Help! User license enforcement in Dynamics 365 F&O

Recently, Microsoft announced a blog about Simplifying License Management for Dynamics 365 Finance and Operations, which I shared on LinkedIn, as this post contains a super important update that might impact your Dynamics 365 environment. Microsoft will actively check for users’ valid license assignments when starting the application. Starting May 15, 2025 September 1, 2025, in case the license is not assigned, users will start seeing a warning. As of August 30 November 1, there will be a hard license enforcement. If a user then tries to log in without having a Dynamics 365 license assigned, they will be stopped from accessing the application.

In this post, you will find important information and some tips for becoming license compliant. There were some recent updates in Dynamics 365 F&O and Lifecycle Services (LCS), which will be highlighted.

Disclaimer
Information in this post is according to my current understanding of the license enforcement, and with the information available today. There were some recent changes to the initial plans, and some details may be subject to future change. I aim to keep this post up to date.

In this post

License enforcement! Why?
License enforcement! How?
Pushbacks and concerns
Available license reporting (including new report option in LCS)
Entra ID groups and missing license reporting
Frequently asked questions
Recommended actions

Updates after initial publishment

May 9, 2025: FAQ updated

May 15, 2025: Due to issues in reporting, the dates are pushed back in time. In-app notifications warning the users will start on September 1, 2025. The hard enforcement will be effective as of November 1, 2025. The blog about simplifying license management has been updated with the new dates, too: Simplifying License Management for Dynamics 365

License enforcement! Why?

I would like to start this post by talking about why Microsoft will enforce license assignment. When Microsoft acquired NavisionDamgaard, the Axapta product was licensed based on concurrent users. This was the case until Dynamics AX 2009. As of Microsoft Dynamics AX 2012, the license model was changed to have named user licenses. At that time, several Microsoft solutions did not have an active check for licensing. With periodic alignments, the number of users was validated, and Microsoft trusted the companies to buy the correct number of licenses. This was also the case for AX 2012.

When Microsoft introduced the cloud version, I was expecting a license enforcement. There shouldn’t be a difference in assigning a Microsoft 365 or Dynamics 365 license. Then, Microsoft was splitting the product into multiple license SKUs like Dynamics 365 Finance, Dynamics 365 Supply Chain Management, and Dynamics 365 Project Operations. Separate product licenses in a single product where some entities, like customers and workers, are shared by multiple products. Microsoft initially mentioned which standard roles are part of what license and mentioned that assigning multiple roles or custom roles with features from several products could lead to the requirement for multiple licenses for a single user.

When Project Operations was introduced, a lot of customers had existing licenses for Finance, which were not up for renewal yet. Having a license check on particular SKUs was impossible for that reason.

The customer is required to buy and assign the correct number of licenses, but there was (and still is) a lot of confusion, as correct reporting on required licenses was missing. The recent years, Microsoft has taken steps in improving the underlying solution and reporting options. The concept of privilege-based licenses was one of the improvements, where standard privileges are managed in a list together with a license SKU. If you then build a custom security role where you will reuse existing duties and privileges, the application can be aware of the used licenses and mention which SKU or SKUs are required for each role. Alex Meyer wrote updates on the user licensing on his blog. See: Current State of D365FO User Licensing.

Now, where the current state is that the licensing guide described the license SKUs and roles per SKU, and the list with privileges matched the base SKUs, it looks like the time is here to start enforcing licenses.

License enforcement! How?

When opening the Dynamics 365 F&O application, there will be a check if the proper license is, or licenses are, assigned to the user in Microsoft Entra ID. As of May 15, 2025 September 1, 2025 there will be an in-app notification for the user in case the license assignment is not present or incorrect. This is a soft warning and will initially not block the user from performing their tasks in the application.

This screenshot was shared by Microsoft in their first blog where they talked about license enforcement. Looking at the details, there is no option to close this warning. In addition to the in-app notification, LCS administrators will receive emails with details about missing licenses.

As announced by Microsoft, the customers will get time until August 30, 2025 November 1, 2025 to acquire the correct licenses and assign these to the users. Starting from that date, the areas that are not licensed will not be accessible to the users. In case the user has security roles for Finance and Project Operations, where, e.g., there is no attach license assigned, the user can operate in the Finance areas, but will lose access to Project Operations features.

