Export (0) Print
Expand All

Create users and assign Microsoft Dynamics CRM Online security roles

Applies To: Microsoft Dynamics CRM Online

If you manage your subscription to Microsoft Dynamics CRM Online through the Microsoft online services environment using the Office 365 admin portal, you create a user account for every user who needs access to CRM Online. The user account registers the user with Microsoft online services environment. In addition to registration with the online service, the user account must be licensed in order for the user to have access to the service. Assign a license to the user account to allow access to the online service. Notice that when you assign a user the global administrator role in the Microsoft online services environment, it automatically assigns the user the System Administrator security role in Microsoft Dynamics CRM. More information: Differences between the Microsoft online services environment administrative roles and CRM Online security roles

When you create a user account in the Office 365 admin portal, the system generates a user ID and temporary password for the user. You have the option to let the service send an email message to the user as clear text. Although the password is temporary, you may consider copying the information to send to the user through a more secure channel, such as from an email service that can digitally encrypt the contents. For step-by-step instructions for creating a Microsoft online services user account, see Create or Edit Users.

noteNote
When you create a user in Office 365 and assign a license to the user by using the Office 365 admin center, the user is also created in Microsoft Dynamics CRM Online. The synchronization process between the Office 365 admin portal and Microsoft Dynamics CRM Online can take a few minutes to complete.

By entering a user ID and password, a user can access the Office 365 admin portal to view information about the service. However, the user will not have access to Microsoft Dynamics CRM Online until you assign at least one Microsoft Dynamics CRM Online security role to this user.

If you manage your Microsoft Dynamics CRM Online subscription in the Microsoft online services environment, you can license the user when you create the user account, or you can license the user later. You must assign a license to every user account that you want to access the online service.

For step-by-step instructions, see Assign a license to a user.

ImportantImportant
Licensed users must be assigned at least one Microsoft Dynamics CRM security role to access CRM Online. More information: Set up and assign security roles in Microsoft Dynamics CRM Online.

About user licenses

  • Microsoft Dynamics CRM Online uses user licenses to provide access to your organization. You need one user license per person with an active user record who logs into your organization.

  • When you add a new person, the Add Users Wizard displays the number of user licenses available. If you reach your limit, the Next button is no longer available. You can add additional licenses with the Add User License Wizard.

  • An unaccepted invitation requires a user license until the invitation expires two weeks after it was issued.

  • If you have more user licenses than you are using, contact support to reduce the number of licenses. You cannot reduce the number of licenses to less than you are currently using or less than your offer allows. Any changes are reflected in your next billing cycle.

  • Each user license requires a unique Microsoft account, and every user who logs on to Microsoft Dynamics CRM needs a license. Most CRM subscriptions include a specific number of user licenses.

Security roles control a user’s access to data through a set of access levels and permissions. The combination of access levels and permissions that are included in a specific security role sets limits on the user’s view of data and on the user’s interactions with that data.

Microsoft Dynamics CRM Online provides a default set of security roles. If necessary for your organization, you can create new security roles by editing one of the default security roles and then saving it under a new name.

You can assign more than one security role to a user. The effect of multiple security roles is cumulative, which means that the user has the permissions associated with all security roles assigned to the user.

Security roles are associated with business units. If you have created business units, only those security roles associated with the business unit are available for the users in the business unit. You can use this feature to limit data access to only data owned by the business unit.

For more information about the difference between Microsoft online services administrator roles and Microsoft Dynamics CRM Online security roles, see Grant users access to Microsoft Dynamics CRM Online as a Microsoft Online service.

ImportantImportant
You must assign at least one security role to every CRM Online user. The service does not allow access to users who do not have at least one security role. Even if a user is a member of a team with its own security privileges, the user won’t be able to see some data and may experience other problems when trying to use the system.

In CRM Online:

  1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics CRM.

    • Follow the steps in View your user profile.

    • Don’t have the correct permissions? Contact your system administrator.

  2. Follow the steps for the app you’re using.

    1. On the nav bar, click or tap Microsoft Dynamics CRM > Settings.

      Settings appears on the nav bar.

