web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Blogs / Hardik’s Dynamics Dojo / Understanding Subscription ...

Understanding Subscription Licenses in Dynamics 365 F&O

Views (3)
HardikPatel523 Profile Picture HardikPatel523 234

Or… why your user can open a page but suddenly gets slapped with “Access Denied” 😅

Ever had this situation?
You create a beautiful customization.
Everything works perfectly in your environment.
You deploy it.
User clicks the menu item…
💥 “You do not have sufficient permissions.”
And suddenly everyone looks at you like you personally hacked Microsoft security.
Then starts the legendary investigation:
  • “Does the user have the role?”
  • “Did sync happen?”
  • “Is security cache refreshed?”
  • “Is AOS angry today?”
But many times…
👉 The actual issue is license mismatch.
If you have not read my security blog yet, I highly recommend starting there first because this blog builds on top of concepts like:
  • Roles
  • Duties
  • Privileges
  • Entry Points
📖 Read here:
Because honestly…
Understanding security without understanding licensing in D365 F&O is like knowing how to drive… but not knowing petrol costs money 🚗💸

The Real Problem

Most developers understand:
  • Roles
  • Duties
  • Privileges
But very few truly understand:
  • Operations license
  • Activity license
  • Team Member license
  • How menu items determine licenses
  • What “View” and “Maintain” actually do behind the scenes
And because of that:
🚨 Users get overlicensed
🚨 Companies spend unnecessary money
🚨 Security behaves “randomly”
🚨 Audits become painful

Imagine 1000 users in a large organization.
If even 200 users accidentally consume higher licenses than needed…
💸 That can literally cost lakhs every year.
That is why licensing is not just “technical knowledge”.
It is architecture knowledge.

In Dynamics 365 F&O, security controls access… but licensing controls entitlement.
Huge difference.

The Biggest Licensing Misunderstanding in D365

Most developers think this:

Access TypeLicense
ReadTeam Member
EditOperations

Simple right?
❌ Completely wrong.
Because D365 does NOT decide license purely based on:
  • Read
  • Maintain
Instead, the system checks TWO things together:
  1. Privilege entry point access level
  2. Menu item license properties
Specifically:
- `ViewUserLicense`
- `MaintainUserLicense`
And this is where the real magic happens.

First Understand This Like Netflix 🍿

Think about Netflix subscription plans.

Netflix ActionRequired Plan
Watch on mobileBasic
Watch on TVStandard
Watch 4K HDRPremium

Now suppose:
  • User has only Mobile Plan
  • But tries to watch 4K on TV
❌ Netflix blocks it.
Even though:
  • User has account
  • User has password
  • User successfully logged in
Because entitlement is different from authentication.
Exactly same in D365 F&O.
System checks:
  1. Does user have access?
  2. What license does this feature require?
  3. Does user subscription match?
Only then access is granted.

How D365 Actually Determines License

Suppose we have a menu item: CustCustomerDetails
And menu item properties are:

PropertyValue
ViewUserLicenseTeam Members
MaintainUserLicenseOperations

Now let’s see what happens.

Scenario 1 — User Has Read Access

Inside privilege entry point:
Access Level = Read
Now system says:
“Okay, user can only VIEW data.”
So D365 checks: ViewUserLicense
Which is: Team Members

✅ Result:
User only requires Team Member license.

Scenario 2 — User Has Maintain Access

Now suppose privilege entry point becomes:
Access Level = Maintain (Create/Update/Delete)
Now system says:
“User can modify data.”
So D365 checks: MaintainUserLicense
Which is: Operations

💥 Result:
User now requires Enterprise license.
THIS is the real behavior.
Not:
  • Read = Team Member
  • Maintain = Operations
But:
  • Read → checks `ViewUserLicense`
  • Maintain → checks `MaintainUserLicense`
Massive difference.

Where These Properties Exist

Inside AOT:
Menu Item
 ├── ViewUserLicense
 └── MaintainUserLicense



And inside security privilege:
Privilege
 └── Entry Point
       └── Access Level



D365 combines BOTH.
That combination determines the required license.

License Determination Matrix

The final required license depends on BOTH:
  • Menu item properties
  • Privilege entry point access level

ViewUserLicenseMaintainUserLicenseEntry Point Access LevelResulting License
NoneNoneReadNone
NoneNoneMaintain/DeleteNone
UniversalNoneReadTeam member
UniversalNoneMaintain/DeleteNone
ActivityNoneReadActivity
ActivityNoneMaintain/DeleteNone
OperationsNoneReadEnterprise
OperationsNoneMaintain/DeleteNone
NoneUniversalReadNone
NoneUniversalMaintain/DeleteTeam member
NoneActivityReadNone
NoneActivityMaintain/DeleteActivity
NoneOperationsReadNone
NoneOperationsMaintain/DeleteEnterprise
UniversalUniversalReadTeam member
UniversalUniversalMaintain/DeleteTeam member
UniversalActivityReadTeam member
UniversalActivityMaintain/DeleteActivity
UniversalOperationsReadTeam member
UniversalOperationsMaintain/DeleteEnterprise
ActivityUniversalReadActivity
ActivityUniversalMaintain/DeleteTeam member
ActivityActivityReadActivity
ActivityActivityMaintain/DeleteActivity
ActivityOperationsReadActivity
ActivityOperationsMaintain/DeleteEnterprise
OperationsUniversalReadEnterprise
OperationsUniversalMaintain/DeleteTeam member
OperationsActivityReadEnterprise
OperationsActivityMaintain/DeleteActivity
OperationsOperationsReadEnterprise
OperationsOperationsMaintain/DeleteEnterprise

