Since I’ve written multiple posts on this topic in the past, I thought it would be a good idea to combine the different posts and create a place that I can continually update with the latest information. So going forward, while I will still have individual posts on user licensing as well, this post will always be updated with the latest information.
Last Updated: 11/11/2025
Where We Started
In AX 2012 and versions of D365FO prior to October 2019, the only licensing mechanism within the system was ‘Entry Point Based Licensing’. In this methodology, each menu item had two separate parameters:
- ViewUserLicense – user requires this license if they are assigned Read access to this object
- MaintainUserLicense – user requires this license if the are assigned Update/Create/Delete to this object
The D365FO license types available were hierarchy based (from highest to lowest):
- Operations (will be listed as Enterprise in AOT)
- Activity
- Team Members (will be listed as Universal in AOT)
You could report on the licensing either from:
- The user interface in the View Permissions area of System Administration -> Security Configuration
- From the ‘View Related Objects and Licenses for All Roles’ report in the AOT.
The licensing model looked like the following:
October 2019 Licensing Update
The change that Microsoft made to user licensing in October 2019 was that the Operations level licensing is now broken out by application area into what are now called ‘license SKUs’. There was no overarching license for either Customer Engagement or Finance & Operations, there were different areas within each application that required a particular license.
The way to determine which license SKUs a user is now required to have is based on the privileges the user is assigned. These privileges come from the roles assigned to the user via the role -> duty -> privilege hierarchy structure of the security model.
So now there are two separate licensing models in use currently:
- Entry Point Based Licensing (explained above)
- Privilege Based Licensing (explained below)
Base vs Attach Licenses
When licensing for a user there are two categories of license: Base and Attach.
And they have the following characteristics:
Base
- Must be the first license assigned to a user
- Must be the highest priced license
- Every user must be assigned a ‘base’ license to access the application
Attach
- Added on to a ‘base’ license
- A user can have as many ‘attach’ licenses as needed
What is Privilege Based Licensing?
Microsoft designates certain privileges to be associated to one or more license SKUs and then determines if that license SKU is required or if any listed license SKU will meet the requirements. This is done from a static JSON file loaded into the LicensingServicePlansPrivilege table.
The PrivilegeIdentifier is the system name of the privilege, the SkuName is the license SKU, and the IsUnique column determines if that particular license is required to be assigned to the user or if any of the license SKUs associated to the privilege will meet the requirements. So an IsUnique value of 1 dictates that a user assigned that privilege is required to have that license SKU either as a base or an attach license, an IsUnique value of 0 means any of the listed license SKUs for that privilege will meet the licensing requirements.
November 2023 Update
In the 10.0.34 release, Microsoft silently released a new feature parameter that impacted how licensing is calculated. This update effectively made all ‘Read’ access assigned to any menu items require only a ‘Team Member’ license.
Full blog post on the update: https://alexdmeyer.com/2023/11/06/hidden-feature-flag-changing-how-user-licensing-is-performed-in-d365fo/
So How Does Entry Point Licensing and Privilege Based Licensing Work Together?
I’ve created a Visio diagram to help with the process of showing how these two licensing methodologies work together:
Pricing Update Oct 1st 2024
Microsoft announced that they are planning on updating the pricing of all Dynamics 365 licensing on October 1st 2024.
Full overview of this update can be found here: https://alexdmeyer.com/2024/04/15/microsoft-updates-dynamics-365-license-pricing-to-take-effect-october-1st-2024/
2025 Licensing Update
In March of 2025, Microsoft announced that they would be starting to implement ‘license enforcement’ within D365FSC. Along with this, they would also change the licensing model again to help accommodate the enforcement process. In 10.44 Microsoft has deployed a number of new tables which are storing the licensing information being analyzed within the Power Platform Admin Center (PPAC). Below is a (non-comprehensive) listing of tables and queries I have found / am using to help determine the license requirements.
LicensingEntitlementObjects
A listing of all objects within the system.
LicensingAllSKUs
A table that stores all current licenses, their priority order in the analysis, and the ‘group name’ they are a part of.
LicensingElementsRequiringEntitlement
This table stores the objects that have a license requirement.
LicensingAllEntitledPermissions
A table that stores the association between an object and the licenses that would meet the requirements for assignment.
Object License Query
This is a query I developed that joins the above tables to help determine the lowest license requirement for each object.
