Grant users access

To have users up and running in Power Apps and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), you complete some administrative tasks in the Microsoft 365 admin center—which you generally do only once—followed by administrative tasks.

Power Apps is an online service subscription. When you signed up for this service, you received a set of licenses with your subscription, one license for each user. You can purchase additional licenses if you need them.

As described in step one that follows, in the Microsoft 365 admin center, register your users so that they are recognized in the Microsoft Online Services environment, assign a license to each user, and then assign administrative roles to the users you choose to fill those roles. More information: Assigning admin roles

In Power Apps, populate the service with your organization’s data, including users and their security roles, business units, and any existing data that you want to import from other applications or services. If your organization uses business units, assign users to the appropriate business unit, and then assign a security role to each user. Customer engagement apps includes predefined security roles that aggregate a set of user permissions to simplify user security management. An organization can define additional roles or edit predefined security roles to meet its unique security needs. For more information about security roles, see Security roles and privileges.


When you assigned any of the licenses or the Microsoft Power Automate license to a user, the user is automatically added to all your environments, however users can’t access any apps until they’ve been assigned at least one security role. See Step Two: Assign security roles in Dynamics 365 apps.

Differences between the Microsoft Online services environment administrative roles and Microsoft Dataverse security roles

Administrative roles are available to assign to users in the Microsoft 365 admin portal. The administrative roles cover a set of rights and permissions related to managing the service subscription, such as adding users and assigning licenses. The global administrator role has rights to control every aspect of the subscription and to add subscriptions to other online services. The password administrator role has rights to reset a user’s password, create service requests, and monitor the service.

Security roles are assigned within customer engagement apps and cover rights and permissions-related aspects, for example, permission to update records or to publish customizations. Environments include predefined security roles that reflect common user tasks with access levels defined to match the security best-practice goal of providing access to the minimum amount of business data required to use the app. See Predefined security roles.

The roles are similar in that both types contain aggregated sets of permissions that allow access to some items and not to others, and that allow some actions to be taken but not others. The roles are different in that the first one applies to the management of the subscription but not to the service itself, and the second applies only within the service.

Using roles is a powerful way to group a set of rights that are common to a job title or business unit. This way, the administrator can grant a whole set of permissions to users simply by assigning a user or group of users to a given role.

Step One: Provision users, and assign licenses and administrative roles in the Microsoft 365 admin center

Your organization’s subscription to Power Apps provides access to the Microsoft 365 admin center through a global administrator account. The global administrator manages every aspect of the subscription and may add subscriptions to other Microsoft Online Services.

As the global administrator for your organization, one of your first tasks is to create users in the Microsoft 365 admin center. This registers users in the system and enables users to be licensed to use services available within the online service environment. You decide which service you want your users to have by assigning a license for that service to a user. For instructions about creating users in the Microsoft Online Services environment, see Add users and assign licenses at the same time. For instructions about assigning a license to a user, see Assign or remove licenses.

During your planning phase, you might have identified a set of key administrative roles that you want to fill. More information: Plan for deployment and administration. Because the administrative roles provide coverage for administrative tasks when the global administrator is not available, it’s a best practice to assign these roles to users, including assigning the global administrator role to a second user. More information: Assigning admin roles and Permissions in Microsoft 365.

The online service sends an invitation to each user

After you set up a user in the Microsoft 365 admin center, that user receives an email invitation with a link and a password for the Microsoft Online Services environment. The credentials in the invitation provide access to the portal and to documentation. However, the users who receive these invitations can’t access customer engagement apps until you complete step two in this process.

Step Two: Assign security roles in Dynamics 365 apps

Sign in to customer engagement apps and add business units (if your organization needs more than one business unit), and assign security roles and business units to users. The users you registered with the online service in step one are automatically added to customer engagement apps. After you assign at least one security role to a user, that user can click the link in the email invitation, enter credentials, and begin using customer engagement apps. More information: Assign a security role to a user.


Before you start adding information to customer engagement apps, we recommend that you turn off or disable your browser’s pop-up blocker. Pop-up blockers can block data-entry dialog boxes.

You might have data located in other systems. In your planning phase, you considered how you’ll import this data. Before you invite users into customer engagement apps, ensure that you have completed the data migration process. More information: Import data (all record types).

See also

Plan for deployment and administration
Import data (all record types)
Video: Administer application users, security roles, teams, and users in the Power Platform admin center