Pushbacks and concerns

When Microsoft published its first blog post about the license enforcement on March 28, not everyone was aware and notified. Microsoft also sent an email to administrators around April 9. The hard license enforcement will be effective August 30, 2025 November 1, 2025. Microsoft will start notifying users soon with a soft warning. This warning would start on April 30, but on May 1, clients received an email stating that this would now be effective as of May 15, 2025 September 1, 2025.

What are the pushbacks and concerns about? There were a lot of questions and comments related to the timing and the state of the application. Also, there were contradictory and confusing paragraphs in the licensing guide.

As the initial soft warning would start on April 30, a lot of customers and partners complained about the notification period. I can understand the position from both the customers and Microsoft. In an ideal world, the correct number of licenses was already acquired and assigned to the users. Assigning a user license is part of the documentation for creating users in Microsoft Dynamics 365. SKUs and SKUs per privilege are effective for some time, and when deploying customized roles or for configured roles, the View permissions page can be started from the Security configuration form, which will show the required licenses. End of last year, I shared a video on how you can export a list with roles and the required license SKU from your environment. (YouTube: How to get a list of security roles including the required license level)

With this information and a list of users with assigned roles, you can create a list of required licenses in your organization. So far, this has been, in my opinion, underestimated by a lot of customers and partners. However…

When creating custom roles using standard privileges and duties, there are still quirks in the outcome. E.g., read-only can be covered by a Team-member license, but in some cases, privileges aren’t in the SKU list, or some entry points do have more permissions than just read access. To fix those issues, you can spend some more time creating new privileges or report issues to Microsoft Support. The issue here is that there are time constraints to get security roles ready for an organization, and a lot of existing customers did not review security roles after they went live, e.g., before the product and license split. As there was never a license enforcement or proper guidance, for several reasons, customers might be underlicensed. In the past, when I configured roles. I always tried to ensure the security role was at the correct level by either reporting an issue to Microsoft or creating new privileges when really required. If a role ends up as e.g., SCM, where this was expected, I did not focus on individual privileges that end with the operations-activity SKU, where ideally it should be a Team member.

For about a year, there has been a licensing report available on the Power Platform admin center. I will mention more about this report below. Even after a lot of efforts from Microsoft, there are comments that the report is not correct. In that case, even when, according to the security role assignments, the license assignment is correct, users might get an incorrect in-app warning.

The time between the announcement and the initial plan for in-app warnings was very short. An idea raised by another person was to have an email notification to the administrator initially, and, e.g. from July start warning the users. From Microsoft’s point of view, there is just a warning, and the hard enforcement will start August 30 November 1, so there is time to ensure companies have the correct licenses assigned to users. The warnings can have an impact on the load of support requests to internal IT teams. Ideally, you want to prevent users from seeing the in-app warning, but the time was too short for a lot of companies. Microsoft is now keen on solving license reporting issues before May 15, the new date for the soft warnings to end users. I think that there will be some wrong reports after that date. The future will tell…

Update May 15, 2025: The license report still shows incorrect information in PPAC, and the dates have been pushed back.

Available license reporting

There are some reports available today. Some are there for a longer period, others are recently added or changed in the past few weeks.

Power Platform Admin Center

For about a year, a license report has been available on Power Platform Admin Center (PPAC), which shows information about available, assigned, and required licenses. With the correct permissions, you can access this report with the link. Licenses | Power Platform admin center. It is recommended to open this using the new admin center experience on PPAC. Note that the report refreshes only every 72 hours (3 days). When you made changes, the effect is not directly visible. I’m wishing for a quicker refresh rate.

The initial view shows the number of seats counted from the production environment. At the top right corner, there is a filter option where you can also include non-production environments.

Per User license level, you can click on View users to see details about the users and status of assigned licenses. The same person can be listed twice in case there are multiple security roles assigned. In this view, you can quickly check which users have the correct license or not.

Note that there are some reports where as on this day (May 5), some information is listed incorrectly. I do hope this gets resolved soon. Also in my report, I have some quirks which is currently under investigation by Microsoft. In my example, the numbers do not tally with the subscriptions in this environment. Other reports are about wrong license levels for particular security roles.

