
Managing Permissions and Security Groups

This page describes our recommended approach to managing user permissions in Business Central SaaS using security groups and process-based permission sets. This is the most important topic for any new administrator.

Overview

In Business Central, what a user can see and do is controlled by permission sets. Permission sets are collections of access rights to specific data and functionality.

Instead of assigning permission sets to each user individually, we strongly recommend using security groups from Microsoft Entra ID. This way:

  • You manage access centrally in Entra ID
  • When an employee changes roles, you move them between security groups — their permissions update automatically
  • New users get the right permissions immediately based on their role

What is Microsoft Entra ID?

Microsoft Entra ID is Microsoft's cloud service for identity and access management — sign-in, permissions, and security for applications and services. It was formerly known as Azure Active Directory (Azure AD).

Security groups are created in Entra ID and then used by Business Central to control permissions.

Where to manage Entra ID:

How it all fits together

The diagram shows two job roles — Accountant and Head of Accounting. Both are defined as security groups in Microsoft Entra ID (left). Each group is assigned process-based permission sets in Business Central (right). The Head of Accounting has access to everything the Accountant has, plus approvals and reports.

graph LR
  subgraph entra["Microsoft Entra ID"]
    G1["BC-Role-Accountant<br/>(Accountant)"]
    G2["BC-Role-HeadOfAccounting<br/>(Head of Accounting)"]
  end
  subgraph bc["Business Central — Permission Sets"]
    P1["Invoice Processing<br/>create and post<br/>sales invoices"]
    P2["Journal Work<br/>post financial<br/>journals"]
    P3["View Accounting Data<br/>view G/L entries<br/>and chart of accounts"]
    P4["Document Approval<br/>approve invoices<br/>and payments"]
    P5["Financial Reports<br/>view and export<br/>financial reports"]
  end
  G1 -->|assigned| P1
  G1 -->|assigned| P2
  G1 -->|assigned| P3
  G2 -->|assigned| P1
  G2 -->|assigned| P2
  G2 -->|assigned| P3
  G2 -->|assigned| P4
  G2 -->|assigned| P5

Key principle

Security groups represent who (job role). Permission sets represent what they can do (a specific piece of a process). You can assign one permission set to multiple groups — e.g. both the Accountant and the Head of Accounting need "Invoice Processing".

Two types of security groups

Business Central uses security groups for two different purposes. It's important to understand the distinction:

| | Environment access group | Role-based group |
|---|---|---|
| Purpose | Controls who can log in to a specific environment | Controls what the user can do once logged in |
| Where assigned | In the Administration Center → environment settings | Inside Business Central → Security Groups page |
| How many per environment | Exactly one per environment | As many as you need (one per job role) |
| What it controls | Acts as a gate — if you're not in the group, you can't open BC at all | Determines which permission sets apply to the user |
| Example name | BC-Production-Users | BC-Role-Accountant, BC-Role-WarehouseWorker |

Both types are created the same way (as security groups in Entra ID), but they serve completely different purposes and are configured in different places.

How they work together

A user must be in the environment access group to log in. Once logged in, their permissions come from whichever role-based groups they belong to. Think of it as: the environment group is the front door key, and the role groups determine which rooms you can enter.

Step-by-step setup

Step 1: Create a security group for environment access

Create a security group in Entra ID that controls who can access the Business Central environment at all.

  1. Go to Microsoft 365 Admin Center → Teams & groups → Active teams & groups
  2. Click Add a security group
  3. Name it clearly, e.g. BC-Production-Users or BC-Sandbox-Users
  4. Add all users who should have access to that environment

Then assign this group to the environment:

  1. Open the Business Central Administration Center
  2. Select the environment (e.g. Production)
  3. Go to Settings → Security Group
  4. Assign the security group you created

Note

Only users in this security group will be able to log in to that specific environment. This is your first layer of access control.

Step 2: Create security groups per job role

Create additional security groups in Entra ID that represent job roles in your organization. For example:

| Security Group Name | Purpose |
|---|---|
| BC-Role-Accountant | Financial staff — G/L, journals, customers, vendors |
| BC-Role-WarehouseWorker | Warehouse operations — items, picks, put-aways |
| BC-Role-Salesperson | Sales team — orders, quotes, customers |
| BC-Role-Purchaser | Purchasing — purchase orders, vendors, requisitions |
| BC-Role-Manager | Department managers — reports, approvals |

Tip

If you already have security groups for job positions in your Entra ID, reuse them. Don't create duplicates just for Business Central.

Step 3: Add security groups to Business Central

  1. In Business Central, search for Security Groups
  2. Click New and select the Entra ID security group from the list
  3. Repeat for each role-based group

The security groups now appear in Business Central and you can assign permission sets to them.

Step 4: Create and assign permission sets

Permission sets define what each role can do. There are three approaches to creating them:

Approach A: Start with existing (wider) sets, then restrict

  1. Assign a broad existing permission set (e.g. D365 BUS FULL ACCESS or D365 TEAM MEMBER)
  2. Identify which areas the role should not access
  3. Create a custom exclusion set or remove unnecessary sets

Best for: Quick initial setup, progressive tightening later.

Approach B: Start with narrow sets, then add what's missing

  1. Assign the most specific existing permission sets (e.g. D365 JOURNALS, POST)
  2. Have the user test their daily workflow
  3. When they get permission errors, add the missing permission sets

Best for: Maximum security from the start, but more initial effort.

Approach C: Record permissions from a process

  1. In Business Central, search for Permission Set by User Group or use the Permission Set page
  2. Use the Record Permissions action
  3. Perform the complete business process (e.g. create a sales order, post it, create an invoice)
  4. Stop recording — Business Central generates a permission set covering exactly what was used
  5. Assign this recorded set to the appropriate security group

Best for: Creating precise, process-specific permission sets.

Why use existing permission sets when possible?

When Microsoft releases a Business Central update, standard permission sets are updated automatically to cover new objects. Custom permission sets are not — you may need to manually add new tables and pages after an update.

Step 5: Assign users to security groups

For each user, assign them to the appropriate security groups in Entra ID based on their job role:

  1. Go to Microsoft 365 Admin Center → Users → Active users
  2. Select the user
  3. Under Groups, add them to the relevant security groups (e.g. BC-Production-Users + BC-Role-Accountant)

The user will get the combined permissions of all their security groups.

Concrete role examples

Accountant

Security group: BC-Role-Accountant

Needs access to:

  • General Ledger — posting journals, chart of accounts, G/L entries
  • Accounts Receivable — customers, customer ledger entries, sales invoices
  • Accounts Payable — vendors, vendor ledger entries, purchase invoices
  • Bank management — bank accounts, bank reconciliation
  • VAT — VAT entries, VAT statements
  • Financial reports

Recommended permission sets to start with:

  • D365 JOURNALS, POST — posting journals
  • D365 VENDOR, EDIT — managing vendors
  • D365 CUSTOMER, EDIT — managing customers
  • D365 FA, JOURNAL — fixed asset journals (if applicable)
  • Additional company-specific sets as needed

Warehouse Worker

Security group: BC-Role-WarehouseWorker

Needs access to:

  • Items — item cards, item ledger entries (read-only or edit depending on role)
  • Warehouse — warehouse receipts, warehouse shipments, picks, put-aways
  • Inventory — inventory journals, physical inventory
  • Bin management — bins, bin contents (if using directed put-away and pick)

Recommended permission sets to start with:

  • D365 WHSE, EDIT — warehouse operations
  • D365 ITEM, EDIT or D365 ITEM, VIEW — item management (edit vs. read-only)
  • Additional sets for inventory counting if needed

Salesperson

Security group: BC-Role-Salesperson

Needs access to:

  • Sales — sales quotes, sales orders, posted sales invoices (read-only)
  • Customers — customer cards, customer ledger entries
  • Items — item cards, item availability (read-only)
  • Contacts — contact cards, activities
  • Reports — sales statistics, pipeline reports

Recommended permission sets to start with:

  • D365 SALES DOC, EDIT — creating and editing sales documents
  • D365 CUSTOMER, EDIT — managing customers
  • D365 ITEM, VIEW — viewing items (read-only)
  • D365 CONTACT, EDIT — managing contacts (if using CRM features)

When to set up permissions during implementation

| Phase | What to do |
|---|---|
| Project start | Create security groups for environment access. Assign them to environments. |
| After defining job roles | Create role-based security groups in Entra ID. Add them to Business Central. |
| During implementation | Create permission sets and name them. Temporarily assign broad rights (e.g. SUPER or D365 BUS FULL ACCESS) so testing is not blocked. |
| Pre-go-live | Replace broad permission sets with process-specific ones. Test with real users. |
| After go-live | Monitor permission errors, fine-tune sets based on user feedback. |

Common mistakes and pitfalls

Don't leave SUPER assigned

SUPER gives full access to everything including system administration. Never leave it assigned to regular users in production. Only designated administrators should have SUPER.

Don't assign permissions directly to users

While it's technically possible to assign permission sets directly to individual users, this becomes unmanageable as your user count grows. Always use security groups.

Don't forget about license permissions

Each license type (Essential, Premium, Team Member) has built-in permission limitations. A Team Member license cannot access all areas even if you assign full permission sets. See Managing Users for license details.

Test before go-live

Always test permission sets with actual users performing their real daily workflows before going live. Permission errors during go-live cause frustration and support tickets.
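
The access model described on this page (the environment access group as the gate, combined permissions from all role-based groups) and the pitfalls above can be checked offline against an export of group membership and assignments. The following is an added example, not part of the original page and not Microsoft tooling; the users, the data layout and the function names are hypothetical, and the sample data is constructed.

```python
# Constructed sample data. Group and permission set names follow the page's
# examples; the users and the data layout are hypothetical.
ENV_GROUP = "BC-Production-Users"
BROAD_SETS = {"SUPER", "D365 BUS FULL ACCESS"}
GROUP_SETS = {  # role-based group -> permission sets assigned in Business Central
    "BC-Role-Accountant": {"D365 JOURNALS, POST", "D365 VENDOR, EDIT", "D365 CUSTOMER, EDIT"},
    "BC-Role-Salesperson": {"D365 SALES DOC, EDIT", "D365 CUSTOMER, EDIT", "D365 ITEM, VIEW"},
    "BC-Role-Manager": {"D365 BUS FULL ACCESS"},  # left over from implementation
}
MEMBERS = {  # Entra ID security group -> members
    ENV_GROUP: {"anna", "ben", "dana"},
    "BC-Role-Accountant": {"anna", "carl"},
    "BC-Role-Salesperson": {"anna"},
    "BC-Role-Manager": {"ben"},
}
DIRECT = {"dana": {"SUPER"}}  # permission sets assigned directly to a user


def effective_sets(user):
    """Permission sets that apply to a user; empty when the environment gate blocks sign-in."""
    if user not in MEMBERS[ENV_GROUP]:
        return set()
    sets = set(DIRECT.get(user, ()))
    for group, assigned in GROUP_SETS.items():
        if user in MEMBERS.get(group, ()):
            sets |= assigned  # permissions from all groups combine
    return sets


def audit():
    """Return sorted (subject, finding) pairs for the pitfalls listed on this page."""
    env, findings = MEMBERS[ENV_GROUP], set()
    for group, assigned in GROUP_SETS.items():
        for name in assigned & BROAD_SETS:
            findings.add((group, f"broad set assigned: {name}"))
        for user in MEMBERS.get(group, set()) - env:
            findings.add((user, f"in {group} but not in {ENV_GROUP}"))
    for user, sets in DIRECT.items():
        findings.add((user, "direct assignment: " + ", ".join(sorted(sets))))
    role_members = set().union(*(MEMBERS.get(g, set()) for g in GROUP_SETS))
    for user in env - role_members:
        findings.add((user, "can sign in but has no role-based group"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit():
        print(f"{subject}: {finding}")
    print("anna:", sorted(effective_sets("anna")))
```

Running the audit before go-live and after each role change surfaces leftover broad sets and users whose Entra ID group membership no longer matches their intended access.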

Further reading