Applies To: Microsoft Dynamics 365 / Dataverse, Work 365
Audience: System Administrators, IT Governance Teams, Licensing Managers
Overview
In Work 365 environments on Microsoft Dynamics 365/Dataverse, you can restrict which licensed users are enabled in an environment by associating a Microsoft Entra ID (Azure AD) security group with that environment. Only users in the assigned security group get enabled in Dynamics. Work 365 license usage then counts only active, enabled users with read/write access.
When to Use This
Limit active Work 365 users to remain within your licensed tier.
Restrict access to specific teams (Billing, Support, Admin).
Separate access across environments (Production, Sandbox, Training).
Reference: Work 365 Support Portal – Security Group Configuration
Prerequisite: Global Administrator privileges in your Microsoft 365/Entra ID tenant.
Steps to Configure Access via Security Groups
Step 1: Create a Security Group in Microsoft 365/Entra
Go to portal.office.com or the Microsoft 365 Admin Center.
Navigate to Groups → Add a group.
Choose Type = Security Group.
Enter a Name and Description (e.g.,
Work365_Users).Add all users who should have access to the Work 365 environment.
Save.
Tip (naming):
Work365-Prod-UsersWork365-Sandbox-Users
Step 2: Assign the Security Group to the Dynamics/Work 365 Environment
Open the Power Platform Admin Center:
admin.powerplatform.microsoft.com.Environments → select your target environment → Edit.
Under Security group, select the group you created.
Save.
Result: Only users in the group (with valid Dynamics licenses) are enabled in the environment.
Effect
| Condition | Result |
|---|---|
| User is in the assigned security group and licensed | Enabled in environment |
| User is licensed but not in the group | Disabled automatically |
| Admin user excluded from group | May retain global admin access; add to group for consistency |
| Work 365 license count | Reflects enabled users only |
More info: Microsoft Learn – Control user access to environments by using security groups
Impacts & Considerations
| Scenario | Impact / Action |
|---|---|
| Assigning a group to an existing environment with many users | Users not in the group are automatically disabled |
| System Admins not in the group | They can still access as global admins, but should be added for visibility |
| Environment-level access | Group controls who can access; Dynamics roles still define privileges |
| Work 365 license usage | Counts enabled users only |
Note: Using security groups simplifies governance—adding/removing users in the group updates access without manual user enable/disable in Dynamics.
Best Practices
Naming: Use environment-based names (
Work365-Prod-Users,Work365-Dev-Users).Layered Security: Combine group access (entry) with Dynamics roles (privileges).
Periodic Reviews: Audit group membership quarterly; remove inactive users.
Separate per Environment: Distinct groups for Prod, Sandbox, Training.
Document: Track group names, mapped environments, and admin contacts.
Troubleshooting
| Issue | Cause | Resolution |
|---|---|---|
| “You can’t access this environment.” | User not in assigned security group | Add the user to the correct group and retry |
| Users remain enabled after removal | Directory sync delay or cache | Wait for sync or manually disable user in Dynamics |
| All users disabled after assignment | Group missing required members | Verify membership; add admins/service accounts |
| License count not reduced | Old users still marked enabled | Review users and disable stale accounts |
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article