Smart licensing in Dynamics 365 F&O: How to cut costs and prepare for upcoming changes?

Starting September 1, 2025, Microsoft will begin enforcing user license validations in the Microsoft Dynamics 365 Finance & Operations (D365FO). Active users without appropriate licenses aligned to their system access will start receiving notifications within the D365FO Production environment.

The User license validation notice is part of Microsoft Proactive Quality Updates (PQU) and has been rolled out into customer environments as mandatory feature since May 2025 itself.

Read further: What does the Microsoft D365 F&SCM license enforcement 2025 mean?

So, how do you prepare for this change and evaluate your existing licenses to optimize user license costs? This blog guides you through the process, providing insights from our experienced ERP consultants.

Why is it important to optimize Dynamics 365 F&O licensing cost

As we get closer to the date when notifications will start appearing for users in D365FO, it’s a strategic necessity and important for ERP Admins to consider options for optimizing user licensing costs. Here are some reasons why:

Licenses have a direct cost impact

This one’s obvious. Microsoft D365FO operates on a per-user license model where each user role (e.g., Finance, Operations, Team Member) has a different monthly cost. This means if users are unnecessarily assigned higher-tier roles, your organization is paying more without the added benefit.

For instance:

• Operations Activity License ≈ $50/user/month
• Finance or Supply Chain full license ≈ $210/user/month
• Team Member license ≈ $8/user/month

Unused or overallocated licenses waste money

Many organizations do not periodically review user roles and licenses they are consuming. This results in overallocated subscription costs. Here’s what you can do:

• Look for inactive users: Dormant or inactive users still consuming paid licenses
• Users with full licenses performing only basic tasks: Identify users with multiple higher privileges or full license roles (e.g., Operations) but are using only low-tier features.
• Over-licensing or misaligned licensing: E.g., assigning a Finance license to someone doing only data entry.

In short, users should only be granted access to the resources necessary to perform their specific job functions.

Scalability and forecasting

When expanding operations, inadequate licensing can impact scalability and system performance, potentially leading to unexpected costs or delays in business operations. Optimizing D365FO licenses is not about reducing functionality; it’s about paying only for what you use.

Microsoft allocates resources based on the user licenses subscribed; therefore, an optimal license enables organizations with:

• Agile onboarding for new teams
• Better compliance and license budget forecasting

Ensuring compliance and optimizing licensing in Dynamics 365 Finance & Operations: A self-assessment checklist

Managing licenses efficiently in Dynamics 365 F&O isn’t just about cost control; it’s also key to maintaining compliance. As a user, you can take proactive steps through a self-assessment to identify optimization opportunities and reduce unnecessary licensing expenses. Here’s how to get started:

1. Analyze user activity: Review user login patterns and system usage to understand who is actively using the application and how.
2. Compile a list of users and security roles: Gather a comprehensive list of all users, along with their assigned security roles, in the system.
3. Identify compliance vs. non-compliance: Cross-check assigned roles against Microsoft licensing requirements to flag any non-compliant user-role combinations.
4. Evaluate high-cost roles: Identify which roles are mapped to higher license tiers, and assess if they’re truly needed based on user responsibilities.
5. Spot optimization opportunities: Identify instances where roles can be adjusted, combined, or reassigned to align with lower license requirements.
6. Downgrade security roles where applicable: If certain users don’t need full functionality, consider downgrading them to roles that require a less costly license, without affecting productivity.

Read more: A guide to effective license management for Dynamics 365 F&O

How to downgrade licensing cost without hurting business operations?

Let’s say you’ve completed the steps above, but now you’re facing one key challenge: reducing licensing costs through role downgrades. To help with this, our experts have curated practical steps to guide you in identifying and downgrading excessive licenses without disrupting user productivity.

Step 1: Enable user security governance in Microsoft D365 F&O

The User Security Governance feature is a valuable addition to Dynamics 365 Finance & Operations. It provides an easy and better approach to define custom security roles, inquiry, and optimize license utilization. Now, system administrators can track changes in security privileges, access to entry points, and license consumption by each user.

To enable User Security Governance (preview), go to System Admin > Workspaces > Feature Management, as shown in the screenshot below.

Note: Please note that Microsoft will continue refining the USG feature to ensure stability ahead of its general availability in July 2025 with the 10.0.44 release. As a result, the features available in build 10.0.43 may differ from those in 10.0.44 due to ongoing enhancements.

You should be able to see the “Security Governance” under System Administration > Security > Security Governance.

Set up user aging periods (parameter)

Now it is time to set up user activity aging periods. To do this, navigate to System Administration > Setup > Security Governance Setup > Parameters and set the values for Periods 1 to 5 (as shown in the screenshot below).

Step 2: Analyze user activity

You are now ready to conduct a “User activity audit” which helps understand and analyze active users in the system and start a cleanup activity. This will help optimize license utilization, reducing unnecessary costs, and potentially avoiding the need to purchase additional licenses.

Navigate to System Administration > Security > Security Governance > User Activity Aging

The screenshot below shows the user activity inquiry screen. Use this to identify users with extended periods of inactivity. Collaborate with relevant departments to review these users, remove unnecessary licenses, and disable accounts inactive for more than 60 or 90 days.

If you only want to identify inactive users (without removing licenses or blocking them), simply comment out the -BlockedUsers and -RemovedLicenses filters in the User names field under System Administration > Users.

Unused accounts not only consume valuable licenses but also pose compliance and security risks. Proactively managing these accounts ensures better license allocation and reduces administrative overhead.

Step 3: Conduct license usage audit

Now it’s time to conduct a “License usage audit” to understand who has which license and why. This will help review user access, assign appropriate roles, and identify security roles that may require optimization.

