Dynamics 365 F&O license enforcement status – July 2025

In this blog, I will share my experiences on the license enforcement status after interaction with clients and Microsoft. Microsoft is working hard to solve all reported issues. In the meantime, due to the wrong presentation of data and changes made on the Licenses usage summary page, the clients are still lost or think they need to acquire a lot of additional licenses.

I will explain the current status and how to interpret the new information, like the data on the User license consumption report, and form Licenses usage summary, and also when not to trust the reported data, as there are still errors in the reported license requirement per user. In addition, the standard or duplicated privileges might have wrong settings.

Update September 25, 2025: The license enforcement has been postponed and will now follow contract renewal or anniversary dates. Read more here: LinkedIn Post.

License enforcement

A short introduction about this topic, as I do hope everyone is already aware of the upcoming license enforcement for Dynamics 365 F&O users. On March 28, 2025, Microsoft announced a license enforcement in a blog post about simplifying license management. As this was a more generic blog with a few words about the license enforcement, and time to prepare for clients and partners was short, I directly shared the blog on LinkedIn, stating the importance of waking up and reviewing the license reports and starting to assign licenses if this hadn’t been done yet. It turned out that both clients and Microsoft weren’t able to meet the earlier announced dates for an in-app warning and the enforcement. After a lot of feedback, Microsoft moved the dates after the summer break. As of now, an in-app warning will appear in case users do not have the appropriate license assigned starting September 1, 2025. The hard enforcement will start on November 1, 2025.

In another blog, I wrote about all you can do to prepare yourself to know the correct licenses and have them assigned in time: Help! User license enforcement in Dynamics 365 F&O – Dynamicspedia

Now, a lot has happened in the meantime. Microsoft seems to be aware of the complexity they created with one platform, one application, and different SKUs. A lot of feedback is sent to Microsoft in various ways. E.g., there are discussions on Viva Engage feedback groups, Microsoft organized partner office hours, and as an MVP, we had an additional program group interaction about this topic. Let’s talk about the changes and current state in the next paragraphs.

License calculation

Before the announcement, several reports were available within Microsoft Dynamics 365 F&O, and an explanation was available via View permissions on the Security configuration page. This information was not always aligned with the Dynamics 365 licensing guide and had some errors. When you duplicated a standard role or other object, it could end up with a different license requirement than intended.

Alex Meyer wrote several blogs in the past, explaining privilege-based and menu item-based license details. Unfortunately, that information is not applicable anymore.

Microsoft wants to have a single source of truth and has built the license calculation in the Power Platform Admin Center (PPAC) based on security metadata, security implementation, and users per environment. For the calculation, now not only menu items are taken into account, but also other object types. For that reason, we can refer to the new calculation as being an object-level calculation.

The next objects are part of the calculation:

• Menu item display
• Menu item action
• Menu item output
• Data entity
• Data entity method
• Service operation

For all objects part of the standard application, in addition, there is a list of which object needs what license in case of a specific access level. All read permissions are by default a Team member role, while, e.g., maintaining commission settings requires a Supply Chain Management or Finance license.

The object types are all related to accessing or maintaining data. The menu items are within the application, where the data entities and service operations are objects used from external applications. E.g., a data entity can be used by virtual entities. On its turn, this can be a data source in a Power App.

If you want to learn deep technical details about the table structure related to the license calculation, I recommend reading a post from Alex Meyer: Updated D365FSC User Licensing in 10.44 – Alex Meyer

Legacy license calculation

Microsoft has announced that the legacy license calculation has been deprecated, and this has an impact on features we used before to check for what license was required or what exact security configuration was responsible for a particular license level. The most common question I have seen on the Dynamics Community is about missing license information on the View permissions page.

If you installed quality updates recently, then there was one item mentioning the removal of the legacy license information.

1031106: Information exposing Licenses in Assign Roles to User and View permissions forms should be removed

Removed License column from Assign Roles to User dialog form, which can be opened from the Users form. In addition, removed License column from View permissions form, which can be opened upon clicking on View permissions button after selecting any individual role from the Security configuration form. This information will not be visible anymore.

This information was based on calculation logic that had some incorrect outcomes in specific cases. By opening the Assign roles to user, I was used to exporting data from the grid to Excel to have a list with roles and their required licenses. I even created a YouTube video with this trick, which is no longer applicable.

While configuring security roles, the license level is crucial to consider, so I provided feedback to Microsoft, hoping to get back values in these columns based on the new calculation logic. The underlying data is available; it just needs to be calculated for the security objects. Let’s hope this will be implemented again soon.

User license consumption reporting

On PPAC and LCS, there are now reports available that show information about how many licenses are required and which users have what licenses assigned or missing. The current reports aren’t perfect and a bit hard to understand.

