“Team Members Privilege Inheritance”–What is this doing in Security role screen of Dynamics 365?

My teammate had the same question for me. He was in the middle of preparing a demo with the customer and he opened up the Salesperson security role to make some modifications and, guess what, he saw something new in there, just like the one in the screenshot below.

image

A new option with two values – 1) Default – Team Privileges only & 2) Direct User (Basic) access level and Team privileges.

To be honest, I didn’t get much from the options. So I fell back to my bible – Microsoft Docs. And this is what I found.

There have been a few times when, even after reading Microsoft Docs, I could not get much, and this was one of them. I was not able to understand much, but what I could get is that it has something to do with Azure AD groups. Before continuing further, you should first understand that Azure AD groups (Office 365 & Security) can now own records in Dynamics 365. I have detailed this in my blog here. I would suggest you understand that first before continuing.

We all know that a user in Dynamics 365 inherits security privileges from the teams it is associated with. First things first: the option we are talking about is only valid when a user inherits security privileges from an Azure AD Office 365 team or an Azure AD Security team in Dynamics 365. This option is not valid for owner teams.

Now that we have limited the set, what is this feature all about? For a long time Dynamics 365 had a peculiar behavior: there must be a security role explicitly assigned to the user, even though the user may be part of multiple teams which have security roles and privileges to access Dynamics 365. If the user logs in without one, he gets an error like the one in the screenshot below.

image

I have explained this in my blog some time back – Can a user work only with team roles in Dynamics 365. So to make it work you just needed to assign a security role (a dummy one) explicitly to the user. It does not matter whether the security role has any privilege or not.

This setting takes care of just this in the case of Azure AD Office 365 and Security teams. If you set the option “Direct User (Basic) access level and Team privileges”, CRM would no longer throw an error even if no security roles are explicitly assigned to the user. The user can just work with team roles in Dynamics 365. If we keep the default option – “Default – Team Privileges only”, it falls back to the same behavior where an explicit role is required by the user to work with CRM.

Please note that for traditional owner teams this has no effect.
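
The behaviour described above can be turned into a quick audit of who would hit the missing-role error. This is an added example, not code from this blog or from Microsoft: the users, teams and roles are constructed sample data, `isinherited` and `teamtype` are the Dataverse column names for the role setting and the team type, and the decision logic follows this post's description (owner teams are treated as unaffected).

```python
# Option values of the Dataverse columns role.isinherited and team.teamtype.
TEAM_ONLY, DIRECT_USER = 0, 1
OWNER, ACCESS, AAD_SECURITY, AAD_OFFICE = 0, 1, 2, 3
AAD_GROUP_TEAMS = {AAD_SECURITY, AAD_OFFICE}

# Constructed sample data (hypothetical names), shaped like exported rows.
ROLES = {
    "Salesperson": {"isinherited": DIRECT_USER},
    "Sales Manager": {"isinherited": TEAM_ONLY},
    "Dummy": {"isinherited": TEAM_ONLY},
}
TEAMS = {
    "Sales AAD Security": {"teamtype": AAD_SECURITY, "roles": ["Salesperson"]},
    "Managers AAD Office": {"teamtype": AAD_OFFICE, "roles": ["Sales Manager"]},
    "Legacy Owner Team": {"teamtype": OWNER, "roles": ["Salesperson"]},
}
USERS = {
    "alice": {"direct_roles": [], "teams": ["Sales AAD Security"]},
    "bob": {"direct_roles": [], "teams": ["Managers AAD Office"]},
    "carol": {"direct_roles": [], "teams": ["Legacy Owner Team"]},
    "dave": {"direct_roles": ["Dummy"], "teams": ["Managers AAD Office"]},
}

def sign_in_basis(user):
    """Return what lets the user sign in, or None if the missing-role error applies."""
    if user["direct_roles"]:
        return "direct role"
    for team_name in user["teams"]:
        team = TEAMS[team_name]
        if team["teamtype"] not in AAD_GROUP_TEAMS:
            continue  # per the post, the setting has no effect for owner teams
        for role_name in team["roles"]:
            if ROLES[role_name]["isinherited"] == DIRECT_USER:
                return f"{role_name} via {team_name}"
    return None

def audit(users):
    """Map each user name to its sign-in basis (None means blocked)."""
    return {name: sign_in_basis(user) for name, user in users.items()}

if __name__ == "__main__":
    for name, basis in audit(USERS).items():
        print(f"{name:6} {'OK: ' + basis if basis else 'BLOCKED: needs an explicit role'}")
```

Users reported as "direct role" who hold nothing but a dummy role (dave here) are the ones that could drop it once their team's role is switched to the new option.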

Hope this helps!

Debajit Dutta

(Dynamics MVP)


Author: Debajit

I am a Dynamics CRM Most Valuable Professional (MVP) with 12 years of experience in Microsoft .NET Technologies and 9 years of dedicated experience in Microsoft Dynamics CRM. I have worked with companies like Microsoft, SanDisk, PwC, TMF Group and have extensive experience of implementing complex CRM solutions from both offshore and client side. Currently the face of XrmForYou.com, with significant experience in delivering corporate training on Dynamics CRM, and have already delivered multiple projects to clients through XrmForYou.com. Author of multiple tools on CodePlex including the 'Role Based Views' and 'CRM-Sharepoint Metadata manager & Attachment Extractor', which are available for commercial use under XrmForYou.com. For consulting/training, drop me a note at info@xrmforyou.com or visit our website www.xrmforyou.com

2 thoughts on ““Team Members Privilege Inheritance”–What is this doing in Security role screen of Dynamics 365?

  1. Hello Debajit,

    Thank you for sharing this! I have a question though, reading the docs site you’ve shared, they note the following: “This member’s privilege inheritance role is applicable to Owner and Azure Active Directory (Azure AD) Group teams.”.
    Have you tested whether this setting only applies to AAD Group teams?

    Cheers!

    1. Hi,
      Thanks for reading my blog. I guess I did test this for one of my customers and it worked. Having said that, I will verify it again.

      Cheers!
      Debajit Dutta