Another Important Rule Most Developers Miss 👀

A role license is determined by: The HIGHEST license required by any privilege inside that role.
Short Example
Suppose a role contains:

PrivilegeRequired License
View Customer DashboardTeam Members
Warehouse Shipment ProcessingActivity
Vendor Payment JournalOperations

Final role license becomes: Operations
Because: Highest license wins.
Even if:
  • 90% of role is Team Member
  • Only 1 privilege requires Operations
The ENTIRE role becomes Operations-level.
This is why:
“Just adding one small privilege” can suddenly increase licensing cost for hundreds of users 😅

Comparison — Wrong vs Correct Understanding

Wrong ThinkingCorrect Thinking
Read = Team MemberRead checks ViewUserLicense
Maintain = Operations alwaysMaintain checks MaintainUserLicense
Access level alone decidesAccess + Menu Item properties decide
Security and licensing are separateThey are deeply connected
Custom menu items are harmlessWrong properties can escalate licenses

Junior Developer Thinking - “Read access means cheap license.”
Senior Developer Thinking - “What are the menu item license properties?
Architect Thinking - “Can this customization increase licensing cost for 2000 users?
That is the maturity curve.

Real-Life Experiences & Best Practices From Projects

Over multiple implementations, I have seen one pattern again and again…
Developer creates:
  • A duty extension
  • Adds custom privilege into standard duty
Everything works.
Everyone happy.
Until suddenly…
💥 A standard role that earlier required Activity license now becomes Enterprise license.
And people start asking: “Why did licensing suddenly increase after customization?”
This happens because: The highest license from privileges inside the role determines the role license.
And yes…
“Enterprise” is basically Operations licensing in this context
So setting these correctly is NOT optional:
  • Menu item license properties
  • Entry point access levels
Both matter heavily.

Another Very Common Mistake 😬

Sometimes developers create One giant privilege for one functionality.
Sounds logical initially.
Example:
  • Same custom functionality
  • Multiple module-specific screens
  • Sales version
  • Purchase version
  • Inventory version
So developer thinks: “Let’s put all menu items into one privilege.”
Now what happens?
💥 Sales user suddenly gets access to Purchase screens.
Not because security is broken…
But because privilege design became too broad.
This is one of the most common over-access issues I see in real projects.
Just because screens belong to same “feature” does NOT mean they belong in same privilege.
Security should follow:
  • Responsibility
  • User role
  • Business process
Not developer convenience 😄

Best Practices We Follow

These practices have worked very well for us across projects.

1. Proper Naming Convention

We always suffix privilege names clearly:
SalesOrder_View
SalesOrder_Maintain

This makes security readable instantly.
When debugging production access at 2 AM…
Good naming suddenly feels like a gift from past-you 😅

2. Separate View and Maintain Privileges

For every Display Menu Item, we create:
  • One View privilege
  • One Maintain privilege
Example:
CustomerDashboard_View
CustomerDashboard_Maintain
And:
  • View privilege → Read access
  • Maintain privilege → Create/Update/Delete based on functionality
This gives:
✅ Better control
✅ Better licensing
✅ Cleaner role design

3. Action Menu Items Usually Have Only Maintain Privilege

Because Action menu items perform actions.
Examples:
  • Posting
  • Processing
  • Generating
  • Updating
So creating separate “View” privilege usually makes no sense there.

4. Menu Item License Properties Are NEVER Left Empty

This is a very important rule for us.
We always explicitly configure:
  • `ViewUserLicense`
  • `MaintainUserLicense`
General guideline we follow:

Operation TypeTypical License
View/InquiryUniversal
Create/UpdateActivity
DeleteOperations

Of course:
  • Business scenarios differ
  • Microsoft standard patterns differ sometimes
But honestly…
This works correctly for more than 90% of customizations.

5. Avoid Extending Standard Duties

This is probably the most controversial one 😄
But in practice: We avoid extending standard duties wherever possible.
Because:
  • It can unintentionally elevate role licenses
  • Impacts become harder to track
  • Future Microsoft updates become riskier
  • Auditing becomes painful
Instead:
✅ Create your own custom duty
✅ Document it properly
✅ Ask customer/admin team to assign it to roles intentionally
Slightly more work initially.
Much safer long term.

Final Thoughts

Good security design is not about: “Making access work somehow.”
It is about:
  • Least privilege access
  • Clean privilege boundaries
  • Predictable licensing
  • Long-term maintainability
Because one careless privilege design can silently become:
💸 A very expensive customization.
One more important note
I intentionally did NOT include detailed pricing information in this blog because:
  • Microsoft licensing may change over time
  • New license categories may get introduced
  • Pricing may differ by region and agreements
But just to give a rough real-world idea of the impact:

License TypeApproximate Cost
Team Member~$8
Activity~$50
Operations / Enterprise~$200

So when a role accidentally moves from: Activity → Operations
That is not just a “technical change”.
At scale, that can become a very expensive architectural decision 😅
These numbers are only rough indicators.
👉 Always refer to Microsoft’s official licensing documentation for latest and exact pricing details.
Would genuinely love to hear: What security and licensing practices do you follow in your projects?
A developer builds features.
A senior developer builds secure features.
But a great Dynamics architect builds features users can access… without terrifying the licensing team.

Comments