Dynamics 365 Apps security roles and other security considerations

I have recently built a few Microsoft Dynamics 365 Apps for a Dynamics 365 CRM Solution. I personally found the whole Dynamics 365 Apps idea to be brilliant as it does remove a lot of the clutter / noise / unnecessary entities, buttons, etc. that users don’t need. These are then replaced with a single App that only has what a user requires for their day to day operations. For example, a CRM call centre user will have an App that only shows the entities, forms, dashboards, business process flows, etc. that they need and nothing more. This provides a greater customer experience and higher user adoption and engagement (I saw this first hand).

Back to the subject of the post! Dynamics 365 Apps security can be applied using security roles as follows (source: :

  1. Go to Settings > My Apps.
  2. In the lower right corner of the app tile you want to manage access for, click the More options button , and then click Manage Roles.
  3. In the Manage App dialog box, Choose whether you want to give app access to all security roles or selected roles.
  4. Roles. If you choose Give access only to these roles, select the specific security roles (Important: see point “a” below)
  5. Click Save and
  6. Finally, re-publish your App (the last step is optional).

Sounds simple, correct? Well, there are a couple of “Gotcha” considerations that you have to be aware of:

a. Any security role that you choose from the list of roles that can access an App, MUST (I repeat MUST) have the “Read App” privilege. You can check that by opening the required security role and navigate to “Customizations” and you will see the “App” privilege in the first line under security role -> customisations. This is really important:

b. You can hide the “Custom” app which is basically the original conventional Dynamics CRM standard access app to all security roles (except to administrators) by clicking on “Hide for all Roles” on the “Custom / Full” App. This makes this app disappear from the left hand list of available Apps to standard users. However, if the user types in the standard CRM url they will still be able to access it, yet with limited data access based on their security roles. For example, if a user typed in: https://yourcrminstance.crm4.dynamcis.com they will access the custom / full app. You should always make sure your users only use the Apps in this case so for example:


Finally, we all know that this great new features, Dynamics 365 Apps, is still a brand new capability so it will continue to evolve and improve in the upcoming releases – so watch this space!

Hope this helps.


3 Replies to “Dynamics 365 Apps security roles and other security considerations”

  1. Thank you for this great post.
    You mention a critical limitation in that the user can enter the standard CRM URL. In fact, the URL is there in the App address bar for them to use.

    From what I am learning about this otherwise great feature,Apps are NOT appropriate to ‘secure’ a CRM. More of a Navigation tool based on standard CRM security architecture practices.

    1. Thanks Ian

      You are right. Apps are not there to apply security and this is why you have to do all your security as before through security roles etc. However the ability to access the “full” or “custom” app is a limitation from a usability and user experience in my view. Users who go the full version will see lots of “red” “you don’t have access” messages as well as they will be confused to see the full sitemap.

  2. This post was a life-saver…. thanks so much for taking the time to document these important configuration considerations!

Please comment or leave feedback