With version 10.0.44, Microsoft has updated how license requirements are determined in Dynamics 365 Finance and Supply Chain Management.
Previously, license needs were inferred from the security roles, duties, and privileges assigned to a user. Starting with this release, license requirements are instead calculated at the object level, specifically through menu items in the AOT.
Because of this shift, there may be inconsistencies between licensing outcomes in 10.0.44 and earlier versions, though Microsoft has stated that introducing discrepancies is not their intent. The goal is greater transparency, but organizations must now re-evaluate how they analyze license usage and manage potential downgrades.
Key points:
- Each menu item is either “entitled” under one or more licenses or not entitled at all.
- Entitlement is what drives the license requirement for a given feature.
- A menu item may be entitled by multiple SKUs, a single SKU, or none.
- Role SKUs are calculated as the combination of fewest SKUs that cover every menu item in the role, preferring lower-priority SKUs wherever they’re enough.
- If a role requires multiple SKUs, Microsoft requires you to purchase the SKU in the highest-priority group (see table below) that exists for that role as your base license. Higher-priority SKUs generally represent broader functionality and higher cost.
- If additional licenses are required, Dynamics 365 allows you to purchase attach licenses at a steep discount to fulfill your remaining access requirements if they exist for those SKUs.
This table shows the SKUs separated into groups by color. The SKUs in red are the highest priority licenses. If a red SKU is required for a security role, one of the red SKUs will need to be the base license. Likewise, if a green SKU is required for a security role, and no red SKUs are required, one of the green SKUs will need to be the base license.
This table is simplified. We always confirm entitlements against Microsoft’s official licensing guide when they are available.
Higher priority licenses do not necessarily include all the menu items that lower priority licenses do. That’s why a combination of different licenses may be needed, and why the highest priority licenses will still not give you all the menu item access you require.
A single higher-tier menu item included in a role will elevate the entire role’s license requirement. Microsoft does not provide a built-in mechanism for analyzing which objects could be removed to reduce license tier.
For example, say a role contains some menu items that are entitled under Project Operations only and some other menu items which are entitled under Supply Chain Management licenses only. The role must use Supply Chain Management as the base license, because it exists in the highest priority group of the licenses needed to get all the menu items you want for that role. Project Operations can then be purchased as an attach license.
If a security role requires the Project Operations, Finance, and Supply Chain Management licenses, either Finance or Supply Chain Management must be the base license, because those licenses exist in the highest-priority group (red) of those 3 licenses. Then the remaining licenses may be applied as attach licenses. You can either purchase Finance and Project Operations as attach licenses or Supply Chain Management and Project Operations as attach licenses.
Alternatively, if a security role requires only the Project Operations license, the base license would be Project Operations, since Project Operations exists in the highest-priority group (green) and there are no red SKUs. In this scenario, you would have no attach licenses.
Please note that the highest-priority license required may not be your base license. If a role requires both Finance and Supply Chain Management, you’ll need to determine what is most cost effective for your organization. Optimizing licenses may be counter-intuitive especially if minimum license requirements are a consideration.
For example, to purchase one Finance license, you must purchase a minimum of 20 Finance licenses, even if you cannot use all of them. If you have one additional user who requires a Supply Chain License only, it would be more cost effective to apply a Finance license as the base license for that role, since that’s already available, and then purchase Supply Chain Management as an attach license. This user’s role will be unexpectedly expensive, be this approach will prevent the purchase of 19 unnecessary full Supply Chain Management licenses.
This is a screenshot of a sample licensing requirement for a user. It gives the option to choose between 2 base licenses, similar to the example above, with additional options for the attach licenses.
Version 10.0.45 updates
Updates in 10.0.45 are improving on some known issues with the current licensing functionality in 10.0.44.
- The license validation will bypass certain system users who do not require licenses.
- Two new security roles, System agent and Device store manager, will be created to exclude users with this role from license validation.
- External users will also be excluded from user license enforcement. This includes users that are a part of the vendor portal functionality or that are associated with certain vendor collaboration roles.
- A hard block has been implemented which redirects users with invalid licenses to an error page.
- A flight feature will be enabled starting 11/1/2025 to fully enforce license validation.
