All insights
ProtectBusiness CentralHow-To Guide

Permission sets and security groups in Business Central: locking down who can do what

Control access in Business Central using permission sets and security groups linked to Entra ID groups, including how to tailor a custom permission set, what the Team Member license can and can't do, and how to safely test a user's access.

Wired CIOJune 16, 2026
The short version
  • Copy a built-in permission set to tailor it so Microsoft updates never overwrite your work.
  • Link a security group to an Entra ID group so new hires inherit access automatically.
  • A Team Member license is capped by design; if access is missing, check the license before permissions.
  • Test access by signing in as a scoped test account in a sandbox before going live.
Bottom line: Define access with tailored permission sets and assign it through Entra-linked security groups, then prove it in a sandbox before anyone relies on it.

Giving everyone the SUPER permission set because it's easier is the access-control equivalent of leaving the office unlocked because keys are a hassle. It works right up until it doesn't. This guide sets up real access control in Business Central, Microsoft's enterprise resource planning (ERP) system for small and mid-sized businesses, using permission sets to define what someone can do and security groups to assign those permissions to people in bulk. By the end you'll have a tailored permission set, a security group linked to a Microsoft Entra ID group (Entra ID is Microsoft's cloud identity service, formerly Azure Active Directory), and a safe way to test exactly what a user can see and do before you turn them loose.

Access hierarchy Entra ID group Security group Permission set User access
Membership flows down: Entra group to security group to permissions to the user.

Before you start

  • You need an admin account with the SUPER permission set in Business Central.
  • It helps to have your people already grouped in Entra ID (for example, a Finance group and a Sales group), since security groups work best when they map to Entra groups you already maintain.
  • Know each person's license. A Premium or Essential license unlocks full functionality; a Team Member license is limited by design no matter what permissions you grant. More on that below.

Step 1: Understand built-in vs. custom permission sets

  1. Choose the search icon, type Permission Sets, and open the page.
  2. You'll see many built-in sets shipped by Microsoft (and your apps), marked with a Type like System or Extension. These are read-only: you can use them but not edit them directly.
  3. The good practice is to leave the built-in sets alone and build your own by copying. That way a Microsoft update never overwrites your tailoring.

Step 2: Copy a built-in set and tailor it

  1. On the Permission Sets page, select a built-in set close to what you want (for example one scoped to sales or finance).
  2. Choose Copy Permission Set, give the copy a clear name like WC-SALES-CLERK, and confirm. The copy has Type = User-Defined, which you can edit.
  3. Open your new set and choose Permissions to see the objects it grants. Adjust the Read, Insert, Modify, and Delete flags per object, or remove objects the role shouldn't touch.
  4. Save. You now have a permission set that grants exactly the access a role needs and nothing more.
Prefix your custom sets

Name your custom sets with a consistent prefix (we use a short company tag like WC-). When you're scanning a long list during an audit, your sets jump out from the dozens of built-in ones, and it's obvious which were made on purpose.

Step 3: Create a security group and link it to Entra ID

Security groups let you assign permissions to many users at once, and linking them to Entra ID means adding someone to the right Entra group automatically gives them the right Business Central access.

  1. Search for Security Groups and open the page.
  2. Choose New. Give the group a Code and Name like FINANCE.
  3. In the Microsoft Entra security group name field, select the matching Entra ID group. (For Business Central online, this is the Entra group; for on-premises it's a Windows group.)
  4. Save. From now on, a licensed user added to that Entra group is automatically added to this security group in Business Central.

Step 4: Assign permission sets to the security group

  1. On the Security Groups page, select your group and choose Permissions.
  2. To add one set, use the Permission Set field and pick your custom set (for example WC-SALES-CLERK).
  3. To add several at once, choose Add multiple and select the sets you want.
  4. Everyone in that group now inherits those permission sets. To change access for the whole role later, you change it here once.

Step 5: Mind the license, full vs. Team Member

Permissions and licenses are two different gates, and a user has to pass both.

  • A Team Member license is intentionally limited: even with the SUPER permission set, a Team Member can read most data but can only make a narrow set of changes (light entries, their own time, basic approvals). It is not a way to give cheap full access.
  • A full user (Essential or Premium license) can do everything their permission sets allow.
  • So if a user can't do something you think you granted, check the license before you rebuild permissions. The permission set might be fine; the license is the wall.
Licensing isn't a permissions problem

Don't try to stretch a Team Member license to cover a role that needs to post invoices, edit orders, or run finance. That's a licensing question, not a permissions one, and the answer is the right license, not a creative permission set.

Step 6: Test what a user can actually do, safely

Never find out a permission set is wrong by watching a real user hit a wall. Test first.

  1. The cleanest test is a non-production environment: in a sandbox copy of your company, assign the user (or a test account) only the security group you're validating, sign in as them, and click around the areas they should and shouldn't reach.
  2. Confirm the allowed actions work and the disallowed ones are blocked or hidden.
  3. When it behaves, promote the same setup to production.

Verify it

With your test account holding only the new security group, confirm three things: the user can do their core job (open and edit the right documents), the user is blocked from the sensitive areas you scoped out (for example, vendor bank details or G/L setup), and a brand-new hire added to the matching Entra group inherits the access automatically without you touching Business Central. If all three hold, the model works.

What to do next

Map each role in your company to one security group and one or two permission sets, then make new-hire access a matter of dropping someone into the right Entra group. Review the list of users with SUPER every quarter and trim it to the few who truly need it. If you want help designing the role map, separating duties for an audit or a cyber-insurance questionnaire, or wiring the Entra groups, that's squarely the kind of access cleanup we do with clients.

Filed under
How-To Guide
Read more insights
Free strategy session

See where you stand. Then move forward.

Book a free intro call. We'll talk through where you are today and map a strategic plan for growth, protection, automation, and alignment.

A 30-minute discovery call, no obligationA full team of specialists at a fraction of in-house costA clear next step before you spend a dollar
Loading scheduler…