Create users in Dynamics 365 for Customer Engagement apps and assign security roles

Applies to Dynamics 365 for Customer Engagement apps version 9.x
Applies to Dynamics 365 for Customer Engagement apps version 9.x (on-premises)

You use the Office 365 Admin Center to create user accounts for every user who needs access to Customer Engagement apps. The user account registers the user with Microsoft Online Services environment. In addition to registration with the online service, the user account must be assigned a license in order for the user to have access to the service. Note that when you assign a user the global administrator or the service administrator role in the Microsoft Online Services environment, it automatically assigns the user the System Administrator security role in Dynamics 365 for Customer Engagement apps . More information: Differences between the Microsoft Online services environment administrative roles and Dynamics 365 for Customer Engagement apps (online) security roles

Create a user account

When you create a user account in the Office 365 Admin Center, the system generates a user ID and temporary password for the user. You have the option to let the service send an email message to the user as clear text. Although the password is temporary, you may consider copying the information to send to the user through a more secure channel, such as from an email service that can digitally encrypt the contents. For step-by-step instructions for creating a Microsoft Online Services user account, see Create or edit users in Office 365.

Video symbol Check out the following video: Add People to Dynamics 365 for Customer Engagement.

Note

When you create a user and assign a license in the Office 365 Admin Center, the user is also created in Customer Engagement apps. The synchronization process between the Office 365 Admin Center and Customer Engagement apps can take a few minutes to complete.

By entering a user ID and password, a user can access the Office 365 Admin Center to view information about the service. However, the user will not have access to Customer Engagement apps until you assign at least one Customer Engagement apps security role to this user.

Tip

To force an immediate synchronization between the Office 365 Admin Center and Customer Engagement apps, do the following:

  • Sign out of Customer Engagement apps and the Office 365 Admin Center.
  • Close all open browsers used for Customer Engagement apps and the Office 365 Admin Center.
  • Sign back in to Customer Engagement apps and the Office 365 Admin Center.

User profile information

Some user profile information is maintained and managed in the Office 365 Admin Center. After you create or update a user, these user profile fields are automatically updated and synchronized in your Customer Engagement instances.

The following table shows the fields that are managed in the Users section of the Office 365 Admin Center.

Dynamics 365 for Customer Engagement apps user form Office 365 / Azure Active Directory user
User Name Username
Full Name First name + Last name
Title Job title
Primary Email* Email
Main Phone Office phone
Mobile Phone Mobile phone
Fax Fax number
Address Street address
Address City
Address State or province
Address Country or region

*To prevent data loss, the Primary Email field does not automatically update and synchronize with Dynamics 365 for Customer Engagement apps (online).

The following are Office 365 user contact fields.

Office 365 user contact info

Add a license to a user account

You can license the user when you create the user account, or you can license the user later. You must assign a license to every user account that you want to access the online service.

For step-by-step instructions, see Assign, reassign, or remove licenses.

Important

Licensed users must be assigned at least one Dynamics 365 for Customer Engagement apps security role to access Customer Engagement apps.

About user licenses

  • Dynamics 365 for Customer Engagement apps uses user licenses to provide access to your organization. You need one user license per person with an active user record who logs into your organization.

  • When you add a new person, the New user account form displays the number of user licenses available. If you reach your limit, the On button is no longer available. You can add additional licenses by choosing Billing > Purchase Services from the left-side menu in the Office 365 Admin Center.

  • An unaccepted invitation requires a user license until the invitation expires two weeks after it was issued.

  • If you have more user licenses than you are using, contact support to reduce the number of licenses. You cannot reduce the number of licenses to less than you are currently using or less than your offer allows. Any changes are reflected in your next billing cycle.

  • Each user license requires a unique Microsoft account, and every user who logs on to Dynamics 365 for Customer Engagement apps needs a license. Most Customer Engagement apps subscriptions include a specific number of user licenses.

Assign a security role to a user

Security roles control a user’s access to data through a set of access levels and permissions. The combination of access levels and permissions that are included in a specific security role sets limits on the user’s view of data and on the user’s interactions with that data.

Dynamics 365 for Customer Engagement apps provides a default set of security roles. If necessary for your organization, you can create new security roles by editing one of the default security roles and then saving it under a new name.

You can assign more than one security role to a user. The effect of multiple security roles is cumulative, which means that the user has the permissions associated with all security roles assigned to the user.

