- Copy a built-in permission set to tailor it so Microsoft updates never overwrite your work.
- Link a security group to an Entra ID group so new hires inherit access automatically.
- A Team Member license is capped by design; if access is missing, check the license before permissions.
- Test access by signing in as a scoped test account in a sandbox before going live.
Giving everyone the SUPER permission set because it's easier is the access-control equivalent of leaving the office unlocked because keys are a hassle. It works right up until it doesn't. This guide sets up real access control in Business Central, Microsoft's enterprise resource planning (ERP) system for small and mid-sized businesses, using permission sets to define what someone can do and security groups to assign those permissions to people in bulk. By the end you'll have a tailored permission set, a security group linked to a Microsoft Entra ID group (Entra ID is Microsoft's cloud identity service, formerly Azure Active Directory), and a safe way to test exactly what a user can see and do before you turn them loose.
Before you start
- You need an admin account with the SUPER permission set in Business Central.
- It helps to have your people already grouped in Entra ID (for example, a
Financegroup and aSalesgroup), since security groups work best when they map to Entra groups you already maintain. - Know each person's license. A Premium or Essential license unlocks full functionality; a Team Member license is limited by design no matter what permissions you grant. More on that below.
Step 1: Understand built-in vs. custom permission sets
- Choose the search icon, type Permission Sets, and open the page.
- You'll see many built-in sets shipped by Microsoft (and your apps), marked with a Type like System or Extension. These are read-only: you can use them but not edit them directly.
- The good practice is to leave the built-in sets alone and build your own by copying. That way a Microsoft update never overwrites your tailoring.
Step 2: Copy a built-in set and tailor it
- On the Permission Sets page, select a built-in set close to what you want (for example one scoped to sales or finance).
- Choose Copy Permission Set, give the copy a clear name like
WC-SALES-CLERK, and confirm. The copy has Type = User-Defined, which you can edit. - Open your new set and choose Permissions to see the objects it grants. Adjust the Read, Insert, Modify, and Delete flags per object, or remove objects the role shouldn't touch.
- Save. You now have a permission set that grants exactly the access a role needs and nothing more.
Name your custom sets with a consistent prefix (we use a short company tag like WC-). When you're scanning a long list during an audit, your sets jump out from the dozens of built-in ones, and it's obvious which were made on purpose.
Step 3: Create a security group and link it to Entra ID
Security groups let you assign permissions to many users at once, and linking them to Entra ID means adding someone to the right Entra group automatically gives them the right Business Central access.
- Search for Security Groups and open the page.
- Choose New. Give the group a Code and Name like
FINANCE. - In the Microsoft Entra security group name field, select the matching Entra ID group. (For Business Central online, this is the Entra group; for on-premises it's a Windows group.)
- Save. From now on, a licensed user added to that Entra group is automatically added to this security group in Business Central.
Step 4: Assign permission sets to the security group
- On the Security Groups page, select your group and choose Permissions.
- To add one set, use the Permission Set field and pick your custom set (for example
WC-SALES-CLERK). - To add several at once, choose Add multiple and select the sets you want.
- Everyone in that group now inherits those permission sets. To change access for the whole role later, you change it here once.
Step 5: Mind the license, full vs. Team Member
Permissions and licenses are two different gates, and a user has to pass both.
- A Team Member license is intentionally limited: even with the SUPER permission set, a Team Member can read most data but can only make a narrow set of changes (light entries, their own time, basic approvals). It is not a way to give cheap full access.
- A full user (Essential or Premium license) can do everything their permission sets allow.
- So if a user can't do something you think you granted, check the license before you rebuild permissions. The permission set might be fine; the license is the wall.
Don't try to stretch a Team Member license to cover a role that needs to post invoices, edit orders, or run finance. That's a licensing question, not a permissions one, and the answer is the right license, not a creative permission set.
Step 6: Test what a user can actually do, safely
Never find out a permission set is wrong by watching a real user hit a wall. Test first.
- The cleanest test is a non-production environment: in a sandbox copy of your company, assign the user (or a test account) only the security group you're validating, sign in as them, and click around the areas they should and shouldn't reach.
- Confirm the allowed actions work and the disallowed ones are blocked or hidden.
- When it behaves, promote the same setup to production.
Verify it
With your test account holding only the new security group, confirm three things: the user can do their core job (open and edit the right documents), the user is blocked from the sensitive areas you scoped out (for example, vendor bank details or G/L setup), and a brand-new hire added to the matching Entra group inherits the access automatically without you touching Business Central. If all three hold, the model works.
What to do next
Map each role in your company to one security group and one or two permission sets, then make new-hire access a matter of dropping someone into the right Entra group. Review the list of users with SUPER every quarter and trim it to the few who truly need it. If you want help designing the role map, separating duties for an audit or a cyber-insurance questionnaire, or wiring the Entra groups, that's squarely the kind of access cleanup we do with clients.