How to find privileges and duties for not-entitled securable objects
As part of the upcoming license enforcement for Microsoft Dynamics 365 F&O, the license calculation logic was completely rebuilt and now executed outside of the application. The results are brought back in new licensing-related tables. The legacy calculation logic has been deprecated, and where the outcome was used, the fields showing a particular license were removed. When the View permission page showed the license levels in the past, it was easy to find which privileges and duties as part of a security role were causing a higher license requirement than intended. Today, you can relatively easily find the securable objects that can be removed or set as read-only to lower the license requirement for a security role, but then there is no drill-down to find the related privileges and duties. In this post, I will share a trick to make you more productive.
Update September 25, 2025: The license enforcement has been postponed and will now follow contract renewal or anniversary dates. Read more here: LinkedIn Post.
View permissions
As mentioned in the introduction and in a previous blog post, the View permissions form that you can open from the Security configuration page does not show the details of licenses anymore. In case you will now install the latest available quality update for Dynamics 365 version 10.0.43 or above, the summarized license requirement field is also removed. Similarly, the license information is also not available on the Security analysis inquiry form, part of the new User Security Governance features.
Using this form made me productive in the past. Now I don’t know what objects are triggering an unwanted license, and this can only be found on the License usage summary page, where there is no cross-reference to privileges and duties. A combination of these forms will give you the insights, and then you will be able to take action on reducing access to lower the license requirement for a security role.
In the video below, you will learn how to find the privileges and duties for non-entitled securable objects based on a real-life example while performing an optimization for one of my clients.
There is more…
In case you don’t know the exact role where some securable objects are used, you can perform the same trick by finding the objects from the tab User licenses. The Security analysis form can then be used to filter the objects in the same way as demonstrated in the video.
The document with frequently asked questions has been updated. There is no clear change log, but it now shows standard security roles that are excluded from license calculation, as they are supposed to be used with a service account, device, or for system administration tasks.
Some known issues are listed on the Support page. E.g., currently, external users from another tenant are not included in the licensing report. You can monitor their status to know when the issues are resolved.
It is worth checking for the latest available binary updates for your environment, which also contain fixes around license enforcement.. You can find these from the environment page on LCS. You can choose to install the latest released fixes or wait for the quality update to be available for your version. Release schedule for proactive quality updates – Finance & Operations | Dynamics 365 | Microsoft Learn
Note that there is no need to update from Microsoft Dynamics 365 F&O version 10.0.43 to a more recent version (10.0.44 or 10.0.45) for the license enforcement. All calculation is performed outside of the application, and fixes are made available for multiple versions via the quality updates.
At this moment, still, clients are not fully prepared and are looking for additional help. I compiled a list of resources available online to help you with this topic.
Microsoft Learn
Simplifying License Management for Dynamics 365
View license consumption for finance and operations apps – Power Platform | Microsoft Learn
Dynamicspedia
Help! User license enforcement in Dynamics 365 F&O
Dynamics 365 F&O license enforcement status – July 2025
A picture says more than words – User license consumption report reimaged
Dynamics 365 F&O Last-minute Questions on License Enforcement
Other blogs
D365FSC License Enforcement Overview – Alex Meyer
Updated D365FSC User Licensing in 10.44 – Alex Meyer
I do hope you liked this post and will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.
That’s all for now. Till next time!
Image by Kris from Pixabay 
Thanks for sharing this, as it confirms my way of doing it!
I do have a question however.
In the video you mention around time-stamp 5:00 the following
“If you only have Grant on the Read and everything else unset, it’s Read. And in case something is triggered on Update, Create, Delete, Correct or Invoke, if that’s Grant on one of these, it’s Write”
Within the Security Configuration-screen of the action menu items within a privilege, I can only change the settingd of Read, Update, Create and Delete.
Where can I find Correct and Invoke, and how to change this to Unset or Deny?
Hi Patrick,
You can find an instruction how to get rid of the Correct and Invoke settings on another blog: Help! My configured read-only role requires an operations or activity license
Hi André,
Thanks!
Your trick of “…remove the menu items from the privilege and add them again.” worked.
As you stated, this will be a tedious job since I have many security resources with this issue.
I will also check your other options/suggestion, to check if those are easier/faster.
From the video I have two (2) questions. a. For the added privileges related to maintain and view item requirements is it required to check the type of license attraction first? b. For the user the Supply Chain Management entitlements were 1037. How do we know what entitlements are used up so far to have catered for the added two privileges to ensure overall the license consumption for the user was overall Supply Chain Management.