“Team Members Privilege Inheritance”–What is this doing in Security role screen of Dynamics 365?

My team mate had the same question for me. He was in the middle of preparing demo with the customer and he opened up Sales person security role to make some modifications and guess what, he sees something new in there. Just like the one in below screenshot.


A new option with two values – 1) Default – Team Privileges only & 2) Direct User (Basic) access level and Team privileges.

To be honest, I didn’t get much from the options. So I fell back to my bible – Microsoft Docs. And this is what I found.

There has been few times when even after reading Microsoft Docs I could not get much and this was one of them. I was not able to understand much but what I could get is it has to do something with Azure AD groups. Before continuing further to understand this, you should first understand that Azure AD groups (Office 365 & Security) can now own records in Dynamics 365. I have detailed this in my blog here. I would suggest you understand that first before continuing.

We all know that a user in Dynamics 365 inherits security privileges from the teams it is associated with. First things first, this option we are talking about is only valid when a user inherits security privileges from Azure AD Office 365 team or Azure AD Security team in Dynamics 365. This option is not valid for owner teams.

Now that we have limited the set, what is this feature all about? For a long time Dynamics 365 had a peculiar behavior that there there must be a security role explicitly assigned to user even though the user may be part of multiple teams which have security roles and privileges to access Dynamics 365. If the user logs in, he would get an error like the screenshot below.


I have explained this in my blog some time back – Can a user work only with team roles in Dynamics 365. So to make it work you just needed to assign a security (dummy one) explicitly to the user. It does not matter whether the security role has any privilege or not.

This setting takes care of just this in case of Azure AD Office 365 and Security Team. If you set the option “Direct User (Basic) access level and Team privileges”

CRM would no longer throw an error even if no security roles are explicitly assigned to the user. The user can just work with team roles in Dynamics 365. If we keep the default option – “Default – Team Privileges only”, it falls back to the same behavior where an explicit role is required by the user to work with CRM.

Please note that for traditional owner teams this has no effect.

Hope this helps!

Debajit Dutta

(Dynamics MVP)

For consultation/ corporate training visit www.xrmforyou.com or reach out to us at info@xrmforyou.com

Our product offerings:

Role based views for Dynamics 365 (http://www.xrmforyou.com/role-based-views.html)

CRM-Sharepoint Attachment uploader and metadata manager (http://www.xrmforyou.com/sharepoint-integrator.html)

Record Cloner for Dynamics 365 (http://www.xrmforyou.com/record-cloner.html)

Multiselect picklist for Dynamics 365 (http://www.xrmforyou.com/multi-select-picklist.html)

4 thoughts on ““Team Members Privilege Inheritance”–What is this doing in Security role screen of Dynamics 365?”

  1. Hello Debajit,

    Thank you for sharing this! I have a question though, reading the docs site you’ve shared, they note the following: “This member’s privilege inheritance role is applicable to Owner and Azure Active Directory (Azure AD) Group teams.”.
    Have you tested whether this setting only applies to AAD Group teams?


    1. Hi,
      Thanks for reading my blog. I guess I did test this for one of my customer and it worked. Having said that I will verify it again.

      Debajit Dutta

  2. Hi Debajit,

    Thank you so much for sharing this article!

    The new option Direct User (Basic) access level and Team privileges works great for me. It eliminates the necessity of assigning user-level security role explicitly for each user.

    However, this option does not seem to persist after solution export/import, being default to Default – Team Privileges only after solution export/import.

    Wondering do you have similar issue, and if yes, do you have any suggestion going around it?


    1. Hi Abby
      I have faced the same challenge way back when it was introduced. But I was of the notion that it had been fixed. However let me see if can work out.


Leave a Reply