Simplify your user onboarding process with Dynamics 365 Business Central & Azure Security Groups

If you are involved with onboarding new users this post is for you.

Until recently, when provisioning a new user to Dynamics 365 Business Central, you needed to do all the usual steps in AAD and then also access the BC application itself to refresh the user list and assign the new user to one or more User Groups or User Permissions.

The good news is that, after a short setup, you no longer need to leave the comforting Light Blue of the Azure portal (assuming there is no DDoS going on) to onboard new BC users. 

This blog post runs through the steps to create Azure Security Groups and configure them in BC which will in turn grant users permissions and the entitlement to access BC.

Here is the reference documentation page - Control Access Using Security Groups - Business Central | Microsoft Learn & feature release page Manage user permissions using security groups | Microsoft Learn.


  • Create one or more Azure Security Groups. 
    • In this example I have created two groups just to line up with the license types "Essential" and "Team Member". 
    • The Essential users are all members of the finance team who need full business access. 
    • The Team Member users are all procurement team people, so I'll give them basic access plus purchase side access.
Creating a new Security Group in Azure
  • Once the group is created you should assign any members and optionally assign the BC License you want these users to have.
Configure the Security Group
  • Set the permissions for this group in BC. Navigate to the Security Groups page in BC.  
    • Here I am in the process of selecting the 2nd of my two demo groups:
Pick the Security Group you need - you can give it a different name inside BC - the BC code field is limited to 20 characters.
  • Using the 'Permission Set by Security Group' action you can easily review and apply permissions to all the groups
This page is very handy as you can drill into the specific permissions, copy and easily review across all security groups what has been granted. 

One word of warning - when you add permissions on this page the company specification is set as 'blank', i.e. the wildcard for all companies. So if you need to restrict the company access better to use the other page shown below:
Security Group Permissions - showing company specification  
  • I would recommend to move all control of permission sets to the security groups and remove the setup in License Configuration.
    • Security Group permissions are Dynamic
    • License Config permissions are granted on initial login only
I recommend removing the permissions setup from the License Config page and instead adopt the approach of always holding all permission config on the Security Group only 
  • Any special permissions required over and above those granted dynamically by the security group membership can simply be added directly to the user card. But of course the whole reason for using Security Groups was so we didn't need to do that!
Any user added to AAD and assigned to a Security Group that's been setup in BC and has been assigned a BC license (either directly or indirectly) can login to BC right away! You no longer need to run the 'Update Users from M365' action on the user list page. Huzzah!