Dynamics 365 F&O Last-minute Questions on License Enforcement
As of September 1, the rollout will start for in-app notifications in case users do not have the proper licenses assigned. The past week, after returning from my vacation, I noticed that many clients are still not fully prepared and have various questions. However, some clients are ready from their point of view. In this post, I will share some experiences and recommendations about what I have seen and heard.
Update September 25, 2025: The license enforcement has been postponed and will now follow contract renewal or anniversary dates. Read more here: LinkedIn Post.
September 1
September 1 is only a few hours away. When you read this blog, the date might even have passed. The soft warning will start to be rolled out to clients. Users can expect a message like the screenshot below. The date of August 30, 2025 will be updated to November 1, 2025 when the actual enforcement starts.
When exactly will these users get the message?
The validation will happen only in Dynamics 365 F&O production environments. Sandboxes are not impacted. Users without the required Dynamics 365 licenses, as listed in the License usage report available on PPAC and LCS, will receive a warning with a call to action to contact an administrator. The exact date can be different for each client. The roll-out can take up to September 18. So, in case the users don’t get warnings on, e.g., September 5, that does not mean that they have sufficient licenses assigned.
Are all users impacted?
No. Only the users without the required licenses will get warnings, and when no action is taken, they will be denied access to the application when the license enforcement is enabled, starting November 1, 2025. In case a user needs a base and one or multiple attach licenses, then all licenses should be assigned. So, in case one or more licenses are missing while a base license is assigned, the user will still receive the in-app notification.
Will administrators get notifications?
From discussions, I understood that emails will be sent to system administrators. This will most likely be a weekly summary email. My recommendation will be not to wait for these emails, but to check the User license consumption reporting on PPAC or LCS.
What can you do to prevent this?
Most obviously, you can prevent the in-app warnings and the license enforcement by assigning the licenses to the users when they are available in your subscription. If you start by reviewing the User license consumption report just now, you are pretty late, and the report might have unexpected results.
Some users might require higher or more licenses as per expectation. In that case, you will need to review the required licenses per security role. There can be excessive access or a bug causing this. While working with clients to get the correct roles and license counts, I have encountered several bugs. Some bugs were caused by wrong requirements for write access to a securable object. These were mostly solved by Microsoft already. Other bugs are within the implementation of security by product teams in the application. E.g., a standard view privilege can contain securable objects with write access. You can read more about this in a previous blog: Dynamics 365 F&O license enforcement status – July 2025 – Dynamicspedia
In case users see the notification, your IT support might get a higher inflow of issues. You can prevent this by sending the users with missing licenses or all application users an email that the situation is known, complex, requires time, and your team is already on top of it to ensure no disruption will happen on or after November 1, 2025.
Recent questions and concerns
Where I helped several clients and participated in preview and feedback programs, these all brought up questions. There are many questions answered in the User Security Role Reporting and Technical Validation for Dynamics 365 Finance and Operations Apps – FAQ.
Still, there are some generic and specific questions I would like to mention in this post.
Will the new license calculation require higher licenses?
There can be differences in the outcome between the legacy license calculation and the new calculation. This is not because Microsoft changed the requirements. This is because Microsoft realized that there were errors with the previous calculation logic. The calculation logic was based on menu item properties and overrides per privilege. In case you copied standard security objects, then the role could end up with a different license than intended. With the Dynamics 365 licensing guide as the source of truth, a new way of calculating the licenses was introduced. There is no intention from Microsoft to enforce higher license requirements.
In case you see differences, you will need to go into the details to find out what securable elements are causing the differences. Based on the details and whether users need access or not, you can decide to remove access or lower the license by setting write permissions to read.
Is my tenant eligible for the 12-month grace period?
The FAQ document has answers, like the need to renew licenses in a specific period. Despite there are questions as clients expect some communication or confirmation. The grace period is automatically added to your tenant, you will not receive an additional confirmation from Microsoft. Unfortunately, there is no information where you can check if the grace period is active and until what date. The grace period starts from the date of the renewal.