If you are on the Power Platform Admin Center, you can go to Licensing and then select the tab Finance and Operations.

A similar report is available on LCS when you go to the default page and then open the tile User License Consumption.

It is a bit hard to understand the mentioned license levels and the numbers. When you look at the distinct base licenses, such as Finance or Project operations, then the numbers are correct as far as I noticed. When you notice an overusage, you can click View users, which gives details and warning indicators.

In this overview, you see which users are missing a Dynamics 365 Finance license. Let’s switch to the harder part. This overview does not show users having a wrong license assigned. It will also not tell you if the user already has another base license, and for that reason, you could assign a Finance – Attach license for users. To create reports across security roles and licenses, you can download a CSV file with all underlying data and create your own reports or pivot tables.

In this overview, you can find that, e.g., Kevin has a Finance license assigned, but needs a Supply Chain Management license. Another advantage of custom reports in Excel is that you can use them as a to-do list, as the user license consumption report is not directly refreshed after you assign licenses or make changes to security role assignments in Dynamics 365.

The first versions of the PPAC reports and form in Dynamics 365 had indications about a difference in the base and attach licenses to be assigned. This was very confusing as customers had, e.g., a Finance base and SCM attach assigned, but the report mentioned the requirement for an SCM base and Finance attach. Either option is allowed, so Microsoft is now removing all areas where and mentions that a license is required, not which one. For Finance and SCM, you also might have premium licenses available.

Another hard part is the mention of license levels Commerce or Finance or Supply Chain Management and Human Resources or Project Operations. When looking at specific security roles, such as the Landed cost manager, this is included in three license SKUs. In this case, you can choose what base license to assign. Either Finance, SCM, or Commerce will fulfill the license requirement. In case a user has this role and also the Accountant role, then the calculation logic will suggest a distinct Finance license for this user. So, in case you see required seats for the combination license levels, there is no need to assign all licenses (one base and multiple attach), you can choose. For these combined license levels, the columns Available seats and Assigned Seats are cumulating the details from all Finance, SCM, and Commerce licenses in your tenant.

PS. In my test tenant, the HR and Project Operations licenses do show correct numbers for the distinct licenses, but on the combined view, there is an issue as of today.

Now we know what users need licenses, we also need to know what makes the requirement, and is it all correct?

User security governance

With the introduction of the User security governance features, Microsoft also introduced a form called License usage summary. This is in preview and should be enabled via Feature management first. The form is available in versions 10.0.43 and 10.0.44. The data on the form is based on the new PPAC object-level calculations, and with the help of a data flow pushed to the individual Dynamics 365 F&O environments. There is no batch job or X++ coding used to fill the new license tables. The refresh rate is currently about 8 hours, but Microsoft is looking to have more refreshes available. A manual refresh is not possible, but it will be a very welcome option.

When you open the form, there are various tab pages, and on each tab page, multiple grids with information. The details are not intuitive and need some help to understand what you are looking at and how to validate all details. Fatih Demirci wrote a blog before on how to read and analyze this form: How to Read and Analyze the Dynamics 365 F&O License Usage Summary Report – A Real-Life Scenario. I would suggest reading his post, as it explains how to look at this form, how to analyze some data, and see if you can lower license requirements by removing a security role.

When I did several reviews for clients over the past months, initially, I also had a hard time using this form, where I wished that the information on View permissions was correct. As this is now deprecated, I learned how to use the new form. Still, I use the deprecated legacy license information for comparison in case of differences. As I had seen several issues with the new calculation as well, I think it is good to share examples I had seen in the past and how I use the new form myself.

Some issues I have seen were due to errors in the underlying data, but also custom security roles with a wrong implementation. In case of errors due to wrong metadata, these are corrected by Microsoft already. A few examples of errors I had seen:

• Additional requirement for an HR attach due to write permissions on a menu item HcmWorkerLogisticsContactInfoGrid. As this was not only on the client’s custom roles, but also on several standard roles, I made a note to report this as a bug to Microsoft. When validating it in a standard demo environment the next day, I couldn’t find it anymore, and it was already corrected by Microsoft.
• The Manager role required a license level of Commerce or Finance or Supply Chain Management. I reported this in an email to Microsoft, and this is fixed as well, correcting the object requirement to ensure this Manager role is a Team members license.

User licenses

So, don’t just accept high license requirements, but review the details if you expected a lower license. Let’s start with the User licenses and see what license requirements are reported by the PPAC calculation.