To perform this audit, navigate to System Administration > Security > Security Governance > License Usage Summary.

This report provides two(2) important pieces of information:

1. User licenses – which users are consuming which and how many licenses
2. User Role licenses – Licenses consumed by each user role

User licenses explained

The “User Licenses” tab, in the “License Usage Summary report”, lists the type of license that each user is currently consuming, based on their cumulative assigned roles, duties, and privileges.
User licenses (tab) inquiry provides details of License (e.g, Finance, Supply Chain Management) and License type (Base or attach) applicable for each user (as shown highlighted in screenshot below).

How do “user licenses” help organizations?

• Cost: Indicates the actual license level being billed for a user (e.g., Operations, Finance, Activity, Team Member)
• Cost optimization: Helps identify users assigned high-tier licenses unnecessarily
• Correct licensing: Correlates license level, higher-tier licenses usually grant broader system access

For example, “User 1” (shown in red, highlighted in the screenshot above) is listed as consuming three licenses: (1) “Finance”, (2) “Human resource”, and (3) “Supply chain management.” However/their job is limited to reviewing and posting vendor payments. This means that unnecessary system access is adding to the cost of licenses.

• Action: Review his/her roles. It is likely that the user only needs the Finance license (Base).
• Impact: Downgrading could save ~$60/month/user while minimizing unnecessary access rights

User role licenses explained

The “User role Licenses” tab in the “License Usage Summary report” lists all security roles assigned to users and maps them to the minimum required license based on the highest privilege of any duty or privilege in that role, as shown in the screenshot below.

In the User Role Licenses section, you’ll find two key pieces of information:

1. License type
2. License quantity per user and role (highlighted in red in the screenshot above).

Focus only on entries where the License quantity equals 1, as this indicates an active license. Entries with a value of 0 can be ignored. That’s why only three licenses apply to User-1 (highlighted in yellow).

You can now correlate license information for User-1 across both the “User Licenses” and “User Role Licenses” sections.

You’ll notice that both sections indicate three licenses assigned to User-1. However, the User Licenses section provides additional details, including the license type (e.g., Finance, Supply Chain Management, Human Resources) and whether it’s a base or attach license. This distinction is important, as the cost difference between Base and Attach licenses can be significant.

How do “user roles licenses” help organizations?

• License eligibility check: Determines which roles push a user into a higher license bracket
• Security role impact analysis: Identifies which roles are license-intensive and shall be reviewed and optimized
• Custom role assessment: Identify candidate roles for re-designing or modification to ensure they stay within a desired license tier

For example, the role “AP_DirectPayment_Custom” is mapped to a Finance license because it includes the duty to approve vendor invoices, a task that requires a higher-tier license. This role is also assigned to multiple users, making it essential to determine whether all users truly need access to this level of functionality.

• Action: Redesign the role to exclude review & approval privileges, keeping only entry-level tasks
• Impact: Brings the role under Activity license, allowing more users to use it cost-effectively.

Using “User Licenses” and “User Role Licenses” for security and cost optimization

Out-of-the-box security roles in Dynamics 365 Finance & Operations often don’t align with the unique needs of an organization. They may lead to higher licensing costs if assigned as-is. To optimize both security and cost, organizations should consider creating custom roles while reusing standard privileges wherever possible. This approach simplifies setup and ensures proper access control.

Key principle: Optimizing D365FO licenses isn’t about reducing functionality; it’s about ensuring you’re only paying for what you use.

By conducting a structured review of license usage and security roles, organizations can:

• Reduce over-licensing and redundant privileges
• Align user roles more closely with actual job responsibilities
• Improve compliance and forecasting
• Strengthen overall system security

Best practices for license and security optimization

1: Correlate user licenses with job roles
If a user has a high-tier license, determine which role(s) triggered it and redesign accordingly to reduce licensing requirements.
2: Ongoing license monitoring
Continuously monitor license usage and schedule regular reviews with IT and department heads.
3: Implement HR-offboarding policies
Ensure user licenses are removed during the HR offboarding process.
4: Clean up inactive and duplicate users
Remove test/demo accounts and inactive users that consume real licenses.
5: Comply with Microsoft licensing policies
Reevaluate and redesign security roles to minimize permissions and avoid unnecessary high-cost licenses.
6: Use custom roles where appropriate
Avoid assigning default high-privilege roles, such as “System Admin,” to general users. Instead, use modular custom roles such as:

• Read-only roles
• Data entry roles
• Task-specific roles (e.g., AP clerk, warehouse user)

7: Leverage Microsoft’s User Security Governance (USG) feature
The USG feature in D365FO eliminates the need for third-party ISV security tools. It supports:

• Mapping security roles to business processes
• Managing access rights and tracking changes
• Enhancing audits and operational security
• Ensuring compliance with Microsoft licensing policies
• Generating license utility reports for better insights

By following these practices, organizations can establish a secure and cost-effective user access structure tailored to real-world usage.

Preparing for licensing updates: Why it matters?

Licensing updates in Dynamics 365 F&O can significantly impact your ERP budget, potentially costing millions if overlooked. With this self-assessment guide, you’re already well on your way to identifying gaps and optimization opportunities.

Now is the ideal time to evaluate your current Dynamics 365 F&O/SCM licensing setup, ensure compliance, and prepare for long-term success. At Confiz, we offer a comprehensive License Compliance Assessment to help organizations assess their current licensing landscape and get ready for Microsoft’s upcoming enforcement policies.

For expert guidance on Dynamics 365 Finance and Operations licensing, cost optimization, or implementation, contact us at marketing@confiz.com.