Business Central Security Groups: How They Work and When to Use Them

Access management vs permissions. The difference between the two has always been a blurred line in Business Central, with User Groups linked to Permission Sets. Security Groups were introduced in Business Central in the 2023 release wave 1, and user groups were removed entirely in the 2024 release wave 2. Business Central now uses Microsoft Entra ID Security Groups for access management

With that change, Business Central now supports a clear distinction between access management (who can access what) and permissions (who can do what).

Security groups vs permission sets: what is the difference

Permission sets define the detailed actions a user can perform. They control whether someone can read, insert, modify or delete records on specific tables and pages.

Security Groups manage the access layer. You create the group in Microsoft Entra ID and add the users who should be able to log into Business Central. In BC, you then assign permission sets to that Security Group.

Take a warehouse team of 15 people. You add all 15 users to one Entra ID Security Group so they can access the system. In Business Central, you assign the warehouse permission set once to the group. Every team member who has access now inherits the same permissions automatically. When the process changes, you update the permission set in one place. You do not open 15 individual user cards.

Users can belong to multiple Security Groups. You can still assign additional permission sets directly to a user card when someone needs rights that do not fit the group.

In this case, you can create a security group for Admins and one for Managers. The Managers Security Group will grant full access in read and write mode to all companies and environments, while the Admin group will only grant read mode to the live company.

Within the Admin group, you set up the Warehouse team Security Group with read and write permissions that add more privileges to the Admin group.

When working with multiple groups, use the concept of least privileges. You can stack permission sets to add more access to what's defined on groups or for nominated users, but you cannot take away permissions that users inherit from their group. For more info about permissions, check this post.

This separation keeps access management centralised in Entra ID while you control detailed permissions inside Business Central. See how permission sets work in detail in our guide to permission sets in Business Central.

How to set up Security groups in Business Central

Start in Microsoft Entra ID or the Microsoft 365 Admin Centre. Create the group and add the users who need access.

In Business Central, search for Security Groups. Create a new record and enter the exact name of the Entra group. BC pulls the membership automatically.

Next, assign permission sets to the group. Open the group record, choose Assign Permission Set, and select the sets the team needs. Decide whether they apply to one company or all companies.

Users in the Entra group then inherit the permissions. The Members FactBox shows who is included. Changes in Entra ID usually appear in BC within a few minutes.

When to use security groups and when not to

Use Security Groups when you manage 10 or more users who share the same role. Warehouse operatives, accounts payable clerks, or sales order processors are typical cases. They also help when people join or leave frequently or when you need the same access across multiple companies. In these situations, you avoid hours of repetitive work every time roles change.

Skip Security Groups when you have very few users or when each person needs highly unique permissions. They can also make auditing harder if you must prove exact permissions for strict segregation-of-duties requirements. In small teams or sensitive finance setups, assigning permission sets directly to users often stays cleaner.

The test I run on every implementation is simple. If updating one person’s access today would mean touching more than three records, I would build a Security Group. If the team is under five people and permissions rarely change, I assign permission sets directly.

Checking effective permissions and common troubleshooting

After you set up a Security Group, always check what a user can actually do. Open the user card, choose Effective Permissions. This page shows the combined result of all Security Groups plus any direct permissions assigned.

Two issues appear often. Entra ID sync can take up to 15 minutes. Permission sets assigned at the “all companies” level also behave differently from company-specific ones. When a user reports missing access in one company only, double-check the scope you set on the group.

Getting your team up and running on Business Central

Security group configuration is the first step. Getting your team to actually use the system correctly is the second, and the one most organisations underestimate, after go-live.

If you are responsible for BC adoption in your organisation, our Dynamics 365 adoption training programme covers role-based training delivery, train-the-trainer for team leads, and the standard operating procedures your team needs to use BC the way it was configured for your business. Find out more about our adoption training here.