In case you switched from, e.g., an Enterprise Agreement (EA) to a Cloud Service Provider (CSP), then this also counts as a renewal in case the duration of the agreement is for a minimum of a year. There are also options to add additional licenses as CSP on top of an existing EA.
What to do in case device users are listed on the User license consumption report?
Devices are currently not enforced. Microsoft needs additional engineering to be able to link devices to a license. The POS and warehouse mobile device applications don’t have an active check on licenses when starting the application. Some clients have seen device service users being reported when a license needs to be assigned. This can happen if custom security roles are assigned to these device users.
You can prevent it by providing the standard roles as this is taken into account in the license calculation logic. E.g., the warehouse management device user should have the security role Warehouse mobile device user. For manufacturing execution, the security roles Manufacturing execution workload machine operator, and Manufacturing execution workload shop supervisor should be used.
In case you have one PC with, e.g., the option to maintain sales orders shared by people working in different shifts or on different days, then this is not a feature that qualifies for a Device license. Instead, the users should be licensed. You can read more about Device licenses in the Dynamics 365 licensing guide.
Can you assign another base license than mentioned in the report?
The answer is: No. There are a few scenarios where a security role can end up where you have a choice between Commerce, SCM, or Finance. Users with missing licenses for these roles are reported in a different section at the bottom of the report. I have seen scenarios where the partner suggested buying, e.g., 50 Finance licenses, where 25 users needed Finance and 25 SCM. This was because the licenses had the same price, and it “just didn’t matter”. Unfortunately, this was a wrong advice. The Dynamics 365 Licensing guide is clear about which roles require what license. Luckily, there are options for a license swap. You can exchange, e.g. Finance licenses for SCM licenses
Approve vendor invoices is causing a Finance license instead of a Team member
According to the Dynamics 365 license guide, the task for approving vendor invoices is a Team member functionality. Some clients see a requirement for assigning a Finance license.
This is reported where Microsoft is investigating. As my clients mostly use an ISV for processing vendor invoices, I had not encountered this myself. I did a check this weekend myself and found the next in a standard Dynamics 365 F&O environment. The privilege Approve vendor invoice workflow can be used with a Team member license. This is in line with the licensing guide.
The Approve vendor invoices requires a Finance license. Initially, this looks wrong, but when reviewing the details, this not only has permissions for the workflow approval, but also permissions for e.g., creating vendor approval journals and purchase order matching. This duty is linked in the standard application only to the roles Accounting manager, and Accounts payable manager. These roles do require a Finance license as per the licensing guide. I do agree that the wording of the duty name is confusing. Apart from this, there are a few privileges in this duty, managing rights for approval tasks that are now raised from Team members to a Finance license. For this part, we need to await a reply from Microsoft.
In case you need to provide access to a worker to perform the task for approving an invoice via the workflow without additional write access to other functionality, the duty Approve vendor invoices as employee can be used, which is part of the standard Employee role. This does not have approvals for all vendor invoice workflow types. Check if you can use this duty instead.
In case you are using custom or newly configured security for the vendor invoice approval workflow, you need to check which securable objects are causing a higher license cost.
Other scenarios where Team member is expected
There are more scenarios than only the approval of vendor invoices where another license is suggested. Typically, a read-only role should not trigger enterprise licenses, but it should be a Team member. In case the security role contains all standard view and inquiry privileges or duties, then the license does not show the Team member as the eligible SKU. As mentioned above and in a previous blog, some view privileges also have write permissions, and for that reason, trigger higher licenses. This can be solved by using custom privileges and duties.
Also, custom roles intended for, e.g., expense reporting or purchase requisitions can have more permissions than only what is entitled to be used as a Team member. In that case, it is recommended to review the contents of the security role.
Users missing on the User license consumption report
In case you miss users, here are the conditions when the users are not listed
- System administrator: Users with only this role are not listed. If they perform only administrative tasks, then they don’t need a license. In case they are contributing to the business, like entering sales orders daily, then they still need a proper license.
