web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro
Introducing our New Video Series: Community Spotlight
News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Small and medium business | Business Central, N... / GDAP vs. Guest User in...
Small and medium business | Business Central, N...
Unanswered

GDAP vs. Guest User in Business Central Online: our findings, workaround, and open questions

(0) ShareShare
ReportReport
Posted on by MS-11030904-0
Dear all,
 
we wanted to share a situation we recently ran into while working with Business Central Online as a partner – and I’m very curious if others have experienced the same behavior.

At first glance, this seems like a fairly standard setup. As a partner, we often need two types of access in a customer tenant:

  • On the one hand, we join as a guest user for collaboration scenarios like Microsoft Teams or Azure DevOps.
  • On the other hand, we use GDAP to administer Business Central environments without needing a customer license.

Individually, both approaches work perfectly fine. The problem starts when both are used with the same identity.

In our case, the consultant had already been invited as a guest user in the customer tenant. The invitation was accepted and the user had already worked with Teams and DevOps.

Later, we tried to access Business Central Online using GDAP – and that’s where things started to behave unexpectedly.

Instead of seeing the usual “GDAP-style” user (the anonymized USER_xxx account), Business Central seemed to pick up the already existing guest user context. That effectively broke the expected delegated admin behavior, because the guest user didn’t have a Business Central license.

The result: no proper access via GDAP anymore.

What made this tricky was that it wasn’t immediately obvious what was going on. The key indicator for us was the Users page in Business Central. Instead of seeing the typical technical GDAP user, we saw a normal, personalized user – which was a strong hint that the system wasn’t treating the login as a pure delegated admin scenario anymore.

From what we understand, this is consistent with how Business Central works in general. Delegated admins are supposed to show up as separate, anonymized identities. But if the same user already exists in the customer tenant, the system seems to associate everything with that existing identity.

The real challenge, however, was not identifying the issue – but fixing it.

Once the “wrong” user context was established, we didn’t find a clean way to simply switch back to the intended GDAP behavior. Disabling the user in Business Central was not sufficient.

The workaround that worked for us was the following approach:

  1. First, we removed (soft-deleted) the guest user in the customer tenant.
  2. Then we made sure that the first login to Business Central happened via GDAP (including the environment had to be reset so that no "invalid" users remained).
  3. After that, Business Central created and used the expected anonymized GDAP user.
  4. Finally, we restored the guest user so that Teams and DevOps continued to work.

In one of our scenarios, the cleanup was even more complex, and we ended up recreating the Business Central environment to fully reset the situation.

We want to clearly emphasize: this is not an official Microsoft guideline. It’s simply the approach that worked for us in practice.

That’s also the reason for this post.

We would really like to understand if this is a common issue in the community, or if we just ran into a very specific edge case.

A few questions to those of you working with GDAP and Business Central Online:

  • Have you seen similar behavior when a partner user already existed as a guest in the customer tenant?
  • Did Business Central also stop using the expected GDAP identity in your case?
  • Were you able to fix it without more invasive steps like recreating the environment?
  • And more generally – do you separate identities for collaboration (Teams/DevOps) and GDAP administration to avoid this entirely?

Our current takeaway is quite simple: mixing guest access and GDAP access with the same identity can lead to unexpected side effects in Business Central Online. At the very least, it’s something we will pay much closer attention to in future projects.

Looking forward to hearing your experiences and thoughts.

 
Kind regards,
Markus
Categories:
Dynamics 365 Business Central
I have the same question (0)

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro
Introducing our New Video Series: Community Spotlight

Quick Links

Season of Sharing Community Challenge Launch!

Jump in, show your community spirit, and win prizes!

Women in Power Builds Momentum

Expanding mentorship, skilling, and AI innovation

Congratulations to the May Top 10 Community Leaders

These are the community rock stars!

Leaderboard > Small and medium business | Business Central, NAV, RMS

#1
OussamaSabbouh Profile Picture

OussamaSabbouh 2,028 Super User 2026 Season 1

#2
YUN ZHU Profile Picture

YUN ZHU 1,366 Super User 2026 Season 1

#3
Grigorios Mavrogeorgis Profile Picture

Grigorios Mavrogeorgis 1,175 Super User 2026 Season 1

Last 30 days Overall leaderboard

Featured topics

Microsoft Training Manuals

Product updates

Dynamics 365 release plans