Grant users access
To have users up and running in model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service, you complete some administrative tasks in the Microsoft 365 admin center—which you generally do only once—followed by administrative tasks.
model-driven apps in Dynamics 365 are an online service subscription. When you signed up for this service, you received a set of licenses with your subscription, one license for each user. You can purchase additional licenses if you need them.
As described in step one that follows, in the Microsoft 365 admin center, register your users so that they are recognized in the Microsoft Online Services environment, assign a license to each user, and then assign administrative roles to the users you choose to fill those roles. More information: Assigning admin roles
In model-driven apps in Dynamics 365, populate the service with your organization’s data, including users and their security roles, business units, and any existing data that you want to import from other applications or services. If your organization uses business units, assign users to the appropriate business unit, and then assign a security role to each user. model-driven apps in Dynamics 365 includes predefined security roles that aggregate a set of user permissions to simplify user security management. An organization can define additional roles or edit predefined security roles to meet its unique security needs. For more information about security roles, see Security roles and privileges.
When you assigned any of the licenses or the Microsoft Power Automate license to a user, the user is automatically added to all your environments, however users can’t access any model-driven apps in Dynamics 365 until they’ve been assigned at least one security role. See Step Two: Assign security roles.
Differences between the Microsoft Online services environment administrative roles and Common Data Service security roles
Administrative roles are available to assign to users in the Microsoft 365 admin portal. The administrative roles cover a set of rights and permissions related to managing the service subscription, such as adding users and assigning licenses. The global administrator role has rights to control every aspect of the subscription and to add subscriptions to other online services. The password administrator role has rights to reset a user’s password, create service requests, and monitor the service.
Security roles are assigned within model-driven apps in Dynamics 365 and cover rights and permissions-related aspects, for example, permission to update records or to publish customizations.
The roles are similar in that both types contain aggregated sets of permissions that allow access to some items and not to others, and that allow some actions to be taken but not others. The roles are different in that the first one applies to the management of the subscription but not to the service itself, and the second applies only within the service.
Using roles is a powerful way to group a set of rights that are common to a job title or business unit. This way, the administrator can grant a whole set of permissions to users simply by assigning a user or group of users to a given role.
Step One: Provision users, and assign licenses and administrative roles in the Microsoft 365 admin center
Your organization’s subscription to model-driven apps in Dynamics 365 provides access to the Microsoft 365 admin center through a global administrator account. The global administrator manages every aspect of the subscription and may add subscriptions to other Microsoft Online Services.
As the global administrator for your organization, one of your first tasks is to create users in the Microsoft 365 admin center. This registers users in the system and enables users to be licensed to use services available within the online service environment. You decide which service you want your users to have by assigning a license for that service to a user. For instructions about creating users in the Microsoft Online Services environment, see Create or edit users in Office 365. For instructions about assigning a license to a user, see Assign or remove licenses.
During your planning phase, you might have identified a set of key administrative roles that you want to fill. More information: Plan for deployment and administration. Because the administrative roles provide coverage for administrative tasks when the global administrator is not available, it’s a best practice to assign these roles to users, including assigning the global administrator role to a second user. More information: Assigning admin roles and Permissions in Office 365.
The online service sends an invitation to each user
After you set up a user in the Microsoft 365 admin center, that user receives an email invitation with a link and a password for the Microsoft Online Services environment. The credentials in the invitation provide access to the portal and to documentation. However, the users who receive these invitations can’t access model-driven apps in Dynamics 365 until you complete step two in this process.
Step Two: Assign security roles in Dynamics 365 apps
Sign in to model-driven apps in Dynamics 365 and add business units (if your organization needs more than one business unit), and assign security roles and business units to users. The users you registered with the online service in step one are automatically added to model-driven apps in Dynamics 365. After you assign at least one security role to a user, that user can click the link in the email invitation, enter credentials, and begin using model-driven apps in Dynamics 365. More information: Assign a security role to a user.
Before you start adding information to model-driven apps in Dynamics 365, we recommend that you turn off or disable your browser’s pop-up blocker. Pop-up blockers can block data-entry dialog boxes.
You might have data located in other systems. In your planning phase, you considered how you’ll import this data. Before you invite users into model-driven apps in Dynamics 365, ensure that you have completed the data migration process. More information: Import data (all record types).