License Validation in Power Platform Admin Center
Beginning in fall 2025, Microsoft will designate the Power Platform Admin Center (PPAC) as the official source of truth for validating Finance & Supply Chain Management license consumption.
- What it shows:
- Summary cards with total users, unlicensed users, and assigned vs. required licenses.
- Product-level breakdowns (Finance, SCM, Project Operations, Team Members, etc.).
- Drill-downs to view which roles or privileges trigger specific license requirements.
- What it does not show:
- Any guidance on how to restructure user responsibilities or trim access to lower license tiers.
- Changes made in D365 may take up to 24 hours to appear in PPAC.
How to Access
- Sign in at admin.powerplatform.microsoft.com.
- In the left navigation, select Licensing.
- Under Licensing, open the Finance and Operations tab within the User License Consumption section.
In-Application License Usage Summary
Microsoft also provides an in-app form for analyzing license usage under System administration > Security > Security governance > License usage summary
To use it, enable these features in the Feature management workspace:
- User security governance
- User security governance license usage summary report
This form shows license entitlements by user, role, duty, or privilege, and helps you understand how security design translates into required SKUs.
However, the many-to-many relationships between privileges, duties, and roles mean the results can be complex. A single privilege may appear across multiple duties or roles, creating different license outcomes. This makes it important to analyze carefully, especially for custom roles.
Optimizing licenses
We’ve prepared three SQL queries that use Microsoft’s entitlement views to identify license requirements.
Query #1: Reduce SKU of Role
This query identifies the menu items associated with the highest priority license assigned to a security role.
This is valuable because a single user with access to just one high-priority menu item will be charged for that expensive license, even if 99% of their tasks could be covered by a lower-priority license. This query helps you find the "common denominator" and identify potential licensing over-provisioning.
Run this query against a copy of your production database to identify the role’s current highest-priority (base) license and the menu items driving it. Remove those menu items from the role through privilege/duty edits, an extension, or a new role, and run the query again. The result should show a lower-priority base license. Repeat until the base license aligns with your target tier. Lower-priority attach license requirements will not appear in the query results for this query.
If this query is executed for any role, you will see the “LowestCommonSKU” column shows the highest priority SKU demanded by PPAC. To downgrade to a lower-priority, cheaper license, you’ll need to remove access to the menu items specified in the “AOTName” column from the role. That means finding all references for the menu item inside the role. Typically, menu items are assigned to security privileges which are assigned to security duties which are finally assigned to security roles.
When all menu items that are causing the highest priority license designation are removed from the role, then the query results will update to a lower-priority license.
Query #2: Lowest License by Role
This query identifies the licenses required for all menu items tied to a security role, showing only the menu items that are forcing these remaining license requirements.
In the query output, the ItemEntitledSkus column lists the licenses required for each menu item, sorted from lowest to highest priority and separated by commas.
Examine the ItemEntitledSkus values, looking for rows that contain a high-priority license with the fewest total number of licenses. If the ItemEntitledSkus field lists only Supply Chain Management and Supply Chain Management Premium. Both are high-priority, and there’s only two licenses in the field. You'll choose the lower priority of the two: Supply Chain Management. You'll then add Supply Chain Management to the list of acceptable licenses at the start of the query.
After rerunning the query, the number of results will decrease, showing the new, reduced list of remaining licenses and menu items for that role. Repeat this process, adding the lowest-priority license from another row to the query.
Rerun the query after each addition until no results are produced. When the query returns no results, all licensing requirements for the role have been satisfied. This is exactly which licenses must be assigned to users who have this role.
Example:
This is a sample output of the query for a hypothetical custom role. We will start out not entering any licenses in the VALUES part of the query except for Human Resource Self Service, which is the lowest priority license.
Like described above, I’ll look for a row where there are higher priority licenses and not many of them in the ItemEntitledSkus field. Like above, I found a row that contains only Supply Chain Management and Supply Chain Management Premium. I’ll replace Human Resource Self Service with Supply Chain Management and rerun the query.
The output will show the remaining required licenses besides Supply Chain Management.
In the output below, you can see that the next license we’ll need is a Finance license. I’ll pick the lower priority of the 2, in this case Finance.
