Define default permission set assignments


When a new user signs in for the first time, D365BC creates a user card and assigns permission sets. Administrators can now define the permission sets (and the user groups used to assign them) that will be assigned when a new user signs in for the first time. This is a new feature added in D365BC 2022 release wave 1.
Docs (English): Security administrators can define default permission set assignments when users sign up – Dynamics 365 Release Plan | Microsoft Docs

1. Prerequisite

Check the M365 Admin Center for the D365BC license that the tenant has. We will use a free trial environment for this explanation. The tenant has a license “Dynamics 365 Business Central for IWs” as shown below. There are many other BC licenses available. Generally, if you purchase from a partner, “Dynamics 365 Business Central Premium” is assigned to the tenant in most cases.

2. Assign a default permission set and default user group for a license

Find and run the “License Configuration” feature.

Licenses are listed. As a side note, this page will detect that a new license has been added. Back to the main topic, select the row for the license you have confirmed in the M365 admin center and click “Configure”.

You will see a list of user groups and permission sets to assign to this license. It looks similar to the user card screen. (You will see why later.)
Both user groups and permission sets have a “Company” column with the value “(first company sign-in)”. This means that user groups and permission sets are assigned only to the Company to which the user first signs in.
If you are opening the License Configuration page for the first time, “Customize permission” should be OFF. This indicates that the default configuration values have not been changed. I will try changing them from the default later. For now, I will leave it OFF and proceed with the investigation.

Create one new user in the M365 Admin Center and assign the BC license (the license for which you just confirmed the user group and permission set assignments) to the new user.

Sign in as the newly created user.

Check the permissions on the user card. You can see that user groups and permission sets have been assigned. These correspond to the user groups and permission sets that were assigned to the license on the previous configuration page. The “Company” column is set to the company you are currently signed in to. This is quite a tricky one. (See the summary at the end.)

Return to the “License Configuration” page to edit the user groups and permission sets for the license. Turn “Customize permission” ON. The user groups and permission sets can then be edited.

As a test, edit the following. Delete one of the BC standard user groups and blank the “Company” columns for the remaining two user groups. Then assign one user-defined user group. As a result, the permission sets will look like this

Create a new user. Assign a BC license as before.

Sign in as the newly created user and review the user card. You can see that the user groups and permission sets are assigned as customized above.

3. Reset user groups and permission sets

User groups and permission sets are assigned when a user signs in for the first time, but you can change them later. If you change too many things and lose track of them, you can reset them. For example, you can add the Super permission on the User Card page to a newly created user who has just signed in. Note that this reset feature was not added in 2022 release wave 1; it has existed for quite some time.

From the User List page, select Action > Restore User’s Default User Group.

After running the process, open the user card and you will see that the user group and permission set have been reverted as configured in License Configuration.
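The first-sign-in behaviour of the “Company” column from section 2 and the drift that this reset undoes, modelled as an added example (not Business Central code and not from the original post). The function names, the permission set rows and the company name "CRONUS" are constructed for illustration, and the script works on data typed in by hand rather than calling any Business Central API.

```python
FIRST_COMPANY = "(first company sign-in)"  # placeholder shown in the Company column

def resolve_defaults(license_defaults, first_company):
    """Return the (permission_set, company) rows a new user gets at first sign-in.

    The placeholder becomes the company the user first signs in to; a blank
    company stays blank, i.e. the assignment has no company restriction.
    """
    return {
        (name, first_company if company == FIRST_COMPANY else company)
        for name, company in license_defaults
    }

def find_drift(expected, actual):
    """Compare a user card against the resolved license defaults."""
    extra = sorted(actual - expected)      # on the user card, not in the defaults
    missing = sorted(expected - actual)    # in the defaults, not on the user card
    scoped = {name for name, company in expected if company != ""}
    # A blank-company row that replaced a company-scoped default widens access.
    widened = [(n, c) for n, c in extra if c == "" and n in scoped]
    return {"extra": extra, "missing": missing, "widened": widened}

# Constructed sample: license defaults as configured in License Configuration.
LICENSE_DEFAULTS = [
    ("D365 BASIC", FIRST_COMPANY),
    ("D365 BUS FULL ACCESS", FIRST_COMPANY),
    ("LOCAL", ""),
]
# Constructed sample: a user card after manual changes (SUPER added, one scope blanked).
USER_CARD = {
    ("D365 BASIC", "CRONUS"),
    ("D365 BUS FULL ACCESS", ""),
    ("LOCAL", ""),
    ("SUPER", ""),
}

def audit_sample():
    expected = resolve_defaults(LICENSE_DEFAULTS, "CRONUS")
    return find_drift(expected, USER_CARD)

if __name__ == "__main__":
    for kind, rows in audit_sample().items():
        print(f"{kind}: {rows}")
```

Rows reported as "extra" or "widened" are the ones a reviewer would want justified before deciding whether to run the restore action on that user.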

4. Summary

In some cases, users had overly strong permissions when they signed in immediately after the administrator created them. It is a good thing that this new feature eliminates the possibility of granting overly strong permissions, since holding them, even temporarily, is not good for auditing purposes.

In addition, as you will see when you actually operate as a user administrator, there are cases where you may want to assign permissions WITHOUT Company restrictions, such as during the requirement definition or training phases. Until now, the administrator had to delete the Company column value for each user on a case-by-case basis, because a “Company” value was always filled in for every user. This change in wave 1 will eliminate this hassle.

I think this is a very useful feature and I hope you will actively use it.

Thanks for reading.