Licensing is an ironically evergreen subject in the Dynamics 365 Finance and Operations community. As a user, you want to be sure your organization has the licenses it needs when it needs them, but that doesn’t mean you want to overpay. Thankfully, the Fastpath solution is able to help users see a clearer picture of their licensing needs and potentially reduce costs where possible.
Determining D365 Finance and Operations Licensing
User licenses within D365FO are determined by two different processes:
- Analyzing entry point (menu item) security assigned
- Analyzing the privileges assigned
In D365FO there are 3 entry-point-based license types situated in a hierarchy structure:
- Operations (will be listed as Enterprise in AOT)
- Team Members (will be listed as Universal in AOT)
Each entry point in the system has two parameters that pertain to licensing that are visible in the AOT: ViewUserLicense and MaintainUserLicense. If a user has Read access to the entry point the user requires the license listed in the ViewUserLicense parameter, if the user has the ability to maintain the entry point (update, create, or delete) then they require the license listed in the MaintainUserLicense parameter.
In October 2019, Microsoft split the Operations license out into separate module areas within D365FO (Figure 2):
- Supply Chain Management
- Project Operations
Figure 2 – Operations module areas module areas within D365FO
If a user requires multiple licenses they can be added in a base/attach scenario where one license will become the base and then the additional licenses are ‘attached’ to the base license.
To determine the license requirements of a user Microsoft takes both the entry point and privilege-based licensing methodologies and combines them. First, entry-point-based licensing determines the level of license and then the privilege-based licensing determines the license types required within the license level.
Figure 3 shows a decision tree that shows how combining these licensing methodologies work:
Figure 3 – Decision tree for combining licensing methodologies
In terms of price, license types at the top of the hierarchy will cost more. This means that over provisioning a user’s access could be costing your organization unnecessarily by paying for higher licenses than are actually needed. A key point here, the user will be assigned a licensed based on their highest access level. If user has 99 entry points at a lower level and one at the Operations level, they will require an Operations license.
What can Fastpath do to help?
The Fastpath solution has reporting capabilities that allow organizations to see users, roles, duties and privileges. While the main purpose of these reports is security, they do an excellent job of laying out which license types are needed. Here is a rundown of some of the reports:
Role License Report
This report shows each role within your environment (custom or standard) and shows which shows both entry-point-based licensing (License Type) and privilege-based licensing (License SKU) required for each. We also take it one step further and show the number of entry point accesses at each license level. This gives a breakdown to show where there are potential places where role access can be modified to reduce license costs.
Figure 4 – Fastpath Role License Report for D365FO
This report is also available at a duty and privilege level.
Role License Details Report
The role license details report shows each entry point access for each role and then shows the access type and license required for that access. This allows for determining what object access may need to be modified to reduce license costs.
Figure 5 – Fastpath Role License Details Report for D365FO
Role License SKU Details
This report shows the privilege-based licensing side to show the role, duty, privilege, license SKU information. This helps to determine what privilege assignment may need to be modified to reduce license costs.
Figure 6 – Fastpath Role License SKU Details for D365FO
User License Report
The user license report shows the license required for each user based on their access at an entry point and privilege level. This report again shows the breakdown of the entry point access by license type. It also considers whether the user is assigned the system administrator role when determining licenses.
Figure 7 – Fastpath User License Report for D365FO
User License Details Report
The user license details report shows the user to role association and then each entry point those roles have access to, the access type of each entry point, and the license that the particular access requires.
Figure 8 – Fastpath User License Details Report for D365FO
User License SKU Details
The user license SKU details report shows the user to role association and then each privilege that is tied to a license SKU requirement.
Figure 9 – Fastpath User License SKU Details for D365FO
User License Base Attach Counts
The user license base attach counts report shows the total number of base/attach licenses that are required in your environment based on your current security setup.
Figure 10 – Fastpath User License Base Attach Counts for D365FO
Security setup and license check
The Fastpath Security Designer module has several features that users will find useful for analyzing and adjusting their Dynamics 365 licenses. The risk analysis tool provides a mock draft-like experience that previews the before and after impact of changes. This is useful from both a separation of duties (SoD, also referred to as “segregation of duties”) and licensing perspective at both a user and role level.
Figure 11 – Fastpath Security Designer module
Figure 12 – Fastpath Security Designer risk analysis results
The before and after view of what will be impacted by the changes allows you to modify the changes BEFORE they go live and effect your licensing costs.
Another helpful component in our Security Designer module is the task recording analysis tool. This feature takes the out-of-the-box task recording functionality, already a very useful tool when used properly, and enables users to bring a task recording into Fastpath for analysis. The Fastpath solution will show menu items used, access type required, and license required for each menu item in the recording.
The example below shows a D365 task recording of a user creating a vendor. From the recording, Fastpath Security Designer can tell us that user will need a Team Member license to perform the task of creating a vendor.
Figure 13 – Fastpath Security Designer task recording tool
Figure 14 – Fastpath Security Designer task recording result
This feature helps to set up least privilege security, you can read more about what this process is and why it is important in our "Develop And Implement Least Privilege Security For Dynamics 365 For Finance And Operations" whitepaper.
Ready to watch it in action? Watch the video to see how to use Fastpath to help reduce unnecessary license costs.
Hopefully this blog post has provided some helpful insight into how Fastpath can not only help your organization address security challenges, but even reduce your Dynamics 365 for Finance and Operations licensing costs. If you would like to learn more from our subject matter experts, check out these additional resources or contact us directly:/p>
- The Current State of D365FO User Licensing – the data in this blog post by Alex Meyer will be updated periodically to remain current
- Become a Security and Licensing Superhero with Fastpath – March 2022 DynamicsCon session with Alex Meyer and Frank Vukovits
- D365FO User Licensing Overview - YouTube
- Determining User Licenses in Dynamics 365 for Finance & Operations
- Introduction to Dynamics 365 Licensing
- On-Demand Webinar: Develop and Implement Least Privilege Security for Dynamics 365FO