Limiting Users to specific Dynamics 365 Organizations

Whenever a new user is created in Office 365 and assigned a Dynamics 365 CE license, by default they are added as a user to *every* Dyn365 instance in the tenant.

The particular user will still need to be assigned a security role in each instance before they will be able to access the system.  They will appear in the enabled user list and Dyn365 will show a “nagware” message about needing to assign users to security roles.


If an instance is copied, the user and their related security role assignments are copied as well, for both full and minimal instance copy processes.

Sometimes it may be important to limit or manage user access to other instances.

The following is a recent Skype conversation with Dave *, a customer of mine.

*Name changed to protect the identity and in no way reflects the intelligent or competency of all the Dave’s I know.

Dave: “My data is missing!  I entered some opportunities yesterday and they are not there!”

Me: “Are you sure? Let me check.”

I login to the customer’s D365 production instance and I find his opportunities.

Me: “They are there… hmm… it doesn’t happen to say ‘sandbox’ at the top does it?”


Dave: “Darn it.  Never mind”

In this case a copy of the production was made for the purposes of a training exercise a while back.  Dave and a group of users used this system for their training and Dave was never removed as a user from this training system.  Dave happened to login into the sandbox instance and found himself in a familiar (but incorrect) place.

Note: A good tip when setting up training or dev environments would be to adjust the particular Dyn365 theme to highlight a sandbox environment.


This is just one example of where additional safeguards should be in place to prevent users from having access to all the instances in a particular tenant.  Companies using Dynamics 365 may have other security and compliance reasons to restrict users from accessing different instances.

Don’t be a Dave.

The Solution

Thankfully, Office 365 groups can be setup and assigned to specific Dynamics 365 instances.  This provides a system administrator another tool to manage user access to Dynamics 365.  Here’s how:

In the Office 365 Admin center, Locate the Groups tab

Groups tab

Click “Add a group” and provide a group name to reflect the instance for which this group will apply.

Group Naming

Once you have created a group for your instances, you can now add users to these groups.

A Group for each Instance

You can add users as well as embed groups.  This may be a good way to provide and remove access for a team of training or testings quickly without having to individually add/remove them from Dyn365.


The next step is to navigate to the Dynamics 365 Administration Center and for each instance choose “edit”.

Edit the Instance to assign the Office 365 group

You will see a lookup field to assign a particular Office 365 group.  Choose the group and hit next.


After the group has been applied, the users must be a member of the group in order to access Dynamics 365.

If they are not part of the group, they will exist in Dynamics 365 as “disabled” users.

If the particular instance is copied, you can specify and Office 365 group at that time so that even though the users are copied, they will not have access to the copied tenant.

Office 365 Groups provides another option to manage security and groups of Dynamics 365 users.  With groups, a Office 365 admin can remove a entire group of users by removing an embedded group from the main group.  This would prevent the Dave’s of the world freaking out.

Don’t be a Dave


Nashville Summit - CRMUG
I will be in Nashville this week at the CRMUG Summit.  I will be participating in the following sessions:

Thursday, October 12 at 2:30pm ADC12 – The BA vs Developer Solution Envisioning Cage Match! – This is where a Business Analysts and Developers battle it to address specific requirement either by code or configuration.


Friday, October 13 at 8:30am UPG03 – “Aleve”iate Your Onpremises to Online Migration – I will be moderating a panel discussion about strategies in moving your on-premise deployment to Dynamics 365.

Migration shouldn’t be a Migraine

I also might be pulling into helping out or participating in other sessions.  If you are going to Summit, please don’t hesitate to reach out and say Hi!

Nick Doelman is a Microsoft Business Solutions MVP and also a Nationally qualified Powerlifter and is considering a career option as a professional Goat Rodeo clown.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s