- External users: Users from another tenant are currently not included in the report. According to the licensing guide, they need a license if they contribute to the business. Microsoft will add these users in the future. Until then, they are excluded from the license enforcement check.
- Entra ID groups: Users getting permissions via Entra ID groups do not have a security role assigned in the application. For that reason, they are not recognized in the report. Microsoft will add these users in the future. Until then, they are excluded from the license enforcement check.
- Roles with custom or ISV entry points only: Currently, only securable objects from the standard application are recognized in the license calculation. In case of reusing standard elements, like a sales order or project details form, with another menu item to support a specific vertical requirement is considered multiplexing and for that reason, the correct license is required, but today not recognized. In case a role from an ISV is used in the reports, then there is most likely a mix of standard and ISV objects in the role. Note that here also the outcome is as per standard elements; multiplexing is not considered yet. Microsoft will extend the license validation logic to support custom and ISV securable objects in the future.
With this information, you should realize that in case all your users are meeting the license enforcement validation, this does not guarantee you are fully compliant.
Users reported with a GUID instead of an email address
In this scenario, you need to check if there are invalid users in your environment. In case the user is deactivated or deleted from Entra ID and still active in Dynamics 365 with roles assigned, they will be included on the report.
Wrongly reported users
When talking with a client this week, I learned that it is possible to have users listed for a missing license, despite the correct licenses being assigned. In this example, the users will end up with a need for both Finance and SCM. For the majority of users, the base and attach licenses are recognized correctly on the PPAC report. Still, 5 users are reported for missing licenses, where they are assigned correctly. The weird thing is that over 60 users with the same license assignments (base+attach) are OK, but only 5 are not with the same license SKUs. This is an inconsistency with the same licenses, but different users.
In case we add two times the base license to these users, then the report takes them out. Reverting back to one base and one attach, again list these users with missing licenses. Microsoft just started an investigation into the details of this issue.
Is another postponement for the license enforcement expected?
Several clients are wondering if another postponement is expected. So far, there is no indication. If that is the case, Microsoft will update its initial blog: Simplifying License Management for Dynamics 365. Clients really need to prepare themselves for a license enforcement. It is now two months before the hard enforcement will start.
I do hope you liked this post and will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.
That’s all for now. Till next time!
Image by Gerd Altmann from Pixabay
Where can we report issues to Microsoft? I keep having an issue with a single access which I think is incorrectly marked as ‘not entitled’. Its frustrating that they gives this much information, but no basic process where to report issues, or even simple examples that guide you how to use the tools/reports.
Hi Robin,
You can create support tickets via the support option on Power Platform Admin Center or LCS. In case you also asked the question on the Dynamics Community forum about the single menu item, then I replied to it in detail explaining this is part of HR functionality and might be for that reason marked as HR and not for e.g. Finance.
Hi Andre,
We are having issue finding the correct license requirement. We have role “Manager” which shows “Team members” in View Permissions form in D365. But in PPAC, the user assigned to that role shows required license for Finance. which report report should we trust and what actions we can take to avoid having issues of access when MS deadline is reached.
Hi Zeeshan,
As mentioned in another blog, the information on View permissions has been deprecated and is not valid. The License consumption report on PPAC and LCS do have the source of truth.
In this case, the standard Manager role should be a Team member and not Finance. Does the user have more roles assigned, or is the manager role customized or extended? You can check which exact securable objects does trigger the higher license using the License usage summary form in Dynamics 365 F&O. After you know these, you can check if too many roles are assigned, if the manager role was customized, or if there is an entry point tagged with a wrong license requirement. In my environment, the standard Manager role still shows up with a Team member license.
Thanks Andre for quick response. We do have some customization on the Manager role.
If View permission is obsolete, where can we check which Entry point is causing the license upgrade.
Should we check “Not Entitled” column in PPAC Manager role object list.
Appreciate your help.
Hi Zeeshan,
You can read my other post on how to check for Not entitled permissions while checking roles, duties, or privileges. Dynamics 365 F&O license enforcement status – July 2025
Thanks Andre it is super useful.
