web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Blogs / Hardik’s Dynamics Dojo / Understanding Subscription ...

Understanding Subscription Licenses in Dynamics 365 F&O

HardikPatel523 Profile Picture HardikPatel523 234

Or… why your user can open a page but suddenly gets slapped with “Access Denied” 😅

Ever had this situation?
You create a beautiful customization.
Everything works perfectly in your environment.
You deploy it.
User clicks the menu item…
💥 “You do not have sufficient permissions.”
And suddenly everyone looks at you like you personally hacked Microsoft security.
Then starts the legendary investigation:
  • “Does the user have the role?”
  • “Did sync happen?”
  • “Is security cache refreshed?”
  • “Is AOS angry today?”
But many times…
👉 The actual issue is license mismatch.
If you have not read my security blog yet, I highly recommend starting there first because this blog builds on top of concepts like:
  • Roles
  • Duties
  • Privileges
  • Entry Points
📖 Read here:
Because honestly…
Understanding security without understanding licensing in D365 F&O is like knowing how to drive… but not knowing petrol costs money 🚗💸

The Real Problem

Most developers understand:
  • Roles
  • Duties
  • Privileges
But very few truly understand:
  • Operations license
  • Activity license
  • Team Member license
  • How menu items determine licenses
  • What “View” and “Maintain” actually do behind the scenes
And because of that:
🚨 Users get overlicensed
🚨 Companies spend unnecessary money
🚨 Security behaves “randomly”
🚨 Audits become painful

Imagine 1000 users in a large organization.
If even 200 users accidentally consume higher licenses than needed…
💸 That can literally cost lakhs every year.
That is why licensing is not just “technical knowledge”.
It is architecture knowledge.

In Dynamics 365 F&O, security controls access… but licensing controls entitlement.
Huge difference.

The Biggest Licensing Misunderstanding in D365

Most developers think this:

Access TypeLicense
ReadTeam Member
EditOperations

Simple right?
❌ Completely wrong.
Because D365 does NOT decide license purely based on:
  • Read
  • Maintain
Instead, the system checks TWO things together:
  1. Privilege entry point access level
  2. Menu item license properties
Specifically:
- `ViewUserLicense`
- `MaintainUserLicense`
And this is where the real magic happens.

First Understand This Like Netflix 🍿

Think about Netflix subscription plans.

Netflix ActionRequired Plan
Watch on mobileBasic
Watch on TVStandard
Watch 4K HDRPremium

Now suppose:
  • User has only Mobile Plan
  • But tries to watch 4K on TV
❌ Netflix blocks it.
Even though:
  • User has account
  • User has password
  • User successfully logged in
Because entitlement is different from authentication.
Exactly same in D365 F&O.
System checks:
  1. Does user have access?
  2. What license does this feature require?
  3. Does user subscription match?
Only then access is granted.

How D365 Actually Determines License

Suppose we have a menu item: CustCustomerDetails
And menu item properties are:

PropertyValue
ViewUserLicenseTeam Members
MaintainUserLicenseOperations

Now let’s see what happens.

Scenario 1 — User Has Read Access

Inside privilege entry point:
Access Level = Read
Now system says:
“Okay, user can only VIEW data.”
So D365 checks: ViewUserLicense
Which is: Team Members

✅ Result:
User only requires Team Member license.

Scenario 2 — User Has Maintain Access

Now suppose privilege entry point becomes:
Access Level = Maintain (Create/Update/Delete)
Now system says:
“User can modify data.”
So D365 checks: MaintainUserLicense
Which is: Operations

💥 Result:
User now requires Enterprise license.
THIS is the real behavior.
Not:
  • Read = Team Member
  • Maintain = Operations
But:
  • Read → checks `ViewUserLicense`
  • Maintain → checks `MaintainUserLicense`
Massive difference.

Where These Properties Exist

Inside AOT:
Menu Item
 ├── ViewUserLicense
 └── MaintainUserLicense



And inside security privilege:
Privilege
 └── Entry Point
       └── Access Level



D365 combines BOTH.
That combination determines the required license.

License Determination Matrix

The final required license depends on BOTH:
  • Menu item properties
  • Privilege entry point access level

ViewUserLicenseMaintainUserLicenseEntry Point Access LevelResulting License
NoneNoneReadNone
NoneNoneMaintain/DeleteNone
UniversalNoneReadTeam member
UniversalNoneMaintain/DeleteNone
ActivityNoneReadActivity
ActivityNoneMaintain/DeleteNone
OperationsNoneReadEnterprise
OperationsNoneMaintain/DeleteNone
NoneUniversalReadNone
NoneUniversalMaintain/DeleteTeam member
NoneActivityReadNone
NoneActivityMaintain/DeleteActivity
NoneOperationsReadNone
NoneOperationsMaintain/DeleteEnterprise
UniversalUniversalReadTeam member
UniversalUniversalMaintain/DeleteTeam member
UniversalActivityReadTeam member
UniversalActivityMaintain/DeleteActivity
UniversalOperationsReadTeam member
UniversalOperationsMaintain/DeleteEnterprise
ActivityUniversalReadActivity
ActivityUniversalMaintain/DeleteTeam member
ActivityActivityReadActivity
ActivityActivityMaintain/DeleteActivity
ActivityOperationsReadActivity
ActivityOperationsMaintain/DeleteEnterprise
OperationsUniversalReadEnterprise
OperationsUniversalMaintain/DeleteTeam member
OperationsActivityReadEnterprise
OperationsActivityMaintain/DeleteActivity
OperationsOperationsReadEnterprise
OperationsOperationsMaintain/DeleteEnterprise

“Operations” basically corresponds to Enterprise in this context, and “Universal” corresponds to Team Members.
In Visual Studio, you’ll see these values as Operations and Universal in the menu item properties, whereas in the UI they appear as Enterprise and Team Members.