Based on the tables above we can see that objects themselves actually drive all licensing. We can also see that we have added some additional object types that can drive license requirements:
- Menu Items (menu item displays, menu item outputs, menu item actions)
- Service Operations (new)
- Data Entities (new)
- Data Entity Methods (new)
Also all Read access to objects will require a Team Member, the only exception to this if is the ‘EnforceReadPermission’ value of the object is set to 1 (true). If this is the case, then whatever licenses are listed are required for read access to the object. If a user has Update, Create, or Delete access to the object the the licensing information from the LicensingElementRequiringEntitlement table is what is used to determine the license.
The licenses themselves are arranged in a hierarchy model with the SCM / Finance Premium licenses at the top and Team Member / HR Self Service at the bottom. This is based on the ‘Priority’ value from the LicensingAllSkus table. They are further grouped based on license cost:
The overall process for determine user licenses is based on the following process:
- Determine user access based on all of the roles assigned to a user, this will generate a user -> object assignment matrix
- Determine the license requirement for each object assigned to a user based on the query I shared from above
- Analyze the object license requirements to find the best combination of licenses that cover all objects assigned to the user (eg: ensure the user is ‘Entitled’ to all objects they are assigned)
Deprecated License Reports
Microsoft has deprecated all ‘legacy’ license reports, this includes:
- View Permissions report
- License shown during user role assignment
- User License Counts
- User License History
Dynamics 365 License Reporting
Microsoft is now directing all users to utilize the User Security Governance functionality for license reporting, specifically the License Usage Summary reports which includes license reporting at the user, user role, role, duty, and privilege levels. These reports can be found at System Administration -> Security -> Security Governance -> License Usage Summary:
User License Enforcement Date
This has been changed multiple times but the latest announcement is the postponement of license enforcement from November 1st, 2025 to align with the a D365 customer’s contract anniversary or renewal date. This change will start on January 15, 2026 with ‘soft enforcement’ happening 30 days prior to the actual enforcement date, with the ‘hard enforcement’ happening 15 days after the contract / renewal date.
Additional Licensing Enforcement Call Outs
- License validation is performed at the tenant level, if a customer has multiple tenants each tenant could potentially have its own validation start date.
- A separate license is required for each tenant a user has access to
- A separate license is not required for multiple production instances under the same tenant
- If your organization has a license renewal date before January 15th 2026, you will move to the new user license validation model at your next contract renewal date.
- Users assigned the SysAdmin role do not require a license
- B2B guest users must be licensed like any other user – even if they are from another domain / tenant
- Service accounts do not require a license as long as they are not assigned roles that provide ‘interactive or business functionality’.
- Multiplexing rules still apply – if an external user accesses D365 data through an application / automation they must be assigned the appropriate license as if they accessed that data within the application itself
- All custom objects will require a Team Member license
- Device licenses are not going to be considered for enforcement during this initial phase
- Microsoft has designated 50+ out of the box roles that do not require a license
Resources
Optimizing ERP Security Configuration and Licensing within Microsoft Dynamics 365
Simplifying License Management in Dynamics 365
User security role reporting and technical validation for finance and operations apps FAQ
Determining User Licenses in D365FO
October 2019 User Licensing Update for D365FO
Current State of D365FO User Licensing for August 2020
Dear Alex,
Thank you for this clear post. Very helpful as a summary of the posts about the licensing. One question however, did you notice a difference of the results on licensing if you ran the User License Count report against the License Estimator report?
For me it seems the results from the ‘view permissions’ and the user count license report are the same, which are different from the needed licenses needed for the Security roles and thus users that have these assigned, if you run the license estimator report or try to assing roles to the user.
Do you also experience these differences, or is this related only to custom roles in the system? I was wondering how the table LicensingServicePlanPrivilege is getting filled. Because if you change privileges, will it also be reflected in this table, and thus in the license estimator report? So the question is how to know the amount and type of licensing needed for your environment if these reports show different results.
Thanks in advance to share your thoughts or ideas on this.
Best regards,
Ken
Ken,
Keep in mind that the User License Count report does not take into account the different license SKUs assigned to a user, it will still list out licenses as Team Member, Activity, Operations. And the User License Estimator report will only show users that require a license SKU be assigned. Are you saying that the number of Operations level users in the User License Count report does not match the number of users in the User License Estimator report?
I guess I haven’t seen that before but it wouldn’t surprise me as Microsoft keeps changing the logic used to determine which license SKUs are required for a user.
The LicensingServicePlanPrivilege table is currently being filled by a static json file, I talk about this more here: https://alexdmeyer.com/2019/12/19/current-state-of-user-licensing-in-d365fo-pu31/
As far as how do you determine which licenses are actually required, I go back to the Visio diagram I created as this is the current logic that should be applied. It’s basically a combination of both entry point based licensing and the new privilege based licensing. If you would like a more automated way to determine the licensing requirements please refer to our Fastpath Access Reviews licensing reports that are available at the user, role, duty, and privilege level that will show the licensing information:
Feel free to reach out if you have any questions!
