Customer experience | Sales, Customer Insights,...

All users have CRM access by default

(1) Share

Report

Posted on by pianotoad

Hi community,

I manage our Dynamics 365 Sales CRM - please note I am not a full time admin, but do this only besides my main job (being sales, so I'm also a user myself).

We have the Dynamis 365 Sales Enterprise edition, cloud only. We have roughly 20 users, while we globally have roughly 100 users for normal Office 365. The normal users obviously have no Dynamics 365 Sales Enterprise license, only their normal Office 365 Business license (for office programs, outlook, etc.).

I now shockingly noted that ALL our users can access the CRM, independent of their license status. It seems, Dynamics gives all of them a default user role (Basic User) and they can access and view the sales data, although none of them has a license for the CRM and I have not given anyone a user role.

How can I change this, so no one has access, as long as they are not being assigned a user role? This is quite an urgent security issue.

Thanks and regards, Daniel

I have the same question (0)

All responses (10)

Answers (0)

Suggested answer

CRMJetty 3,512 on at

Like (0)

Report

Hi pianotoad,

You will manage user access/roles from Microsoft admin center.

To remove the dynamics 365 access log in into Microsoft Admin center and click on User ->Active User from left menu.

The Active users of your organization will be listed. Click on context menu of an user for which you want to change access.

From context menu click on Manage product license.

The edit user panel will be open, here you can select/deselect license for that user. If you disable CRM license then that user not able to log in into CRM.

For more information about Microsoft/Office license and user management, refer below link:

https://docs.microsoft.com/en-us/microsoft-365/admin/manage/assign-licenses-to-users?view=o365-worldwide

I hope it helps,

Thanks.

Please mark as verified if the answer is helpful. Welcome to join hot discussions in Dynamics 365.

Was this reply helpful? Yes No
pianotoad 5 on at

Like (0)

Report

Hello Maulik,

thank you for the quick response, but this does not help. I know how to assign and remove product licenses.

The problem is that none of the the "normal" users have a CRM license assigned. They all only have the standard Office 365 Business license. (see screenshot)

But they can all still access our CRM.

This is the issue I seem to be unable to solve.

Regards, piano

Was this reply helpful? Yes No
Suggested answer

Bipin D365 28,983 Moderator on at

Like (0)

Report

Hi,

Are they part of any groups in Azure AD and that group has licenses assigned which is why user is able to access CRM?

Was this reply helpful? Yes No
pianotoad 5 on at

Like (0)

Report

Hi Bipin,

we have various security groups of course, but none of them has licenses assigned, no.

This is an example of available licenses for a user, who still has access to the CRM.

Was this reply helpful? Yes No
Veronica 5 on at

Like (0)

Report

Hi pianotoad!

Maybe your users have acces to the herited app (in my prod environment, its name is Dynamics 365 - Custom)?

To fix it, try to go on tha Power Platform Admin Center (from make.powerapps click on 'settings' and then the first option is 'Admin Center':

There, you will have the list of all your environments. Select the one on which you are experiencing the issue and than select 'Settings'

.

Than choose Product > Behaviour. On the right side, you will see an option saying 'Show herited App for all users, not only admins. Deactivate the option.

Let me know if it works! :)

Was this reply helpful? Yes No
Suggested answer

PerezAguiar Microsoft Employee on at

Like (1)

Report

Hey!

I understand the rest of users (who shouldn't have access) have O365 licenses or M365 licenses. If you go to admin.microsoft.com and check the licenses, at the bottom you should see a "Apps" section. If you deploy, you'll see that probably they have "Common Data Service" enabled:

This is allowing your users to be synchronized to the Dynamics environment. If you're also assigning the Basic User role to the team that is associated with the default business unit, then your users are getting access to the environment.

How to prevent this?
a) remove the roles assigned to team/default business unit.

b) Perhaps, the most secure way to do it: Create a Security Group (either on O365 portal or Azure), add the relevant members (those 20 users that have a license) and assign this security group to the environment.

c) you can also remove the Common Data Service app license from the license assignment

Was this reply helpful? Yes No
pianotoad 5 on at

Like (1)

Report

Hi Daniel,

thanks, I believe that is probably the reason, they all have Common Data Service assigned.

Can you help me find out what happens if I remove that? I am not sure if that has other implications as well.

Although it sounds as if b) is the best way.

As a "quick fix", I have removed the "Basic User" role from all of the colleauges, they now can no longer access the CRM system. But that is not a permanent fix, as I believe as soon as a new user is created, that user will automatically have the Basic User role again and gain access, so it is not a secure measure.

Was this reply helpful? Yes No
Suggested answer

PerezAguiar Microsoft Employee on at

Like (1)

Report

Hey.

For sure: if you remove this license, users won't be able to login to any Dataverse environment. But also, they will lose the ability to work with PowerAutomate or PowerApps or the Default environment. You can also perform a test on your side, by removing this particular license on a test user and check the outcome.

Particularly, the approach of using the Security group associated to the environment seems to have less impact on the rest of functionality while achieving the same result (restricting access to only a few people) without affecting other accesses.

Was this reply helpful? Yes No
pianotoad 5 on at

Like (0)

Report

Hi Daniel,

ok thank you. I guess the security group is the right way then. Some users use Power Automate and I am not sure whatelse I would be damaging if I took their assignment on Common Data Service.

I seem to not be able to assign the access to our CRM Dynamics environment to multiple security groups though. Is that not possible?

We have already some security groups for our sales people, divided into different regions and I would have assigned access now to all of these groups, instead of creating another "main" security group for sales.

If assigning multiple groups is not possible, I will need to do that though.

Was this reply helpful? Yes No
Suggested answer

PerezAguiar Microsoft Employee on at

Like (0)

Report

Hey. Unfortunatelly, you can't assign different security groups to one environment.

You can use nested security groups, but the users won't be automatically pre-provisioned. Instead, users will be provisioned upon access to the environment (on runtime)

This is documented on docs.microsoft.com/.../control-user-access

Was this reply helpful? Yes No