You can also export the raw report data to CSV. Then you are able to open the details in Excel and start some analysis. You can make changes in your Excel file with comments and use it as a to-do list, as the report is only refreshed every 72 hours.

Lifecycle services

As of April 30, there is a licensing report is available in Lifecycle services (LCS). The information on this report is the same as provided on PPAC, but with some limitations. In case LCS administrators don’t have access to PPAC yet, it is possible to check details and follow up on getting the correct license assignments.

The report shows data from the production environment only. With permission from a client, I took the below screenshot as I don’t have a production instance on my demo tenant.

Via LCS, there is no option to view which users require what license. You can then download the CSV with all details. This will generate the same CSV as available from PPAC. The download is working when you are a user in the same tenant. In case you are invited as a guest user on LCS, the download was not working for me. This might be due to privacy protection.

In-app reports and inquiries

Before Microsoft acquired an ISV for security governance, the available reporting was not giving answers to all licensing-related questions. In version 10.0.43, Microsoft added features for User Security Governance in preview which will be generally available in version 10.0.44.

During the preview phase and the plans for license enforcement, one of the forms got a redesign and is now available when you enable a new feature in feature management called (Preview) User security governance license usage summary report. This feature is available in the latest quality update for 10.0.43 and in 10.0.44.

Initially, the screen remained empty as data is managed by Microsoft in the back-end. There is no batch job in the application itself. As of about a week ago, data is flowing into sandboxes and production environments.

You can open the page License usage summary using the next navigation path: System administration > Security governance > License usage summary (preview).

Unfortunately, there is no documentation yet, and either the information on the tab page User licenses is overcomplicated, contains errors or both. When trying to read the form, I think it shows a summary of all entry points for the users and if these are covered by licenses. In my environment, the user Alfonso has the Accounts Payable Manager and Human Resources Manager security roles assigned. It reports that not all permissions are related to the Finance SKU, but also that an attach HR license is required. Initially, I think the columns Covered entitlements and Remaining entitlements are intended to show how many entry points are part of a Finance and HR license SKU. If you look at the details in the lower grid, there are some entry points marked as Not entitled. This information is changing per record. In case you want to know which “12” entitlements are remaining, you will find out that there are way more marked as not entitled. This tab page is not understandable in my opinion, apart from having a list per user and the required license. It is also missing security role information to verify which roles are responsible for what entitlements. Note that in this environment, the user Alfonso does not have a license for Human Resources, so the entitlements do not tell anything about the correct assigned licenses. Probably you will have a question about what an “entitlement” is. In that case, we can shake hands, as I’m also not able to understand what Microsoft is trying to explain to us on this tab page. I will keep an eye on updates for either documentation or data on this page.

The tab page User role licenses currently has information in the upper grid only. This information, in case it displays the correct information, is very helpful. It shows all roles assigned to the user, and in the column License quantity, there is a value of 1 or 0. This is not to indicate whether a license is required or not. This has logic to be able to count the required number of licenses in your tenant. For the two HR roles assigned to Alfonso, the license is required, but only one of these two has the value of 1. It does not provide information whether the license per user is for a base or an attach license.

The other three tab pages currently display incorrect data in my environment. It looks like the wrong query was used, where all security objects now require all licenses. This needs to be fixed by Microsoft.

To know which role requires what license, you can use the Security configuration form and show View permissions. So far, it looks like this form is showing trustworthy information. It might be the case that the information is not as expected. E.g., a read-only role shows the requirement for a higher license than a Team member. In that case, the standard or custom privileges used might have more permissions on particular menu items than just the grant for the Read permission only. Potentially, you can review or have someone review the details of security roles for options using cheaper user licenses when possible.

