This article is a guide on how to install and configure the Dynamics 365 F&O License Automation solution. Configuration is required in Microsoft Entra ID, Azure Key Vault, and the Power Automate flows.

In this article:

System requirements
Create and configure app registration in Microsoft Entra ID
Create and configure Key Vault in Azure
Download the solution and related files
Excel worksheet preparations
Import the solution into Power Automate
Configure the Power Automate flows
Verify the first flow runs
Additional resources

System requirements

The Dynamics 365 F&O License Automation solution requires the deployment of Microsoft Dynamics 365 F&O with a current supported version (10.0.44 and above). Preferably, the User Security Governance features are enabled.

Your Dynamics 365 F&O environment must be linked with a Dataverse environment. The link is already available for all Microsoft-hosted production and sandbox environments deployed via Lifecycle Services (LCS) and all unified environments deployed via Power Platform Admin Center (PPAC). Dataverse is not automatically configured for cloud-hosted environments deployed via your own Azure subscription. If Dataverse isn’t already set up for your environment, follow the instructions in Enable Power Platform Integration.

In case you install the solution on a cloud-hosted environment, the license details for security roles should be copied from another environment.

Create and configure app registration in Microsoft Entra ID

An app registration is required to be able to interact with Microsoft Graph on user and license details. The app registration will get client credentials and specific API permissions on Microsoft Graph. It is recommended to perform this task using an administrator account, as consent is required to activate the permissions.

From the Azure portal, go to the Microsoft Entra ID resource. Navigate to App registrations. Then click on New registration.

You need to provide a name for the app registration. You can choose your own name. It is recommended to give a meaningful name for recognition. There is no need to change the Supported account types, as the app should be restricted to your own tenant only for the highest possible security. Click on Register to complete the registration and have it available in Azure.

When the resource is created, copy the values of the Application (client) ID, and Directory (tenant) ID, and store these for next steps. Then click on Add a certificate or secret.

On the Certificates & secrets page, navigate to the Client secrets tab page and click on New client secret. A dialog will open where you can provide an optional description and choose how long the secret will remain valid. Then click on Add.

The client secret is created. Copy the Value for the next steps and future reference. Note that it is not possible to view the secret value after you leave this page. Ensure you store it in a safe place.

Next, you need to configure API permissions. Go to API permissions in the left menu and then click on Add a permission. A dialog window Request API permissions will open. On this dialog, click on Microsoft Graph.

On the next step, click on Application permissions.

On the next page, there are options to enable distinct Microsoft Graph permissions. Read permissions on users are already enabled by default. You need to enable the options Directory > Directory.Read.All and LicenseAssignment > LicenseAssignment.ReadWrite.All. Then click on Add permissions.

The next step requires access to manage and change permissions in your directory. Click on Grant admin consent for {organization name}.

There will be a pop-up box visible with the text to confirm the grant admin consent. Click yes. The result will be that access is granted for your organization.

This app registration is required for the flow to read user data and read + write license data. Secrets of this app registration will be used to get an authorization token to interact with Microsoft Graph from the Power Automate flow.

Create and configure Key Vault in Azure

To ensure the secrets will not be visible to someone who can interact with the Power Automate flows, values need to be stored in a safe place that will not be readable by other users. For this purpose you need to create a Key Vault. In the Azure Portal, navigate to the Key Vault resource.

On the Create a key vault page you need to provide values for:

  • (new) resource group
  • Key vault name
  • Region

The key vault name should have a unique value. The standard pricing tier is recommended for this flow. The cost of secrets operations is $0.01 (one dollar cent) per 10000 transactions for both the standard and the premium tier. Running the core flow will trigger 2 secrets operations per run.

Details on the other tab pages can remain on default values. Access will be done via the recommended Role Based Access Control (RBAC). Click on Review + create.

On the review page, check the details and click Create.

After about 30-60 seconds, the key vault is created and ready for use. Click on Go to resource.

Next steps are to configure access control and the secrets. Without additional access, you are not able to configure the secrets. Go to Access control (IAM) and then click on Add > Add role assignment.

Search for the Key Vault Administrator in the Job function roles. Select this value and click Next.

On the Members step, click on Select members. A dialog window will open. Search for your user and click on it. The user will be added as Selected members. Click on Select.

When the details are correct, click on Review + assign.

Repeat the step to add a role assignment for the Key Vault Secrets User role.

The app registration created earlier will be used as a service principal for the Key Vault Secrets.

When you have executed two role assignments, you can go to the Secrets and click Generate/Import. In case you see a message about Role Based Access Control on this page, you might not have the correct security role applied to your user for this Key Vault.

On the Create a secret page, fill the next entry fields:

Name: fill this field with the value ClientID. Do not use a different name, as that would require additional edits in the Power Automate flow.

Secret value: fill this field with the value of the Application (client) ID you copied before from the newly created app registration.

Repeat the step for creating a secret. Fill in the values as follows.

Name: fill this field with the value Secret. Do not use a different name, as that would require additional edits in the Power Automate flow.

Secret value: fill this field with the secret value of the created client secret from the new app registration.
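An audit of who can read the ClientID and Secret values after the role assignments above, as an added example that is not part of the solution or of the original article. It assumes the Key Vault Secrets User role is held by the app registration's service principal, and it reads a constructed list shaped like the JSON that `az role assignment list` prints; all names and IDs are placeholders.

```python
# Built-in roles whose data actions allow reading secret values.
SECRET_READ_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer",
                     "Key Vault Secrets User"}


def applies_to(assignment_scope: str, vault_scope: str) -> bool:
    """True when the assignment sits on the vault itself or on a parent scope."""
    a = assignment_scope.rstrip("/").lower()
    v = vault_scope.lower()
    return v == a or v.startswith(a + "/")


def audit_vault_access(assignments, vault_scope, flow_principal):
    """Return (secret_readers, findings) for the vault holding ClientID and Secret."""
    readers, findings = set(), []
    for a in assignments:
        role, name = a["roleDefinitionName"], a["principalName"]
        if role not in SECRET_READ_ROLES or not applies_to(a["scope"], vault_scope):
            continue
        readers.add(name)
        if a["scope"].rstrip("/").lower() != vault_scope.lower():
            findings.append(f"{name}: {role} inherited from {a['scope']}")
        if name == flow_principal and role != "Key Vault Secrets User":
            findings.append(f"{name}: flow identity holds {role}, more than read access")
    if flow_principal not in readers:
        findings.append(f"{flow_principal}: no secret read role, the flow cannot fetch secrets")
    return sorted(readers), findings


# Constructed sample, shaped like `az role assignment list` JSON output.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-license-demo"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-license-demo"
APP = "00000000-0000-0000-0000-000000000002"  # placeholder client ID
SAMPLE = [
    {"principalName": "admin@contoso.example", "roleDefinitionName": "Key Vault Administrator", "scope": VAULT},
    {"principalName": APP, "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT},
    {"principalName": "makers@contoso.example", "roleDefinitionName": "Key Vault Secrets Officer", "scope": RG},
    {"principalName": "viewer@contoso.example", "roleDefinitionName": "Reader", "scope": VAULT},
]

if __name__ == "__main__":
    readers, findings = audit_vault_access(SAMPLE, VAULT, APP)
    print("can read secrets:", readers)
    for line in findings:
        print("finding:", line)
```

In the sample, the resource-group assignment is reported because it lets a principal outside this guide's setup read the stored client secret through inheritance.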

Download the solution and related files

For the license automation, you need to download the solution with Power Automate flows and an Excel worksheet to support the license automation flow.

After you download the solution, extract the files and read the provided text files to be aware of the MIT Open Source License. The Excel sheet with the name Dynamics 365 Role Licenses.xlsx should be placed in a cloud storage location accessible by the Power Automate flow. This can be, e.g., a SharePoint or Teams location, but also your OneDrive for Business.

Excel worksheet preparations

When the Excel sheet is placed in the correct location, you can open the file.

On the sheet with the name LicensingRoleLicenseAssignments, data needs to be pasted from a table with the same name in Dynamics 365 Finance and Operations. You can open the table browser from your environment by altering the URL in your browser. After the core F&O URL you need to set the parameters to
?mi=SysTableBrowser&TableName=LicensingRoleLicenseAssignments

If your Dynamics environment has the following URL:
https://dynamicspedia-prod.operations.eu.dynamics.com/?cmp=USMF&mi=ImmersiveHome

then this needs to be changed to:

https://dynamicspedia-prod.operations.eu.dynamics.com/?mi=SysTableBrowser&TableName=LicensingRoleLicenseAssignments

This opens the table whose data is needed as reference data in the Excel file. It includes the license details for standard and custom roles. Click on the Office button and choose the option Export to Excel.

On the Export to Excel dialog, either download or save the file to OneDrive or SharePoint and open the Excel sheet. Select all the data rows, excluding the table headers.

Now, copy the data and paste it into the Dynamics 365 Role Licenses.xlsx file on the first worksheet. Ensure you leave the preformatted table with the headings, as this sheet is a reference for a Power Query in the worksheet.

In the menu, go to Data and click on Refresh all. This will combine the first two worksheets into a table on the worksheet Role License Table. Save the changes and close the Excel workbook.

Import the solution into Power Automate

In your web browser navigate to https://make.powerautomate.com/. Select the correct environment in the top bar. Go to the Solutions page. Click on Import solution.

On the dialog Import a solution, browse for a ZIP file beginning with the name Dynamics365FOlicenseautomation, ending with a version indication, and the ZIP extension. Then click Next.

Check for the correct name and version to ensure you import the correct solution. Click Next.

On the Connections step, you need to provide credentials for the connectors used in the solution. Some might be recognized already automatically via your login. The Azure Key Vault Dynamics 365 License Automation needs to be configured when importing the solution the first time.

Click on the ellipsis icon and then choose Add new connection.

On the Azure Key Vault connection settings, set the Authentication type to Service principal authentication and fill the other fields with the information you copied before when creating the App registration.

When the connection is successfully created, you can click on Import.

When the import is complete, you will see a warning. Click on Publish all customizations.

Configure the Power Automate flows

When the previous step is complete, go to the tab page My flows. Two instant flows are enabled; the third flow is disabled by default. Select the flow Dynamics 365 F&O License Automation – base, and click on the Edit icon.

In the flow, select the Excel action with the name List Role License Table. In the Parameters, choose your file location. It is also possible to change the Location for a Teams channel or SharePoint location. Do not change the Table parameter. This will be reinstated when you Publish the change.

In case you are not able to change the location, try switching off the New designer experience (top-right setting).

Go back to My flows and check if the two instant cloud flows starting with the name Dynamics 365 F&O License Automation are enabled.

The flow with the name Dynamics 365 F&O License Automation – role assignment change is optional. When you enable this flow, it will run automatically when you add a security role to a user in Dynamics 365 F&O.

When you want to enable the flow Dynamics 365 F&O License Automation – role assignment change, you need to provide your tenant ID in the flow. If the value is missing or incorrect, the base flow will fail. In a previous step, the Tenant ID was copied and saved. Optional: You can provide one or more email addresses to enable email notifications after each run.

Verify the first flow runs

To ensure the flows run correctly in your environment, first start the base flow for a few users. Select some users with, e.g., a single base license, a Team members license, and one that requires a base and attach license (if applicable in your environment).

When you run the base flow, in the input parameters, you must only provide the UserID. The TenantID field may be left empty. This will be automatically retrieved by logic in the flow. See also: Use the Microsoft Entra tenant ID in Power Automate Flow

As an example, I will run the flow for David, who needs a Supply Chain Management license. After entering the user ID, click Run flow.

The duration of the flow run is about 20-30 seconds, depending on the number of licenses to be assigned. You can check the assigned licenses in the Microsoft 365 admin center.

The flow that runs for all users is set to run the license automation for 10 users in parallel. Running this flow for 100 users will take about 150-180 seconds. In case of retries of particular flows, the time can be longer. Setting a higher number for the flows to run in parallel does not gain a lot of time. Instead, it can consume licenses that are not available in your tenant due to concurrent calls to the Microsoft Graph license API.

The flow Dynamics 365 F&O License Automation – all users will send an email notification with a summary of the users checked for required licenses.

At the end of the email, there is a paragraph with the next steps and links to the Microsoft 365 admin center and Power Platform admin center for reviewing the status or manual overrides, and assigning licenses.

Additional resources

Dynamics 365 F&O License Automation overview
This article provides an overview on the Dynamics 365 F&O License Automation solution.

Dynamics 365 F&O License Automation download
This page has the asset to download the solution with related files.

Introducing Dynamics 365 F&O License Automation
This is a blog post announcing the availability of the Dynamics 365 F&O License Automation solution.

Extend Dynamics 365 F&O License Automation with custom flows
Coming soon!