Fastpath Blog- Articles on Security, Audit and Compliance

Save on Licensing Costs in D365 Finance and Operations with Fastpath

Written by Alex Meyer | Nov 15, 2022 4:02:43 PM

Licensing is an ironically evergreen subject in the Dynamics 365 Finance and Operations community. As a user, you want to be sure your organization has the licenses it needs when it needs them, but that doesn’t mean you want to overpay. Thankfully, Fastpath is able to help users see a clearer picture of their licensing needs and potentially reduce costs where possible.

Determining D365 Finance and Operations Licensing

User licenses within D365FO are determined by two different processes:

  • Analyzing entry point (menu item) security assigned
  • Analyzing the privileges assigned

In D365FO there are 3 entry-point-based license types situated in a hierarchy structure:

  • Operations (will be listed as Enterprise in AOT)
  • Activity
  • Team Members (will be listed as Universal in AOT)

Each entry point in the system has two licensing parameters that are visible in the AOT: ViewUserLicense and MaintainUserLicense. If a user has Read access to the entry point, the user requires the license listed in the ViewUserLicense parameter. If the user can maintain the entry point (update, create, or delete), they require the license listed in the MaintainUserLicense parameter.

In October 2019, Microsoft split the Operations license out into separate module areas within D365FO (Figure 2):

  • Finance
  • Supply Chain Management
  • Retail
  • Talent
  • HR
  • Project Operations

Figure 2 – Operations module areas within D365FO

If a user requires multiple licenses, they can be added in a base/attach scenario where one license becomes the base and the additional licenses are ‘attached’ to the base license.

To determine the license requirements of a user, Microsoft combines the entry-point-based and privilege-based licensing methodologies. First, entry-point-based licensing determines the level of license, and then privilege-based licensing determines the license types required within that license level.

Figure 3 is a decision tree that shows how these licensing methodologies are combined:

Figure 3 – Decision tree for combining licensing methodologies

In terms of price, license types at the top of the hierarchy cost more. This means that over-provisioning a user’s access could be costing your organization unnecessarily, because you pay for higher licenses than are actually needed. A key point here: the user will be assigned a license based on their highest access level. If a user has 99 entry points at a lower level and one at the Operations level, they will require an Operations license.
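The highest-access rule described above can be checked against an export of role-to-entry-point assignments. The sketch below is an added example, not Fastpath or Microsoft code; it covers only the entry-point-based license level (not the privilege-based SKU step), and every menu item name, role, user and license value in it is constructed sample data.

```python
# Added example: entry-point-based license tier per user. All menu item names,
# roles, users and license values below are constructed sample data.
TIERS = ["Team Members", "Activity", "Operations"]  # lowest to highest
MAINTAIN = {"Update", "Create", "Delete"}

# entry point -> (ViewUserLicense, MaintainUserLicense); hypothetical values
ENTRY_POINTS = {
    "SampleVendorList":   ("Team Members", "Activity"),
    "SampleExpenseEntry": ("Team Members", "Team Members"),
    "SampleLedgerPost":   ("Activity", "Operations"),
}

# role -> [(entry point, access level granted)]
ROLE_GRANTS = {
    "SampleClerk":    [("SampleVendorList", "Read"), ("SampleExpenseEntry", "Create")],
    "SampleApprover": [("SampleVendorList", "Update"), ("SampleLedgerPost", "Read")],
    "SamplePoster":   [("SampleLedgerPost", "Create")],
}

USER_ROLES = {
    "user_a": ["SampleClerk"],
    "user_b": ["SampleClerk", "SampleApprover"],
    "user_c": ["SampleClerk", "SamplePoster"],
}

def license_for(entry_point, access):
    """Read access maps to ViewUserLicense, any maintain access to MaintainUserLicense."""
    view_lic, maintain_lic = ENTRY_POINTS[entry_point]
    return maintain_lic if access in MAINTAIN else view_lic

def required_license(user):
    """Return (tier, drivers): the highest tier across all of the user's grants
    and the (role, entry point, access) grants that force that tier."""
    grants = [(TIERS.index(license_for(ep, acc)), role, ep, acc)
              for role in USER_ROLES[user]
              for ep, acc in ROLE_GRANTS[role]]
    top = max(rank for rank, *_ in grants)
    drivers = [(role, ep, acc) for rank, role, ep, acc in grants if rank == top]
    return TIERS[top], drivers

if __name__ == "__main__":
    for user in USER_ROLES:
        tier, drivers = required_license(user)
        print(f"{user}: {tier}; driven by {drivers}")
```

The `drivers` list is the review target: when it holds only one or two grants, those are the assignments to examine for least privilege before paying for the higher tier.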

What can Fastpath do to help?

Fastpath has reporting capabilities that allow organizations to see users, roles, duties and privileges. While the main purpose of these reports is security, they do an excellent job of laying out which license types are needed. Here is a rundown of some of the reports:

Role License Report

This report shows each role within your environment (custom or standard) and shows both the entry-point-based licensing (License Type) and the privilege-based licensing (License SKU) required for each. We also take it one step further and show the number of entry point accesses at each license level. This breakdown shows where role access could potentially be modified to reduce license costs.

Figure 4 – Fastpath Role License Report for D365FO

This report is also available at a duty and privilege level.

Role License Details Report

The role license details report shows each entry point access for each role and then shows the access type and license required for that access. This allows for determining what object access may need to be modified to reduce license costs.

Figure 5 – Fastpath Role License Details Report for D365FO

Role License SKU Details

This report covers the privilege-based licensing side and shows the role, duty, privilege, and license SKU information. This helps to determine what privilege assignment may need to be modified to reduce license costs.

Figure 6 – Fastpath Role License SKU Details for D365FO

User License Report

The user license report shows the license required for each user based on their access at an entry point and privilege level. This report again shows the breakdown of the entry point access by license type. It also considers whether the user is assigned the system administrator role when determining licenses.

Figure 7 – Fastpath User License Report for D365FO

User License Details Report

The user license details report shows the user to role association and then each entry point those roles have access to, the access type of each entry point, and the license that the particular access requires.

Figure 8 – Fastpath User License Details Report for D365FO

User License SKU Details

The user license SKU details report shows the user to role association and then each privilege that is tied to a license SKU requirement.

Figure 9 – Fastpath User License SKU Details for D365FO

User License Base Attach Counts

The user license base attach counts report shows the total number of base/attach licenses that are required in your environment based on your current security setup.

Figure 10 – Fastpath User License Base Attach Counts for D365FO

Security setup and license check

Fastpath Access Control has several features that users will find useful for analyzing and adjusting their Dynamics 365 licenses. The risk analysis tool provides a mock draft-like experience that previews the before and after impact of changes. This is useful from both a separation of duties (SoD) and a licensing perspective, at both a user and role level.

Figure 11 – Fastpath Access Control

Figure 12 – Fastpath Access Control risk analysis results

The before and after view of what will be impacted by the changes allows you to modify the changes BEFORE they go live and affect your licensing costs.

Another helpful component in Fastpath Access Control is the task recording analysis tool. This feature takes the out-of-the-box task recording functionality, already a very useful tool when used properly, and enables users to bring a task recording into Fastpath for analysis. Fastpath will show menu items used, access type required, and license required for each menu item in the recording.

The example below shows a D365 task recording of a user creating a vendor. From the recording, Fastpath Access Control can tell us that the user will need a Team Member license to perform the task of creating a vendor.

Figure 13 – Fastpath Access Control task recording tool

Figure 14 – Fastpath Access Control task recording result

This feature helps to set up least privilege security. You can read more about what this process is and why it is important in our "Develop And Implement Least Privilege Security For Dynamics 365 For Finance And Operations" whitepaper.

Ready to watch it in action? Watch the video to see how to use Fastpath to help reduce unnecessary license costs.

What now?

Hopefully this blog post has provided some helpful insight into how Fastpath can not only help your organization address security challenges, but even reduce your Dynamics 365 for Finance and Operations licensing costs. If you would like to learn more from our subject matter experts, check out these additional resources or contact us directly: