Summary and recommendation
Microsoft Dynamics 365 user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide lays out the exact mechanics and shows where automation has the biggest impact.
Microsoft Dynamics 365 user management spans two separate admin surfaces that must stay in sync: the Microsoft 365 Admin Center (license assignment) and the Power Platform Admin Center (environment access and security role assignment).
Every app in the Dynamics 365 suite - Sales, Customer Service, Business Central, Project Operations - follows this two-step pattern before a user can log in. Business Central adds a third surface: its own Users page for permission set assignment.
Quick facts
| Field | Value |
|---|---|
| Admin console path | Power Platform Admin Center > Environments > [Select Environment] > Settings > Users + permissions > Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Included |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| System Administrator | Full access to all environment settings, user management, security role assignment, customization, and data. Equivalent to superuser within the environment. | Cannot bypass Microsoft 365 tenant-level admin controls; cannot assign licenses (license assignment is done in Microsoft 365 admin center, not within Dynamics 365). | Any paid Dynamics 365 license (e.g., Sales Enterprise, Customer Service Enterprise, Business Central Essentials/Premium) | Varies by module; Sales Enterprise $95/user/month, Business Central Essentials $80/user/month (Nov 2025 pricing) | System Administrator role grants access to all records regardless of business unit or team ownership. Assign with caution. |
| System Customizer | Can customize the environment (create/edit entities, forms, workflows) but has limited access to data records by default. | Cannot manage users or assign security roles; cannot access data outside their own records unless additional roles are assigned. | Any paid Dynamics 365 license | Varies by module | Often confused with System Administrator; does not grant broad data access. |
| Standard / Named User (e.g., Salesperson, Customer Service Representative) | Access scoped to the security roles assigned; typically read/write on records within their business unit or team. | Cannot access admin settings, manage other users, or customize the environment unless additional roles are granted. | Module-specific full user license (e.g., Dynamics 365 Sales Professional $65/user/month, Sales Enterprise $95/user/month) | $65–$180/user/month depending on module | Users must have a license assigned in Microsoft 365 admin center before they can be added to a Dynamics 365 environment. License assignment and role assignment are two separate steps. |
| Team Member | Light-use access: can read most records, update own records, complete assigned tasks, and log time/expenses. Cannot use full CRM/ERP functionality. | Cannot create most record types (e.g., cannot create Opportunities, Cases, or Leads in Sales/Service apps). Restricted to a defined subset of entities. | Dynamics 365 Team Members license | $8/user/month | Team Member license is heavily restricted. Microsoft enforces use-right limitations; using Team Members for full CRM tasks violates license terms and may be flagged in audits. |
| Non-interactive / Application User | Used for system integrations and background services. Can be assigned security roles for API/integration access. Does not consume a named user license. | Cannot log in interactively to the Dynamics 365 UI. | No paid per-user license required; limited to a set number of non-interactive users per tenant (typically up to 7 per environment). | No per-seat cost for non-interactive users within the allowed limit | Non-interactive user limit is per environment. Exceeding the limit requires additional licensing. Application users (for service principals/OAuth apps) are separate and unlimited but require Azure AD app registration. |
| Delegated Administrator | Microsoft partner or CSP admin who can manage the tenant on behalf of the customer. Has tenant-level admin access. | Access is controlled by the customer tenant; customer can revoke delegated admin rights at any time. | Requires Microsoft Partner Network relationship | No additional seat cost to the customer | Delegated admins appear in the tenant but are managed through the Microsoft Partner Center, not the standard user management flow. |
Permission model
- Model type: hybrid
- Description: Dynamics 365 (Customer Engagement apps: Sales, Service, etc.) uses a role-based access control (RBAC) model with security roles composed of granular entity-level privileges (Create, Read, Write, Delete, Append, Append To, Assign, Share) scoped by access level (User, Business Unit, Parent Business Unit, Organization). Business Central uses permission sets (predefined or custom collections of object-level permissions). Both products support custom roles/permission sets. Access can also be granted via Teams (owner teams or access teams) in Customer Engagement apps.
- Custom roles: Yes
- Custom roles plan: Available on all paid Dynamics 365 licenses; no premium tier required for custom security roles.
- Granularity: Entity-level (table-level) with per-privilege (CRUD + Append/Assign/Share) and per-scope (user/BU/org) control in Customer Engagement apps. Object-level (table, page, report, codeunit) with read/insert/modify/delete/execute permissions in Business Central.
How to add users
- Assign the appropriate Dynamics 365 license to the user in the Microsoft 365 Admin Center (https://admin.microsoft.com) under Users > Active Users > [User] > Licenses and apps.
- Wait for license propagation (can take up to 15 minutes; user must exist in Azure Active Directory / Microsoft Entra ID).
- Navigate to the Power Platform Admin Center (https://admin.powerplatform.microsoft.com).
- Select Environments > [Target Environment] > Settings > Users + permissions > Users.
- Click 'Add user' and search for the user by name or email.
- Select the user and click 'Add'.
- After the user is added to the environment, assign one or more security roles: select the user, click 'Manage security roles', check the desired roles, and save.
- (Business Central only) In Business Central, go to Settings > Users, select the user, and assign permission sets and user groups as needed.
Required fields: a valid Microsoft 365 / Azure AD account (the user must exist in the tenant); a Dynamics 365 license assigned in Microsoft 365 Admin Center; at least one security role assigned within the environment.
Watch out for:
- License must be assigned in Microsoft 365 Admin Center before the user can be added to a Dynamics 365 environment. Users without a valid license will appear greyed out or cannot be added.
- Adding a user to the environment and assigning a security role are two separate steps; a user added without a security role has no functional access.
- Users are sourced from Azure AD (Entra ID); external users (guests) require Azure AD B2B guest accounts and may have restricted access depending on environment settings.
- In Customer Engagement apps, users are associated with a Business Unit at creation. Changing a user's Business Unit later can affect record ownership and access.
- For Business Central, user creation is triggered automatically when a licensed user first signs in, or can be done manually via the Users page in Business Central administration.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Included with Microsoft Entra ID (Azure AD); SCIM provisioning supported via Entra ID for automated user lifecycle management. No additional Dynamics 365 tier required beyond a paid license. |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Users cannot be permanently deleted from a Dynamics 365 environment. The supported action is to disable (deactivate) the user within the environment. This prevents login and removes active access while preserving all records owned by or associated with that user. The underlying Azure AD account can be deleted at the tenant level, which will also disable environment access, but the user record remains in Dynamics 365 in a disabled state.
- Navigate to Power Platform Admin Center (https://admin.powerplatform.microsoft.com).
- Select Environments > [Target Environment] > Settings > Users + permissions > Users.
- Locate the user (filter by 'Enabled' status if needed).
- Select the user's checkbox.
- Click 'Disable' (or 'Manage user' and set status to Disabled).
- Confirm the action. The user's status changes to 'Disabled' and they can no longer log in.
- (Optional) Remove the Dynamics 365 license from the user in Microsoft 365 Admin Center to free the license seat for reassignment.
| Data impact | Behavior |
|---|---|
| Owned records | All records owned by the disabled user remain in the system and retain the disabled user as owner. Records are not automatically reassigned. Admins must manually reassign ownership or use bulk reassignment tools if needed. |
| Shared content | Shared records and access teams the user belonged to remain intact. The user's sharing grants become inactive but the records themselves are unaffected. |
| Integrations | Any integrations or workflows running under the disabled user's credentials (e.g., connection references, flow connections) will fail. These must be reassigned to an active user or service account before disabling. |
| License freed | Disabling a user in the Dynamics 365 environment does NOT automatically free the license. The license must be separately removed in Microsoft 365 Admin Center under the user's license assignments. |
Watch out for:
- Disabling a user in the Dynamics 365 environment and removing their license in Microsoft 365 Admin Center are two separate actions; both are required to fully offboard and reclaim the license seat.
- Workflows, Power Automate flows, and integrations that run in the context of the disabled user will break immediately upon disabling. Audit and reassign these before deactivating.
- Records owned by a disabled user remain assigned to them and may become inaccessible to other users depending on security role scoping (e.g., if other users only have 'User' level read access). Reassign ownership proactively.
- If the Azure AD account is deleted before the Dynamics 365 user is disabled, the user record in Dynamics 365 will show as disabled automatically, but owned records and the above issues still apply.
- In Business Central, disabling a user is done within Business Central's own Users page (Settings > Users > select user > set State to Disabled), separate from the Power Platform Admin Center.
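The add-user and offboarding caveats above, turned into checks. This is an added example, not part of the original guide or any Microsoft tooling: it reconciles a tenant license export against one environment's user list and flags each gap between the two surfaces. The sample rows and the field names (`licenses`, `disabled`, `roles`, `owned_records`, `flow_connections`) are constructed assumptions about how you export each surface.

```python
"""Reconcile tenant license state against environment user state (offline)."""

# Constructed sample exports. The field names are assumptions about how the two
# admin surfaces were exported; they are not a Microsoft schema.
TENANT = [  # Microsoft 365 Admin Center: license assignments
    {"upn": "ana@contoso.example", "licenses": ["Sales Enterprise"]},
    {"upn": "raj@contoso.example", "licenses": ["Sales Enterprise"]},
    {"upn": "lee@contoso.example", "licenses": ["Customer Service Enterprise"]},
    {"upn": "kim@contoso.example", "licenses": []},
]
ENVIRONMENT = [  # Power Platform Admin Center: one environment's users
    {"upn": "ana@contoso.example", "disabled": False, "roles": ["Salesperson"],
     "owned_records": 212, "flow_connections": 1},
    {"upn": "raj@contoso.example", "disabled": False, "roles": [],
     "owned_records": 0, "flow_connections": 0},
    {"upn": "lee@contoso.example", "disabled": True,
     "roles": ["Customer Service Representative"],
     "owned_records": 57, "flow_connections": 2},
    {"upn": "kim@contoso.example", "disabled": False, "roles": ["Salesperson"],
     "owned_records": 9, "flow_connections": 0},
    # Entra ID account already deleted: no tenant row, environment row remains.
    {"upn": "omar@contoso.example", "disabled": True, "roles": [],
     "owned_records": 14, "flow_connections": 0},
]


def audit(tenant, environment):
    """Return sorted (upn, finding) pairs for every gap between the surfaces."""
    licenses = {u["upn"].lower(): u["licenses"] for u in tenant}
    findings = []
    for user in environment:
        upn = user["upn"].lower()
        licensed = bool(licenses.get(upn))  # missing tenant row = unlicensed
        if user["disabled"]:
            if licensed:  # disabling does not free the seat
                findings.append((upn, "SEAT_NOT_RECLAIMED"))
            if user["owned_records"]:  # ownership is never auto-reassigned
                findings.append((upn, "RECORDS_STILL_OWNED"))
            if user["flow_connections"]:  # flows bound to this user will fail
                findings.append((upn, "AUTOMATION_BOUND_TO_DISABLED_USER"))
        elif not licensed:  # license pulled, environment user left enabled
            findings.append((upn, "LICENSE_REMOVED_BUT_NOT_DISABLED"))
        elif not user["roles"]:  # added to environment, no functional access
            findings.append((upn, "NO_SECURITY_ROLE"))
    return sorted(findings)


if __name__ == "__main__":
    for upn, finding in audit(TENANT, ENVIRONMENT):
        print(f"{finding:36} {upn}")
```

Run it per environment, since each environment keeps its own user list and role assignments.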
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Dynamics 365 Team Members | Light-use access across Dynamics 365 apps; read most data, update own records, complete tasks, log time/expenses. Restricted entity use rights. | $8/user/month |
| Dynamics 365 Sales Professional | Core sales force automation: accounts, contacts, leads, opportunities, quotes. Limited customization. | $65/user/month |
| Dynamics 365 Sales Enterprise | Full sales automation plus forecasting, sequences, sales accelerator, LinkedIn Sales Navigator integration, and Power Apps/Power Automate use rights. | $95/user/month |
| Dynamics 365 Sales Premium | Sales Enterprise plus Dynamics 365 Sales Insights (AI-driven features). | $162/user/month |
| Dynamics 365 Business Central Essentials | Financial management, supply chain, project management, CRM (basic). Core ERP functionality. | $80/user/month (as of November 2025 pricing) |
| Dynamics 365 Business Central Premium | Everything in Essentials plus Service Management and Manufacturing modules. | $110/user/month (as of November 2025 pricing) |
| Dynamics 365 Project Operations | Project planning, resource management, time/expense tracking, project billing. | $135/user/month |
| Dynamics 365 Customer Service Enterprise | Case management, knowledge base, SLAs, omnichannel (add-on), Power Apps/Automate use rights. | $95/user/month |
- Where to check usage: Microsoft 365 Admin Center (https://admin.microsoft.com) > Billing > Licenses - shows assigned vs. available seats per license SKU. Power Platform Admin Center > Capacity > Add-ons also shows environment-level consumption. Microsoft 365 Admin Center > Reports > Usage provides last-activity data per user.
- How to identify unused seats: In Microsoft 365 Admin Center, go to Reports > Usage > Microsoft Dynamics 365 (if available) or use the 'Last sign-in' date visible under Users > Active Users to identify users who have not logged in recently. Alternatively, use Microsoft Entra ID sign-in logs filtered by the Dynamics 365 application to find inactive licensed users.
- Billing notes: Licenses are billed monthly or annually through Microsoft Volume Licensing, Microsoft 365 admin center (direct), or a Cloud Solution Provider (CSP). Annual subscriptions are typically discounted vs. month-to-month. License counts are managed at the tenant level in Microsoft 365 Admin Center; environment-level access is controlled separately in Power Platform Admin Center. Dynamics 365 licenses include use rights for Power Apps (limited) and Power Automate (limited); full Power Platform capabilities require separate licenses. Attach licenses (e.g., Customer Insights, Copilot) are available as add-ons to base module licenses.
The cost of manual management
Every app compounds the offboarding risk because disabling a user in the Power Platform Admin Center and revoking their license in Microsoft 365 Admin Center are independent actions - missing either step leaves the user partially accessible or wastes a paid seat.
Workflows and Power Automate flows running under a departing user's credentials break silently the moment that account is disabled, and the failures are difficult to trace back to the root cause.
Records owned by a disabled user remain assigned to them and can become inaccessible to teammates depending on security role scope, requiring proactive ownership reassignment before or immediately after deactivation.
What IT admins are saying
Admins consistently flag the two-step license-then-role process as the top source of provisioning errors: a user added to an environment without a security role has zero functional access, and the UI does not warn you.
License propagation delays of up to 15–30 minutes after assignment in Microsoft 365 Admin Center are a recurring frustration, especially during time-sensitive onboarding.
The Team Member license use-right restrictions generate compliance risk - users frequently exceed permitted entity access without realizing it, and Microsoft can flag violations during audits.
Common complaints:
- Users frequently report confusion between the two-step process of assigning a license in Microsoft 365 Admin Center and then separately adding the user and assigning security roles in the Power Platform Admin Center or Dynamics 365 environment.
- Admins report that disabling a user does not automatically free the license, requiring a separate action in Microsoft 365 Admin Center, which is easy to overlook during offboarding.
- Workflows and Power Automate flows running under a specific user's credentials break silently when that user is disabled, causing integration failures that are difficult to diagnose.
- Record ownership is not automatically reassigned when a user is disabled, leaving orphaned records that may be inaccessible to other users depending on security role scope settings.
- The Team Member license use-right restrictions are reported as confusing and overly restrictive; users frequently exceed permitted entity access without realizing it, creating compliance risk.
- License propagation delays (up to 15–30 minutes after assignment in Microsoft 365 Admin Center) before a user can be added to a Dynamics 365 environment are a common source of frustration.
- Business Central user management is entirely separate from the Power Platform Admin Center, requiring admins to manage users in two different interfaces for organizations using both CE apps and Business Central.
- Custom security role creation is reported as complex due to the large number of entity-privilege-scope combinations, with no easy way to clone and compare roles in the standard UI.
The decision
Manual management is workable for organizations with low user churn and a single Dynamics 365 module. The overhead scales poorly once multiple environments (dev, test, prod) are in play, because security role GUIDs differ per environment and must be tracked separately.
Teams running Sales Enterprise or Customer Service alongside Business Central face the added complexity of two distinct permission models - RBAC with entity-level privileges in Customer Engagement apps, and permission sets in Business Central - with no unified admin view across both.
Bottom line
Dynamics 365 manual user management is functional but fragmented across at least two admin portals, with license assignment, environment access, and security role assignment each requiring a discrete action.
Every app in the suite inherits this split, meaning offboarding a single user correctly requires coordinated steps across Microsoft 365 Admin Center and Power Platform Admin Center - and Business Central adds its own Users page on top.
The silent failure modes (broken flows, orphaned records, unlicensed seats) make audit hygiene difficult to maintain at scale without automation.