Unfortunately, License usage summary report in our environment is not working it is giving below error
The menu item with name usersecgovlicenseobjects could not be opened.
Invalid sort field type.
We are on 10.0.44, i will raise MS ticket for this.
Hi Zeeshan,
I haven’t seen this issue before. Does this issue occur for all users? Have you tried updating to the latest available quality update?
Hi Andre,
Things have changed this week. as Manager role which was Team member last week, now marked to Project Operations. When checking the Not Entitled list in Team member license, surprisingly it is showing below Purchase approval menuitems like
PURCHTABLEAPPROVALAPPROVE as not entitled under Team members.
Hi Zeeshan,
According to the licensing guide, the purchase order approval is allowed to be used by Team members, so this is wrong. Microsoft announced quality updates to become available for 10.0.43 and 10.0.44 where some permissions on privileges will be corrected. In the meantime, you can solve this by lowering the access to these menu items to Read only. Grant on update, create, and delete permissions can be set to Unset.
Thanks Again Andre, it resolves the issue.
One more doubt, we have many roles having Project manager which makes them required Project Operations license. We have assigned SCM license but it says Missing Project Operations license. Do we need to purchase attached license for project operations?
Hi Zeeshan,
In case it mentions a missing license for Project Operations, that can be due to the features from this product being used, or a bug. Without any review of the role, yes, you would need an attach license for Project Operations. You can check what securable object triggers this license, and check if it is a bug or if you can reduce access to some objects by either taking them out of the role or making them read-only. Watch my updates as I’m working on a demo video on how to find these elements and take action. The video will be published within 12 hours from now.
Hello Andre,
Thanks for the explanation. I have one question, how will the system behave if a user has a base SCM license assigned, but their role requires Finance and they don’t have either an attach license or a Finance license assigned? Will they be able to access the system but only perform actions allowed by the SCM license? Or will they not be able to access the system at all? I think is partial access option, but I haven’t found an official sites that confirms this answer. Appreciate your help
Hi Miguel,
Your question is already answered in the User Security Role Reporting and Technical Validation for Dynamics 365 Finance and Operations Apps – FAQ. Here it is stated that users will lose access to the application in case not all required licenses are assigned.
On page 3 you see the statement: “Starting November 1, 2025, users without the required licenses will lose access to the application and will be prompted to request the necessary licenses from their administrator.“
Hi André,
Thanks for your answer and explanation and congratulation for your website.
Have a nice day
Hi André,
I’ve been working hard to ensure my company is compliant with this. When I’ve come in this morning my world has completely changed and we now require a multitude of commerce licences (previously none) and project operations licences (previously none). When I’ve looked at a few examples, Microsoft have added some copilot functionality in to standard duties/privileges which has pushed people to require higher licences. They have also changed some objects which previously required SCM to now require Commerce.
Microsoft is making it incredibly difficult to comply with this when the goal posts keep moving and if licence enforcement were in place, I’d have had over 100 users this morning calling to say they cannot get in to the system.
Do you have any information on this? It seems quite perverse and unfair that even a quality update (automatically pushed by MS) can suddenly change our position so much.
Hi Robert,
Can you provide some details? You mentioned you were working on ensuring your company is compliant. Did you make changes to existing roles? If so, what were the contents of the role before and currently? Some securable objects can be covered by more licenses. In case you, e.g., removed some Finance objects, then perhaps some other objects that were still in the role had a choice between Finance and Commerce. In that case, the role might change from SCM+Finance to e.g., SCM+Commerce or SCM+ProjOps. It is hard to judge, as I don’t know your exact details.
Also, it would be great to understand what you mean by 100 users who could not get into the system. The hard enforcement is not yet effective. That will start as of November 1.
Hi André,
Appreciate your response. The report this morning had changed dramatically. I can only assume Microsoft were making some changes. By mid-day the report had reverted to the same state as yesterday.
When I mentioned I would have 100 users that would not have access to the system. I was simply making a reference that if the hard enforcement were live, I would have had a huge problem this morning.
