Control Access to Business Central Using Security Groups
Security groups make it easier for administrators to manage user permissions. For example, for Business Central online, they're reusable across Dynamics 365 applications, such as SharePoint Online, CRM Online, and Business Central. Administrators add permissions to their Business Central security groups, and when they add users to the group the permissions apply to all members. For example, an administrator can create a Business Central security group that gives salespeople the ability to create and post sales orders. Or, let purchasers do the same for purchase orders.
Business Central online and on-premises
You can use security groups for the online and on-premises versions of Business Central. Depending on your version, create groups in one of the following ways:
- For the online version, use Azure Active Directory security groups. To learn more about creating the group, go to Create, edit, or delete a security group in the Microsoft 365 admin center.
- For on-premises, use Windows Active Directory groups. To learn more, go to Create a Group Account in Active Directory.
Afterward, create a corresponding security group in Business Central, and then link it to the group you created. To learn more, go to Add a security group in Business Central.
Note
If you've set up a special type of user with a Windows Group license type in a version of Business Central on-prem that's earlier than 2023 release wave 1, when you upgrade Business Central converts the user to a security group. The new security group has the same name as the Windows group name. The security group gives you a better overview of the group members and their effective permissions.
Add a security group in Business Central
Choose the icon, enter Security Groups, and then choose the related link.
Choose New to create a group.
Create the link to your group, as follows:
- For Business Central online, choose the group in the AAD security group name field.
- For Business Central on-premises, choose the group in the Windows group name field.
Note
The users show in the Members card on the FactBox pane or the Security Group Members page only if they're added as users in Business Central. To learn more about adding users, go to To add users or update user information and license assignments in Business Central.
Assign permissions to a security group
On the Security Groups page, choose the group, and then choose the Permissions action.
Assign permissions in the following ways:
- To assign permission sets individually, in the Permission Set field, choose the permissions to assign.
- To assign multiple permission sets, choose the Select Permission Sets action, and then choose the sets to assign.
Review the permissions in a security group
On the Security Groups page, the FactBox pane shows the Permission Sets that are assigned to the group. Each user listed in the Members card has those permissions. The Permission Set by Security Group action provides a more detailed view. There you can also explore the individual permissions in each security group.
Permissions are also available on the Users page. The FactBox pane shows the Permission Sets from Security Group and Security Group Memberships cards for the selected user.
Security groups and user groups
Note
User groups will no longer be available in a future release.
Security groups are very similar to the user groups that are currently available. However, user groups are only relevant for Business Central. Security groups are based on groups in Azure Active Directory or Windows Active Directory, depending on whether you're using Business Central online or on-premises, respectively. Groups benefit administrators because they can use them with other Dynamics 365 apps. For example, if salespeople use Business Central and SharePoint, administrators don't have to recreate the group and its members.
Optional: Convert user groups to permission sets
In 2023 release wave 1 and later, you can convert user groups to permission sets in your tenant. The permission sets provide the same functionality as user groups. Here are some examples:
- You can use the Users FactBox to manage permissions for users.
- You can drill down on the permission set name to add other permission sets to the set you're working on. To learn more, go to To add other permission sets.
Use the User Group Migration assisted setup guide to convert your groups. To start the guide, on the Feature Management page, find Feature: Convert user group permissions, and then choose All Users in the Enabled For field. The assisted setup guide offers the following options for the conversion.
Option | Description |
---|---|
Assign to user | Assign the permissions in user groups directly to the users who were assigned to the group, and remove their user group assignments. |
Convert to a permission set | Create a new permission for the permissions in each user group. The new permission set is assigned to all members of each user group. |
See Also
Create Users According to Licenses
Set Up Business Central Access in Teams with Microsoft 365 Licenses
Learn about groups and access rights in Azure Active Directory
Active Directory security groups