Small and medium business | Business Central, N...

Business Central for IWs trial license gives unlimited access to Production environment

(0) Share

Report

Posted on by Rob F.

522

I'm aware from past experience and other forum posts that there is a BC trial license in our tenant that enables users to use self-service sign-up without system admins being aware of their activity. However, I was a bit shocked to discover that one of our staff who is not a BC user was able to use the self-service sign-up and as a result was provisioned the IWs license with SUPER permissions to our live production environment / company, which normally requires an internal approval process and proper security setup, including data security. Does anyone know how we can disable and/or remove the IWs licenses from our tenant to prevent this from happening again? This is a significant security and internal audit risk for our company.

I have the same question (0)

All responses (4)

Answers (0)

Sort by

Suggested answer

IB-29041624-0 1,191 Moderator on at

Like (1)

Report
Copy link

Link copied!

I do not have the full solution or explanation for you. But if this is BC SaaS i would start by checking what permission this user are assigned in your Azure AD. And i would look for any kind of admin rights that might enable the users to assign them self licenses.

If you are not able to figure it out i will recommend that you raise a support ticket with Microsoft through your CSP partner and maybe they can help you figure out what has been going on.

Was this reply helpful? Yes No
Suggested answer

MahGah 15,613 on at

Like (1)

Report
Copy link

Link copied!

Hi

To add to Inge info

if you like to disable self service sign up for your Azure AD check this article https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-business-central-manage-selfservice-signups

Also, in your Business Central Admin center look for Security Group (SaaS version) this way you can limit the access to your environment.

Was this reply helpful? Yes No
Suggested answer

YUN ZHU 101,846 Super User 2026 Season 1 on at

Like (1)

Report
Copy link

Link copied!

Hi, Just to add a little information, if the user is the first to log into the Production environment, it will initialize the environment and automatically grant Super permissions. For example, they tried to login from Business Central Sign In | Microsoft Dynamics 365

PS: Security Group

https://yzhums.com/18304/

Hope this will help.

Thanks.

ZHU

Was this reply helpful? Yes No
Rob F. 522 on at

Like (2)

Report
Copy link

Link copied!

Thank you everyone for the replies.

Inge - This is BC SaaS and the user does not have any admin rights on the tenant. They are a basic/standard user with an Office 365 E3 license. I'll submit a ticket through our Partner to see what additional insight they or Microsoft can provide on this.

MahGah - Thank you for the reminder about using AD groups on the environment. I added one to our Production environment that includes all the authorized BC users. I was aware of the AD power shell setting that you linked, but it would disable self-service to all applications and our IT department may still want to allow access to those. We may need to use it though at least temporarily until we can remove the IWs licenses from the tenant (if that is possible).

Zhu - Thank you for the reminder, I was aware of that as well but in this case the environment has been up and running since late December and so this wasn't a first-time login.

Was this reply helpful? Yes No