Since I’ve written multiple posts on this topic in the past, I thought it would be a good idea to combine the different posts and create a place that I can continually update with the latest information. So going forward, while I will still have individual posts on user licensing as well, this post will always be updated with the latest information.
Last Updated: 1/25/2021
Where We Started
In AX 2012 and versions of D365FO prior to October 2019, the only licensing mechanism within the system was ‘Entry Point Based Licensing’. In this methodology, each menu item had two separate parameters:
- ViewUserLicense – user requires this license if they are assigned Read access to this object
- MaintainUserLicense – user requires this license if they are assigned Update/Create/Delete to this object
The D365FO license types available were hierarchy based (from highest to lowest):
- Operations (will be listed as Enterprise in AOT)
- Team Members (will be listed as Universal in AOT)
You could report on the licensing either from:
- The user interface in the View Permissions area of System Administration -> Security Configuration
- The ‘View Related Objects and Licenses for All Roles’ report in the AOT.
The licensing model looked like the following:
Where We Are Now
The change that Microsoft made to user licensing in October 2019 was that the Operations level licensing is now broken out by application area into what are now called ‘license SKUs’. There was no overarching license for either Customer Engagement or Finance & Operations; instead, there were different areas within each application that required a particular license.
The way to determine which license SKUs a user is now required to have is based on the privileges the user is assigned. These privileges come from the roles assigned to the user via the role -> duty -> privilege hierarchy structure of the security model.
So there are now two separate licensing models in use:
- Entry Point Based Licensing (explained above)
- Privilege Based Licensing
Base vs Attach Licenses
When licensing for a user there are two categories of license: Base and Attach. They have the following characteristics:
Base:
- Must be the first license assigned to a user
- Must be the highest priced license
- Every user must be assigned a ‘base’ license to access the application
Attach:
- Added on to a ‘base’ license
- A user can have as many ‘attach’ licenses as needed
What is Privilege Based Licensing?
Microsoft designates certain privileges to be associated to one or more license SKUs and then determines if that license SKU is required or if any listed license SKU will meet the requirements. This is done from a static JSON file loaded into the LicensingServicePlansPrivilege table.
The PrivilegeIdentifier is the system name of the privilege, the SkuName is the license SKU, and the IsUnique column determines if that particular license is required to be assigned to the user or if any of the license SKUs associated to the privilege will meet the requirements. So an IsUnique value of 1 dictates that a user assigned that privilege is required to have that license SKU either as a base or an attach license; an IsUnique value of 0 means any of the listed license SKUs for that privilege will meet the licensing requirements.
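The IsUnique rule described above can be checked against a user's privileges and assigned licenses as in the following added example, which is not code from Microsoft or from this post. The column names come from the text; the privilege names and SKU values are constructed, and requiring both conditions when a privilege has rows with IsUnique 1 and rows with IsUnique 0 is an assumption.

```python
# Added example: applies the IsUnique rule from the text to constructed rows.
# Column names come from the post; privilege and SKU values are made up.
from collections import defaultdict

# Constructed sample of LicensingServicePlansPrivilege rows:
# (PrivilegeIdentifier, SkuName, IsUnique)
SAMPLE_ROWS = [
    ("ExamplePrivLedgerMaintain", "Finance", 1),
    ("ExamplePrivVendorView", "Finance", 0),
    ("ExamplePrivVendorView", "SupplyChain", 0),
    ("ExamplePrivProdOrderMaintain", "SupplyChain", 1),
]


def build_rules(rows):
    """Group rows per privilege into mandatory SKUs and interchangeable SKUs."""
    rules = defaultdict(lambda: {"required": set(), "any_of": set()})
    for privilege, sku, is_unique in rows:
        rules[privilege]["required" if is_unique == 1 else "any_of"].add(sku)
    return dict(rules)


def license_gaps(rows, user_privileges, assigned_skus):
    """Return {privilege: reason} for each privilege the user's SKUs do not cover.

    assigned_skus is the user's base license plus any attach licenses.
    """
    rules = build_rules(rows)
    assigned = set(assigned_skus)
    gaps = {}
    for privilege in sorted(set(user_privileges)):
        rule = rules.get(privilege)
        if rule is None:
            continue  # privilege has no SKU mapping in this table
        missing = rule["required"] - assigned
        if missing:
            # IsUnique = 1: that exact SKU must be held (base or attach)
            gaps[privilege] = "requires " + ", ".join(sorted(missing))
        elif rule["any_of"] and not (rule["any_of"] & assigned):
            # IsUnique = 0: any one of the listed SKUs is enough
            gaps[privilege] = "requires one of " + ", ".join(sorted(rule["any_of"]))
    return gaps


if __name__ == "__main__":
    privs = ["ExamplePrivLedgerMaintain", "ExamplePrivVendorView",
             "ExamplePrivProdOrderMaintain"]
    print(license_gaps(SAMPLE_ROWS, privs, {"Finance"}))
```

Running the same check per role instead of per user shows which role assignment introduces a new SKU requirement before the role is granted.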
So How Does Entry Point Licensing and Privilege Based Licensing Work Together?
I’ve created a Visio diagram to help with the process of showing how these two licensing methodologies work together:
User License Estimator Report
This report shows the license SKUs required for each user based on their current access. It can be found at System Administration -> Inquiries -> License Reports.
The View Permissions report now shows the new licensing requirements. It can be found in System Administration -> Security -> Security Configuration -> Selecting a role/duty/privilege -> View Permissions.
Also when assigning roles to a user, the License required for that role is shown in the Assign Role to User form: