My team mate had the same question for me. He was in the middle of preparing demo with the customer and he opened up Sales person security role to make some modifications and guess what, he sees something new in there. Just like the one in below screenshot.
A new option with two values – 1) Default – Team Privileges only & 2) Direct User (Basic) access level and Team privileges.
To be honest, I didn’t get much from the options. So I fell back to my bible – Microsoft Docs. And this is what I found.
There has been few times when even after reading Microsoft Docs I could not get much and this was one of them. I was not able to understand much but what I could get is it has to do something with Azure AD groups. Before continuing further to understand this, you should first understand that Azure AD groups (Office 365 & Security) can now own records in Dynamics 365. I have detailed this in my blog here. I would suggest you understand that first before continuing.
We all know that a user in Dynamics 365 inherits security privileges from the teams it is associated with. First things first, this option we are talking about is only valid when a user inherits security privileges from Azure AD Office 365 team or Azure AD Security team in Dynamics 365. This option is not valid for owner teams.
Now that we have limited the set, what is this feature all about? For a long time Dynamics 365 had a peculiar behavior that there there must be a security role explicitly assigned to user even though the user may be part of multiple teams which have security roles and privileges to access Dynamics 365. If the user logs in, he would get an error like the screenshot below.
I have explained this in my blog some time back – Can a user work only with team roles in Dynamics 365. So to make it work you just needed to assign a security (dummy one) explicitly to the user. It does not matter whether the security role has any privilege or not.
This setting takes care of just this in case of Azure AD Office 365 and Security Team. If you set the option “Direct User (Basic) access level and Team privileges”
CRM would no longer throw an error even if no security roles are explicitly assigned to the user. The user can just work with team roles in Dynamics 365. If we keep the default option – “Default – Team Privileges only”, it falls back to the same behavior where an explicit role is required by the user to work with CRM.
Please note that for traditional owner teams this has no effect.
Hope this helps!
Our product offerings:
Role based views for Dynamics 365 (http://www.xrmforyou.com/role-based-views.html)
CRM-Sharepoint Attachment uploader and metadata manager (http://www.xrmforyou.com/sharepoint-integrator.html)
Record Cloner for Dynamics 365 (http://www.xrmforyou.com/record-cloner.html)
Multiselect picklist for Dynamics 365 (http://www.xrmforyou.com/multi-select-picklist.html)