Dynamics CRM Security Roles
  • The Dynamics CRM allows complex customization making it a powerful tool for organizations to use, however it can be a daunting task for even the most seasoned IT professional when confronted with the platform initially.
  • User roles within the Dynamics CRM can be customized on many levels and in many different ways. We will go through the different options step by step.
Which option is best for my organization?
  • User and Group roles for the organization can be created for all interconnected Microsoft products in use. Outlook, Teams, CRM, Powerapps, Power BI, etc.
  • More technical high level organization recommended for IT experts.
  • Top level administration for all platforms including licensing. 
  • Users for any platform including CRM must be initially created here.

  • Similar high technical level as Users, Groups, and Roles for all platforms can be accessed here.
  • Manage licenses and roles for groups of users with Azure Active Directories. Licenses and security roles are added when users are added and removed when users are removed.

  • Manage anything power platform related including CRM, portals, users, roles, and teams.
  • Recommended for small to medium organizations at a technical level.

  • Similar access as Manage the CRM from within the CRM. Users, roles, and teams can be created here.
  • Recommended for a non-technical level.


Tutorials for each method


  • Security roles are cumulative. Users can be assigned multiple roles individually or through teams with different privileges. The User has all privileges combined from each role or team.
  • Some features require steps between different methods and will reference other tutorials.



Tutorial 1


  • Business Units
    • Each user is part of only one Business Unit.
    • There will always be at least one Business Unit. Larger organizations may want to create more to structure around their business. Such as Sales, Marketing, HR Business Units.
    • The Records created by a User or Team will only be in the Business Unit they belong to.
    • Security roles that affect Business units include:
      • Organizational-level-access allowing access to all records within all Business Units.
      • Business-level-access allowing access to other users records within the Business Unit.
      • User-level-access allowing access to records the user created.
    • Business Units can be Hierarchal. Parent and Child Business Units can be created giving users in a Parent unit access to Child units.


  • Teams
    • Teams can be used to organize users.
    • Team Types include:
      • Owner Type will provide all team members with ownership access to records and also share security privileges. 
      • Access type will not provide team members with ownership access to records or share security privileges.
      • AAD Groups is needed when setting up Azure Active Directories from the method.


  • Users
    • Users must be created initially from and provided license(s).


  • Security Roles
    • Security Roles can be assigned to Users individually, through Teams, or by Azure Active Directories in the method.
    • Privileges can be given for individual Records and Entities.
    • Access Levels can be given to all Records and Entities within a Business Unit or the entire Organization.


Step 1 -  Accessing Security

  • Click the Settings Cog in the top right corner, then select Advanced Settings.



  • Click the Settings Dropdown on the top left, then select Security.



  • From here you can access the features for the rest of the tutorial.



Step 2 - Create or manage a User.
  • Select the Users page from the Security page from Step 1.
  • Selecting New will bring you to New users can only be created from with an Administrator account. If you do not have access, talk to your IT department.
  • To Manage a User, search for them or navigate to the user with the alphabetical filter on the bottom.



  • Select the user you wish to manage.



  • From here you can Manage Roles, Teams, or Business Units for the User.
  • Select Manage Roles.
  • Default roles and custom roles that you have made will be available here.



Step 3 - Create and Manage Teams.

  • Select Teams from the Security page in Step 1.
  • Most of the form should be self explanatory with a couple exceptions.
  • Team Type
    • Owner type will provide all team members with ownership access to records and also share security privileges. 
    • Access type will not provide team members with ownership access to records or share security privileges.
    • AAD Groups is needed when setting up Azure Active Directories from the method.
  • Azure AD Object Id is only needed when creating Azure Active Directory groups from the method.



  • From the Teams page select a Team.
  • Here you can Manage Roles, Assign Records, or Add Users.
  • Managing Roles and Records is only for Owner Type Teams.
  • Access Type Teams will Manage Users at an individual level, and AAD Groups will be managed from with Azure Active Directories.



Step 4 - Create and Manage Security Roles.

  • Select Security Roles from the Security page in Step 1.
  • Create a new Security role by selecting New, or select an existing Role to Manage it.
  • To save time you can copy an existing role into a new role and modify from that point onward. This is done by checking off an existing role and going to More Actions - Copy Role.



  • Fill in the basic information, then select the Records or Entities you wish to add to the role.



  • You can customize each Record or Entity by selecting the access level for Create - Read - Write - Delete - Append - Append To - Assign - Share categories.
  • The Key at the bottom of the page shows the different access levels. For more information see the beginning of this tutorial.



Step 5 - Create and Manage Business Units.

  • Select Business Units from the Security page in Step 1.
  • Select New or an existing Business Unit to Manage it.
  • For more information on how Business Units work, see the beginning of this tutorial.






Tutorial 2


  • The security roles here will be the same as the CRM method. For more information see tutorial 1.