Licensing Advent Calendar – Day 17 – Licensing SKU on Duplicate Roles and Duties

We are getting closer to Christmas and the license enforcement. The first clients of Dynamics 365 have experienced the in-app warnings. In the post for day 17, I will explain a new selection option that got introduced by Microsoft, where you can choose what license SKU should remain after duplicating a security role or duty.

Duplicate security objects

On the Security configuration form, you can duplicate existing objects. After the duplication, you can make changes by, e.g., removing or adding references for tweaking the role, duty, or privilege. I used this option quite often when an organization-specific copy of a duty or privilege is required. You can then fine-tune security for specific use cases.

For about a month, a new parameter has been available on the Duplicate feature. This started to roll out to preview versions and later in quality updates for supported Dynamics 365 F&O versions. I talked and demoed about this at my last two in-person events: D365 Community Summit, November 22, Lisbon, Portugal, and the DynUG Høstkonferanse 2025, November 25/26, Oslo, Norway.

While writing a blog about the new License SKU parameter on the Duplicate feature, I got the idea for creating this Licensing Advent Calendar and planned it to be part of this blog series.

License SKU parameter

When you have installed the latest quality update for your Dynamics 365 F&O version, there is a new parameter available on the Duplicate feature. It allows you to select one license SKU. When the duplicate logic executes, it will duplicate only the references that are fully entitled for the selected license SKU. The additional parameter only shows up when you try to duplicate a security role or duty. It is not supported for privileges.

Let’s first have a look at the process and then talk about some conclusions. In my demo environment, I have a Project Manager role that requires two base licenses: Project Operations and Finance. As the role was intended to be used with a Project Operations license, I want to explore the differences when cleaning the role for only one base license.

Go to the Security configuration page, select a role, and click on Duplicate. This opens a dialog window where you can next to providing a new name, select the desired License SKU.

You can select only one license SKU. In case you have a security role requiring three different licenses SKUs and want to remove only one, then this feature does not support you. Instead of a base license, you can also choose for e.g. a Team members or Operations – Activity SKU. Click OK.

The security object will be duplicated, and a message appears telling you that particular references were excluded from the copy process. You can click on Message details to get more information. A dialog form appears where you can also download a report about the excluded references.

In this example, there were only two elements excluded. The maintenance of the customer master record requires a Finance or SCM license and is therefore excluded. The Inquire into collections status exclusion is weird, as this is supposed to be a Team members license SKU. The report also mentions the number of entitled and not entitled objects. As the Inquiry duty contains privileges with write permissions that require another license, this is excluded as well.

Excluded elements

When duplicating a role, it will review all referenced duties, privileges, and sub-roles. When duplicating a duty, it will check only for fully entitled privileges.

In case a security layer has one element that is not entitled, it will be excluded from the duplicated role. In case, e.g., sub-roles are removed from the duplicated role, this will also be listed in the report. The duplicate function will not check which exact securable elements are entitled or not. E.g., the 456 entitled objects part of the inquiry duty from the example above are not copied to a new privilege. It is checking it on the role, duty, or privilege level.

You must be aware that the duplicate function with the license selection does not know anything about the intended process and what features a user should have access to. In many cases, using the License SKU selection will not give a result that will be directly applicable in your environment. Most likely, you will need additional manual work to get the desired result. In case you want to split roles for having a role per license, then this new feature is your friend.

In case you want to reduce the license requirement for an existing role, then this feature cannot be used. Maybe you can get the report on which elements are not entitled to the desired license to know what duties and privileges to focus on. Another option for this has been provided on Day 12 – Find privileges for not entitled objects

Possible missing report

A few days ago, Alex Meyer also wrote a blog about this new feature, where he mentioned that the excluded elements were not reported in a specific case. I had not noticed that before. Alex mentioned that it was missing when duplicating a duty. When I tried to reproduce that behavior, initially, I got the report as expected. I used a custom duty for this scenario. Then I tried it with the same duty as Alex referred to in his blog post, and I can confirm that no excluded privileges were reported. You can read Alex’s blog post here: New Security Duplication Feature in D365FSC – Alex Meyer

There is more…

During the Advent period, each day in December, I will share some thoughts and tips related to the Dynamics 365 user license enforcement. If you have questions about this topic, feel free to contact me via LinkedIn, the comments section below, or the contact form on this blog. I will then either update one of the planned blogs for the coming 24 days or answer questions in a new post.

Dynamics 365 Licensing Enforcement Advent Calendar

I do hope you liked this post and will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.


That’s all for now. Till next time!