Do you have any insight as to how Microsoft will manage changes to standard security objects. If after a quality or feature update Microsoft have made changes, are we at risk of having users that would not be able to access the system until the roles and licence reports were checked after this update?
Thanks for the update and clarification, Robert. Glad to hear that the report was corrected already. There are some additional checks within the license enforcement that should prevent users from being denied if they were meeting the requirements a few days ago. Besides, in a sandbox, you can check the required licenses per role when performing a regression or UAT test for Dynamics 365 updates.
I was so glad to see this thread. The commerce licensing requirement went from less than 50 for our user base to over 400 between August and September. We identified one specific AOT item that was suddenly no longer entitled by Finance or SCM license by reviewing the old data we exported from the license usage summary to the current data. We reported it to Microsoft but so far nothing has changed with the license consumption report and unless we revoke access to that form, we will be on the hook for many more commerce licenses than were previously required. This kind of sudden change from Microsoft seems unfair and would suggest that at any time, they could change the requirements and cause business to come to a halt until the newly required licenses were purchased and assigned. Have you heard of this type of situation from anyone else? I continue to be in disbelief that Microsoft will begin enforcement so quickly with tools that are inaccurate and still being updated. We’ve spent a lot of time trying to be compliant, only to see the rules change and our numbers increase suddenly. Execs at the companies I work with are very unhappy with Microsoft.
Hello André, I saw that in the blog post you wrote “The validation will happen only in Dynamics 365 F&O production environments. […] The exact date can be different for each client. The roll-out can take up to September 18. So, in case the users don’t get warnings on, e.g., September 5, that does not mean that they have sufficient licenses assigned.”
Today it is September 19 and I have some users who are mentioned in the report by Microsoft as being non-license compliant. However, they do not see the warning banner at the top yet in the production environment. Do you know if the September 18 roll-out deadline has been moved by Microsoft?
Hi Pontus,
The observation is correct. So far, it seems like no user got the in-app warning. There are rumors that the soft warning has been postponed. We already asked Microsoft for clarity. So far no official statement. I think there will be some announcements or clarity soon.
Hi Andre,
We have enabled the ‘User Licence Validation Notice’ feature with the intention of having the banner displayed to users who are not correctly licensed. However, the banner is not appearing and we are sure that the user is not licensed.
Did you encounter this issue?
Thanks,
Kris
Hi Kris,
So far, I have not heard about any in-app warnings appearing at clients world-wide. I asked the question to the engineering team as September 18 is due. There will be a reply from Microsoft soon.
Noticed the same over here, so happy to read we (as a company) are not the only one!
Overall, my feeling is that the provided tooling of Microsoft is not sufficient yet to enforce the Licensing hard-cutoff as per November 1st. Also take into account the 1 Version concept, where we are allowed to skip one Version, and this can go from .43 to .45. Based on that, current availability is purely to (preview)-version of Security Governance.
An enforcement sounds only realistic in my opinion once all clients are on the “final”-version, and at least for several months (let’s say: 6 months), to have the opportunity to actually work with the Security Governance-elements.
Nevertheless, your articles are helping a lot @Andre!
For information, F&O license enforcement by Microsoft to begin from 15-01-2026
https://www.microsoft.com/en-us/dynamics-365/blog/it-professional/2025/09/25/simplifying-license-management-dynamics-365-finance-operations/?WT.mc_id=DX-MVP-5000413
That is correct, Mark. I posted this yesterday on LinkedIn. I need to update my blogs.
Hi André, you wrote about “Luckily, there are options for a license swap. You can exchange, e.g. Finance licenses for SCM licenses”. Some clients bought licenses for 3 years. As we contacted Microsoft the contact person didn’t know anything about a swap option. Do you know more?
Hi Alex,
I’m not a contract specialist, but what I understood (three people explained to me) is that there might be options for anniversary changes. Depending on the contract, there are even options to add one license and remove another one more often. I don’t have clients with experience myself.