Dynamics 365 Business Central seamlessly integrates with Azure Security Groups, offering a centralised and straightforward approach to managing user permissions and system access


User management is a crucial aspect of any organisation’s operations, so creating new users in a secure and streamlined manner is essential. Dynamics 365 Business Central can now use Azure Security Groups to manage application permissions and license entitlement.

This feature not only simplifies the process, but also enhances security by leveraging Azure Active Directory (AAD) capabilities. In this blog, we will explore the new way to onboard users in Dynamics 365 Business Central using Azure Security Groups, as well as the benefits it brings to organisations.

The challenges of traditional user onboarding processes

Previously, creating users in Dynamics 365 Business Central involved accessing the application directly to complete the user setup and configuration. IT admins had to navigate through various menus, assign roles and define permissions. This process could be time-consuming and error-prone, therefore posing a significant challenge to ensuring consistent security policy.

The Power of Dynamics 365 Business Central and Azure Security Groups Integration

The adoption of Azure Security Group membership by Dynamics 365 Business Central to manage user access and application permissions, simplifies and streamlines user onboarding and access management, offering a more efficient and secure solution. Let’s explore the key advantages of this feature:

  1. Centralised user management with Azure Active Directory

Using Azure Security Groups to manage Dynamics 365 Business Central permissions, centralises user management within Azure Active Directory (AAD). Administrators can create and manage user accounts directly in AAD, eliminating the requirement for administrators to access Dynamics 365 Business Central directly. This centralisation ensures consistency, simplifies user administration and reduces the chances of access discrepancies.

  1. Role-Based Access Control (RBAC) for user provisioning

Azure Security Groups provide robust RBAC capabilities, allowing organisations to define access levels based on job roles or responsibilities. By mapping roles and permissions within Dynamics 365 Business Central to Azure Security Groups, admins can easily provision new users with the appropriate access rights. This approach ensures that users have the necessary permissions to perform their tasks while maintaining a granular level of control over system access.

  1. Streamlined onboarding process

With this new feature, the onboarding process becomes more efficient and streamlined. Admins can assign new users to specific Azure Security Groups, which automatically grant access to relevant resources, such as shared folders, SharePoint sites, and now also specific permissions for Dynamics 365 Business Central. This automation eliminates the need for manual resource provisioning, reducing errors and saving time during the onboarding process.

  1. Enhanced security and compliance

Azure Security Groups offer robust security features, such as multifactor authentication and conditional access policies, strengthening overall security and compliance efforts. By leveraging these capabilities, organisations can enforce additional security measures when creating new user accounts in Dynamics 365 Business Central. This ensures that only authorised individuals can access critical data and reduces the risk of unauthorised access or data breaches.

  1. Simplified user offboarding

User offboarding is just as important as onboarding, and the integration with Azure Security Groups simplifies this process as well. When an employee leaves an organisation, disabling or removing their user account from Azure Active Directory revokes access to all associated systems and resources. This seamless offboarding process minimises security risks and ensures data remains protected even after an employee’s departure.

In this blog, we will guide you through the step-by-step process of creating Azure Security Groups and configuring them within Dynamics 365 Business Central. By following these instructions, you will be able to grant users the appropriate permissions and access to Dynamics 365 Business Central.


Step 1:  Create one or more Azure Security Groups.

In this scenario we have created two groups that align with the license types “Essential” and “Team Member”.

The “Essential” users are all members of the finance team who require full comprehensive business access. The “Team Member” are users from the procurements team who only require basic purchase side access.

Figure 1: Creating a new Security Group in Azure
Figure 2: Configure the Security Group

After creating a group (Figure 1) you can then assign relevant members to it. You also have the option to assign the Dynamics 365 Business Central license you want each of these users to have (Figure 2).

Step 2: Set the permissions for this group in Dynamics 365 Business Central.

Navigate to the Security Groups page in Dynamics 365 Business Central. Figure 3 shows us selecting a security group from Azure Active Directory for use in this scenario.

Figure 3: Select the Security Group needed. The security group name can be customised within Dynamics 365 Business Central to a maximum of 20 characters.

Step 3: Using the ‘Permission Set by Security Group’ action you can easily review and apply permissions to all the groups.

Figures 4a and 4b: The Security Groups page allows you can drill into the specific permissions, copy and easily review permissions across all Azure security groups. 

A word of caution – when granting permissions on this page the company specification is set to ‘blank’ by default. If you need to restrict the company basis, it is advisable to use the alternative page in Figure 5 below:

Figure 5: Security Group Permissions – showing company specification

Incremental suggests transferring control of permission sets to the security groups and to then remove any setup in the License Configuration page. This approach ensures that permissions are managed centrally within the Azure security groups, simplifying the overall management process.

Security Group permissions are dynamic, while the License Configuration permissions are granted upon initial login only.

Figure 6: Incremental recommends removing the permissions setup from the License Configuration page and instead adopt the approach of always holding all permission configurations on the Security Group only.

Any user added to Azure AD and assigned to a Security Group that’s been setup in Dynamics 365 Business Central and who has been assigned a Dynamics 365 Business Central license (either directly or indirectly) can login to BC right away. You no longer need access Dynamics 365 Business Central as part of your onboarding process!


The use of Azure Security Groups to manage access rights and permissions for Dynamics 365 Business Central presents a new way to create and manage users effectively. This approach simplifies user provisioning and enhances security. By leveraging centralised user management, role-based access control, streamlined resource provisioning and enhanced security measures, organisations can optimise user creation workflows and maintain a consistent and secure access control framework.

Organisations can now save time, reduce errors and enforce stricter security measures when creating new users in Dynamics 365 Business Central. By embracing this modern approach to user management, organisations can unlock the potential to efficiently onboard new users, maintain strict control over access rights and significantly enhance operational efficiency and security. This shift towards a more streamlined and centralised user management system empowers organisations to stay agile, adapt quickly to changing user needs and mitigate potential security risks.

For more information please contact your Incremental account manager or visit Microsoft’s dedicated resource – Manage user permissions using security groups | Microsoft Learn – within Dynamics 365 Business Central.