We strongly believe that the fact that the Finance and Operations Basic User role is only assigned when a user has a fully qualified Finance license is a mistake. As outlined in the Microsoft Learn documentation on Authentication and Authorization (https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/power-platform/authentication-and-authorization#security-model), this role is intended to provide access to Virtual Entities-a feature that is not limited to Finance-related functionality alone. Given this, the role should also be assigned to ALL users with a fully qualified FnO license (like project operations license, SCM license). We believe this is simply a design flaw or bug in the automatic role assignment process. Additionally, the same documentation only discusses the assignment of this role, not its revocation, which further adds to our concerns regarding the current behavior.

Customers are often choosing to use Project Operations licenses for their FnO operations, as this license is cheaper then a Finance license, and qualifies as a full FnO license according to the licensing guide of March 2025:

• on page 24: "Project Operations licenses have no roles at the Operations – Activity level, but full users of Project Operations have rights to Operations – Activity roles for other Dynamics 365 products, such as Finance and Supply Chain Management"
• on page 39: In the table of capacity licenses, you can see that the same capacity is foreseen in the Operations database for Commerce, Finance, Project Operations and SCM licenses.

It does not make any sense that rights to use virtual entities would not be applicable to the other fully qualified FnO licenses like project operations or supply chain management.