Granular Roles for Business Central Admin Center
Summary
Currently, the Dynamics 365 Business Central Admin Center only offers a single, overarching administrator role and permission set. We propose introducing granular roles and API permissions to allow for safer, more specialized management of environments, apps, and settings.
Reasoning & Security Context (Principle of Least Privilege)
The current all-or-nothing security model forces organizations to violate the Principle of Least Privilege (PoLP). Because there is only one blanket admin permission, any user or service principal that needs to perform a single, routine task—such as updating an app or modifying a setting—must be granted full administrative access.
This creates a significant security and operational risk. For example, a service principal designed exclusively to automate app updates currently holds the power to delete, copy, or rename entire environments. By introducing granular roles, organizations can strictly limit service principals and administrative users to only the permissions necessary for their specific job functions, greatly reducing the blast radius of compromised credentials or accidental misconfigurations.
Proposed Roles
- Dynamics 365 Business Central Administrator
  - Permissions: Full access.
  - Capabilities: Create, Copy, Restore, Delete, Rename Environments, and all other administrative tasks.
- Dynamics 365 Business Central Environment Contributor
  - Permissions: Environment-level management without destructive capabilities.
  - Capabilities: Change environment states (start, stop, restart, manage sessions), perform Database Exports, create Support Requests, change environment settings (telemetry connection strings, update windows, application versions), and manage apps.
  - Restrictions: Cannot Create, Copy, Restore, Delete, or Rename environments.
- Dynamics 365 Business Central App Contributor
  - Permissions: App lifecycle management only.
  - Capabilities: Install, update, and manage apps.
  - Restrictions: Cannot change environment states or environment-level settings.
- Dynamics 365 Business Central Support Contributor
  - Permissions: Support and diagnostics.
  - Capabilities: Create Support Requests, perform Database Exports.
- Dynamics 365 Business Central Notification Recipient Administrator
  - Permissions: Administrative communications.
  - Capabilities: Manage notification recipients (could alternatively be rolled into the main admin role).
- Dynamics 365 Business Central Entra Application Administrator
  - Permissions: Identity and access integration.
  - Capabilities: Manage and authorize Entra apps within the BC Admin Center.
- Dynamics 365 Business Central Reader
  - Permissions: Global read-only access.
  - Capabilities: Read all settings, environments, and logs.
  - Restrictions: No edit/write permissions whatsoever.
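The blast-radius argument can be checked against the proposed role list. The following is an added example, not code from the proposal or from Business Central: it models the roles above as capability sets and finds the role combination that covers a task list with the fewest unneeded capabilities. The capability labels (`env.delete`, `app.update`, and so on) and the shortened role names are assumptions made for the illustration.

```python
from itertools import combinations

# Capability labels are assumed names for the tasks the proposal lists.
DESTRUCTIVE = {"env.create", "env.copy", "env.restore", "env.delete", "env.rename"}
ENV_OPS = {"env.state", "env.settings"}
APP_OPS = {"app.install", "app.update", "app.manage"}
SUPPORT_OPS = {"support.request", "db.export"}
NOTIFY, ENTRA, READ = {"notification.manage"}, {"entra.manage"}, {"read.all"}
ALL = DESTRUCTIVE | ENV_OPS | APP_OPS | SUPPORT_OPS | NOTIFY | ENTRA | READ

# Proposed roles (short names) mapped to what the proposal says each may do.
ROLES = {
    "Administrator": ALL,
    "Environment Contributor": ENV_OPS | APP_OPS | SUPPORT_OPS,
    "App Contributor": APP_OPS,
    "Support Contributor": SUPPORT_OPS,
    "Notification Recipient Administrator": NOTIFY,
    "Entra Application Administrator": ENTRA,
    "Reader": READ,
}

def grants(roles):
    """Union of capabilities held by a principal assigned these roles."""
    return set().union(*(ROLES[r] for r in roles))

def excess(roles, required):
    """Capabilities granted but never needed: the blast radius if credentials leak."""
    return grants(roles) - set(required)

def least_privileged(required):
    """Role combination covering `required` with the fewest unneeded capabilities."""
    required = set(required)
    if not required or required - ALL:
        raise ValueError(f"unknown or empty task set: {sorted(required - ALL)}")
    best = None
    for n in range(1, len(ROLES) + 1):
        for combo in combinations(ROLES, n):
            if required <= grants(combo):
                key = (len(excess(combo, required)), n)  # fewest extras, then fewest roles
                if best is None or key < best[0]:
                    best = (key, combo)
    return best[1]

if __name__ == "__main__":
    updater = {"app.install", "app.update"}  # constructed task list for an update pipeline
    print("today:", sorted(excess(["Administrator"], updater) & DESTRUCTIVE))
    print("proposed:", least_privileged(updater), sorted(excess(["App Contributor"], updater)))
    print("update + export:", least_privileged({"app.update", "db.export"}))
```

For a pipeline that both updates apps and exports databases, the search prefers App Contributor plus Support Contributor over Environment Contributor, because the pair grants fewer unneeded capabilities.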
Proposed API Permissions / Scopes
To support these roles programmatically (especially for service principals and CI/CD pipelines), the API permission scopes should be expanded as follows:
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.ReadWrite.All (Currently exists)
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.Read.All
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.ReadWrite.Environments
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.Read.Environments
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.ReadWrite.Apps
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.Read.Apps
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.ReadWrite.EntraApplications
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.Read.EntraApplications
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.ReadWrite.NotificationRecipients
- https://dynamics.microsoft.com/business-central/overview/AdminCenter.Read.NotificationRecipients
