You’re offline. This is a read only version of the page.
Skip to main content
Dynamics 365 Community
Cancel
Get involved
Get answers
Discover events
Learn Dynamics 365
More
Search
Announcements
Introducing our New Video Series: Community Spotlight
Community site session details
Session Id :
Copy
Close
Introducing our New Video Series: Community Spotlight
Dynamics 365 Community
/
Blogs
/
Microsoft Dynamics CRM 365/2016/2015/2013/4 Trails
/
How to Restrict App Visibil...
How to Restrict App Visibility by Removing extra app Access from Security Roles
Views (1)
Fameeda Yaseen
451
Follow
Like
(
0
)
Share
Report
Issue Summary
Users assigned to custom security roles such as
“Restricted Sales User (Read-Only)”
and
“Intelligent Order Management – Supply Chain Executive”
were able to see
all apps
published in the tenant — even though their role configuration only allows access to specific apps (e.g., IV and IOM custom apps).
Root Cause
The affected security roles contained
extra privileges
on the
App Module (Model-driven App)
table/entity. These privileges granted access to all apps, regardless of app-specific configuration or assigned rights.
You can confirm which apps a user can access using the
App Access Checker
tool:
App Access Checker URL:
https://CRMDev.dynamics.com/WebResources/msdyn_AppAccessChecker.html
How to use:
Enter the user’s ID.
Click
Search
.
The results will list all apps accessible to the user, and indicate
why
access is granted (via role or privilege).
Goal
Restrict app visibility by removing unnecessary
Read
and
Write
access for a specific security role (e.g., “
Restricted IOM User (Read-Only)
”) on the
App Module
entity.
Step-by-Step Resolution
1️.
Open Power Platform Admin Center
Navigate to
https://admin.powerplatform.microsoft.com
.
Select your environment (e.g.,
Production
or
Test
).
2️
Access Security Roles
Go to
Settings → Users + Permissions → Security Roles
(Classic view: Advanced Settings → Security → Security Roles)
Open the target security role (e.g.,
Restricted Sales User (Read-Only)
).
3️
Locate the App Module Table
In the role editor, open the
Custom Entities / Custom Tables
tab.
Search for
App Module
(may also appear as
AppModule
or
Model-driven App
).
Internal Name:
appmodule
4️
Adjust Privileges
Privilege
Description
Recommended Action
None
No access
Select this to remove access
User
Access to owned records
Remove if not needed
Business Unit
Access to records in same BU
Remove if not needed
Parent: Child BU
Access to records in child BU
Remove if not needed
Organization
Access to all records
Remove if not needed
Set:
Read = None
Write = None
5️
Save and Publish
Click
Save and Close
.
Allow a few minutes for the changes to propagate (or have the user re-login).
6️
Validate Access
Log in as the affected user or impersonate their account.
Confirm that the user can
only see the intended apps
and cannot open or modify the App Module table.
Optional Checks (Managed Environments)
If using
Managed Environments
or
Field-Level Security
, also verify:
Solution Layering:
Ensure no managed solution re-adds App Module privileges.
Teams-Based Access:
Confirm that no team membership re-grants access indirectly.
Expected Result
After these changes:
The user’s role will
no longer have Read or Write privileges
on the
App Module
table.
The user will only see the apps explicitly assigned to them (e.g., D365 CE & custom apps).
Unrelated apps published in the tenant will no longer be visible.
Comments
Add new comment
Comment on this blog post
New#123
You don't have the appropriate permissions.
Messages
Welcome,
Profile
Messages
My activity
Sign out