The user Alfonso has a requirement for three licenses. On this tab page, you can see additional information, which is, in my opinion, not that helpful for the current example. Suppose we expected the requirement for a Finance license only; this page shows that, in total, 25 objects are not covered within the Finance license for this user. The bottom grid shows the securable objects with access for Alfonso. On this grid, you can find the Not entitled objects. Which objects out of these are part of HR or SCM is not clear. When you put the focus on the other two licenses, you can focus on what is included, but there can be an overlap with entitled objects. To learn more details, we should continue looking at the tab User role licenses.

User role licenses

Alfonso has two roles assigned. The system user role does not require a license. The custom role (AAC) Operations is causing the license requirement. There is an issue with the generated data as two times Finance is listed, where one of these two rows should mention Supply Chain Management.

The License quantity column can be used to create custom reports. The CSV file has this column included as well. In this example, the user APRIL has several roles, all requiring Finance licenses. For counting the number of required licenses, only on one row, the quantity has the value 1. To understand more about the details of the roles. we can move to the next tab page.

Role licenses

When you set the focus on the Role licenses, you may be very confused. You might think that roles have a relation to the Commerce SKU. The page shows all combinations with a security role and available license SKUs. The columns Entitled and Not entitled should be understood to be able to read this page. In case the column Not entitled has the value 0, the SKU can be used to fulfill the license requirement. My suggestion is to set a filter on the Role name and focus on single roles for better understanding. Let’s take the Landed cost manager role as the first example.

As mentioned above, for this role, you can choose between several license SKUs. The Commerce, Finance, and SCM SKUs do have the value 0, and are eligible for a correct license assignment. Other licenses are not allowed for this role. This is quite easy to understand, but let’s focus again on my custom role.

The Role licenses with this example are unwieldy. There is at least one single SKU possible. The role requires at least two licenses. From the User and User role licenses, we already know the required licenses, but when configuring security roles, you would need to wait for a refresh of all license calculation data. When you don’t know the details, you might think that the Finance SKU comes closest, but is this correct, and what other SKU or SKUs are required? Maybe we can deep dive into the 25 not entitled objects, but what to do in case of 1811 object in a security role, and about 474 not entitled objects?

For this reason, I provided some feedback to Microsoft to have the information about license requirements for security roles, duties, and privileges reinstated on the View permissions form and possibly also on this form, but then based on the new object-level calculations.

For more deeper analysis, you can go to the tab pages Duty licenses and Privilege licenses. You then again need to filter on individual duties and privileges to understand the requirement in a similar way as I explained for the current Role licenses tab page. Doing this for a security role with e.g. 36 duties and for that reason about 211 privileges, it will be Mission Impossible. At least, I don’t have the time to check them.

Privilege licenses

As mentioned above, this tab can be used in a similar way to the Role licenses. It has a focus on another level of the security hierarchy with fewer securable objects. Using this view, I would like to highlight some other issues causing too high license requirements for security roles. When looking at the standard roles as listed in the Dynamics 365 licensing guide, on the role level, the correct license is (or should be) the outcome from the new license calculation. This is, I think, the first focus from Microsoft. In case you create custom roles by reusing or duplicating duties and privileges, the license can be too high. As a simple example, I will take the fact that read-only permissions are defined as a Team members license as mentioned in the licensing guide. While creating a security role with all privileges starting with the word View, the role ended up as requiring multiple licenses, like Finance, SCM, and HR.

The issue is not within the engine of the new license calculation, but due to Write permissions in privileges intended to be read only. As an example, I set the next filters on the Privilege licenses tab page:

• Privilege name matches *view*,!maintain
• SKU Name is exactly Team members
• Not entitled greater than or equal 1

This gives a list where a potential intended read-only privilege requires a higher license requirement than the Team members license. As an example. the privilege View posted sales tax information is read-only, but has not entitled objects.

The reason is that some objects are recognized with an Access level of Write instead of Read. When checking the details via the Security configuration form, the three mentioned menu items do have more access than read-only. In this case, it is not an error in the license calculation, but the privilege provided in the standard application.

To get this privilege for your role on a Team members level, you can duplicate the privilege and set the Update, Create, and Delete permissions to Unset. Then use the new privilege instead of the standard one. In addition, you can create a support incident and report the incorrect license requirement for the standard object.

In case you have a privilege where Write is recognized, and you don’t see CUD actions enabled, then check my other blog for the reason and what to do: Help! My configured read-only role requires an operations or activity license

Does this mean that you should find all incorrect read-only permissions and make changes in your environment? The answer is No as this would be too much of an effort. Only focus on those that is impacting your license requirement negatively.

There is more…

Microsoft is working on a V2 version of the User license consumption reports in PPAC and LCS. The new style gives a better understanding and is actionable with relevant information in different places. It is expected that the report will be generally available in early August. I’m part of the private preview program, but I’m at this moment in time under NDA and can’t share exact details or screenshots.

I do hope you liked this post and will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.


That’s all for now. Till next time!