Hi Alex,
Thank you for this answer. I think it’s as close as we can get to determine the needed licenses. Indeed, I saw a difference in numbers between Operations licenses on the User License Count report and the number of users in the User License Estimator report. But was wondering where this difference was situated.
Thanks again for your explanation above, perhaps we’ll have to create a ticket at MS to support on the numbers coming out of the reports.
best regards,
Ken
Ken,
Once last thing I will say is that there were known bugs in the User License Estimator report from PU31 -> PU39 at least. Not sure what version you are on but Microsoft has continually updated this report throughout their releases. Also would be curious to know if there is any pattern to the users who require an Operations license but don’t show up in the report (are they all assigned a specific role/duty/privilege, or hit some other edge case that the report doesn’t cover, etc)
Hi Alex,
Thank you for this post.
I have customized form and menu item, I set “configuration key” value to control the access. I generated license file and sent it to the client. all user have full access on that form.
now, I want to grant specific users full access on this form, and others read only access. can I achieve this using the license file, or other security options? (security roles will not work, coz they are controlled by the admin).
Thank you very much!
Mustafa,
The license file cannot perform the action you are looking for, they are only meant to enable/disable particular features. If you want to have some users have full access to a form while others have read access, this would have to be done via normal security roles.
Thank you Alex,
is there any way to utilize the ViewUserLicense/ MaintainUserLicense properties of the menu item?
using security roles, admin can add/remove users to that security role, so he has the control. and I need to have the control over how many users can access my form (full), and how many users can access it (read only/ view)
Thank you again.
Mustafa,
There’s no out of the box functionality to be able to achieve what you are looking for, you would have to write some logic within your form to do a custom license validation check.
Thank you Alex,
yes, I can add custom logic to the form. is there any reference or hint that I can check to write this custom validation?
Mustafa,
There isn’t any guide from Microsoft or anything like that, you may be able to find others that have tried and implement something like this but I am unaware of any.
There are a number of different ways to go about implementing this but you would probably need something to have the association between user -> access to your form. I don’t think you would be able to do this live as there is too much role access data to process so you would have to do it as a background batch job and store it in a custom table. And then have someway to report whether the licenses assigned to the users matches their access (if a user has the Read license then they should only have read access, if they have a Maintain license then they can have Update/Create/Delete access). If it doesn’t you would have to have some logic to stop the form init() or throw up an error message or something.
Thank you very much Alex, Appreciate your feedback!
Thanks
How to get technicaly through x++ all related objects and licenses for all roles ?
Shon,
You can find this report in a development Visual Studio environment by going to Dynamics 365 -> Addins -> View Related Objects and Licenses for All Roles
Hi Alex,
Thanks a lot for your answer, in fact i’m looking on how to do that through x++, if there is any class or API or data entity that contains all information about Related Objects and Licenses for All Roles as they exist in View permission button in Security configuration form in the UI
Shon,
There is not a publicly available method to generate all of that data, but you may want to check out the SecurityRepository class.
what’s define a security role if it is a Finance one or not ?
what is the highest license, and how the standard calculate and aggregate them
Shon,
As stated in the blog post, licensing SKUs are determined by the privileges assigned to the particular security role or user. You must look at all privileges assigned to a security role, Microsoft has designated certain privileges to requirement certain license SKUs. You must combine all license requirements from the privileges and then aggregate them.
Hi Alex,
I’m trying to use
Management.Querying API to get all security related objects to a specific security role, but i can’t define the parameter type used in this method : System.Collctions.Generic.IEnumerable1[System.String] roleIdentifiers
Microsoft.Dynamics.AX.Security.Management.Querying.RelatedSecurityObjectsFinder rr;
rr.FindRelatedSecurityObjectsForRoles();
Shon,
I can’t provide any code as this is getting close to Fastpath IP but the roleIdentifiers parameter is a list of system names of roles you want to return results for.
Hello Alex, I hope you are doing well. I have created some security roles in D365FO and when I run the “User license estimator” report some of these roles seems to trigger SKU license levels they are not supposed to (for example, Commerce). I am now trying to understand which menu items are triggering this type of license. I had a look at the LicensingServicePlansPrivilege table and it at least gave me some privilege names and license levels connected to the privileges but that is not quite enough.