Security roles are associated with business units. If you have created business units, only those security roles associated with the business unit are available for the users in the business unit. You can use this feature to limit data access to only data owned by the business unit.

For more information about the difference between Microsoft Online Services administrator roles and Customer Engagement apps security roles, see Grant users access to Microsoft Dynamics 365 for Customer Engagement apps (online) as a Microsoft Online service.

Important

You must assign at least one security role to every Customer Engagement apps user. The service does not allow access to users who do not have at least one security role. Even if a user is a member of a team with its own security privileges, the user won’t be able to see some data and may experience other problems when trying to use the system.

In Customer Engagement apps:

  1. Click Settings > Security > Users.

  2. In the list, select the user or users that you want to assign a security role to.

  3. Click Manage Roles.

    Only the security roles available for that user's business unit are displayed.

  4. In the Manage User Roles dialog box, select the security role or roles you want for the user or users, and then click OK.

(Optional) Assign an administrator role

You can share Microsoft Online Services environment administration tasks among several people by assigning Microsoft Online Services environment administrator roles to users you select to fill each role. You might decide to assign the global administrator role to a second person in your organization for times when you are not available.

There are five Microsoft Online Services environment administrator roles with varying levels of permissions. For example, the password reset administrator role can reset user passwords only; the user management administrator role can reset user passwords as well as add, edit, or delete user accounts; and the global administrator role can add online service subscriptions for the organization and can manage all aspects of subscriptions. For detailed information about Microsoft Online Services administrator roles, see Assigning Admin Roles.

Note

Microsoft Online Services environment administrator roles are valid only for managing aspects of the online service subscription. These roles don’t affect permissions within the Customer Engagement apps service.

Enable or disable users

To enable a user, assign a license to the user and add a user to the security group that is associated with an instance of Customer Engagement apps. If you enable a user that was disabled, you must send a new invitation for the user to access the system.

To disable a user, remove a license from the user or remove the user from the security group that is associated with an instance of Customer Engagement apps. Removing a user from the security group doesn’t remove the user’s license. If you want to make the license available to another user, you have to remove the license from the disabled user.

Note

Removing all security roles from the user prevents the user from signing into and accessing Customer Engagement apps. However, it doesn’t remove the license from the user and the user remains in the list of the enabled users in Customer Engagement apps. Removing security roles from a user isn’t a recommended method of removing access to Customer Engagement apps.

You must be a member of an appropriate administrator role to do these tasks. More information: Assigning Admin Roles

Enable a user by assigning a license to the user and adding a user to the security group

  1. Browse to the Office 365 admin center and sign in.

  2. Click Users > Active users and select the user.

  3. Under Product licenses, click Edit.

  4. Turn on a **Dynamics 365 for Customer Engagement apps ** license, and then click Save > Close.

  5. In the Office 365 Admin Center, click Groups > Groups.

  6. Choose the security group that is associated with your Customer Engagement apps organization.

  7. Under Members, click Edit, and then Add members. Select from the list of users with Office 365 licenses or use Search to find users.

  8. Select the users to add to the security group, and then click Save > Close multiple times.

    To add multiple users, see: bulk add users to Office365 groups.

Disable a user by removing a license from the user

  1. In the Office 365 Admin Center, click Users > Active Users and select a user.

  2. In the right-side menu, under Product licenses, click Edit.

  3. Turn off the **Dynamics 365 for Customer Engagement apps ** license, and then click Save > Close multiple times.

Disable a user by removing the user from the security group that is associated with an instance of Dynamics 365 for Customer Engagement apps (online)

  1. In the Office 365 Admin Center, click Groups > Groups.

  2. Choose the security group that is associated with your Customer Engagement apps organization.

  3. In the right-side menu, under Members, click Edit.

  4. Click Remove members, and then the select users to remove from the security group.

  5. Click Save > Close multiple times.

Note

You can also delete users in the Office 365 Admin Center. When you remove a user from your subscription, the license assigned to that user automatically becomes available to be assigned to a different user. If you want the user to still have access to other applications you manage through Office 365, for example Microsoft Exchange Online or SharePoint, don't delete them as a user. Instead, simply remove the Dynamics 365 for Customer Engagement apps license you've assigned to them.

Note

When you sign out of the Office 365 Admin Center, you aren’t signing out of Customer Engagement apps. You have to do that separately.

