Permission sets being reset after standard Microsoft Business Central updates?

Hi everyone,
We are experiencing an issue where our custom permission sets are being partially overwritten or "reset" after Microsoft performs scheduled updates to the Business Central environment.
Specifically, we have removed certain permissions from some standard Microsoft roles to restrict access to specific pages for security compliance. However, after the environment is updated, we notice that these removed permissions are reappearing, effectively reverting our changes.

We are aware that modifying standard roles is not ideal, but we would like to understand:
  • Is this expected behavior when standard objects are updated by Microsoft?
  • What is the recommended strategy to ensure that "denied" access remains persistent even after a system update?
Any best practices for managing this at scale would be appreciated.

Thanks in advance for your help!
  • Suggested answer
    Grigorios Mavrogeorgis, Super User 2026 Season 1
    Yes, this is expected behavior; modifying the standard Microsoft permission sets is not a good idea exactly for this reason. When Microsoft pushes an update, the system permission sets get refreshed from the application and your removed lines come back. They are basically read-only from Microsoft's side, even if the UI lets you change them.

    What we do is never touch the standard ones. Instead create your own permission set (copy from the Microsoft one if you want a baseline), and assign that to the users. For removing access you can use the Exclude permission sets — assign first the standard one, then assign an Exclude permission set with the specific table or page set to "Exclude", and the deny wins. This survives updates because your custom set is yours, Microsoft does not touch it.

    At scale, group them by role using permission set groups, much easier to maintain. Document which excludes apply to which group, otherwise after one year nobody remembers why some user cannot open a page.

    Hope this helps. Best regards.
    ✅ Tick the checkbox below to mark the answer as verified, if it helped resolve your question.
     
    Regards
    Gregory Mavrogeorgis
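
The custom-set-plus-exclusion approach from the answer above, written as AL objects in an extension. This is an added example, not code from the thread; the object IDs, set names, the standard set "D365 ACC. PAYABLE" and the page "Payment Journal" are assumptions chosen for illustration.

```al
// Added example. IDs, names, the baseline set and the page are illustrative assumptions.

// Holds only the permissions to take away. It is never assigned to a user directly.
permissionset 50101 "PAY JNL EXCLUDE"
{
    Assignable = false;
    Caption = 'Payment Journal (excluded)';
    Permissions = page "Payment Journal" = X;
}

// Custom role owned by the extension: standard Microsoft set as the baseline,
// minus everything listed in the exclusion set above.
permissionset 50100 "AP RESTRICTED"
{
    Assignable = true;
    Caption = 'Accounts Payable, no Payment Journal';
    IncludedPermissionSets = "D365 ACC. PAYABLE";
    ExcludedPermissionSets = "PAY JNL EXCLUDE";
}
```

Assign "AP RESTRICTED" to users in place of the standard set. The exclusion is evaluated inside this composed set, so check that the same users are not also assigned another set that grants the page on its own.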
     
