web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Finance | Project Operations, Human Resources, ... / License usage reportin...
Finance | Project Operations, Human Resources, ...
Suggested Answer

License usage reporting (in-app and PPAC) with Entra dynamic groups

(4) ShareShare
ReportReport
Posted on by James Fox 20
We are finding that the license reporting is not reflecting permissions assigned to users via Entra dynamic groups.  We use Entra group memberships to assign roles to users.  Any direct role assignments, as well as roles granted via standard Entra groups, are represented in the reporting properly.  However, any roles granted via a dynamic group in Entra does not reflect in the reports.  The relevant roles are assigned properly, and users are successfully able to access the application based on those assigned roles, but they are not reflected in the reports.
 
We use dynamic groups to automatically assign roles based on various data, which has worked well, but this gap in the reporting is making it very difficult to identify and validate licensing in advance of the upcoming requirement changes.
Categories:
Dynamics 365 Finance
I have the same question (0)
  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 304,717 Super User 2026 Season 1 on at
    Hi,
     
    Can you share an example of how you created a dynamic group and how users are assigned? So what is the various data? I can then try to replicate it.
     
    It might not be supported on the licensing reports today. I will join a meeting with Microsoft soon about the license reporting and enforcement. I can then bring this to their attention.
  • James Fox Profile Picture
    James Fox 20 on at
    In Entra, the dynamic group uses attributes in the dynamic membership rules, typically which we populate based on data we sync with our HR system.
    In one example, the rule uses:
    (user.extensionAttribute3 -in ["EP"]) and (user.extensionAttribute6 -in ["YESSLADM","EPGISSR"])
     
    In D365 of course, under Groups, we import the groups from Entra and assign the various roles there.
     
  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 304,717 Super User 2026 Season 1 on at
    Hi James,

    I will try to reproduce the scenario. Can you confirm if the users were assigned to the group for more than 24 hours?
  • James Fox Profile Picture
    James Fox 20 on at
    Yes, they've been assigned for weeks or months in some cases.
  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 304,717 Super User 2026 Season 1 on at
    Hi James,

    A small update. I have created a dynamic group and using rules there are now two users assigned. So far, the updates are not reflected yet in the PPAC report. The users do have access to the menu items as configured on the group in F&O.
     
    I have also added users to another group with direct assignments to verify them if the report got synced with inherited Entra ID group membership updates.

     
  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 304,717 Super User 2026 Season 1 on at
    Hi James,
     
    The PPAC report is working with the dynamic group on a sandbox, but not my production environment. As I know there are some issues with my production environment, I now deployed a new one to check it in a fresh environment.
  • James Fox Profile Picture
    James Fox 20 on at
    Interesting as I am seeing the same across three environments, production and two sandboxes.
  • Suggested answer
    André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 304,717 Super User 2026 Season 1 on at
    Hi James,

    On the new production environment, the role details are listed for the user. Currently, the license requirement is not updated for this user (yet). This can also be related to the issues on my original production environment. I now created two new fresh users to test the behavior.

    Anyway, the memberships should be recognized correctly, regardless of a dynamic group. I suggest to create a ticket for Microsoft Support.
  • ianceicys_msft Profile Picture
    ianceicys_msft Microsoft Employee on at
    Hi James and André,
    Thanks for flagging this - I want to make sure we're looking at the right thing.
     
    Can you share some additional detail on how you're creating and provisioning the dynamic Entra ID groups end-to-end? Specifically, the use of dynamic membership rules to add/remove users from an Entra ID group is supported.
     
    What we'd want to understand is the full provisioning chain:
    - How the Entra ID group is being created (manual via portal, automated via PowerShell, Graph API, etc.)?
    - How the group is being imported/created in F&O as a security group?
    - How security roles are being assigned to that group in F&O?
    - Whether users are being added/removed from the F&O security group automatically or manually synced?
     
    These detail matters because the license usage reporting pipeline depends on how the group and its role assignments are surfaced within F&O and there are scenarios where the Entra side looks correct but the F&O-side representation isn't fully hydrated on the same cadence, which may explain the reporting gap.
     
    Any details you can share on the above would help us narrow this down. Thanks!
  • James Fox Profile Picture
    James Fox 20 on at
    Hi, yes, certainly happy to share those details.

    - How the Entra ID group is being created (manual via portal, automated via PowerShell, Graph API, etc.)?
         These are created manually via the Azure portal.

    - How the group is being imported/created in F&O as a security group?
         In F&O, the group is then imported by going to Groups, clicking the Import groups button, selecting the Entra group from the list, giving it an ID, and clicking Import.
     
    - How security roles are being assigned to that group in F&O?
         Upon importing the group, we open the new group that was imported and assign the roles directly to that group.
     
    - Whether users are being added/removed from the F&O security group automatically or manually synced?
         Members are only add/removed by way of the dynamic group's rules in Entra - users are not manually added or removed in Entra (and I don't know of a way to even add them to the group within F&O, so that is also not being done.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Stars!

Meet the Microsoft Dynamics 365 Contact Center Champions

We are thrilled to have these Champions in our Community!

Congratulations to the April Top 10 Community Leaders

These are the community rock stars!

Leaderboard > Finance | Project Operations, Human Resources, AX, GP, SL

#1
Giorgio Bonacorsi Profile Picture

Giorgio Bonacorsi 620

#2
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 521 Super User 2026 Season 1

#3
CP04-islander Profile Picture

CP04-islander 430

Last 30 days Overall leaderboard

Featured topics

End-of-life Announcement for Microsoft Dynamics GP
License usage reporting (in-app and PPAC) with Entra dynamic groups

Product updates

Dynamics 365 release plans