Licensing Advent Calendar – Day 12 – Find privileges for not entitled objects


With Day 12, I have posted half of the promised blogs as part of the Licensing Advent Calendar. If you have read all the other posts, you now know how to find which users require what license(s), what roles are assigned, what causes the requirement for particular license SKUs, which application elements are not entitled to particular licenses per security role, and how these elements are connected to security roles via privileges and duties. Now you need to know if security roles can be adjusted to lower licenses and what privileges should be adjusted or replaced. Read more to find out how to find these privileges.

Security roles

Which security roles do you need to focus on? You will need to find out whether the licenses a role requires are in line with the license you expect; the Dynamics 365 licensing guide or experience can help here.

For each product, the guide contains a table listing the security roles, a brief description, and which licenses are valid, as shown in the example below.

The minimum license for, e.g., the Maintenance requester role is Team members, but in case a user has a higher license assigned, this is also possible. A user with the Cost accountant role needs a Supply Chain Management license.

There is also additional information about Team members and Operations – Activity licenses. This is written on pages 40 and 41 (December 2025 version). In addition, you can read more details in Appendices D and G.

When, e.g., a role requires 2 licenses, a read-only role is not on the Team members level, or (you think) the users are not performing the tasks that belong to a specific license, you can check which elements are not included for that license. Open the Licenses usage summary form in Dynamics 365, go to the Role licenses tab page, and select the record of the desired license level. I wrote about this in post Day 10 – Licenses usage summary.

Find privileges and duties

If you know what elements should be removed from the role or changed from write access to read access, you need to adjust or replace the privileges or duties. In case standard privileges are used, I suggest replacing the privilege (and/or duty). In case the privilege is custom, you can reconfigure it to meet your new requirements.

To find the privileges, you can take the following steps. Go to the Licenses usage summary page, filter on the role, and select the required license level. In this example, the custom project manager role requires more licenses than only Project Operations. Here is a simple calculation of the difference per user when Finance + Project Operations is required: together these two licenses cost $210 + $30 = $240 per month, while Project Operations alone is $135 per month. This is a difference of $240 – $135 = $105 per user per month. This year, I had a client with 50 project managers, where we could reduce the role to Project Operations only. This is a cost saving of about $60K a year.

When you select the required record in the top grid, you can either sort the column Not entitled in the lower grid from Z to A or set a filter on the value 1. You will then have all not entitled objects grouped. There is no direct option to see the related privilege or duty from this form. Here is a workaround.

Click on the first record in the column AOT Name and use the scroll bar (or the scroll wheel on your mouse) to move to the last not-entitled element. Then hold the Shift key and click on the last record in the AOT Name column. A blue rectangle will be visible around the column and the selected records.

Now copy the values (CTRL+C), open the Security configuration form, and find the security role.

Click on View permissions to open the content details for this security role.

Open the filter option on the column Context\Resource, change the filter option to is one of, and paste the copied values. This works with a larger number of elements as well. Then click on Apply.

You now have a list of the menu items and can see the privilege and duty names. Note that data entities and service operations have a prefix in the Context\Resource column and are, for that reason, not found using this trick. For the data entities and service operations, you will need to filter differently, e.g., using the filter type contains.

In this example, the duties Inquire into collections status and Maintain customer master were removed. The duty Inquire into customer master was only granting read permissions and did not raise the license level. If a menu item is referenced in several privileges, all of them show up with the filter on Context\Resource. You will need to verify, using the permission fields, which privileges contain any menu item with write permission.
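The same lookup can be done offline once both grids are exported, which also covers the prefixed data entities that the "is one of" filter misses. This is an added example, not code from the original post: the CSV column names, the single Access column, the `DataEntity\` prefix and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports. Column names, the "Access" values and the
# "DataEntity\" prefix are assumptions for this example, not the product's schema.
NOT_ENTITLED_CSV = r"""AOT Name,Not entitled
CustTable,1
CustCollections,1
ProjTable,0
CustCustomerEntity,1
"""

ROLE_PERMISSIONS_CSV = r"""Context\Resource,Duty,Privilege,Access
CustTable,Maintain customer master,Maintain customers (sample),Delete
CustTable,Inquire into customer master,View customers (sample),Read
CustCollections,Inquire into collections status,View collections (sample),Update
ProjTable,Maintain projects (sample),Maintain projects (sample),Delete
DataEntity\CustCustomerEntity,Maintain customer master,Maintain customers (sample),Create
"""


def not_entitled_names(usage_csv):
    """AOT names flagged with Not entitled = 1 for the selected license level."""
    rows = csv.DictReader(io.StringIO(usage_csv))
    return {r["AOT Name"].strip() for r in rows if r["Not entitled"].strip() == "1"}


def match_permissions(usage_csv, permissions_csv):
    """Join the not-entitled objects to the role's permission rows."""
    names = not_entitled_names(usage_csv)
    matches = []
    for row in csv.DictReader(io.StringIO(permissions_csv)):
        resource = row["Context\\Resource"].strip()
        # Menu items match exactly ("is one of"); prefixed resources such as
        # data entities only match on the segment after the last backslash.
        bare = resource.rsplit("\\", 1)[-1]
        if bare in names:
            matches.append({"resource": resource, "duty": row["Duty"],
                            "privilege": row["Privilege"], "access": row["Access"],
                            "prefixed": bare != resource})
    return matches


def duties_to_review(matches):
    """Duties holding at least one matched object with more than read access."""
    return sorted({m["duty"] for m in matches if m["access"] != "Read"})
```

Duties that only appear with Read access, like Inquire into customer master in the sample, stay out of the review list, matching the outcome described above.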

YouTube

I shared the trick for finding the privileges and duties earlier in a YouTube video. You can watch the demo below.

There is more…

During the Advent period, each day in December, I will share some thoughts and tips related to the Dynamics 365 user license enforcement. If you have questions about this topic, feel free to contact me via LinkedIn, the comments section below, or the contact form on this blog. I will then either update one of the planned blogs for the coming 24 days or answer questions in a new post.

Dynamics 365 Licensing Enforcement Advent Calendar



I do hope you liked this post and that it will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.


That’s all for now. Till next time!