I’ll add Finance to the query and get the output again.
I’ll repeat the same process until I get no output when I run the query.
Query #3: Lowest License by Menu Item
This query identifies the minimum license requirement for a specific menu item, and shows the privilege tied to that entitlement. This report confirms the lowest-tier license needed for a given menu item and it also highlights the privilege tied to that license entitlement. If a higher-tier license was required by a menu item in Query #1 or #2, you can use Query #3 to pinpoint which privileges are driving the higher SKU.
This is a sample output of the query. You can see that the Finance license would be the minimum required license for this specific menu item.
How to Get Licensing Under Control
We’re happy to help you navigate these changes and reduce unnecessary licensing costs. Based on Microsoft’s new entitlement model, here’s the least invasive approach we recommend:
- Start in PPAC
Use the Power Platform Admin Center (PPAC) to identify users who are consuming unexpectedly high-tier licenses. Collect their assigned roles into a reference table. - Run Query #1
Apply Query #1 to determine which menu items are driving those users into higher license tiers. - Analyze Responsibilities
Investigate the flagged menu items and evaluate their purpose in your business process. Compare those functions against each user’s actual responsibilities:- Does this person truly need that access?
- Could responsibilities be shifted or consolidated across fewer users while still maintaining effective staffing?
If so, access to those menu items can often be removed from the role.
- Run Query #2 and #3 for Edge Cases
When specific menu items trigger higher license requirements than expected, use Query #3 to review privilege details. In many cases, a user only needs read-only access, but the role grants write access—adjusting this can bring the license requirement back in line. Or, if you want to test out different combinations of licenses for a role, you can experiment with Query #2
If you’re ready to get started, we can assign a project accounting analyst to begin working with your team this week to review user responsibilities, align access with real needs, and bring your license usage under control.
Addendum
Most of the logic to determine whether a license is entitled or not entitled, in addition to the logic for determining if a menu item is even eligible for licensing, is contained in stored procedures located inside the SQL database. This logic is not readily available in the AOT, through x++, or through standard debugging. Some of the licensing and security tables involved in these procedures only exist and are created in the SQL database, and do not exist in the AOT. Microsoft’s documentation has not yet been updated to cover the details of how the licensing engine works in D365.
We are currently examining this logic and its true function in the context of the new licensing functionality. Based on our analysis, the stored procedures will update the licensing-specific tables with a snapshot of the current licensing data, preventing any irrelevant records from remaining from previous runs. The procedures will first identify the privileges and determine which objects are eligible for licensing and entitlement and then go through various sub-procedures to identify relevant privileges and security relationships.
The critical license-designation logic then executes. The system will run procedures which generate a detailed security-to-license mapping starting with a truncation of the previous data and rebuild an entire map that links security roles, their privileges, and the menu items they access to appropriate licensing requirements.
These procedures appear to refine the original generic license assignments specified in earlier procedures to the more granular, functional SKUs described at the beginning of this document.
The logic that Microsoft uses to decide which menu items are entitled under which license, and how the specific license “groupings” and “tiers” are determined starts to become more visible in this part of the logic and is particularly interesting for analysis. It provides a more comprehensive picture of the distribution of the menu items in the license groupings, in terms of how many menu items are included in a specific grouping based on a prior designation in 1 of the earlier procedures and illuminates some of Microsoft’s reasons for entitling certain licenses under specific license priorities.
The procedures will wrap by directly assigning the license type to each security role by matching input parameters from the previous steps.
Our analysis of which procedures are relevant, and their applicable context is ongoing. As the new licensing logic becomes more formalized, updates or deprecations to the existing procedures should be monitored to gain more insight into licensing code that would otherwise be unavailable. More analysis should be conducted into the timing and dependencies of these stored procedures.
Currently, some of the licensing procedures look like they may be referring to old licensing methodologies. More research must be done to differentiate the background, deprecated processes from the new logic. Furthermore, some procedures may not be visible at all. Some SQL stored procedures start up, run, and then delete themselves. This may be captured using SQL profiling but will require a considerable time investment to reverse engineer. We are hopeful that Microsoft will release corresponding documentation before this effort becomes necessary.