My question is: is there any way to go a level deeper and get a list of menu items and their connected SKU license levels? Either through the application or via SQL, as I am not using the AOT at the moment. I am aware of the “View permissions” functionality you also mention above but the license levels mentioned there are not matching the ones found in the “User license estimator” report, as the first one is showing the license types Operations, Activity and Team Members while I am looking for a similar report that shows the license SKUs Finance, Supply Chain Management, Commerce and Project.
I have been in contact with the Microsoft support regarding this for a long time but they have not been able to help me so far. Since your blog has already helped me a lot in the past, I am hoping you might have that magical answer that can finally put my mind at ease.
Thank you in advance!
Pontus,
At this point in time, the SKU licensing is done at the privilege level not the menu item level. Eventually I would assume that Microsoft would move this licensing to be done at the menu item level but it has not been done yet. That is why there are two different licensing mechanisms in place currently. The entry point based licensing determines the license level (Team Member, Activity, Operations) and then for users that require an Operations level license the privilege based licensing determines what license SKU is required.
If you are looking for more detailed license reporting I would take a look at the Fastpath licensing reports for D365FO (which I am the lead developer on). Because we look at both the entry point and privilege based licensing we are able to generate reports like the ones below at the user, role, duty, and privilege level to give you detailed insights into your security and licensing requirements.
Feel free to reach out with any questions.
Thank you Alex, I just had a look at some of the Fastpath demo videos and I can see that it contains the reports that I have been looking for in the application itself. I will need to check with my manager first to get clearance but I also have two follow-up questions regarding Fastpath:
1) While I am pretty sure that the answer is “yes”, I just want to make sure that Fastpath is supporting both AX 2012 and D365FO.
2) I was unable to find a price list of what Fastpath will cost to implement. Should I use the contact form to get a price list?
Thank you and have a nice day!
Pontus,
1) Yes, Fastpath supports all versions of AX 2012 (RTM, R2, R3) as well as AX 2009 and AX 4. (And obviously D365FO)
2) Pricing is dependent on the number and license type (Team Member, Activity, Operations) of users you are analyzing, feel free to use the contact form on the Fastpath site or reach out to me at meyer@gofastpath.com for more details
Hi Alex,
I have scenario where the license configurator report list all the users as SCM. Then the User Counts, list the users as Team license, which is the correct. How do I solve this discrepancy? For the licenses renew, which report I use as a source of truth?
I also have another scenario where an user is listed as Commerce license but customer has no usage of Retail model and the Users Securities roles are under the finance module.
Who at Microsoft can address this discrepancies?
Thank you,
Maria
Maria,
This is an area where Microsoft does not have a great answer for either of your questions. Without having detailed reports there is no way to tell which report is correct or why a particular user is requiring a particular license. There also isn’t a single team or person at Microsoft to address these questions to.
If you would like some more detailed licensing reports, I created a number of different reports as part of our Fastpath Assure solution. You can find more information about these here:
How Fastpath Can Help Reduce User Licensing Costs in Dynamics 365 for Finance and Operations
Fastpath Can Help Reduce User Licensing Costs
Thank you very much for the response Alex.
Very appreciated.
Maria
Thanks for this interesting post ,
i have a question about License estimator report and License counts report,
When i add a new sys user, i can find the user instantly added in License estimator, but i can’t find it in License counts, is it normal ?
Is the License counts report, show only active users, (i mean users that have interacted or at least accessed one time in the system ? )
Shon,
The licensing reports within AX/D365FO are populated by a batch job that gets ran periodically (Named user license count reports processing). If a user is added it will take some time before they start to show up in the licensing reports unless you manually execute this process.
The licensing reports should only include ‘Enabled’ users, if a user is set to disabled they should not be included. It does not matter if a user is ‘active’ in the system or not, if they are ‘Enabled’ and assigned security they require a license to be assigned.
Thank you Alex,
I have one more question, what is the different between User License estimator report and User license counts reports ? should i have all system users in both reports ? for example, i have on user license estimator report 8 users , but on the license counts report, i can see all users that exist in the system, even if those i can’t see in users form.
Shon,
The User License Estimator report will only show users that require at least 1 ‘base’ license (from an entry point licensing perspective this report will only show users that require an Operations level license).
The User License Counts reports (and all other licensing reports) will report on the entry point based licensing so will show Team Member, Activity, and Operations level licenses.
Hi,
Regarding to latest D365 FO Licensing guide. At page 41 there is table describing database capasity per tenant. As I remember I will receive 20GB + 20*500MB as minimum purchase. How database capacity is calculated? Are we able to estimate database size in next 2-3 years? How I could check used space of DB and files?