Tip

To force an immediate synchronization between the Office 365 Admin Center and Customer Engagement apps, do the following:

  • Sign out of Customer Engagement apps and the Office 365 Admin Center.
  • Close all open browsers used for Customer Engagement apps and the Office 365 Admin Center.
  • Sign back in to Customer Engagement apps and the Office 365 Admin Center.

Create an Administrative user account

An Administrative user is a user who has access to the Settings and Administration features but has no access to any of the customer engagement functionality. It is used to allow customers to assign administrative users to perform day-to-day maintenance functions (create user accounts, manage security roles, etc). Since the administrative user does not have access to customer data and any of the customer engagement functionalities, it does not require a Dynamics 365 for Customer Engagement apps (online) license (after setup).

You need to have the System Administrator security role or equivalent permissions in Dynamics 365 for Customer Engagement apps to create an administrative user. First, you’ll create a user account in Office 365 and then in Dynamics 365 for Customer Engagement apps (online), select the Administrative access mode for the account.

Note

See Create an administrative user and prevent elevation of security role privilege for an example of how an Administrative user account can be used.

  1. Create a user account in the Office 365 Admin Center.

    Be sure to assign a Customer Engagement apps license to the account. You'll remove the license (step 6) once you've assigned the Administrative Access Mode.

  2. Go to Customer Engagement apps.

  3. Go to Settings > Security.

  4. Choose Users > Enabled Users, and then click a user’s full name.

  5. In the user form, scroll down under Administration to the Client Access License (CAL) Information section and select Administrative for Access Mode.

    You then need to remove the Customer Engagement apps license from the account.

  6. Go to the Office 365 Admin Center.

  7. Click Users > Active Users.

  8. Choose the Administrative user account and under Product licenses, click Edit.

  9. Turn off the Customer Engagement apps license, and then click Save > Close multiple times.

Create a non-interactive user account

The non-interactive user is not a ‘user’ in the typical sense – it is not a person but an access mode that is created with a user account. It is used for programmatic access to and from Dynamics 365 for Customer Engagement apps between applications. A non-interactive user account lets these applications or tools, such as a Dynamics 365 for Customer Engagement apps to ERP connector, authenticate and access Dynamics 365 for Customer Engagement apps (online), without requiring a Dynamics 365 for Customer Engagement apps (online) license. For each instance of Dynamics 365 for Customer Engagement apps (online), you can create up to five non-interactive user accounts.

You need to have the System Administrator security role or equivalent permissions in Dynamics 365 for Customer Engagement apps to create a non-interactive user. First, you’ll create a user account in Office 365 and then in Dynamics 365 for Customer Engagement apps, select the non-interactive access mode for the account.

  1. Create a user account in the Office 365 Admin Center.

    Be sure to assign a Customer Engagement apps license to the account.

  2. Go to Customer Engagement apps.

  3. Go to Settings > Security.

  4. Choose Users > Enabled Users, and then click a user’s full name.

  5. In the user form, scroll down under Administration to the Client Access License (CAL) Information section and select Non-interactive for Access Mode.

    You then need to remove the Customer Engagement apps license from the account.

  6. Go to the Office 365 Admin Center.

  7. Click Users > Active Users.

  8. Choose the non-interactive user account and under Product licenses, click Edit.

  9. Turn off the Customer Engagement apps license, and then click Save > Close multiple times.

  10. Go back to Customer Engagement apps and confirm that the non-interactive user account Access Mode is still set for Non-interactive.

Create an application user

Introduced in December 2016 Update for Dynamics 365 (online), you can use server-to-server (S2S) authentication to securely and seamlessly communicate with December 2016 update for Dynamics 365 (online) with your web applications and services. S2S authentication is the common way that apps registered on Microsoft AppSource use to access the Dynamics 365 (online), version 8.2 data of their subscribers. All operations performed by your application or service using S2S will be performed as the application user you provide rather than as the user who is accessing your application.

All application users are created with a non-interactive user account, however they are not counted towards the five non-interactive user accounts limit. In addition, there is no limit on how many application users you can create in an instance.

Application user

How stub users are created

A stub user is a user record that has been created as a placeholder. For example, records have been imported that refer to this user but the user does not exist in Dynamics 365 for Customer Engagement apps (online). This user cannot log in, cannot be enabled, and cannot be synchronized to Office 365. This type of user can only be created through data import.

A default security role is automatically assigned to these imported users. The Salesperson security role is assigned in a Dynamics 365 for Customer Engagement instance and the Common Data Service User security role is assigned in a PowerApps environment.

