Setting Up an Application User for Work 365

Applies to: Work 365 (Dynamics 365 / Power Platform) | Audience: System Administrators, Implementation Engineers

Overview

For optimal performance, security, and cost control, run Work 365 under a dedicated Application User (service principal) instead of a licensed human account. Application Users authenticate via a Microsoft Entra ID app registration, do not consume a Dynamics 365 license, and keep background operations running even when staff accounts change.

Prerequisites

• System Administrator in Dynamics 365 / Power Platform

• Work 365 v3.5+ installed and configured in the target environment

Steps to Configure the Application User

1) Open Power Platform Admin Center

1. Go to https://admin.powerapps.com.

2. Environments → select the environment with Work 365.

3. Click Settings.

2) Create a New Application User

1. Users + Permissions → Application Users → + New App User.

2. Click + Add an App.

3. Paste the Work 365 Application ID for your region, then select the app:

   Region	Application ID
   US Data Center	e4b1a995-abe3-4350-a61c-65fccd32e8bd
   EU Data Center	5e56ae97-9be1-40d3-938b-99ea52175a30

4. Click Add, then Create to finalize the Application User.

Tip: If the app doesn’t appear, toggle Show only enabled for my org, or clear filters and try again.

3) Assign Security Roles

1. On the new app user row, select ⋯ → Edit Security Roles.

2. Assign:

   • Work 365 Service

   • Work 365 Portal Service

3. Save & Close.

4) Confirm the User Configuration

• In Dynamics 365, open Users (switch view to Application Users).

• Open the new app user → Manage Roles and verify both roles are assigned.

5) Set the Application User in Work 365

1. In Dynamics 365, open Work 365 → Admin Hub.

2. Administration → Change Service User (name may vary by version).

3. Select Application User as the Service Account → Proceed.

4. After success, choose Clear Cache from the same menu.

5. Verify: Hover the user icon in Work 365; the Application ID of the App User should be visible.

Why This Matters

• No license required: Reduces licensing costs.

• Stronger security: Not tied to a person; safer during staffing changes.

• Always-on operations: Background jobs and automations continue if human accounts are disabled.

• Governance: Consistent, auditable service identity.

Post-Setup Validation (Quick Checks)

• Work 365 Jobs: Admin Hub → confirm scheduled jobs run without errors.

• Provisioning: Trigger a non-impact test (e.g., Verify Connectivity for providers).

• Invoices: Generate a test invoice in a sandbox to confirm end-to-end execution.

Troubleshooting

Can’t find the Work 365 app during Add an App

• Confirm you pasted the correct regional Application ID (US vs EU).

• Toggle the Show only enabled for my org filter; refresh the list.

Background jobs fail after the switch

• Reopen Change Service User and re-select Application User, then Clear Cache.

• Confirm both Work 365 Service and Work 365 Portal Service roles remain assigned.

Portal invitations/emails stop sending

• Ensure the Application User has required roles (above).

• If you recently retired a human “service” account, verify email templates and any Power Automate connections aren’t still bound to that account.

Notes & Best Practices

• New installs: Setup wizards may auto-create the app user; this guide targets existing environments.

• Least privilege: Review assigned roles periodically.

• Document it: Record App ID, assigned roles, and environment details for audits.

• Sandbox first: Validate the change in sandbox before production where feasible.