Entra ID groups and missing license reporting

Next to assigning security roles in Dynamics 365 manually or using rule for automatic assignment, there is an option to use Entra ID groups for managing users and permissions without performing user maintenance in Dynamics 365. I wrote several blogs about this topic before. In the next blog, you can read more about using Entra ID groups. After writing the post, Azure Active Directory got renamed to Microsoft Entra ID. How to use Azure Active Directory for managing users and security in Dynamics 365 for Finance and Operations

In this blog post, you can read that there are some downsides of using Entra ID as e.g., license reports aren’t aware of the assigned security roles to the users. This now also applies to the above-mentioned license reporting options. In case you are using Entra ID groups for managing Dynamics 365 F&O permissions, I would recommend having a look at the open-source GitHub project called D365 Admin Toolkit. One of my contributions to this toolkit is an enhanced Entra ID group integration where based on Entra ID group memberships, the security roles will be assigned using automatic rules. You can learn more and download and use the toolkit for free by reading the next post. Enhanced Entra ID group integration in D365FO Admin Toolkit

Talking about Entra ID groups, there is an option to assign the licenses to Entra ID groups. In case users are added and there are sufficient licenses, there will be an automatic claim on the license for the user. Whether you can use this approach depends on what products you are using, the security matrix with all users and required roles. If one particular role is used where one user would need a base license and another an attach license for the same role, this approach will not work. Instead of an attach, it will then also try to assign the base license.

Frequently asked questions

I can understand in case you have a lot of questions. By monitoring all the latest changes, a lot of my questions are answered, but there are still some open questions and issues. Microsoft provided information that should give more clarity on various questions. In this paragraph, I will share information and documentation that you can use to find your answers. In several meetings and in feedback programs, there are a lot of discussions. Microsoft created an FAQ page and had to update the Dynamics 365 licensing guide to clarify concerns. There are many updates in the May 2025 version to provide clarity about required licenses.

There is clarity if users with the role of system administrator do need a license. In case this role is used to administer the application, no license is required. In case the role is assigned where the user will contribute to the process, like creating orders or posting journals, then the appropriate license is required. Ensure you remove other licenses from system administrators in your environment. Other roles will be used for license reporting despite having the system administrator role assigned.

The below information does not answer questions about whether all or only the production environment will be checked and licenses enforced. From discussions with Microsoft, I understood that the enforcement will be performed initially in production environments. Be prepared that, according to the licensing guide, a user must be licensed for any Dynamics environment. In case the enforcement indeed starts in production environments, I do expect non-production environments like sandboxes will follow soon.

Update May 9, 2025

It is confirmed by Microsoft in a partner meeting this week that the license enforcement will be effective as of August 30 in production environments only.

In my opinion, the next links are a must-read to get clarity on your questions and the next actions.

Simplifying License Management for Dynamics 365

Dynamics 365 licensing guide (PDF download)

User security role reporting and technical validation for finance and operations apps FAQ (Microsoft Learn)

Update May 9, 2025

There are several questions about why particular security role assignments are included in the report where the user does not have the role assigned and even where the particular role is not used for several years. This is caused by having records in the Security User Role table with an Assignment status of Disabled. You can learn more about the root cause and mitigation in this video: License reporting – incorrect user role assignments (YouTube)

Recommended actions

To ensure users will not be blocked access to the Dynamics 365 F&O application, you would need to review the security and license requirements. Ensure that, before August 30, 2025, the correct licenses are assigned. You can read how to assign licenses

Coming May 15 September 1, the soft check will start where users can get in-app warnings about user licenses. This is far from ideal, as you can expect a load on your internal IT support. As of the writing of this post, you only have 10 days available to assign the correct licenses. This might be too short for acquiring additional licenses or fixing issues with the current security role configurations to comply with the various license SKUs.

Alert the employees before they alert you.

You can consider sending an announcement from your IT department to the users. In a statement, you can inform your employees and tell them that in case of a warning, there is no need to log an internal support case, as you can tell you have the process under control. Appropriate action will be taken before the date of August 30, 2025 November 1, 2025.

In case you see issues in your reports or the license calculation in your reports is incorrect, you can create a support ticket for Microsoft via the Power Platform Admin Center.

Keep an eye on all communication being published related to this topic. As there are some issues in correct license reporting today, ensure you validate the outcome of your reports. Microsoft expects to publish some fixes tomorrow, but we don’t know if this covers all or what pending issues will remain open.

I will try to keep this post up to date. Alex Meyer also has a blog about this topic and aims to keep his posts up to date. You can find it using the next link. Dynamics 365 Finance & Supply Chain License Enforcement Overview – Alex Meyer

I do hope you liked this post and will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.


That’s all for now. Till next time!