Manage users in Microsoft Dynamics 365 (on-premises)

With Microsoft Dynamics 365 (on-premises), you can add users to your organization one at a time, or add multiple users at the same time by using the Add Users wizard.

Add a user

  1. Go to Settings > Security.

  2. Choose Users.

  3. On the toolbar, choose New.

  4. On the New User page, in the Account Information section, specify the User Name for the user.

  5. In the User Information section, specify the Full Name for the user.

  6. In the Organization Information section, verify the Business Unit for the user.

  7. Follow the step for the task you’re doing:

    • To save the information for the new user, choose Save.

    • To save the information for the user and add another user, choose Save & New.

    • To add another user without saving the information you entered for the user, choose New, and then in the Message from webpage dialog box, choose OK.

    Next, you’ll need to assign a security role to the newly added user. See “Assign a security role to a user” later in this topic.

Add multiple users

You can add multiple user records for the same set of security roles by using the Add Users wizard. Any users you add must be in the Active Directory directory service.

  1. Go to Settings > Security.

  2. Choose Users.

  3. On the toolbar, choose New Multiple Users.

    The Add Users wizard opens.

  4. On the Select Security Roles page, select one or more security roles, and then choose Next.

  5. On the Select Access and License Type page, under Access Type, select the appropriate access type for this set of users.

  6. Under License Type, specify the license type for this set of users.

  7. Under Email Access Configuration, specify how this set of users will access incoming and outgoing email messages, and then choose Next.

  8. On the Select Domain or Group page, specify to select users from all trusted domains and groups or users from a particular domain or group, and then choose Next.

  9. On the Select Users page, type a part of the name of user you want to add to Microsoft Dynamics 365. Use semi-colons between names.

  10. Choose Create New Users.

  11. On the Summary page, review the information about the user additions, and then follow the step for the task you are performing:

    • To close the Add Users wizard, choose Close.

    • If you need to add more users, for example with a different set of security roles, choose Add More Users to begin the wizard again.

    Note

    To edit a specific user record, close the wizard, and then open the user record from the list.

Assign a security role to a user

After you create users, you must assign security roles for them to use Microsoft Dynamics 365. Even if a user is a member of a team with its own security privileges, the user won’t be able to see some data and may experience other problems when trying to use the system. More information: Security roles and privileges

  1. Go to Settings > Security.

  2. Choose Users.

  3. In the list, select the user or users that you want to assign a security role to.

  4. Choose More Commands (...) > Manage Roles.

    Only the security roles available for that user's business unit are displayed.

  5. In the Manage User Roles dialog box, select the security role or roles you want for the user or users, and then choose OK.

Enable a user

  1. Go to Settings > Security.

  2. Select Users.

  3. Select the down arrow next to Enabled Users, and then choose Disabled Users.

  4. Select the checkmark next to the user you want to enable, and on the Actions toolbar, select Enable.

  5. In the Confirm User Activation message, select Activate.

Disable a user

  1. Go to Settings > Security.

  2. Choose Users.

  3. In the Enabled Users view, select the checkmark next to the user you want to disable.

  4. On the Actions toolbar, select Disable.

  5. In the Confirm User Record Deactivation message, select Deactivate.

Update a user record to reflect changes in Active Directory

When you create a new user or update an existing user in Microsoft Dynamics 365 (on-premises), some fields in the Dynamics 365 user records, such as the name and phone number, are populated with the information obtained from Active Directory Domain Services (AD DS). After the user record is created in Dynamics 365, there is no further synchronization between Active Directory user accounts and Dynamics 365 user records. If you make changes to the Active Directory user account, you must manually edit the Dynamics 365 user record to reflect the changes.

  1. Go to Settings > Security.

  2. Choose Users.

  3. In the list, select the user you want to update, and then choose Edit.

The following table shows the fields that are populated on the Dynamics 365 user form (user record) from the Active Directory user account:

Dynamics 365 user form

Active Directory user

Active Directory object tab

User name

User logon name

Account

First name

First name

General

Last name

Last name

General

Main Phone

Telephone number

General

Primary Email

Email

General

*Address

City

Address

*Address

State/province

Address

Home phone

Home

Telephones

  • The Dynamics 365 Address field is comprised of the values from the City and State/province fields in Active Directory.

See also

Manage subscriptions, licenses, and user accounts
Assigning Admin Roles
Add users to Office 365 for business
Security roles and privileges
Manage Microsoft Dynamics 365 for Customer Engagement apps (online) licenses