users from Microsoft 365 action on the Users page as described in the To add a user or update user information in Business Central section.
- The license information will update automatically when the user signs in for the first time.
In both cases, several settings are applied automatically. These settings are listed in the second and third columns in the table below.
If you change user information in Microsoft 365, you can update Business Central to reflect the change. Depending on what you want to update, use one of the actions on the Users page. The actions are described in the last two columns in the table below.
|What happens when:||First user, first sign-in||Update Users from Microsoft 365||Restore User Default User Groups|
|Scope:||Current user||Multiple selected users||Single selected user (except current)|
|Create the new user and assign SUPER permission set.
|Update the user based on information in Microsoft 365: Status, Full Name, Contact Email, Authentication Email.||X||X||X|
|Synchronize user plans (licenses) with licenses and roles assigned in Microsoft 365.||X||X||X|
|Add the user to user groups according to the current user plans. Remove the SUPER permission set for all users other than the first user to sign in and administrators. At least one SUPER is required.||X||X||X
Removes manually assigned user groups and permissions.
Users can access Business Central records in Teams using only their Microsoft 365 license. When access is enabled for an environment, synchronizing using the Update users from Microsoft 365 action won't include users that only have a Microsoft 365 license. To include these users in synchronization, you must first update environment settings by assigning a security group that contains users with a Business Central license and users with only a Microsoft 365 license.
Learn about securing access to environments using security groups at Manage access using Azure Active Directory groups.
Get an overview of accessing Business Central in Teams with Microsoft 365 licenses at admin-access-with-m365-license.
Manage users and licenses in on-premises deployments
For on-premises deployments, the number of user licenses is specified in the license file (.bclicense or .flf). When an administrator or Microsoft partner uploads the license file, they can specify which users can sign in to Business Central.
For on-premises deployments, the administrator creates, edits, and deletes users directly from the Users page.
To edit or delete a user in an on-premises deployment
- Choose the icon, enter Users, and then choose the related link.
- Select the user that you want to edit, and then choose the Edit action.
- On the User Card page, change the information as necessary.
- To delete a user, select the user that you want to delete, and then choose the Delete action.
For on-premises deployments an administrator can specify how to authenticate user credentials in the Business Central Server instance. When you create a user, you provide the credential type that you are using.
For more information, see the Authentication and Credential Types in the administration Help for Business Central.
Assign Permissions to Users and Groups
Change Which Features are Displayed
Customizing Business Central
Getting Ready for Doing Business
Licensing in Dynamics 365 Business Central
Add Users to Microsoft 365 for business
Security and Protection in Business Central (administration content)
Assign a telemetry ID to users
Submit and view feedback for