Another Important Rule Most Developers Miss 👀

A role license is determined by: The HIGHEST license required by any privilege inside that role.
Short Example
Suppose a role contains:

PrivilegeRequired License
View Customer DashboardTeam Members
Warehouse Shipment ProcessingActivity
Vendor Payment JournalOperations

Final role license becomes: Operations
Because: Highest license wins.
Even if:
  • 90% of role is Team Member
  • Only 1 privilege requires Operations
The ENTIRE role becomes Operations-level.
This is why:
“Just adding one small privilege” can suddenly increase licensing cost for hundreds of users 😅

Comparison — Wrong vs Correct Understanding

Wrong ThinkingCorrect Thinking
Read = Team MemberRead checks ViewUserLicense
Maintain = Operations alwaysMaintain checks MaintainUserLicense
Access level alone decidesAccess + Menu Item properties decide
Security and licensing are separateThey are deeply connected
Custom menu items are harmlessWrong properties can escalate licenses

Junior Developer Thinking - “Read access means cheap license.”
Senior Developer Thinking - “What are the menu item license properties?
Architect Thinking - “Can this customization increase licensing cost for 2000 users?
That is the maturity curve.

Real-Life Experiences & Best Practices From Projects

Over multiple implementations, I have seen one pattern again and again…
Developer creates:
  • A duty extension
  • Adds custom privilege into standard duty
Everything works.
Everyone happy.
Until suddenly…
💥 A standard role that earlier required Activity license now becomes Enterprise license.
And people start asking: “Why did licensing suddenly increase after customization?”
This happens because: The highest license from privileges inside the role determines the role license.
And yes…
“Enterprise” is basically Operations licensing in this context
So setting these correctly is NOT optional:
  • Menu item license properties
  • Entry point access levels
Both matter heavily.

Another Very Common Mistake 😬

Sometimes developers create One giant privilege for one functionality.
Sounds logical initially.
Example:
  • Same custom functionality
  • Multiple module-specific screens
  • Sales version
  • Purchase version
  • Inventory version
So developer thinks: “Let’s put all menu items into one privilege.”
Now what happens?
💥 Sales user suddenly gets access to Purchase screens.
Not because security is broken…
But because privilege design became too broad.
This is one of the most common over-access issues I see in real projects.
Just because screens belong to same “feature” does NOT mean they belong in same privilege.
Security should follow:
  • Responsibility
  • User role
  • Business process
Not developer convenience 😄

Best Practices We Follow

These practices have worked very well for us across projects.

1. Proper Naming Convention

We always suffix privilege names clearly:
SalesOrder_View
SalesOrder_Maintain


This makes security readable instantly.
When debugging production access at 2 AM…
Good naming suddenly feels like a gift from past-you 😅

2. Separate View and Maintain Privileges

For every Display Menu Item, we create:
  • One View privilege
  • One Maintain privilege
Example:
CustomerDashboard_View
CustomerDashboard_Maintain

And:
  • View privilege → Read access
  • Maintain privilege → Create/Update/Delete based on functionality
This gives:
✅ Better control
✅ Better licensing
✅ Cleaner role design

3. Action Menu Items Usually Have Only Maintain Privilege

Because Action menu items perform actions.
Examples:
  • Posting
  • Processing
  • Generating
  • Updating
So creating separate “View” privilege usually makes no sense there.

4. Menu Item License Properties Are NEVER Left Empty

This is a very important rule for us.
We always explicitly configure:
  • `ViewUserLicense`
  • `MaintainUserLicense`
General guideline we follow:

Operation TypeTypical License
View/InquiryUniversal
Create/UpdateActivity
DeleteOperations

Of course:
  • Business scenarios differ
  • Microsoft standard patterns differ sometimes
But honestly…
This works correctly for more than 90% of customizations.

5. Avoid Extending Standard Duties

This is probably the most controversial one 😄
But in practice: We avoid extending standard duties wherever possible.
Because:
  • It can unintentionally elevate role licenses
  • Impacts become harder to track
  • Future Microsoft updates become riskier
  • Auditing becomes painful
Instead:
✅ Create your own custom duty
✅ Document it properly
✅ Ask customer/admin team to assign it to roles intentionally
Slightly more work initially.
Much safer long term.

Final Thoughts

Good security design is not about: “Making access work somehow.”
It is about:
  • Least privilege access
  • Clean privilege boundaries
  • Predictable licensing
  • Long-term maintainability
Because one careless privilege design can silently become:
💸 A very expensive customization.
One more important note
I intentionally did NOT include detailed pricing information in this blog because:
  • Microsoft licensing may change over time
  • New license categories may get introduced
  • Pricing may differ by region and agreements
But just to give a rough real-world idea of the impact:

License TypeApproximate Cost
Team Member~$8
Activity~$50
Operations / Enterprise~$200

So when a role accidentally moves from: Activity → Operations
That is not just a “technical change”.
At scale, that can become a very expensive architectural decision 😅
These numbers are only rough indicators.
👉 Always refer to Microsoft’s official licensing documentation for latest and exact pricing details.
Would genuinely love to hear: What security and licensing practices do you follow in your projects?
A developer builds features.
A senior developer builds secure features.
But a great Dynamics architect builds features users can access… without terrifying the licensing team.

Comments