Hello,
Within LCS you can get a rough idea of how large your database capacity is by going to the D365FO environment, finding the Monitoring section, click on Full System Diagnostics, then the Report header, selecting the right environment from the drop down and then scrolling down to find the SQL section which will show you the MDF/LDF sizes as well as the overall database size.
Dear Alex,
One of my clients printed the user license count report. All users appear on the report (Operations to Team Member). On the user license estimator report, I expected an overview of the Base and Attach apps from the Operations users in the user license count report (except the sys admin users). The user names are listed on the report, but without green bullets, so no mention of the different ERP apps. This customer works primarily with modified security roles. Could that be an explanation? Thanks!
Andre,
The User License Estimator report is built to show the licenses a particular user needs based on the privileges they are assigned. Microsoft has designated certain privileges to require certain license(s), but obviously these designated roles are only those delivered through Microsoft as out of box privileges. So if a user is setting up custom security at the privilege level, Microsoft has no way to determine which license SKU that privilege requires but it knows that user requires some base license based on their entry point access.
I go over the entire licensing methodology on this YouTube video: D365FO User Licensing Overview
Hello Alex, thank you for this valuable info…What happens if I only have the licenses available in our tenant but not assigned to specific users? For example, we have many Operations-Activity and Finance licenses, but not assigned. How are they consumed?
Hello,
In Entra ID or PPAC you should see a listing of ‘available’ licenses and ‘assigned’ licenses, the ‘available’ licenses are licenses you have purchased but have not assigned to a user. So these ‘available’ licenses are not being consumed but are still being paid for, this scenario is potentially one where you could look to reduce your licenses at your next licensing renewal.
Thank you Alex! You are right, I can see our license pool in Entra, as we have many for Finance, Human Resources, Operations-Activity and SCM. The thing is that only Finance licenses have been assigned as is required to attach SCM. Operations-Activity are just available in the tenant and in some way they are consumed as we have many users with security roles that demand it and they complete transactions with no issues. It’s kind of strange.
Hi Alex,
With the new security governance, I have noticed some inconsistencies on the licensing info. e.g. when assigning a role, the license is showing as ‘Team members’ but when checked on the security governance – licences usage summary, the same role has a base sku licence. Which one is correct?
Thanks
Nico
Nico,
MSFT is starting to deprecate ‘legacy’ licensing reports including the license shown when assigning a role to a user, I talk about this in the following blog post: https://alexdmeyer.com/2025/06/25/updated-d365fsc-user-licensing-in-10-44/
The ‘source of truth for licensing’ will be PPAC, which will feed data to the User Security Governance functionality within D365FSC.
Hi Alex – looks like the user login license validation warning and hard stop implementation has changed again.
As of today, the external documentation has been updated to be relative to the customer’s renewal/anniversary date. Also, the validation will not go into effect before Jan 15, 2026.
This document is the source:
https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/bade/documents/products-and-services/en-us/bizapps/FAQ-User-security-role-reporting-and-technical-validation-for-Dynamics-365-finance-and-operations-apps-9-24.pdf
Mike,
Yes you are correct, I posted about this update on LinkedIn but will be sure to update this blog post to reflect the new dates.
Hi Alex,
I’m running into something confusing with a custom security role that includes some standard D365 privileges.
What I’m seeing
In the old security form → View permissions, the “Highest License” for the role shows Activity, which is expected.
But when I deploy the same role to a sandbox v45 environment, the License usage summary → User Role Licenses and User Licenses both show Supply Chain Management as the required license for the user assigned to the role.
Additional detail
Under License usage summary → Role Licenses, there is a hidden field called UserLicenseType.
When I expose/filter this field for the same role, it actually shows Activity, which matches the old security form.
My question
How does this licensing evaluation work?
Shouldn’t the user also receive Activity instead of Supply Chain Management, since the role’s highest license appears to be Activity?
Why is the environment assigning SCM instead, even though the underlying role shows Activity in UserLicenseType?
Thank you in advance
Phillipe,
A couple things:
1) There was recently a MSFT update which is causing a lot of licensing reporting issues, I mentioned it in a recent LinkedIn post: https://www.linkedin.com/posts/alex-meyer-b6338837_if-you-are-noticing-some-major-changes-to-activity-7396934395070193664-Ha7X
2) MSFT has deprecated all of the old licensing reports (including the View Permissions Licensing column, see this blog post for more details: https://alexdmeyer.com/2025/06/25/updated-d365fsc-user-licensing-in-10-44/), the only licensing reports that are ‘accurate’ are the ones listed within the License Usage Summary report