    2. Click or tap Settings > Administration > Users.

    1. In the Navigation Pane, expand your organization if necessary, and then click or tap Settings > System > Administration, and then click or tap Users.

  3. In the list, select the user or users that you want to assign a security role to.

  4. Click or tap More Commands (More commands icon) > Manage Roles.

    Only the security roles available for that user's business unit are displayed.

  5. In the Manage User Roles dialog box, select the security role or roles you want for the user or users, and then click OK.

You can share Microsoft online services environment administration tasks among several people by assigning Microsoft online services environment administrator roles to users you select to fill each role. You might decide to assign the global administrator role to a second person in your organization for times when you are not available.

There are five Microsoft online services environment administrator roles with varying levels of permissions. For example, the password reset administrator role can reset user passwords only; the user management administrator role can reset user passwords as well as add, edit, or delete user accounts; and the global administrator role can add online service subscriptions for the organization and can manage all aspects of subscriptions. For detailed information about Microsoft online services administrator roles, see Assigning Administrator Roles. For step-by-step instructions for assigning a Microsoft online services environment administrative role, see Assign or Remove Administrator Roles for an Existing User.

noteNote
Microsoft online services environment administrator roles are valid only for managing aspects of the online service subscription. These roles don’t affect permissions within the CRM Online service.

If a user loses a password, you can reset it. To reset a user’s password, you must be a Microsoft online services environment global administrator, user management administrator, or password administrator.

For step-by-step instructions, see Reset a User’s Password.

noteNote
The reset password is temporary. The user must change the temporary password at the next sign in. To help users meet the requirements for creating a new password in the Microsoft online services environment, see Password Policy.

To enable a user, assign a license to the user and add a user to the security group that is associated with an instance of CRM Online. If you enable a user that was disabled, you must send a new invitation for the user to access the system.

To disable a user, remove a license from the user or remove the user from the security group that is associated with an instance of CRM Online. Removing a user from the security group doesn’t remove the user’s license. If you want to make the license available to another user, you have to remove the license from the disabled user.

noteNote
Removing all security roles from the user prevents the user from signing into and accessing Microsoft Dynamics CRM Online. However, it doesn’t remove the license from the user and the user remains in the list of the enabled users in Microsoft Dynamics CRM Online. Removing security roles from a user isn’t a recommended method of removing access to CRM Online.

You must be a member of an appropriate administrator role to do these tasks. More information: Assigning administrator roles in Office 365

  1. In Office 365 admin portal, click or tap users and groups > active users and click or tap the user.

  2. In Assign Licenses, check the Microsoft Dynamics CRM Online check box. Click or tap Save.

  3. In the Office 365 admin portal, click or tap users and groups > security groups.

  4. Click or tap the security group that is associated with your CRM Online organization.

  5. In Available members, click or tap the user and then click or tap Add. Click or tap Save and Close.

  1. In the Office 365 admin portal, click or tap users and groups > active users and select a user.

  2. In Assign Licenses, clear the Microsoft Dynamics CRM Online check box. Click or tap Save.

  1. In the Office 365 admin portal, click or tap users and groups > security groups.

  2. Click or tap the security group that is associated with your CRM Online organization.

  3. In Selected members, click or tap the user and then click or tap Remove. Click or tap Save and Close.

noteNote
You can also delete users on the Office 365 admin portal. When you remove a user from your subscription, the license assigned to that user automatically becomes available to be assigned to a different user. If you want the user to still have access to other applications you manage through Office 365, for example Microsoft Exchange Online or Microsoft SharePoint, don't delete them as a user. Instead, simply remove the Microsoft Dynamics CRM license you've assigned to them.

noteNote
When you sign out of the Office 365 admin portal, you aren’t signing out of CRM. You have to do that separately.

TipTip
To force an immediate synchronization between the Office 365 admin portal and CRM Online, do the following:

  • Sign out of CRM Online and the Office 365 admin portal.

  • Close all open browsers used for CRM Online and the Office 365 admin portal.

  • Sign back in to CRM Online and the Office 365 admin portal.

See Also

Send comments about this topic to Microsoft.
© 2014 Microsoft Corporation. All rights reserved.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft