Power Platform Administration

Contents

Power Platform
Administer Power Platform
Overview
Working with the Admin Portals
Support
Get Help + Support
Support overview
Determine your organization ID and name
Manage email notifications to admins
Policies and communications
Notifications explained
Licensing
Overview
About licensing and license management
Manage licenses in your org
Administer without a license
Purchase Power Apps
About Power Apps per app plans
Power Apps and Power Automate licensing FAQs
Requests limits and allocations
Getting started
What's the role of a Power Platform administrator?
Management and monitoring
Power Apps enterprise deployment whitepaper
Try Power Apps and customer engagement apps
Move between your apps
Sign in to your apps
Manage subscription with Microsoft 365 admin center
How do I check my online service health?
Enabling preview features
Unified Interface
About Unified Interface
Enable Unified Interface Only
Update apps to Unified Interface
Enable the hybrid experience
Environments
Manage environments
Environments overview
Create environment
Control environment creation
Change environment type
Add database to environment
Delete environment
Recover environment
Reset environment
Copy environment
Move environment
Back up and restore environment
Administration mode
Customer managed encryption key
Trial environments
Sandbox environment
Project Oakdale environment (Preview)
View apps in your environments
Language collations
Manage updates
Opt in to early access updates
General availability deployment
Manage settings
Power Platform
Common Data Service settings
Environment database settings
Product
Behavior
Features
Enable languages
Privacy preferences
Configure Relevance Search
Business
Business closures
Fiscal year
Connection roles
Manage transactions with multiple currencies
Queues
Customize regional options
Relationship roles
Create or edit a site
Add resources to a site
Users + permissions
Create or edit business unit
Delete business unit
Assign business unit a different parent business
Hierarchy security
Mobile configuration
Positions
Security roles
Teams
Users
Audit and logs
Audit log management
Audit settings
Audit summary view
Entity and field audit settings
System jobs
Templates
Access team templates
Article templates
Contract templates
Data import templates
Document templates
Email signatures
Email templates
Mail merge templates
Email
Email settings
Email tracking
Mailboxes
Server profiles
Integration
Enable server-based SharePoint integration
Document management settings
Manage document suggestions
OneDrive for business
OneNote
Outlook
SharePoint document locations
SharePoint sites
Synchronization
Yammer
Data management
Add ready-to-use business process
Announcements
Auto-numbering prefixes
Automatic record creation policies
Bulk deletion
Data import wizard
Data maps
Duplicate detection jobs
Duplicate detection rules
Duplicate detection settings
Asynchronous processing of cascading transactions
Imports
Sample data
Encryption
Encryption
Resources
All legacy settings
Dynamics 365 for Outlook
System
Overview
General tab
Calendar tab
Formats tab
Auditing tab
Email tab
Marketing tab
Customization tab
Outlook tab
Reporting tab
Goals tab
Sales tab
Service tab
Synchronization tab
Mobile Client tab
Previews tab
On-off switch for Learning Path (guided help)
Advanced environment operations
Environment cleanup process
Power Platform Geos
Multiple online environments or tenants
Administration mode
Support environment
Automation of tasks with PowerShell
Automation of tasks with Power Automate
Manage users
Overview of user security
View active users
Create users and assign security roles
Reset a user's password
Assign licenses to users
Assign service admin role to users
Add users to an environment
Configure user security to resources
Configure user access to an environment
Diagnose user access
View user profile
Assign security roles
About security roles and privileges
Create users and assign security roles
Use service admin roles to manage your tenant
Create or edit a security role
Copy a security role
Create an administrative user
Troubleshoot common user access issues
Assign security roles to a form
Manage user account synchronization
Hierarchy security to control access
Add or remove sales territory members
User session management
Conditional access with Azure AD
B2B collaboration with Azure AD
Analytics
Common Data Service analytics
Power Automate analytics
Power Apps analytics
Storage
What's new for storage
New capacity storage model
Legacy capacity storage model
View self-service capacity
Add-on capacity management
Free up storage space
Resources
Overview
Manage Dynamic 365 apps
Manage Power Apps
Manage Power Automate flows
Portal administration
Activity logging
Power Apps activity logging
Data loss prevention activity logging
Audit data and user activity for Dynamics 365 entities
Common Data Service and model-driven apps
PowerShell support for Power Apps
About PowerShell support
Automation of tasks with PowerShell
Data loss prevention SDK
Requirements
Requirements/supported configurations
Internet accessible URLs required
Required URLs for North America-based organizations
Required URLs for South America-based organizations
Required URLs for Europe, Africa, and Middle East-based organizations
Required URLs for Asia/Pacific area-based organizations
Required URLs for Japan-based organizations
Required URLs for India-based organizations
Required URLs for Canada-based organizations
Required URLs for Oceania-based organizations
Required URLs for Dynamics 365 US Government-based organizations
Required URLs for United Kingdom-based organizations
Plan for deployment and administration
Supported web browsers and mobile devices
Web application requirements
On-premises server cipher suites and TLS requirements
Security
Overview
Governance considerations
Security concepts in Common Data Service
System and application users
Configure user security
How access to records is determined
Email exfiltration controls for connectors
Configure environment security
Control user access to environments
Restrict cross-tenant access
Data loss prevention policies
Create a DLP policy
Manage DLP policies
Data loss prevention SDK
Configure field-level security
Overview
Set permissions for a field
Enable or disable field security
Add teams or users to field security profile
Configure teams and team templates
Manage teams
Team templates
Team templates for access rights
Encryption
Encryption
Manage encryption key
SharePoint and Power Apps
Manage your documents using SharePoint
SharePoint document management software requirements
Setup
Set up customer engagement apps to use SharePoint online
Configure server-based authentication with SharePoint on-premises
Configure
Enable SharePoint document management for specific entities
Edit existing SharePoint site records
Create and edit document location records
Permissions required for document management tasks
Troubleshoot
Troubleshooting server-based authentication
Troubleshoot set up with SharePoint online
Troubleshooting document management issues
Known issues with document management
Application lifecycle management
Data integration
Integrate data into Common Data Service
Data Integrator Error management and troubleshooting
Data sources and gateway clusters
Preview: About on-premises gateway
Preview: On-premises data gateway management
Preview: Data source management
Manage data
Add or remove sample data
Import data
Template for data import
Merge data
Detect duplicate data
Detect duplicate records
Duplicate detection rules
Turn duplicate detection rules on or off
Bulk duplicate detection
Bulk deletion
View and take action on bulk deletion jobs
Monitor and manage system jobs
Remove user personal data
Recover database space by deleting audit logs
Enable change tracking to control data synchronization
Replicate data to Azure SQL Database
Move configuration data
About moving configuration data
Create a schema to export configuration data
Configure date settings for demo data
Modify a configuration data schema
Import configuration data
Deploy packages using Dynamics CRM Package Deployer and Windows PowerShell
Work with templates
Article templates
Email templates
Mail merge templates
Excel templates
Word templates
Troubleshooting Word templates
Integrate (synchronize) your email system
Overview
Deploy Dynamics 365 App for Outlook
Enable accessible email flow
Server-side sync overview
About server-side sync
Supported email service configurations
Set up server-side sync
Overview
Connect to Exchange Online
Connect to Exchange Server (on-premises)
Connect to POP3 or SMTP servers
Connect to IMAP or SMTP servers
Connect Gmail accounts using OAuth 2.0
Troubleshooting and monitoring server-side synchronization
When would I want to use this check box?
Error logging for server-side synchronization
Best practices for server-side synchronization
Create forward mailboxes or edit mailboxes
Configure Outlook or Exchange folder-level tracking
Use Outlook category to track appointments and emails
Track Outlook email by moving it to a tracked Exchange folder
Set incoming and outgoing email synchronization
Choose records to synchronize with Exchange
Control field synchronization with Outlook
How field security affects synchronization with Outlook
What fields can be synchronized with Outlook?
View the fields that are synchronized with Outlook
Frequently asked questions about synchronizing records
Set personal options that affect tracking and synchronization
Monitor email processing errors
Why does the email sent have a "Pending Send" status?
Email message filtering and correlation
Forward mailbox vs. individual mailboxes
Recover from Exchange Server failure
Extend with integration and solutions
Manage Bing Maps
Enable Power Automate integration
Preview feature: Live Assist powered by Café X
Use Power BI
Install, update, or remove a preferred solution
Add Microsoft 365 Online services
Overview
Connect to Exchange Online
Connect to SharePoint Online
Set up Microsoft Teams integration
Skype for Business and Skype integration
Set up Skype or Skype for Business
Deploy Microsoft 365 Groups
Enable viewing profile cards
Set up OneNote integration
Enable OneDrive for Business (online)
Enable OneDrive for Business (on-premises)
Connect to Yammer
Performance tuning and optimization
Overview
Verify network capacity and throughput for clients
Data query performance
Compliance and data privacy
GDPR - Responding to DSR requests
System-generated logs
Data integrations for Common Data Service
Power Apps customer data
Overview
Export data
Delete data
Common Data Service customer data
Power Apps US Government
Datacenter regions
Australia
Canada
China
About China datacenter
Business applications availability
21 Vianet support
France
Germany
India
Japan
Dynamics 365 US Government
Dynamics 365 US Government - Feature availability
Geo to geo migrations
Partners
Add a Partner of Record
For partners: get credit when customers subscribe
For partners: Delegated Administrator
Administer Power Apps
Environments
Edit environment properties
Create an environment in Power Apps
Working with environments and Power Apps
Manage environments in Power Apps
Troubleshooting Unblock required URLs
Power Apps Preview Program
Administer Power Automate
Administer Power BI
Administer customer engagement apps in Dynamics 365
Overview
Overview
Sales territories
Define subjects to categorize cases, products, and articles
Enhanced service level agreements
Manage product catalog configuration
Rich text experience for appointment activities
Reference: Videos and PowerPoint presentations
Important changes (deprecations) coming
International availability
Adoption best practices
Center of Excellence (CoE) Kit
Administer Power Platform
10/16/2020 • 2 minutes to read

The Power Platform admin center provides a unified portal for administrators to manage environments and
settings for Power Apps, Power Automate, and customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation).

Power Platform admin center capabilities


Currently, the admin center provides the following capabilities.

FEATURE | DESCRIPTION
Environments | View, create, and manage your environments. Select an environment to see details and manage its settings. More information: Manage environment settings
Analytics | Get a detailed view of key metrics for Power Platform apps. More information: Common Data Service analytics
Resources | More information: View and manage resources
Help + support | Get a list of self-help solutions or create a support ticket for technical support. More information: Get Help + Support
Data integration | More information: Integrate data into Common Data Service
Data gateways | More information: Set up data transfer between on-premises data and cloud services
Data policies | More information: Create and manage data loss prevention policies.

See also
Working with the admin portals
Reference: Videos and PowerPoint presentations
Working with the admin portals
10/16/2020 • 2 minutes to read

In a perfect world, as an administrator you would only visit a single portal to perform all your administrative tasks,
but given the scope and breadth of the different products involved and their differing release cycles, there are
multiple portals with which you will interact. The following table outlines the different portals and the most common
tasks you perform there.

PORTAL | COMMON TASKS
Power Platform admin center (https://admin.powerplatform.microsoft.com) | The new unified administrative portal for Power Platform admins. Currently this portal can be used for Common Data Service environment management, to submit Dynamics 365 and Microsoft Power Automate focused support tickets, and to view Power Apps and Power Automate admin analytics. The following admin experiences have now migrated and been replaced by the Power Platform admin center: 1. Power Apps Admin Portal, 2. Power Automate Admin Portal, 3. Business platform admin center, 4. Dynamics 365 admin center
Power Apps admin center | You now use the Power Platform admin center.
Power Apps maker portal (https://make.powerapps.com) | This portal is focused on building Power Apps but can also view and manage Common Data Service components, manage connectors and gateways. You can also see application statistics from details on apps here.
Power Automate admin center (https://admin.flow.microsoft.com) | You now use the Power Platform admin center.
Business platform admin center (https://admin.businessplatform.microsoft.com) | You now use the Power Platform admin center.
Dynamics 365 admin center (https://port.crm.dynamics.com/G/manage/index.aspx) | You now use the Power Platform admin center.
Environment Management (https://port.crm.dynamics.com/G/Instances/InstancePicker.aspx) | You now use the Power Platform admin center.
Microsoft 365 admin center (https://admin.microsoft.com/AdminPortal) | Here you will manage users and their license assignment as well as you can launch into many of the individual admin centers from here.
Microsoft Azure (https://portal.azure.com) | Advanced Azure AD management tasks like conditional access is managed here. Also if you support any developer application registration it is also done here. This is also where you start setup of your on-premises gateways.
Security and Compliance Center (https://protection.office.com) | In addition to the general compliance tasks, administrators can come here to search the Audit log to see Power Automate audit events

Over the near-term future we will see consolidation of the Power Apps, Power Automate, and the Dynamics 365
administration portals into a more unified administrative portal experience. For partners helping their customers
manage their cloud services using delegated administration capabilities you will not be able to use delegated
access to the Power Apps and Power Automate portals. Currently, you would need to have a user in the customer's
tenant and assign that user a Power Apps plan.
Get Help + Support
10/16/2020 • 2 minutes to read

Admins can use the Help + support experience in the Power Platform admin center to get self-help solutions in
real-time for their issue. If the issue can't be resolved through self-help, you can use the same Help + support
experience to contact a Microsoft support representative.
An example of solutions provided for Dynamics 365 App for Outlook issues:

Prerequisites
You have a security role that is enabled for creating support requests. Users having one of these security
roles can create support requests:
AAD Role Admin
Power Apps Full Admin
Power Apps Environment Admin (Environment Admin, System Admin)
Company Admin
Billing Admin
Service Admin
CRM Service Admin
Power Platform Admin
Security Admin
CRM Organization Admin
Partner Delegated Admin
SharePoint Admin
Teams Admin
Exchange Admin
Power BI Admin
Compliance Admin
Helpdesk Admin
For the following support plans:
Subscription Support
Enhanced Support
Professional Direct Support
Premier Support
Unified Support

NOTE
In the following cases, you might not be able to create a support request or we can't provide relevant solutions:
There is an issue with your Premier Support contract. Please contact your Technical Account Manager (TAM).
Your Support subscription has expired. Please renew.
We couldn't find your Support plan.
If you have a Premier Support plan, please contact your Technical Account Manager (TAM).
If you have a non-Premier Support plan, please verify the plan is active. For support information, see Community
Forums.

View solutions or enter a support request through the new support center
1. Sign in to the Power Platform admin center with your admin credentials.
2. Select Help + support > New support request.

3. Select the product with the issue. Fill in the problem type, a description of the issue, and then select See
solutions.
Based on the information you provided, you'll see a list of possible solutions to your issue. Select the
relevant solution and see if the content can successfully guide you to a fix.
4. If the guidance doesn't resolve your issue, scroll down and select Create a support request and fill in the
fields in the form pages.

NOTE
If you have one of the plans listed in Prerequisites, you can set the severity to a higher level than Minimal.

5. If you have a Premier support plan, select Yes for File as a Premier support request? and fill in the
fields. If you don't know your access or contract ID, please contact your service admin or Technical Account
Manager (TAM).

NOTE
For Contract ID/Password, please enter your Premier contract ID.
The Contract ID/Password defaults to the Premier contract ID. If you have changed the password when registering
online in the Premier portal, you should use the updated password instead of the contract ID.

Once you submit your request it will appear in the list of support requests.

You can check the status and edit your request on this page.

Limited Preview: Report outage


We're rolling out a new Preview feature to a limited set of customers to try out. If you're experiencing a service
outage, we want your support request to get more timely review and action. Select the Report outage link to
report the outage. If you don't see this link, don't worry! We'll be bringing this feature to all customers in the
future.

Fill out the pages and then submit to have your support request receive an expedited review.
We'd love to know your thoughts on the new outage reporting process. Or, if you'd like to be considered for this
limited Preview, please fill out this form.
See also
Support overview
How do I check my online service health?
Support overview
10/16/2020 • 18 minutes to read

About support
Where is support available?
Support is available in markets where Common Data Service services are offered. Some specific services might
not be covered in all regions immediately after general availability (GA).
For which languages does Microsoft provide support?
Microsoft provides support in English globally and provides additional languages within certain regions. These
additional languages include: Japanese, Spanish, French, German, Italian, Portuguese, Traditional Chinese, and
Simplified Chinese.

ENGLISH | JAPANESE | SPANISH, FRENCH, GERMAN, ITALIAN, PORTUGUESE | TRADITIONAL CHINESE, SIMPLIFIED CHINESE
* Provided globally all day, every day | * Provided to customers in Japan all day, every day | Available to customers in Europe/Middle East/Africa regions during those regions' business hours. Spanish/Portuguese available to customers in South America during that region's business hours | Available to customers in Asia/Pacific region during that region's business hours

*24/7 (all day, every day) support is available based on issue severity and your support offering.

NOTE
Translation services might be available to assist with additional languages outside normal business hours.

Do I get 24/7 support?


Microsoft provides all day, every day support for all Severity A issues and might provide all day, every day
assistance for issues of other severity based on your support offering.
For those issues that do not qualify for all day, every day support, Microsoft provides assistance during local
business hours only.
What hours are considered local business hours for support?
For most countries and regions, business hours are from 9 AM to 5 PM weekdays (weekends and holidays
excluded). For North America, business hours are defined as 6 AM to 6 PM Pacific Time, Monday through Friday,
excluding holidays. In Japan, business hours are from 9 AM to 5:30 PM weekdays.
Do I need a support plan if I need assistance with a technical issue?
Yes, you need a support plan to receive one-on-one technical support. Some subscriptions include subscription
support plans. You can find more information about the existing support plans at Support Plans. The following
table outlines the best way to submit a new support request based on your product or service and customer
support plan. Microsoft partners should use the Partner Center portal or the support option listed in the table, as
applicable.
SUBSCRIPTION (INCLUDED) | PROFESSIONAL DIRECT | PREMIER SUPPORT | UNIFIED SUPPORT
Customer engagement apps (such as Dynamics 365 Sales and Customer Service) and AI apps including mixed reality apps and Insights apps | Power Platform admin center
Finance and Operations (online and on-premises) | Lifecycle Services
Dynamics 365 Business Central | Support is provided through partners only. Contact your Cloud Solution Provider (CSP) for assistance.
Software Assurance | Advantage/Advantage+ | Premier Support | Unified Support
Dynamics Support for Business | Services Hub

What support is included with a support plan?


We have designed our support plans to meet different business needs. All support plans provide access to
Technical Support for break-fix issues. Higher tiers of support plans offer Technical Support on an all day, every
day basis, faster initial response times and access to Advisory Support, and other benefits. You can find more
information about the existing support plans at Support Plans.
Customer engagement apps are covered by the Subscription, Professional Direct, Premier, and Unified support
plans.
What is a break-fix issue?
Break-fix issues are technical problems you experience while using services. "Break-fix" is an industry term that
refers to "work involved in supporting a technology when it fails in the normal course of its function, which
requires intervention by a support organization to be restored to working order."
How functionality works is not considered a break-fix issue but is more closely related to training. These "how-
to" questions involve a transfer of knowledge and can often be answered by reviewing product documentation,
raising a question in online community forums, or contacting a knowledgeable individual such as a partner.
While there might be some elements of knowledge transfer involved in solving a break-fix issue, in general,
assisted training is not included in support plans.
How does Professional Direct Limited Advisory support compare to Premier Advisory support?
Professional Direct (ProDirect) Limited Advisory support provides you access to Support guidance based on (1)
publicly available, best practices documentation regarding customer engagement apps and (2) information from
the Dynamics 365 Forums. ProDirect advisors offer you support based on their access to Microsoft
documentation, to the support engineers, and also to the product group. Best practices guidance might include:
Planning for deployments and migrations.
Boosting performance.
Improving reliability and recoverability.
Enhancing security.
ProDirect, however, is more limited than Premier Advisory Support. ProDirect advisors do not provide detailed
advisory assistance specific to an individual customer, such as design, architecture, or code reviews; detailed
instructions for application or configuration tuning (for example, performance tuning); or the verification of
specifications. ProDirect does not provide onsite support or engage in implementation activities such as, but not
limited to, coding or configuration for customer development or deployment.
What is a preview (beta) service or feature?
Microsoft may provide access to customer engagement apps preview, beta, or other prerelease features, services,
software, or regions, to obtain feedback and for evaluation purposes. There are many different kinds of preview
services and features, with service availability and program access being the biggest differentiators:
Public Preview : Made available to subscribers through the Power Platform admin center, these services are
intended to give subscribers an early look into what is coming and a chance to test upcoming services and
features.
Private Preview : Provided only to a small subset of customers, in direct contact with the engineering teams,
focused on direct and constant feedback during the development phase of a service.
Limited Preview : A fixed and limited number of customers can have access to this preview program, and once
a maximum threshold is met, no more users are allowed into the program.
When Microsoft offers you early access to customer engagement apps preview services and features, these
preview services and features are subject to reduced or different service terms as set forth in your service
agreement and the preview supplemental terms. Preview services and features are provided "as-is," "with all
faults," and "as available," and are excluded from the Service SLAs or any Limited Warranties provided by
Microsoft for services released to general availability (GA), and are made available to you on the condition that you
agree to these terms of use, which supplement your agreement governing use of customer engagement apps.
Do support plans cover preview (beta) services or features?
Support for customer engagement apps services and features is provided only for "generally available"
programs—see the previous question. Public preview and/or beta services may be supported through our
forums or other channels.
Any technical support for a public preview service or feature is limited to break-fix scenarios and is available
only in English with no 24/7 support available.

Using Support
How do I contact Support?
You get easy access to model-driven apps in Support by selecting the portal from the following table that
matches the product for which you need assistance. Microsoft partners should use the Partner Center portal or
the Premier support path listed in the table, as applicable.

SERVICE | SUPPORT PORTAL
Customer engagement apps and AI apps including mixed reality apps and Insights apps | Power Platform admin center
Finance and Operations (online and on-premises) | Lifecycle Services
Dynamics 365 Business Central | Support is provided through partners only. Contact your Cloud Solution Provider (CSP) for assistance.
Product | Dynamics Support for Business or Premier Support
Why is submitting a request online the preferred method of contacting Support?
Submitting support requests online allows us to deliver fast and deep technical expertise in the most effective and
efficient manner possible. Due to the detailed nature of the requests, it is much easier to provide relevant
information online, compared to reading this information over the phone. This model also eliminates unproductive
hold time and provides instead a simple, intuitive online process. As a result, customer problems are routed more
quickly, to the most qualified engineer.
Is there a phone number I can call to contact Support?
Contacting Support over the phone will not speed up the processing of your request, and you will get a much
better and faster experience by contacting support via the correct support portals listed earlier in this topic. If you
cannot submit a request online, you can find a local support number from our list of regional Global Customer
Service Centers.
How do I submit a support request?
Access to technical support is provided through one of the support plans included with customer engagement
apps or through one of the premium support plans. Submit a technical support request from the correct
support portal for the product or service for which you need assistance (see the table earlier in this topic). To
begin the support-request submission process:
From the Power Platform admin center, select Help + support from the left navigation pane and then New
support request from the top navigation.
From the Lifecycle Services portal, choose a project, select Support from the option list, and then select
Submit an incident.
From Support for Business, select the Dynamics 365 product family followed by the specific Dynamics 365
product or service for which you need help.
From the Premier Portal, select New support request from the Support requests page navigation, enter your
access ID and password or select your associated access ID, and proceed with your submission.
Access to subscription management and billing support is included with your subscription. To open a Billing
and Subscription Management support request, sign in to the Microsoft 365 Portal, select the Admin app, and
select the Support – New Support Request option from the left navigation. This provides access to the
Need Help? pane, where you can type your Subscription Management question. If the recommended articles
do not address your issue, select the Contact Support link at the bottom of the Need Help? pane and
provide the additional information needed to submit the support request.
How do I submit a support request if I cannot sign in to the support portal for my product or service?
If you cannot submit a support request online, you can find a local support phone number from our list of regional
Global Customer Service Centers.
How do I get support if I don't have a subscription yet, and I get an error message while creating one?
You can open a Subscription Management support request through the Microsoft 365 Admin Portal, as long as
you have Power Platform admin sign-in credentials to the portal. To open a Subscription Management support
request, sign in to the Microsoft 365 Admin Portal, select the Admin app, and select the Support – New Support
Request option from the left navigation. This provides access to the Need Help? pane, where you can type your
Subscription Management question. If the recommended articles do not address your issue, select the Contact
Support link at the bottom of the Need Help? pane, and provide the additional information needed to submit
the support request.
Who can submit a support request?
Any users with the Power Platform admin roles on the tenant containing the subscriptions can submit a support
request. End users are not enabled for opening a support request and will need to have their permissions elevated
within the tenant to accomplish this task. There is no alternative to this experience.
How do I authorize another person to submit support requests for a particular subscription?
To grant permission, you must have a Power Platform admin role on the tenant that contains the subscription.
Assign the Service Administrator role to all users who want to create and manage support requests for that given
tenant but do not require other permissions. Learn more about role assignments in the portal.
I am developing applications on behalf of my client or assisting my client who is running customer engagement
apps. How do I get support?
You can get support in two ways:
Being an administrator of your customer's tenant, you can use or purchase a Support plan for that account, as
any subscription you own under the same account is covered by the same support plan. You can also use your
Partner benefits (for example, Advanced Support for Partners or Microsoft Partner Network Support) to submit
a support request.
Get support using your customer's account. To do so, the Partner (you) must have administrator or owner
privileges to the customer's subscription, most often through being a Delegated Administrator on the tenant.
The Partner can then use the customer's subscription, or the Partner can use their Support Benefits (for
example, Advanced Support for Partners or Microsoft Partner Network Support) to submit a support request.
What is Initial Response Time, and how quickly can I expect to hear back from someone after submitting my
support request?
Initial Response Time is the period from when you submit your support request to when a Microsoft Support
Engineer contacts you and starts working on your support request. The Initial Response Time varies with both the
support plan and the Business Impact of the request (also known as Severity). Initial Response Times are calculated
using business-hours support for subscription-based support. Elevated support plans will contain non–business
hours response times.

Severity level | Customer's situation | Initial response time
Critical | Critical business impact. Customer's business has significant loss or degradation of services and requires immediate attention. | Unified Core/Advanced: < 1 hour, 24/7; Unified Performance: < 30 minutes, 24/7
Severity A | Critical business impact. Customer's business has significant loss or degradation of services and requires immediate attention. | Subscription: < 1 hour, 24/7; ProDirect: < 1 hour, 24/7; Premier: < 1 hour, 24/7
Severity B | Moderate business impact. Customer's business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner. | Subscription: < 4 hours; ProDirect: < 2 hours; Premier: < 2 hours, 24/7
Standard | Standard business impact. Customer's business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner. | Unified Core: < 8 hours, 24/7; Unified Advanced/Performance: < 4 hours, 24/7
Severity C | Minimum business impact. Customer's business is functioning with minor impediments of services. | Subscription: < 8 hours; ProDirect: < 4 hours; Premier: < 4 hours

How quickly will you resolve my support request?


Microsoft is committed to assist you in resolving your issue as soon as possible. Sometimes that means focusing
efforts on reducing the business impact and mitigating any negative impact to your operation, before moving to a
full solution. Therefore, we make a commitment to Initial Response Time and working with you until the impact of
your issue is mitigated, having no direct SLA for support request resolution. The time it takes to troubleshoot and
resolve a support request varies greatly based on the specifics of the issue. We will work with you to get the issue
resolved as fast as possible. This applies to all levels of support.
I'm running a non-Microsoft technology with customer engagement apps or a custom application built using
Open Source Software (OSS). Does my plan support it?
Microsoft offers customers the ability to run non-Microsoft technologies along with customer engagement
apps. For all scenarios that are eligible for support through a Support plan, Microsoft Support will help in
isolating the issue between the environment and your custom application.
Full technical support will be provided if the issue is determined to be caused by a service or platform.
Commercially reasonable support will be provided to all other scenarios. When an adequate solution to your
issue is not achieved, you might be referred to other support channels that are available for the non-Microsoft
software.
How do I get support during an outage or Service Interruption Event (SIE)?
View the service health in Microsoft 365 at a glance. You can also check out more details and the service health
history.
Use Message center in Microsoft 365 to keep track of upcoming changes to features and services. We post
announcements there with information that helps you plan for changes and understand how they might affect
users.
Finally, if service health and Message center do not show any active or recent service issues, contact support
using your technical support plan.
Which support plan do I need in order to request a Root-Cause Analysis (RCA)?
Technical support does not conduct RCAs as part of any support experience. If any RCA is conducted, the
engineering team will conduct the RCA. RCAs are only provided to published service-related incidents when
multiple customers or services are not available. Any RCA created will be published through the Microsoft 365
Message center and will not be emailed directly to Power Platform admins. These published RCAs are only
available in English. Any other request for an RCA to a specific scenario impacting your tenant will not be honored
by the engineering team.

Purchasing and billing


How do I purchase Support?
Support plans may be purchased either online or through an Enterprise Agreement. The Professional Direct
support plan is available online through the Microsoft 365 Admin Center. You must be the Power Platform
admin or owner to purchase a support plan.
If you purchase customer engagement apps through an Enterprise Agreement (EA), you can add a Professional
Direct support plan to your Enterprise Agreement by contacting your Large Account Reseller (LAR).
When will I be billed for Support?
When you purchase a Support plan online, you will be charged immediately for the first month. You will be
charged the monthly amount on the first day of each subsequent billing cycle. Enterprise Agreement (EA)
purchases will follow the agreement billing cycle.
What happens at the end of the term?
At the end of your term, your plan will automatically renew to the same Support plan, using the same payment
method.
How do I change or cancel my Support plan?
Manage your support plan subscriptions through the Microsoft 365 Admin Portal.
To change your support plan, first cancel your existing support plan, and then purchase a new support plan.
To cancel your support plan, select the support plan subscription that you want to cancel, and then select
Cancel subscription. Learn more by reviewing this article.
If you still have questions, open a new support request with the Billing team in the Microsoft 365 Admin Portal.
Support requires commitment for the duration of the subscription term. Cancellation will not result in a prorated
refund.

Support for Enterprise Agreement (EA)


How do I purchase a Support plan under an Enterprise Agreement?
Enterprise Agreement (EA) customers can purchase Dynamics 365 ProDirect and Premier technical support
through their reseller.
How do I upgrade to a higher-tier Support plan?
Enterprise Agreement (EA) customers can purchase an upgrade to move from Subscription to Professional Direct,
where available. To purchase the upgrade, contact your Large Account Reseller (LAR).
I have multiple EA enrollments. Do I need a support plan for each EA enrollment?
Yes, each EA enrollment requires a separate support plan. If you have one Support plan and multiple EA
enrollments, then support is only covered under the enrollment the support plan is tied to. Please note that if you
have multiple subscriptions under a single EA enrollment with a support plan, then all those subscriptions will
have access to Technical Support.

Support for Premier


How do I submit a support request using my Premier contract?
Power Platform admin center (PPAC) and the Lifecycle Services (LCS) are designed to recognize and entitle Premier
and Unified Access IDs.
In PPAC: You can link your Premier contract to your account by entering your Premier Access ID and Contract ID
information in the Power Platform admin center, which you can do by selecting Help + Support and turning on
the Premier support toggle in the new incident submission experience. This is a one-time process, and your
Premier contract information will be saved with your account, being accessible from all subscriptions where you
have Owner/Administrator privileges.
In LCS: You can link your Premier contract to your account by selecting a project within LCS. Select the Support
option from the drop-down menu, and then select Manage Contracts. This is a one-time process, and your
Premier contract information will be saved for use with any support incident you create in LCS.
Contact your Technical Account Manager (TAM) if you don't have your access ID and contract ID information.
Although Premier customers can continue to use the Microsoft Premier Online portal or phone channels to submit
a support request, using the Power Platform admin center or Lifecycle Services has a number of significant
advantages, including:
Self-help content to find answers to known issues quickly.
Faster resolution, thanks to a Dynamics 365–specific submission experience.
Ability to create Severity A/1 cases online.
Providing you with in-context help regarding the issue you're facing.
How do I purchase a Premier support contract?
To purchase Premier support, you should contact your Microsoft Account Manager. If you are not sure who to
contact, please submit a request through the Premier contact form.
What if I already have a Premier contract, and I want to learn more about how to get the most from it?
Contact your Technical Account Manager (TAM) to discuss options for best using your existing Premier support
agreement or rightsizing your Premier agreement to better suit your needs. You can find your TAM's name and
contact information on the Microsoft Premier Online portal.
Can Partners use the Premier Support for Partner (PSfP) contract for Support?
Yes, Partners with Premier Support for Partners (PSfP) contracts are able to use their benefits to get Support for
their internal needs, as well as to assist their customers, as long as the Partner has been delegated admin/owner
access to their customer's subscription. See the FAQ earlier in this section on how to submit a support request
using your Premier contract.

Support for Partner


I have a Microsoft plan (such as MSDN, BizSpark or TechNet) that includes as a benefit a number of technical
support requests. Can I use those for Customer Engagement (on-premises) technical support?
Yes, if you are eligible for these benefits and have activated your support access on the Visual Studio subscription
portal. If you have these benefits, then from New support request, select Add contract under the Support Plan
– Add or purchase a support plan step, and enter your access ID and contract ID information to proceed.
Determine your environment's organization ID and name
10/16/2020 • 2 minutes to read

There are two ways to find your organization ID and name.

Using Advanced Settings


1. Go to Settings > Advanced Settings.

2. Go to Settings > Customizations > Developer Resources.


3. Under Instance Reference Information, make note of ID and Unique Name. Unique Name is the
organization name.

Using the web app


1. In the web app, go to Settings > Customizations > Developer Resources.
2. Under Instance Reference Information, make note of ID and Unique Name. Unique Name is the
organization name.

The organization ID and unique name


Manage email notifications to admins
10/16/2020 • 2 minutes to read

The service team regularly sends email notifications to the administrators in your organization. Now, using new
cmdlets for the Power Platform admin center, you have control over who should receive these email communications.
As an administrator, you can set up a list of additional recipients that you choose. For example, you can add to the
list of recipients:
People outside of your organization, such as your partners.
People inside and outside of your company.
If you have been added as an additional recipient, and you want to stop receiving email notifications, please
contact your admin. If you’re not sure who your admin is, see: Find your administrator or support person.
For a complete overview of Cmdlets, see PowerShell support for Power Apps.

Obtain a list of email addresses to be notified


If you need to pull a list of email addresses that will receive admin notifications, use the
Get-AdminPowerAppCdsAdditionalNotificationEmails cmdlet. It returns the email addresses of users, other than default
admins, linked to an environment that receive notifications.

Send email notifications to multiple recipients


By default, admins will receive update notifications. You can add others to receive update notifications using the
Set-AdminPowerAppCdsAdditionalNotificationEmails cmdlet. It will allow you to set email addresses of users linked
to an environment, other than default admins, that should receive notifications.
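Because the additional-recipient list can include people outside your organization, it is worth reviewing periodically. The following is an added example, not part of the original documentation: it lists the additional recipients for every environment and flags addresses outside an approved set of domains. The domain list and the two helper function names are assumptions for illustration, as is the expectation that the Get cmdlet returns plain address strings when called with -EnvironmentName.

```powershell
# Added example: audit who receives admin notifications in each environment.
# Prerequisites: the Microsoft.PowerApps.Administration.PowerShell module and
# an authenticated admin session (Add-PowerAppsAccount).

# Assumption: domains your organization treats as approved (placeholder values).
$ApprovedDomains = @('contoso.com', 'contoso.onmicrosoft.com')

# Hypothetical helper: returns $true only when the address has exactly one '@'
# and its domain is listed in $Domains. Subdomains must be listed explicitly.
function Test-ApprovedRecipient {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string[]]$Domains
    )
    $parts = $Address.Trim().Split('@')
    if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[0]) -or
        [string]::IsNullOrWhiteSpace($parts[1])) {
        return $false   # malformed addresses are never treated as approved
    }
    # -contains compares strings case-insensitively
    return ($Domains -contains $parts[1])
}

# Hypothetical helper: one output row per (environment, additional recipient).
function Get-NotificationRecipientAudit {
    param([string[]]$Domains = $ApprovedDomains)

    foreach ($environment in Get-AdminPowerAppEnvironment) {
        try {
            # Assumption: the cmdlet returns the addresses as strings.
            $recipients = @(Get-AdminPowerAppCdsAdditionalNotificationEmails `
                    -EnvironmentName $environment.EnvironmentName)
        }
        catch {
            # Environments the call fails for are reported and skipped.
            Write-Warning "Could not read recipients for $($environment.DisplayName): $_"
            continue
        }

        foreach ($recipient in $recipients) {
            if ([string]::IsNullOrWhiteSpace($recipient)) { continue }
            [pscustomobject]@{
                Environment     = $environment.DisplayName
                EnvironmentName = $environment.EnvironmentName
                Recipient       = $recipient
                Approved        = Test-ApprovedRecipient -Address $recipient -Domains $Domains
            }
        }
    }
}

# Unapproved recipients sort first so they are reviewed first.
Get-NotificationRecipientAudit |
    Sort-Object Approved, Environment |
    Format-Table -AutoSize

# After review, the reviewed list for an environment can be written back with
# Set-AdminPowerAppCdsAdditionalNotificationEmails, passing -EnvironmentName and
# -AdditionalNotificationEmails with the addresses that should remain.
```

Export the result with Export-Csv instead of Format-Table when the review needs to be kept as a record.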
Policies and Communications for service incidents
10/16/2020 • 8 minutes to read

Introduction
Microsoft regularly communicates work done to maintain and update Dynamics 365, Power Platform (Power Apps,
Power Automate, Power Virtual Agents, and other services) and all integrated Apps to ensure security, performance,
availability, and to provide new features and functionality. Microsoft also communicates details of service incidents
including the potential user experience, the start and end times of the incident, and any workaround that may be
available. For each of these activities, communication is provided through the Microsoft 365 Admin center in the
Message Center, and the Service health dashboard. From time-to-time, Microsoft may also send direct email to
users with the System Administrator role in a specifically impacted environment. For example, during a service
incident we attempt to deliver an organization-specific email to impacted System Administrators.
If you’re not sure who your admin is, see Find your administrator or support person.
If you want to add additional recipients who receive email communications, see Manage email notifications to
admins.
If you’re an admin, you can also see the latest status of updates and incidents in the Microsoft 365 service health
page. To learn how to get to the Microsoft 365 service health page, see View the status of your services.

Scheduled system updates


The service teams regularly perform security updates and minor service updates on a weekly basis. There are also
two major events in April and October that are delivered through the weekly update mechanism, and details can be
found in the Business Applications Release Notes.
Security updates
The service teams regularly perform the following to ensure the security of the system:
Scans of the service to identify possible security vulnerabilities
Assessments of the service to ensure that key security controls are operating effectively
Evaluations of the service to determine exposure to any vulnerabilities identified by the Microsoft Security
Response Center (MSRC), which regularly monitors external vulnerability awareness sites
The teams identify and track any issues found, and take swift action to mitigate risks when necessary.
How do I find out about security updates?
Because the service teams strive to apply risk mitigations in a way that doesn’t require service downtime,
administrators usually don’t see Message Center notifications for security updates. If a security update does require
service impact, it is considered planned maintenance, and will be posted with the estimated impact duration, and
the window when the work will occur.
For more information about security, see Trust Center.
Major release events
We are transforming how we do service updates. We will deliver two major release events per year (April and
October), offering new capabilities and functionality. These updates will be backward compatible, so your apps and
customizations will continue to work post update. New features with major, disruptive changes to the user
experience are off by default. This means administrators will be able to first test then enable these features for their
organization.
In addition to the two major updates, we will continue to deploy regular performance and reliability improvement
updates throughout the year. We are phasing deployments over several weeks following safe deployment practices
and monitoring updates closely for any issues. Notifications about when the major release events are enabled in
each geographic region are published in the Message Center.

IMPORTANT
Be sure to check out Opt in to early access updates for important information about updating to the latest version.

How do I find out about Major release events?


To find out what’s new and how to prepare for the next release, check the Business Applications Release Notes.
Minor service updates
Minor service updates contain customization changes to support new features, product improvements, and bug
fixes. They are deployed on a weekly basis, region-by-region, according to a “Safe Deployment Process” we have
defined. Each week, every region gets:
An updated deployment, starting with our “First Release” region
A Message Center notification is published that details when the deployment will be delivered into the
environment
A link to the Weekly Release Notes that contain the list of fixes that are included
A list of service updates can be found on our Version Availability page.

System maintenance
Planned maintenance
Planned maintenance includes updates and changes to the service to provide increased stability, reliability, and
performance. These changes can include:
Hardware or infrastructure updates
Integrated services, such as a new version of Microsoft 365 or Azure
Service changes and software updates
Minor service updates that occur several times per year. See Service updates.
Maintenance timeline
To limit the impact on users, the maintenance window is planned according to the region where environments are
deployed. The following list shows the maintenance window for each region. The times are shown in Coordinated
Universal Time (UTC, which is also known as Greenwich Mean Time).
The following are service update times. Database updates run 24 hours after service updates.

Region | URL | Window (UTC)
NAM | crm.dynamics.com | 2 AM to 11 AM
DEU | crm.microsoftdynamics.de | 5 PM to 2 AM
SAM | crm2.dynamics.com | 12 AM to 10 AM
CAN | crm3.dynamics.com | 1 AM to 10 AM
EUR | crm4.dynamics.com | 6 PM to 3 AM
FRA | crm12.dynamics.com | 6 PM to 3 AM
APJ | crm5.dynamics.com | 3 PM to 8 PM
OCE | crm6.dynamics.com | 11 AM to 9 PM
JPN | crm7.dynamics.com | 10 AM to 7 PM
IND | crm8.dynamics.com | 7:30 PM to 1 AM
GCC | crm9.dynamics.com | 2 AM to 11 AM
GBR | crm11.dynamics.com | 6 PM to 3 AM
ZAF | crm14.dynamics.com | 5 PM to 2 AM
UAE | crm15.dynamics.com | 3 PM to 12 AM
GER | crm16.dynamics.com | 6 PM to 3 AM
CHN | crm.dynamics.cn | 3 PM to 9 PM

Service Update Release Schedule


To see the Service Update release schedule for your regions, see our new Released Versions page.
Prior notification
Your organization will receive a Maintenance notification through the Microsoft 365 Message Center.
You can also view notifications in the Microsoft 365 Admin mobile app on your mobile device.
In addition, you can see the schedule and status of planned maintenance activities on the Microsoft 365
service health page. To learn how to get to the Microsoft 365 service health page, see View the status of your
services.
The following stakeholders will be notified about upcoming maintenance when there is expected to be downtime
or user impact:
Organization admins
Users that are assigned the System Admin user role
During the update
To report an issue that is identified during update validation, file a support ticket with Microsoft and append the
title with ‘Planned Maintenance Window’.
If the update fails or takes longer than the specified maintenance window, a notification will be posted on the
Service health dashboard. This issue is considered the highest priority, and the product team becomes involved to
address it.
Post-update notification
If your update is completed within the defined maintenance window, you won’t receive any notification when the
update is completed. You can verify that the update was completed successfully by checking the version number on
the About page. Some updates are two part and the version number will change after the background processes
are completed.
How to sign up for notifications
To receive communications regarding incidents, updates, or features, reach out to your Microsoft 365 administrator
and ask to have your email address added to the Admin center notification page.
Unplanned maintenance
The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) inevitably encounter unplanned
issues that require changes to ensure availability. Microsoft strives to provide as much notification as possible
during these events. Because these events can’t be predicted, they are not considered planned maintenance.
When this happens, your organization receives an “Unplanned Maintenance” email. These emails go out to all
System Administrators in every environment that is affected by the unplanned maintenance. You can see the status
of current unplanned maintenance activities on the Microsoft 365 service health page. To learn how to get to the
Microsoft 365 service health page, see View the status of your services.

Minor Service incidents


A service incident occurs when your organization is inaccessible or you’re unable to use the service or one of its
components. Examples include:
Page not found or 404 error when trying to access customer engagement apps
Unable to sign into your organization
Slow performance for customer engagement apps
Any customer engagement apps are unavailable or produce errors when accessing
Major service incidents
A major service incident occurs when multiple organizations can’t access the service, there is significant
degradation, or Microsoft Azure is experiencing degraded functionality.
How do I find out about major service incidents?
Check the Service health dashboard to view the status of the service. If you are experiencing an issue that is not
displayed in the Service health dashboard you can open a ticket here.
If the Service health dashboard is not available, the status of customer engagement apps can be reviewed at the
backup status site.
If the service incident breaches your Service Level Agreement, you can claim a billing credit according to the
conditions of your Online Service Terms outlined in our Product licensing.
Service restored
You can see the Service incident marked as Service restored in your Microsoft 365 service health page. To learn
how to get to the Microsoft 365 service health page, see View the status of your services.
Post-Incident Report
When there is a major service incident that impacts multiple customers, the Dynamics 365 team publishes a post-
incident report (PIR) after 5 business days to the Microsoft 365 Service health dashboard. This report summarizes
the following details about the incident:
Summary
User Experience
Start date and time
Resolution date and time
Root Cause
Next steps
Communications for releases, package deployments, and awareness
The Microsoft 365 Message Center will display information specific to managing the service, including changes
with the service and releases or feature offerings. The messaging can be informational in nature, drive specific
actions, or both. The target audience for these communications are System Administrators or individuals
designated to run the service.
Post-purchase customer lifecycle communications
Once a customer has purchased customer engagement apps, we send a series of email communications to
administrators during the first year. These communications direct customers to several resources that will assist
both administrators and users to successfully adopt and expand their use of customer engagement apps. This
information can be found in the Microsoft 365 Message Center as well.
Notice about Online Policies
Please review Notice About Online Policies and Similar Documents.
If you have any feedback, please fill out our survey, and share your thoughts!
Notifications for Business Application Group services
10/16/2020 • 2 minutes to read

Microsoft regularly sends communications regarding service incidents, service changes, maintenance, releases, and
customer action needed. These communications come primarily in the form of a post to the Microsoft 365 Service
health dashboard and the Message center. From time-to-time we will also use direct email communications to
provide status, updates, or information about the service.

Message Center
The Microsoft 365 Message Center will display any maintenance notifications, service changes, release information,
or customer action requests.

Service health dashboard


The Service health dashboard will show the latest status of updates and incidents regarding your service. To learn
how to get to the Microsoft 365 Service health dashboard, see Check your service health.

Email notifications
The notifications sent from the Business Application Group communications team will be for the following services
and email addresses. Please be sure to check your spam folder for these messages.

Service | Notification email
Dynamics 365 apps | msdynamics365@microsoft.com
Dynamics 365 Business Central | msdynamics365@microsoft.com
Dynamics 365 Marketing | msdynamics365@microsoft.com
Dynamics 365 Market Insights | marketinsights@microsoft.com
Dynamics 365 Finance & Operations | msdyn365finops@microsoft.com
Microsoft Power Automate | mspowerautomate@microsoft.com
Microsoft Power Apps | mspowerapps@microsoft.com
Microsoft Power BI | mspowerbi@microsoft.com

Email notifications are sent to Common Data Service users who have the System Administrator role in an impacted
environment. If you want to change who receives email communications, see Manage email notifications.

Incident Communications
Major service incident emails can easily be identified by the red banner.
Microsoft will send you an email when normal system services have been restored. You can easily identify these
emails by the green banner.

Maintenance communications
Planned maintenance includes updates and changes to the service to provide increased stability, reliability, and
performance. Planned and unplanned maintenance emails can be identified by the light-orange banner.

Communications for releases, package deployments, and awareness


Communications can be informational in nature, drive specific actions, or both. The target audience for these
communications are System Administrators or individuals designated to run the service. You can easily identify
these by the light-blue banner.

Power BI will display with the following yellow banner:

Power Apps/Power Automate will display with the following purple banner:

Action requested communications


Action requested notifications are sent when we detect that a configuration or a setting for your environment is
causing the service to perform below expectations. The notification will include details on the situation as well as
guidance on how to return performance to normal.
Post-purchase customer lifecycle communications
Once a customer has purchased customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), we
send a series of email communications to administrators during the first year. These communications direct
customers to a number of resources that will assist both administrators and users to successfully adopt and expand
their use of customer engagement apps.
You can easily identify these communications by the dark-blue banner.
Licensing overview for Microsoft Power Platform
10/16/2020 • 6 minutes to read

The topics in this section provide detailed information about Power Apps and Microsoft Power Automate
licensing.
For information about Power BI licensing, see Power BI Pricing.

Power Apps/Power Automate for Microsoft 365


Power Apps/Power Automate capabilities for Microsoft 365 enable users to extend and customize the Office
experience with Power Apps and Power Automate. Users can create applications and flows based on Microsoft
365 data. These productivity apps can also utilize data outside of Microsoft 365 by connecting to common
services including Box.com, Facebook, and many more via the use of standard connectors.
Here is a brief overview of the capabilities included with the Power Apps for Microsoft 365 plan. More details about
which Microsoft 365 plans include these capabilities can be found in the Microsoft Power Apps and Power Automate
Licensing Guide.

Functionalities | Power Apps for Microsoft 365
Create, run and share apps | Yes
Run canvas apps in context of Microsoft 365 | Yes
Connect to Microsoft 365 data | Yes
Connect to cloud services using standard connectors | Yes
Run apps in a browser or Power Apps mobile for iOS and Android | Yes
Run Canvas apps offline | Yes
Support for data policies established by the Microsoft 365 administrator | Yes
Access on-premises data or use premium or custom connectors | -
Access to Common Data Service | Yes (see the next section for details)

Common Data Service capabilities with Microsoft 365 licenses


As Common Data Service continues to grow, more Microsoft applications like Microsoft Project are using
Common Data Service. To enable these Microsoft applications, limited Common Data Service functionality is
added to select Microsoft 365 licenses. This is achieved by adding a new service plan named "Common Data
Service" to the Microsoft 365 licenses. To see the new service plan in the Microsoft 365 admin center, select a
user, select the Licenses and Apps tab, and then scroll down and expand the Apps section.
Capabilities included
Common Data Service functionality required by other Microsoft 365 applications appears as the "Common Data
Service" service plan in the Apps section of the Microsoft 365 admin center.
This new service plan allows select Microsoft 365 applications to take advantage of Common Data Service as a
platform for storing application data and use the underlying business logic tier as part of extending application
capabilities. This extension also helps these applications to use Common Data Service instances within the default
environment. However, if you need to create a Common Data Service instance within production or sandbox
environments (other than the default environment), you're still required to have a premium Power Apps or Power
Automate license.
These limited capabilities of Common Data Service are only available through select Microsoft 365 licenses and
can't be used to run any custom Power Apps applications or Power Automate flows, or run any Power Virtual
Agent bots, or use any other data that doesn't belong to the Microsoft 365 applications that take advantage of
these capabilities.
These limited capabilities aren't the common set included with every Office application. They can be different
based on the Microsoft 365 applications that use these capabilities. For the complete list of various limited
capabilities, customers should refer to the service description of these Microsoft 365 applications that contain
these Common Data Service plans. These limited capabilities of Common Data Service don't entitle the licensed
user to run standalone Power Apps or Power Automate, or any other Microsoft Power Platform applications that
use Common Data Service.
Review the Microsoft Project Service description for more details on the limited use of Common Data Service
that comes with Project.
Frequently asked questions
What are the select Office applications where Common Data Service plans are included?
For now, the Common Data Service service plan is included for Project. This list will evolve as more Office
applications take advantage of Common Data Service and Microsoft Power Platform.
Does this addition of Common Data Service in Microsoft 365 mean that customers don't need a Power Apps license to use Common
Data Service?
No, the capabilities of Common Data Service included with select Microsoft 365 licenses don't allow customers to
create custom apps with Power Apps or use the premium connectors with Power Automate. The capabilities
included with this license entitle Microsoft 365 applications to use Common Data Service for the purpose of
enhancing the capabilities of the base Microsoft 365 application where Common Data Service is included.
If customers can't use Common Data Service, why is this being shown in the Microsoft 365 admin center during the license
assignment experience?
The service plan for Common Data Service is shown to provide visibility to customers that Common Data Service
is being used to store and manage customer data related to the Microsoft 365 application that's using Common
Data Service. Additionally, this was communicated to all customers so that customers can prepare for this change
and update any internal training or user documentation that they might need.
What will be the impact if the service plan for Common Data Service is turned off (unselected)?
Common Data Service functionality appears as the Common Data Service plan in the Apps section of the
Microsoft 365 admin center. Turning off the service plan will result in the Microsoft 365 features being disabled
for the users of such a license. For example, when this capability is turned off, any Office application reading data
from Common Data Service will fail to load for the user.
When can Office-licensed users be seen inside of Common Data Service?
Users who have any Microsoft Power Platform or Dynamics 365 license are always synced into the Common
Data Service environments. However, for Office licenses where Common Data Service service plans are included,
users aren't automatically synced into Common Data Service until the Office application is accessed by the user.
After this occurs, the user can get access to Common Data Service entities and records based on the additional
security roles and privileges that the administrator assigned to this user. Such users, who just have the Office
license, aren't automatically assigned any other security roles or privileges, other than the Maker role privilege in
the default environment. As a security best practice, the administrator needs to ensure that security roles and
privileges are assigned based on functional roles and needs only, and not automatically assigned based on the
user being synced or present in Common Data Service.
Known issues
If you're an existing customer and a user with this license who comes directly to Common Data Service, you
might get an error message that states "You are not a member of the organization." We're addressing this
problem in the coming weeks.
We currently sync some of these Microsoft Common Data Service licensed users to all Common Data Service
environments. We're addressing this right now. Currently, these users won't be able to open Power Apps for
Microsoft 365 with this license.

Power Apps and Power Automate Standalone plans


Standalone Power Apps and Microsoft flow plans provide users the ability to create and run apps across data
sources that extend beyond Microsoft 365, such as Salesforce, on-premises and custom data sources. These plans
also include access to Common Data Service to store and manage data. Learn more: What is Common Data
Service?
More details around pricing and capabilities of standalone plans can be found in Microsoft Power Apps and
Power Automate Licensing Guide.

Community Plan
If you want to build skills and learn more about Power Apps, Power Automate, and Common Data Service, the
Power Apps Community Plan is the right plan for you. The Power Apps Community Plan gives you a free
development environment for individual use to learn with full functionality of Power Apps. More information:
Power Apps Community Plan.

Power Apps and Power Automate for Dynamics 365


Power Apps is the platform to customize and extend applications in Dynamics 365, such as Dynamics 365 Sales
and Customer Service, in context of the use rights.
Dynamics 365 Applications can be customized using Power Apps and Power Automate capabilities.
More information: Dynamics 365 Licensing Guide.
About licensing and license management
10/16/2020

Organizations can obtain licenses either by licensing Microsoft Power Apps or Microsoft Power Automate
specifically, or through the license of another Microsoft cloud service offering that includes them. For example, both
Microsoft 365 and Dynamics 365 provide entitlements for Power Apps and Power Automate. As with most
Microsoft licensing, you can mix and match licenses across users as appropriate, giving some users additional entitlements.
The rest of this section highlights some of the key implications and scenarios related to licensing. It is
not the product licensing documentation; consult that for the latest details. Pricing and specific
plan details for Power Apps and Power Automate can be found in the licensing guide.

Use of connectors
Power Apps and Power Automate use connectors to interact with services. Connectors can be standard, premium or
custom. To use premium connectors users must be licensed with Standalone Power Apps or Power Automate
licenses.

Trial Plans
Trial plans are available for both Power Apps and Power Automate. Free trials last 30 days for Power Apps and 90
days for Power Automate plans. Users can self-service sign up for these trials in your organization. This can be done
by explicitly visiting the pricing pages or by being prompted when they attempt an action in the apps that requires
additional licensing.
For Power Automate, an unlicensed user that signs in to flow.microsoft.com will be set up with the free Power
Automate plan. If later they try to perform an action like sharing a flow, they will be prompted to sign up for a trial.
In this example, if the user accepted the offer for trial they would be signed up for a Power Automate trial. This trial
would not show up under the user licenses in the Microsoft 365 Portal, however you would be able to see it in the
Power Apps license report discussed later in this security section.
For Power Apps, if a user signs up for a Power Apps trial they will get a Power Apps per user trial if needed for any
of the actions they take such as creating an environment.
As the administrator, you will likely be assisting users that had started in a trial and either want to continue
experimenting or are ready to get a regular license to keep working with the app they are building. If you are
moving to a regular license for a user, it would also be a good time to work with them to see if their app should stay
where it was built or should be moved according to the environment strategy you adopt. For those not ready to get
a full license but who want to keep experimenting, you could help them get set up on the community plan and help them
move their application and flow assets into their new developer environment.

Power Apps Community Plan


In addition to the trial plans, there is also a free Power Apps Community Plan. This is a special plan that allows
individual self-service sign up and it provides an individual environment that the user can use to build apps and
flows. These environments will show up on the administrator’s list of environments and will list the type of
environment as “Developer”. The environments are for individual use, so there is no ability to share with other
users. Users in your organization can self-service signup for this plan even if they have Power Apps and Power
Automate license entitlements via another licensing plan. Sign-up for the community plan is at
https://powerapps.microsoft.com/communityplan/, and more details on its features are at
/powerapps/maker/dev-community-plan.
What users are licensed
You can always look at individual user licensing in the Microsoft 365 admin center by drilling into specific users.
You can also use the following PowerShell command to export assigned user licenses.

Get-AdminPowerAppLicenses -OutputFilePath '<licenses.csv>'

Exports all the assigned user licenses (Power Apps and Power Automate) in your tenant into a tabular view .csv file.
The exported file contains both self-service sign up internal trial plans as well as plans that are sourced from Azure
Active Directory. The internal trial plans are not visible to admins in the Microsoft 365 admin center.
The export can take a while for tenants with a large number of Power Platform users.
Manage Power Apps licenses in your organization
10/16/2020

This topic describes how users in your organization can get access to use Power Apps, and how you can control
access to the Power Apps service.

Sign up for Power Apps


What is Power Apps?
Microsoft Power Apps enables users to create applications for Windows, iOS, and Android mobile devices. Using
these apps, you can create connections to common SaaS services, including Twitter, Microsoft 365, Dropbox, and
Excel.
How do users sign up for Power Apps?
The only sign-up option for individual users in your organization is the Power Apps trial, which they can sign up for
through the Power Apps website:
Option 1

Users can sign up by going to powerapps.microsoft.com, selecting Sign up free, and then completing the sign-up
process for Power Apps through admin.microsoft.com.
Option 2

Users can sign up by going to powerapps.microsoft.com, selecting Sign in, signing in with their work or school
accounts, and signing up for the Power Apps trial by accepting the Power Apps terms of use.
When a user in your organization signs up for Power Apps, that user is assigned a Power Apps license
automatically.

NOTE
Users who sign up for a trial license from within Power Apps don't appear in the Microsoft 365 admin portal as Power Apps
trial users (unless they have another license to Microsoft 365, customer engagement apps (Dynamics 365 Sales, Dynamics
365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), or Power Apps).

See Self-service sign up for Power Apps for more details.


How can users in my organization gain access to Power Apps?
Users within your organization can gain access to Power Apps in three different ways:
They can individually sign up for a Power Apps trial as outlined in the How do users sign up for Power Apps?
section.
You can assign a Power Apps license to them within the Microsoft 365 admin portal.
You can purchase Power Apps Per App Plans and allocate them in the Power Platform admin center. See Power
Apps per app plan.
The user has been assigned a Microsoft 365 or Dynamics 365 plan that includes access to the Power Apps
service. See the Power Apps pricing page for the list of Microsoft 365 and Dynamics 365 plans that include
Power Apps capabilities.
Can I block users in my organization from signing up for Power Apps?
Any individual can try out the features of Microsoft Power Apps for 30 days, and incur no costs as outlined in the
How do users sign up for Power Apps section. This option is available to any user in a tenant and cannot be
disabled by an admin. After the user's trial expires the user will lose access to Power Apps capabilities.
If a person signs up for a 30 day trial of Microsoft Power Apps, and you choose to not support them inside of your
organization, they can in no way incur costs to your company. When an individual signs up for Microsoft Power
Apps, that is a relationship between that individual and Microsoft directly, like many public cloud services from
Microsoft, such as Bing, Wunderlist, OneDrive or Outlook.com, and does not in any way imply that the service is
provided by your organization.
Finally, if your company wishes to restrict the use of organizational-only data inside of Microsoft Power Apps, that
is possible through Data loss prevention (DLP) policies. For more details, see Data loss prevention (DLP) policies.

Administration of Power Apps


Why has the Power Apps icon appeared in the Microsoft 365 app launcher?
Microsoft Power Apps is a fundamental part of the Microsoft 365 suite and is enabled as a service as a part of
existing Microsoft 365 SKUs. As users everywhere in the world can now use Microsoft Power Apps, it appears in
'All apps' in the app launcher screen. See Licensing overview to understand which Microsoft 365 SKUs now include
Power Apps.
See the following section if you'd like to remove the Power Apps tile from 'All apps' by default.
How do I remove Power Apps from existing users?
If a user was assigned a Power Apps license then you can take the following steps to remove the Power Apps
license for that user:
1. Go to the Microsoft 365 Admin Portal.
2. In the left navigation bar, select Users, and then select Active Users.
3. Find the user you want to remove the license for, and then select their name.
4. On the user details pane, in the Product licenses section, select Edit.
5. Find the Power Apps license, set the toggle to Off, and then select Save.

If a user has access to Power Apps through their Microsoft 365 and Dynamics 365 plan license, then you can
disable their access to the Power Apps service by taking the following steps:
1. Go to the Microsoft 365 Admin Portal.
2. In the left navigation bar, select Users, and then select Active Users.
3. Find the user you want to remove access for, and then select their name.
4. On the user details pane, in the Product licenses section, select Edit.
5. Expand the user's Microsoft 365 or Dynamics 365 license, disable access to the service, and then select
Save.

Bulk removal of licenses is also possible through PowerShell. See Remove Microsoft 365 licenses from user
accounts with PowerShell for a detailed example. Finally, further guidance about bulk removal of services within a
license can be found at Disable access to Microsoft 365 services with PowerShell.
Removing of the Power Apps license or service for a user in your organization will also result in the removal of the
Power Apps and Dynamics 365 icons from the following locations for that user:
Office.com
Microsoft 365 AppLauncher "waffle"
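
One way to script the bulk case described above (disabling the Power Apps service inside a bundled license for every user who holds it), using the Microsoft Graph PowerShell SDK. This is an added example, not code from this documentation or the linked articles; the SKU part number ENTERPRISEPACK and the service plan name POWERAPPS_O365_P2 are assumed values, so confirm both in your tenant with Get-MgSubscribedSku before running it.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.DirectoryManagement
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed values for illustration; confirm both in your tenant with Get-MgSubscribedSku.
    [string]$SkuPartNumber   = 'ENTERPRISEPACK',
    [string]$ServicePlanName = 'POWERAPPS_O365_P2'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All' | Out-Null

# Resolve the license (SKU) and the service plan inside it to their GUIDs.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU '$SkuPartNumber' is not subscribed in this tenant." }
$plan = $sku.ServicePlans | Where-Object ServicePlanName -eq $ServicePlanName
if (-not $plan) { throw "Service plan '$ServicePlanName' is not part of '$SkuPartNumber'." }

# Every user holding the SKU, with the license details needed below.
$users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable holderCount `
    -Filter "assignedLicenses/any(l:l/skuId eq $($sku.SkuId))" `
    -Property Id, UserPrincipalName, AssignedLicenses

$results = foreach ($user in $users) {
    $assigned = $user.AssignedLicenses | Where-Object SkuId -eq $sku.SkuId
    $status   = 'AlreadyDisabled'

    if ($assigned.DisabledPlans -notcontains $plan.ServicePlanId) {
        # The DisabledPlans list sent here replaces the stored one, so carry forward
        # plans that are already disabled instead of silently re-enabling them.
        $disabled = @($assigned.DisabledPlans | Where-Object { $_ }) + $plan.ServicePlanId
        $status   = 'Skipped'

        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Disable $ServicePlanName")) {
            try {
                Set-MgUserLicense -UserId $user.Id -RemoveLicenses @() -AddLicenses @(
                    @{ SkuId = $sku.SkuId; DisabledPlans = $disabled }
                ) -ErrorAction Stop | Out-Null
                $status = 'Disabled'
            }
            catch {
                # Typical cause: the license is inherited from a group and has to be
                # changed on the group assignment, not on the user.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
    }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Status            = $status
    }
}

# Keep the outcome as a change record.
$results | Export-Csv -Path '.\powerapps-plan-disable.csv' -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it with -WhatIf first to see which accounts would change without modifying any license.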

How can I restrict my users' ability to access my organization's business data using Power Apps?
Power Apps allows you to create data zones for business and non-business data. Once these data
loss prevention policies are implemented, users are prevented from designing or running Power Apps that
combine business and non-business data. For more details, see Data loss prevention (DLP) policies.
Why did 10,000 licenses for Microsoft Power Apps show up in my Microsoft 365 tenant?
As a qualifying organization, users in your organization are eligible to try out Microsoft Power Apps for 30 days,
and these trial licenses represent the available capacity for new Power Apps users in your tenant. There is no charge
for these licenses. Specifically, there are two possible reasons why you may see a capacity of 10,000 (trial) licenses for
Power Apps showing up in the Microsoft 365 admin portal:
If at least one user in your tenant participated in the Power Apps public preview that spanned from April
2016 to October 2016 then you will see 10,000 licenses labeled as "Microsoft Power Apps and Logic flows"

If at least one user in your tenant has signed-up for a Power Apps trial by going through trial signup Option
1 outlined in the How do users sign up for Power Apps section then you will see 10,000 licenses labeled
"Microsoft Power Apps & Power Automate"
You can choose to assign additional licenses to users yourself through the Microsoft 365 admin portal, but please
note that these are trial licenses for Microsoft Power Apps and they will expire after 30 days of being assigned to a
user.
Is this free? Will I be charged for these licenses?
These licenses are free trial licenses for your users to try out Microsoft Power Apps for 30 days.
How will this change the way I manage identities for users in my organization today?
If your organization already has an existing Microsoft 365 environment and all users in your organization have
Microsoft 365 accounts, then identity management does not change.
If your organization already has an existing Microsoft 365 environment but not all users in your organization have
Microsoft 365 accounts, then we create a user in the tenant and assign licenses based on the user's work or school
email address. This means that the number of users you are managing at any particular time will grow as users in
your organization sign up for the service.
If your organization does not have a Microsoft 365 environment connected to your email domain, there is no
change in how you manage identity. Users will be added to a new, cloud-only user directory, and you will have the
option to take over as the Power Platform admin and manage them.
What is the process to manage a tenant created by Microsoft for my users?
If a tenant was created by Microsoft, you can claim and manage that tenant using the following steps:
1. Join the tenant by signing up for Power Apps using an email address domain that matches the tenant domain
you want to manage. For example, if Microsoft created the contoso.com tenant, then join the tenant with an
email address ending with @contoso.com.
2. Claim admin control by verifying domain ownership: once you are in the tenant, you can promote yourself to
the admin role by verifying domain ownership. To do so, follow these steps:
   a. Go to https://admin.microsoft.com.
   b. Select the app-launcher icon in the upper-left corner, and then choose Admin.
   c. Read the instructions on the Become the admin page, and then choose Yes, I want to be the admin.

NOTE
If this option doesn't appear, a Microsoft 365 administrator is already in place.

If I have multiple domains, can I control the Microsoft 365 tenant that users are added to?
If you do nothing, a tenant is created for each user email domain and subdomain.
If you want all users to be in the same tenant regardless of their email address extensions:
Create a target tenant ahead of time or use an existing tenant. Add all the existing domains and subdomains that
you want consolidated within that tenant. Then all the users with email addresses ending in those domains and
subdomains automatically join the target tenant when they sign up.

IMPORTANT
There is no supported automated mechanism to move users across tenants once they have been created. To learn about
adding domains to a single Microsoft 365 tenant, see Add a domain to Microsoft 365.
Global admins and Power Platform admins can administer without a license
10/16/2020

By default, all Global admins and Power Platform admins who do not have a license are granted the following two
levels of permission in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation).
System administrator security role
Administrative access mode
The System administrator security role is typically granted to administrators giving them unrestricted access to the
administrative (Settings) areas, which are used for managing and configuring features of customer engagement
apps.
Administrative access mode limits access to those areas of Dynamics 365 apps used to configure or customize the
system.
To give these administrators access to additional areas, such as the Sales, Marketing, and Service areas, a license
must be added to the Microsoft 365 Global administrator or Power Platform admin user account, by using the
Microsoft 365 admin center. Note that Administrative access mode cannot be changed on the user form.

Create a Power Platform admin account


1. Sign in to the Microsoft 365 admin center, and then choose Users > Active Users.
2. Select an existing user in the list. If you want to create a new administrative user, see Create or edit users
and Assigning admin roles.
3. Next to Product licenses, click Edit.
4. Make sure a license is not assigned to this user, and then click Save.

IMPORTANT
Unlicensed Microsoft 365 Global and Power Platform admins have access to the administrative areas. However, if the
administrator also needs access to additional areas you must select a license for the user.

5. Select Manage roles, and then select either Global administrator or Show all by category > Power
Platform admin. For more information about these roles, see Assigning admin roles.
6. Select Save changes.

NOTE
Global and Power Platform admins who don't have a license are automatically synced into the environment with an access
mode of 'Administrative' while administrators who have a license are synced into the environment with an access mode of
'Read-Write'. These administrators are assigned a System Administrator security role.
Unlicensed administrators who need to work with Power Apps for Admins PowerShell module or management connectors
need to sign into the Power Platform admin center at least once before invoking these administrative commands.
See also
Assigning admin roles
Create an Administrative user account
Purchase Power Apps for your organization
10/16/2020

This topic provides information on how to purchase Power Apps for your organization as an administrator. You can
purchase Power Apps through the Power Apps website directly, through the Microsoft 365 admin center, or
through your Microsoft representative or partner. This article will also provide information about the trial options
available for a Power Apps plan and then explain how to purchase a Power Apps plan as an organization. For more
information, see Manage licenses in your organization.

NOTE
To purchase Power Apps for an organization, you must already be a Microsoft 365 Global or Billing Admin of a tenant, or
you must create a tenant.
Beginning January 2020, self-service purchase, subscription, and license management capabilities for Power Platform
products (Power BI, Power Apps, and Power Automate) are available for commercial cloud customers in the United States. For
more information, including steps to enable or disable self-service purchasing in your organization, see Self-service purchase
FAQs.

Choosing the right plan


For details about what licenses you can choose for your organization, see Licensing overview for Power Platform.

Purchase Power Apps directly


You can purchase Power Apps subscriptions for your organization from the Power Apps pricing page and then assign
Power Apps licenses to your users. Learn more.
1. Visit the Power Apps pricing page.
2. Select Buy now for the plan you want.
3. Provide information to make the purchase, and then navigate to the Microsoft 365 admin center to assign
Power Apps licenses to your users.

Get Power Apps through Microsoft 365


You can purchase Power Apps subscriptions for your organization from the Microsoft 365 admin center and then
assign Power Apps licenses to your users. Learn more.
Get a subscription trial
1. Browse to the Microsoft 365 admin center.
2. On the left navigation pane, select Billing -> Purchase services.
3. In the search box, enter trial and then select the magnifying glass.
4. Choose a trial, and then select Get free trial. Proceed through the order confirmation.
Purchase a subscription
1. Browse to the Microsoft 365 admin center.
2. On the left navigation pane, select Billing -> Purchase services.
3. Scroll down and select Dynamics 365 under Other categories that might interest you.
4. Choose an app plan, and then select Buy.
5. Proceed through the purchase pages.

Power Apps per app plan


See About Power Apps per app plans.
About Power Apps per app plans
10/16/2020

Power Apps per app plan allows individual users to run two applications and one portal for a specific business
scenario in a specific environment based on the full capabilities of Power Apps. This plan provides an easy way
for users to get started with Power Apps before broader scale adoption. These are available to purchase from the
Office admin center and you can allocate add-ons in the Capacity area in the Power Platform admin center. More
information: Capacity add-ons.
The following release plan topic announces the availability of this feature: New licensing options for Power
Automate standalone paid plans.

IMPORTANT
Although Power Apps per app plans appear in the Microsoft 365 admin center, you shouldn't attempt to assign them to
users there. Power Apps per app plans must be allocated to an environment (and not to users) by an admin in the Power
Platform admin center.
After per app plans are allocated to an environment, they are assigned when apps are shared with users in the environment.
You cannot assign Power Apps per app plan baseline access licenses to users in a trial environment.

Steps for using per app plans


There are three steps to follow to use a per app plan:
1. Purchase Power Apps per app plans
2. Allocate per app plans to environments
3. Set up apps to use per app plans
4. Share the app

Step one: Purchase per app plans


You can purchase per app plans from your sales channel or in the Microsoft 365 admin center.

You can see your purchased plan in the Microsoft 365 admin center (Billing > Your products).
Once you've made your purchase, there are no further actions needed in the Microsoft 365 admin center such as
license assignment since this license is not assigned to users but rather to environments.

Step two: Allocate per app plans


After purchase, you allocate per app plans to environments. If you have multiple environments like test and
production, you need to allocate per app plans capacity to all these environments appropriately.
In the Power Platform admin center, select Resources > Capacity in the left-side navigation pane. If your
organization has purchased add-ons that includes per app plans, an Add-ons tile appears on the Capacity screen
displaying summary information about the capacity add-ons that your organization has.

To allocate add-ons, select Manage. For detailed information, see Allocate or change capacity in an environment.

NOTE
As an admin, you can restrict who can allocate add-on capacity to environments. More information: Control who can
allocate add-on capacity
If there are users who want to transition to per app, follow the two steps below in order:
1. Allocate capacity of the per app licenses to the required environment.
2. Remove any user license from the user.

Step three: Set up apps to use per app plans


After an admin allocates Power Apps per app plan to an environment, they're assigned to unlicensed users when
an app in that environment is shared with them.
Follow these steps to turn off assigning per app plans for users when an app is shared with them:
1. Choose the app in Power Apps.
2. Select ... > Settings.
3. Under Pass assignment, change the Auto assign per app passes toggle to Yes. The Auto assign per
app passes toggle appears in all app settings.

IMPORTANT
Turning off the per app plan is currently available only for canvas apps. Model-driven apps and portals will have this ability in
the future.

Check capacity
Check the App passes capacity for the environment with the app you're sharing. Make sure you have sufficient
app passes assigned for the number of users using the app.
Go to Resources > Capacity > Add-ons tab.
Step four: Share the app
After completing the first three steps, you can now share apps.
Sharing model-driven apps
Share the model-driven app. See Share a model-driven app with Power Apps.

IMPORTANT
When the user launches the app, we create the user in the required Common Data Service environment. Users will not get
added at the time of app sharing.

Sharing canvas apps


To share canvas apps, see Share a canvas app in Power Apps.

Consumption of per app licensing


The per app license gives a user access to two Power Apps and one portal for a single environment. See the table
below for an example of the consumption of licenses by the number of applications and the environments used.

NOTE
Sharing an app with a user consumes the per app capacity.
The consumption reporting for the per app license is a work in progress. Please check back for more details once the
reporting is launched.

Known issues
Reducing per app capacity to zero
If you allocate per app capacity to an environment and later reduce per app capacity to zero, users that were added
to Common Data Service while per app capacity was greater than zero will not get disabled in Common Data
Service. However, these users won’t be able to launch apps since there is no per app capacity allocated to the
environment. Admins should remove the roles of any users they do not intend to have access to the platform.
Disabled user account
If a user account is disabled in an environment, adding per app capacity, sharing the app with the user, and the
user launching the app will not enable the user. We are working to address this issue.

FAQ
I assigned the baseline access license to my users as a workaround suggested earlier. Now that this workaround
is not needed, what should I do to ensure my users are set up correctly?
Ensure that the per app capacity is allocated to the environment. After this step, you can remove the baseline
access license from the user using these instructions.
What happens if I assign a user the Power Apps per user license when earlier they were using apps by
consuming the per app license?
Once the user is allocated a Power Apps per user license, when per app license consumption reports are available
they will show per app licenses aren’t consumed by users that are assigned a per user plan.
When will I be able to see the list of users who are using the Power Apps per app license?
We are currently working on this report. Please check back again for more details. This report will be available in
the Power Platform admin center.
What are the differences in the admin experience between the Power App per app and the Power App per user
license?
Power Apps per user plan is a user license assigned by admins from https://admin.microsoft.com. Once the user
has this license they can access any number of Power Apps apps. However, the Power Apps per app plan provides
a capacity to run apps and the management experience for this license is in the Power Platform admin center. The
license is assigned to users when apps in the environment are shared with them. Admins allocate the capacity of
per app to an environment and the makers share the app with users. This sharing consumes the per app capacity.
Once the reporting is available, admins can see the users who are consuming capacity in the Power Platform
admin center and not in the Microsoft 365 admin center.
Can I assign Power Apps per app plans in the Microsoft 365 admin center (admin.microsoft.com)?
No. Although Power Apps per app plans appear in https://admin.microsoft.com after purchase, they
shouldn't be assigned to users on this website. Power Apps per app plans are to be allocated to an environment by
an admin in https://admin.powerplatform.microsoft.com. After per app plans are allocated to an environment, the
plans are assigned to users when apps are shared with users in the environment.
For users expected to use a Power Apps per app plan, why are they prompted to start a trial after signing in to
https://make.powerapps.com?
https://make.powerapps.com is being updated to not require a license to begin making an app. Licenses are
required for users to run apps.
For users expected to use a Power Apps per app plan, why are they prompted to start a trial when attempting
to create a premium connection?
https://make.powerapps.com is being updated to not require a license to begin making an app. Licenses are
required for users to run apps.
For users expected to use a Power Apps per app plan, why are users that use an app shared with them
prompted to start a Power Apps trial?
For users to run Power Apps apps, they must have a license. This includes being assigned a trial or a per user plan, or
accessing an app in an environment with Power Apps per app plan allocation.
Why are makers prompted to start a trial when creating a premium connection using gateways?
This is an artifact of previous, but no longer required, licenses being assigned to Power Apps makers. This license
check and prompt to start a trial will eventually be removed.
Mitigation steps: The maker should sign up for the trial to proceed with creating the connection that uses a
gateway.
Power Apps and Power Automate licensing FAQs
10/16/2020

We have found some common questions on licensing and plan options. We’ve included several here with their
answers. For more details about Microsoft Power Apps and Microsoft Power Automate licensing, see Licensing
Guide.

General licensing questions


How are Microsoft Power Apps and Power Automate licensed?
Power Apps plans:
Power Apps per app plan which allows individual users to run applications (2 apps and a single portal)
for a specific business scenario based on the full capabilities of Power Apps for $10/user/app/month. This
plan provides an easy way for customers to get started with the platform before broader scale adoption.
Power Apps per user plan which equips a user to run unlimited applications (within service limits) based
on the full capabilities of Power Apps for $40/user/month.
Power Automate Plans:
Power Automate per user plan which equips a user to run unlimited flows (within service limits) with the
full capabilities of Power Automate based on their unique needs for $15/user/month.
Power Automate per flow plan which enables organizations to implement flows with reserved capacity
that serve teams, departments, or the entire organization without having to license each end user. This plan
starts at $500/month for 5 flows.
More details can be found in Microsoft Power Apps and Power Automate Licensing Guide.
How do I use Power Apps per app plans?
See Power Apps per app plan.
The Power Apps per app plan allows users to run specific apps. Can you explain what this means in terms of the
number and types of apps I can use?
The Power Apps per app plan is designed to help organizations solve for one business scenario at a time, which
may involve a combination of individual apps. Each “per app” license provides an individual user with rights to two
apps (canvas and/or model-driven) as well as one Power Apps Portal, all within a single environment. A single user
might be covered by multiple “per app” licenses to allow the user to use multiple solutions targeted at various
business scenarios, without requiring a per-user license. In other words, the “per app” license is stackable.
Do embedded canvas apps in model-driven apps count toward the two-app limit?
No. Embedded canvas components within the model-driven app will not count towards the two apps limit in the
per app licensing model.
What are the self-service purchase options for the Power Platform products?
See the FAQ: Self-service purchase FAQ.
What license must be assigned to a guest so they can run a canvas app shared with them?
The guest user must have a Power Apps license assigned through one of the following tenants:
The tenant hosting the app being shared
The home tenant of the guest user
Also, the guest must have the same license that’s required for non-guests to run an app. A collection of examples is
available here.
Is non-profit, government, and academic pricing available?
Yes, non-profit, government and academic pricing is available in respective program channels.
What will happen to the Power Apps P1/P2 and Power Automate Plan 1 and Plan 2 plans on December 31, 2020?
Power Apps P1 and P2, and Power Automate P1 and P2 plans will no longer be available for purchase, including via
auto-renewal, after December 31, 2020. Customers with these plan licenses that have renewals falling on or after
January 1, 2021 will need to transition to the Power Apps per user or per app plans, or the Power Automate per
user or per flow plans to continue using the Power Platform services. Please contact your Microsoft account rep for
more information.
Are full Power Automate capabilities included in Power Apps licenses?
Power Apps licenses will continue to include Power Automate capabilities. However, flows will need to run within
the context of the Power Apps application, which refers to using the same data sources for triggers or actions as the
Power Apps application. Consuming standalone Power Automate flows unrelated to the Power Apps application(s)
will require purchase of a standalone Power Automate license.
Is there a plan for developers?
Yes, we have a free Community Plan to learn and build skills on Power Apps, Power Automate, and Common Data
Service. Learn more.
What happens when I use all the data storage, file storage, and flow runs included in my per user licenses?
You can buy additional data storage, file storage and flow runs. See the Power Apps Licensing overview page for
more information.
Who can buy Microsoft Power Apps and Power Automate plans?
Any customer can sign up for a free trial. Microsoft 365 admins can buy Power Apps plans for their teams or
organization. Contact your Microsoft 365 admin when you’re ready to buy.
Do all my users need to be licensed with the same Power Apps plan, or can I mix plans?
You can mix and match Power Apps licenses, and licenses that include Power Apps capabilities, across the users in
your organization.
Are there limits on the number of API requests Power Apps and Power Automate users can make?
Yes. To help ensure service levels, availability and quality, there are limits to the number of API requests users can
make across Power Apps and Power Automate. Service limits are set against normal usage patterns in both
5-minute and per 24-hour intervals, and most customers will not reach them.
API capacity is tracked based on consumption at an individual user level, and the daily limits cannot be pooled at
any other level.
API limits are also applicable to application users, non-interactive users and administrative users in Common Data
Service platform.
More information is available here.

Trial Licenses
How long is the free trial period?
Free trials for Microsoft Power Apps last 30 days. For Power Automate, they are available for 90 days.
Is there a way to develop my Microsoft Power Apps and Power Automate skills for more than 90 days?
Yes, with the Power Apps Community Plan you get a free environment for individual use with functionality
including the Common Data Service. In this environment you can explore and learn everything about Power
Automate and Power Apps for free, but the Power Apps Community Plan is not intended for production use.
Learn more.
How do I convert my trial environment to a production environment?
More information is available here.
Where can I find more information about trial environments?
For more information about trial environments in Power Apps read this topic.

Microsoft 365
What are Microsoft Power Apps and Power Automate use rights for Microsoft 365 applications?
Please refer to Licensing guide for Microsoft Power Apps and Power Automate use rights for Microsoft 365
applications.
Effective October 1, 2019, the SQL, Azure, and Dynamics 365 connectors listed below will be reclassified from
Standard to Premium. Non-Microsoft connectors that had previously been classified as standard connectors will
still be available to Microsoft 365 users. A standalone Power Apps or Power Automate plan license is required to
access all Premium, on-premises and custom connectors.
Azure Application Insights
Azure Automation
Azure Blob Storage
Azure Container
Azure Cosmos
Azure Data Factory
Azure Data Lake
Azure DevOps
Azure Event Grid
Azure Event Grid Publish
Azure File Storage
Azure IoT Central
Azure Kusto
Azure Log Analytics
Azure Log Analytics Data Collector
Azure Queues
Azure Resource Manager
Azure SQL
Azure SQL Data Warehouse
Azure Table Storage
Dynamics 365
Dynamics 365 Customer Insights
Dynamics 365 Finance & Operations
Dynamics 365 Sales Insights
Dynamics 365 Business Central
Dynamics 365 Business Central (on-premises)
Dynamics NAV
Event Hubs
Service Bus
SQL Server
Power Automate plan-based limits on trigger frequency and the number of runs allocated to a tenant per month
are being removed.
Power Apps and Power Automate usage will be subject to service limits described here. Per user service limits
provide capacity assurance for users and alleviate the risk of one user exhausting the tenant wide quota.
How does the change to Power Apps and Power Automate use rights for Microsoft 365 applications affect me if
I purchased the subscriptions prior to Oct 1st 2019? Will my existing Power Apps applications and Power
Automate workflows continue to work?
Yes, existing apps and flows will continue to work. Customers who have been using Power Apps or Power Automate
with Microsoft 365 using one or more of the connectors listed above will receive a transition period before the
connector reclassification goes into effect. This transition period would be until October 1, 2020 or the expiration of
their current Microsoft 365 subscription term, whichever is longer. During the transition period customers can
continue to create additional apps and flows using these connectors.
In addition, apps and flows created prior to October 1, 2019 which are using these connectors will receive an
extended transition period until October 1, 2024. During this time, these qualifying apps and flows will be exempt
from the Premium connector licensing requirements for the reclassified connectors.
The extended transition period allows for using the connectors listed above but it does not allow these connectors
to use gateways. Gateways were a premium capability before the transition and they continue to be a premium
capability.
Although apps may be granted to use the Dynamics 365 connector for an extended transition period, the ability to
use the connector does not provide Common Data Service capacity. Common Data Service capacity is a
prerequisite for Power Apps and Power Automate workflows to use Common Data Service.
How many Power Apps applications can I run with Microsoft 365 plans?
There is no limit on the number of applications. Customers can continue to run standalone Power Apps applications
to extend and customize Microsoft 365 using standard connectors.

Dynamics 365
What are Microsoft Power Apps and Power Automate use rights for Dynamics 365 applications?
Refer to Licensing guide for Microsoft Power Apps and Power Automate use rights for Microsoft 365 applications.
Effective October 1st 2019, there are certain changes made to use rights which are listed below:
Power Apps use rights with Dynamics 365 licenses: Dynamics 365 Enterprise licenses will no longer include general
purpose Power Apps capabilities. Dynamics 365 Enterprise users will continue to be able to run apps and portals
that extend and customize the licensed Dynamics 365 application, as long as those apps and portals are located in
the same environment as their licensed Dynamics 365 application. Custom apps or portals outside of the Dynamics
365 environment will require a standalone Power Apps license.
Power Automate use rights with Dynamics 365 licenses: Dynamics 365 licenses will no longer include general
purpose Power Automate capabilities. Power Automate flows will need to map to licensed Dynamics 365
application context - Power Automate flows should trigger from OR connect to data sources within use rights of
licensed Dynamics 365 application(s). Use of standalone flows will require a Power Automate license.
Can I connect to Microsoft Dynamics for Finance and Operations?
Yes, you can use the Dynamics 365 Finance and Operations connector to build canvas apps using this data.

Power Automate
When would I use the Power Automate per user plan versus the Power Automate per flow plan?
The per user plan is intended to support the broad adoption of an automation culture in an organization. Every
user with this plan is entitled to use an unlimited number of flows, within service limits. The per flow plan provides
an organization with the flexibility to license by the number of flows, instead of licensing each user accessing the
flows individually with the per user plan.
Which flows count in the Power Automate per flow plan?
All types of enabled flows count: scheduled flows, automated flows, and instant flows. Flows that are triggered by
other flows (child flows) do not count against the plan.
Do flows always have to be purchased in units of five as part of the Power Automate per flow plan?
No. After the minimum purchase of 5 flows, additional flows can be licensed individually at $100/month per flow.
Do users who run flows need to be licensed, or do only users who create flows need to be licensed?
Any end user running a flow will need to be licensed either by the per user or per flow Power Automate plans.
There are features in Power Automate that are not running a flow directly, such as responding to an approval
request or advancing a stage in a business process. These features are built on the Common Data Service.
Normally, any use of these features requires either a standalone Power Automate per user plan, or that the flow
that creates these business process environments or approval requests be licensed under the per flow plan.

Common Data Service


What Common Data Service capacity is included with the Power Apps and Power Automate plans?
Every tenant with a Power Apps license gets default capacity. In addition, for each license there is additional capacity
(pooled) added to the tenant.

| Power Apps capacity limits | Per license entitlement (Power Apps per app plan) | Per license entitlement (Power Apps per user plan) |
|---|---|---|
| Common Data Service Database Capacity | + 50 MB | + 250 MB |
| Common Data Service Log Capacity | + 0 | + 0 |
| Common Data Service File Capacity | + 400 MB | + 2 GB |

Since flows, as well as certain Power Automate features like approvals, run inside of the Common Data Service,
every tenant with a Power Automate license gets default capacity. In addition, for each per-user or per-flow license
there is additional capacity added to the tenant.

| Power Automate capacity limits | + Per user | + Per flow |
|---|---|---|
| Common Data Service Database Capacity | + 50 MB | + 50 MB |
| Common Data Service Log Capacity | + 0 | + 0 |
| Common Data Service File Capacity | + 200 MB | + 200 MB |

Project Oakdale
Here is a list of Project Oakdale licensing FAQs; for more information about Project Oakdale, see About the Project
Oakdale environment.
Are the existing Microsoft Power Platform use rights included with Microsoft 365 licenses changing?
To deliver a comprehensive low-code extensibility platform for Microsoft Teams, Microsoft Power Platform
capabilities available as part of select Microsoft 365 subscriptions are expanding with the introduction of Project
Oakdale.
Project Oakdale is a built-in flexible datastore that provides data storage and a one-click solution for (app/chatbot)
deployment in Teams. With the addition of Microsoft Project Oakdale:
Power Apps capabilities seeded in Microsoft 365 licenses are expanding to enable building and deploying
custom apps natively within Teams.
Additionally, Power Virtual Agents capabilities are being introduced to Teams. Customers will now be able to
build and deploy custom chatbots directly within Teams.
The existing Power Platform functionality available for use in Microsoft 365 more broadly outside of Teams remains
otherwise unchanged.
Is there any new capability coming with Project Oakdale to Power Automate rights included with Microsoft 365?
Yes. With Project Oakdale, users can now build flows, using the Power Automate maker portal, that operate in a
Project Oakdale environment. Please note that a Project Oakdale environment needs to be created first by
authoring either an app or a chatbot.
Which Microsoft 365 subscriptions include Project Oakdale and Power Virtual Agents capabilities with Teams?
Project Oakdale and Power Virtual Agents for Teams capabilities will be available as part of select Microsoft 365
subscriptions with Power Platform and Teams capabilities, excluding plans for US government environments (GCC,
GCC High and DoD) and EDU A1 and SUB SKUs.
How is a Project Oakdale environment created?
In public preview, creation of Project Oakdale environments is not available from the Power Platform admin center.
Creation of new Microsoft Project Oakdale environments will only be possible from within Teams.
Can Project Oakdale be used outside of Teams?
Project Oakdale is designed to work in the Teams client across web, desktop and mobile. If you want to use Project
Oakdale outside of Teams, you must promote your environment to Common Data Service.
Is there a limit to Project Oakdale capacity? How many Project Oakdale environments can be created in a tenant?
Each Project Oakdale environment uniquely maps (1:1) to a Teams team and can store up to 1,000,000 records
based on typical usage (enforced as 2GB relational database storage per Project Oakdale environment). For details
on service limits, including the tenant-level capacity limits associated with Project Oakdale, see About the Project
Oakdale environment.
Can we control who can create environments with Project Oakdale?
Teams governs who can create and join a Team.
In public preview, the environment is created when a team is created and when an owner or member tries to create
an application in it.
Can a Project Oakdale environment be deleted?
In public preview, a Project Oakdale environment is deleted when the associated Team is deleted.
How does the capacity enforcement work for Project Oakdale environments?
When the environment capacity limits are reached (2GB per environment) new solutions (apps/flows/chatbots)
can't be created or installed in that specific Project Oakdale environment.
When the tenant capacity service limits are reached (these grow with the number of eligible Office USLs in the
tenant, up to a maximum of 1TB or up to a maximum of 500 environments, as explained here):
New solutions cannot be created or installed in any Microsoft Project Oakdale environment.
New Microsoft Project Oakdale environments cannot be created in the tenant.
In both cases:
Users who want to create/install new apps/flows/bots in that environment will be notified that the
capacity limit is reached and that they need to reduce storage usage or contact their admins.
Existing solutions in the environment will continue to work (CRUD allowed). The environments will be able to
continue to grow beyond the 2GB limit.
Existing solutions within the environment can be updated.
Certain options within each solution (Power Apps/Power Automate/Power Virtual Agents) will be hidden/grayed
out.
Can customers with Power Apps, Power Automate, and Power Virtual Agents subscriptions use premium
connectors with Project Oakdale?
Yes. Accessing premium connectors in a specific Project Oakdale environment requires users in that environment to
be licensed accordingly.
Example: In a Project Oakdale environment, accessing premium connectors in the context of an app requires all
users accessing the app to be licensed by either the Power Apps per app or per user plan depending on the
customer scenario.
Can I use AI Builder with Project Oakdale?
No. Tables for AI Builder are not included in Project Oakdale.
Can I use UI Flows with Project Oakdale?
No. UI Flows are not supported in Project Oakdale.
Can I use custom connectors in Project Oakdale?
Custom connectors are not supported in Project Oakdale but support for Azure API Management (API-M) will be
available in Project Oakdale.
Can customers purchase more capacity for an environment associated with a Team?
No. Project Oakdale provides support for approximately 1 million rows per team. Although existing apps and
chatbots will continue to work when a Microsoft Project Oakdale environment reaches the per environment limit
(2GB), users who want to create a new app, flow, or chatbot in the environment will need to:
1. Purchase Power Apps, Power Automate, and Power Virtual Agents subscriptions based on their needs and start
building their new app, flow, or chatbot in a Common Data Service environment.
2. Promote the existing Project Oakdale environment to Common Data Service in the Power Platform admin
center and, if needed, purchase Power Apps, Power Automate, or Power Virtual Agents subscriptions based on
their needs.

NOTE
The capability to promote Project Oakdale environments to Common Data Service won’t be available at public preview, but is
expected to be available by general availability (GA).

Can customers package and export their solution (app/flow/chatbots) built in Project Oakdale, and then import
that into a Common Data Service environment (assuming they have the corresponding license including access
rights to Microsoft Common Data Service)?
This capability is not available in public preview but is included in our roadmap.
Other than adding capacity, what are the other reasons to promote a Project Oakdale environment?
Promoting an environment from Project Oakdale to Common Data Service will enable customers to take
advantage of additional capacity and capabilities, such as:
Enterprise ALM, data types
Support for log and managed data lake
Rich access control, auditing
Governance and security

NOTE
Accessing an environment with Common Data Service requires all users to have a corresponding standalone Power Platform
license for each service being utilized.

Why do I see Common Data Service plan in select Microsoft 365 subscriptions? Is this related to Project
Oakdale?
No. A limited set of Common Data Service capabilities were recently added to Microsoft 365 licenses to support
service capabilities available (for example, Microsoft Project). A standalone Power Apps, Power Automate, or Power
Virtual Agents plan is still needed to run apps/flows/bots with Common Data Service. Review the Project Service
description for more details on the feature.

NOTE
There is a service plan called Common Data Service for Teams that is related to the Project Oakdale capabilities.

Is geo migration supported for Project Oakdale environments?


Geo migration is not supported for Project Oakdale environments.

Add-ons
What add-ons are available to the Power Apps and Power Automate plans?
The add-ons applicable to all standalone Power Apps and Power Automate plans are listed below:
New Power Apps Portals login capacity add-on and Portals page view capacity add-on for external
users of Power Apps Portals. External users are those outside of your organization who sign in with a variety
of identities such as LinkedIn, Microsoft Account, other commercial login providers, or anonymously.
Power Apps Portals login capacity add-ons (various volume tiers start from $200 per 100 logins per
month)
Power Apps Portals page view capacity add-on (100,000 anonymous page views for $100 per month)
New Power Apps and Power Automate capacity add-on increases daily API request limits for Power
Apps, Power Automate, and Dynamics 365 workloads for users that exceed their usage entitlement (10,000
daily API requests for $50 per month).
Common Data Service Database Capacity (1GB) $40 per month
Common Data Service File Capacity (1GB) $2 per month
Common Data Service Log Capacity (1GB) $10 per month

Portals
Can you share more details regarding the new Power Apps Portals licensing?
Power Apps Portals can be provisioned without requiring a specific license. User access licensing is based on
persona type and details are as below.
| User type | Model | SKU names | Capacity | Unit price/month | Channel | Comments |
|---|---|---|---|---|---|---|
| External user (authenticated) | Per login | Power Apps portals login capacity add-on | 100 logins | $200 | All | A login provides the authenticated user with access to a single portal for up to 24 hours |
| | | Power Apps portals login capacity add-on Tier 2 | 1000 logins | $1000 | All | |
| | | Power Apps portals login capacity add-on Tier 3 | 5000 logins | $3500 | CSP only | |
| External user (anonymous) | Per page view | Power Apps portals page view capacity add-on | 100,000 page views | $100 | All | |
| Internal user | Via license | Dynamics 365 (various); Power Apps per app plan; Power Apps per user plan | n/a | n/a | n/a | Custom portal use rights are aligned with custom app use rights |

Multiple logins during the 24-hour period count as one billable login.
What exactly is considered a “login” as part of the Power Apps Portals add-on?
Think of a login as a “day pass” to a portal. Once logged in to a portal, subsequent logins (potentially from different
devices) during the 24-hour period will not be billable.
Does a single login provide access to multiple Power Apps Portals during the 24-hour period?
Logins are specific to a single portal. So if you access multiple portals belonging to the same tenant, it will be
counted as one login per portal.
What is the difference between Power Apps Portals and Dynamics 365 Portals in terms of licensing?
| Parameter | Dynamics 365 Portals | New Power Apps Portals |
|---|---|---|
| Provisioning a portal environment | Purchase Dynamics 365 Additional Portal SKU at $500 per month | Provision a portal—no need to purchase portal addons to provision a portal |
| Qualifying base offers | Dynamics 365 licenses only | Customers can add on portal external login or page view capacity to Dynamics 365, Power Apps and Power Automate licenses |
| Internal use rights | Dynamics 365 enterprise licenses, Dynamics 365 team member license. | Internal users can now access portals with a Power Apps per-app/per-user license. For a Dynamics license it is same as custom Power Apps use rights. |
| Monetization | Per portal environment; Per page view | Per log in; Per page view |
| Entitlement for Dynamics 365 customers | 1 portal environment for the first 10 full Dynamics 365 USLs | Not applicable―Power Apps Portals environments can be provisioned |

Can I purchase Power Apps Portals add-on licenses with my existing Power Apps P1 or P2 plans or do I have to
upgrade to the new plans to benefit from the new portal capability?
Yes. You can purchase Power Apps Portals add-on capacity if you are an existing Power Apps Plan 1 or Plan 2
customer. You can also purchase this capacity if you are a Dynamics 365 customer.
Can you clarify the use rights to Portals for internal users?
Custom Power Apps Portals use rights: For internal users, use rights to a “custom” portal are aligned with their
“custom” Power Apps use rights. For example:
A Dynamics 365 enterprise application license gets use rights to custom Power Apps applications within the
same environment as the Dynamics 365 application. As such, a Dynamics 365 enterprise application license
gets use rights to custom Power Apps Portals within the same environment as the licensed Dynamics 365
enterprise application.
The Team Member license does not get access to custom portal as Team Member licenses do not allow
access to a custom app.
What is the minimum number of logins and page views that I need to assign to a specific portal?
Minimum login quantity to be assigned to a portal is 100 logins/month. Once you have assigned 100 logins, you
can assign them in units of 1.
For example, if you have 3 portals and bought 4 login packs (400 logins), you can assign them in the following
ways:
Portal 1: 120 (min 100)
Portal 2: 151 (min 100)
Portal 3: 129 (min 100)
Page views: Minimum 50,000 per portal. After that you can assign 1 at a minimum.
Do unused Power Apps Portals logins carry forward to the next month?
Portals are licensed at a monthly rate that is based on a customer’s anticipated login volume. Logins are not
accumulated as individual assets that would carry forward month to month.

AI Builder
How is AI Builder licensed?
AI Builder is a capacity add-on to paid, standalone Power Apps, Power Automate, and Dynamics 365 licenses. Each
$500 subscription includes 1 million AI Builder service credits applied at the tenant level. To use your AI Builder
capacity, an administrator has to allocate AI Builder capacity to the environment where you want to use AI Builder.
More details about licensing can be found in the Microsoft Power Apps and Power Automate Licensing Guide.
Information about how to allocate capacity in the Power Platform admin center can be found here.
How is AI Builder capacity enforced?
The AI Builder capacity add-on is an annual subscription, and capacity is enforced on a monthly basis. Capacity
should be purchased for the peak utilization monthly period.
Information about how to allocate AI Builder capacity to your environment is available here.
Can AI Builder capacity be added to the P1 and P2 plans for Power Apps and Power Automate that are being
retired?
Yes. AI Builder capacity can be added to the P1 and P2 plans for Power Apps and Power Automate for customers
who haven’t yet transitioned to the new Power Apps and Power Automate plans.
What is a "service credit" and how does it work?
AI Builder includes several model types, including custom and prebuilt – a full list is available here.
AI models consume service credits when they are trained, used in an app or flow, or scheduled to periodically run.
The amount of capacity consumed varies based on the AI model, as well as the size and complexity of the data set.
Which AI models are available for free in public preview and which are in paid GA status?
The release status for AI Builder features is available here.
AI models available in public preview do not require paid AI Builder capacity. A full list of all models can be found
here.
Is a trial available for AI Builder?
Users without an existing Power Apps or Power Automate license can access AI Builder trial capacity for 30 days by
signing up for either a Power Apps or Power Automate trial. Existing Power Apps and Power Automate users can
access AI Builder trial capacity for 30 days by signing into the respective service and accessing AI Builder in the left
navigation pane.
Requests limits and allocations
10/16/2020

Effective October 2019, to help ensure service levels, availability and quality, there are entitlement limits to the
number of requests users can make each day across customer engagement apps (Dynamics 365 Sales, Dynamics
365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), Power Apps, Power Automate, AI Builder, and Power Virtual Agents.

What is a Microsoft Power Platform request?


Requests in Microsoft Power Platform consist of the actions that a user makes across the various products. At a
high level, the following constitute an API request:
Connectors – all API requests to connectors from Power Apps or Power Automate
Microsoft Power Automate – all Power Automate step actions
Common Data Service – all CRUD operations, including user-driven and internal system calls required to
complete CRUD transactions, as well as special operations like “share” or “assign.” These can come from any
client or application and use any endpoint, SOAP or REST. They include, but are not limited to, plug-ins,
async workflows, and custom controls making the above-mentioned operations.
Note that for Common Data Service, a small set of internal system operations is excluded, such
as login, logout, and system metadata operations.
The table below describes the common request limits as well as the allocation a user gets based on the
type of license assigned to the user.

Microsoft Power Platform requests allocations based on licenses


All the users of Microsoft Power Platform can use a certain number of requests based on the license they are
assigned. The following table defines the number of requests a user can make in a 24-hour period:

| User licenses | Number of API requests / 24 hours |
|---|---|
| Dynamics 365 Enterprise applications (1) | 20,000 |
| Dynamics 365 Professional (2) | 10,000 |
| Dynamics 365 Team Member | 5,000 |
| Power Apps per user plan | 5,000 |
| Power Automate per user plan | 5,000 |
| Office licenses (that include Power Apps/Power Automate) (3) | 2,000 |
| Application user / Non-interactive users | See Non-licensed user section below |

(1) Dynamics 365 Enterprise applications include Dynamics 365 Sales Enterprise, Dynamics 365 Customer Service
Enterprise, Dynamics 365 Field Service, Dynamics 365 Project Service Automation, Dynamics 365 Retail, Dynamics
365 Talent, Dynamics 365 Customer Engagement plan.
(2) Dynamics 365 Professional includes Dynamics 365 Sales Professional, Dynamics 365 Customer Service
Professional.
(3) See Appendix C for Microsoft 365 licenses that include Power Apps and Power Automate capabilities in the
Licensing Guide.
Users who are running apps and flows without a user license through the Power Apps per app plan or flows
licensed through the Power Automate per flow plan are granted the following API request entitlement.

| Non-user licenses | Number of API requests / 24 hours |
|---|---|
| Power Apps per app plan | 1,000 per user pass |
| Power Automate per flow plan | 15,000 per flow |

If a user has multiple plans assigned from different product lines, the total number of requests allowed would be
the sum of requests allocated to each license type. For example, if a user has both a Dynamics 365 Customer
Service Enterprise license as well as a Power Apps per user license, then that user will have a total of 20,000 + 5,000
= 25,000 requests available per 24 hours.
If a user has multiple licenses allocated within the same product line, for example if a user has a Dynamics 365
Customer Service Enterprise license as the base license and a Dynamics 365 Sales Enterprise license attached, the
total number of requests would be what is provided by the base license - Dynamics 365 Customer Service.

Power Apps and Power Automate capacity add-on


Power Apps and Power Automate capacity add-on allows customers to purchase additional requests. Eventually,
these may be assigned to any user who has a Power Apps/Power Automate license as well as a Dynamics 365
license.
Each capacity add-on provides an additional 10,000 requests/24 hours which can be assigned to any user. Multiple
capacity add-ons can also be assigned to the same user.

NOTE
Power Apps and Power Automate capacity add-ons cannot be assigned to users yet. Assignment will be possible later in
calendar year 2020. When supported, these may be assigned to application, administrative, and non-interactive users.

Non-licensed users/application users/Users with special free licenses


Common Data Service also provides the ability to have identities that do not require any user license to interact
with the service. There are three types of these users:
Application users
Non-interactive users
Administrative users.
Additionally there are special free ($0) licenses which are used to interact with Dynamics 365 applications like
Dynamics 365 Marketing. See How Marketing is licensed.
For these users, every tenant will get base request capacity per tenant that can only be used by these users and not
by users with standard licenses.
This base request capacity is based on the type of subscription, as follows:
1. If a tenant has at least one Dynamics 365 enterprise subscription, they will get 100,000 requests per 24
hours.
2. If a tenant has at least one Dynamics 365 professional subscription, they will get 50,000 requests per 24
hours.
3. If a tenant has at least one Microsoft Power Apps or Power Automate subscription, they will get 25,000
requests per 24 hours.
If a tenant has multiple types of subscriptions, their base request capacity will use the subscription with the larger
number of requests. For example, if a customer has both Dynamics 365 Customer Service (100,000 requests) and
Power Apps per user (25,000 requests) subscriptions, their base request capacity will be 100,000 requests per 24
hours.
Base request capacity is defined at the tenant level and can only be used by non-licensed users, application users,
and users who have free ($0) licenses.
After base request capacity is exhausted, customers can increase this capacity by purchasing a Power Apps and
Power Automate capacity add-on.

Service protection limits currently applicable


Apart from the new daily API request limit, there are other service protection limits specific to various services that
exist currently. These limits are usually much higher when compared to the daily per user entitlements for a 24-
hour period. Limits help maintain the quality of service by protecting the service from malicious or noisy behavior
that would otherwise disrupt service for all customers.
Review the following resources for information about current service protection limits for each service:
Common Data Service service protection API limits: applicable for customer engagement apps (such as
Dynamics 365 Sales and Customer Service), Power Apps, and Power Automate connecting to Common Data
Service/customer engagement apps
Microsoft Power Automate limits: applicable for Power Automate
Limits in connectors: applicable for Power Automate and Power Apps

Frequently asked questions


What happens if any user exceeds request capacity?
If any user exceeds their request capacity, the admin for the tenant/environment is notified. The admin can assign
Power Apps and Power Automate request capacity to that user.
Users won't be blocked from using the app for occasional and reasonable overages at this point in time.
Will my integrations stop working if application users exceed base request capacity?
Currently, integrations won't be stopped for occasional and reasonable overages (see above). Administrators will be
notified about overages and will be able to add Power Apps and Power Automate request capacity to be compliant.
In the near future, after reporting becomes available, certain operations would be blocked when a tenant exceeds
their Power Platform Request entitlements. These blocked operations will be in administration and customization
areas, but not limited to these operations and could expand into other areas as well, depending on the overage
scenarios.
Will there be a transition period for existing customers?
Yes, all existing customers will have a transition period until reporting is made available in the Power Platform
admin center.
What tools can an admin use to monitor and analyze API requests across the platform?
Usage reports and monitoring capabilities are expected by October 2020 in the Power Platform admin center and
will be the best way to monitor/analyze usage for API requests. This reporting will account for interactive and non-
interactive traffic, and will also de-duplicate calls between Power Apps and Power Automate to the Common Data
Service.
Can I look at the API numbers in Common Data Service Analytics section of the Power Platform Admin Center
to get a sense of Power Platform request counts versus entitlements?
No, the existing API reporting includes all Common Data Service API calls, and will not include Power Apps, Power
Automate, and Power Virtual Agent requests. For the Power Platform request counts, you should use the new
reporting that is soon to be released. Additionally, some internal operations are not counted in the forthcoming
Power Platform request report. For example, the calls to entities that are considered ‘IsPrivate’ are excluded, such
as: sdkmessagerequest, solutioncomponentdefinition, and ribbonclientmetadatareporting.
Do the Power Platform request entitlements roll over from day to day or month to month?
No. All the Power Platform request entitlements are calculated on a rolling 24-hour period. If they aren't consumed,
they don't roll over to the next day or next month.
Does each application user, non-interactive user, or administrative user get their own tenant-level entitlement?
No, tenant-level entitlements are shared across all application users, non-interactive users, or administrative users
within the tenant.
Will the requests generated from async workflows and plug-ins in Common Data Service count against the
request limits?
Yes, if these requests are making CRUD, assign, or share–type requests, they will count. However, requests generated
internally from the platform aren't going to be counted.
See also
Common Data Service API limits overview
What's the role of a Power Platform administrator?
10/16/2020 • 2 minutes to read

Administration of Power Apps, Power Automate, and Common Data Service is done through the Power Platform
admin center.

Administration journey
The evolution of an organization adopting Power Apps, Power Automate, and Common Data Service starts with the
administrator. As an administrator, you begin your journey asking how you can protect your organization's data.
What data is accessible through these services? Are there best practices to follow? What is the Power Apps security
model and how should I control access to data? Once you determine how to proceed with data access, you'll then
want to know how you can monitor and manage what users are doing with these services.
When you've figured out control and visibility, the next part of your journey takes you to deployment. Individual
users and teams can deploy apps on their own, but how do you centrally deploy solutions for your entire
organization? And how do you orchestrate updates and identify and fix issues?
The documentation in this section, which you can access from the navigation pane on the left, provides answers to
these questions and guides you on this journey.

Next steps
To get you started administering Power Apps, Power Automate, and Common Data Service, check out the following
articles:
Learn how to create a data loss protection (DLP) policy.
Learn how to download a list of active users in your tenant.
Learn about environments.
Management and monitoring
10/16/2020 • 2 minutes to read

This topic focuses on the tools you can use to manage and monitor what is going on in your environments. It is
important to understand that each company has its own operational model and requirements around a citizen app
development platform. Fulfilling those requirements using the platform capabilities in terms of custom apps or
flows can be seen as a best practice.
Out-of-the-box tooling around monitoring, alert, and actions falls into the following three categories:
Admin portals offer an interactive experience for performing administrative tasks. This is typically considered the
primary path for completing administrative activities. From a monitoring point of view, this channel is used mostly
for ad-hoc interactive discovery. We're working toward a single admin interface (https://aka.ms/ppac) for Microsoft
Power Platform. Currently, there are admin portals for Microsoft Power Platform components, such as Power BI,
Power Automate, and Power Apps. Additionally, some admin tasks are done in the Microsoft 365 admin center
(https://admin.microsoft.com/).
PowerShell cmdlets offer a way to automate both management and monitoring tasks using PowerShell. These
cmdlets can be used in a sequence to automate multistep administrative actions. From a roadmap perspective,
PowerShell cmdlets will be available first, before administration capabilities are enabled via the web app interface or
via the management and admin connectors. Check out https://www.powershellgallery.com/ to get the latest
package.
Management and Admin Connectors offer the ability to use the platform's own tools to manage and monitor
itself. Among the 275+ connectors and approval process capabilities available out of the box are five admin-specific
connectors you should be familiar with.
Power Automate Management connector is specifically designed to help with administrative management
and monitoring (https://docs.microsoft.com/connectors/flowmanagement).
Microsoft Flow for Admins allows you to perform typical admin actions, such as disabling a flow or deleting
a flow (https://docs.microsoft.com/connectors/microsoftflowforadmins/).
Power Apps for Admins connector can be used to set permissions on Power Apps or set permissions to a
certain connector being used by this app (https://docs.microsoft.com/connectors/powerappsforadmins/).
PowerApps for App Makers can be used by the makers themselves, though some actions overlap with
administrative tasks, such as setting permissions on a Power Apps app as mentioned previously
(https://docs.microsoft.com/connectors/powerappsforappmakers/).
Power Platform for Admins can be used to perform tasks against platform components, such as creating an
environment or provisioning a Common Data Service database or creating a DLP policy for a specific
environment (https://docs.microsoft.com/connectors/powerplatformforadmins/).
Check out the Admin-in-a-day content that can be found in the GitHub repository
(https://aka.ms/powerapps/admininaday) that walks you through examples via hands-on labs with step-by-step
instructions.
The Center of Excellence Starter Kit offers a template implementation using the Management and Admin
connectors, and comes with a Power BI dashboard that can be leveraged to gain tenant-wide insights.
See also
Common Data Service analytics
Admin Analytics for Microsoft Power Automate
Admin Analytics for Power Apps
Administering a Power Apps enterprise deployment
10/16/2020 • 2 minutes to read

Power Apps is a high-productivity application development platform from Microsoft. The platform is used by
Microsoft to build their own 1st party applications Dynamics 365 Sales, Service, Field Service, Marketing and Talent.
This means these applications are built natively on the platform. Enterprise customers can also build their own
custom line of business applications using the same technology. Individual users and teams within your
organization can also build personal or team productivity applications with no-code or low-code.
Check out the following downloadable whitepaper: Administering a Power Apps enterprise deployment
This whitepaper is targeted toward the enterprise application administrator responsible for planning, securing,
deploying, and supporting applications built on the Power Apps platform. The goal of the paper is to help you
understand what currently is in your environment, how to proactively plan for applications being developed and
deployed and finally how to handle day to day administrative tasks to manage deployments. In this whitepaper, we
will cover key concepts, platform architecture, and decisions that will be necessary. Where possible we will help you
develop best practices for your organization to ensure successful deployments and high productivity for users
using the platform.
The Power Apps platform is part of the larger Microsoft Power Platform that also includes PowerBI and Power
Automate, leveraging the common infrastructure of the Common Data Service and Data Connectors. These
capabilities are built on and leverage Microsoft Azure cloud services. Applications built on the Power Apps platform
can also include Azure cloud services to scale from individual productivity to enterprise mission critical line of
business applications.
Try Power Apps and customer engagement apps
10/16/2020 • 2 minutes to read

You can explore all Power Apps and model-driven apps capabilities in Dynamics 365, such as Dynamics 365 Sales
and Customer Service, for free by signing up for trial licenses.

Power Apps trial


You can try Power Apps for free by signing up for either a 30-day trial or the community plan.
Sign up for 30 day trial
Sign up for Community Plan
Sign up for trial while purchasing Power Apps

Customer engagement apps trial


Visit https://trials.dynamics.com and select the required app to sign up for a 30-day trial.
For detailed information about signing up, purchasing or using individual customer engagement apps, see the
respective app's documentation at Dynamics 365 documentation.
Quickly navigate with the Microsoft 365 app launcher
and the Dynamics 365 home page
10/16/2020 • 2 minutes to read

Quickly move between apps with the app launcher


The app launcher is built in to all Dynamics and Microsoft 365 apps. Use the app launcher in the top left corner to
quickly navigate to your Dynamics application of choice.

NOTE
For Microsoft Dynamics 365 Government subscriptions, the Microsoft 365 app launcher will take users to either Dynamics
365 apps or the Dynamics 365 admin center. Admins will go to the Dynamics 365 admin center.

Search your apps


If you have a lot of apps, you can also search for specific ones by using the global search bar that is found on most
Microsoft products.
Viewing all of your business applications
To see all of the business apps that you have access to across Dynamics 365 and the Power Platform, you can
navigate to the Dynamics home page by selecting the Dynamics 365 tile from the app launcher.

This will bring you to the Dynamics 365 home page.


NOTE
The Dynamics 365 home page is not part of the Microsoft Dynamics 365 Government subscription. Clicking Dynamics 365
takes Microsoft Dynamics 365 Government users to your environment of Dynamics 365 or to the Dynamics 365 admin
center.

TIP
If you've just started a trial or upgraded to Dynamics 365, you might need to refresh or open a new browser session to see
your apps. There might be a delay for your environment to fully provision.

Your business apps are moving


In the future, the home for all of your business applications across Dynamics and the Power Platform will move to
the apps page on office.com. This will help ensure that your end-users have a single spot to find all of their apps
across the Microsoft ecosystem. Once the apps on the Dynamics home page have moved to office.com in October,
we will provide a banner redirecting users to their new home.
After October 31, 2020, when users navigate to https://home.dynamics.com, they will be redirected to
https://www.office.com/apps with a deep link to their business applications.
Sign in to Dynamics 365 and Office apps
10/16/2020 • 2 minutes to read

There are multiple ways to sign in and access your Dynamics 365 and Office apps.

TIP
Admins: Be sure to share this information with your end users.
You can troubleshoot issues with signing in to Dynamics 365 apps using the Support and Recovery Assistant for Microsoft
365. For more information, see the blog New diagnostic scenario for web sign-in.

Signing in to https://office.com
For admins and end users, when you sign in to https://office.com, you will see a page with Office tiles. The tiles that
appear depend on what licenses you have. For example, if you have licenses for Office and Dynamics 365 apps,
you'll see tiles for Office apps like Word, OneDrive, and SharePoint, as well as a tile for Dynamics 365 apps.

Select the Dynamics 365 apps tile to go to the Dynamics 365 home page.
If you're a system administrator, you'll see an Admin tile. Select this tile to get to the Microsoft 365 admin center,
where you can see your service health, manage users, manage licenses, and more for all the online services
associated with your account.
From there, you can get to the Dynamics 365 admin center. Select Show all > All admin centers > Dynamics
365.
For other ways to access Dynamics 365 and Office apps, see Quickly navigate with the Office app launcher and the
Dynamics 365 home page.

Direct sign in to the Dynamics 365 home page


Your business apps are moving
In the future, the home for all of your business applications across Dynamics and the Power Platform will move to
the apps page on office.com. This will help ensure that your end-users have a single spot to find all of their apps
across the Microsoft ecosystem. Once the apps on the Dynamics home page have moved to office.com, we will
provide a banner redirecting users to their new home.
After October 1, 2020, when users navigate to https://home.dynamics.com, they will be redirected to
https://www.office.com/apps with a deep link to their business applications.
See also
Quickly navigate with the Office app launcher and the Dynamics 365 home page
Use the Microsoft 365 admin center to manage your
subscription
10/16/2020 • 3 minutes to read

The Microsoft 365 admin center is a portal site rich in features for the administrator. The customer engagement
apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing,
and Dynamics 365 Project Service Automation), take advantage of the features on this site to simplify and
consolidate management of user accounts, billing, licensing, and more.

Review the information in this topic to learn how to do common administrative tasks in the Microsoft 365 admin
center.

NOTE
You must have the Global admin role to fully access the Microsoft 365 admin center.

Open customer engagement apps and other services with the app
launcher
You can open customer engagement apps and other services such as Microsoft Social Engagement from the
Microsoft 365 app launcher. Choose Admin to open the Microsoft 365 admin center and Dynamics 365 to open
customer engagement apps. More information: Find help for the latest changes in Microsoft 365.
Check your service health
You can quickly get real-time status of your customer engagement apps and Microsoft 365 services. The Service
health page on the Microsoft 365 admin center provides a comprehensive view of the service health of your online
services. If users are having trouble signing in to customer engagement apps, check this page to see if there is a
service outage.
For more information, see Check your service health.

Review your messages


Check out the Message center to see how to fix or prevent issues, plan for service changes, or just to stay informed
of new or updated features.
Click Health > Message center, and select messages to get more information.
Request support
Having a problem with your service? You can create a support request to get the issue resolved.
More information: Contact Technical Support

Manage users
Each user signs in to customer engagement apps with a Microsoft 365 user ID (more precisely, an Azure Active
Directory user ID, see the following Note). Access to customer engagement apps is controlled through the
Microsoft 365 user ID.
You use the Microsoft 365 admin center to add, edit, and delete users and to reset passwords.

NOTE
Customer engagement apps use Azure Active Directory as their identity provider. You access customer engagement apps
through an Azure Active Directory user ID that is created and managed in the Microsoft 365 admin center. For simplicity, we'll
refer to the Azure Active Directory user ID as the Microsoft 365 user ID in this documentation.

If your company uses on-premises Active Directory for user identity, you have options that can simplify user
management such as providing a single sign-on experience for your users. More information: Manage user account
synchronization

Manage subscriptions
Use the Subscriptions page to adjust licenses, view your bill, add a partner of record, and lots more.

Set the password expiration


Use the Security & privacy page to set how frequently a user's password expires and the number of days before a
user is notified of an upcoming expiration.

TIP
Note the information on this page about users doing their own password reset. To enable your users to be able to reset their
passwords themselves, you'll need to purchase an Azure Active Directory subscription and configure it for password self-
service. More information: Self-service password reset in Azure AD: how to enable, configure, and test self-service password
reset

Configure self-service password reset and other settings in Azure


If you have an Azure Active Directory Basic or Premium subscription, you can set it up so users can do their own
password reset. You can access Azure Active Directory configuration from the Microsoft 365 admin center. More
information: Enable users to reset their Azure AD passwords
On the left-side menu of the Microsoft 365 admin center, choose Admin centers > Azure AD. Select your
subscription in Azure and then choose Configure.

Add your domain


Use the Manage domains page to add your domain to your subscription. When you add your own domain, user
sign-ins can match your company's URL. For example, instead of user@contoso.onmicrosoft.com, it could be
user@contoso.com. More information: Add a domain to Microsoft 365.

Purchase services
On the left-side menu of the Microsoft 365 admin center, click Billing > Purchase services to add licenses or
purchase new online services.

See also
About the Microsoft 365 admin center
Set an individual user's password to never expire
How do I check my online service health?
10/16/2020 • 2 minutes to read

You can quickly get a real-time status of your Dynamics 365 and Microsoft 365 services. The dashboard on the
Microsoft 365 Admin Center provides a comprehensive view of the service health of your online services. If users
are having trouble signing in to Dynamics 365 apps, check this page to see if there is a service outage.

View a snapshot of service health


Browse to the Microsoft 365 admin center and sign in using Global admin credentials. You can see a quick
snapshot of service health for some of your Microsoft 365 services. Select Service health (from the menu:
Health > Service health) to get more information on all your services.

View Dynamics 365 service health


Select Health > Service health > Dynamics 365 to see if there are issues; if so, select the advisory link.
View service health history
Select View history in the upper-right corner to view the past 7 or the past 30 days of service.

Select an item to see service health status and details for that item.

View planned maintenance


Select the Message center on your home dashboard (from the menu: Health > Message center) to see if there
are any scheduled events for your online service and to view other informative messages.

See also
Get Help + Support
Common Data Service analytics
What are Preview features, and how do I enable
them?
10/16/2020 • 2 minutes to read

Preview features are features that aren't complete, but are made available on a "preview" basis so customers can
get early access and provide feedback. Preview features:
Are subject to separate Supplemental Terms of Use.
Are not supported by Microsoft Support.
May have limited or restricted functionality.
Aren't meant for production use.
May be available only in selected geographic areas.

How do I enable a Preview feature?


To enable a Preview feature, you must be an administrator.
1. In the web app, go to Settings > Administration.
2. Select System Settings, and then select the Previews tab.
3. Read the Supplemental Terms of Use, and if you agree, select the I've read and agree to the license
terms check box.
4. For each Preview feature you want to enable, select Yes.

How do I report an issue or provide other feedback?


If you'd like to provide feedback, offer suggestions, or report issues for a Preview feature, please go to Application
Ideas. This website provides a collaboration platform for gathering actionable feedback to build and improve
products and services.
About Unified Interface for model-driven apps in
Power Apps
10/16/2020 • 2 minutes to read

Unified Interface uses responsive web design principles to provide an optimal viewing and interaction experience
for any screen size, device, or orientation. It brings all the rich experiences to any client that you are using. Whether
you are using a browser, tablet, or phone, you will be able to consume similar experiences.
More information:
Enhanced user experience with Unified Interface for model-driven apps
Blog: Moving forward with your transition to Unified Interface
Blog: Performance benefits of unified interface

Accessing Unified Interface apps in browsers


Once provisioned, you can access the installed Unified Interface and legacy web apps in a browser.

NOTE
The legacy web client is deprecated; you should plan to convert your legacy web apps to use the new Unified Interface.
More information: Legacy web client is deprecated

You can access Unified Interface apps from the following locations in a browser:
1. In https://home.dynamics.com/:

2. In app navigation:
3. In the My Apps page under Settings:

Accessing Unified Interface apps on phone and tablets


The Unified Interface apps are the only apps supported on phones and tablets. When users sign in to their
environment, they will see the Unified Interface apps only on their apps landing page.
On phone On tablet

Capabilities not yet on Unified Interface


Some capabilities of the legacy web client are available in the hybrid experience in Unified Interface. You can
enable the hybrid experience to get them in the browser client.
There are certain capabilities that continue to be unavailable in Unified Interface and we are working to provide
these in future releases:
Custom styling of advanced chart properties (excluding colors and basic formatting)
Composite address control
Composite fullname control
Global notifications
Admin experiences
Editable grids on phones
Learning Path
Duplicate detection in Lookups

Read-only entities on Unified Interface


There are certain entities that are currently read-only on Unified Interface. Users will not be able to make changes
to these entity records within a Unified Interface app. We are working to make them editable in future releases.

NOTE
Some entities are being deprecated. More information: Important changes (deprecations) coming

The following are entities that are currently read-only in Unified Interface:
KnowledgeArticleViews
KnowledgeBaseRecord
SharePointDocument
SharePointSite
SLA
SLAKPIInstance
Template
Contract
Contract Lines
Contract Templates
Case Resolution
Workaround for out-of-the-box or custom entities appearing as read-only
Follow these steps to make all the out-of-the-box actions available and entities editable.
1. On the navigation bar in your app, select the Settings icon and then select Advanced Settings.

The Business Management page opens in a new browser tab.


2. On the navigation bar, select Settings and then select Customizations.

3. On the Customization page, select Customize the System.


4. In the solution explorer, under Components, expand Entities and then select the specific entity that's
appearing as read-only.
5. On the General tab, under Outlook & Mobile, clear the Read-only in Unified Client check box.

6. Save and publish the customizations.


7. In the Unified Interface app, refresh the window.
See also
Overview of building model-driven apps
Enable Unified Interface Only
10/16/2020 • 5 minutes to read

In 2018, we introduced Unified Interface, the latest generation of web app design for the Power Apps model-driven
apps and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation). It brings the best in usability,
accessibility, functionality, and speed to every user. Improve how your business applications run by using only the
Unified Interface. To learn how to enable it, see How to enable Unified Interface Only. For more information, see
What experiences are available in Unified Interface Only and FAQs.

When does the Unified Interface Only experience become available, and which environments are affected?
New environments
All new Common Data Service environments and Common Data Service environments, including those created in
existing tenants, will be provisioned in Unified Interface Only mode per the schedule below.
Note: Some geographical regions will get the changes ahead of schedule by as much as 2-3 weeks.

| Environment types | Release date |
| --- | --- |
| New trial environments | December 12, 2018 |
| New trial and production Common Data Service environments | February 2, 2019 |
| New production and sandbox environments | June 8, 2019 |

Existing environments
Environments created before the scheduled release dates will not get this change automatically. From version
9.1.0.3448 onwards, administrators will have the option to change the environment settings to get the Unified
Interface Only experience. It is recommended to switch to this mode by following the steps at How to enable
Unified Interface Only.

IMPORTANT
For existing environments, it's recommended that you:
Read What experiences are available in Unified Interface Only and understand how it affects end users in your
environment.
Test the changes in your trial or sandbox environments before applying to your production environment.

What experiences are available in Unified Interface Only mode


New immersive home page experience on web
Unified Interface Only mode provides easier and quicker access to apps, and gives users the ease of working in
simple purpose-built apps. Users with just one app available to their security roles land directly in the app after
signing in using the environment URL (for example: https://contoso.crm.dynamics.com/). The first page they see is
determined by the first page of the app.
Users with multiple apps see the list of apps available to them, and can navigate to them by selecting the app tile.

NOTE
This change applies to environment URL based sign-in (for example, https://contoso.crm.dynamics.com/) on the web. It
doesn't affect users who sign in using home.dynamics.com or other portals. The sign-in and home page experience for
Dynamics 365 for phones and Dynamics 365 for tablets remains unchanged. You can learn more at Sign in and sign out.

Run all apps in Unified Interface Only mode


Unified Interface is centered around the concept of modular applications known as model-driven apps. These apps
allow developers and admins to streamline the data and functionality to provide exactly what end users need.
In Unified Interface Only mode, all model-driven apps, including those created for the legacy web client, run in
Unified Interface to provide superior performance and usability.
Deep linking apps and pages
With Unified Interface Only mode, all URLs (or deep links) open in Unified Interface in the context of the app being
referenced. For more information on constructing links, see Open forms, views, dialogs, and reports with a URL.
If no app is referenced in the URL, the record or page opens without any navigation elements on the page.
Navigation elements like sitemap are defined using an app; URLs without apps don't have them. Users can use the
app switcher to navigate to an app and continue their work.
Dynamics 365 - custom
The legacy web client app, also known as Dynamics 365 - custom, is hidden from end users when a new
environment is provisioned. It is always visible to those with System Administrator and System Customizer roles,
and to other custom roles with similar privileges. The legacy web client app should only be used temporarily for
backwards compatibility with custom and third-party legacy functionality that you have not migrated to Unified
Interface. It is not designed for Unified Interface and can cause unexpected errors and an unexpected experience. For the best user
experience, port all custom and third-party functionality to model-driven apps for Unified Interface.
When Unified Interface Only mode is enabled, Dynamics 365 - custom opens in Unified Interface and not in the
legacy web client. If users only have access to the Dynamics 365 – custom app and no other model-driven apps,
they won't be redirected automatically when signing in using the environment URL (for example,
https://contoso.crm.dynamics.com/). Access to this app can be enabled in one of two ways:
In the Power Platform admin center, go to Environments and select an environment. Go to Settings >
Product > Behavior and then turn on Show legacy app to everyone, not just admins.

Advanced settings
When Unified Interface Only mode is enabled, environment settings can be accessed via a menu on the navigation
bar. Follow these steps to navigate to Advanced Settings:
1. Select Settings on the navigation bar.
2. Select Advanced Settings.
NOTE
You need to select Advanced Settings from a customer engagement apps page that's displayed in the Unified Interface such
as Sales Hub or Customer Service Hub pages.

How to enable Unified Interface Only mode


In the Power Platform admin center, go to Environments and select an environment. Go to Settings > Product >
Behavior > Interface settings and then turn on Use Unified Interface only.

FAQs
Why is the Unified Interface setting disabled?
The Unified Interface only setting may be disabled for some organizations that have made the transition to the
Unified Interface Only experience. If you wish to make a change to this setting prior to October 1, 2020, please raise
a support request.
Is there any downtime while applying this change?
No, this change applies immediately, upon reloading the page. If it doesn't, clear cache and retry.
Business users in my environment are still using the legacy web client for all or some of the scenarios, and our
business is not completely ready to move to Unified Interface. How does the Unified Interface Only setting
impact my environment after the April 2019 release?
This setting is preset to Off for your environment, and you are unaffected by the April 2019 release. It is
recommended that you take advantage of the benefits of Unified Interface early by turning Unified Interface Only
mode on.
I want to use Unified Interface for all the apps, but still want Dynamics 365 – custom to open in the legacy web
client. Is that possible?
You can achieve this by setting all apps to be Unified Interface apps. Note that this won't change the home page
experience to Unified Interface. Unified Interface Only mode is a prerequisite to get the new home page experience.
How do I resolve errors seen while using a Dynamics 365 - custom legacy app in Unified Interface?
If there are issues with Unified Interface, please let us know.
How does it impact my Unified Service Desk deployment?
To learn about the impact of Unified Service Desk, see Impact of Unified Interface Only availability with Unified
Service Desk.
Update your apps to Unified Interface
10/16/2020 • 2 minutes to read

When you enable Unified Interface Only, all your apps, including those designed for the legacy web client, run in
Unified Interface all the time. Environments with legacy web client apps will show a notification on the home page,
prompting System Administrators to update those apps to Unified Interface, as shown below:
"You are using apps designed for the legacy web client. For best results, update your apps to Unified Interface."

A similar notification will be visible to System Administrators whenever they use an app designed for the legacy
web client, as shown below:
"This app is designed for the legacy web client and might have features or customizations that aren't supported in
Unified Interface. For best results, update it to Unified Interface."
TIP
For information on enabling Unified Interface only mode, see Enable Unified Interface Only.

The following are recommended ways to update to Unified Interface based on how the apps were installed in the
environment.

Apps created in your sandbox environment


Be sure to import the changes in your target environment via a managed solution only. See Import, update, and
export solutions for guidance on installing an update to an existing managed solution.
Modify the app properties by following the steps detailed in Manage app properties, and set the Client type to
Unified Interface.
Import the changes to your target environment via a managed solution update.

Apps installed from AppSource


Contact the app publisher and get a new version that updates the apps to Unified Interface.

Apps obtained from an ISV or any other third party publisher


Contact the ISV (Independent Software Vendor) or the third party app publisher and get a new version that
updates the apps to Unified Interface.
Enable the hybrid experience
10/16/2020 • 2 minutes to read

Most of the core functionalities of sales and customer service have moved to the Unified Interface experience.
Some of the features that are not yet on Unified Interface can now be accessed in the Unified Interface client.
The following features are not yet present in the Unified Interface but can be enabled for display as legacy dialogs
in the Unified Interface through the hybrid experience.
Advanced Find
Bulk edit
Merge records
Record sharing
Audit History
All options under Set Personal Options
Reports

NOTE
The hybrid experience is not available for on-premises versions or on mobile.

These features are enabled through a setting in System Settings.


1. In the web app, go to Settings > Administration > System Settings.
2. Select the General tab.
3. Set Enable embedding of certain legacy dialogs in Unified Interface browser client to Yes.

When you enable the hybrid experience, commands appear on the command bar. For example, when you select an
account, Edit, Merge, and Share commands are available.
You can select Share to share this account with another user or team.

If you disable the hybrid experience, these commands are not available in the command bar.

See also
Unified Interface
Environments overview
10/16/2020 • 6 minutes to read

An environment is a space to store, manage, and share your organization's business data, apps, and flows. It also
serves as a container to separate apps that might have different roles, security requirements, or target audiences.
How you choose to use environments depends on your organization and the apps you're trying to build. For
example:
You can choose to only build your apps in a single environment.
You might create separate environments that group the test and production versions of your apps.
You might create separate environments that correspond to specific teams or departments in your company,
each containing the relevant data and apps for each audience.
You might also create separate environments for different global branches of your company.

NOTE
You can get early access to upcoming Power Apps functionality by joining the Power Apps Preview program.

Environment scope
Each environment is created under an Azure Active Directory (Azure AD) tenant, and its resources can only be
accessed by users within that tenant. An environment is also bound to a geographic location, like the United
States. When you create an app in an environment, that app is routed only to datacenters in that geographic
location. Any items that you create in that environment (including connections, gateways, flows using Microsoft
Power Automate, and more) are also bound to their environment's location.
Every environment can have zero or one Common Data Service database, which provides storage for your apps.
Whether you can create a database for your environment depends on the license you purchase for Power Apps
and your permissions within that environment. More information: Pricing info
When you create an app in an environment, that app is only permitted to connect to the data sources that are
also deployed in that same environment, including connections, gateways, flows, and Common Data Service
databases. For example, consider a scenario where you've created two environments named Test and Dev, and
created a Common Data Service database in each of the environments. If you create an app in the Test
environment, it will only be permitted to connect to the Test database; it won't be able to connect to the 'Dev'
database.
You can also move resources between environments. More information: Migrate resources
Environment permissions
Environments have two built-in roles that provide access to permissions within an environment:
The Environment Admin role can perform all administrative actions on an environment, including the
following:
Add or remove a user or group from either the Environment Admin or Environment Maker role.
Provision a Common Data Service database for the environment.
View and manage all resources created within the environment.
Set data loss prevention policies. More information: Manage data loss prevention policies
After creating the database in the environment, you can use the System Administrator role instead of the
Environment Admin role.
The Environment Maker role can create resources within an environment including apps, connections,
custom connectors, gateways, and flows using Power Automate.
Environment makers can also distribute the apps they build in an environment to other users in your
organization by sharing the app with individual users, security groups, or all users in the organization. More
information: Share an app in Power Apps
Users or groups assigned to these environment roles aren't automatically given access to the environment's
database (if it exists) and must be given access separately.
Users or security groups can be assigned to either of these two roles by an environment admin by following the
steps described in Configure user security to resources in an environment.

Types of environments
There are multiple types of environments. The type indicates the purpose of the environment and determines its
characteristics. The following table summarizes the current types of environments that you might encounter.

| Type | Description | Security |
| --- | --- | --- |
| Production | This is intended to be used for permanent work in an organization. It can be created and owned by an administrator or anyone with a Power Apps license, provided there is 1 GB available database capacity. These environments are also created for each existing Common Data Service database when it is upgraded to version 9.0 or later. Production environments are what you should use for any environments on which you depend. | Full control. |
| Default | These are a special type of production environment. Each tenant has a default environment that's created automatically. Its characteristics are discussed in the following section, The default environment. | Limited control—all licensed users* have the Environment Maker role. |
| Sandbox | These are non-production environments, which offer features like copy and reset. Sandbox environments are used for development and testing, separate from production. Provisioning sandbox environments can be restricted to admins (because production environment creation can be blocked), but converting from a production to a sandbox environment can't be blocked. | Full control. If used for testing, only user access is needed. Developers require Environment Maker access to create resources. |
| Trial | Trial environments are intended to support short-term testing needs and are automatically cleaned up after a short period of time. They expire after 30 days and are limited to one user. Provisioning trial environments can be restricted to admins. | Full control. |
| Developer | Developer environments are created by users who have the Community Plan license. They're special environments intended only for use by the owner, and they can't be shared with other users. Provisioning developer environments can't be restricted unless through a support ticket. | Only a single user account with the Community Plan has access. |
| Project Oakdale | Project Oakdale environments are automatically created for the selected team when you create an app in Teams using the Power Apps app for the first time or install a Power Apps app from the app catalog. See About the Project Oakdale environment. | Tenant admins and/or Power Platform admins will not be able to access any of the core customer data in the Teams environment. However, they will be able to perform all system management operations, including customizations and updating user records, among other options. |

* Users licensed for Power Apps, Power Automate, Microsoft 365, and Dynamics 365, standalone licenses, and free and trial
licenses.

The default environment


A single default environment is automatically created by Power Apps for each tenant and shared by all users in
that tenant. Whenever a new user signs up for Power Apps, they're automatically added to the Maker role of the
default environment. The default environment is created in the region closest to the default region of the Azure
AD tenant.

NOTE
No users will be added to the Environment Admin role of the default environment automatically. More information:
Administer environments in Power Apps
You can't delete the default environment.
You can't back up and restore the default environment.
The default environment is limited to 32 GB of storage capacity. In case you need to store more data, you can create a
production environment. More information: Provisioning a new environment
The default environment is named as follows: "{Azure AD tenant name} (default)"

Production and trial environments


You can create environments for different purposes. A trial environment is for trying out the environment and
the experience of using a database with Common Data Service. It expires after a certain period.

Manage environments in the Power Platform admin center


You can view and manage your environments on the Environments page.

You can sort and search the list of environments; this is useful if you have a large number of environments to
manage.
Environment details
You can see some of the details of your environments by selecting an environment. Select See all to see more
environment details.

Select Edit to review and edit environment details.


See also
Microsoft Learn: Create and manage environments in Common Data Service
Create and manage environments in the Power Platform admin center
10/16/2020 • 7 minutes to read

An environment is a space to store, manage, and share your organization's business data, apps, and flows. It also
serves as a container to separate apps that may have different roles, security requirements, or target audiences.
Power Apps automatically creates a single default environment for each tenant, which is shared by all users in that
tenant.

TIP
For the blog announcing the latest changes to environment creation, see Provisioning and administration updates are now
live in the Power Platform admin center.

Provisioning a new environment


You can provision a new environment based on available capacity. See the section Create an environment in the
Power Platform admin center.
What's new in provisioning environments
We're consolidating how you view, create, and manage environments.
Environments can now be provisioned in the Power Platform admin center: You can create
environments in the Power Platform admin center. Previously, environments could only be created in the
Dynamics 365 Admin center and the Power Apps Admin center.
Admins can govern environment creation: To limit environment creation to admins (Dynamics 365
admins, Global admins, or Power Platform admins), see Control who can create environments in the Power
Platform admin center. Previously, limiting was done by controlling who had Power Apps P2 licenses.
Admins can see all environments: Admins can see all environments (environments with and without a
database, and environments with apps) in the Power Platform admin center. Previously, admins could not see
environments created without a database.
Trial environment provisioning: You can create one trial environment per user. Previously, you could create
two per user. See About trial environments.

Who can create environments?


Your license determines whether you can create environments.

| License | Trial | Production |
| --- | --- | --- |
| Microsoft 365 Plans | No | No |
| Dynamics 365 Teams Plans | No | No |
| Power Apps Community Plan | No | No |
| Dynamics 365 trial | Yes (one) | No |
| Dynamics 365 Plans | Yes (one) | Yes |
| Power Apps plan | Yes (one) | Yes |
| Power Apps trial | Yes (one) | Yes |
| Power Virtual Agents trial plan | Yes | No |
| Power Virtual Agents plan | No | Yes |

To determine which license a user has, sign in to the Microsoft 365 admin center and follow the steps in Assign
licenses to multiple users on the Active users page.

NOTE
Global admins and Power Platform admins can create environments without a license. See Administer without a license.

Create an environment in the Power Platform admin center


An environment provides storage for apps, flows, data, and various other resources. When users create an app in
an environment, that app can connect to any data source, including connections, gateways, and flows. How you
choose to leverage environments depends on your organization and the apps you're trying to build. For more
information, see Environments overview.
You can store the app/business data in a database with Common Data Service. You can create a database with
Common Data Service with any environment.
You have multiple options when creating an environment:
1. Create an environment with a Common Data Service database
2. Create an environment without a Common Data Service database
Some important considerations when creating a new environment
Why create an environment with a database: When you create a production or sandbox environment with
a Common Data Service database, you have the option to add Dynamics 365 apps such as Dynamics 365 Sales
and Field Service during the creation process (by choosing Enable Dynamics 365 apps). Currently, if you
don't select Enable Dynamics 365 apps at the time of database provisioning, you will not be able to make
this change later.
Why create an environment without a database: If you don't need Dynamics 365 apps or don't need to
use Common Data Service, and you are creating Power Apps or Power Automate using other data sources,
create the environment without the Common Data Service database.
The Enable Dynamics 365 apps decision is not reversible: Once you create an environment, if you don't
select Enable Dynamics 365 apps at the time of database provisioning, you will not be able to make this
change later.
Dynamics 365 apps and trial environments: Currently, Dynamics 365 apps cannot be enabled for trial
environments. To create a trial with Dynamics 365 apps, see Start your digital transformation here.

Create an environment with a database


You create a database to use Common Data Service as a data store. The Common Data Service is a cloud scale
database used to securely store data for business applications built on Power Apps. Common Data Service
provides not just data storage, but a way to implement business logic that enforces business rules and automation
against the data. For more information, see Why use Common Data Service?
Prerequisites
To create an environment with a database, you need 1GB available database capacity.
Steps
1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 admin, Global admin, or Power Platform admin).
2. In the navigation pane, select Environments, and then select New.

3. Enter the following, and then select Next.

| Setting | Description |
| --- | --- |
| Name | The name of your environment. |
| Type | Choose production, trial, or sandbox. |
| Region | Choose a region for the environment. |
| Purpose | A description of the environment. |
| Create a database for this environment? | Select Yes. |

4. Enter the following, and then select Save.

| Setting | Description |
| --- | --- |
| Language | The default language for this environment. More information: Common Data Service language collations |
| Currency | The base currency used for reporting. |
| Enable Dynamics 365 apps | Select Yes and make a selection to automatically deploy apps such as Dynamics 365 Sales and Dynamics 365 Customer Service. |
| Deploy sample apps and data | Select Yes to include sample apps and data. Sample data gives you something to experiment with as you learn. You must select No for Enable Dynamics 365 apps for this setting to appear. |
| Security group | Select a security group to restrict access to this environment. |

Create an environment without a database
You can create an environment without a database and use your own data store.
Prerequisites
You need 1GB available database capacity.
Steps
1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 admin, Global admin, or Power Platform admin).
2. In the navigation pane, select Environments, and then select New.

3. Enter the following, and then select Save.

| Setting | Description |
| --- | --- |
| Name | The name of your environment. |
| Type | You can choose production or trial. |
| Region | Choose a region for the environment. |
| Purpose | A description of the environment. |
| Create a database for this environment? | Select No. |

Provision a sandbox environment


To provision a sandbox environment, you change a production environment to sandbox.
1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 admin, Global admin, or Power Platform admin).
2. From the left-side menu, select Environments, and then select a production environment.
3. Select Edit.

4. Under Type, choose the sandbox environment type.

5. Select Save.

Setting an environment refresh cadence


You can indicate how often you would prefer an environment to receive updates and features to certain Power
Platform services. You have two options to choose from after creating an environment.

| Service | Setting | Description |
| --- | --- | --- |
| Canvas app authoring | Frequent | Get access to the latest updates and newest features multiple times a month. |
| | Moderate | Get access to updates and features at least once a month. |

To set refresh cadence:


1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 admin, Global admin, or Power Platform admin).
2. From the left-side menu, select Environments, and then select an environment.
3. Select Edit.
4. Under Refresh cadence, choose the cadence type.
5. Select Save.
The refresh cadence does not change when you will receive updates for:
Power Platform
Dynamics 365 Sales
Dynamics 365 Customer Service
Dynamics 365 Marketing

NOTE
By default, environments are automatically in the frequent cadence; creating and editing canvas apps will receive
updates once a week. When apps are published, they will receive the corresponding runtime version.
If you’ve chosen the moderate cadence for the environment, all creating and editing of canvas apps will receive updates
once a month. When apps are published, they will receive the corresponding runtime version.

FAQ
What are the new trial limits for Power Apps customers?
The new trial limits are one per user.
Can a Microsoft 365 licensed user manage and create environments?
No, Microsoft 365 licensed users will not be able to manage environments.
If I create an environment in the Dynamics 365 Admin center, will it appear in the Power Platform admin center?
Yes, it will appear in both admin centers.
What is the Power Apps production environment limit?
Provisioning environments is based on database capacity. Previously, it was two environments per Power Apps
Plan 2 license. Now all you need is 1GB of available capacity to provision. All environments with or without
Common Data Service will consume at least 1GB capacity.
See also
Manage environments in Power Apps
Common Data Service storage capacity
Control user access to environments: security groups and licenses
Control who can create and manage environments in the Power Platform admin center
10/16/2020 • 2 minutes to read

With the new provisioning model, those with the correct licenses can create an environment as long as 1GB of
capacity is available. To restrict environment creation and management to admins, do the following:
1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com.
2. Select the Gear icon in the upper-right corner of the Power Platform site.
3. Select Power Platform settings.
4. Select Only specific admins.

The following admins will be able to create new environments in the Power Platform admin center:
Global admins
Dynamics 365 admins
Power Platform admins

NOTE
Environments created prior to restriction can still be managed after restriction by those who created the environment.
Restriction will prevent any new environments being created and managed.

Control environment creation through PowerShell


Download and install the admin PowerShell cmdlets as described here. For more information about our cmdlets,
see PowerShell support for Power Apps.
Use the following commands to restrict environment creation to Global admins, Dynamics 365 admins, and Power
Platform admins.
$settings = @{ DisableEnvironmentCreationByNonAdminUsers = $true }
Set-TenantSettings $settings

FAQ
Can I disable trial environment creation for users in the tenant?
Yes. Use the following PowerShell commands to restrict trial environment creation.

$settings = @{ DisableTrialEnvironmentCreationByNonAdminUsers = $true }
Set-TenantSettings $settings

Download and install the admin PowerShell cmdlets as described here. For more information about our cmdlets,
see PowerShell support for Power Apps.
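
The two tenant settings above can be checked for drift before anything is written, which makes the restriction auditable as well as enforceable. The script below is an added example, not Microsoft's code: Get-CreationSettingDrift and the sample settings object are constructed for illustration, and it assumes Get-TenantSettings returns both settings as top-level properties under the names used on this page.

```powershell
# Added example. The live path needs the Microsoft.PowerApps.Administration.PowerShell
# module and a sign-in as a Global, Dynamics 365, or Power Platform admin.
param(
    [switch]$Live,   # read the real tenant instead of the constructed sample
    [switch]$Apply   # with -Live: write back the settings that drifted
)

# Desired state: the two settings shown on this page, both restricted to admins.
$Baseline = [ordered]@{
    DisableEnvironmentCreationByNonAdminUsers      = $true
    DisableTrialEnvironmentCreationByNonAdminUsers = $true
}

function Get-CreationSettingDrift {
    # Hypothetical helper: emits one object per setting that differs from $Desired.
    # A setting that is missing or not a boolean counts as drift (fail closed).
    param(
        [Parameter(Mandatory)] [psobject] $Current,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Desired
    )
    foreach ($name in $Desired.Keys) {
        $prop   = $Current.PSObject.Properties[$name]   # lookup is case-insensitive
        $actual = if ($prop) { $prop.Value } else { $null }
        if (-not ($actual -is [bool]) -or $actual -ne $Desired[$name]) {
            [pscustomobject]@{
                Setting = $name
                Actual  = $actual
                Desired = $Desired[$name]
            }
        }
    }
}

if ($Live) {
    Add-PowerAppsAccount                 # interactive sign-in
    $current = Get-TenantSettings
} else {
    # Constructed sample standing in for Get-TenantSettings output:
    # production creation already restricted, trial creation still open.
    $current = [pscustomobject]@{
        disableEnvironmentCreationByNonAdminUsers      = $true
        disableTrialEnvironmentCreationByNonAdminUsers = $false
    }
}

$drift = @(Get-CreationSettingDrift -Current $current -Desired $Baseline)

if ($drift.Count -eq 0) {
    Write-Output 'Environment and trial creation are restricted to admins.'
} else {
    $drift   # report: which setting, its current value, the required value

    if ($Live -and $Apply) {
        foreach ($d in $drift) {
            # Same request shape as on this page: one setting per body.
            $body = @{}
            $body[$d.Setting] = $d.Desired
            Set-TenantSettings -RequestBody $body
        }
        # Re-read the tenant and fail loudly if the change did not stick.
        $after = @(Get-CreationSettingDrift -Current (Get-TenantSettings) -Desired $Baseline)
        if ($after.Count -gt 0) {
            throw "Settings still out of baseline: $($after.Setting -join ', ')"
        }
        Write-Output 'Baseline applied and verified.'
    }
}
```

Run it with no switches to see the report against the sample, with -Live to audit the tenant, and with -Live -Apply to correct it.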
Change the environment type
10/16/2020 • 2 minutes to read

You may decide that your customization work developed and tested on a sandbox environment is now ready to go
live. If you’ve placed your sandbox environment in administration mode, only users with System Administrator or
System Customizer security roles are able to sign in to that environment. Once you change the environment type
to production, all your users can access your organization. When you configure or edit an environment, you can
change the environment from:
Production to sandbox
Sandbox to production
To change the environment type:
1. Go to the Power Platform admin center and sign in using Environment Admin or System Administrator role
credentials.
2. From the left-side menu, select Environments, and then select an environment to change.
3. Select Convert to production or Convert to sandbox.

4. Select Continue.

5. On the confirmation page, select OK.


Add a Common Data Service database
10/16/2020 • 2 minutes to read

You can create a database and build apps by using Common Data Service as a data store. You can either create your
own custom entities or use the predefined entities. To create a database, you first need to either create an
environment, or be assigned to an existing environment as an Environment Admin. In addition, you must be
assigned the appropriate license. For information on purchasing a plan for using Common Data Service, see Pricing
info.
There are various ways to add or create a database:
In the Power Platform admin center
In the Entities pane of powerapps.com

NOTE
For security reasons, we do not support creating a copy of the database for local use.

Add a database in the admin center


1. In the admin center, in the left navigation pane, select Environments.
2. Select the environment to which you want to add the database.
3. Select + Add database.
4. Enter the following, and then select Add.

Setting | Description
Language | The default language for this environment. More information: Common Data Service language collations
Currency | The base currency used for reporting.
Enable Dynamics 365 apps | Select Yes and make a selection to automatically deploy apps such as Dynamics 365 Sales and Dynamics 365 Customer Service.
Deploy sample apps and data | Select Yes to include sample apps and data. Sample data gives you something to experiment with as you learn. You must select No for Enable Dynamics 365 apps for this setting to appear.
Security group | Select a security group to restrict access to this environment.

Create a database in the Entities pane of Power Apps


1. On make.powerapps.com, expand the Data section and click or tap Entities in the left navigation pane.
2. Select Create a database to create the database.

Security model for the databases


When a database is created, users who have environment roles assigned to them continue to maintain
those privileges.
Users with Environment Admin role are now assigned to System Administrator role. Users with Environment
Maker continue to possess the same role.
You can assign additional users to pre-defined roles or even create custom roles. See Database Security for more
details.

NOTE
On creating the database, any security group assigned to the Environment Admin or Environment Maker role is no longer
honored. Currently, assigning permissions in the database does not support Azure AD security groups.

License and security permissions


To create a database, you must be an administrator in the selected environment, and the appropriate license must
be assigned to you. From the environment, you can further configure security permissions for other users by using
the Security tab. For more information, see Configure database security.

Privacy notice
With the Microsoft Power Apps Common Data Model we collect and store custom entity and field names in our
diagnostic systems. We use this knowledge to improve the Common Data Model for our customers. The entity and
field names that Creators create help us understand scenarios that are common across the Microsoft Power Apps
community and ascertain gaps in the service’s standard entity coverage, such as schemas related to organizations.
The data in the database tables associated with these entities is not accessed or used by Microsoft or replicated
outside of the region in which the database is provisioned. Note, however, the custom entity and field names may
be replicated across regions and are deleted in accordance with our data retention policies. Microsoft is committed
to your privacy as described further in our Trust Center.
Delete environment
10/16/2020 • 2 minutes to read

You can delete an environment to recover storage space and to remove Personally Identifiable Information (PII).

NOTE
You can't delete the default environment.

1. Sign in to https://admin.powerplatform.microsoft.com.
2. Select an environment and then select Delete.
3. Provide the confirmation data and then select Confirm.


See also
Back up and restore environments
Automatic environment cleanup
Manage sandbox environments
Environments overview
Cmdlet list - Admin Cmdlets
Licensing overview for Power Platform
Recover environment
10/16/2020 • 2 minutes to read

You can recover a recently deleted environment (within 7 days of deletion) by using the Power Apps cmdlet
Recover-AdminPowerAppEnvironment.

## List soft-deleted environments
Get-AdminPowerAppSoftDeletedEnvironment

## Attempt a recover operation on a soft-deleted environment
## ($environmentName must already hold the identifier of an environment from the list above)
Recover-AdminPowerAppEnvironment -EnvironmentName $environmentName -WaitUntilFinished $true

To learn more on using PowerShell cmdlets for environments, see Power Apps cmdlets for administrators.

NOTE
You should have at least 1GB of unused storage capacity to recover an environment. For information on viewing your current
storage capacity, see Common Data Service storage capacity.
Please review the following topics that discuss how environments could become marked for deletion and how to restore
environments.
Automatic environment cleanup
Back up and restore environments.

See also
Back up and restore environments
Automatic environment cleanup
Manage sandbox environments
Environments overview
Cmdlet list - Admin Cmdlets
Licensing overview for Power Platform
Reset environment
10/16/2020 • 2 minutes to read

Reset a sandbox environment to delete and re-provision it. Consider a reset when you want to:
Create a new project
Free up storage space
Remove an environment containing Personally Identifiable Information (PII) data

IMPORTANT
You can only reset sandbox environments.
A reset will permanently delete environment components such as canvas apps, flows, custom connectors, and
connections.

An example scenario
Thomas is looking at the storage consumed by the various Contoso environments and is getting concerned that
they'll run out of space in one of their production environments. He'd like to free up some space so he can give the
production environment some additional storage. He's also been notified that the Legal department has set a
retention policy on the use of production data in the test environment.
After contacting Isaac, Thomas resets the Sales department's complete sandbox environment. The environment is
re-provisioned to factory settings and ready for future use as a sandbox environment for a future project.
To reset an environment
1. Go to the Power Platform admin center and sign in using Environment Admin or System Administrator role
credentials.
2. From the left-side menu, select Environments, and then select an environment to reset.
3. Select Reset from the top menu bar.
4. On the Reset environment page, adjust the environment settings as needed and then select Reset.
WARNING
The sandbox environment will be deleted and reset to factory settings. You will not be able to recover any deleted
data.

5. Select Confirm to reset the selected environment.


The reset process starts.
Copy an environment
10/16/2020 • 6 minutes to read

You can use Copy environment in the Power Platform admin center to copy the customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation), and all data from any environment to a sandbox environment. You can
select two levels of copy: Everything or Customizations and schemas only.

NOTE
You can only copy an environment to a sandbox environment.
You can only copy to a sandbox environment in the same tenant and region.
Currently, any components that have not been added to a solution (including canvas apps, flows, custom connectors, and
connections) will not be copied to the target environment.
You cannot copy from or to a default environment.
You must have sufficient storage capacity to copy an environment.

Copy over everything


An Everything copy includes all application data, users, customizations, and schemas from the source
environment and is suitable for:
User acceptance testing
Upgrade testing
Preview in production (TAP/EA)
Training
An example scenario
Isaac, a business application developer, has received a request from the sales department to configure and deploy
a social media integration solution from another company vendor. Isaac has never installed a solution from this
vendor and is unsure what impact this would have on the production application. He’d like to import the solution
into an environment that is nearly identical to, but isolated from, production to learn about the solution and make
the appropriate configuration changes. Isaac submits a request to Thomas, the IT Manager for Contoso, to create
an Everything copy sandbox environment for him.
After the Everything copy is complete, Isaac receives a mail from Thomas telling him the sandbox environment is
ready. Isaac logs into the sandbox environment and makes the necessary changes to make sure that production
external services will not be impacted by the sandbox environment. Once changes are complete, Isaac turns off
administration mode and enables background services. Isaac is able to use the Everything copy sandbox
environment to do his testing and later manually import the solution into production.

Copy over customizations and schemas only


A Customizations and schemas only copy only includes users, customizations, and schema from the source
environment and is suitable for:
Iterative team development
Partner/ISV solutions
Proof of concept
An example scenario
Isaac has a large development project starting next week for the sales department. He has a team of developers
ready to start on the project, some of whom are internal to Contoso and some are external vendors. The Contoso
sales application contains Personally Identifiable Information (PII) that the sales manager has explicitly stated must
not be made available to any external parties for privacy and legal liability reasons. Isaac requests a customizations
and schemas only copy sandbox environment that does not contain any production data or users. In addition, Isaac
creates a Microsoft 365 security group to give the development team access to the sandbox environment.
After modifying and enabling some of the plug-ins, the developer sandbox environment functions the same and is
completely isolated from the production application. The development team works on their modifications in this
environment for several weeks. They package their changes into a solution and export/import to deploy to the
Everything copy sandbox environment. After a successful round of testing and signoffs, the changes are manually
deployed to production.
Entities copied in a Customizations and schemas only copy
The following entities are copied when you do a Customizations and schemas only copy:

Entities

BusinessUnit

ConnectionRole

Currency

DuplicateRule

DuplicateRuleCondition

EmailServerProfile

FieldPermission

FieldSecurityProfile

ImportMap

InternalAddress

Mailbox

Organization

Position

Queues

QueueMembership

Report

Resource

ResourceGroup

Role

RollupField

SavedQuery

Sites

SLAKPIenvironment

Solution

Subject

Team

TeamTemplate

Template

SystemUser

Copy an environment to a sandbox environment


1. Go to the Power Platform admin center and sign in using Environment Admin or System Administrator role
credentials.

NOTE
Environment Admins or System Administrators can copy all available environments. System administrators can copy
environments for which they have the Environment Admin or System Administrator role.

2. From the left-side menu, select Environments, and then select an environment to copy.
3. Select Copy from the top menu bar.
4. Select the desired copy over level.

5. Select a sandbox environment.


A target environment can be a sandbox or preview environment; not a production environment.

WARNING
The target environment will be deleted and replaced with a copy of the data and customizations from the source
environment. You won’t be able to recover any deleted data.

6. To restrict environment access to people in a security group, select Edit.
7. Edit the details for the copied environment, and then select Copy.
8. Select Confirm to overwrite the target environment.


The overwrite process starts.

Once the copy process is complete, the target environment is placed in Administration mode and background
operations are disabled. The next section describes recommended Administrator actions for the newly created
copy (target) environment.
Next steps after copying an environment
To ensure the newly created copy (target) environment does not impact your production environment, once the
copy operation is complete, two things happen:
1. The newly created copy environment is placed in administration mode. Only those with System
Administrator or System Customizer security roles can sign in and manage the copy environment. Regular
users cannot sign in and use the copy environment.
2. Background operations are disabled in the copy environment. Disabled operations include workflows and
synchronization with Microsoft Exchange.
Review components
You should review the status of application components in the copy environment with external connections such
as Yammer, email, plug-ins, custom workflow activities, etc. Review these and consider what action to take:
1. Disable the component.
2. Redirect the component to another service environment such as one running Exchange or SharePoint.
3. Do nothing – leave the component as is in the copy environment. For example, you might decide to allow
Yammer posting to both the copy and production environments.
Here are some possible application components in the copy environment that could have external
connections and therefore could impact services with the same connections in your production
environment.
Email. A mailbox cannot be synced with two different environments. For an Everything copy environment,
the user mailboxes in the copy environment must be disabled so the mailboxes do not attempt to send or
receive email, or track appointments, contacts, or tasks. Set synchronization for the following to None.
Incoming Email
Outgoing Email
Appointments, Contacts, Tasks
More information: Set the delivery method for incoming and outgoing email
SharePoint. Deactivate or redirect SharePoint to a sandbox SharePoint environment to prevent impacting
documents managed by SharePoint. Go to Settings > Documentation Management > SharePoint
Sites. Select your site, and then click Deactivate.
Yammer. Disable Yammer or redirect to a separate Yammer service to prevent posts made in the copy
environment conflicting with posts made in the production environment. Go to Settings >
Administration > Yammer Configuration.
After creating a new sandbox environment, workflows and system jobs might be pending execution. Apart
from these jobs, if you have connected Yammer to customer engagement apps there will be Yammer activity
streams posted from customer engagement apps to Yammer asynchronously. These activity streams are not
visible through the system jobs. If there were any pending Yammer activity streams before the Disable
Background Process is turned on, these activity streams will be posted to the current Yammer configuration
once the Disable Background Process is turned back off. In the sandbox environment, if you have your
current Yammer configuration connected to the same Yammer network as your production environment,
you might see duplicate activity streams. To avoid duplicate Yammer activity streams, redirect your sandbox
environment to another Yammer network (possibly a test network) before turning background processes
back on.
Platform extensibility. Consider disabling the following that could be running in the copy environment
and impacting external service components.
Server-side plug-ins.
Workflow custom activity.
Client extensibility. Review the following.
Client-side JavaScript. Take a look at your JavaScript and HTML web resources for read/write
operations that could impact external services.
IFRAMES. Determine if the target of an IFRAME is a production environment.
Tenant to tenant migration
10/16/2020 • 2 minutes to read

Move an environment to a different tenant


You can use the Tenant to Tenant Migration feature to request to have an environment in one tenant moved to
another tenant. To do so, submit a support request.
There are no user-interface changes or version changes as part of this move. You can move one or multiple
environments. Once complete, your environment(s) will appear in your new tenant.

IMPORTANT
When moving individual environments from one tenant to another, if that requires a geographical region change, your
tenant becomes a multiregional tenant. Regional features are enabled in the Power Platform admin center.
You might need to reconfigure some applications and settings after tenant to tenant migration such as Microsoft Dynamics
365 for Outlook, server-side sync, SharePoint integration, etc.

Impact of migrating between tenants


When your organization is moved from one tenant to another within the same region, the URL does not change.
In order to perform this operation, you'll need to provide some information, such as:
What is the source tenant domain and its region? (example: EMEA, NA, APAC)
What is the destination tenant domain and its region? (example: EMEA, NA, APAC)
Does the destination tenant have a valid subscription?
Does the destination tenant have enough available user licenses?
Does the destination tenant have enough environment licenses?
Does the destination tenant have enough storage available for the environments being migrated?
If you do not have a subscription and/or trial in the destination tenant, then you will need to create one. You might
need to purchase a new subscription in the destination tenant (or convert a trial to paid), if not already done.
You will need to create a temporary environment or environments in the destination tenant, depending on how
many source environments you are migrating. Source environment type and destination environment type must
match (production vs non-production (sandbox)). The users to be migrated from one tenant to another need to be
created on the target tenant as well.
The destination tenant needs an equal or higher number of active user licenses, environment licenses for the
environments being migrated, and equal or greater storage as the source tenant.

How the move works


You’ll be provided with a list of prerequisites and post-requisites for your migration as part of the support request
raised. The following table describes what Microsoft does before, during, and after your move.
What Microsoft does

Before the move (notification): Your support representative or Account Manager will work with you to request a
move and schedule it.

During the move (cut-over): Cut-over for the migration takes several hours, depending on the number of users and
the amount of data. During this period, the organization is not accessible, so the cut-over should be scheduled
during the evening or over a weekend. There is a step that will require your involvement, which is to provide a
User Mapping File. This is requested in advance so that we can validate the users being moved before the
migration takes place.

After the move (notification and support): You will be alerted by email or telephone when your environment is
migrated to the new tenant. After the tenant migration is complete, your support representative or Account
Manager will assist you to contact with billing to cancel and/or credit your previous subscription, if needed.

We will adhere to the terms of the Microsoft Online Services Service Level Agreement for all moves.
Back up and restore environments
10/16/2020 • 8 minutes to read

Protecting your data in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), and
providing continuous availability of service are important. You have multiple options for backing up and restoring
your environments.

System backups
Some backups take place without you having to do anything.

About system backups:


All your environments are backed up.
System backups occur continuously. The underlying technology used is Azure SQL Database. See SQL
Database documentation Automated backups for details.
System backups for production environments that have been created with a database and have one or more
Dynamics 365 applications installed are retained up to 28 days. System backups for production environments
which do not have Dynamics 365 applications deployed in them will be retained for 7 days. System backups
for sandbox environments will be retained for 7 days.
You must restore an environment to the same region in which it was backed up.
Restore a system backup
1. Browse to the Power Platform admin center and sign in using administrator credentials. Consider using the
less privileged service admin role instead of the global admin role. See Use the service admin role to
manage your tenant.
2. Go to Environments > [select an environment] > Backups > Restore or manage.
3. Select the System tab.
4. Under Select a backup to restore, choose a date and time to select a system backup to restore, and then
select Continue.
5. You'll be provided with a list of available backups at or close to the date and time you chose if the selected
time is not available. Pick the desired backup, and then select Confirm.

6. Select an environment to restore to (overwrite), enter other settings as desired, and then select Restore.
NOTE
Only sandbox environments can be restored to.
Under Edit details, you can change the environment name.

7. Confirm overwrite of the environment.

Manual backups
Automated system backups are great, but you'll want to make your own backups before making some significant
customization change or applying a version update. You can do this with manual backups.
About manual backups:
A backup is created for you when we update your environment.
You can back up production and sandbox environments.
You can't back up the default environment.
Sandbox backups are retained for up to 7 days.
Manual backups for production environments that have been created with a database and have one or
more Dynamics 365 applications installed are retained up to 28 days. Manual backups for production
environments which do not have Dynamics 365 applications deployed in them will be retained for 7 days.
Check your expiration date.

You are not limited in the number of manual backups you can make.
Manual backups do not count against your storage limits.
You must restore an environment to the same region in which it was backed up.
Create a manual backup
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > Backups > Create.
3. Fill in the information, and then select Create.
There is no status as the backup is processing. When the backup is completed, you'll see the following message:
"The [backup name] backup was successfully created."
Restore a manual backup
You can only restore to sandbox environments. To restore to a production environment, first switch it to a sandbox
environment. See Switch an environment.

IMPORTANT
Note that changing an environment type to sandbox will immediately reduce backup retention to 7 days. If you do not need
backups (restore points) older than 7 days, then you can safely switch the type. If you think you may need restore points
older than 7 days, we strongly recommend that you keep the environment as production and consider restoring to a
different environment of type sandbox.

1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > Backups > Restore or manage.
3. Select the Manual tab.
4. Select a manual backup to restore, and then select Restore.
5. Select an environment to restore to (overwrite), and then select Restore.

NOTE
Only sandbox environments can be restored to.

6. Confirm overwrite of the environment.


Delete a manual backup
You can delete manual backups. You can't delete system backups.
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > Backups > Restore or manage.
3. Select the Manual tab.
4. Select Delete.
5. Confirm deletion of the environment.

FAQ
How are system backups taken?
In the current version of the product, system backups occur continuously; this is different from previous versions
where backups were once a day. Because the underlying technology used is Azure SQL Database, see Automated
backups for details.
How are manual/on-demand backups taken?
In the current version of the product, system backups occur continuously; this is different from previous versions
where backups were once a day. Because the underlying technology used is Azure SQL Database, see Automated
backups for details.
Because Azure SQL Database takes backups continuously, there is no need to take additional backups or specify
Azure SQL Database to take additional backups or an on-demand full backup. That means our on-demand backup
is just a label and a time stamp that we store in our system and use during restore requests. This is different from
previous versions that took a full backup during an on-demand backup.
Why can't I see a status of the manual backup?
There is no status as the backup is processing. When the backup is completed, you'll see the following message:
"The [backup name] backup was successfully created."
Should I open a support ticket for taking a full backup?
No. In the current version of the product, system backups occur continuously; this is different from previous
versions where backups were once a day. Because the underlying technology used is Azure SQL Database, see
Automated backups for details.
Because Azure SQL Database takes backups continuously and there is no specific way to take additional on-
demand backups, we recommend you use our on-demand backup feature to label your backups.
How long are my manual/on-demand backups and system backups retained?
System and manual backups for certain production-type environments are retained up to 28 days. Other
environment type backups are retained up to 7 days only. Please see the following FAQ, How do I determine if
backups of a production environment are retained for 28 days?
How do I determine if backups of a production environment are retained for 28 days?
Production environments that have been created with a database will give you the option to enable one or more
Dynamics 365 applications if you have purchased licenses that entitle you to deploy such applications (for
example, Dynamics 365 Sales, Dynamics 365 Customer Service). Backups of production environments with a
database and Dynamics 365 applications deployed are retained for up to 28 days. In contrast, backups of
production environments which do not have Dynamics 365 applications deployed in them will be retained for 7
days.
Can I extend my backup to be retained beyond the standard number of days?
You can't extend your system backups or manual/on-demand backups. However, if you want to keep the data for
longer than the standard retention period, we recommend you copy your environment to an additional
environment and do not modify that additional environment.
Can I move my data from an online environment to an on-premises version?
Obtaining a copy of your database backup isn't available. If you want to move your online data to Dynamics 365
Customer Engagement (on-premises), this requires data migration. For smaller data sets, consider exporting data
to Excel. For larger data sets, find a third-party data migration solution on Microsoft AppSource.
How can I download a copy of my backup?
Obtaining a copy of your database backup isn't available. Moving your online data requires data migration. For
smaller data sets, consider exporting data to Excel. For larger data sets, find a third-party data migration solution
on Microsoft AppSource.
Do we have any database size restriction to take a backup or restore an organization through user interface (UI)
or API?
We don't have any restriction on database size (or storage capacity/entitlement) to take a backup through UI or
API. However, when an organization’s storage capacity usage is greater than the entitled capacity, the following
admin operations will be blocked:
Restore an environment
Create new environment (requires minimum 1GB capacity available)
Copy an environment
To be compliant with storage usage requirements, customers can always free up storage, archive data, delete
unwanted environments, or buy more capacity. To learn more about capacity add-ons, see the Add-ons section in
the Dynamics 365 Licensing Guide or the Power Apps and Power Automate Licensing Guide. You can work
through your organization’s standard procurement process to purchase capacity add-ons.
Can I restore to a production environment?
In order to prevent accidental overwrites, we don't allow users to directly restore to a production environment. To
restore to a production environment, first switch it to a sandbox environment. See Switch an environment. Note
that changing an environment type to sandbox will immediately reduce backup retention to 7 days. If you do not
need backups (restore points) older than 7 days, then you can safely switch the type. If you think you may need
restore points older than 7 days, we strongly recommend that you keep the environment as production and
consider restoring to a different environment of type sandbox.
Why is my organization in administration mode after a restore and how do I disable it?
The newly restored environment is placed in administration mode. To disable administration mode, see Set
administration mode. You can set administration mode in sandbox or production environments.

Troubleshooting
Don't see your environment to restore to?
Only sandbox environments can be restored to.
See also
Automatic environment cleanup
Manage sandbox environments
Environments overview
Licensing overview for Power Platform
Administration mode
10/16/2020 • 2 minutes to read

You can set a sandbox or production environment in administration mode so that only users with System
Administrator or System Customizer security roles will be able to sign in to that environment. Administration mode
is useful when you want to make operational changes and not have regular users affect your work, and not have
your work affect end users (non-admins).

NOTE
You can place sandbox or production environments in administration mode.
Processes that use code, such as plug-ins or custom workflow assemblies, continue to be processed by the Common Data
Service platform when administration mode is enabled and background operations are disabled.

On the Settings panel, you can set the following:

Setting | Description
Administration mode | Select to enable administration mode for the selected sandbox or production environment. Only System Administrators or System Customizers will be able to sign in to the selected sandbox or production environment.
Background operations (optional) | Select to disable all asynchronous operations (see Asynchronous service) such as workflows and synchronization with Exchange. Emails will not be sent and server-side synchronization for appointments, contacts, and tasks are disabled. Note: Administration mode must be enabled to disable background operations.
Custom message (optional) | Enter a message that will be displayed to all users when they attempt to sign in.

Set administration mode


1. Go to the Power Platform admin center and sign in using Environment Admin or System Administrator role
credentials.
2. From the left-side menu, select Environments, and then click on a sandbox or production environment.
3. On the Details page, select Edit.
4. Under Administration mode, toggle Disabled to Enabled.
5. Optionally, you can set Background operations and Custom message, and then select Save.
Manage the encryption key
10/16/2020 • 13 minutes to read

All environments of Common Data Service use SQL Server Transparent Data Encryption (TDE) to perform real-time
encryption of data when written to disk, also known as encryption at rest.
By default, Microsoft stores and manages the database encryption key for your environments so you don't have to.
The manage keys feature in the Power Platform admin center gives administrators the ability to self-manage the
database encryption key that is associated with the Common Data Service tenant.

IMPORTANT
Self-managed database encryption keys are only available for customers who have more than 1000 Power Apps plan and/or
Dynamics 365 plan licensed user seats and who have opted in to the feature. To opt in to this program, submit a support
request.
Encryption key management is only applicable to Azure SQL environment databases. The following features and services use
their own key to encrypt their data and can't be encrypted with the self-managed encryption key:
Relevance Search
Mobile Offline
Activity Log (Microsoft 365 portal)
Exchange (Server-side sync)
Note the following:
The self-manage the database encryption key feature must be turned on by Microsoft for your tenant before you can use
the feature.
To use the data encryption management features for an environment, the environment must be created after the self-
manage the database encryption key feature is turned on by Microsoft.
Encryption key management cannot be applied to environments that have data stored in File and Image fields.
A majority of existing environments have file and log stored in non-Azure SQL databases. These environments cannot be
opted in to self-managed encryption key. Only new environments (once you signed up for this program) can be enabled
with self-managed encryption key.

Introduction to key management


With key management, administrators can provide their own encryption key or have an encryption key generated
for them, which is used to protect the database for an environment.
The key management feature supports both PFX and BYOK encryption key files, such as those stored in a hardware
security module (HSM). To use the upload encryption key option you need both the public and private encryption
key.
The key management feature takes the complexity out of encryption key management by using Azure Key Vault to
securely store encryption keys. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud
applications and services. The key management feature doesn't require that you have an Azure Key Vault
subscription and for most situations there is no need to access encryption keys used for Common Data Service
within the vault.
The manage keys feature lets you perform the following tasks.
Enable the ability to self-manage database encryption keys that are associated with Common Data Service
environments.
Generate new encryption keys or upload existing .PFX or .BYOK encryption key files.
Lock and unlock tenant environments.

WARNING
While a tenant is locked, all environments within the tenant can't be accessed by anyone. More information: Lock the
tenant.

Understand the potential risk when you manage your keys


As with any business critical application, personnel within your organization who have administrative-level access
must be trusted. Before you use the key management feature, you should understand the risk when you manage
your database encryption keys. It is conceivable that a malicious administrator (a person who is granted or has
gained administrator-level access with intent to harm an organization's security or business processes) working
within your organization might use the manage keys feature to create a key and use it to lock all environments in
the tenant.
Consider the following sequence of events.
The malicious administrator signs in to the Power Platform admin center, goes to the Environments tab and
selects Manage encryption key. The malicious administrator then creates a new key with a password and
downloads the encryption key to their local drive, and activates the new key. Now all the environment databases are
encrypted with the new key. Next, the malicious administrator locks the tenant with the newly downloaded key, and
then takes or deletes the downloaded encryption key.
These actions will result in disabling all the environments within the tenant from online access and make all
database backups un-restorable.

IMPORTANT
To prevent the malicious administrator from interrupting the business operations by locking the database, the managed keys
feature doesn't allow tenant environments to be locked for 72 hours after the encryption key has been changed or activated.
Additionally, anytime an encryption key is changed for a tenant, all administrators receive an email message alerting them of
the key change. This provides up to 72 hours for other administrators to roll back any unauthorized key changes.

Key management requirements


Privileges required
To use the manage keys feature you need one of the following privileges:
Global admin membership.
Microsoft 365 Service administrators group membership.
System administrator security role for the environment whose encryption key you want to manage.
Encryption key requirements
If you provide your own encryption key, your key must meet these requirements that are accepted by Azure Key
Vault.
The encryption key file format must be PFX or BYOK.
2048-bit RSA or RSA-HSM key type.
PFX encryption key files must be password protected.
For more information about generating and transferring an HSM-protected key over the Internet see How to
generate and transfer HSM-protected keys for Azure Key Vault.
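
A pre-upload check for the PFX requirements listed above (PFX format, 2048-bit RSA, password protected, private key present), as an added example that is not Microsoft's code and not part of the Microsoft.Xrm.OnlineManagementAPI module. The function names Test-PfxForKeyUpload, New-ConstructedPfx and Invoke-PfxCheckDemo are hypothetical, the sample PFX files and password are constructed in a temporary folder, and the script assumes Windows with .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
# Added example (hypothetical helper names). Checks a .pfx against the stated
# requirements before it is uploaded as a self-managed encryption key.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-PfxForKeyUpload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $file     = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $flags    = [X509KeyStorageFlags]::EphemeralKeySet   # do not persist the private key
    $findings = [System.Collections.Generic.List[string]]::new()
    $result   = [ordered]@{ Path = $file; PasswordProtected = $null
                            HasPrivateKey = $null; KeyAlgorithm = $null; KeySizeBits = $null }

    if ([IO.Path]::GetExtension($file) -ne '.pfx') {
        $findings.Add('File extension is not .pfx (.byok files are not inspected here).')
    }

    # Requirement: PFX files must be password protected.
    # A file that opens with an empty password fails that requirement.
    $cert = $null
    try   { $cert = [X509Certificate2]::new($file, '', $flags); $opensEmpty = $true }
    catch { $opensEmpty = $false }

    if ($opensEmpty) {
        $findings.Add('PFX opens with an empty password; it must be password protected.')
    } else {
        try   { $cert = [X509Certificate2]::new($file, $Password, $flags) }
        catch { $findings.Add('Cannot open the file with the supplied password (wrong password or not a PFX).') }
    }

    if ($null -ne $cert) {
        try {
            $result.PasswordProtected = -not $opensEmpty
            # Requirement: both the public and the private key are needed for upload.
            $result.HasPrivateKey = $cert.HasPrivateKey
            if (-not $cert.HasPrivateKey) { $findings.Add('PFX contains no private key.') }

            # Requirement: 2048-bit RSA. GetRSAPublicKey returns $null for non-RSA keys.
            $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($null -eq $rsa) {
                $result.KeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
                $findings.Add('Key type is not RSA.')
            } else {
                $result.KeyAlgorithm = 'RSA'
                $result.KeySizeBits  = $rsa.KeySize
                if ($rsa.KeySize -ne 2048) { $findings.Add("RSA key is $($rsa.KeySize) bits; 2048 is required.") }
                $rsa.Dispose()
            }
        } finally { $cert.Dispose() }
    }

    $result.Compliant = ($findings.Count -eq 0)
    $result.Findings  = $findings.ToArray()
    [pscustomobject]$result
}

# Builds a throwaway self-signed PFX so the check can be exercised offline (constructed data).
function New-ConstructedPfx {
    param([int] $KeySizeBits, [string] $PfxPassword, [string] $OutFile)
    $rsa = [RSA]::Create($KeySizeBits)
    try {
        $req  = [CertificateRequest]::new('CN=constructed-sample', $rsa,
                    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
        [IO.File]::WriteAllBytes($OutFile, $cert.Export([X509ContentType]::Pfx, $PfxPassword))
        $cert.Dispose()
    } finally { $rsa.Dispose() }
}

function Invoke-PfxCheckDemo {
    $dir = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $dir | Out-Null
    $good = Join-Path $dir 'good.pfx'   # 2048-bit RSA, password set
    $weak = Join-Path $dir 'weak.pfx'   # 1024-bit RSA, empty password
    try {
        New-ConstructedPfx -KeySizeBits 2048 -PfxPassword 'Constructed-Sample-1!' -OutFile $good
        New-ConstructedPfx -KeySizeBits 1024 -PfxPassword ''                      -OutFile $weak
        $pw = ConvertTo-SecureString 'Constructed-Sample-1!' -AsPlainText -Force
        $good, $weak | ForEach-Object { Test-PfxForKeyUpload -Path $_ -Password $pw }
    } finally {
        Remove-Item -LiteralPath $dir -Recurse -Force   # never leave sample keys on disk
    }
}

Invoke-PfxCheckDemo | Format-List
```

For a real key file, call Test-PfxForKeyUpload with the path to the file and a password read with Read-Host -AsSecureString, and upload only when Compliant is True.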

Key management tasks


To simplify the key management tasks, the tasks are broken down into three areas:
1. Generate or upload the encryption key for a tenant
2. Activate an encryption key for a tenant
3. Manage encryption for an environment
Administrators can use the Power Platform admin center or the Microsoft.Xrm.OnlineManagementAPI PowerShell
module cmdlets to perform the key management tasks described here.
Generate or upload the encryption key for a tenant
All encryption keys are stored in the Azure Key Vault, and there can only be one active key at any time. Since the
active key is used to encrypt all the environments in the tenant, managing the encryption is operated at the tenant
level. Once the key is activated, each individual environment can then be selected to use the key for encryption.
Use this procedure to set the manage key feature the first time for an environment or to change (or roll-over) an
encryption key for an already self-managed tenant.

WARNING
When you perform the steps described here for the first time you are opting in to self-managing your encryption keys. More
information: Understand the potential risk when you manage your keys.

1. Sign in to the Power Platform admin center.
2. Select the Environments tab, and then select Manage encryption keys on the toolbar.
3. Select Confirm to acknowledge the manage key risk.
4. Select New key on the toolbar.
5. On the left pane, complete the details to generate or upload a key:
   Select a Region. This option is only shown if your tenant has multiple regions.
   Enter a Key name.
   Choose from the following options:
      To create a new key, select Generate new (.pfx). More information: Generate a new key (.pfx).
      To use your own generated key, select Upload (.pfx or .byok). More information: Upload a key (.pfx or .byok).
6. Select Next.
7. Email notification is sent to all administrators. More information: Encryption key change notification.
Generate a new key (.pfx)
1. Enter a password, and then re-enter the password to confirm.
2. Select Create, and then select the created file notification on your browser.
3. The encryption key .PFX file is downloaded to your web browser's default download folder. Save the file in a
secure location (we recommend that this key is backed up along with its password).
To perform this task using PowerShell, see Get-CRMGenerateProtectionkey and Set-CrmTenantProtectionKey.
Upload a key (.pfx or .byok)
1. Select Upload the Key, select the .pfx or .byok¹ file, and then select Open.
2. Enter the password for the key, and then select Create.
¹ For .byok encryption key files, make sure you use the subscription ID as shown on the screen when you export the
encryption key from your local HSM. More information: How to generate and transfer HSM-protected keys for
Azure Key Vault.
To perform this task using PowerShell, see New-CRMImportProtectionKey and Set-CrmTenantProtectionKey.

NOTE
To reduce the number of steps for the administrator to manage the key process, the key is automatically activated when it is
uploaded the first time. All subsequent key uploads require an additional step to activate the key.

Activate an encryption key for a tenant


Once an encryption key is generated or uploaded for the tenant, it can be activated.
1. Sign in to the Power Platform admin center.
2. Select the Environments tab, and then select Manage encryption keys on the toolbar.
3. Select Confirm to acknowledge the manage key risk.
4. Select a key that has an Available state and then select Activate key on the toolbar.
5. Select Confirm to acknowledge the key change and that all administrators will be notified. More information:
Encryption key change notification.
When you activate a key for the tenant, it takes a while for the key management service to activate the key. The
status of the Key state displays the key as Installing when the new or uploaded key is activated. Once the key is
activated, the following occurs:
All encrypted environments automatically get encrypted with the active key (there is no downtime with this
action).
When activated, the encryption key will be applied to all environments that are changed from Microsoft-
provided to self-managed encryption key.
To perform this task using PowerShell, see Set-CrmProtectWithTenantKey.

IMPORTANT
To streamline the key management process so that all environments are managed by the same key, the active key can't be
updated when there are locked environments. All locked environments must be unlocked before a new key can be activated.
If there are locked environments that don't need to be unlocked, they must be deleted.

NOTE
After an encryption key is activated, you can't activate another key for 24 hours.

Manage encryption for an environment


By default, each environment is encrypted with the Microsoft-provided encryption key. Once an encryption key is
activated for the tenant, administrators can elect to change the default encryption to use the activated encryption
key. To use the activated key, follow these steps.
Apply encryption key to an environment
1. Sign in to the Power Platform admin center.
2. Select the Environments tab.
3. Open a Microsoft-provided encrypted environment.
4. Select See all.
5. In the Environment Encryption section, select Manage.
6. Select Confirm to acknowledge the manage key risk.
7. Select Apply this key to accept changing the encryption to use the activated key.
8. Select Confirm to acknowledge that you are managing the key directly and that there is downtime for this
action.
Return a managed encryption key back to Microsoft-provided encryption key
Returning to the Microsoft-provided encryption key configures the environment back to the default behavior where
Microsoft manages the encryption key for you.
1. Sign in to the Power Platform admin center.
2. Select the Environments tab, and then select an environment that is encrypted with a self-managed key.
3. Select See all.
4. In the Environment Encryption section, select Manage, and then select Confirm.
5. Under Return to standard encryption management, select Return.
6. For production environments, confirm the environment by entering the environment's name.
7. Select Confirm to return to standard encryption key management.
To perform this task using PowerShell, see Set-CrmProtectWithMicrosoftKey.
Lock the tenant
Since there is only one active key per tenant, locking the encryption for the tenant disables all the environments
that are in the tenant. All locked environments remain inaccessible to everyone, including Microsoft, until a Power
Platform admin in your organization unlocks it by using the key that was used to lock it.
Caution

You should never lock the tenant environments as part of your normal business process. When you lock a Common
Data Service tenant, all the environments will be taken completely offline and they can't be accessed by anyone,
including Microsoft. Additionally, services such as synchronization and maintenance are all stopped. If you decide to
leave the service, locking the tenant can ensure that your online data is never accessed again by anyone.
Note the following about tenant environments locking:
Locked environments can't be restored from backup.
Locked environments are deleted if not unlocked after 28 days.
You can't lock environments for 72 hours after an encryption key change.
Locking a tenant locks all active environments within the tenant.

IMPORTANT
You must wait at least one hour after you lock active environments before you can unlock them.
Once the lock process begins, all encryption keys with either an Active or Available state are deleted. The lock process can
take up to an hour and during this time unlocking locked environments is not allowed.

1. Sign in to the Power Platform admin center.
2. Select the Environments tab and then on the command bar select Manage encryption keys.
3. Select the Active key and then select Lock active environments.
4. On the right pane select Upload active key, browse to and select the key, enter the password, and then select
Lock.
5. When prompted, enter the text that is displayed on your screen to confirm that you want to lock all
environments in the region, and then select Confirm.
To lock a tenant using the PowerShell cmdlet, see Set-CrmLockTenantProtectedInstances.
Unlock locked environments
To unlock environments you must first upload and then activate the tenant encryption key with the same key that
was used to lock the tenant. Please note that locked environments do not get unlocked automatically once the key
has been activated. Each locked environment has to be unlocked individually.

IMPORTANT
You must wait at least one hour after you lock active environments before you can unlock them.
The unlock process can take up to an hour. Once the key is unlocked, you can use the key to Manage encryption for an
environment.
You can't generate a new or upload an existing key until all locked environments are unlocked.

Unlock encryption key

1. Sign in to the Power Platform admin center.
2. Select the Environments tab and then select Manage encryption keys.
3. Select the key that has a Locked state, and then on the command bar select Unlock key.
4. Select Upload locked key, browse to and select the key that was used to lock the tenant, enter the password,
and then select Unlock. The key goes into an Installing state. You must wait until the key is in an Active state
before you can unlock locked environments.
5. To unlock an environment, see the next section.
Unlock environments

1. Select the Environments tab, and then select the locked environment name.

TIP
Don't select the row. Select the environment name.

2. In the Details section, select See all to display the Details pane on the right.
3. In the Environment encryption section on the Details pane select Manage.
4. On the Environment encryption page select Unlock.
5. Select Confirm to confirm that you want to unlock the environment.
6. Repeat the previous steps to unlock additional environments.
To unlock an environment using the PowerShell cmdlet, see Set-CrmUnlockTenantProtectedInstance.

Environment database operations


A customer tenant can have environments that are encrypted using the Microsoft managed key and environments
that are encrypted with the customer managed key. To maintain data integrity and data protection, the following
controls are available when managing environment database operations.
1. Restore: The environment to overwrite (the restored-to environment) is restricted to the same environment
that the backup was taken from or to another environment that is encrypted with the same customer
managed key.

2. Copy: The environment to overwrite (the copied-to environment) is restricted to another environment that is
encrypted with the same customer managed key.

NOTE
If a Support Investigation environment was created to resolve a support issue in a customer managed environment, the
encryption key for the Support Investigation environment must be changed to the customer managed key before the
Copy environment operation can be performed.

3. Reset: The environment's encrypted data will be deleted, including backups. After the environment is reset, the
environment encryption will revert back to the Microsoft managed key.

Encryption key change notification


IMPORTANT
When an encryption key is activated or changed, all administrators receive an email message alerting them of the change.
This provides a means to allow other administrators to verify and confirm that the key was updated by an authorized
administrator. Since it takes time to activate the key and to encrypt all the environments, and to send out the email
notification, an encryption key can only be updated once every 24 hours.

See also
Microsoft.Xrm.OnlineManagementAPI PowerShell reference
SQL Server: Transparent Data Encryption (TDE)
About trial environments
10/16/2020 • 6 minutes to read

Using the Power Platform admin center, you can create environments of multiple types. Using trial environments,
companies and customers can try out new features and solutions. There are two types of trial environments: trial
(standard) and trial (subscription-based).

NOTE
The term "trial," as used in all other topics and the user interface, refers to the standard type of trial environment rather than
the subscription-based type.

Not all companies and admins approach trials the same way. This is especially true when it comes to deciding
whether to allow users to try new capabilities. Some companies let users try features in a self-serve manner.
Others want admins to completely control what's being tried and who's licensed to use the environment. The two
types of trial environments provide this level of control.
Trial (standard): This is the type of trial environment that companies can use to allow users and department
managers to try new features and quickly build low-code and no-code applications and processes. Organization
(tenant) admins can enable all users to create trials, or only tenant admins. If allowed for users, any user from
that organization who has a suitable license can create a 30-day trial environment. After 30 days, the
environment is disabled and deleted.
Trial (subscription-based): This is the type of trial environment that companies can use to develop larger,
multiuser and multiple-department solutions and perform proof-of-concept reviews. Tenant admins can add a
trial (subscription-based) environment to their tenant, or new customers can sign up for a new tenant and
become the Global admin. For new customers, an admin-managed subscription is created with a set number of
licenses (usually 25); admins control which other users get licenses assigned to them. An admin-managed
subscription has an end date that can be extended.
Neither type of environment consumes paid capacity. You can convert either type of trial environment to a
production environment by switching it to consume from paid capacity, which will keep it from being disabled and
deleted. After it becomes a production environment, it will follow the paid license lifecycle.

Multiple ways to start a trial


The type of trial environment you create depends on where you start and your tenant-level permissions.

TRIAL TYPE | TENANT-LEVEL PERMISSIONS | CREATE TRIAL LOCATION
Trial (standard) | User or admin | Power Platform admin center. See Create a trial (standard) environment in the Power Platform admin center
Trial (standard) | User or admin | https://trials.dynamics.com
Trial (subscription-based) | Admin | Power Platform admin center. See Create a trial (subscription-based) environment in the Power Platform admin center
Trial (subscription-based) | User or admin | "Get started" pages, such as: https://dynamics.microsoft.com/get-started/?appname=salespro and https://dynamics.microsoft.com/get-started/?appname=customerservice

Create a trial (standard) environment in the Power Platform admin center
1. Sign in to the Power Platform admin center with admin credentials.
2. Go to Environments, and then select + New.
3. Enter the following, and then select Next.

SETTING | DESCRIPTION
Name | The name of your environment.
Type | Choose Trial.
Region | Choose a region for the environment.
Purpose | A description of the environment.
Create a database for this environment? | Select Yes to add a Common Data Service database to the trial (standard) environment.

4. Enter the following, and then select Save.

SETTING | DESCRIPTION
Language | The default language for this environment.
Currency | The base currency used for reporting.
Enable Dynamics 365 apps | Select Yes, and then select apps to automatically deploy, such as Dynamics 365 Sales and Dynamics 365 Customer Service.
Deploy sample apps and data | This setting is preset to No and can't be changed.
Security group | Select a security group to restrict access to this environment.
Create a trial (subscription-based) environment in the Power Platform admin center
1. Sign in to the Power Platform admin center with admin credentials.
2. Go to Environments, and then select New.
3. For Type, select Trial (subscription-based), and then fill in and select other settings. Select Next.

SETTING | DESCRIPTION
Name | The name of your environment.
Type | Trial (subscription-based).
Region | A region for the environment.
Purpose | A description of the environment.
Create a database for this environment | This setting is preset to Yes and can't be changed, because a Common Data Service database must be created for a trial (subscription-based) environment.

4. Specify the following settings, and then select Save.

SETTING | DESCRIPTION
Language | The default language for this environment.
URL | The environment name to include in the URL.
Currency | The base currency used for reporting.
Enable Dynamics 365 apps | Select Yes to display the Automatically deploy these apps setting, described in the following row of this table. Select No to provision an environment with no apps included. You'll be able to create trials for low-code and no-code apps and flows, but not the full Dynamics 365 applications platform.
Automatically deploy these apps | This setting appears if you set Enable Dynamics 365 apps to Yes. Select All enterprise applications, Customer Service Pro, or Sales Pro to deploy and try Dynamics 365 apps. Select None to provision an environment with no apps included.
Security group | Select a security group to restrict access to this environment.
Deploy sample apps and data | This setting appears if you set Enable Dynamics 365 apps to No. Select Yes to include sample apps and data. Sample data gives you something to experiment with as you learn.

Check the expiration date for a trial (standard) environment


1. Sign in to the Power Platform admin center with admin credentials.
2. Go to Environments > [select a trial environment] > See all. Check out Day(s) remain.
Check the expiration date for a trial (subscription-based) environment
A trial (subscription-based) environment lasts as long as the subscription is active. To check its expiration date,
perform the following steps.
1. Sign in to the Microsoft 365 admin center using Global admin credentials.
2. Select Billing > Your products , and then select the Subscriptions tab.
3. Select your Dynamics 365 subscription, and review the date in the Billing section.

Convert either type of trial environment to a production environment


1. Sign in to the Power Platform admin center with admin credentials.
2. Go to Environments > [select a trial environment] > Convert to production.
3. Select Continue.
It might take several hours to convert to a production environment.

Frequently asked questions


Who can convert a trial environment to a production environment?
The organization (tenant) admin can determine who's allowed to create trial environments and convert them to
production. If you're allowed to, and you have 1 GB of available production database capacity, you can convert a
trial environment to production. You might need to free up or purchase additional capacity if the trial environment
database exceeds available production capacity. To determine the size of the trial environment database, see
Common Data Service storage capacity.
I can see a trial (subscription-based) environment type option, why can't I create this trial type?
Make sure that you have an active Dynamics 365 Trial subscription.
How can I retain my data and resources if I don't have a way to convert the trial (standard) environment to a
production environment?
You can export your resources and data to another environment if you want to retain them longer than the trial
period. We recommend that you create a production environment or an individual environment (with the Power
Apps Community Plan) and export your resources to that environment.
Here are some guidelines for exporting resources.

TYPE OF RESOURCE IN THE ENVIRONMENT | HOW DO I EXPORT IT?
Apps (canvas and model-driven) and flows | You can use packaging to export apps and flows from one environment.
Data in the database (Common Data Service environment) | Export to Excel and save the data. You can then import the data into another environment. Use Data Integrator services and APIs to export data into another environment.

We delete trial (standard) environments that haven't had any activity in the environment databases for 30 days.
See also
Environments overview
Choose the right plans for your team
Licensing overview
Block trial licenses commands
Control who can create and manage environments in the Power Platform admin center
Manage sandbox environments
10/16/2020 • 2 minutes to read

A sandbox environment is any non-production environment of Common Data Service. Isolated from production, a
sandbox environment is the place to safely develop and test application changes with low risk.

View your sandbox environments


Manage your sandbox environments from the Power Platform admin center.
1. Go to https://admin.powerplatform.microsoft.com/, and sign in using Environment Admin or System
Administrator role credentials.
2. Open the Environments page. Select the Type tab to sort by environment type.

Create a sandbox environment


See Create and manage environments in the Power Platform admin center.

Change a production environment to sandbox


1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Service admin, Global admin, or Delegated admin).
2. From the left-side menu, select Environments, and then select a production environment.
3. Select Edit.
4. Under Type, choose the sandbox environment type.
5. Select Save.

Reset a sandbox environment


Reset a sandbox environment to delete and re-provision it. Consider a reset when you want to:
Create a new project
Free up storage space
Remove an environment containing Personally Identifiable Information (PII) data

IMPORTANT
You can only reset sandbox environments.
A reset will permanently delete environment components such as canvas apps, flows, custom connectors, and
connections.

An example scenario
Thomas is looking at the storage consumed by the various Contoso environments and is getting concerned that
they'll run out of space in one of their production environments. He'd like to free up some space so he can give the
production environment some additional storage. He's also been notified that the Legal department has set a
retention policy on the use of production data in the test environment.
After contacting Isaac, Thomas resets the Sales department's complete sandbox environment. The environment is
re-provisioned to factory settings and ready for future use as a sandbox environment for a future project.
To reset an environment
1. Go to the Power Platform admin center and sign in using Environment Admin or System Administrator role
credentials.
2. From the left-side menu, select Environments, and then select an environment to reset.
3. Select Reset from the top menu bar.
4. On the Reset environment page, adjust the environment settings as needed and understand the
following consequences:

WARNING
The sandbox environment will be deleted and reset to factory settings. You will not be able to recover any data
that was previously in the environment.
When you reset an environment, the security group specified on the Reset environment page will be applied. If
a security group isn’t specified during the reset, no security group will be assigned to the environment after the
reset is completed. Any existing security group configured before the reset is performed will no longer be applied
to the environment. More information: Control user access to environments: security groups and licenses

5. Select Reset, and then select Confirm to reset the selected environment.
The reset process starts.
Administration mode
When you place a sandbox environment in administration mode, only users with System Administrator or System
Customizer security roles will be able to sign in to that environment. Administration mode is useful when you
want to make operational changes and not have regular users affect your work, and not have your work affect
regular users.
See Administration mode.
About the Project "Oakdale" environment (Preview)
10/16/2020 • 16 minutes to read

[This topic is pre-release documentation and is subject to change.]


Introduced in September, 2020, Project "Oakdale" is a built-in, low-code data platform for Microsoft Teams that
empowers users to build custom apps, bots, and flows in Teams by using Power Apps, Power Virtual Agents, and
Power Automate. Project "Oakdale"—built on Common Data Service—provides relational data storage, rich data
types, enterprise-grade governance, and one-click solution deployment to the Teams app store. More information:
Project "Oakdale" overview
The Project "Oakdale" environment is automatically created for the selected team when you create an app or bot in
Teams for the first time or install a Power Apps app from the app catalog for the first time. The Project "Oakdale"
environment is used to store, manage, and share team-specific data, apps, and flows. Each team can have one
environment, and all data, apps, bots, and flows created with the Power Apps app inside a team are available from
that team's Project "Oakdale" database.

NOTE
This is a preview feature.
Preview features aren’t meant for production use and may have restricted functionality. These features are available
before an official release so that customers can get early access and provide feedback.
The capability to promote Project "Oakdale" environments to Common Data Service isn’t available during the public
preview release; it will be available soon.

You can identify a Project "Oakdale" environment in the Power Platform admin center by using the Type column in
the list of environments.

Licensing and restrictions


Note the following regarding access to Microsoft Power Platform apps in Teams.
- Project "Oakdale" capabilities will be available as part of select Microsoft 365 subscriptions. See
  Microsoft 365 licensing.
- Teams can invite guests who can access the apps, bots, flows, and data in the Teams Project "Oakdale"
  database within their team. However, they won't be allowed to install, make, or edit apps. They can only
  discover and run apps in their team.
- Apps created in Teams that use Project "Oakdale" will only be accessible in Teams and Teams Mobile,
  regardless of the user's license.
- For any standalone Power Apps or Power Automate usage, which includes API access as well, the Project
  "Oakdale" schema will need to be promoted to Common Data Service.
- No direct API access or pro developer experience will be provided, and only Power Apps embedded within
  the Teams client will be able to access the runtime.
- Tenant owners and members will be allowed to create their first app template, create a blank table app for
  the team, or a bot.
- Team owners will be allowed to delete a team associated with a Project "Oakdale" environment, which will
  trigger the deletion of that environment.
See also: Project "Oakdale" licensing FAQs

Environment lifecycle
This section provides a summary of key lifecycle operations that will be allowed with Project "Oakdale"
environments.

NOTE
The Project "Oakdale" environment name is the same as the team name. You can filter the list of environments in the Power
Platform admin center to show just Project "Oakdale" environments.

Operations | Feature description | Available in preview
Backup | Automated backups and labeled backups can be taken. Admins can view them in the Power Platform admin center. Backups will be available for up to 7 days. | Yes
Restore | Only point-in-time restores to the same environment will be possible. Note: if the environment has been promoted, the point-in-time restore will only be available starting from the moment it was promoted. | Yes
Copy | Not available by default for Project "Oakdale" environments. | No
Create | Only through Teams. Note: these Project "Oakdale" environments will be limited to a 1:1 mapping to the Teams team it was created in and bound to the Microsoft 365 group associated with the team. | No
Delete | The environment can be deleted by the team owner. Note: the environment will be deleted automatically if the team it was created in is also deleted. | Yes
Reset | Not available by default for Project "Oakdale" environments. | No
Promote | Unlocks all the functionality of Common Data Service services for the environment. | Yes

The lifetime of the environment will be tied to the team it was created in. If you promote an environment to
Common Data Service, the 1:1 mapping isn't guaranteed because the environment can now be used by
applications outside of Teams. The promoted environment is bound by the lifecycle rules associated with the
Power Apps license and the configuration of the environment.
Some operations are blocked by default, such as the Copy and Reset operations. For scenarios where you need this
capability, use Common Data Service environments. See the previous table for details.

IMPORTANT
Project "Oakdale" environments won't be allowed to change types until the promote operation has been carried out on the
environment. After the promotion is complete, the Project "Oakdale" environment will have the full capabilities found in
Common Data Service. In addition to the standard termination of the environments, if the Microsoft Office license expires,
there will also be an inactivity clause for these environments. Specifically, when an environment is unused for over three
months, it will be disabled and ultimately deleted.
If the team is deleted, the Project "Oakdale" environment that was created will also be deleted. The Project "Oakdale"
environment itself may be deleted from within the team by the team owner. A warning will be provided prior to allowing the
deletion to go through, to ensure there are no accidental deletions.

User access to Project "Oakdale" environments


In an environment such as Teams that can be collaborative in the development and use of apps, bots, and data, it's
important to understand how access is granted to the different types of roles within the service.
This section summarizes user access to Project "Oakdale" environments and resources.
User access requirements
For users to access Project "Oakdale" environment apps, bots, and data, they must:
- Be enabled in Azure Active Directory.
- Have an active Microsoft 365 license with a plan that includes Project "Oakdale."
- Be a member of the environment's security group.
Conceptual model
Every team in Teams is linked 1:1 to a Microsoft 365 group.
Microsoft 365 Groups supports two user membership types: owners and members. Members can be users from
the customer's own tenant or from a guest tenant. Any user management (addition, removal, user type change)
made in a team will be reflected in the Microsoft 365 group, and vice versa.
Access to a Project "Oakdale" environment and its resources (apps, data) will be restricted to users in the team. The
Microsoft 365 group linked to a team will be automatically associated with the Project "Oakdale" environment,
restricting access to users of that Microsoft 365 group. This Microsoft 365 Groups association with the Project
"Oakdale" environment won't be editable until the environment is promoted to Common Data Service.
Role assignments
Persona | Description | Security role auto-assigned
Teams owner | Owners can manage team membership and settings in the team. They have full access to the Project "Oakdale" environment's apps, resources, and data. They can perform environment maintenance tasks such as backup and restore through the Power Platform admin center. | System Administrator
Teams member | Members can view the Project "Oakdale" environment's resources, run all apps and resources, and create or update their own resources. They have full access to all data. | Teams member
Teams guest | Guests are people from outside the tenant that a team owner invites, such as a partner or a customer. They can view and run all resources in the team. By default, guests have full access to records they create and don't have access to other users' records. | Teams guest
Global admin / Power Platform admin who isn't in the team | These are tenant-level admins who manage the health and maintenance of the tenant's environments. They need not be members of the team, but through their tenant-level admin privileges they can perform environment maintenance tasks such as backup and restore for all Project "Oakdale" environments. They are set to the Administrative access mode as opposed to the Read-Write access mode if they aren't in the team, so they'll only have Administrative access to the Project "Oakdale" environments. They can be explicitly given Read-Write access by another admin who already has Read-Write access to the environment. | System Administrator
Colleagues with access | Colleagues with access are people in the tenant who aren't in the team but have been invited to run apps in the team. By default, colleagues with access have no access to data. Their data access rights can be granted based on the app or resources that they need to run. Note: when a colleague with access is invited to run apps in a team, the Microsoft 365 group association with the team's Project "Oakdale" environment will be automatically removed to allow app run access to the colleague with access. | Common Data Service User
Dynamics 365 admin who isn't in the team (that is, isn't in the Microsoft 365 group) | These admins won't have access to manage the health and maintenance of the team environment. | No access, because a Project "Oakdale" environment will always have the team's Microsoft 365 group associated with it, and Dynamics 365 Service admins are excluded from environments for which they aren't in the associated group.

NOTE
Record sharing isn't supported in Project "Oakdale." You can't share a record with another user or team.

Project "Oakdale" environments settings and actions


To change settings for a Project "Oakdale" environment, go to Environments > [select a Project "Oakdale"
environment] > Settings.

Users + permissions
You can specify users in an environment to provide access to Project "Oakdale" environment apps, bots, and data.
1. In the Power Platform admin center, select Environments on the left pane, and then select a Project
"Oakdale" environment.
2. Select Settings.
3. Select Users + permissions, and then select Users.
4. You'll see a list of enabled and disabled users who are members of the Project "Oakdale" environment. You
can select a user from the list to run diagnostics and view their access details and status.
5. Select + Add user to add a tenant user to the selected Project "Oakdale" environment.
6. Enter a name or email address of a user who meets the user access requirements to add the user to the
Project "Oakdale" environment, and then select Add.
7. Select Refresh to see the added user in the list.


Microsoft Teams Integration
Tenant admins can select Microsoft Teams Integration to enable embedding model-driven apps into Teams.
After making this selection, users can use model-driven apps in Teams without using customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation).

IMPORTANT
Model-driven apps can execute code that may not be generated by Microsoft. Make sure that the code for the apps in this
environment is from a trusted source.

Delete a Project "Oakdale" environment


To delete a Project "Oakdale" environment, select it from the list of environments and then select Delete.

Promote a Project "Oakdale" environment to production


Select Promote to production. See Promotion process.

Capacity limits
The consumption of capacity by Project "Oakdale" environments won't count towards the tenant's capacity limits.
Instead, we'll provide a pool of capacity for Project "Oakdale" environments, which will be separate from the
tenant's Microsoft Power Platform Common Data Service capacity pool. Capacity won't be transferable between
these two pools.
Per-environment limits on Project Oakdale environments: Each Project "Oakdale" environment provides 2
GB of combined database and file storage, with a portion of this amount reserved for system use. To see the
consumption of each Project "Oakdale" environment in a tenant, go to the Power Platform admin center
(https://aka.ms/ppac), then to Resources > Capacity > Microsoft Teams Capacity.
Tenant-wide limits on Project Oakdale environments: Each tenant will also have limits related to Project
"Oakdale" environments defined in the following table.

Unit | Service limit
Project "Oakdale" environments | 5 + 1 per 20 eligible office seats (up to a maximum of 500 environments). This limit on the number of environments can't be extended further. Should more instances be needed, consider deleting unused environments or promoting environments to Common Data Service.
Max Project "Oakdale" environment storage per tenant | 10 GB + Project "Oakdale" environments × 2 GB (up to a max of 1 TB). This storage limit can't be extended further. Should more storage be needed, consider promoting environments to Common Data Service.
Max Project "Oakdale" environments API calls | API requests in Microsoft Power Platform consist of various actions that a user makes across various products. For more information about API calls and the per-user limits available, go to Microsoft Power Platform request entitlements.

Enforcement
The following actions will be taken when customers approach and exceed the environment-level or tenant-wide
Teams limits.
Environment-level enforcement actions

NOTE
These environment-level enforcement actions won't be in place for the preview, but will take effect at general availability.

When a Project "Oakdale" environment in a team approaches or reaches the 2 GB capacity limit, the following
actions will be taken:
- At 80 percent of the limit, the Teams users will see in the Teams maker experience a message informing them
  the capacity limit is about to be reached. At this point, customers are encouraged to either reduce storage
  usage or contact their admin for other options.
- At 100 percent of the limit, any existing apps will continue to work and existing apps can be updated. However,
  new apps, bots, and flows can't be created or installed as a result of having reached the capacity limit.
Tenant-level enforcement

NOTE
These tenant-level enforcement actions will take effect in the preview starting in mid-October 2020.

When a tenant approaches or reaches their tenant-wide Teams limits described earlier, the following actions will be
taken:
- At 80 percent of the limit, a notification that capacity is reaching its limit will be sent to the Power Platform
  center admin. The admin will be encouraged to consider reducing storage usage or promoting some of the
  Project "Oakdale" environments.
- At 100 percent of the limit, the creation of new Project "Oakdale" environments will be blocked. Any users
  attempting to create a new Project "Oakdale" environment will be prompted to contact the tenant admin as the
  result of the capacity limit being reached. Additionally, new apps and flows won't be allowed to be created or
  installed in an existing Project "Oakdale" environment.
As mentioned for the environment-level enforcement, any existing apps will still be able to function as expected.
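
The tenant-wide limits and the 80/100 percent enforcement thresholds described above, worked through as an added Python example (not part of the original documentation). It assumes that "1 per 20 eligible office seats" rounds down, that 1 TB means 1,024 GB, and that the tenant counts as at its limit when either the environment count or the pooled storage reaches 100 percent; all function names and sample figures are constructed.

```python
from dataclasses import dataclass

# Figures taken from the limits table above.
ENV_STORAGE_GB = 2.0            # per-environment database + file storage
BASE_ENVIRONMENTS = 5
SEATS_PER_EXTRA_ENV = 20
MAX_ENVIRONMENTS = 500
TENANT_BASE_STORAGE_GB = 10.0
TENANT_MAX_STORAGE_GB = 1024.0  # assumption: "1 TB" read as 1,024 GB
WARN_RATIO = 0.80               # 80 percent: notification only

_SEVERITY = ["ok", "warning", "blocked"]


def max_environments(eligible_seats: int) -> int:
    """5 + 1 per 20 eligible seats, capped at 500 (assumption: rounds down)."""
    if eligible_seats < 0:
        raise ValueError("eligible_seats must be non-negative")
    extra = eligible_seats // SEATS_PER_EXTRA_ENV
    return min(BASE_ENVIRONMENTS + extra, MAX_ENVIRONMENTS)


def max_tenant_storage_gb(environment_count: int) -> float:
    """10 GB + 2 GB per environment, capped at 1 TB."""
    if environment_count < 0:
        raise ValueError("environment_count must be non-negative")
    pooled = TENANT_BASE_STORAGE_GB + environment_count * ENV_STORAGE_GB
    return min(pooled, TENANT_MAX_STORAGE_GB)


def enforcement_state(used: float, limit: float) -> str:
    """Map consumption to the documented thresholds: ok, warning (80%), blocked (100%)."""
    if used < 0 or limit <= 0:
        raise ValueError("used must be >= 0 and limit must be > 0")
    ratio = used / limit
    if ratio >= 1.0:
        return "blocked"
    if ratio >= WARN_RATIO:
        return "warning"
    return "ok"


@dataclass
class TenantReport:
    environment_limit: int
    storage_limit_gb: float
    environment_states: dict      # environment name -> ok / warning / blocked
    tenant_state: str             # worst of environment-count and storage state
    can_create_environment: bool
    can_create_apps: dict         # environment name -> bool


def evaluate_tenant(eligible_seats: int, usage_gb: dict) -> TenantReport:
    """usage_gb maps each Project "Oakdale" environment name to its consumed GB."""
    env_limit = max_environments(eligible_seats)
    storage_limit = max_tenant_storage_gb(len(usage_gb))

    # Environment-level check against the 2 GB limit. Per the page, this
    # enforcement is not active during the preview; it applies at general availability.
    env_states = {
        name: enforcement_state(used, ENV_STORAGE_GB)
        for name, used in usage_gb.items()
    }

    # Tenant-level check (assumption: either limit reaching 100% blocks the tenant).
    count_state = enforcement_state(len(usage_gb), env_limit)
    storage_state = enforcement_state(sum(usage_gb.values()), storage_limit)
    tenant_state = max(count_state, storage_state, key=_SEVERITY.index)
    tenant_open = tenant_state != "blocked"

    # New apps need headroom at both levels; existing apps keep running either way.
    can_create_apps = {
        name: tenant_open and state != "blocked"
        for name, state in env_states.items()
    }
    return TenantReport(env_limit, storage_limit, env_states, tenant_state,
                        tenant_open, can_create_apps)


# Constructed sample: a 100-seat tenant with three team environments.
SAMPLE_USAGE_GB = {"Sales team": 0.5, "HR team": 1.7, "Ops team": 2.0}

if __name__ == "__main__":
    report = evaluate_tenant(100, SAMPLE_USAGE_GB)
    print(f"environment limit: {report.environment_limit}")
    print(f"pooled storage limit: {report.storage_limit_gb} GB")
    for name, state in report.environment_states.items():
        print(f"{name}: {state}, new apps allowed: {report.can_create_apps[name]}")
    print(f"tenant state: {report.tenant_state}")
```
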

Promotion process
IMPORTANT
The capability to promote Project "Oakdale" environments to Common Data Service isn’t available during the public preview
release; it will be available soon.

The high-level flow and business rules for promoting a Project "Oakdale" environment follow.
A tenant admin will be allowed to promote a Project "Oakdale" environment to a Common Data Service database
environment. A typical flow is as follows:

1. Within a team, the Teams user chooses to create an app by using the new integrated Power Apps app
creation experience in Teams, or by installing an existing Project "Oakdale" environment-based app. At this
point, a Project "Oakdale" environment is provisioned for that team.
2. Over time, the data stored in the Project "Oakdale" environment will grow and eventually reach the capacity
limit that these environments have (2 GB). At this point, existing apps will continue to operate but new
applications won't be allowed to be created or installed. Customers will be directed to contact a tenant
admin to promote the Project "Oakdale" environments to Common Data Service and obtain more capacity.
Alternatively, a Teams user can request that the admin promote the environment because they want to use a
certain feature in Common Data Service.
3. Admins will review the request from the Teams user and make the decision to promote the environment
from Teams to Common Data Service. At this point, the admin will go to the Power Platform admin center
environments view to execute the promotion.

NOTE
To successfully carry out the promotion, the tenant must have at least as much available capacity as the size of the
Project "Oakdale" environment that's being promoted. After its promotion, the consumed capacity of the promoted
Project "Oakdale" environment will start counting towards the tenant's capacity. If an attempt is made to promote a
Project "Oakdale" environment when the tenant doesn't have enough capacity, the promote operation will be
blocked and an error message will be displayed.

4. Admins will be given a message with the implications of promoting and asked to confirm the action.
5. If the admin confirms, the promotion will go forward. As the promotion progresses, various notifications
will be provided as the operation transitions through the various states.
After promotion, the following applies to the newly promoted environment:
- The promoted environment's lifecycle will no longer be tied to the lifecycle of that team. If the team is deleted,
  the promoted environment remains.
- Any apps running on the environment will require Microsoft Power Platform (Power Apps, Power Automate)
  licenses to be accessed.
- The apps can run inside and outside of Teams.
- All existing apps will be associated with the promoted environment (Common Data Service) and can take
  advantage of the extended set of entities.
- The promoted environment capacity will start counting against the tenant's Common Data Service capacity.
- The Microsoft 365 Groups association will become editable.
- Team owners are assigned the System Admin roles on their environment and can access the environment by
  using the Power Platform admin center.
- Adding a new Teams Template app to the former team won't create a new Project "Oakdale" environment for
  the team.

Ability to govern Project "Oakdale" in Teams


With the public preview release of Project "Oakdale," the ability to create apps or bots with the new Power Apps
and Power Virtual Agents apps is enabled by default in Teams. Admins can enable or disable it for specific users by
using the Teams apps permission policies in Teams.
In your Teams admin center, you can use Power Apps and Power Virtual Agents applications available under
Microsoft Apps to enable or disable these new capabilities for specific users. More information: Manage app
permission policies in Microsoft Teams
In addition to the new experience of creating apps or bots with Power Apps and Power Virtual Agents, users can
now use sample apps to instantiate Teams apps (and associated Project "Oakdale" environments). These sample
apps are part of the public preview. Available sample apps are listed here. You can enable or disable these apps for
specific users by using the Teams apps permissions policies. For example, for app permissions policies under
Microsoft Apps in the Teams admin center, you'll find Employee Ideas, Inspection, and Issue Reporting
sample apps.
Note that when the Power Apps app is disabled, users won't have access to any standalone apps that you pinned in
their Teams channels with the Power Apps app. For users to continue using standalone apps in the Teams
experience even after the Power Apps maker experience has been turned off for them, you can use the new Built
by your colleagues catalog entry point to pin standalone apps to Teams channels or a user's personal scope.
This action only needs to be performed once: it updates the experience for all members of the team, allowing them
to use existing apps they already had access to. We recommend that if you choose to disable Power Apps for any
user in your tenant, you advise them that they can use the Built by your colleagues catalog to restore the
standalone apps they were using before in Teams channels.

Known issues
- The "Run diagnostics" feature in the Power Platform admin center for team owners, members, and guests who
  don't have Azure Active Directory admin roles like Global Admin, or Power Platform Admin assigned, will show
  an alert that no security roles have been assigned directly to them. Security roles are auto-assigned by the
  SYSTEM for Team personas, so this alert can be ignored.
- Teams environments currently show as created by "SYSTEM" within the Power Platform admin center. After this
  issue is fixed, existing environments will be retroactively updated to display the correct creator.
- Team owners and members who trigger Teams environment creation can temporarily see the newly created
  environment in the Power Platform admin center. After this issue is resolved, team owners will be able to
  successfully administer their environment and team members won't be able to see the environment in the
  admin center.

Related topics
Power Apps and Teams
Power Automate and Teams
Power Virtual Agents and Teams
Download a list of apps created in your environments
10/16/2020

With the retirement of the Power Apps admin center, this feature is no longer available.
You can view apps in your environments. In the Power Platform admin center, select an environment and then select
an item in the Resources section. See Manage Power Apps.
Common Data Service language collations
10/16/2020

When a Common Data Service environment is created, admins are asked to select which default language they
would like to use. This sets the dictionary, time and date format, number format, and indexing properties for the
environment.
Language selections for Common Data Service also include collation settings that are applied to the SQL database,
which stores entities and relational data. These collation settings affect things such as recognized characters,
sorting, quick find, and filtering. The collations applied to Common Data Service environments are chosen based
on the default language selected at the time of environment creation and aren't user configurable. After a collation
is in place, it can't be changed.
Collations contain the following case-sensitivity and accent-sensitivity options that can vary from language to
language.

Case and accent option | Collation | Description
Case insensitive | _CI | All languages have case insensitive enabled, which means that "Cafe" and "cafe" are considered the same word.
Accent sensitive | _AS | Some languages are accent sensitive, which means that "cafe" and "café" are treated as different words.
Accent insensitive | _AI | Some languages are accent insensitive, which means that "cafe" and "café" are treated as the same word.

Language details
A language includes the following information:
- LCID: This is an identification number applied to languages in the Microsoft .NET framework to easily
  identify which language is being used. For example, 1033 is US English.
- Language: The actual language. In some cases, names, country, and character dataset information have
  been added for disambiguation.
- Collation: The language collation uses the case-sensitivity and accent-sensitivity options associated with
  the language (_CI, _AS, _AI) described earlier.

Language and associated collation used with Common Data Service


LCID and language | Collation
1025 Arabic | _CI_AI
1026 Bulgarian - Cyrillic dataset | _CI_AI
1027 Catalan (Spain) | _CI_AI
1028 Traditional Chinese Taiwan - Stroke 90 dataset | _CI_AI
1029 Czech | _CI_AI
1030 Danish Norwegian | _CI_AI
1031 German Standard (Germany) | _CI_AI
1032 Greek | _CI_AI
1033 English (United States) | _CI_AI
1035 Finnish Swedish (Finland) | _CI_AS
1036 French (France) | _CI_AI
1037 Hebrew | _CI_AI
1038 Hungarian | _CI_AI
1040 Italian (Italy) | _CI_AI
1041 Japanese - Stroke 90 dataset | _CI_AI
1042 Korean | _CI_AI
1043 Dutch (Netherlands) | _CI_AI
1044 Danish Norwegian - Bokmaal | _CI_AI
1045 Polish | _CI_AI
1046 Brazilian Portuguese | _CI_AI
1048 Romanian | _CI_AS
1049 Russian (Russia) - Cyrillic dataset | _CI_AI
1050 Croatian | _CI_AS
1051 Slovak | _CI_AS
1053 Finnish Swedish (Sweden) | _CI_AS
1054 Thai | _CI_AS
1055 Turkish | _CI_AI
1057 Indonesian | _CI_AS
1058 Ukrainian | _CI_AS
1060 Slovenian | _CI_AS
1061 Estonian | _CI_AS
1062 Latvian | _CI_AS
1063 Lithuanian | _CI_AS
1066 Vietnamese | _CI_AS
1069 Basque (Spain) | _CI_AS
1081 Hindi - Latin character dataset | _CI_AS
1086 Malay | _CI_AS
1087 Kazakh | _CI_AS
1110 Galician (Spain) | _CI_AS
2052 Simplified Chinese (China) - Stroke 90 dataset | _CI_AI
2055 German (Switzerland) | _CI_AS
2064 Italian (Switzerland) | _CI_AS
2070 Portuguese (Portugal) | _CI_AI
2074 Serbian - Latin character set | _CI_AS
3076 Traditional Chinese Hong Kong - Stroke 90 dataset | _CI_AI
3079 German (Austria) | _CI_AS
3081 English (Australia) | _CI_AS
3081 English (UK) | _CI_AS
3082 Modern Spanish (Spain) | _CI_AI
3084 French (Canada) | _CI_AI
3098 Serbian - Cyrillic dataset | _CI_AI
4108 French (Switzerland) | _CI_AI

See also
Environments overview
Opt in to early access updates
10/16/2020

Power Platform and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics
365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) deliver two major
releases per year (April and October) that offer new capabilities and functionality.
Because the major releases include features that affect the user experience, you can opt in for early access to self-
update to the new release, and start testing and validating the new features before they're automatically enabled
for your users.

TIP
Check out the early access features for Power Platform and Dynamics 365 to know the features that will roll out to the users
automatically when you opt in for an update.

Early access availability


For each of the major releases, you can opt in for early access updates approximately two months before the major
release is automatically enabled in your region.
For example, for a wave 1 major release that's planned to be automatically enabled starting in the first week of
April, you'll be able to opt in for early access updates in early February. Similarly, for a wave 2 release that's planned
to be automatically enabled starting in the first week of October, you'll be able to opt in for early access updates in
early August.
The following is an example of an early update availability timeline.

NOTE
Once a release wave is generally available, the updates status in your environments will be set to On to automatically receive
all planned features and updates throughout the release.
To learn more, see release schedule and early access.

Environments available for early access updates


The early access updates are available for all types of environments, including trial, sandbox, and production.
However, the best practice is to enable the updates in trial or sandbox environments before production
environments.
Tenant to tenant migration is not supported for early access updates.

IMPORTANT
Although you can enable early access updates in a production environment, we highly recommend that you create a copy of
your production environment as a sandbox environment to try out the new features first. The updates can't be reverted after
they've been enabled; therefore, if you test and validate the updates in a sandbox environment before enabling them in a
production environment, you can determine the impact they'll have on users in your organization.
Be sure to:
- Learn about the Dynamics 365 release plan and Power Platform release plan, and the new features available for early
  access.
- Review Prepare for a release wave.
- Validate and test the updates in a sandbox environment before rolling out to production.

How to enable early access updates


1. Sign in to the Power Platform admin center.
2. Select the environment to update.
3. Under Updates, you'll see that the new release wave is available. Select Manage.

An example screenshot. May not be current wave.


4. Select Update now, and then proceed through the confirmation dialog boxes to enable the new features
and capabilities of the release wave.

An example screenshot. May not be current wave.


5. After the update is complete, all early access features will be enabled for your model-driven apps in your
environment.

NOTE
- All available updates to your environment will be initiated at once.
- After they're enabled, the updates can't be reverted. Be sure to update your sandbox or trial environment before updating
  the production environment.
- Only the apps that you currently have licenses for will be updated; no new apps will be installed.
- It might take a few hours to complete the updates. All applications in the environment will still be available during the
  update, though you might experience slightly reduced performance.

Additional requirements to enable early access updates


Some apps require additional steps to enable early access features. If you have any of the following apps, after
enabling the early access updates on the Power Platform admin center, you'll need to take the following manual
steps.

Early access apps | Description of manual steps
Dynamics 365 Marketing | Run the Marketing setup wizard to update your environment. This will install both the new release for production updates and the early access features when you run it on an environment where early access is enabled. For instructions, see Rerun the Dynamics 365 Marketing setup wizard.
Dynamics 365 Field Service | If you have Dynamics 365 Field Service version 8.8.6.0 or newer, you'll automatically receive the early access updates. If you're running on an older version of the Field Service app, you'll need to perform an upgrade. See Upgrade Dynamics 365 Field Service.
Dynamics 365 Project Service Automation | If you have Dynamics 365 Project Service Automation version 3.10.2.0 or newer, you'll automatically receive the early access updates. If you're running on an older version of the Project Service app, you'll need to perform an upgrade. See Upgrade home page.
Dynamics 365 Resource Scheduling Optimization | If you have Dynamics 365 Resource Scheduling Optimization, you will need to update or deploy Resource Scheduling Optimization in the Power Platform admin center. For instructions, see Manage Dynamics 365 apps, Update RSO, and Deploy RSO.

IMPORTANT
Be sure to enable the early access updates in the Power Platform admin center first. If you run the Dynamics 365 Marketing
setup wizard to update your Marketing app to a new release wave before activating the early access updates in the Power
Platform admin center, you must run the Dynamics 365 Marketing setup wizard again after opting in to install and enable the
early access features.

Update status and Retry


To check the update status, sign in to Power Platform admin center and select the environment. From Updates,
you'll see the update process of each of the applications.
Retry
If an application update failed during the opt-in update, you can use the Retry button to restart the update for the
failed application.
The retry will only restart the update for the failed application. If multiple applications failed during the update,
you'll need to retry for each of the failed updates individually.
The updates might take a few hours. If multiple retry attempts fail after 24 hours, contact Support for assistance.

NOTE
The retry experience is only available for the early access opt-in updates. After a release wave is generally available, the
updates of the release wave will be automatically enabled for all environments; thus, no manual action is required.

Confirm update complete


To verify that a release wave is enabled, open the environment, go to Settings > About to see the release
wave that's enabled.

[Screenshots: In Unified Interface; In the web client interface. Example screenshots; may not be current wave.]

NOTE
You need to select About from a Dynamics 365 apps page that's displayed in the Unified Interface, such as Sales Hub or
Customer Service Hub pages.
The server version won't be updated to the next version after a release wave is enabled.

Features available in the early access updates


Each release wave includes features and functionality that are enabled for different types of users. They're
categorized as the following three types of features:
- Users, automatically: These features include changes to the user experience for users and are enabled
  automatically.
- Admins, makers, or analysts, automatically: These features are meant to be used by administrators,
  makers, or business analysts and are enabled automatically.
- Users by admins, makers, or analysts: These features must be enabled or configured by the administrators,
  makers, or business analysts to be available for their users.
By opting in for early access updates, you'll get features that are mandatory changes that are automatically enabled
for users. For more details, check the Enabled for column in Dynamics 365 and Power Platform release plans.

Prepare for a release wave


The following checklist provides the general guidelines to help you prepare for a release wave.
1. Review the release plans as soon as the early access updates are available. This will help you learn about the
early access capability and features that will be automatically enabled for the end users.
2. Create a sandbox environment from the production environment. After a new release wave is enabled for an
environment, it can't be reverted. Thus, we strongly recommend enabling a new release wave in a sandbox
environment that's a replica or copy of the existing production environment. This will allow you to test and
validate the new features in the sandbox environment without affecting the current production environment.

NOTE
If you don't have a sandbox copy of your production environment, you can create a copy in the Power Platform
admin center.

3. Opt in to the early access updates from the Power Platform admin center to enable the new release wave in
the sandbox environment. Check Additional requirements to enable early access updates if your apps
require manual steps.
4. Validate that key scenarios work as expected in the sandbox environment after the update is completed.
Update the customizations in your applications, if any, to leverage or respond to the new capabilities as
needed.
You might also need to update internal readiness materials (training and communications) for your
organization based on new features or user experiences.
If you find any issues during the validation—such as regressions, or functional or performance issues—
contact Support or get help from Dynamics 365 forum.
5. Enable the early access updates in your production environment. We recommend enabling the updates in
your production environment during business downtime.

Early access updates FAQ


Will an environment that previously opted in for the early access updates automatically get the early access
update of the new releases?
An environment opted in for the previous early access will not be automatically opted in for the next early access
release. Each early access release will need to be opted in explicitly. When a release becomes generally available, all
environments will be automatically updated to the latest release throughout the release wave.
After updating to a new release wave, can I export solutions?
Yes, you can export solutions to other environments that have also been updated to the same release wave.
Will the version number be updated with each release wave?
No, the version number is not necessarily going to change with a release wave.
Will Microsoft provide a free sandbox environment at no charge for testing updates?
No. You're responsible for creating a sandbox environment from a copy of the production environment for testing
and validation, at your own cost.
When will the updates be available for testing in the sandbox environment?
See Early access availability.
How do I report issues with updates?
Create a support ticket.
Can I skip or postpone an update?
No. To ensure you get the best quality of the new features and capabilities, all customers are required to update to
the latest release as scheduled.
What happens to the environments after a release wave becomes generally available?
If you've enabled the early access updates in your environments, you'll continue to get updates throughout the
release wave.
If you didn't opt in for the early access updates in your environments, after a release wave is generally available, all
environments will be automatically turned on to receive mandatory updates of the release wave. For regional
deployment, see General availability deployment.
Throughout a release wave, your environments will be updated during one of the maintenance windows over a
weekend based on your environments' region. The specific dates when the updates will occur will be published to
the Message Center. Each notification will include the dates, the maintenance window, and the Release Plan
reference for the list of optimizations, fixes, and enhancements. Each environment should see the new features and
build numbers by Monday morning, local time.
See Policies and communications.
See also
Dynamics 365 release schedule and early access
Dynamics 365 and Power Platform Release Plans
Policies and communications
General availability deployment
10/16/2020 • 2 minutes to read

After a release wave is generally available, all environments will be automatically turned on to receive mandatory
updates, which will enable the early access features and the generally available features of a release.

TIP
Check out Dynamics 365 and Power Platform Release Plans to learn more about new features to be released in the release
waves.

Throughout a release wave, your environments will be updated during one of the weekend maintenance windows
based on your environments' region. The specific dates when the updates will occur will be published to the
Message Center. Each notification will include the dates, the maintenance window, and the Release Plan reference
for the list of optimizations, fixes, and enhancements. Each environment should see the new features and build
numbers by Monday morning, local time. See Policies and communications.

NOTE
If you have enabled the early access updates in your environments, you'll continue getting updates throughout the release
wave.
If you did not opt in for the early access updates in your environments, your environment will be automatically updated to
receive the new release based on the general availability deployment schedule for your region.

Deployment schedule
The general availability deployment is based on the regions where environments are created.

Schedule for 2020 Wave 2 general availability

| Regions | Deployment |
|---|---|
| South America, Canada, India, France, Emirates, South Africa, Germany | Friday, October 2nd – Sunday, October 4th |
| Japan, Asia Pacific, Great Britain, Australia | Friday, October 9th – Sunday, October 11th |
| Europe | Friday, October 16th – Sunday, October 18th |
| North America | Friday, October 23rd – Sunday, October 25th |
| China | Friday, October 30th – Sunday, November 1st |
| GCC | Friday, October 30th – Sunday, November 1st |
| GCC High, DOD | See Dynamics 365 US Government. |

See also
Dynamics 365 release schedule
Dynamics 365 and Power Platform Release Plans
Policies and communications
Power Platform settings
10/16/2020 • 2 minutes to read

Configuring the Power Platform admin center settings, such as the view theme, language, and password, is just a
click away.
1. Sign in to the Power Platform admin center.
2. Select the Gear icon in the upper-right corner of the Power Platform site.

Review and modify the following settings:

| Setting | Description |
|---|---|
| Power Platform settings | Select this link to control who can create environments and allocate add-on capacity (if available). |
| Themes | Change the appearance of the Power Platform site with the provided themes. |
| Notifications | By default, Microsoft 365 apps will ping you when new mail arrives and when it's time for a reminder, with a pop-up or with a sound. You can change these settings at any time. |
| Password | Change the password for all of your Microsoft 365 apps and services. |
| Contact preferences | Change contact preferences such as email and phone preferences. |
Manage Common Data Service settings
10/16/2020 • 2 minutes to read

You can view and manage the settings for your environments by signing in to the Power Platform admin center,
going to the Environments page, selecting an environment, and then selecting Settings .

Settings for the selected environment can be managed here.


Environment settings are moving
Organization-wide admin settings are gradually moving from the web client to the Power Platform admin center.
Until the move to the Power Platform admin center is complete, you’ll still be able to manage settings in customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation), as usual.
Many of these settings... are moving here.

Use the links on this page to manage organization-wide settings. App-specific settings will remain in customer
engagement apps and are accessed through the app settings.

App settings
Getting to app feature settings can vary based on the type of app you're using.
Settings in Unified Interface apps
To open settings for apps that use Unified Interface, look in the upper-right corner and select the Gear icon ( ).
Then select Advanced settings .
Settings in legacy web client apps
To open settings for legacy client apps, select the arrow next to the app name, and then select Settings .
Environment database settings
10/16/2020 • 2 minutes to read

There is a set of database settings for each environment that provides default option behavior. You can update
these default options through a special OrgDBSettings tool. This tool allows the system admin to override the
default database settings. You can find the list of database settings in the OrgDBOrgSettings tool for Microsoft
Dynamics CRM.

Install the OrganizationSettingsEditor tool


1. Download the latest OrganizationSettingsEditor tool and save it to your local drive.
2. Go to the environment where you need to update database settings.
3. Go to Settings > Solution .
4. Select Import > Choose File, and then select the .zip file that you downloaded.
5. Select Open > Next > Import.
6. When the import is complete, close the Import Solution window.

Override database settings


1. Go to Settings > Solution .
2. Locate the OrganizationSettingsEditor solution and double-click the OrganizationSettingsEditor row.

3. Select Add on a setting. The Add link changes to Edit .

4. Select Edit to change the values.


5. Type in the value, for example true or false, or ‘0’ or ‘1’, based on the Option value as listed in the dialog box.
6. Select Update .
For the updates to take effect, sign out of the environment and sign in again.

NOTE
Updating environment database settings impacts the environment and should be done with caution. You should first test out
the database settings in a non-production environment.
Manage behavior settings
10/16/2020 • 3 minutes to read

Use Behavior settings to adjust how model-driven apps in Dynamics 365, such as Dynamics 365 Sales and
Customer Service, appear and function.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Product > Behavior.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update these settings.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Settings
| Settings | Description |
|---|---|
| Basic behavior | |
| Auto save | Default: On. If On, after a record is created (initially saved), any changes made to a form will automatically be saved thirty seconds after the change is made. The 30-second period starts again after a change is made. If no changes are made, the automatic save doesn’t happen. More information: Manage auto-save |
| Load default static content from Content Delivery Network | Default: On. Model-driven apps in Dynamics 365 will load out-of-the-box static content from the Azure Content Delivery Network (CDN) service. For firewall restrictions and IP approved list related issues, system administrators can select Off to disable the Azure Content Delivery Network feature. |
| Share reassigned records with original owner | Default: Off. Select whether a record is shared with the original owner of the record, or completely reassigned to another user. |
| Open in application mode | Default: Off. Select On to enable application mode. When this mode is enabled, model-driven apps in Dynamics 365 can be opened in a browser without menus, navigation, or toolbars. Hiding these parts of the browser causes model-driven apps in Dynamics 365 to appear like a separate application rather than a website. |
| Use Unified Interface only | Default: Off. When you enable Unified Interface Only, all your apps, including those designed for the legacy web client, run in Unified Interface all the time. Environments with legacy web client apps will show a notification on the home page, prompting System Administrators to update those apps to Unified Interface. |
| Use legacy form rendering | Default: Off. For compatibility, use the legacy form rendering engine. Note that performance may be adversely affected. If you have forms that include unsupported customizations, these enhancements can cause compatibility problems. To avoid this, you can temporarily turn the form enhancements off by setting to On. We recommend that you reset this setting to Off after addressing scripting problems so you can take advantage of optimized forms. Note: When a form that includes unsupported customizations is used, such as unsupported JavaScript, the form may fail to load or the user will receive an error message. If the form just fails, set the Use legacy form rendering option to On. If the form loads after you select this option, you may have unsupported customizations. If the user receives an error, select "View the data that will be sent to Microsoft" and see the details in the tags. |
| Formatting | |
| Full name display order | Default: First Name. Select the order in which you want customer and user names to be displayed. |
| Display currencies using | Default: Currency symbol. Set how to display currencies, either by a currency symbol, which is the default setting, or by currency code. For example, a currency symbol could be $, and the currency code could be USD. |
| Pricing decimal precision | Default: 0. Select how many decimal points to use for a currency. |
| Display behavior | |
| Show app download message | Default: On. If On, users will see a message regarding downloading the Dynamics 365 for tablets app. |
| Show legacy app to everyone, not just admin | Default: On. The legacy web app, also known as Dynamics 365 - custom, is hidden from end users when a new environment is provisioned. It is always visible to those with System Administrator and System Customizer roles, and to other custom roles with similar privileges. More information: Dynamics 365 - custom. |
| Legacy app name | Enter the label to use for the legacy app. This appears on the Dynamics 365 home page. The legacy label is Dynamics 365 - custom. More information: Dynamics 365 - custom. |
| Show welcome screen on sign in | Default: On. Select On to see the detailed card form in a dashboard. If set to Off, only the header and minimal details are displayed in the card form. |
| Show Microsoft Power Automate on forms and in the site map | Default: On. Select On to enable embedded Power Automate flows in your organization. More information: Enable embedded Power Automate to automate processes. |
| Show dashboard cards in expanded state | Default: Off. Select On to see the detailed card form in a dashboard. If set to Off, only the header and minimal details are displayed in the card form. |
Manage feature settings
10/16/2020 • 3 minutes to read

Use feature settings to adjust how features appear and function in Dynamics 365 model-driven apps such as
Dynamics 365 Sales and Dynamics 365 Customer Service.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Product > Features .
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update these settings.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Settings
| Settings | Description |
|---|---|
| AI Builder (preview) | |
| Create AI models in Power Apps | Default: On. If Off, the environment will not have access to AI Builder. Not all environments will have this setting. For information about environments eligible for this feature and related details, see Administer AI Builder. |
| Embedded content | |
| Power BI visualization embedding | Default: Off. More information: Add or edit Power BI visualizations on your dashboard |
| Bing Maps | Default: Off. If On, Customer Engagement (on-premises) users will need to enter a Bing Maps key. Users don’t need to enter a key. |
| Prevent social data in Dynamics | Default: Off. If you don’t want to receive social data in model-driven apps in Dynamics 365, select Off. If you disable social engagement, your organization will not be able to receive social data in model-driven apps in Dynamics 365. Users can continue to work with existing social data, however. |
| Communications | |
| Skype presence | Default: On. If On, instant messaging will display the current status for users, contacts, opportunities, or leads. This only applies to lists and sub-lists for entities with an updated user interface. |
| Country/region code prefixing for numbers | Default: On. If On, model-driven apps in Dynamics 365 will prefix the country/region code to numbers that users are trying to call. |
| Set the telephony provider | Default: On. Choose which provider to enable outbound calls from within model-driven apps in Dynamics 365. This setting doesn’t apply to Dynamics 365 for tablets or Dynamics 365 for phones. |
| Use Skype | Default: enabled. More information: Set up model-driven apps in Dynamics 365 to use Skype or Skype for Business |
| Use Skype for Business | Default: not enabled. |
| Search | |
| Relevance Search | Default: Off. If On, you can use Relevance search to find records across multiple entities, sorted by relevance. |
| Quick Find record limits | Default: On. If On, if more than 10,000 records are found, a message will be displayed that suggests a more selective search. More information: Configure Relevance search for the organization |
| Help features | |
| Custom help for customizable entities | Default: Off. Select On to replace the default Help content with custom Help designed for your users. After you enable custom Help, you can enter a Global Custom Help URL. |
| Global custom help URL | To replace the default Help with a single URL for all customizable record types (entities), enter the URL here. You also have the option of entering override URLs for each record type (entity) for customizable record types. More information: Create your own guided help |
| Append parameters to URL | Default: Not selected. Select On to append parameters to the URL and make your Help content more dynamic. For example, you can access parameters for User Language Code, Entity Name, Entry Point, and Form ID. More information: Create your own guided help |
| Learning path | Default: Off. Changes access to Learning Path for an entire organization. More information: On-off switch for Learning Path (guided help). |
| Learning path authoring | Default: Off. Set to On if you want to enable users to author Learning Path content. More information: Create your own guided help (Learning Path) for your customers |
| Power Apps component framework for canvas apps | |
| Allow publishing of canvas apps with code components | Default: Off. Enables Power Apps component framework feature that allows the execution of code that may not be generated by Microsoft when a maker adds code components to an app. Make sure that the code component solution is from a trusted source. More information: Code components for canvas apps |
| TDS endpoint (Preview) | Default: Off. Enables Tabular Data Stream (TDS) endpoint (a SQL data connection) for Common Data Service in an environment. This option is only available for environments enabled for this public preview and version 9.1.0.17437 or higher. To determine your version, select an environment and review the information under Version. More information: Use SQL to query data (Preview) and View entity data in Power BI Desktop (Preview) |
Regional and language options for your environment
10/16/2020 • 2 minutes to read

Enable languages in your organization to display the user interface and Help in a language that’s different from the
base language.
The following table shows tasks that are associated with changing regional and language options for your
organization.

| Task | Description |
|---|---|
| Set the base language | The base language determines default settings for regional and language options in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation). After the base language is set, you can’t change it. |
| Enable or disable languages | You can enable or disable available languages in the Settings area. |
| Add and remove currencies | Similar to setting the base language, you select your organization's base currency during the purchasing process for a subscription. After the base currency is set, you can’t change it. However, if your organization uses more than one currency to track financial transactions, you can add currencies. |
| Deactivate or activate currency records | You can’t delete currency records that are being used by other records, such as opportunities or invoices. However, you can deactivate currency records so they won’t be available for future transactions. |

Enable the language


These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Product > Languages .
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
Before users can start using a Language Pack to display a language, the Language Pack must be enabled in your
organization.
1. Sign in to the Power Platform admin center.
2. Select an environment and go to Settings > Product > Languages .
Here you’ll see each Language Pack installed in your environment, with a check box to the left of each listed
Language Pack.
3. For each Language Pack that you want to provision (enable), select the check box next to it. For each
Language Pack that you want to unprovision (disable), clear the check box.
4. Select Apply .
5. Select OK on any confirmation dialog boxes that open.

NOTE
It may take several minutes to provision or unprovision the languages.

6. Select Close to close the Language Settings dialog box.

Select the language to display the user interface and Help


Each user selects the language to display in an app. See Languages tab options.
Manage privacy and security settings
10/16/2020 • 3 minutes to read

Use these settings to adjust privacy and security for model-driven apps in Dynamics 365, such as Dynamics 365
Sales and Customer Service.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Product > Privacy + Security.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update these settings.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Settings
| Settings | Description |
|---|---|
| Privacy preference | More information: Set error reporting preferences for the organization |
| Show privacy statement link for this organization | Default: Off. Select to display the privacy statement link. |
| Privacy statement URL | Provide users with a link to your organization's privacy statement. If you show the link, it will be added to the Settings menu. |
| Default action to take when an error occurs | More information: Replace the privacy statement for the organization |
| Ask the user for permission to send an error report to Microsoft | Default: Not selected. |
| Automatically send an error report to Microsoft without asking me for permission | Default: Not selected. |
| Never send an error report to Microsoft | Default: Not selected. |
| Blocked attachments | |
| Set blocked file extensions for attachments (semicolon separated) | Prevent upload or download of certain attachment types that are considered dangerous. Separate file extensions with a semicolon. Default extensions: ade; adp; app; asa; ashx; asmx; asp; bas; bat; cdx; cer; chm; class; cmd; com; config; cpl; crt; csh; dll; exe; fxp; hlp; hta; htr; htw; ida; idc; idq; inf; ins; isp; its; jar; js; jse; ksh; lnk; mad; maf; mag; mam; maq; mar; mas; mat; mau; mav; maw; mda; mdb; mde; mdt; mdw; mdz; msc; msh; msh1; msh1xml; msh2; msh2xml; mshxml; msi; msp; mst; ops; pcd; pif; prf; prg; printer; pst; reg; rem; scf; scr; sct; shb; shs; shtm; shtml; soap; stm; tmp; url; vb; vbe; vbs; vsmacros; vss; vst; vsw; ws; wsc; wsf; wsh |
| Session expiration | More information: Security enhancements: User session and access management |
| Set custom session timeout | Default: Off. Select On to specify values different from default values. |
| Enter maximum session length | Default: 1440. After the time you set is reached, users must re-authenticate to model-driven apps in Dynamics 365. |
| How long before the session expires do you want to show a timeout warning? | Default: 20. After the time you set is reached, users receive an expiration warning. |
| Inactivity timeout | More information: Inactivity timeout |
| Set inactivity timeout | Default: Off. Enable to automatically sign out a user. |
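The script below is an added example, not Microsoft code or part of the original page. It compares an environment's blocked-extension value with the default list given above, reports which default extensions have been removed, and checks sample file names against the configured value. The configured value, the function names and the last-extension matching rule are assumptions of the example.

```python
"""Audit a 'Set blocked file extensions for attachments' value.

Added example, not Microsoft code. The configured value is constructed.
"""
import ntpath

# Default extensions, copied from the settings table on this page.
DEFAULT_BLOCKED = (
    "ade; adp; app; asa; ashx; asmx; asp; bas; bat; cdx; cer; chm; class; "
    "cmd; com; config; cpl; crt; csh; dll; exe; fxp; hlp; hta; htr; htw; "
    "ida; idc; idq; inf; ins; isp; its; jar; js; jse; ksh; lnk; mad; maf; "
    "mag; mam; maq; mar; mas; mat; mau; mav; maw; mda; mdb; mde; mdt; mdw; "
    "mdz; msc; msh; msh1; msh1xml; msh2; msh2xml; mshxml; msi; msp; mst; "
    "ops; pcd; pif; prf; prg; printer; pst; reg; rem; scf; scr; sct; shb; "
    "shs; shtm; shtml; soap; stm; tmp; url; vb; vbe; vbs; vsmacros; vss; "
    "vst; vsw; ws; wsc; wsf; wsh"
)


def parse_extensions(setting):
    """Split a semicolon-separated value into a normalised set.

    Tolerates upper case, stray whitespace, leading dots and empty items
    (such as a trailing semicolon), all easy to introduce by hand.
    """
    items = (part.strip().lstrip(".").lower() for part in setting.split(";"))
    return {item for item in items if item}


def audit_blocklist(configured, baseline=DEFAULT_BLOCKED):
    """Report drift between the configured value and the default list."""
    current = parse_extensions(configured)
    default = parse_extensions(baseline)
    return {
        "removed": sorted(default - current),  # defaults no longer blocked
        "added": sorted(current - default),    # extra extensions blocked
    }


def would_be_blocked(filename, configured):
    """Return True if the file's final extension is in the configured list.

    Assumption of this example: matching is on the last extension and is
    case-insensitive. Trailing dots and spaces are stripped first because
    Windows drops them when a file is saved.
    """
    name = ntpath.basename(filename).rstrip(". ")
    _, dot, ext = name.rpartition(".")
    if not dot:
        return False  # no extension at all
    return ext.lower() in parse_extensions(configured)


def constructed_setting():
    """Constructed sample: 'js' and 'url' dropped, 'ISO' and '.ps1' added."""
    kept = sorted(parse_extensions(DEFAULT_BLOCKED) - {"js", "url"})
    return "; ".join(kept) + "; ISO; .ps1;"


if __name__ == "__main__":
    setting = constructed_setting()
    report = audit_blocklist(setting)
    print("Removed from defaults:", ", ".join(report["removed"]) or "none")
    print("Added to defaults:    ", ", ".join(report["added"]) or "none")
    samples = ("Invoice.pdf.EXE", "build.js", "report.hta. ",
               "notes.txt", "C:\\tmp\\setup.iso")
    for name in samples:
        verdict = "blocked" if would_be_blocked(name, setting) else "allowed"
        print(f"{name!r}: {verdict}")
```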

Replace the privacy statement for the organization


By default, the Microsoft privacy statement is always shown to users with an administrator role only, and not to
other (business) users. As an administrator, you can add a link to specify your organization's privacy statement,
which is then shown to other users in your organization.
1. Go to Environments > [select an environment] > Settings > Product > Privacy + Security.
2. Under Privacy Preferences , turn on Show privacy statement link for this organization .
3. In the Privacy statement URL box, type the link of the webpage you want to show.

4. Select Save .
NOTE
Any user with the System Administrator security role will always see the Microsoft privacy statement and not the
organization’s privacy statement.

Set error reporting preferences for the organization


When errors occur in the product, data about the problem is sent to Microsoft. This data, an error report, allows
model-driven apps in Dynamics 365 to track and address errors relating to Dynamics 365. You can help Microsoft
improve products and services when you allow the system to send these error reports.
By default, individual users have a measure of control over whether to send error reports to Microsoft. But you, as
an administrator, can override their preferences and set up the error reporting preferences for the entire
organization.
1. Go to Environments > [select an environment] > Settings > Product > Privacy + Security.
2. Under Privacy Preferences , Default action to take when an error occurs , select an action to take.

3. Select Save .
When you use this setting, you can control error reporting for the entire organization by:
Not allowing users to make changes in how error reporting occurs.
Changing the default behavior for how error reporting happens.
Configure Relevance Search to improve search results
and performance
10/16/2020 • 12 minutes to read

Relevance Search delivers fast and comprehensive search results in a single list, sorted by relevance. As an
administrator or customizer, you'll be able to enable and configure Relevance Search as described below. Many of
the configuration steps use the same user interface as the Quick Find configuration.
Relevance Search is available in addition to single-entity Quick Find on the entity grid, and as an alternative to
multi-entity Quick Find (also called Categorized Search), which is accessible from the navigation bar.
Changes made to the Relevance Search configuration or to the searchable data may take up to 15 minutes to
appear in the search service. It may take up to an hour or more to complete a full sync for average size
organizations, and a couple of days for very large size organizations.

What is Relevance Search?


Relevance Search brings the following benefits:
Improved performance compared to Categorized Search.
Finds matches to any word in the search term in any field in the entity. Matches may include inflectional
words, like "stream," "streaming," or "streamed."
Returns results from all searchable entities in a single list sorted by relevance, based on factors, such as
number of words matched or their proximity to each other in the text.
Matches in the result list are highlighted. These appear as bolded and italicized text in the search results.
Includes the ability to search documents found in Notes and Attachments on Emails and Appointments.
For more information about Relevance Search, see: Using relevance search to search for records.
Relevance Search is available in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation)
that have installed version 9.0. It is not available for Customer Engagement (on-premises) organizations. Full-text
Quick Find is available for Customer Engagement (on-premises) organizations, starting with Dynamics CRM 2015
Update Rollup 1. Quick Find is available for customer engagement apps organizations and Customer Engagement
(on-premises) organizations.
For more detailed comparison of the searches available in Common Data Service, see: Compare search options in
Common Data Service.
Language support
All searchable fields in Relevance Search are processed in the language most closely matching the organization's
base language, except Kazakh where all fields are processed using a basic, language-agnostic text processor.

Enable Relevance Search


Relevance Search is an opt-in feature, set to off by default. Enabling Relevance Search makes this search option
available to all members of your organization.
To enable Relevance Search, do the following:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Product > Features .
3. Under Search , set Relevance Search to On .
4. Select Save .

Select entities for Relevance Search


To configure Relevance Search, use the Configure Relevance Search selection on the task bar, as shown here.

There is no limit on how many entities you can include in the Relevance Search results. However, there is a limit on
the total number of fields that can be enabled in Relevance Search. The maximum is 1000 searchable fields for an
organization. Out of these 1000 fields, up to 50 fields are required by the Relevance Search system, so you can
configure up to 950 searchable fields in Relevance Search. When you select an entity to include in the search
results, you'll notice a number in parentheses next to the entity name. The number indicates how many fields each
entity uses in the Relevance Search index. Some fields, such as Primary Name and ID, are shared by multiple
entities and don't count toward the total. Additionally, some field types use more than one field in the Relevance
Search index as indicated in this table.

| Field type | Number of fields used in the Relevance Search index |
|---|---|
| Lookup (customer, owner, or Lookup type attribute) | 3 |
| Option Set (state, or status type attribute) | 2 |
| All other types of fields | 1 |

The progress bar Total fields indexed shows the percentage of indexed fields to the maximum allowed number
of searchable fields.
When you have reached the indexed field limit, you'll see a warning message. If you want to add more fields to the
index, you'll have to free up space, either by removing some of the fields that are already in the index or removing
entire entities from Relevance Search scope.
To select entities for the Relevance Search results, do the following:
1. Go to Settings > Customizations.
2. Select Customize the System.
3. Under Components, expand Entities, and then select Configure Relevance Search.
4. The Select Entities dialog box opens. Select Add to select the entities for the search results. When you're
done, select OK.
5. Select Publish All Customizations for your changes to take effect.


By default, some out-of-the-box system entities are included in Relevance Search. However, custom entities aren't
included. You must add them to Relevance Search.

Configure searchable fields for Relevance Search


The fields you add in the Quick Find view become part of the Relevance Search index. There is no limit on how
many searchable fields you can add for each entity. However, there is a limit on the total number of indexed fields,
as was explained in the previous section. Find Columns on a Quick Find View define the searchable fields in the
Relevance Search index. Text fields such as Single Line of Text and Multiple Lines of Text, Lookups, and Option Sets
are searchable. Find Columns with other data types are ignored. The View Columns on a Quick Find View
define the fields that are displayed in the user interface by default when the matched results are returned. The
fields that are highlighted replace the fields that don't have the highlighting. The first four matched fields are
displayed in the results. The filter on a Quick Find view is also applied to the Relevance Search results. See the
table below for the list of filter clauses not supported by Relevance Search.
NOTE
There are some fields, called common fields, common to every CRM entity that are defined on the index by default. They are:
1. ownerid (Name of lookup)
2. owningbusinessunit (Name of lookup)
3. statecode (Label of optionset)
4. statuscode (Label of optionset)
5. name (Primary name field of any entity. This may or may not be the same as the logical name (fullname, subject, etc.) of
the entity.)
If a common field is added to any entity for Relevance Search, search will be performed for that common field
across all entities. However, once you choose a specific entity through the Record Type facet, Relevance Search will follow
the settings you have defined for that specific entity through Quick Find View.

You can use the Quick Find view to define which fields appear as facets when users search by using Relevance
Search. All View Columns with data types other than Single Line of Text and Multiple Lines of Text are marked as
facetable and filterable in the index. By default, the first four facetable fields in the Quick Find view for the
selected entity are displayed as facets when users search by using Relevance Search. At any time, you can only
have four fields selected as facets.
1. Go to Settings > Customizations.
2. Select Customize the System.
3. Under Components, expand Entities, and then expand the entity you want.
4. In the navigation tree, click View. Double-click Quick Find View. The following illustration shows the
Quick Find view for the Account entity.
5. Select Add Find Columns. In the dialog box, select the fields you want to add to the search index. When
done, select OK. In the following illustration, you see the Account entity fields added to the Relevance
Search index.
6. Repeat the steps for the View Columns.
7. Select Publish All Customizations for your changes to take effect.

NOTE
The changes you make in Quick Find view also apply to single-entity and multi-entity (Categorized Search) Quick Find
configurations. This is why we don't prevent you from including the fields that aren't supported for Relevance Search when
you configure Quick Find view. However, unsupported fields aren't synced to the Relevance Search index and don't appear
in the Relevance Search results.

For Relevance Search, fields on a related entity are not supported as Find, View, or Filter fields.
The following table contains the Quick Find Filter operators that aren't supported for Relevance Search:

OPERATOR

Like
NotLike
BeginsWith
DoesNotBeginWith
EndWith
DoesNotEndWith
ChildOf
Mask
NotMask
MaskSelect
EqualUserLanguage
Under
NotUnder
UnderOrEqual
Above
AboveOrEqual
NotNull
Null
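The field limit, the per-type index cost and the unsupported filter operators described above can be checked before a Quick Find change is published. The following Python sketch is an added example, not Microsoft code: the configuration format, the function name and SAMPLE_CONFIG are constructed for illustration, it counts Find Columns only, and it assumes the common fields listed in the NOTE are the shared fields that don't count toward the total.

```python
# Added example: pre-flight audit of a planned Relevance Search configuration.
# Limits, per-type costs and unsupported operators come from the text above;
# the config format and SAMPLE_CONFIG are constructed for illustration.

MAX_INDEX_FIELDS = 1000                                   # per organization
RESERVED_FIELDS = 50                                      # used by Relevance Search itself
CONFIGURABLE_FIELDS = MAX_INDEX_FIELDS - RESERVED_FIELDS  # 950

# Searchable Find Column types and the index fields each one consumes.
# Find Columns of any other data type are ignored by Relevance Search.
FIND_COLUMN_COST = {"text": 1, "lookup": 3, "optionset": 2}

# Common fields defined on the index by default. Assumption: these, plus each
# entity's primary name field, are the shared fields that are not counted.
COMMON_FIELDS = {"ownerid", "owningbusinessunit", "statecode", "statuscode"}

UNSUPPORTED_FILTER_OPERATORS = {
    "Like", "NotLike", "BeginsWith", "DoesNotBeginWith", "EndWith",
    "DoesNotEndWith", "ChildOf", "Mask", "NotMask", "MaskSelect",
    "EqualUserLanguage", "Under", "NotUnder", "UnderOrEqual", "Above",
    "AboveOrEqual", "NotNull", "Null",
}


def audit_relevance_search(config):
    """Return index usage and configuration problems for a planned setup."""
    per_entity, ignored, bad_filters = {}, [], []
    for entity, spec in config.items():
        shared = COMMON_FIELDS | {spec["primary_name"]}
        cost, seen = 0, set()
        for field, ftype in spec["find_columns"]:
            if field in seen:            # a field is indexed once per entity
                continue
            seen.add(field)
            if ftype not in FIND_COLUMN_COST:
                ignored.append((entity, field, ftype))
            elif field not in shared:
                cost += FIND_COLUMN_COST[ftype]
        per_entity[entity] = cost
        for field, operator in spec.get("filters", []):
            if operator in UNSUPPORTED_FILTER_OPERATORS:
                bad_filters.append((entity, field, operator))
    used = sum(per_entity.values())
    return {
        "per_entity": per_entity,
        "used": used,
        "remaining": CONFIGURABLE_FIELDS - used,
        "over_limit": used > CONFIGURABLE_FIELDS,
        "ignored_find_columns": ignored,
        "unsupported_filters": bad_filters,
    }


# Constructed sample: one system entity and one hypothetical custom entity.
SAMPLE_CONFIG = {
    "account": {
        "primary_name": "name",
        "find_columns": [
            ("name", "text"), ("accountnumber", "text"),
            ("primarycontactid", "lookup"), ("industrycode", "optionset"),
            ("revenue", "money"), ("ownerid", "lookup"),
        ],
        "filters": [("statecode", "Equal"), ("name", "NotNull")],
    },
    "new_project": {
        "primary_name": "new_name",
        "find_columns": [
            ("new_name", "text"), ("new_description", "text"),
            ("new_customerid", "lookup"),
        ],
        "filters": [("new_name", "BeginsWith")],
    },
}

if __name__ == "__main__":
    report = audit_relevance_search(SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Because every Find Column that passes this check is synced to the external Azure Search index, the same inventory is a useful review point for fields that hold sensitive data.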

Set managed property for Relevance Search


If you want to include an entity in Relevance Search, the Can enable sync to external search index managed
property for this entity must be set to True . By default, the property is set to True for some of the out-of-the-box
system entities and all custom entities. Some of the system entities can't be enabled for Relevance Search.
To set the managed property, do the following:
1. Go to Settings > Customizations.
2. Select Customize the System.
3. Under Components, expand Entities, and then select the entity you want.
4. On the menu bar, select Managed Properties. For Can enable sync to external search index, select
True or False to set the property to the desired state. Select Set to exit, as shown here.
5. Select Publish for your changes to take effect.
If you want to change the Can enable sync to external search index property to False, you must first
deselect the entity from Relevance Search. If the entity is included in Relevance Search, you'll see the
following message: "This entity is currently syncing to an external search index. You must remove the entity
from the external search index before you can set the Can Enable Sync to External Search Index
property to False."
If Can Enable Sync to External Search Index is set to False, you'll see the following
message when you try to include an entity in Relevance Search: "Entity can't be enabled for Relevance
Search because of the configuration of its managed properties."
For custom entities with particularly sensitive data, you may consider setting the Can enable sync to
external search index property to False. Keep in mind, after you install the managed solution on the
target system, you won't be able to change the value of the property because it's a managed property.

Privacy notice
By enabling Relevance Search, data in participating entities and attributes in your Dynamics 365 (online) instance
will begin syncing to and be stored in an Azure Search index.
Relevance Search is not enabled by default. The system administrator must enable the functionality within a
Dynamics 365 (online) instance. After Relevance Search is enabled, system administrators and customizers have
full control over the data that will be synchronized to the Azure Search index.
System customizers can use the Configure Relevance Search dialog box in Customization Tools to enable
specific entities for search and then configure Quick Find views on enabled entities to select the searchable
attributes. Data changes are synchronized continuously between Dynamics 365 (online) and Azure Search through
a secure connection. Configuration data is encrypted and the required secrets are stored in Azure Key Vault.
Azure components and services that are involved with Relevance Search functionality are detailed in the following
sections.
Microsoft Azure Trust Center
Azure Search Services
An Azure Search index is used to provide high-quality search results with quick response times. Azure Search adds
powerful and sophisticated next-generation search capabilities to Dynamics 365 (online). This is a dedicated search
service external to Dynamics 365 (online) provided by Azure. All new Azure Search indexes are encrypted at rest. If
you opted in before January 24, 2018, you'll need to reindex your data by opting out of Relevance Search, waiting
an hour, and opting back in.
Azure SQL Database
Relevance Search uses the Azure SQL Database to store:
Configuration data related to the organization and the corresponding index
Metadata relating to the search service and indexes
Pointers to system metadata and data when synchronizing changes
Authorization data to enable enhanced row-level security
Azure Event Hubs
The Azure Event Hubs component is used for message exchange between Dynamics 365 (online) and Azure and to
maintain work items that are managed by the synchronization process. Each message stores information, such as
the organization ID and entity name, used to sync the data.
Azure Service Fabric Cluster
The processing and indexing of data is handled in micro-services deployed on virtual machines managed through
the Service Fabric runtime. The search APIs and the data synchronization process are also hosted on the Service
Fabric cluster.
Service Fabric was born from years of experience at Microsoft delivering mission-critical cloud services and is now
production-proven for over five years. It’s the foundational technology on which we run our Azure core
infrastructure, powering services including Skype for Business, Intune, Azure Event Hubs, Azure Data Factory, Azure
DocumentDB, Azure SQL Database, and Cortana—which can scale to process more than 500 million evaluations
per second.
Azure Virtual Machine Scale Sets
Azure Virtual Machine Scale Sets are elastic and designed to support hyper scale-out workloads. The Azure Service
Fabric cluster runs on virtual machine scale sets. The micro-services for processing and indexing data are hosted
on the scale sets and managed by the Service Fabric runtime.
Azure Key Vault
Azure Key Vault is used for secure management of certificates, keys, and other secrets used in the search process.
Azure Storage (Blob Storage)
Changes to customer data are stored for up to 2 days in Azure Blob Storage. These blobs are encrypted by
leveraging the latest feature in the Azure Storage SDK, which provides symmetric and asymmetric encryption
support and integration with Azure Key Vault. With the December 2016 update for Dynamics 365 (online), the
documents found in Notes and Attachments on email messages and appointments are also synced to the blob
storage.
Azure Active Directory Service
Azure Active Directory is used to authenticate between the Dynamics 365 (online) and Azure services.
Azure Load Balancer
The Azure Load Balancer is used to distribute incoming traffic among healthy service instances in cloud services or
virtual machines defined in a load balancer set. Relevance Search uses it to load balance the end points in a
deployment.
Azure Virtual Networks
The Virtual Machines on the Service Fabric cluster running in one or more subnets are connected by Azure Virtual
Network. The security policies, DNS settings, route tables, and IP addresses are fully controlled within this virtual
network. Network Security Groups are leveraged to apply security rules on this virtual network. These rules allow
or deny network traffic to the VMs in the virtual network.
See also
Use relevance search to search for records
Work with fiscal year settings
10/16/2020

You can set the fiscal year period, and how it's displayed, for your organization.

IMPORTANT
After you set the fiscal year options, you can't change them. Fiscal year options affect the way in which your organization's
data is stored in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), such as Dynamics 365 Sales and
Customer Service.

1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Business Management.
3. Click Fiscal Year Settings.
4. Type information in the text boxes.
In the Start Date box, select the date to start the fiscal year.
In the Fiscal Period Template drop-down list, select how your fiscal year is divided.
In the Fiscal Year drop-down list, select how you want to display the fiscal year.
In the Name Based On drop-down list, select whether the fiscal year name is displayed on the start or
end of the fiscal year.
In the Fiscal Period drop-down list, select how you want to display the fiscal period.
In the Display As drop-down list, select how you want the fiscal year abbreviation and the year to
appear.
5. Click OK.
See also
Set up sales territories to organize business markets by geographical area
Manage transactions with multiple currencies
10/16/2020

Currencies determine the prices for products in the product catalog and the cost of transactions, such as sales
orders. If your customers are spread across geographies, add their currencies to manage your transactions. Add the
currencies that are most appropriate for your current and future business needs.

NOTE
If your environment is a Common Data Service environment, you are in the Power Platform admin center, and you select the
Currencies page (Environments > [select environment] > Settings > Business > Currencies), the page will be blank.
This is because setting a currency is not supported in Common Data Service environments.

Add a currency
1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Business.
4. Select Currencies.
5. Select New.
6. Fill in the information, as required.

FIELD                  DESCRIPTION

Currency Type
    - System - Select this option if you want to use the currencies available in customer engagement apps
      (such as Dynamics 365 Sales and Customer Service). To search for a currency, select the Lookup button
      next to Currency Code. When you select a currency code, Currency Name and Currency Symbol are
      automatically added for the selected currency.
    - Custom - Select this option if you want to add a currency that's not available in customer engagement
      apps. In this case, you must manually enter the values for Currency Code, Currency Precision,
      Currency Name, Currency Symbol, and Currency Conversion.

Currency Code
    Short form for the currency. For example, USD for United States Dollar.

Currency Precision
    Type the number of decimals that you want to use for the currency. You can add a value between 0 and 4.
    Note: If you've set a precision value in the System Settings dialog box, that value will appear here.
    More information: System Settings dialog box - General tab.

Currency Name
    If you selected a currency code from the list of available currencies in customer engagement apps, the
    currency name for the selected code is displayed here. If you selected Custom as the currency type, type
    the name of the currency.

Currency Symbol
    If you selected a currency code from the list of available currencies, the symbol for the selected
    currency is displayed here. If you selected Custom as the currency type, enter the symbol for the new
    currency.

Currency Conversion
    Type the value of the selected currency in terms of one US dollar. This is the amount at which the
    selected currency converts to the base currency. Important: Make sure you update this value as
    frequently as required to avoid any inaccurate calculations in your transactions.

7. When you're done, on the command bar, select Save or Save and Close.

TIP
To edit a currency, select the currency, and then enter or select the new values.

Delete a currency
1. In the Power Platform admin center, select an environment.
2. Select Settings > Business.
3. Select Currencies.
4. From the list of currencies displayed, select the currency to delete.
5. Select Delete.
6. Confirm the deletion.

IMPORTANT
You can't delete currencies that are in use by other records; you can only deactivate them. Deactivating currency records
doesn't remove the currency information stored in existing records, such as opportunities or orders. However, you won't be
able to select the deactivated currency for new transactions.

See also
System Settings dialog box - General tab
Customize regional options
10/16/2020

You can customize how numbers, currencies, times, and dates appear to everyone in your organization.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Business > Regional formatting.
2. Select the check box Enable the default country/region code, and then choose a region code.
3. Select the Formats tab.
4. From the Current Format list, select the language and country or region, and then select Customize.
5. In the Customize Regional Options dialog box, you can change the default settings for the selected
format. View how the changes will look in the preview boxes.
Select the Number tab to change the decimal symbol, digit grouping symbol, digit groups, and
negative numbers.
Select the Currency tab to change the currency format, negative currency amounts, and number of
decimal places.
Select the Time tab to change the time format, time separator, and notation for morning and
afternoon.
Select the Date tab to set the type of calendar, first day of the week, first week of the year, formats for
long and short dates, and whether or not to show week numbers in calendar views.
Select Apply to apply the changes and continue working in the dialog box, or select OK to save the
changes and close the dialog box.
6. Select OK.
Create or edit a site to specify location
10/16/2020

You can create a new site to add an office location or other facility where service operations take place. You can also
edit the details, such as the street address or phone number, for an existing site.
1. In the web app, go to Settings > Business Management.
2. Choose Sites.
3. To create a new site, on the Actions toolbar, choose New.
- OR -
To edit an existing site, in the list of sites, under Name, double-click or tap the entry for the site you want to
edit details for.
4. Under General, in the Name text box, specify or edit the name for the site.
You can also enter or update contact information for the site.
5. Under Primary Address, enter or update address details.
6. In the Time Zone box, ensure that the default time zone is appropriate for the site.
7. Choose Save and Close.
See also
Create or edit business units
Add resources to a site
Add resources to a site
10/16/2020

After you create a site, you can add resources such as users, equipment, or facilities to it.
1. Go to Settings > Business Management.
2. Choose Sites.
3. In the list of sites, under Name, double-click or tap the site that you want to add resources to.
4. In the Navigation Pane, expand Common if necessary, and then click or tap Resources.
5. On the Actions toolbar, click or tap Add Resources.
6. In the Look Up Records dialog box, in the Search text box, type in a part of the name of the resource you
want to add to the site, and then click or tap the Start search icon.
7. In the list of records, under Full Name, click or tap the entry for the resource you want to add to the site,
and then click or tap Add.
8. Close the site record.
See also
Regional and language options for your organization
Create or edit business units
10/16/2020

A business unit is a logical grouping of related business activities.


If your organization is structured around departments or divisions that have separate products, customers, and
marketing lists, you might want to create business units. Business units are mapped to an organization’s
departments or divisions. Users can securely access data in their own business unit, but they can’t access data in
other business units.
Business units, security roles, and users are linked together in a way that conforms to the role-based security
model. Use business units together with security roles to control data access so people see just the information
they need to do their jobs.
Keep the following in mind when creating business units:
The organization (also known as the root business unit) is the top level of a business unit hierarchy. The
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) automatically create the
organization when you install or provision customer engagement apps. You can’t delete the organization
name. The organization name is derived from the domain name when the environment was provisioned.
You cannot change the organization name using the Business Unit form but it can be changed using the
Web API.
Each business unit can have just one parent business unit.
Each business unit can have multiple child business units.
Security roles and users are associated with a business unit. You must assign every user to one (and only
one) business unit.
You cannot add a user into a business unit directly. All newly provisioned users are assigned to the root
business.
You can change the user's business unit at any time. Once the business unit is changed, the user will show up
as a member of the business unit automatically.
Each business unit has a default team. You cannot update the default team's name nor delete the default
team.
You cannot add or remove users from the business unit's default team. However, you can change the user's
business unit to the business unit and the user will automatically be added to the business unit's default
team.
You can assign a security role to the business unit's default team. This is done to simplify security role
management where all your business unit team members can share the same data access.
You can assign additional teams to a business unit, but there can only be one business unit per team.
A team can consist of users from one or many business units. Consider using this type of team if you have a
situation where users from different business units need to work together on a shared set of records.

Create a new business unit


These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Users + permissions > Business units.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Users + permissions > Business units.
2. On the Actions bar, select New.
3. In the Business Unit dialog box, type a name for the new business unit. Customer engagement apps
automatically fill in the Parent Business field with the name of the root business unit.
4. If you want to change the parent business unit, select the Lookup button ( ), Look Up More Records,
and then do one of the following:
Select an existing business unit from the list.
Create a new parent business unit:
a. Choose New, and then add the information for the new parent business unit in the Business
Unit dialog box.
b. When you’re done adding information, select Save and Close.
c. In the Look Up Record dialog box, select Add.
5. In the Business Unit dialog box, fill in any of the other optional fields, such as the Division, Website, contact
information, or addresses.
6. When you’re done making entries, select Save and Close.

Change the settings for a business unit


1. Select an environment and go to Settings > Users + permissions > Business units.
2. Select a business unit name.
3. In the Business Unit dialog box, do one or more of the following:
Modify the data in one or more fields.
Select a record type under Organization to see a list of related records. For example, select Users to
view a list of users in the selected business unit.
4. When you’re done making changes, select Save and Close.
Change the business unit for a user

IMPORTANT
By changing the business unit for a user, you remove all security role assignments for the user. At least one security role must
be assigned to the user in the new business unit.

1. Select an environment and go to Settings > Users + permissions > Users.
2. Select a user name.
3. On the More Commands (…) menu, select Change Business Unit.
4. In the Change Business Unit dialog box, use the Lookup button ( ) to select a new business unit, and
then select OK.
See also
Delete a business unit
Assign a business unit a different parent business
Delete a business unit
10/16/2020

You can delete a business unit to completely remove it.

IMPORTANT
Before deleting a business unit, be sure to consider the following:
Deleting a business unit is irreversible.
The records owned by the business unit (for example: Teams, Facilities/Equipment, and Resource Groups) are deleted at
the same time you delete the business unit.
You can't delete a business unit until you reassign all the business unit records to another business unit.

1. In the Power Platform admin center, select an environment.


2. Select Settings > Users + permissions > Business units.
3. Click to select the business unit that you want to delete.
4. On the Actions toolbar, choose More Actions > Disable.

IMPORTANT
When you disable a business unit, all users and teams associated with the business unit will not be able to sign in. You will
need to reparent users and teams to another business unit and reassign security roles.

5. In the Confirm Deactivation dialog box, choose Deactivate.
6. Change the view to Inactive Business Units.
7. Select the business unit to delete, and then choose the Delete icon.
8. In the Confirm Deletion dialog box, choose Delete.

TIP
If you get an error, be sure to reparent users and teams to another business unit.

See also
Assign a business unit a different parent business
Assign a business unit a different parent business
10/16/2020

You can assign a different parent business to a business unit to accommodate changes in your business
requirements. When you reassign a business unit, any child business units are also reassigned with it.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Business Units.
3. Select the business unit you want to change the settings for.
4. On the Actions toolbar, select More Actions > Change Parent Business.
5. In the Change Parent Business dialog box, in the New parent business text box, type part or all of the
name of the parent business you want to assign the business unit to, and then select the Click to select a
value for New parent business icon.
6. Select the record for the parent business you want to assign the business unit to, and then click OK.
See also
Control Data Access
Create or edit a site
Hierarchy security to control access
10/16/2020

The hierarchy security model is an extension to the existing security models that use business units, security roles,
sharing, and teams. It can be used in conjunction with all other existing security models. Hierarchy security
offers more granular access to records for an organization and helps to bring maintenance costs down. For
example, in complex scenarios, you can start with creating several business units and then add the hierarchy
security. This achieves more granular access to data at far lower maintenance cost than a large number of
business units would require.

Manager hierarchy and Position hierarchy security models


Two security models can be used for hierarchies, the Manager hierarchy and the Position hierarchy. With the
Manager hierarchy, a manager must be within the same business unit as the report, or in the parent business unit
of the report’s business unit, to have access to the report’s data. The Position hierarchy allows data access across
business units. If you are a financial organization, you may prefer the Manager hierarchy model, to prevent
managers from accessing data outside of their business units. However, if you are a part of a customer service
organization and want the managers to access service cases handled in different business units, the Position
hierarchy may work better for you.

NOTE
While the hierarchy security model provides a certain level of access to data, additional access can be obtained by using other
forms of security, such as security roles.

Manager hierarchy
The Manager hierarchy security model is based on the management chain or direct reporting structure, where the
manager’s and the report’s relationship is established by using the Manager field on the system user entity. With
this security model, the managers are able to access the data that their reports have access to. They are able to
perform work on behalf of their direct reports or access information that needs approval.

NOTE
With the Manager hierarchy security model, a manager has access to the records owned by the user or by the team that a
user is a member of, and to the records that are directly shared with the user or the team that a user is a member of. When a
record is shared by a user who is outside of the management chain to a direct report user with Read-only access, the direct
report's manager only has Read-only access to the shared record.
In addition to the Manager hierarchy security model, a manager must have at least the user level Read privilege on an entity,
to see the reports’ data. For example, if a manager doesn’t have the Read access to the Case entity, the manager won’t be
able to see the cases that their reports have access to.
In order for the manager to see all the direct report's records, the direct report user must have an 'enabled' user status.
The manager will not be able to see a 'disabled' user's records.

For a non-direct report in the same management chain of the manager, a manager has the Read-only access to the
non-direct report’s data. For a direct report, the manager has the Read, Write, Update, Append, AppendTo access to
the report’s data. To illustrate the Manager hierarchy security model, let’s take a look at the diagram below. The CEO
can read or update the VP of Sales data and the VP of Service data. However, the CEO can only read the Sales
Manager data and the Service Manager data, as well as the Sales and Support data. You can further limit the
amount of data accessible by a manager with “Depth”. Depth is used to limit how many levels deep a manager has
Read-only access to the data of their reports. For example, if the depth is set to 2, the CEO can see the data of the VP
of Sales, VP of Service and Sales and Service Managers. However, the CEO doesn’t see the Sales data or the Support
data.

It is important to note that if a direct report has deeper security access to an entity than their manager, the manager
may not be able to see all the records that the direct report has access to. The following example illustrates this point.
A single business unit has three users: User 1, User 2 and User 3.
User 2 is a direct report of User 1.
User 1 and User 3 have User level read access on the Account entity. This access level gives users access to
records they own, the records that are shared with the user, and records that are shared with the team the
user is a member of.
User 2 has Business Unit read access on the Account entity. This allows User 2 to view all of the accounts for
the business unit, including all of the accounts owned by User 1 and User 3.
User 1, as a direct manager of User 2, has access to the accounts owned by or shared with User 2, and any
accounts that are shared with or owned by a team that User 2 is a member of. However, User 1 doesn’t have
access to the accounts of User 3, even though his or her direct report may have access to User 3 accounts.

Position hierarchy
The Position hierarchy, unlike the Manager hierarchy, is not based on the direct reporting structure. A user doesn’t
have to be an actual manager of another user to access that user’s data. As an administrator, you define various job
positions in the organization and arrange them in the Position hierarchy. Then you add users to any given position,
or, as we also say, “tag” a user with a particular position. A user can be tagged with only one position in a given
hierarchy; however, a position can be used for multiple users. Users at the higher positions in the hierarchy have
access to the data of the users at the lower positions, in the direct ancestor path. The direct higher positions have
Read, Write, Update, Append, and AppendTo access to the lower positions’ data in the direct ancestor path. The
non-direct higher positions have Read-only access to the lower positions’ data in the direct ancestor path.
To illustrate the concept of the direct ancestor path, let’s look at the diagram below. The Sales Manager position has
access to the Sales data; however, it doesn’t have access to the Support data, which is in a different ancestor path.
The same is true for the Service Manager position. It doesn’t have access to the Sales data, which is in the Sales
path. As in the Manager hierarchy, you can limit the amount of data accessible by higher positions with “Depth”.
The depth limits how many levels deep a higher position has Read-only access to the data of the lower
positions in the direct ancestor path. For example, if the depth is set to 3, the CEO position can see the data all the
way down from the VP of Sales and VP of Service positions, to the Sales and Support positions.

NOTE
With the Position hierarchy security, a user at a higher position has access to the records owned by a lower position user or
by the team that a user is a member of, and to the records that are directly shared with the user or the team that a user is a
member of.
In addition to the Position hierarchy security model, the users at a higher level must have at least the user level Read privilege
on an entity to see the records that the users at the lower positions have access to. For example, if a user at a higher level
doesn’t have the Read access to the Case entity, that user won’t be able to see the cases that the users at lower positions
have access to.
In order for the user at the higher position to see all the lower position user's records, the lower position user must have an
'enabled' user status. The higher position user will not be able to see the 'disabled' lower position user's records.
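
The rules above for both hierarchy models (direct level, non-direct levels, Depth, the Read privilege and the 'enabled' status) can be checked against an org chart with a small model. This is an added example, not Microsoft code; the org chart is constructed from the roles named in the text, and all function and user names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Rights the hierarchy grants, as listed in the text.
FULL = ("Read", "Write", "Update", "Append", "AppendTo")  # one level up (direct)
READ_ONLY = ("Read",)                                      # further up, within Depth
NONE = ()


@dataclass
class Node:
    """A user (Manager hierarchy) or a position (Position hierarchy)."""
    name: str
    parent: Optional["Node"] = None
    users: dict = field(default_factory=dict)  # user name -> True if 'enabled'


def levels_above(lower, higher):
    """Levels between `lower` and `higher` along the direct ancestor path,
    or None when `higher` is not an ancestor of `lower`."""
    distance, node = 0, lower
    while node is not None:
        if node is higher:
            return distance
        node, distance = node.parent, distance + 1
    return None


def hierarchy_access(higher, lower, lower_user, depth, has_read_privilege=True):
    """Rights that hierarchy security alone gives a user at `higher` over the
    records of `lower_user`. Security roles may grant more on top of this."""
    if not has_read_privilege:            # needs at least user-level Read on the entity
        return NONE
    if not lower.users.get(lower_user):   # 'disabled' (or unknown) users are not visible
        return NONE
    distance = levels_above(lower, higher)
    if distance is None or distance == 0 or distance > depth:
        return NONE                       # other branch, same level, or beyond Depth
    return FULL if distance == 1 else READ_ONLY


def build_sample_org():
    """Constructed org chart (assumed reporting lines) using the roles in the text."""
    org = {}
    for name, parent in [("CEO", None),
                         ("VP of Sales", "CEO"), ("VP of Service", "CEO"),
                         ("Sales Manager", "VP of Sales"),
                         ("Service Manager", "VP of Service"),
                         ("Sales", "Sales Manager"), ("Support", "Service Manager")]:
        org[name] = Node(name, org.get(parent), {f"user-{name}": True})
    return org


def review(org, higher_name, depth):
    """Map every user the hierarchy exposes to `higher_name` to the rights granted."""
    higher, report = org[higher_name], {}
    for node in org.values():
        for user in node.users:
            rights = hierarchy_access(higher, node, user, depth)
            if rights:
                report[user] = rights
    return report


if __name__ == "__main__":
    org = build_sample_org()
    for depth in (2, 3):
        print(f"Depth {depth}, CEO:")
        for user, rights in review(org, "CEO", depth).items():
            print(f"  {user}: {', '.join(rights)}")
```

Running `review` for each manager or position before changing Depth shows which users' records become visible or drop out of view as a result of the change.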

Set up hierarchy security


These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Users + Permissions > Hierarchy security.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
Hierarchy security is disabled by default. To enable it:
1. Select an environment and go to Settings > Users + Permissions > Hierarchy security.
2. Under Turn on Hierarchy Modelling, select Enable Hierarchy Modeling.

IMPORTANT
To make any changes in Hierarchy security, you must have the Change Hierarchy Security Settings privilege.

After you have enabled hierarchy modeling, choose the specific model by selecting Manager Hierarchy or
Custom Position Hierarchy. All system entities are enabled for hierarchy security out of the box, but you can
exclude selected entities from the hierarchy. The Hierarchy Security window is shown below:

Set the Depth to a desired value to limit how many levels deep a manager has Read-only access to the data of
their reports. For example, if the depth equals 2, a manager can only access his or her accounts and the accounts
of the reports two levels deep. In our example, if you log in to customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation) not as an Administrator, who can see all accounts, but as the VP of Sales, you’ll only be able to
see the active accounts of the users shown in the red rectangle, as illustrated below:

NOTE
While the hierarchy security grants the VP of Sales access to the records in the red rectangle, additional access can be
available based on the security role that the VP of Sales has.

Set up Manager and Position hierarchies


The Manager hierarchy is easily created by using the manager relationship on the system user record. You use the
Manager (ParentsystemuserID) lookup field to specify the manager of the user. If you have already created the
Position hierarchy, you can also tag the user with a particular position in the Position hierarchy. In the following
example, the sales person reports to the sales manager in the Manager hierarchy and also has the Sales position in
the Position hierarchy:

To add a user to a particular position in the Position hierarchy, use the lookup field called Position on the user
record’s form, as shown below:

IMPORTANT
To add a user to a position or change the user’s position, you must have the Assign position for a user privilege.

To change the position on the user record’s form, on the nav bar, choose More (…) and choose a different position,
as shown below:

To create a Position hierarchy:


1. Select an environment and go to Settings > Users + Permissions > Positions.
For each position, provide the name of the position, the parent of the position, and the description. Add users
to this position by using the lookup field called Users in this position. Below is an example of a Position
hierarchy with the active positions.

The example of the enabled users with their corresponding positions is shown below:

Performance considerations
To boost performance, we recommend:
- Keep the effective hierarchy security to 50 users or less under a manager/position. Your hierarchy may have
  more than 50 users under a manager/position, but you can use the Depth setting to reduce the number of
  levels for Read-only access and in this way limit the effective number of users under a manager/position to 50
  users or less.
- Use hierarchy security models in conjunction with other existing security models for more complex
  scenarios. Avoid creating a large number of business units; instead, create fewer business units and add
  hierarchy security.
See also
Security in Common Data Service
Query and visualize hierarchical data
Security roles and privileges
10/16/2020 • 8 minutes to read

To control data access, you must set up an organizational structure that both protects sensitive data and enables
collaboration. You do this by setting up business units, security roles, and field security profiles.

TIP
Check out the following video: How to set up security roles.

Security roles
A security role defines how different users, such as salespeople, access different types of records. To control access
to data, you can modify existing security roles, create new security roles, or change which security roles are
assigned to each user. Each user can have multiple security roles.
Security role privileges are cumulative: having more than one security role gives a user every privilege available in
every role.
Each security role consists of record-level privileges and task-based privileges.
Record-level privileges define which tasks a user with access to the record can do, such as Read, Create, Delete,
Write, Assign, Share, Append, and Append To. Append means to attach another record, such as an activity or note, to
a record. Append to means to be attached to a record. More information: Record-level privileges.
Task-based privileges, at the bottom of the form, give a user privileges to perform specific tasks, such as publish
articles.
The colored circles on the security role settings page define the access level for that privilege. Access levels
determine how deep or high in the organizational business unit hierarchy the user can perform the specified
privilege. The following table lists the levels of access in the app, starting with the level that gives users the most
access.

ICON DESCRIPTION

Global. This access level gives a user access to all records in the organization, regardless of the business unit
hierarchical level that the environment or the user belongs to. Users who have Global access automatically have
Deep, Local, and Basic access, also.
Because this access level gives access to information throughout the organization, it should be restricted to match
the organization's data security plan. This level of access is usually reserved for managers with authority over the
organization.
The application refers to this access level as Organization.

Deep. This access level gives a user access to records in the user's business unit and all business units subordinate
to the user's business unit.
Users who have Deep access automatically have Local and Basic access, also.
Because this access level gives access to information throughout the business unit and subordinate business units,
it should be restricted to match the organization's data security plan. This level of access is usually reserved for
managers with authority over the business units.
The application refers to this access level as Parent: Child Business Units.

Local. This access level gives a user access to records in the user's business unit.
Users who have Local access automatically have Basic access, also.
Because this access level gives access to information throughout the business unit, it should be restricted to match
the organization's data security plan. This level of access is usually reserved for managers with authority over the
business unit.
The application refers to this access level as Business Unit.

Basic. This access level gives a user access to records that the user owns, objects that are shared with the user, and
objects that are shared with a team that the user is a member of.
This is the typical level of access for sales and service representatives.
The application refers to this access level as User.

None. No access is allowed.

IMPORTANT
To ensure that users can view and access all areas of the web application, such as entity forms, the nav bar, or the command
bar, all security roles in the organization must include the Read privilege on the Web Resource entity. For example, without
read permissions, a user won't be able to open a form that contains a web resource and will see an error message similar to
this: "Missing prvReadWebResource privilege." More information: Create or edit a security role

Record-level privileges
PowerApps and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365
Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) use eight different
record-level privileges that determine the level of access a user has to a specific record or record type.

PRIVILEGE | DESCRIPTION
Create | Required to make a new record. Which records can be created depends on the access level of the permission defined in your security role.
Read | Required to open a record to view the contents. Which records can be read depends on the access level of the permission defined in your security role.
Write | Required to make changes to a record. Which records can be changed depends on the access level of the permission defined in your security role.
Delete | Required to permanently remove a record. Which records can be deleted depends on the access level of the permission defined in your security role.
Append | Required to associate the current record with another record. For example, a note can be attached to an opportunity if the user has Append rights on the note. The records that can be appended depend on the access level of the permission defined in your security role. In case of many-to-many relationships, you must have Append privilege for both entities being associated or disassociated.
Append To | Required to associate a record with the current record. For example, if a user has Append To rights on an opportunity, the user can add a note to the opportunity. The records that can be appended to depend on the access level of the permission defined in your security role.
Assign | Required to give ownership of a record to another user. Which records can be assigned depends on the access level of the permission defined in your security role.
Share | Required to give access to a record to another user while keeping your own access. Which records can be shared depends on the access level of the permission defined in your security role.

Overriding security roles


The owner of a record or a person who has the Share privilege on a record can share a record with other users or
teams. Sharing can add Read, Write, Delete, Append, Assign, and Share privileges for specific records.
Teams are used primarily for sharing records that team members ordinarily couldn't access. More information:
Manage security, users and teams.
It's not possible to remove access for a particular record. Any change to a security role privilege applies to all
records of that record type.
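
The way cumulative roles, access levels and sharing combine into one access decision can be seen in a small model. This is an added example, not Microsoft code: the business units, role names, users and records are constructed, and the model assumes a share only takes effect when the user's roles grant that privilege at Basic level or higher.

```python
from enum import IntEnum


class Level(IntEnum):
    """Access levels from the table above, lowest to highest."""
    NONE = 0
    BASIC = 1   # shown in the application as "User"
    LOCAL = 2   # "Business Unit"
    DEEP = 3    # "Parent: Child Business Units"
    GLOBAL = 4  # "Organization"


# Constructed sample data: business unit -> parent business unit.
BU_PARENT = {"Contoso": None, "Sales": "Contoso", "Sales-EMEA": "Sales", "Service": "Contoso"}

# Constructed roles: (entity, privilege) -> access level.
ROLES = {
    "Salesperson": {("account", "Read"): Level.BASIC, ("account", "Write"): Level.BASIC},
    "Regional Lead": {("account", "Read"): Level.DEEP},
}

ALICE = {"name": "alice", "bu": "Sales", "teams": ["emea-deals"],
         "roles": ["Salesperson", "Regional Lead"]}

RECORDS = {
    "emea": {"entity": "account", "owner": "bob", "owner_bu": "Sales-EMEA", "shares": {}},
    "service": {"entity": "account", "owner": "carol", "owner_bu": "Service", "shares": {}},
    "service_shared": {"entity": "account", "owner": "carol", "owner_bu": "Service",
                       "shares": {"emea-deals": {"Read"}}},  # shared with a team
}


def in_subtree(bu, root):
    """True if `bu` is `root` or a business unit subordinate to it."""
    while bu is not None:
        if bu == root:
            return True
        bu = BU_PARENT[bu]
    return False


def effective_level(role_names, entity, privilege):
    """Roles are cumulative: the user holds the highest level any role grants."""
    return max((ROLES[r].get((entity, privilege), Level.NONE) for r in role_names),
               default=Level.NONE)


def can_access(user, record, privilege):
    """Decide whether `user` may exercise `privilege` on `record`."""
    level = effective_level(user["roles"], record["entity"], privilege)
    if level == Level.NONE:
        return False
    if level == Level.GLOBAL:
        return True
    # Basic: own records, plus records shared with the user or one of the user's teams.
    principals = {user["name"], *user["teams"]}
    shared = any(privilege in record["shares"].get(p, ()) for p in principals)
    if record["owner"] == user["name"] or shared:
        return True
    if level == Level.DEEP:
        return in_subtree(record["owner_bu"], user["bu"])
    if level == Level.LOCAL:
        return record["owner_bu"] == user["bu"]
    return False


def broad_grants(threshold=Level.DEEP):
    """Review helper: every grant at or above `threshold`, for comparison with
    the organization's data security plan."""
    return sorted((name, entity, priv, level.name)
                  for name, grants in ROLES.items()
                  for (entity, priv), level in grants.items()
                  if level >= threshold)


if __name__ == "__main__":
    for key, record in RECORDS.items():
        print(key, {p: can_access(ALICE, record, p) for p in ("Read", "Write")})
    print("Grants to review:", broad_grants())
```

Because roles are cumulative, a single additional role with a Deep or Global grant widens access for every user who holds it, which is what `broad_grants` is meant to surface.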

Team member's privilege inheritance


User and Team privileges
- User privileges: The user is granted these privileges directly when a security role is assigned to the user. The user
  can create records and has access to records created/owned by the user when the Basic access level for Create and
  Read is given. This is the default setting for new security roles.
- Team privileges: The user is granted these privileges as a member of the team. Team members who do not have
  user privileges of their own can only create records with the team as the owner, and they have access to
  records owned by the team when the Basic access level for Create and Read is given.
A security role can be set to provide a team member with direct Basic-level access user privileges. A team member
can create records that they own and records that have the team as owner when the Basic access level for Create is
given. When the Basic access level for Read is given, the team member can access records that are owned by both that
team member and by the team.
This member's privilege inheritance role is applicable to Owner and Azure Active Directory (Azure AD) Group
teams.

NOTE
Prior to the Team member's privilege inheritance release in May 2019, security roles behaved as Team privileges. Security
roles created before this release are set as Team privileges, and security roles created after this release are by default
set as User privileges.

Create a security role with team member's privilege inheritance


Prerequisites
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > User's + permissions > Security roles.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > User's + permissions > Security roles.
2. On the command bar, select New.
3. Enter a role name.
4. Select the Member's privilege inheritance drop-down list.
5. Select Direct User/Basic access level and Team privileges.
6. Go to each tab and set the appropriate privileges on each entity.
To change the access level for a privilege, select the access-level symbol until you see the symbol you want.
The access levels available depend on whether the record type is organization-owned or user-owned.
NOTE
You can also set this privilege inheritance property for all out-of-the-box security roles except the System Administrator role.
When a privilege inheritance security role is assigned to a user, the user gets all the privileges directly, just like a security role
without privilege inheritance.
You can only select Basic level privileges in the member's privilege inheritance. If you need to provide access to a child
business unit, you will need to elevate the privilege to Deep. For example, suppose you need to assign a security role to the
Group team and you want the members of this group to be able to Append to Account. You set up the security role with a Basic
level member's privilege inheritance and set the Append to Account privilege to Deep. This is because Basic privileges are
only applicable to the user's business unit.

Assigning security roles


In order to assign security roles to a user, you need to have the appropriate privileges (minimum privileges are
'Read' and 'Assign' on the Security Role entity). To prevent elevation of security role privileges, the person who is
assigning the security role cannot assign someone else a security role that has more privileges than the
assignee. For example, a CSR Manager cannot assign a System Administrator role to another user.
By default, the System Administrator security role has all the required privileges to assign security roles to any user,
including assigning the System Administrator security role. If you need to allow non-System Administrators
to assign security roles, you should consider creating a custom security role. See Create an administrative user and
prevent elevation of security role privilege.
Create a team template to control access rights for automatically created teams
10/16/2020 • 2 minutes to read

A team template can be used for the entities that are enabled for automatically created access teams. In the team
template, you have to specify the entity type and the access rights on the entity record. For example, you can create
a team template for an account entity and specify the Read, Write, and Share access rights on the account record
that the team members are granted when the team is automatically created. After you create a team template, you
have to customize the entity main form to include the new team template. After you publish customizations, the
access team template is added to all record forms for the specified entity in the form of a list. For example, suppose
you created a team template called “Sales team” for the account entity. On all account record forms you’ll see the list
called “Sales team”. You can add or remove team members using this list.

Enable an entity for access teams


These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > User's + permissions > Teams.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > User's + permissions > Teams.
2. Select the check box for a team.
3. On the command bar, select More Commands (...).
4. Select Customize Entity.
5. In the navigation pane, expand Entities, and then choose the entity you want to use in the team template.
6. On the Entity Definition form, in the Communication & Collaboration section, select the Access
Teams checkbox.
7. On the Actions toolbar, select Save.

Add a team template to the entity form


1. Select an environment and go to Settings > User's + permissions > Teams.
2. On the command bar, select More Commands (...).
3. Select Customize Entity.
4. In the navigation pane, expand Entities, expand the entity you want to use in the team template, and then
select Forms.
5. In System Forms, select Active Forms > Main form.
6. On the Main form, open the Insert tab.
7. On the ribbon, choose Sub-Grid.
The Set Properties dialog box appears.
8. In Set Properties, complete the required fields, and then select the Display label on the Form check box.
9. In the Records drop-down list, select All Record Types.
10. In the Entity drop-down list, select Users.
11. In the Default View drop-down list, select Associated Record Team Members.
12. In the Team Template drop-down list, select the desired template and choose Set.
The team template you selected now appears on the Main form.
13. On the Actions toolbar, select Save, and then select Publish.

NOTE
The Access Team template does not get exported with its entity in a Solution. Administrators will need to recreate the
template when exporting the entity into another environment.
User settings
10/16/2020 • 2 minutes to read

See Create users and assign security roles.


Recover database space by deleting audit logs
10/16/2020 • 2 minutes to read

When you enable auditing, customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) store the
change history for transactions in the database in the form of audit logs. You can delete old or unwanted logs to
free up database space.
CAUTION

When you delete an audit log, you can no longer view the audit history for the period covered by that audit log.
1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Audit and logs > Audit Log Management.
4. Select the oldest audit log. Then, on the command bar, choose Delete Logs.
5. In the confirmation message, choose OK.

NOTE
You can only delete the oldest audit log in the system. To delete more than one audit log, continue to delete the
oldest audit log until you have deleted enough logs.

See also
Audit data and user activity
Retrieve and delete the history of audited data changes
System Settings Auditing tab
10/16/2020 • 2 minutes to read

Enable auditing to track changes to your organization's data and maintain a log of changes.

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Audit and logs > Audit settings.

SETTING | DESCRIPTION
Start Auditing | Default: Off. Start or stop auditing.
Log access | Default: Off. If enabled, model-driven apps in Dynamics 365 track when the user started accessing model-driven apps in Dynamics 365 and whether or not the user accessed the application by using the web application or Dynamics 365 for Outlook.
Read logs | Default: Off. Logs will be sent to the Microsoft 365 Security and Compliance Center.

To audit specific areas of the product, as described in the following table, go to Settings > Audit and logs >
Legacy audit settings.

AUDITING AREA | ENABLE THE START OF AUDITING FOR THESE ENTITIES
Enable Auditing in the following areas |
Common Entities | Account, Contact, Lead, Marketing List, Product, Quick Campaign, Report, Sales Literature, Security Role, and User
Sales Entities | Competitor, Invoice, Opportunity, Order, and Quote
Marketing Entities | Campaign
Customer Service Entities | Article, Case, Client Feedback, Contract, and Service

See also
Audit data and user activity
Audit data and user activity for security and
compliance
10/16/2020 • 5 minutes to read

The auditing feature logs changes that are made to customer records and user access so you can review the activity
later. The auditing feature is designed to meet the auditing, compliance, security, and governance policies of many
regulated enterprises.
The audit logs help the administrator answer questions such as:
Which user was accessing the system and when?
Who updated this field value on this record and when?
What was the previous field value before it was updated?
What actions has this user taken recently?
Who deleted this record?
What locale was used to make the update?
The following operations can be audited:
Create, update, deactivate, and delete operations on records.
Changes to the sharing privileges of a record.
The N:N association or disassociation of records.
Changes to security roles.
Audit changes at the entity, attribute, and organization level. For example, enabling audit on an entity.
Deletion of audit logs.
For changes made to entity fields that can be localized, such as the Product entity name or description fields, the
locale ID (LCID) appears in the audit record.
System administrators and customizers can start or stop auditing for an organization.

IMPORTANT
For Customer Engagement (on-premises), you may notice that auditing can significantly increase the size of the organization
database over time. You can delete audit logs by going to Settings > Auditing > Audit Log Management. Additionally,
you may want to stop auditing for maintenance purposes. Stopping auditing stops tracking for the organization during the
period until auditing is started again. When you start auditing again, the same auditing selection is maintained that was
previously used.

Start/stop auditing and set retention policy


This task requires the system administrator or customizer security role or equivalent permissions.
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > expand Audit and logs > Audit settings.

SETTING | DESCRIPTION
Start Auditing | Start or stop auditing.
Log access | Log whenever the system is accessed, generally by signing in
Read logs | Logs will be sent to the Microsoft 365 Security and Compliance Center

3. You can set a retention period for how long audit logs are kept in a Common Data Service environment.
Under Retain these logs for, choose the period of time you wish to retain the logs.

SETTING | DESCRIPTION
Set the retention policy for these logs | Default: 30 days.
Set a custom retention policy | Maximum: 100,000 days

When new features are deployed, the audit retention period is set to Forever for all Common Data Service
environments with existing audit data. The default audit retention period is 30 days for new environments
and existing environments without any audit data. You can also change the audit retention value using the
Common Data Service Web API.
Each audit log is stamped with the currently active retention period. Changing the retention period will not
change already existing audit logs and is only applied to newly created audit logs.
4. Select Save.
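The stamping rule in step 3 means the retention value shown in the admin center today does not tell you which older audit logs still exist. The following sketch is an added example (not Microsoft's code) that models the rule on constructed data; it assumes a log is removed once its creation date plus its stamped retention period has passed, and all class and function names are hypothetical.

```python
"""Model of the audit-retention rule: each audit log keeps the retention
period that was active when the log was created."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class RetentionChange:
    effective: date        # day the retention setting was saved
    days: Optional[int]    # None models the "Forever" setting


@dataclass(frozen=True)
class AuditRecord:
    created: date
    label: str


def stamped_days(on: date, history: Sequence[RetentionChange]) -> Optional[int]:
    """Retention period in force on a given day (None = Forever)."""
    in_force = [c for c in history if c.effective <= on]
    if not in_force:
        raise ValueError(f"no retention setting known for {on}")
    return max(in_force, key=lambda c: c.effective).days


def expires_on(record: AuditRecord,
               history: Sequence[RetentionChange]) -> Optional[date]:
    """Expiry date from the period stamped at creation (assumed purge rule)."""
    days = stamped_days(record.created, history)
    return None if days is None else record.created + timedelta(days=days)


def available(record: AuditRecord, history: Sequence[RetentionChange],
              as_of: date) -> bool:
    """True if the log should still exist on as_of under the stamped period."""
    expiry = expires_on(record, history)
    return expiry is None or as_of < expiry


def misjudged(records: Sequence[AuditRecord],
              history: Sequence[RetentionChange], as_of: date) -> List[str]:
    """Labels of logs whose real availability differs from what applying
    the *current* retention setting to every log would suggest."""
    current = stamped_days(as_of, history)
    wrong = []
    for r in records:
        naive = current is None or as_of < r.created + timedelta(days=current)
        if naive != available(r, history, as_of):
            wrong.append(r.label)
    return wrong


# Constructed sample data: Forever at feature deployment, then lowered to
# 30 days, then raised to 365 days.
HISTORY = [
    RetentionChange(date(2020, 6, 1), None),
    RetentionChange(date(2020, 9, 1), 30),
    RetentionChange(date(2020, 10, 1), 365),
]
RECORDS = [
    AuditRecord(date(2020, 7, 15), "record delete"),   # stamped Forever
    AuditRecord(date(2020, 9, 10), "role change"),     # stamped 30 days
    AuditRecord(date(2020, 10, 5), "field update"),    # stamped 365 days
]

if __name__ == "__main__":
    for as_of in (date(2020, 11, 1), date(2021, 8, 1)):
        print(as_of, "misjudged:", misjudged(RECORDS, HISTORY, as_of))
```

Raising the retention period after an incident does not bring back or extend logs that were stamped with a shorter period, so set the value before the evidence is needed.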

Set specific areas of the product to audit


1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > expand Audit and logs > Legacy audit settings.
3. Select the entities you want to track. To start or stop auditing on specific entities, select or clear the following
check boxes:
Common Entities. Tracks common entities like Account, Contact, Goal, Product, and User.
Sales Entities. Tracks sales-related entities like Competitor, Opportunity, Invoice, Order, and Quote.
Marketing Entities. Tracks Campaign entity activity.
Customer Service Entities. Tracks Case, Contract, Queue, and Service entity activity.
4. Select OK.

View audit logging details


System administrators can see activity for the entities that are enabled for audit logging.
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > expand Audit and logs > Audit Summary View.
3. In the Audit Summary View, you can do the following:
Select Enable/Disable Filters to turn on filtering. Then, you can filter on a specific event, such as Delete
actions.
Choose an event to view specific details about the activity, such as field changes that were made during
an update to a record and who performed the update.
Select the Refresh button to view the most recent activity.

IMPORTANT
Large attribute values, such as Email.description or Annotation, are limited (capped) at 5KB or ~5,000 characters. A capped
attribute value can be recognized by three dots at the end of the text, for example, “lorem ipsum, lorem ip…”.

Enable or disable entities and fields for auditing


System administrators or customizers can change the default audit settings for entities and for specific fields for an
entity.
Enable or disable auditing for an entity
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > expand Audit and logs > Entity and Field Audit
Settings.
3. Under Components, expand Entities.
4. Select the entity for which you want to enable or disable auditing.
5. To start auditing, on the General tab, in the Data Services section, select the Auditing check box to enable
auditing, or clear the Auditing check box to disable it.
By default, when you start or stop auditing for an entity, you also start or stop auditing for all the fields of
this entity.
6. Select Save.
7. Publish the customization. To publish for a single entity, choose the entity, such as Account, and then select
Publish on the toolbar.
Enable or disable auditing for specific fields on an entity
1. Under the entity for which you want to enable or disable auditing with specific fields, select Fields.
2. To enable or disable a single field, open the field and in the Auditing section, select Enable or Disable.
To enable or disable more than one field, select the fields you want, and then on the toolbar select Edit. In the
Edit Multiple Fields dialog box, in the Auditing area, select Enabled or Disabled.
3. Select Save.
4. Publish the customization. To publish for a single entity, choose the entity, such as Account, and then select
Publish on the Actions toolbar.
Monitor and manage system jobs
10/16/2020 • 2 minutes to read

Several features use system jobs to perform tasks automatically, including workflows, import, and duplicate
detection, running independently or in the background.
You can monitor them to ensure that they run smoothly or have completed successfully. In the Power Platform
admin center, select an environment. Go to Settings > Audit and logs > System Jobs to see a grid view of
system jobs.

Monitoring system jobs


If there is a problem with a system job, you can cancel, postpone, pause, or resume it. Select a job and then select
the Actions menu.
Canceling system jobs
You cannot resume a canceled system job.
Postponing completion of system jobs
Postponing an active system job stops any current and subsequent actions. You can specify a later time when
you want the system job to restart.
Pausing system jobs
You can resume a paused system job.
Resuming paused system jobs
Resuming restarts a system job that was paused.

TIP
1. If a system job fails, you can view the details about what steps failed and what the problems may have been. First,
open the system job record. To display details about system job failures, move your pointer over the warning
symbols.
2. To view system job failures in a format that you can print or copy and paste, select the Print button.

NOTE
You cannot make changes to the status of a system job that has been completed or canceled.

See also
Asynchronous processing of cascading transactions
Create templates for articles
10/16/2020 • 2 minutes to read

Article templates help you create new articles for your organization's knowledge base library. You can also create
templates with boilerplate text to help article writers use consistent language and messaging.

NOTE
This experience is applicable only to legacy Articles entity and not the new Knowledge Article entity.

1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics
365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Service Management.
3. Select Article Templates.
4. To create a new article template, select New.
5. In the Article Template Properties dialog box, type the new article title, select the language, and then
select OK.
6. To add a section, in the Common Tasks area, select Add a Section, and specify the following:
a. In the Title box, type a title.
b. In the Instructions box, type a description of the information that users should provide in this section
when they use this template.
When a user creates a new article with this template, these instructions appear in the body text for this
section, and disappear when the user starts typing.
7. To reposition a section in the template, select the section you want to reposition, and in the Common
Tasks area, select the green arrows to move the section to the position you want.
When you select a section, its border turns green and the border lines become solid.
8. To remove a section, select the section you want to remove, and in the Common Tasks area, select
Remove a Section.
9. To edit a section, select the section you want to edit, and in the Common Tasks area, select Section
Properties. Edit the title and description.
10. To format the text, font, and color of the article title, headings, and body text of each section, use the tools on
the Modify toolbar.
11. When you're done, select Save or Save and close.
After you save the template, it is immediately available for use. If the template is not complete and you want
to finish it later, you can save the template, deactivate it (make it read-only), and then complete it later.
When the template is complete, you can reactivate it.

NOTE
If you need to back up your templates, or export them for use in a different implementation, you can export them as part of
exporting customizations. More information: Export your customizations as a solution.

See also
eBook: Use KB articles to help your customers
Download a template for data import
10/16/2020 • 2 minutes to read

Whether your data is stored in spreadsheets, databases, or other systems, you'll want to import the data into
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), so you can keep track of all your
customer information in one place. You use templates for importing many types of records, such as accounts, leads
or cases. There is a complete list in the Templates for Data Import wizard.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Templates.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Data management > Templates.
2. In the Templates for Data Import dialog box, choose the record type that you want to download the
template for, and then select Download.
3. In the file download box, select Save or Save as and navigate to a location for the file.
4. Select Close.
See also
Import data (all record types) from multiple sources
Import data
Create templates for email
10/16/2020 • 3 minutes to read

Save time when creating multiple email messages by making email templates. Email templates contain prefilled
data that you specify, so you don't have to re-enter the same information for each message.
An email template is attached to an email activity after the activity is created. Typically, each type of email activity
has its own email template type; for example, an email activity created from a case record would use a case email
template. You can also create global templates that are available for any record type, or personal templates available
only to you, or organizational templates available to anyone in your organization.
1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics
365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Templates > Email templates.
4. On the Actions toolbar, select New.
5. In the Email Template Type dialog box, in the Template Type list, select the type, and then select OK.

IMPORTANT
If you select a specific record type, such as lead or opportunity, the template is available only for that record type. This
cannot be changed. To use the same content for another record type, create a new template.

6. On the Email Templates form, enter a Title and a Subject.


7. You can type a description of the template. This is not displayed to the recipient.
8. Type the text you want to send in this message. Use the Formatting toolbar to edit the text.
TIP
Although you cannot insert images or HTML directly into email messages or email templates, you can use the
copy feature in Internet Explorer to copy an image from a website and paste it into the email message or email
template. The image is available as long as the website is accessible.
To include a hyperlink in an email template, type the URL including the http://, for example, http://contoso.com.
Do not include a period, comma, or space after the URL or the link will break. Select the link text and select
Make this a Hyperlink.
A link is automatically added to the URL and the text is underlined and changed to blue.
To include data fields in a hyperlink:
a. Select the link text and data fields. For example: http://contoso.com/q?{!User : City;}
b. Select Make this a Hyperlink.
The text and data fields will be converted to a hyperlink. For example:
<a href="https://contoso.com/q?{!User : City;}">http://contoso.com/q?{!User : City;}</a>.
The hyperlink text will appear as a link when the template is used in an email.
There is no spell check built into customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation).
There might be third-party solutions available. For more information, visit Microsoft Dynamics Solution Finder.
The Formatting toolbar has limited fonts and font sizes. However, you can copy and paste content from Office
Word. This allows you to take advantage of features such as spell checking and some advanced text
formatting. To single-space a line of text, at the end of the line press Shift+Enter.

9. To insert data fields to display information such as a customer's name or data from a quote, from a customer
engagement apps record, select Insert/Update, and then in the Data Field Values dialog box, select Add.
10. In the Add Data Value dialog box, select the Record type and Field, and then select OK.
11. Select OK again to insert the data.
12. To enter customers' first and last names, you'll need to repeat these three data-insertion steps; first and last
names are separate data values.

TIP
Use the Default Text box to define what text is displayed if the record does not have data for the field.

13. Select Save or Save and Close.

NOTE
To change a shared template to a personal one or a personal template to a shared one, on the template form, on the
Actions menu, select Revert to Personal Template, or select Make Template Available to Organization.
If you use an email template as a signature in another template, insert the signature template first. Otherwise, the Subject
line will be overwritten.
If you need to back up your templates, or export them for use in a different implementation, you can export them as part
of exporting customizations. More information: Export your customizations as a solution.

See also
Work with mail merge templates
10/16/2020 • 2 minutes to read

You can use mail merge templates with Office Word to create customer-ready letters, faxes, e-mail messages, and
quotes.
Word templates are created and edited in Word, but can be uploaded to customer engagement apps (Dynamics
365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics
365 Project Service Automation) to use with mail merge and share with other users. Only Word .xml documents
can be used as templates. To learn more about how to create mail merge templates, see the online Help in Word.
1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics
365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Templates > Mail merge templates.
4. To create a new mail merge template, select New.
5. In the Mail Merge Templates form, enter a Name and an Associated Entity (record type).
6. You can enter a description of the template. This is not displayed to the recipient.
7. Select Save.
8. Select Data Fields, select the columns to add as fields in your email, and then select OK.
9. Select Save, and then select Create Template in Word.
10. Select Add-ins, and then select CRM.
11. Proceed through the Mail Merge process and save the template.
12. Return to the Mail Merge Template page, and then select Choose File.
13. Select the newly created mail merge document, select Open, and then select Attach.
14. Select Save and Close.

NOTE
To change a personal template to a shared one, after you save the record on the template form, on the More Actions menu,
select Make Available to Organization. To revert the template to a personal one, select Make Personal.

Use a mail merge template


After creating a mail merge template, follow these steps to use it.
1. In the Power Platform admin center, select an environment and open it.
2. Select Advanced Find and select the customers to send an email.
3. Select Mail Merge, choose the Personal mail merge template, and then select Download.
4. Open the downloaded file in Microsoft Word and go through the steps.
Manage email settings
10/16/2020 • 4 minutes to read

Use Email settings to adjust how features of model-driven apps in Dynamics 365, such as Dynamics 365 Sales and
Customer Service, appear and function.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Email > Email settings.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the settings.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

SET T IN GS DESC RIP T IO N

Security and permissions Select these check boxes if you want to allow email processing
only for users and queues whose email addresses have been
approved by the system administrator.

Process emails only for approved users Default: On.

Process emails only for approved queues Default: On.

Sync information rights management-enabled emails to the Default: Not selected. Off. Select On to sync emails that have
server information rights property.

Allow to delete appointments if system auto detects changes Default: Not selected. Off.
that will result in change in ownership

Notifications

When these occur, send details to the mailbox's notifications


area

Errors Default: Enabled.

Warnings Default: Enabled. Select Warning if you’re troubleshooting or


testing or want to get more detailed messages on the alert
wall.

Information Default: Enabled.

Notify mailbox owner Default: Off. By default, the system administrator is notified of
any error that occurs for an email server profile. Select On if
you also want to notify the mailbox owner.

Attachments
SET T IN GS DESC RIP T IO N

Maximum file size for attachments Default: 5 MB (5120 KB). Maximum file size (in Kilobytes).
Increase or decrease the maximum file size for attached files.
The maximum size is 128 MB (131,072 KB).

Synchronization methods For any mailbox that is automatically created in Dynamics 365
when a user or queue is created, the default email settings as
defined in this section will be applied.

The selected settings will be applied to mailboxes of all newly


created users and queues

Server profile For server-side synchronization, select the email server profile
that you want to use. The email server profile holds the
configuration data that enables Dynamics 365 to connect to
Microsoft Exchange. If you’re connecting model-driven apps in
Dynamics 365 with Exchange Online, the email server profile is
automatically created for you.

Incoming email Select whether you want to use Dynamics 365 for Outlook,
the Email Router, server-side synchronization, or a forward
mailbox for processing incoming email. More information:
Create forward mailboxes or edit mailboxes

Outgoing email Select whether you want to use Dynamics 365 for Outlook,
the Email Router, or server-side synchronization for processing
outgoing email.

Appointments, contacts, and tasks Select whether you want to use Dynamics 365 for Outlook or
server-side synchronization to synchronize appointments,
contacts, and tasks between Outlook and Dynamics 365.
Note: You can’t synchronize appointments, contacts, and
tasks if you’re synchronizing with a POP3 email server.

Email form options

Use secure frames to restrict email message content Default: Off. If this is set to On , you may see the following
error message when you’re reading email: “This content
cannot be displayed in a frame”. Although this can make
sending sensitive content in email less secure, changing the
setting to Off typically eliminates this error.

People can send emails with unresolved recipients Default: Off. Set this to On if you want to send email
messages that have unresolved recipients.

If there are multiple possible recipient matches in the to, CC, or BCC fields, set them as unresolved Default: Off. Use this setting to choose which record an email address resolves to when there are multiple possible matches in to, cc, or bcc fields of an email. When you select On, if the to, cc, or bcc fields of an email have an email address that can be resolved to multiple contacts (or other records), the email address will be resolved in the unresolved mode instead of resolving to all possible records. Unresolved email addresses can then be resolved individually as you encounter them.

When someone manually resolves an unresolved email address, apply it to all similar unresolved addresses When set to Yes, the same email address is applied to all similar unresolved email addresses when resolved in one email activity. When set to Off, the email address is applied only to the specific email activity and does not resolve similar addresses present in other email activities. The default value is On.

This setting is configurable when Set To, cc, bcc, fields as unresolved values if multiple matches are found in Incoming Emails is set to On.

Additional app-specific settings

Enhanced email for Timeline The enhanced email experience allows users to compose an
email without leaving the record they're working on. This
setting is available with environments that have customer
engagement apps in Dynamics 365, such as Dynamics 365
Sales or Dynamics 365 Customer Service.

See also
Track Outlook email by moving it to a tracked Exchange folder
Frequently asked questions about synchronizing records between model-driven apps in Dynamics 365 and
Outlook
Set up email through server-side synchronization
Manage email tracking settings
10/16/2020 • 2 minutes to read

Use Email settings to adjust how features appear and function in model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service.
These settings can be found in the Power Platform admin center by going to Environments > [select an environment] > Settings > Email > Email Tracking.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to update these settings.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

SETTINGS    DESCRIPTION

Tracking email conversations

Use correlation Default: On. Select this check box if you want to link email
activities with other related records using the information in
the email headers. This method uses email properties for
correlation and is more accurate than smart matching, but less
accurate than folder-level tracking or tracking tokens. More
information: Email message filtering and correlation Note:
Email correlation using email headers works best when email is
processed using server-side synchronization. If you’re using
the Email Router to process email, you can use tracking tokens
or smart matching to correlate email activities with related
records.

Use tracking tokens Default: On. Select this check box to use tracking tokens and
to configure how Dynamics 365 displays them in the Subject
line of the email messages.

Tracking tokens provide 100% tracking accuracy. If you don’t want to see tokens in Subject lines, however, consider folder-level tracking, which also provides 100% tracking accuracy.

You can configure prefixes and other sections of tracking tokens. Long prefixes or too many prefix changes may cause lost data in history, however. More information: Email message filtering and correlation

Tracking token preview More information: Use Email message filtering and correlation
to specify which emails are tracked

Prefix Default: CRM.

Base tracking number Default: 0.

Number of digits for personal numbers Default: 3.



Number of digits for email activity counter Default: 3.

Use smart matching Default: Off. Select On to use smart matching to correlate
email based on the similarity between email messages. Smart
matching isn’t as accurate as tracking tokens or folder-level
tracking. More information: Email message filtering and
correlation

Folder-level tracking

Use folder-level tracking for Exchange folders (server-side synchronization must be enabled) Default: On. Users can set up Exchange tracking folders, and then move messages to those folders to track them automatically on virtually any device. More information: Track Outlook email by moving it to a tracked Exchange folder

Folder-level tracking provides 100% tracking accuracy. To use folder-level tracking:

- Select On.
- Your organization must synchronize email through server-side synchronization. More information: Set up server-side synchronization

Tracking items

People can use categories to track emails and appointments Default: Off. Content coming.

Allow auto-tracking on outgoing email Default: Off. Content coming.

Tracking between people

Track emails sent between Dynamics 365 users as two activities Default: On. Select this option to create two email activities between Dynamics 365 users, one for the sender and one for the recipient.
Edit mailboxes
10/16/2020 • 5 minutes to read

By default, when users and queues are created in customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), their respective mailbox records are also created. These mailbox records contain information that is
specific to an individual mailbox on the email server, like email address, mailbox credentials, and email
synchronization method. To process email messages using server-side synchronization for users and queues, their
respective mailbox records should be associated to an email server profile record in customer engagement apps.
If your organization wants to configure server-side synchronization using a forward mailbox, you can create a new
forward mailbox record.

IMPORTANT
Forward mailboxes are not recommended and you should use individual mailboxes instead. Please review: Forward mailbox
vs. individual mailboxes.

A forward mailbox is used as a collection box for email messages that are transferred from each user’s mailbox on
the email system by a server-side rule. The forward mailbox must be dedicated to server-side synchronization, and
must not be used as a working mailbox by an individual user. This can be used to process email messages for users
and queues whose mailboxes have Incoming Email Synchronization Method set to Forward Mailbox. You
must associate the forward mailbox record to an email server profile record to process email using server-side
synchronization.

TIP
You can use a Microsoft 365 shared mailbox when you create a queue in customer engagement apps and not consume a
Microsoft 365 license for a forwarding email account.

These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Email > Mailboxes .
Make sure you have the System Administrator or System Customizer security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Email > Mailboxes .
2. To edit an existing mailbox record, open the mailbox record.
3. In the mailbox record, specify the following details.

FIELDS    DESCRIPTION

General

Name Type a meaningful name for the mailbox.



Owner Shows the owner of the mailbox. For a user mailbox that is
automatically populated, the owner of the mailbox is the
user itself. For a queue mailbox that is automatically
populated, the owner of the mailbox is the owner of the
queue record.

Email address Type the email address for the forward mailbox, such as
forwardmailbox@contoso.com.

For a user or a queue mailbox, the email address is the same as that specified in the corresponding user or queue record form. If you edit the email address here, the email address in the user or queue record is updated automatically.

Delete Emails After Processing Specify if you want to delete email from the mailbox after
processing. This field is available and can be set to Yes only
for a forward mailbox and a queue mailbox.

Regarding Select the user or queue that the mailbox is associated with. This field is empty and cannot be set for a forward mailbox.

Is Forward Mailbox This field indicates whether the mailbox record is a forward
mailbox. When set to No , it indicates that the mailbox
record is associated to an individual user or queue in
customer engagement apps.

Credentials

Allow to Use Credentials for Email Processing Select Yes if the email server profile associated to this
mailbox has Authenticate Using set to Credentials
Specified by a User or Queue . You must provide the
username and password when this field is set to Yes . These
credentials will be used to send and receive email from the
mailbox on the email server. Note: To ensure the
credentials are secured in customer engagement apps, SQL
encryption is used to encrypt the credentials stored in the
mailbox if you’re processing email by using server-side
synchronization.

Synchronization Method

Server Profile Select the email server profile that is used for email
processing for this mailbox.

For information on choosing a synchronization method, see: Integrate your email system

Incoming Email Select the delivery method for incoming email. This will
determine how incoming email will be accessed for this
mailbox.

- None. Email won’t be received.
- Forward Mailbox. Email will be received using a forward
mailbox.
- Microsoft Dynamics 365 for Outlook. Email is received by
using Dynamics 365 for Outlook.
- Server-Side Synchronization or Email Router. Email is
received by using server-side synchronization or the Email
Router.

Outgoing Email Select the delivery method for outgoing email. This
determines how outgoing email will be sent for this
mailbox.

- None. Email won’t be sent.
- Microsoft Dynamics 365 for Outlook. Email is sent by
using Dynamics 365 for Outlook.
- Server-Side Synchronization or Email Router. Email is sent
by using server-side synchronization or Email Router.
Note: For a forward mailbox, only None is allowed.

Appointments, Contacts, and Tasks Select whether you want to use Dynamics 365 for Outlook
or server-side synchronization to synchronize
appointments, contacts, and tasks.

If you select None, appointments, contacts, and tasks won’t be synchronized.

Configuration Test Results

Incoming Email Status Show the result of the email configuration test for
incoming email. The various statuses can be:

- Not Run. The email configuration test has not been run
for this mailbox.
- Success. The incoming email has been configured and
email can be received for this mailbox.
- Failure. The incoming email has been configured but it is
not possible to pull email from the corresponding
configured mailbox.

Outgoing Email Status Show the result of the email configuration test for
outgoing email. The various statuses can be:

- Not Run. The email configuration test hasn’t been run for
this mailbox.
- Success. The outgoing email has been configured and
email can be sent from this mailbox.
- Failure. The outgoing email has been configured but it’s
not possible to send email from the corresponding
configured mailbox.

Appointments, Contacts, and Tasks Status Show the result of the synchronization of appointments,
contacts, and tasks. The various statuses can be:

- Not Run. The synchronization has not been tested for this mailbox.
- Success. Appointments, contacts, and tasks can be
synchronized for this mailbox.
- Failure. Appointments, contacts, and tasks can’t be
synchronized for this mailbox.

Mailbox Test Completed On This field shows the date and time when the email
configuration was tested for this mailbox record.

4. Select Save or Save & Close .


Supported email service configurations for server-side synchronization
10/16/2020 • 2 minutes to read

Depending on your customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics
365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) installation, you may
be deciding whether to use server-side synchronization or the Email Router/Outlook synchronization. The following
table lists what is supported by server-side synchronization for each type of installation. Later in this topic, you can
read about the scenarios that aren't supported by server-side synchronization.

IMPORTANT
The information here includes the POP3/SMTP and IMAP/SMTP systems supported by Microsoft. Although other
POP3/SMTP and IMAP/SMTP systems might work with Customer Engagement (on-premises), those systems were not
tested by Microsoft and are not supported.
Outlook on the web is not supported in a hybrid deployment: Customer Engagement (on-premises) with Exchange Online.
You can create two different email server profiles: one for online mailboxes, and another for on-premises mailboxes.
Associate the mailboxes with the correct email server profile.
Manual tracking in Dynamics 365 for Outlook is not supported when a user's mailbox is configured to use server-side
synchronization with the POP/SMTP protocol.
For Dynamics CRM Online 2016 Update 1 and December 2016 Update for Dynamics 365 (online), we support service
encryption in Exchange Online with server-side sync.

CUSTOMER ENGAGEMENT APPS DEPLOYMENT | EMAIL SYSTEM | EMAIL SYNCHRONIZATION | APPOINTMENTS, CONTACTS, AND TASKS SYNCHRONIZATION | PROTOCOL

Customer engagement apps | Exchange Online; Exchange Server 2013 SP1; Exchange Server 2016; Exchange Server 2019 | Yes | Yes | Exchange Web Services

Customer engagement apps | Gmail; Yahoo! Mail | Yes | No | POP3/SMTP; IMAP/SMTP

Using Exchange Online with customer engagement apps


If your company is using Exchange Online with customer engagement apps, note the following:
Customer engagement apps support server-side synchronization with Exchange Online in the same tenant in
Microsoft 365 with Server to Server Authentication. Other authentication methods or settings are not
recommended or supported, including:
Using credentials specified by a user or queue
Using credentials specified in an email server profile
Using Impersonation
Setting Auto Discover Server Location to No
Using an email server profile other than Exchange Online

Unsupported email service configurations


Server-side synchronization doesn't support the following scenarios:
Mix of Exchange/SMTP and POP3/Exchange
Exchange Online profile mailbox with Exchange on-premises user. Use the Exchange Server (Hybrid) profile,
associate the mailbox to it, then test and enable.
Exchange Online profile mailbox with an Exchange mailbox that points to an external email server. Use the
POP3/SMTP Server profile, associate the mailbox to it, then test and enable.
Creation of mass email marketing campaigns
Extensibility scenarios like extending EWS/POP3/SMTP protocols and creating custom email providers
Exchange Server 2010 SP3
Exchange Server 2003 and Exchange Server 2007
Server-side synchronization in customer engagement apps requires a POP3/SMTP email server that is also FIPS
140-2 compliant. Some email servers are not FIPS 140-2 compliant, such as MSN, Outlook.com, or Windows
Live Mail.
Multi-factor authentication isn't supported for customer engagement apps to Exchange Server (on-premises),
and Customer Engagement (on-premises) to Exchange Online.
Currently, connecting customer engagement apps with Exchange Online in a different tenant is not supported.
For most situations not supported by server-side synchronization, you can use the Microsoft Dynamics CRM Email
Router. More information: Integrate your email system

NOTE
We recommend that you don't use a mixed configuration of Outlook synchronization and server-side synchronization for
appointments, contacts, and tasks in the same organization, because it may result in updated data not synchronizing to all
attendees.

See also
Server-side synchronization
Set up server-side synchronization of email, appointments, contacts, and tasks
Configure server-based authentication with SharePoint on-premises
10/16/2020 • 10 minutes to read

Server-based SharePoint integration for document management can be used to connect customer engagement
apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing,
and Dynamics 365 Project Service Automation) with SharePoint on-premises. When using server-based
authentication, Azure AD Domain Services is used as the trust broker and users do not need to sign in to
SharePoint.

Permissions required
Microsoft 365
Global admin membership - this is required for administrative-level access to the Microsoft 365 subscription
and to run the Azure PowerShell cmdlets.
Customer engagement apps
Run SharePoint Integration Wizard privilege. This is required to run the Enable Server-based
Authentication wizard.
By default, the System Administrator security role has this permission.
SharePoint on-premises
Farm Administrators group membership - this is required to run most of the PowerShell commands on the
SharePoint server.

Set up server-to-server authentication with SharePoint on-premises


Follow the steps in the order provided to set up customer engagement apps with SharePoint 2013 on-premises.

IMPORTANT
The steps described here must be completed in the order provided. If a task is not completed, such as a PowerShell command
that returns an error message, the issue must be resolved before you continue to the next command, task, or step.

Verify prerequisites
Before you configure customer engagement apps and SharePoint on-premises for server-based authentication, the
following prerequisites must be met:
SharePoint prerequisites
SharePoint 2013 (on-premises) with Service Pack 1 (SP1) or later version

IMPORTANT
SharePoint Foundation 2013 versions aren't supported for use with customer engagement apps document
management.

Install the April 2019 Cumulative Update (CU) for the SharePoint 2013 product family. This April 2019 CU
includes all SharePoint 2013 fixes (including all SharePoint 2013 security fixes) released since SP1. The April
2019 CU does not include SP1. You need to install SP1 before installing the April 2019 CU. More information:
KB4464514 SharePoint Server 2013 April 2019 CU
SharePoint configuration
If you use SharePoint 2013, for each SharePoint farm, only one customer engagement app can be
configured for server-based integration.
SharePoint website must be accessible via the Internet. A reverse proxy may also be required for
SharePoint authentication. More information: Configure a reverse proxy device for SharePoint Server
2013 hybrid
SharePoint website must be configured to use SSL (HTTPS) on TCP port 443 (no custom ports are
supported) and the certificate must be issued by a public root Certificate Authority. More information:
SharePoint: About Secure Channel SSL certificates
A reliable user property to use for claims-based authentication mapping between SharePoint and
customer engagement apps. More information: Selecting a claims mapping type
For document sharing, the SharePoint search service must be enabled. More information: Create and
configure a Search service application in SharePoint Server
For document management functionality when using the Dynamics 365 mobile apps, the on-premises
SharePoint server must be available through the Internet.
Other prerequisites
SharePoint Online license. Customer engagement apps to SharePoint on-premises server-based
authentication must have the SharePoint service principal name (SPN) registered in Azure Active Directory.
To achieve this, at least one SharePoint Online user license is required. The SharePoint Online license can
derive from a single user license and typically comes from one of the following:
A SharePoint Online subscription. Any SharePoint Online plan is sufficient even if the license isn't
assigned to a user.
A Microsoft 365 subscription that includes SharePoint Online. For example, if you have Microsoft
365 E3, you have the appropriate licensing even if the license isn't assigned to a user.
For more information about these plans, see Find the right solution for you and Compare SharePoint
options
The following software features are required to run the PowerShell cmdlets described in this topic.
Microsoft Online Services Sign-In Assistant for IT Professionals Beta
MSOnlineExt
To install the MSOnlineExt module, enter the following command from an administrator PowerShell
session.

Install-Module -Name "MSOnlineExt"

IMPORTANT
At the time of this writing, there is an issue with the RTW version of Microsoft Online Services Sign-In Assistant for IT
Professionals. Until the issue is resolved, we recommend that you use the Beta version. More information: Microsoft
Azure Forums: Cannot install Azure Active Directory Module for Windows PowerShell. MOSSIA is not installed.

A suitable claims-based authentication mapping type to use for mapping identities between customer
engagement apps and SharePoint on-premises. By default, email address is used. More information: Grant
customer engagement apps permission to access SharePoint and configure the claims-based authentication
mapping
Update the SharePoint Server SPN in Azure Active Directory Domain Services
On the SharePoint on-premises server, in the SharePoint 2013 Management Shell, run these PowerShell commands
in the order given.
1. Prepare the PowerShell session.
The following cmdlets enable the computer to receive remote commands and add Microsoft 365 modules to
the PowerShell session. For more information about these cmdlets see Windows PowerShell Core Cmdlets.

Enable-PSRemoting -force
New-PSSession
Import-Module MSOnline -force
Import-Module MSOnlineExtended -force

2. Connect to Microsoft 365.


When you run the Connect-MsolService command, you must provide a valid Microsoft account that has
Global admin membership for the SharePoint Online license that is required.
For detailed information about each of the Azure Active Directory PowerShell commands listed here, see
Manage Azure AD using Windows PowerShell

$msolcred = get-credential
connect-msolservice -credential $msolcred

3. Set the SharePoint host name.


The value that you set for the variable HostName must be the complete host name of the SharePoint site
collection. The hostname must be derived from the site collection URL and is case sensitive. In this example,
the site collection URL is https://SharePoint.contoso.com/sites/salesteam, so the hostname is
SharePoint.contoso.com.

$HostName = "SharePoint.contoso.com"

4. Get the Microsoft 365 object (tenant) id and SharePoint Server Service Principal Name (SPN).

$SPOAppId = "00000003-0000-0ff1-ce00-000000000000"
$SPOContextId = (Get-MsolCompanyInformation).ObjectID
$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $SPOAppId
$ServicePrincipalName = $SharePoint.ServicePrincipalNames

5. Set the SharePoint Server Service Principal Name (SPN) in Azure Active Directory.

$ServicePrincipalName.Add("$SPOAppId/$HostName")
Set-MsolServicePrincipal -AppPrincipalId $SPOAppId -ServicePrincipalNames $ServicePrincipalName

After these commands complete do not close the SharePoint 2013 Management Shell, and continue to the
next step.
Update the SharePoint realm to match that of SharePoint Online
On the SharePoint on-premises server, in the SharePoint 2013 Management Shell, run this Windows PowerShell
command.
The following command requires SharePoint farm administrator membership and sets the authentication realm of
the SharePoint on-premises farm.
CAUTION

Running this command changes the authentication realm of the SharePoint on-premises farm. For applications that
use an existing security token service (STS), this may cause unexpected behavior with other applications that use
access tokens. More information: Set-SPAuthenticationRealm.

Set-SPAuthenticationRealm -Realm $SPOContextId

Create a trusted security token issuer for Azure Active Directory on SharePoint
On the SharePoint on-premises server, in the SharePoint 2013 Management Shell, run these PowerShell commands
in the order given.
The following commands require SharePoint farm administrator membership.
For detailed information about these PowerShell commands, see Use Windows PowerShell cmdlets to administer
security in SharePoint 2013.
1. Enable the PowerShell session to make changes to the security token service for the SharePoint farm.

$c = Get-SPSecurityTokenServiceConfig
$c.AllowMetadataOverHttp = $true
$c.AllowOAuthOverHttp= $true
$c.Update()

2. Set the metadata endpoint.

$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $SPOContextId + "/metadata/json/1"
$acsissuer = "00000001-0000-0000-c000-000000000000@" + $SPOContextId
$issuer = "00000007-0000-0000-c000-000000000000@" + $SPOContextId

3. Create the new token control service application proxy in Azure Active Directory.

New-SPAzureAccessControlServiceApplicationProxy -Name "Internal" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup

NOTE
The New-SPAzureAccessControlServiceApplicationProxy command may return an error message indicating that
an application proxy with the same name already exists. If the named application proxy already exists, you can ignore
the error.

4. Create the new token control service issuer in SharePoint on-premises for Azure Active Directory.

$acs = New-SPTrustedSecurityTokenIssuer -Name "ACSInternal" -IsTrustBroker:$true -MetadataEndpoint $metadataEndpoint -RegisteredIssuerName $acsissuer
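
The three procedures above (SPN, realm, trusted token issuer) can be checked afterwards against the values they are meant to leave behind. The following is an added example, not part of the original documentation: the function names, parameter names and sample values are hypothetical, and the property names in the comments are assumed to mirror the cmdlet parameters.

```powershell
# Added example. Function and parameter names are hypothetical; sample values are constructed.
$SPOAppId = '00000003-0000-0ff1-ce00-000000000000'   # SharePoint app id used in step 4
$AcsAppId = '00000001-0000-0000-c000-000000000000'   # prefix of $acsissuer in the procedure

function Get-SiteUrlPart {
    param([Parameter(Mandatory)][string]$SiteCollectionUrl)
    # [uri].Host returns the host in lower case. The procedure states the host
    # name is case sensitive, so it is cut from the URL text as written.
    $pattern = '^(?<scheme>[a-z][a-z0-9+.-]*)://(?<host>[^/:?#]+)(?::(?<port>\d+))?'
    $isUrl = $SiteCollectionUrl -match $pattern
    if (-not $isUrl) { throw "Not an absolute URL: $SiteCollectionUrl" }
    $port = $null
    if ($Matches['port']) { $port = [int]$Matches['port'] }
    [pscustomobject]@{
        Scheme = $Matches['scheme'].ToLowerInvariant()
        Host   = $Matches['host']
        Port   = $port
    }
}

function New-CheckResult {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    $status = 'Fail'
    if ($Ok) { $status = 'Pass' }
    [pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail }
}

function Test-S2SConfiguration {
    param(
        [Parameter(Mandatory)][string]$SiteCollectionUrl,
        [Parameter(Mandatory)][string]$TenantId,
        [string[]]$ServicePrincipalNames = @(),
        [string]$AuthenticationRealm = '',
        [string[]]$RegisteredIssuerNames = @(),
        [bool]$AllowOAuthOverHttp,
        [bool]$AllowMetadataOverHttp
    )
    $site      = Get-SiteUrlPart -SiteCollectionUrl $SiteCollectionUrl
    $spn       = '{0}/{1}' -f $SPOAppId, $site.Host
    $acsIssuer = '{0}@{1}' -f $AcsAppId, $TenantId

    # Prerequisite from the page: HTTPS on TCP port 443, no custom ports.
    $tlsOk = ($site.Scheme -eq 'https') -and ($null -eq $site.Port -or $site.Port -eq 443)
    New-CheckResult 'HTTPS on port 443' $tlsOk $SiteCollectionUrl

    # Step 5: "$SPOAppId/$HostName" must be in the SPN list, compared case-sensitively.
    if ($ServicePrincipalNames -ccontains $spn) {
        New-CheckResult 'SPN registered' $true $spn
    } elseif ($ServicePrincipalNames -contains $spn) {
        New-CheckResult 'SPN registered' $false "Present only with different letter case; expected $spn"
    } else {
        New-CheckResult 'SPN registered' $false "Missing $spn"
    }

    # Set-SPAuthenticationRealm -Realm $SPOContextId
    New-CheckResult 'Realm equals tenant id' ($AuthenticationRealm -eq $TenantId) "Realm: $AuthenticationRealm"

    # New-SPTrustedSecurityTokenIssuer ... -RegisteredIssuerName $acsissuer
    New-CheckResult 'ACS trusted token issuer' ($RegisteredIssuerNames -contains $acsIssuer) $acsIssuer

    # The procedure sets both flags to $true; they are reported here, not judged.
    [pscustomobject]@{
        Check  = 'STS HTTP flags'
        Status = 'Info'
        Detail = "AllowOAuthOverHttp=$AllowOAuthOverHttp AllowMetadataOverHttp=$AllowMetadataOverHttp"
    }
}

# Constructed sample. On a live farm the same inputs come from:
#   (Get-MsolServicePrincipal -AppPrincipalId $SPOAppId).ServicePrincipalNames
#   Get-SPAuthenticationRealm
#   (Get-SPTrustedSecurityTokenIssuer).RegisteredIssuerName
#   Get-SPSecurityTokenServiceConfig   (AllowOAuthOverHttp, AllowMetadataOverHttp)
$tenant = '11111111-2222-3333-4444-555555555555'
$sample = @{
    SiteCollectionUrl     = 'https://SharePoint.contoso.com/sites/salesteam'
    TenantId              = $tenant
    ServicePrincipalNames = @("$SPOAppId/sharepoint.contoso.com")   # lower-case host on purpose
    AuthenticationRealm   = $tenant
    RegisteredIssuerNames = @('{0}@{1}' -f $AcsAppId, $tenant)
    AllowOAuthOverHttp    = $true
    AllowMetadataOverHttp = $true
}
Test-S2SConfiguration @sample | Format-Table -AutoSize -Wrap
```

In the constructed sample the SPN was registered with a lower-case host, so the SPN check fails while the realm and issuer checks pass.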

Grant customer engagement apps permission to access SharePoint and configure the claims-based
authentication mapping
On the SharePoint on-premises server, in the SharePoint 2013 Management Shell, run these PowerShell commands
in the order given.
The following commands require SharePoint site collection administration membership.
1. Register customer engagement apps with the SharePoint site collection.
Enter the SharePoint on-premises site collection URL. In this example,
https://sharepoint.contoso.com/sites/crm/ is used.

IMPORTANT
To complete this command, the SharePoint App Management Service Application Proxy must exist and be running.
For more information about how to start and configure the service, see the Configure the Subscription Settings and
App Management service applications subtopic in Configure an environment for apps for SharePoint (SharePoint
2013).

$site = Get-SPSite "https://sharepoint.contoso.com/sites/crm/"
Register-SPAppPrincipal -site $site.RootWeb -NameIdentifier $issuer -DisplayName "crm"

2. Grant customer engagement apps access to the SharePoint site. Replace https://sharepoint.contoso.com/sites/crm/ with your SharePoint site URL.

NOTE
In the following example, the customer engagement app is granted permission to the specified SharePoint site
collection by using the -Scope sitecollection parameter. The Scope parameter accepts the following options. Choose
the scope that is most appropriate for your SharePoint configuration.
site . Grants the customer engagement apps permission to the specified SharePoint website only. It doesn't
grant permission to any subsites under the named site.
sitecollection . Grants the customer engagement apps permission to all websites and subsites within
the specified SharePoint site collection.
sitesubscription . Grants the customer engagement apps permission to all websites in the SharePoint
farm, including all site collections, websites, and subsites.

$app = Get-SPAppPrincipal -NameIdentifier $issuer -Site "https://sharepoint.contoso.com/sites/crm/"
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.Rootweb -Scope "sitecollection" -Right "FullControl"

3. Set the claims-based authentication mapping type.

IMPORTANT
By default, the claims-based authentication mapping will use the user's Microsoft account email address and the user's
SharePoint on-premises work email address for mapping. When you use this, the user's email addresses must match
between the two systems. For more information, see Selecting a claims-based authentication mapping type.

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

Run the Enable server-based SharePoint integration wizard


Follow these steps:
1. Go to Settings > Document Management .
2. In the Document Management area, click Enable server-based SharePoint integration.
3. Review the information and then click Next .
4. For the SharePoint sites, click On-premises , and then Next .
5. Enter the SharePoint on-premises site collection URL, such as https://sharepoint.contoso.com/sites/crm. The
site must be configured for SSL.
6. Click Next .
7. The validate sites section appears. If all sites are determined valid, click Enable . If one or more sites are
determined invalid, see Troubleshooting server-based authentication.
Select the entities that you want to include in document management
By default, Account, Article, Lead, Product, Quote, and Sales Literature entities are included. You can add or remove
the entities that will be used for document management with SharePoint in Document Management Settings .
Go to Settings > Document Management . More information: Enable document management on entities

Add OneDrive for Business integration


After you complete customer engagement apps and SharePoint on-premises server-based authentication
configuration, you can also integrate OneDrive for Business. With customer engagement apps and OneDrive for
Business integration, users can create and manage private documents using OneDrive for Business. Those
documents can be accessed in customer engagement apps once the system administrator has enabled OneDrive for Business.
Enable OneDrive for Business
On the Windows Server where SharePoint Server on-premises is running, open the SharePoint Management Shell
and run the following commands:

Add-Pssnapin *
# Access WellKnown App principal
[Microsoft.SharePoint.Administration.SPWebService]::ContentService.WellKnownAppPrincipals

# Create WellKnown App principal
$ClientId = "00000007-0000-0000-c000-000000000000"
$PermissionXml = "<AppPermissionRequests AllowAppOnlyPolicy=""true""><AppPermissionRequest
Scope=""http://sharepoint/content/tenant"" Right=""FullControl"" /><AppPermissionRequest
Scope=""http://sharepoint/social/tenant"" Right=""Read"" /><AppPermissionRequest
Scope=""http://sharepoint/search"" Right=""QueryAsUserIgnoreAppPrincipal"" /></AppPermissionRequests>"

$wellKnownApp = New-Object -TypeName "Microsoft.SharePoint.Administration.SPWellKnownAppPrincipal" -ArgumentList ($ClientId, $PermissionXml)

$wellKnownApp.Update()

Selecting a claims-based authentication mapping type


By default, the claims-based authentication mapping will use the user's Microsoft account email address and the
user's SharePoint on-premises work email address for mapping. Note that whatever claims-based authentication
type you use, the values, such as email addresses, must match between customer engagement apps and
SharePoint. Microsoft 365 directory synchronization can help with this. More information: Deploy Microsoft 365
Directory Synchronization in Microsoft Azure. To use a different type of claims-based authentication mapping, see
Define custom claim mapping for SharePoint server-based integration.
IMPORTANT
To enable the Work email property, SharePoint on-premises must have a User Profile Service Application configured and
started. To enable a User Profile Service Application in SharePoint, see Create, edit, or delete User Profile service applications in
SharePoint Server 2013. To make changes to a user property, such as Work email, see Edit a user profile property. For more
information about the User Profile Service Application, see Overview of the User Profile service application in SharePoint
Server 2013.

See also
Troubleshooting server-based authentication
Set up SharePoint integration with customer engagement apps

Enable SharePoint document management for specific entities
10/16/2020 • 2 minutes to read

Store the documents related to entity records in SharePoint and quickly access, share, and manage these documents
from customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), by enabling document
management on the specific entities.

TIP
If you haven't set up server-based SharePoint integration, you may want to do that before enabling document management
for specific entities. For more information, see Set up SharePoint integration.

1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics
365. Or verify that you have Read and Write privileges on all record types that are customizable.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Integration > Document management settings > Document Management
Settings.
4. Select the entities that you want to use to manage SharePoint documents.
If a URL is not already specified, enter the URL of the SharePoint site where the document locations and
folders for storing documents will be created, and then select Next.
5. Consider these server-based integration settings.
Check Based on entity to have document libraries and folders that are based on the Account entity
automatically created on the SharePoint site. Users will not be prompted to create them.
If you don't want folders automatically created, clear the Based on entity check box.

IMPORTANT
If you have customer engagement apps and SharePoint Online, make sure the site is under the same Microsoft 365
tenant as your Dynamics 365 environments.

Select Finish.
For more information on server-based integration, see Set up SharePoint integration.
IMPORTANT
With the exception of the opportunity and contract entities, a hierarchical folder structure will not be automatically created
in SharePoint for entities that have more than one many-to-one (N:1) relationship with the parent entity.
For document management to function correctly for an entity, the entity relationship must be one-to-many (1:N) between
the entity and the SharePoint document entity. The documents that exist in the SharePoint document library will not
appear in the app for entities with many-to-one (N:1) or many-to-many (N:N) relationships between the entity and a
SharePoint document entity.

See also
Edit existing SharePoint site records
Set up SharePoint integration

Enable document suggestions to recommend related documents
10/16/2020 • 5 minutes to read

Enabling Document Suggestions helps your Dynamics 365 apps web browser and mobile users be aware of
important documents related to what they're working on in Dynamics 365 apps, such as a big sales opportunity.
You, as the admin, define relevant fields. A recommendation engine using Azure text analytics uses keyword
matching to associate related records to find similar documents. You create similarity rules in Dynamics 365 apps
to provide your own similarity logic. Dynamics 365 apps then presents a list of suggested documents to the user
while the user works in the current record.

NOTE
The Document Suggestions feature doesn't require a connection to the Azure Text Analytics service. If you choose not to use
Azure Text Analytics, Document Suggestions will use the built-in keyword matching logic available in Dynamics 365 apps.
However, we recommend that you use Azure Text Analytics service for more advanced keyword matching.

Document Suggestions searches other like-entities to determine similarities found in documents located on a
SharePoint site, OneDrive, or external location. Suggested documents can be in several different formats such as
Word, Excel, PowerPoint, OneNote, Adobe PDF, and text files. When similar documents are found, Document
Suggestions presents them, offering you the ability to open the document or make a copy.

Requirements
The following are required to use Document Suggestions with Dynamics 365 apps.
Dynamics 365 apps
To suggest documents located on SharePoint:
Access to SharePoint Online, SharePoint 2013, or SharePoint 2016.
Document management must be set up in Dynamics 365 apps. See Set up SharePoint integration.
Relevance Search must be enabled. More information: Configure Relevance Search for the organization
Document Suggestions works with Web browser, Dynamics 365 for tablets and Dynamics 365 for phones.
To use Azure text analytics with Document Suggestions:
An Azure subscription is required to use the Azure Text Analytics service.
A system administrator must enable the text analytics connection in Dynamics 365 apps.
A system administrator must define a similarity rule for each entity type that is to be included in Document
Suggestions. More information: Use advanced similarity rules to view similar case suggestions.

How it works
The entities that can use Document Suggestions are Contact, Opportunity, Lead, Account, Case, and custom entities.
You can use the built-in pattern matching that is included natively with the Document Suggestions feature, but we
recommend that you use Azure Text Analytics service for more advanced keyword matching.
Document Suggestions searches only the locations and documents that the user has access to.
Locations where documents are found are searched in the following order:
1. SharePoint default site.
2. Other SharePoint sites.
3. OneDrive.
4. Microsoft 365 Groups (when solution is installed).
5. External URL (when configured).
Currently, Document Suggestions does not search attachments that are added to Notes in Dynamics 365 apps
records.
Adding an external URL to search another site
External sites, such as an on-premises SharePoint document library, can be included in Document Suggestions by
adding an external URL for the site to be searched.

NOTE
For the best results when using an external site for document suggestions, we recommend that you use Azure Text Analytics,
which provides more advanced keyword matching logic.

Once you add the external URL to the enabled document suggestions feature, here is what your users will
experience.
Web browsers. When you run Dynamics 365 apps from a Web browser, after selecting Document
Suggestions, users can then select Other Recommendations in the Document Suggestions page to
display another page that may include more document suggestions found on the external site. Notice that
the user may be prompted to sign in to the external site.
Mobile apps. For the Dynamics 365 for tablets and Dynamics 365 for phones apps, after selecting
Document Suggestions, users can select Other Recommendations, which opens the external site in the
device's default web browser that may include more document suggestions found on the external site. Notice
that the user may be prompted to sign in to the external site.
Constructing the external URL
The external URL should be constructed in a format that is understood by the external site. For example, for sites
that use a construct similar to https://contoso.com/search?{0}, where https://contoso.com/search? is the search
URL structure and {0} is the keyword string, Document Suggestions passes the keywords in the {0} parameter. The
keywords that are passed to the URL are derived from similar record rules that include entity mappings of Text
Match. More information: Use advanced similarity rules to view similar case suggestions.
The values found in the text fields of the similarity rule mappings are used as keywords to build the query that is
passed to the external site, similar to the below URL, where keyword is the text values found in the similarity rules
mappings and & represents a whitespace that Document Suggestions uses to separate each keyword.
https://contoso.com/search?keywordA&keywordB&keywordC
For an on-premises SharePoint server, you can add an external URL that points to a subsite similar to this, where
mysharepoint is the web site name, sites is the site name, and subsitename is the subsite name.
https://mysharepoint/sites/subsitename/_layouts/15/osssearchresults.aspx?&k={0}
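
The URL format described above can be checked before it is entered in the admin center. The following PowerShell is an added example, not Microsoft's code: Test-ExternalSearchTemplate and Get-ExternalSearchPreview are hypothetical helper names, the https-only and host allow-list checks are this example's policy assumptions rather than documented product requirements, and percent-encoding each keyword is an assumption about how the keywords are sent.

```powershell
# Added example; not part of the product. Function names are hypothetical.

function Test-ExternalSearchTemplate {
    # Validates an external URL template of the form described above,
    # for example https://contoso.com/search?{0}
    param(
        [Parameter(Mandatory = $true)] [string] $Template,
        [string[]] $AllowedHosts = @()   # assumption: hosts your organization has approved
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'

    # The keyword string is substituted into {0}; require exactly one placeholder.
    $placeholders = [regex]::Matches($Template, '\{0\}').Count
    if ($placeholders -ne 1) {
        $problems.Add("expected exactly one {0} placeholder, found $placeholders")
    }

    # Parse the template with the placeholder replaced by a neutral token.
    $token = 'KEYWORDPROBE'
    $probe = $Template.Replace('{0}', $token)
    $uri = $null
    $parsed = [System.Uri]::TryCreate($probe, [System.UriKind]::Absolute, [ref] $uri)

    if (-not $parsed) {
        $problems.Add('not an absolute URL')
    }
    else {
        if ($uri.Scheme -ne 'https') {
            $problems.Add("scheme '$($uri.Scheme)' is not https; keywords would travel unencrypted")
        }
        if ($uri.UserInfo) {
            $problems.Add('URL embeds credentials')
        }
        if ($AllowedHosts.Count -gt 0 -and $AllowedHosts -notcontains $uri.Host) {
            $problems.Add("host '$($uri.Host)' is not on the allow-list")
        }
        # Keywords belong in the query string, not in the host or path.
        if ($placeholders -eq 1 -and $uri.Query -notlike "*$token*") {
            $problems.Add('{0} is not in the query string')
        }
    }

    [pscustomobject]@{
        Template = $Template
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

function Get-ExternalSearchPreview {
    # Shows the URL an external site would receive for a set of keywords:
    # keywords joined with & and placed in {0}, as described above.
    # Percent-encoding each keyword is this example's assumption.
    param(
        [Parameter(Mandatory = $true)] [string] $Template,
        [string[]] $Keywords = @()
    )
    $encoded = @($Keywords |
        Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { [System.Uri]::EscapeDataString($_.Trim()) })
    $Template.Replace('{0}', ($encoded -join '&'))
}

# Constructed sample input: the two templates from the text above and two weak variants.
$templates = @(
    'https://contoso.com/search?{0}',
    'https://mysharepoint/sites/subsitename/_layouts/15/osssearchresults.aspx?&k={0}',
    'http://contoso.com/search?{0}',
    'https://contoso.com/search'
)

# Constructed keywords standing in for text-field values from a similarity rule mapping.
$keywords = @('Fabrikam renewal', 'Q3 pricing')

foreach ($t in $templates) {
    $result = Test-ExternalSearchTemplate -Template $t -AllowedHosts 'contoso.com', 'mysharepoint'
    if ($result.Valid) {
        'OK      {0}' -f (Get-ExternalSearchPreview -Template $t -Keywords $keywords)
    }
    else {
        'REJECT  {0}  ({1})' -f $t, ($result.Problems -join '; ')
    }
}
```

The preview line shows which record text would end up in the external site's request URL, which is useful when deciding which fields to map as Text Match.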

Set up the Azure text analytics connection


To use Azure text analytics with Document Suggestions, an Azure text analytics connection must be configured.

NOTE
The Document Suggestions feature doesn't require a connection to the Azure Text Analytics service. If you choose not to use
Azure Text Analytics, Document Suggestions will use the built-in keyword matching logic available in Dynamics 365 apps.
However, we recommend that you use Azure Text Analytics service for more advanced keyword matching.

Define and activate similarity rules


If you have not already defined similarity rules, see Use advanced similarity rules to view similar case suggestions.

Enable Document Suggestions


To enable Document Suggestions, do the following:
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > Settings > Integration > Document management
settings > Manage Document Suggestions.
3. In the Select Entities area, select the entities that you want to include in Document Suggestions, and then
select Apply.

TIP
If the entities (contact, opportunity, lead, account, or custom) aren't listed in the Select Entities area, it is because
similarity rules for the entity have not been defined and activated. Use advanced similarity rules to view similar case
suggestions.

4. Set external URL to include in Document Suggestions. By default, Document Suggestions searches in
Microsoft 365 services like SharePoint or OneDrive. If you want to search an external site in addition to the
available Microsoft 365 services, such as an on-premises SharePoint site, enter the base URL to the external
system. Dynamics 365 apps will append a search query string to the base URL you provide. More
information: Adding an external URL to search another site.
See also

Enable OneDrive for Business (online)
10/16/2020 • 2 minutes to read

This feature was introduced in CRM Online 2016 Update.


Users can create and manage private documents with OneDrive for Business. Those documents can be accessed in
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), after the system administrator has
enabled OneDrive for Business.

Requirements
NOTE
This topic applies to organizations deploying online versions of OneDrive for Business and customer engagement apps. For
information on integrating OneDrive for Business on-premises with Dynamics 365 apps, or an online/on-premises mix of
these products, see: Enable OneDrive for Business (on-premises).

The following are required to use OneDrive for Business with customer engagement apps:
Set up customer engagement apps to use SharePoint Online.
A OneDrive for Business license for each user. More information: What is OneDrive for Business?
A SharePoint license for each user. Users with a SharePoint license can use OneDrive for Business. For
SharePoint Online, Microsoft 365 subscriptions come with SharePoint Online licenses.
For full Microsoft 365 feature integration with Dynamics 365 and Customer Engagement (on-premises),
you'll need Microsoft 365 Enterprise E3 or later. Skype for Business PSTN calling and conferencing requires
Microsoft 365 Enterprise E5. Other Microsoft 365 plans are not supported. For more information on
licensing and pricing, see:
Dynamics 365 pricing
Dynamics 365 Licensing Guide
Before using OneDrive for Business in customer engagement apps, the administrator and end users should
access OneDrive for Business through the web interface. For example, if you're using SharePoint Online, go
to https://admin.microsoft.com > app launcher > OneDrive. The site and other information
required by customer engagement apps to enable OneDrive for Business integration gets created only when
the site is accessed.

Enable OneDrive for Business


You can enable OneDrive for Business as follows.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Integration > Document management settings.
3. Select Enable OneDrive for Business to enable it, and then select OK.

Controlling access to OneDrive for Business


You can toggle availability of OneDrive in customer engagement apps for end users through the OneDrive for
Business privilege.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Security roles.
3. Select a security role, and then select the Core Records tab.
4. Under Miscellaneous Privileges, toggle the OneDrive for Business privilege to the desired availability.

See also
Enable OneDrive for Business (on-premises)
What is OneDrive for Business?

Set up OneNote integration
10/16/2020 • 2 minutes to read

Gather your thoughts, ideas, plans and research in one single place with OneNote in customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation).
When you turn on OneNote integration in customer engagement apps, you have the benefits of using OneNote to
take or review customer notes from within your records.
You can configure OneNote in customer engagement apps when you're also using SharePoint Online. You must
have a subscription to Microsoft 365 to use OneNote in customer engagement apps.

Step 1: Turn on server-based SharePoint integration


Before you can enable OneNote integration, you need to turn on server-based SharePoint integration.
Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics 365.
Or, make sure that you have Read and Write privileges on all record types that are customizable.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Step 2: Turn on OneNote integration


When server-based SharePoint integration is turned on, OneNote integration is listed in Document
Management.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Integration > Document management settings.
3. Select OneNote Integration.
4. Follow the instructions in the wizard to turn on OneNote integration for selected entities. Choose entities that
need a full notebook per record. Only entities that are already enabled for document management are listed.
Select Finish.

5. You can also enable OneNote integration for an entity from the customization form, as long as document
management has been enabled for that entity.

6. A OneNote notebook is automatically created for a record the first time you select the OneNote tab in the
activities area in customer engagement apps. After the dedicated OneNote notebook is created for that
record, you can view and navigate to that notebook from any Dynamics 365 apps client.
More information: Use OneNote
To turn off OneNote integration
1. In the Power Platform admin center, select an environment.
2. Select Settings > Integration > Document management settings.
3. Select OneNote Integration.
4. In the OneNote Integration Setting dialog box, clear the check boxes for all entities, and then select
Finish.
See also
Use OneNote
OneNote FAQs
Turn on server-based SharePoint integration

Create or edit document location records
10/16/2020 • 2 minutes to read

SharePoint document locations are records in customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), that point to a SharePoint document library or folder.
To store documents for records, the document libraries or folders must be in place. If customer engagement apps
are unable to create the document libraries and folders automatically, you can manually create these in SharePoint.
After you create the document libraries and folders in SharePoint, you must create document location records in
customer engagement apps to point to these SharePoint document libraries and folders.
1. Go to Settings > Document Management.
2. Choose SharePoint Document Locations.
3. Choose New.
4. Specify the following information as required:
Name. Type a name for the document location. This name displays in the location list in the entity
record.
Owner. By default, you are added as the owner of this location record.
Description. Type a description for the document location.
URL Type. Select whether you want to create the location with an absolute URL or relative URL.
Select Absolute URL, and in the Absolute URL box, specify the fully qualified URL of the
location of the folder in SharePoint.
- OR -
Select Relative URL. In Relative URL, to create a relative document location to the existing
site or document location record, select the existing SharePoint site or document location
record. In the second box, enter the name of the SharePoint folder.
Regarding. Choose the Lookup button. In the Look Up Record dialog box, in the Look for list,
select the type of records you want to find. Search and select the record for which you want to create
the location record and choose OK.
5. Choose Save and Close.

NOTE
To activate or deactivate a document location, on the Document Locations page, select the document location record, and
choose Activate or Deactivate.

Edit existing SharePoint site records
10/16/2020 • 2 minutes to read

Store documents related to your records in SharePoint folders and manage the folders and documents from within
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation). Integrating SharePoint document
management with customer engagement apps makes it easy to access and share documents associated with your
records.

TIP
If you're using CRM 2013 SP1 or later, you can take advantage of server-based SharePoint integration between customer
engagement apps and SharePoint Online. Server-based SharePoint integration provides an immersive document management
experience consistent with the look and feel of customer engagement apps.
You can use server-based SharePoint integration for on-premises and hybrid SharePoint deployments. For information about
setting up server-based SharePoint integration using a wizard, see Set up SharePoint integration.

If you have already set up SharePoint document management, and want to edit your site records, use the following
procedure.

Edit site records


1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics
365.
Check your security role
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
2. In the web apps, go to Settings > Document Management.
3. Select SharePoint Sites.
4. Select the site record you want to modify, and then select Edit.
5. Modify any of the following settings:
Name. Add or change the name for the site.
Owner. By default, the person who created the site is listed as the owner of the site record.
Description. Add or change the description for the site. For example, specify what documents the site
contains.
URL Type. Specify whether you want to add an absolute (full) or relative URL for the site.
Absolute URL. To point this site record to a site collection or site in SharePoint, specify the
fully qualified URL of the site collection or site. You can use this record as a parent site to create
other site records with relative URLs for sites inside the site collection or sites on the same
SharePoint site.
Relative URL. Use this option when you have at least one site record pointing to a site
collection in SharePoint. In the Parent Site box, select an existing site record. If the site record
that you selected as a parent site points to a site collection on SharePoint, specify the name of
an existing site in the second box. If the site record that you selected as a parent site points to a
site on SharePoint, specify the name of an existing subordinate site on SharePoint.
6. Select Save.
7. Select Save and Close.

NOTE
To activate or deactivate a site record, on the SharePoint Sites page, select the site record, and then in the Records group,
select Activate or Deactivate.

See also
Set up SharePoint integration

System Settings Synchronization tab
10/16/2020 • 3 minutes to read

Use the settings on this page to determine how data is synchronized between customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation), and Microsoft Dynamics 365 for Outlook. For example, you can control
synchronization between pairs of fields or enable or disable synchronization of additional mailing addresses,
assigned tasks, or appointment attachments.

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Integration > Synchronization.

SETTINGS AND DESCRIPTIONS

Synchronize items with Outlook or Exchange

Setting: Manage system filters for your entire organization to determine the records that are synchronized to Outlook or Exchange folders.
Description: This setting provides access to the User Filters tab in the Synchronization Settings for Outlook or Exchange dialog box. You may want to view this tab to see the default online synchronization filter settings for users in your organization. More information: Choose the records to synchronize between customer engagement apps and Outlook or Exchange

Setting: Manage the synchronized fields of Outlook or Exchange items including appointments, contacts, and tasks for your entire organization.
Description: This setting provides access to the Synchronization Fields tab in the Synchronization Settings for Outlook or Exchange dialog box. Use this tab to view how appointments, contacts, and tasks fields are mapped between customer engagement apps and Outlook, and to change the synchronization direction or restrict synchronization for contacts and tasks fields. For example, if you want the contents of the contacts Notes field to be private, you can keep that field from synchronizing. More information: Control field synchronization between customer engagement apps and Outlook or Exchange

Manage your offline filters and take your information offline in Dynamics 365 for Outlook

Setting: Manage system offline filters for your entire organization to determine what data users can take with them when they go offline in Dynamics 365 for Outlook.
Description: This setting provides access to the User Filters tab in the Go Offline Settings dialog box. You may want to view this tab to see the default offline synchronization filter settings for users in your organization.

Configure general synchronization rules for your entire organization for appointments, contacts, and tasks

Appointments

Setting: Synchronize appointment attachments with Outlook or Exchange
Description: Attachments take up database space, so synchronization of appointment attachments is turned off by default. Choose the check box to turn on synchronization of attachments. Important: Synchronization of appointment attachments is not supported for recurring appointments or service activities.

Contacts

Setting: Synchronize mailing address only in Outlook contact
Setting: Synchronize all three addresses (Business, Home, Other) in Outlook contact
Description: By default, just one Outlook mailing address field is synchronized between customer engagement apps and Outlook. This is sufficient for most organizations. If you want to synchronize all three Outlook mailing address fields (Business, Home, and Other fields) choose the Synchronize all three addresses in Outlook contact option. Warning: Be cautious when enabling this option as it can cause data loss in some situations if you have existing data. This is due to the remapping of the attributes for existing tracked contacts. The best practice is to do in-house testing to understand how the re-mapping affects your environment and data. In most cases, you should have the full data in one side (normally in customer engagement apps) and sync to the other side (normally Outlook or Exchange).

Tasks

Setting: Synchronize tasks that are assigned in Outlook
Description: Outlook tasks are synchronized by default, but synchronization of assigned tasks is turned off by default. Most companies don't require this feature because tasks would usually be assigned directly in customer engagement apps by changing ownership. You may want to enable this feature, however, if your company's business processes involve creating and sending tasks in Outlook instead of customer engagement apps.

Select whether to enable syncing of resource bookings with Outlook

Setting: Synchronize resource bookings with Outlook
Description: Turn on (off by default) to enable resource bookings (Field Service) synchronization with Dynamics 365 App for Outlook. More information: Set up bookable resources (Field Service)

See also
Choose the records to synchronize between customer engagement apps and Outlook or Exchange
Control field synchronization between customer engagement apps and Outlook or Exchange

Connect to Yammer
10/16/2020 • 3 minutes to read

Yammer gives colleagues at your organization a central place to have conversations, create and edit documents, and
share information without sending a single email or attending any meetings.
After you set up your organization to work with Yammer, employees will see posts in a newsfeed on their customer
engagement apps dashboard whenever people update customer info, and they'll be able to join in the conversation
with their own posts.

Connect your organization to Yammer


Prerequisites
Before your organization can use Yammer in customer engagement apps (Dynamics 365 Sales, Dynamics
365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation), your organization needs to buy Yammer enterprise licenses.
Yammer integration is only available for customer engagement apps.
Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics
365.
You'll also need to have verified system administrator privileges for your organization's Yammer account.
Install the most recent product updates for customer engagement apps.
Meet browser and system requirements.
Connect to Yammer
1. Sign up for a Yammer Enterprise account, and note the name of the network you receive. More information:
Visit the Yammer website
2. Go to Settings > System.
3. In the Power Platform admin center, select an environment.
4. Select Settings > Integration > Yammer.
5. Read the disclaimer, and then choose Continue.
6. Choose Authorize Microsoft Dynamics 365 Online to connect to Yammer.
7. Sign in to your enterprise Yammer account using your administrator credentials.
8. Follow the on-screen instructions to accept the Yammer terms of service, note which Yammer network has
been set up for you, and connect your organization to it. After your organization is connected, you'll see a
confirmation message at the bottom of the screen.

NOTE
Customer engagement apps only support connecting to the primary Yammer network. Connecting to External
Networks in Yammer is not supported.

9. If desired, stay signed in to your Yammer account and set your organization's preferences for Yammer posts.
Set your organization's preferences for Yammer posts (optional)
1. Make sure you're signed in to your enterprise Yammer account using your administrator credentials.
2. If desired, select whether Yammer posts are public (everyone sees customer engagement apps posts in the
newsfeed) or private (people must "follow" a record to see posts about that record in the newsfeed).
3. If desired, select the default group where you would like posts to appear.
4. If desired, select which record types trigger automatic posts to the Yammer newsfeed.

Enable entities for Yammer


Once you've connected customer engagement apps to Yammer, you need to specify which entities are enabled for
use with Yammer. Enabled entities can be followed by users.
1. Go to Settings > System.
2. Choose Activity Feeds Configuration > Post Configurations.
3. Choose the entity, and then choose Activate.
4. Confirm the activation, and then choose More Commands (…) > Publish All Customizations.

What triggers automatic posts to the Yammer newsfeed?


IMPORTANT
As of June 26, 2018, Yammer deprecated the Activity stream and its related APIs so auto-posts can no longer be enabled. For
more information, see Open Graph Actions & Activity stories.

Additional considerations
When connecting with a federated Yammer
If you have configured Yammer to use single sign-on, you'll need to generate and use a temporary password to
connect to Yammer.
1. Sign in to Yammer with the single sign-on credentials.
2. Choose More commands (…) > Apps.
3. Scroll to the bottom of the page to the All Apps section.
4. Choose the Yammer tab, and then choose an app like Windows Phone. The app must support generating a
temporary password.
5. Complete the process to obtain a temporary user name and password.
6. Use the temporary user name and password to complete the customer engagement apps to Yammer
connection configuration.
Add Yammer sites to the browser as trusted
Add your Yammer sites to your browser as trusted. For example, for customer engagement apps, add the following:
https://*.crm.dynamics.com
https://*.yammer.com
https://*.assets-yammer.com
Privacy notice
By enabling Yammer, you consent to share your data with an external system. Data that is imported from external
systems into Microsoft Dynamics 365 (online) is subject to Microsoft Privacy and Cookies.
See also
Visit the Yammer website

Broadcast announcements to an entire organization
10/16/2020 • 2 minutes to read

Circulate information quickly to a wide set of users at one go by using Announcements in customer engagement
apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing,
and Dynamics 365 Project Service Automation). Announcements can also serve as message boards, where you can
post topics of your interest that you wish to share, or get answers to.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Announcements.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Create an announcement
1. Select an environment and go to Settings > Data management > Announcements.
2. On the command bar, select New.
3. Fill in the information, as required.
Title (required) - Type a title for the announcement that clearly and unambiguously states the purpose
and nature of the announcement.
Body (required) - Type the text for the announcement that you want to broadcast.

TIP
You can copy and paste an announcement text from another application. However, formatting might be lost.

More Information URL (optional) - Type the address of the website that provides detailed information
about the announcement.

NOTE
A web address that does not contain "http://" is automatically expanded to a full web address. In the announcement,
the web address will appear as an active external link.

Expiration Date (optional) - Type the date on which you want to stop the broadcast and the
announcement should expire.

NOTE
You can’t edit or extend this date after expiry. Customer engagement apps delete the announcement after the
expiration date.

4. When you’re done, on the command bar, choose Save or Save and Close to begin the broadcast.
Broadcast an announcement
Make the announcements available to other users in your organization by using web resources and dashboards.
Create a web resource
1. In a text editor, type the following code, and save the file as “announcementsondashboard.htm”.

<html>
<body>
<script type="text/javascript">
// Load the announcements page in iframe mode so it renders inside the dashboard.
window.location.href = "/home/homepage/home_news.aspx?pagemode=iframe";
</script>
</body>
</html>

2. Go to Settings > Customizations > Customize the System.
3. Under Components, select Web Resources > New.
4. Type the name as “announcements” and display name as “Announcements”.
5. In the Type drop-down list, select Web Page (HTML).
6. In the Upload File box, choose Browse and select the “announcementsondashboard.htm” file that you
created earlier.
7. Select Save.
8. Add this new web resource to any existing or new dashboard.
Change auto-numbering prefixes for contracts, cases,
articles, quotes, orders, invoices, campaigns,
categories, and knowledge articles
10/16/2020 • 2 minutes to read

Contracts, cases, articles, quotes, orders, invoices, marketing campaigns, categories, and knowledge articles are
automatically numbered. If your organization has standard numbering formats, you can change the default three-
character prefixes and number format to match your organization.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Auto numbering.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Data management > Auto numbering.
2. In the Set Auto-Numbering dialog box, select the record type that you want to change.
3. In the Prefix box, enter up to three characters, symbols, or numbers.
Prefixes are system-wide and are used for all system-generated numbers for the selected record type. If you
change the prefix for a record type, it won’t change the prefix of numbers that are already assigned.
The prefix of the tracking token for email messages is set in the System Settings area. More information:
System Settings dialog box - Email tab
4. In the Number box, enter the starting number.
If you haven’t set a numbering format before, the Number box displays 1000. After you set the numbering
format and save your settings, this field is set to read-only and you can’t modify it. If a custom auto-
numbering solution was used, you won’t be able to change the number.
5. Select a suffix length.
Articles and knowledge articles don’t have suffixes. The suffix is used for records that were created while you
were offline and for which the number can’t be guaranteed to be unique.
6. Select OK to save your settings.
See also
Use solutions for your customizations
Remove a large amount of specific, targeted data
with bulk deletion
10/16/2020 • 2 minutes to read

The bulk deletion feature helps you to maintain data quality and manage the consumption of system storage by
deleting data that you no longer need.
For example, you can delete the following data in bulk:
Stale data.
Data that is irrelevant to the business.
Unneeded test or sample data.
Data that is incorrectly imported from other systems.
With bulk deletion you can perform the following operations:
Delete data across multiple entities.
Delete records for a specified entity.
Receive email notifications when a bulk deletion finishes.
Delete data periodically.
Schedule the start time of a recurring bulk delete.
Retrieve the information about the failures that occurred during a bulk deletion.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Bulk deletion.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Delete bulk data


1. Select an environment and go to Settings > Data management > Bulk deletion.
2. Select New to run the Bulk Deletion Wizard to create a bulk deletion job with the records you want to
delete.
For information about how to implement bulk delete in code, see Delete data in bulk.
See also
Manage your data
Data Encryption
Import data (all record types) from multiple sources
10/16/2020 • 2 minutes to read

Importing data is often the first important task that you need to perform after you have installed customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation). You can import data from various systems and data
sources into standard and customized fields of most business and custom entities. You can include related data,
such as notes and attachments. To assure data integrity, you can enable duplicate detection that prevents importing
duplicate records. More information: Detect duplicate data. For more complex data import scenarios, you can write
code using the data import web service. More information: Import data.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Data import wizard.
Preliminary steps before you import the data include:
1. Preparing source data files in one of the following formats: comma-separated values (.csv), XML Spreadsheet
2003 (.xml), Compressed (.zip) or text files. You can import data from one source file or several source files. A
source file can contain data for one entity type or multiple entity types.
2. Preparing data maps for mapping data contained in the source file to the record fields. You must map every
column in the source file to an appropriate field. Unmapped data isn’t imported. More information: Select a
data map
There are several ways to import data:

NOTE
We recommend limiting your import to 20K rows or fewer.

1. To import large volumes of data, we recommend importing programmatically, which is the most efficient
method. When you import data programmatically, you gain additional capabilities that are not available when
you use other methods of importing data. These advanced capabilities include viewing stored source data,
accessing error logs, and creating data maps that include complex transformation mapping, such as
concatenation, split, and replace. See Import data.
2. For smaller import jobs, you can use the Import Data Wizard tool included in the web application.

NOTE
For the Import Data Wizard, the maximum file size for .zip files is 32 MB; for the other file formats, it’s 8 MB.
With the Import Data Wizard, you can specify the “Map Automatically” option. The wizard automatically maps all the
files and the column headings with record types and fields if:
The file names exactly match the display name of the record type.
The column headings of the file you are importing exactly match the display names of the fields in the record.

3. To add data for an individual record, the quickest way is to use Quick Create from the nav bar or New from
the entity form.
See also
Detect duplicate data
Select a data map
10/16/2020 • 2 minutes to read

1. Select a data map to tell the Import Data wizard how to organize your imported data into the right columns
and fields in customer engagement apps.
Select the default data map to let the wizard automatically map your data, or select a data map to match the
type of information you're importing.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Data import wizard.
2. Select Next.
The following tables help you decide which data map to use.

System Data Maps | When to Use
Default (Automatic Mapping) | Recommended. Use when you want the wizard to map the imported data to the columns and fields in customer engagement apps automatically. If the wizard can't determine how to map your data, you'll have an opportunity to map it manually later. Important: Import files can only contain one type of data, such as contacts, leads, accounts, or cases. Also, the column headings in the source file must match exactly with the field names in customer engagement apps.
For Generic Contact and Account Data | Use when the import file contains contacts or accounts.

Data Maps for Salesforce | When to Use
For Contact and Account Report Export | Use this map when your import file contains contacts or accounts from Salesforce.
For Full Data Export | Use this map when your import file is exported from Salesforce using Full Data Export.
For Report Export | Use this map when your import file is exported from Salesforce using Report Export.

Data Maps for Microsoft Outlook Business Contact Manager | When to Use
For Microsoft Outlook 2010 with Business Contact Manager | Use this map when your import file contains data from Microsoft Outlook 2010 with Business Contact Manager.

Custom Maps (optional) | When to Use
Custom maps | If available, custom data maps created for your organization are listed here.
Run bulk system jobs to detect duplicate records
10/16/2020 • 2 minutes to read

To maintain the integrity of system data, you should check for duplicates regularly to make sure that users don't
inadvertently create duplicate contacts, accounts, leads, or other types of records.
The Check for Duplicates wizard helps you set up a bulk "job" that finds and cleans up duplicate records. You can
schedule the job to run daily, and you can receive an email confirmation when the job finishes.

NOTE
If you haven't already done so, create and publish duplicate detection rules, and turn duplicate detection on before you run
the wizard. More information: Set up duplicate detection rules to keep your data clean

1. In the Power Platform admin center, select an environment.


2. Select Settings > Data management > Duplicate detection jobs.
3. Select New, or select the name of the duplicate detection job you want to run.
You'll see the Duplicate Detection wizard, which helps you create a job to check for duplicates.
4. Select Next.
5. In the Look for drop-down list, select the record type that you want to check for duplicates.

NOTE
What you see in this list depends on which duplicate detection rules are published. More information: Set up duplicate
detection rules to keep your data clean

6. In the Use Saved View drop-down list, select a view if you want to limit the records searched to records in
that view. For example, select Active Accounts. When you select a view, customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365
Marketing, and Dynamics 365 Project Service Automation) add the criteria to search on.
7. To further limit the records searched, select Select and then enter the criteria you want.

8. Select Next.
9. Accept the default name for the job, or type a different name.
10. Enter the start time for the job, and enter how often to run the job in days. (To run the job daily, type 1.)
11. If you want to receive an email confirmation when the job is completed, select the Email options check box.
Enter an additional email address, if desired.
12. Select Next, and then select Submit.
See also
Set up duplicate detection rules to keep your data clean
Turn duplicate detection rules on or off for the whole organization
View and take action on bulk deletion jobs
Detect duplicate data
Set up duplicate detection rules to keep your data
clean
10/16/2020 • 3 minutes to read

To maintain the integrity of your data, it's a good idea to have rules in place to reduce duplicate records in the
system. The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365
Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) include default duplicate
detection rules for accounts, contacts, and leads, but not for other types of records. If you want the system to detect
duplicates for other record types, you'll need to create a new rule.
After you've created duplicate detection rules, you need to turn duplicate detection on.
1. Make sure that you have the System Administrator, System Customizer, Sales Manager, Vice President of
Sales, Vice President of Marketing, or CEO-Business Manager security role or equivalent permissions.
Check your security role
a. Follow the steps in View your user profile.
b. Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Data management > Duplicate detection rules.
4. To create a new duplicate detection rule, choose New. Type a name and description.
–OR–
To edit an unpublished existing duplicate detection rule, choose the duplicate detection rule.
–OR–
To edit a published duplicate detection rule, select the rule. On the Actions menu, choose Unpublish, and
then choose the rule.
5. Select the criteria to be used to identify a record as a duplicate.
a. If you are creating a new rule:
In the Duplicate Detection Rule Criteria section, in the Base Record Type list, choose the
type of record that this rule applies to. For example, select Contacts.
In the Matching Record Type box, choose the type of record to compare. In most cases, you'll
probably want to use the same record type for Base Record Type and Matching Record
Type. It's also useful to be able to compare different record types. For example, you might want
to compare the Email field in Contacts to the Email field in Leads.
b. If you want the rule to consider only active records while detecting duplicates, select the Exclude
inactive matching records check box. You should also select this check box if your duplicate
detection rule criteria are based on a status field.
c. If you want the rule to be case-sensitive, select the Case-sensitive check box.
d. If you selected different record types for the base and matching record types, for each new criterion, in
the Base Record Field column, choose Select, and then choose a field name. In the same row, in the
Matching Record Field column, choose Select, and then choose a field name.
–OR–
If you selected the same record types for the base and matching record types, for each new criterion,
in the Field column, choose Select, and then choose a field.
e. In the same row, in the Criteria column, choose Select, and then choose an operator. For example,
select Exact Match.
f. If you specified Same First Characters or Same Last Characters, in the No. of Characters
column, choose Enter Value, and then enter the number of characters to compare.
g. If you don't want the rule to consider blank fields (null values) as equal while identifying duplicates,
select the Ignore Blank Values check box.

IMPORTANT
If the duplicate detection rule contains only one condition, blank values are ignored during the duplicate detection job.

The number of criteria that you can select is limited by the number of characters that can be stored in the
matchcode for the record. As you add criteria, watch the Current matchcode length value shown at the
bottom of the criteria list.

6. When you're finished adding criteria, choose Save and Close .


7. To make the new or changed duplicate detection rule usable, select the rule, and then choose Publish.
When you publish a duplicate detection rule, a matchcode is created for every record in the matching record
type for that rule. You can publish only five rules for the same base record type (Account, for example) at a
time. You might need to delete or unpublish an existing rule if you bump up against this limit.
NOTE
We recommend that you set the duplicate detection criteria on a field that has unique values, for example, Email.
You can have more than one duplicate detection rule for each record type.
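An in-memory model of the rule options described above, added here as an example: each record gets a matchcode built from the rule's criteria, and records with equal matchcodes are reported as duplicates. This is not Microsoft's implementation, and the real matchcode format is not given on this page. The record dictionaries, field names, the `active` flag, and the readings that all criteria must match and that Ignore Blank Values keeps a blank field from matching are assumptions; the sample contacts and leads are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Operators modeled: Exact Match, Same First Characters, Same Last Characters.
OPERATORS = {"exact", "first", "last"}


@dataclass(frozen=True)
class Criterion:
    base_field: str             # Base Record Field
    matching_field: str         # Matching Record Field
    operator: str = "exact"
    n_chars: int = 0            # "No. of Characters" for first/last
    ignore_blank: bool = False  # "Ignore Blank Values" check box

    def __post_init__(self):
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        if self.operator != "exact" and self.n_chars < 1:
            raise ValueError("first/last operators need n_chars >= 1")


@dataclass(frozen=True)
class Rule:
    criteria: tuple
    case_sensitive: bool = False    # "Case-sensitive" check box
    exclude_inactive: bool = False  # "Exclude inactive matching records"


def matchcode(record, rule, side):
    """Return the comparison key for one record, or None if it cannot match.

    side is "base" or "matching" and selects which field name of each
    criterion is read. A blank value yields None when the criterion ignores
    blanks, or when the rule has only one condition (the IMPORTANT note above).
    """
    single_condition = len(rule.criteria) == 1
    parts = []
    for crit in rule.criteria:
        name = crit.base_field if side == "base" else crit.matching_field
        text = record.get(name) or ""
        if not text and (crit.ignore_blank or single_condition):
            return None
        if not rule.case_sensitive:
            text = text.casefold()
        if crit.operator == "first":
            text = text[:crit.n_chars]
        elif crit.operator == "last":
            text = text[-crit.n_chars:]
        parts.append(text)
    return tuple(parts)


def find_duplicates(rule, base_records, matching_records):
    """Return (base id, matching id) pairs whose matchcodes are equal."""
    index = defaultdict(list)
    for rec in matching_records:
        if rule.exclude_inactive and not rec.get("active", True):
            continue
        code = matchcode(rec, rule, "matching")
        if code is not None:
            index[code].append(rec)
    pairs = []
    for rec in base_records:
        code = matchcode(rec, rule, "base")
        for other in index.get(code, ()):
            if other is not rec:  # a record is never its own duplicate
                pairs.append((rec["id"], other["id"]))
    return pairs


# Constructed sample data: Contacts compared against Leads on Email.
CONTACTS = [
    {"id": "C1", "lastname": "Silva", "email": "Ana@Contoso.example", "active": True},
    {"id": "C2", "lastname": "Johnson", "email": "", "active": True},
]
LEADS = [
    {"id": "L1", "lastname": "Silva", "email": "ana@contoso.example", "active": True},
    {"id": "L2", "lastname": "Johnston", "email": "", "active": True},
    {"id": "L3", "lastname": "Silva", "email": "ANA@contoso.example", "active": False},
]

if __name__ == "__main__":
    email_only = Rule((Criterion("email", "email"),))
    print(find_duplicates(email_only, CONTACTS, LEADS))
```

With a two-condition rule (first three characters of the last name plus exact Email), the two blank-Email records pair up unless Ignore Blank Values is set on the Email condition, which is the case the check box exists for.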

See also
Turn duplicate detection rules on or off for the whole organization
Run bulk system jobs to detect duplicate records
Merge duplicate records for accounts, contacts, or leads
Developer's Guide: Duplicate Rule entities
Turn duplicate detection rules on or off for the whole
organization
10/16/2020 • 2 minutes to read

To maintain the integrity of your data, it’s a good idea to set up duplicate detection rules to reduce duplicate records
in the system. Remember that after you create duplicate detection rules, you need to turn them on.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Duplicate detection.
Make sure you have the System Administrator, System Customizer, Sales Manager, Vice President of Sales, Vice
President of Marketing, or CEO-Business Manager security role or equivalent permissions to update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Data management > Duplicate detection.
2. Select or clear the Enable duplicate detection check box.

NOTE
If your system contains a large number of records, checking for duplicates can impact performance.

3. If you’re turning duplicate detection on, select or clear the check boxes to set when duplicates are detected:
When a record is created or updated
The system checks for duplicates when a user enters or updates records.

IMPORTANT
Duplicates aren’t detected when a user merges two records, activates or deactivates a record, or saves a
completed activity.

When Dynamics 365 for Outlook goes from offline to online


For users of Dynamics 365 for Outlook, the system detects duplicates when the user synchronizes
their data after working offline, as long as users have enabled duplicate detection in Outlook. To
enable duplicate detection in Outlook, select File > Dynamics 365 > Options. Choose the Local
Data tab, and then select the Enable duplicate detection during offline to online
synchronization check box.
During data import
When you use the Import Data wizard to bring in contacts, leads, accounts, or other types of data, the
wizard detects any duplicate records as long as you enable duplicate detection in the wizard. For more
information, see Import data from multiple sources.
4. Select OK.
See also
Set up duplicate detection rules to keep your data clean
Frequently asked questions about synchronizing records between customer engagement apps and Microsoft
Outlook
Run bulk system jobs to detect duplicate records
Asynchronous processing of cascading transactions
10/16/2020 • 7 minutes to read

Certain transactions can be configured to cascade across all related records. This means the change on a parent
record will be transacted upon (cascade down through) all the child records. Cascading relationships are
configured at the entity level. For more information about cascading relationships, see Configure entity
relationship cascading behavior.

Synchronous versus asynchronous modes


By default, cascading operations are performed as a synchronous transaction. For a synchronous cascading
transaction, all impacted records are identified by the system. As the records are processed, they are locked by the
system. Once all the changes have been completed, the records are unlocked and the transaction is completed.
Synchronous transactions with a large number of records can cause performance issues for environments when
long-running transactions fail due to server timeouts. The records are locked, preventing other jobs and user
transactions that operate on the same records from executing. Also, long-running transactions might result in a
backlog of pending transactions and requests that decrease system performance and might cause work stoppage.
If an environment is encountering timeouts or degraded performance while the synchronous cascading operations
are in progress, your environment could benefit by enabling the asynchronous mode. The main differences
between the modes are described here.

Synchronous mode | Asynchronous mode
No other jobs can be executed on the entire set of selected records (direct or cascading) until the cascading operation is complete. | For Assign and Delete, cascading changes are batched, locking only the records being processed within the batch. This allows other jobs to execute during the full cascading change operation. For Merge, the changes are still run as a single batch but done asynchronously to provide control back to the user more quickly.
When the job is completed, all data shows the new desired value. | As the job runs, each completed batch displays the desired value. This means that there will be a time when some data shows the desired value and some shows the original value until the full operation is completed. This is referred to as “eventual consistency.”
If a single record fails, all data is rolled back to the original value. The rollback will require re-editing all completed records, which takes additional time. | If a single job fails, it is retried multiple times to attempt completion. If the job can't be completed, the failure is recorded in the System Jobs area. Notice that successfully completed records retain the new value.
If one of the records in the cascading list has a value that is different than the expected value, the job will fail and roll back. For example, the starting record belongs to Owner 1 and the cascading operation wants to change it to Owner 2. If one of the downstream related records has changed to Owner 3 or is deleted before the lock occurs, the entire job will roll back. | For Assign, the operation always works in overwrite mode, changing the current value to the new value based on the parent-child relationship; there are no job failures due to an original value mismatch. For Delete, if a record that was expected as part of the set is missing, all the records up to the failure point are considered completed. The user or admin can re-execute the failed job, which will recalculate the job to continue without the missing record. For Merge, if there is an issue with a missing record, the entire job will fail; admins or users can run the job again to detect the correct records.
Asynchronous mode and plug-ins
When a cascading transaction meets the threshold for included records and does not have any plug-ins associated
with the records, the records will be processed asynchronously.

Operation | Threshold
Assign | 1,000 records
Delete | 10,000 records
Merge | Always asynchronous

If there's a plug-in assigned to a record inside the asynchronous batch, the single record update or delete along
with all associated plug-ins for that record will run synchronously. This occurs as part of a transaction before
moving to the next record in the asynchronous batch.
If a plug-in inside the asynchronous transaction triggers a new cascading delete or assign, the new cascading
transaction will always run synchronously within the current asynchronous transaction. This prevents having
multiple layers of asynchronous transactions.
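The difference in failure behavior between the two modes, modeled in memory for a cascading Assign as an added example (not platform code). The thresholds come from the table above; the batch size, the `batch_hook` callback that stands in for a plug-in or security exception, the retry count, and the function names are assumptions.

```python
# Record-count thresholds from the table above. Merge is always asynchronous.
ASYNC_THRESHOLD = {"assign": 1_000, "delete": 10_000}


def runs_async(operation, record_count, has_plugins=False):
    """Apply the stated rule: threshold met and no plug-ins on the records."""
    if operation == "merge":
        return True
    return record_count >= ASYNC_THRESHOLD[operation] and not has_plugins


def assign_sync(owners, expected_owner, new_owner):
    """Synchronous cascade: all-or-nothing.

    owners maps record id -> current owner. If any record does not hold the
    expected value, every change made so far is rolled back.
    """
    snapshot = dict(owners)
    for rid in sorted(owners):
        if owners[rid] != expected_owner:
            owners.clear()
            owners.update(snapshot)  # roll back completed records too
            return {"status": "Failed", "changed": 0}
        owners[rid] = new_owner
    return {"status": "Completed", "changed": len(owners)}


def assign_async(owners, new_owner, batch_size, batch_hook,
                 resume_at=0, max_retries=3):
    """Asynchronous cascade: batched, overwrite mode, resumable.

    batch_hook(batch_ids) is called before a batch is committed and may raise
    RuntimeError to simulate a plug-in or security exception. A failing batch
    is retried max_retries times; if it still fails, the job stops with status
    "Failed" and earlier batches keep the new value.
    """
    ids = sorted(owners)
    pos = resume_at
    while pos < len(ids):
        batch = ids[pos:pos + batch_size]
        for _attempt in range(1 + max_retries):
            try:
                batch_hook(batch)
                break
            except RuntimeError:
                continue
        else:
            # Every attempt failed: report where a resumed job should start.
            return {"status": "Failed", "resume_at": pos}
        for rid in batch:
            owners[rid] = new_owner  # overwrite, whatever the old value was
        pos += len(batch)
    return {"status": "Completed", "resume_at": pos}


if __name__ == "__main__":
    # Constructed data: ten child records, one already reassigned to Owner 3.
    owners = {i: "Owner 1" for i in range(10)}
    owners[7] = "Owner 3"
    print(assign_sync(owners, "Owner 1", "Owner 2"), owners[0])

    def failing_hook(batch):
        if 8 in batch:
            raise RuntimeError("simulated plug-in exception")

    job = assign_async(owners, "Owner 2", 4, failing_hook)
    print(job, owners)  # records 0-7 changed, 8-9 still original
    job = assign_async(owners, "Owner 2", 4, lambda b: None,
                       resume_at=job["resume_at"])
    print(job)
```

Between the failed run and the resumed run the data is in the mixed state the table calls eventual consistency: some records show the new owner and some the original.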

Tracking asynchronous operation progress


Administrators can monitor the processing of asynchronous operations in the Settings area.
1. Sign in to the Power Platform admin center, and then select the environment you want. Select Settings,
expand Audit and logs, and then select System jobs.
2. The cascading operations are displayed in the All System Jobs view.

To view only cascading operations, in the View selector select Cascade Operations.

Cascading operations have any one of the following statuses:


Completed. All batches of the cascading transaction have been completed successfully.
In Progress. Cascading changes are in progress.
Failed. After multiple retries, some of the cascading changes have failed.
NOTE
It isn't possible to cancel an asynchronous cascading job. You must wait for it to finish with a status of
Completed or Failed.

Opening a cascading operation displays:


How many retries have occurred for the particular transaction.
Created and completed dates and times.
Who created the job.
Any messages associated with the job, such as failure reasons, or exceptions.

Which cascading transactions can be processed asynchronously?


Assign, Delete, and Merge cascading transactions can be processed asynchronously.

NOTE
Other transactions, such as share/unshare, rollup view, and re-parent, are currently under review for asynchronous
processing.

Troubleshooting issues with asynchronous cascading operations


When synchronous cascading jobs fail, they stop and roll back all the changes so that none of the records include
the changes requested. This can be a time-consuming process as rollbacks can take as long as the original attempt
and retrying the operation will start again from the first record.
Asynchronous operations will retry numerous times if a failure occurs. In most cases, retrying the job results in
success and the job can continue to completion. In some rare cases, retrying won’t resolve the issue. When this
happens, the asynchronous job will pause, and the administrator and user can troubleshoot the issue and resume
the job from the point where it paused.
Common causes of failures in cascading operations
Common reasons for failures in processing cascading operations include:
Plugin exceptions.
Security exceptions.
Plugin Exceptions
Plugins are added to the processing of cascading operations to take specific actions when changes are made to a
record, such as sending an email or triggering a different update on other records. These may be provided by third
parties or developed in-house. If a plugin generates an exception, the cascading operation will fail. Depending on
the reason for the exception, a retry may resolve the issue. If the asynchronous cascade job is paused due to
failures, validate all plugins that are associated with the operations to make sure they are not generating
exceptions. Once fixed, the job can be resumed.
Security Exceptions
Security exceptions occur when the user who executed the cascading operation has insufficient privileges to make
a change to one or more records, or the user is disabled or removed from the system.
If the user is still in the system, validate they have the needed privileges to modify the records and that they have
permissions to execute the specified actions. Once this is resolved, resume the job.
If the user has been disabled or removed from the system, re-enabling or re-adding the user will resolve the issue
and the job can be resumed. However, if the user must be deleted or disabled or is not supposed to have
permissions for the actions or records, the job should be canceled and restarted by someone with appropriate
permissions.
For any other issues with failed jobs, contact Microsoft Support. More information: Support overview
Troubleshooting file deletion issues during cascade merge
If you experience failures with cascade merge operations because files are deleted during the job run, you can skip
the parenting check. This allows your merge to continue even if someone deletes a record from the set while the
job is running in the background. To do this, when you choose to merge records, at the bottom of the merge
window clear the option Parenting check is enabled by default. Uncheck this to ignore the parenting
check.
Merge record example
Imagine that you have accounts with a relationship to contact, which has a relationship to orders. You want to
merge two account records.
If the job runs successfully, the merge assigns all the related contacts and their orders to the target account.
If during the record merge process another user deletes a related contact record, but order records still exist
related to the contact record, the merge job will fail because a parent to a child record is missing. If you choose to
skip the parenting check during the record merge, the orders with the missing contact record will be merged into
the target account record. However, no related contact records will be assigned to the target account and the job
will complete.
See also
Entity relationships overview
Add or remove sample data
10/16/2020 • 2 minutes to read

Sample data gives you something to experiment with as you learn customer engagement apps (Dynamics 365
Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation), and helps you see how data is organized in the system. At some point, you'll probably
want to remove the sample data.
Or, if sample data isn't installed on your system, you may want to add it for training purposes. Later, when you're
ready, you can remove it.

IMPORTANT
Use sample data to learn and play around with system features. However, to avoid unwanted results, don't associate it with
any data you actually need.

1. Make sure you have the System Administrator security role or equivalent permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. Sign in to the Power Platform admin center.
3. Select Environments in the left navigation pane, select your environment, and then select Settings on the
top menu bar.
4. Select Data management to expand the category, then select Sample data .
5. A message appears that tells you whether the sample data is installed.
6. Select an action at the bottom of the screen:
Remove Sample Data, and then select Close.
Install Sample Data, and then select Close.
To close the screen without making changes, just select Close.
Enhance security by encrypting your data
10/16/2020 • 2 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) use standard SQL Server
cell-level encryption for a set of default entity attributes that contain sensitive information, such as user names and
email passwords. This feature can help organizations meet FIPS 140-2 compliance.
All new and upgraded organizations use data encryption by default. Data encryption can’t be turned off.
Users who have the system administrator security role can change the encryption key at any time.

Change an organization encryption key


These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Encryption > Data encryption.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Encryption > Data encryption.
2. In the Change Encryption Key box, type the new encryption key and then select Change.
3. Select OK in the confirmation message and then select Close to exit the Data Encryption page.
4. We recommend that you copy the key to a safe place. See the next section.

Copy your organization data encryption key


We strongly recommend that you make a copy of your data encryption key.
1. Sign in with the System Administrator or System Customizer security role or equivalent permissions.
2. Select an environment and go to Settings > Encryption.
3. In the Data Encryption dialog box, select Show Encryption Key. Then, in the Current encryption key box,
select the encryption key and copy it to the clipboard.
4. Paste the encryption key into a text editor such as Notepad.

WARNING
By default, customer engagement apps generate a passphrase that is a random collection of Unicode characters.
Therefore, you must save the system-generated passphrase by using an application and file that supports Unicode
characters. Some text editors, such as Notepad, use ANSI coding by default. Before you save the passphrase using
Notepad, select Save As, and then in the Encoding list, select Unicode.

5. As a best practice, save the text file that contains the encryption key on a computer in a secure location on an
encrypted hard drive.
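The encoding pitfall described in the warning above, as an added example (not part of the original documentation): it shows which characters of a Unicode passphrase an ANSI save destroys, then writes a UTF-16 copy and verifies it by reading it back. The sample key is constructed, the function names are hypothetical, and the code assumes the ANSI code page is Windows-1252 and that Notepad's Unicode option means UTF-16 LE with a byte order mark.

```python
import codecs
import hmac
import os

# Constructed sample passphrase, NOT a real key: it mixes Latin-1, CJK, Greek,
# Cyrillic and a non-BMP character, as a random Unicode passphrase might.
SAMPLE_KEY = "k\u00e9y-\u4e2d\u6587-\u03a9\u0416-\U0001F511-42"

ANSI_CODEPAGE = "cp1252"  # assumption: Western European Windows "ANSI" code page


def lossy_characters(passphrase, codepage=ANSI_CODEPAGE):
    """Return the characters the ANSI code page cannot represent."""
    lost = []
    for ch in passphrase:
        try:
            ch.encode(codepage)
        except UnicodeEncodeError:
            lost.append(ch)
    return lost


def ansi_round_trip(passphrase, codepage=ANSI_CODEPAGE):
    """Simulate an ANSI save and reload: unmappable characters become '?'."""
    return passphrase.encode(codepage, errors="replace").decode(codepage)


def save_key_unicode(passphrase, path):
    """Write the key as UTF-16 LE with a BOM into a new owner-only file.

    O_EXCL refuses to overwrite an existing backup; mode 0o600 applies on POSIX
    (on Windows, restrict the file with NTFS ACLs instead).
    """
    data = codecs.BOM_UTF16_LE + passphrase.encode("utf-16-le")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def verify_saved_key(passphrase, path):
    """Re-read the file and confirm it decodes to exactly the original key."""
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        recovered = raw.decode("utf-16")  # honours the BOM written above
    except UnicodeDecodeError:
        return False
    return hmac.compare_digest(recovered.encode("utf-8"), passphrase.encode("utf-8"))


if __name__ == "__main__":
    import tempfile

    print("characters lost under ANSI:", len(lossy_characters(SAMPLE_KEY)))
    print("ANSI copy matches original:", ansi_round_trip(SAMPLE_KEY) == SAMPLE_KEY)
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "org-key-backup.txt")
        save_key_unicode(SAMPLE_KEY, target)
        print("UTF-16 backup verified:", verify_saved_key(SAMPLE_KEY, target))
```

A backup whose read-back check fails cannot be used to re-enter the key later, so run the verification before closing the Data Encryption page.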
See also
SQL Server Encryption
FIPS 140 Evaluation
Manage Your Data
Manage configuration data
Set up Business Management options
10/16/2020

Select one of the following links for information about settings on the Business Management Options page:

Work with fiscal year settings
Create or edit a goal
Set when your business is closed (Customer Service)
Add facilities and equipment for service scheduling (Customer Service)
Create or edit a queue
Create or edit a resource group (Customer Service)
Set up sales territories to organize business markets by geographical area
Create or edit a service (Customer Service)
Use sites to manage your service locations (Customer Service)
Define subjects to categorize cases, products, and articles
Manage transactions with multiple currencies
Create connections to view relationships between records
Create connections to define and view relationships between records
Set up rules to automatically create or update records (Customer Service)
System Settings dialog box
10/16/2020

Use the System Settings dialog box to specify system-level settings for your Common Data Service environment
and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation).

NOTE
Getting to the System Settings dialog box can vary based on the type of app you're using (Unified Interface or the legacy
web client). You might need to adjust the procedural steps in this section to reflect your app type. See Settings.
Also, we are moving some settings from customer engagement apps to the Power Platform admin center. See Environment
settings are moving.
System Settings General tab
10/16/2020

Use the settings on this page to change general system-level settings like preferences for saving, decimal and
currency precision, and other default settings for model-driven apps in Dynamics 365, such as Dynamics 365 Sales
and Customer Service.

NOTE
Many of these settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings.

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Administration.
3. Click the System Settings > General tab.

SETTINGS DESCRIPTION

Allow text wrapping in form fields labels and values Default: Yes. Choose Yes to allow text wrapping.

Select the default save option for forms

Enable auto save on all forms If Yes, which is the default, after a record is created (initially
saved), any changes made to a form will automatically be
saved thirty seconds after the change is made. The 30-second
period starts again after a change is made. If no changes are
made, the automatic save doesn't happen.

More information: Manage auto-save

Set Skype for Business Options

Enable presence for the system If Yes, which is the default, instant messaging will display the
current status for users, contacts, opportunities, or leads. This
only applies to lists and sub-lists for entities with an updated
user interface.

Set the full-name format

Name Format Select the order in which you want customer and user names
to be displayed. The default is First Name Last Name.

Set the currency precision that is used for pricing throughout the system

Pricing Decimal Precision Select how many decimal points to use for a currency. The
default is 2.

Set whether reassigned records are shared with the original owner

Share reassigned records with original owner Select whether a record is shared with the original owner of
the record, or completely reassigned to another user. The
default is No.

Set blocked file extensions for attachments Prevent users from attaching files with specific file name
extensions.

Set the currency display option

Display currencies by using Set how to display currencies, either by a currency symbol,
which is the default setting, or by currency code. For example,
a currency symbol could be $, and the currency code could be
USD.

Set up search

Enable Relevance search If enabled, you can use Relevance search to find records
across multiple entities, sorted by relevance.

Enable Quick Find record limits If Yes, which is the default, if more than 10,000 records are
found, a message will be displayed that suggests a more
selective search.

More information: Configure Relevance search for the organization

Select entities for Categorized Search Click Select to choose the entities to include when users do a
search in Dynamics 365 for tablets.

Enable Bing Maps

Show Bing Maps on forms If Yes, which is the default, Customer Engagement (on-
premises) users will need to enter a Bing Maps key. Model-
driven apps in Dynamics 365 users don't need to enter a key.

Please enter Bing Maps key (on-premises) On-premises users can obtain a Bing Maps key from: Bing
Maps Dev Center

Set the default country/region code

Enable country/region code prefixing If enabled, which is the default, model-driven apps in
Dynamics 365 will prefix the country/region code to numbers
that users are trying to call.

Country/Region Code Prefix The default is +1, which is the country/region calling code for
North America.

Set the telephony provider

Select provider for Click to call Choose which provider to enable outbound calls from within
model-driven apps in Dynamics 365. This setting doesn't
apply to Dynamics 365 for tablets or Dynamics 365 for
phones.

Set whether users see model-driven apps in Dynamics 365 message

Users see app download message If Yes, which is the default, users will see a message regarding
downloading the Dynamics 365 for tablets app.

Set custom Help URL

Use custom Help for customizable entities If you want to replace the default Help content with custom
Help designed for your users, click Yes. After you enable
custom Help, you can enter a Global Custom Help URL.

Global custom Help URL To replace the default Help with a single URL for all
customizable record types (entities), enter the URL here. You
also have the option of entering override URLs for each
record type (entity) for customizable record types. More
information: Customize the Help experience

Append parameters to URL If you click Yes to append parameters to the URL, you can
make your Help content more dynamic. For example, you can
access parameters for User Language Code, Entity Name,
Entry Point, and Form ID. More information: Customize the
Help experience

Enable Learning Path Changes access to Learning Path for an entire organization.
More information: On/off switch for Learning Path (guided
help).

Enable Learning Path Authoring Defaults to No. Set to Yes if you want to enable users to author
Learning Path content.

More information: Create guided help (Learning Path) for your app

Disable Social Engagement

Prevent feature from receiving social data in model-driven apps in Dynamics 365 Defaults to No. If you don't
want to receive social data in model-driven apps in Dynamics 365, select Yes. If you disable social engagement,
your organization will not be able to receive social data. Users can continue to work with existing social
data, however.

Set whether users see welcome screen



Display welcome screen to users when they sign in When users start model-driven apps in Dynamics 365, they're
presented with a welcome screen (navigation tour) that
provides a quick overview of Dynamics 365 apps. Click No to
disable this tour for all users in your organization.

Use legacy form rendering

For compatibility, use the legacy form rendering engine. Note that performance may be adversely affected.
In CRM Online 2015 Update 1 and Dynamics 365 on-premises, we made enhancements to forms so that they load
faster.

However, if you have forms that include unsupported customizations, these enhancements can cause compatibility
problems. To avoid this, you can temporarily turn the form enhancements off by choosing Yes. We recommend that
you reset this setting to No after addressing scripting problems so you can take advantage of optimized forms.
Note: When a form that includes unsupported customizations is used, such as unsupported JavaScript, the form
may fail to load or the user will receive an error message.
If the form just fails, set the Use legacy form rendering option to Yes. If the form loads after you select
this option, you may have unsupported customizations.
If the user receives an error, click "View the data that will be sent to Microsoft" and see the details in the
<CrmScriptErrorReport> tags.

Set options for the default app: Dynamics 365 – custom

Show default app on landing page and in app switch Default is Yes. Change to No to prevent the default app from
appearing on the Dynamics 365 home page and in the app
selector menu.

More information: For admins and end users: Introducing the Dynamics 365 home page

Default app name Enter the label to use for the default app. This appears on the
Dynamics 365 home page. The default label is Dynamics 365
- custom.

More information: For admins and end users: Introducing the Dynamics 365 home page

Set the default card state for Interactive Dashboards

Display cards in expanded state Click Yes to see the detailed card form in a dashboard. If set
to No (default), only the header and minimal details are
displayed in the card form.

Set session timeout More information: User session timeout management

Session timeout settings Choose Set custom to specify values different from default
values.

Enter maximum session length Enter the number of minutes for a session to remain open.

How long before the session expires do you want to show a timeout warning? Enter the number of minutes
prior to session expiration for a timeout warning to be displayed.

Set inactivity timeout More information: Inactivity timeout

Enable session timeout due to inactivity Choose Yes to enable inactivity timeout.

Duration of inactivity before timeout Enter the number of minutes of inactivity after which a
session times out.

How long before the session expires do you want to show an inactivity warning? Enter the number of minutes
prior to session expiration for an inactivity warning to be displayed.

Set Azure Content Delivery Network options

Load default static content from Content Delivery Network Default is Yes and model-driven apps in Dynamics 365 will
load out-of-the-box static content from the Azure Content
Delivery Network (CDN) service. For firewall restrictions and IP
approval list related issues, system administrators can select
No to disable the Azure Content Delivery Network
feature.

See also
Manage auto-save
Customize the Help experience
System Settings Calendar tab
10/16/2020

Use the settings on this page to configure calendar settings for model-driven apps in Dynamics 365.

Open the Calendar System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Business > Calendar.

SETTINGS DESCRIPTION

Set scheduling options

Maximum duration of an appointment in days Users can create appointments to meet or talk to customers.
Users create these appointments on the Service Calendar or in
the Activities area.

You can use this setting to control the maximum number of days that your users can schedule an appointment for.
The default is 10 days.

See also
Create or edit an appointment
System Settings Formats tab
10/16/2020

You can control how model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service,
display numbers, currencies, times, and dates for your organization.

Open the Formats System Settings dialog box (if it isn't already open)
1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Administration.
3. Choose System Settings > Formats tab.

SETTINGS DESCRIPTION

Organizational Standards and Formats

Current Format Default: your organization's language and locale. Choose Customize to customize number,
currency, time, and date formats for your organization.

Format Preview Preview the settings for the selected language and locale.

See also
Customize regional options (admins)
System Settings Auditing tab
10/16/2020

Enable auditing to track changes to your organization's data and maintain a log of changes.

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Audit and logs > Audit settings.

SETTING DESCRIPTION

Start Auditing Default: Off. Start or stop auditing.

Log access Default: Off. If enabled, model-driven apps in Dynamics 365 track when the user started accessing
model-driven apps in Dynamics 365 and whether or not the user accessed the application by using the web
application or Dynamics 365 for Outlook.

Read logs Default: Off. Logs will be sent to the Microsoft 365 Security
and Compliance Center.

To audit specific areas of the product, go to Settings > Audit and logs > Legacy audit settings and enable
the areas described in the following table.

AUDITING AREA ENABLE THE START OF AUDITING FOR THESE ENTITIES

Enable Auditing in the following areas

Common Entities Account, Contact, Lead, Marketing List, Product, Quick Campaign, Report, Sales Literature,
Security Role, and User

Sales Entities Competitor, Invoice, Opportunity, Order, and Quote

Marketing Entities Campaign

Customer Service Entities Article, Case, Client Feedback, Contract, and Service

See also
Audit data and user activity
System Settings Email tab
10/16/2020

Use the settings on this page to set up email processing in model-driven apps in Dynamics 365, such as Dynamics
365 Sales and Customer Service.

NOTE
Many of these settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Email > Email settings.

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Email Configuration.
3. Choose Email Configuration Settings.

SETTINGS DESCRIPTION

Configure email processing

Process Email Using Select whether you want to process email by using server-side
synchronization or the Email Router. Server-side
synchronization is the preferred method.

More information: Integrate your email system

Configure default synchronization method For any mailbox that's automatically created in model-driven
apps in Dynamics 365, the default email settings defined in
this section will be applied when a user or queue is created.

Server Profile For server-side synchronization, select the email server profile
that you want to use. The email server profile holds the
configuration data that enables model-driven apps in
Dynamics 365 to connect to Microsoft Exchange. If you're
connecting model-driven apps in Dynamics 365 with
Exchange Online, the email server profile is automatically
created for you.

Incoming Email Select whether you want to use Dynamics 365 for Outlook,
the Email Router, server-side synchronization, or a forward
mailbox for processing incoming email. More information:
Create forward mailboxes or edit mailboxes

Outgoing Email Select whether you want to use Dynamics 365 for Outlook,
the Email Router, or server-side synchronization for processing
outgoing email.

Appointments, Contacts, and Tasks Select whether you want to use Dynamics 365 for Outlook or
server-side synchronization to synchronize appointments,
contacts, and tasks between Outlook and model-driven apps
in Dynamics 365.
Note: You can't synchronize appointments, contacts, and
tasks if you're synchronizing with a POP3 email server.

Email processing for unapproved users and queues Select these check boxes if you want to allow email processing
only for users and queues whose email addresses have been
approved. More information: Approve email
Process email only for approved users
Process email only for approved queues

Configure folder-level tracking and email correlation

Use folder-level tracking for Exchange folders (server-side synchronization must be enabled)
Users can set up Exchange tracking folders and then move messages to those folders to track them automatically
on virtually any device. More information: Track Outlook email by moving it to a tracked Exchange folder

Folder-level tracking provides 100 percent tracking accuracy. To use folder-level tracking:
You must select this check box.
Your organization must synchronize email through server-side synchronization. More information: Set up
server-side synchronization

Use correlation to track email conversations Select this check box if you want to link email activities with
other related records by using the information in the email
headers. This method uses email properties for correlation
and is more accurate than smart matching, but less accurate
than folder-level tracking or tracking tokens. More
information: Email message filtering and correlation
Note: Email correlation using email headers works best when
email is processed by using server-side synchronization. If
you're using the Email Router to process email, you can use
tracking tokens or smart matching to correlate email activities
with related records.

Use tracking tokens Select this check box to use tracking tokens and to configure
how model-driven apps in Dynamics 365 displays them in the
Subject line of the email messages.

Tracking tokens provide 100% tracking accuracy. If you don't want to see tokens in Subject lines, however,
consider folder-level tracking, which also provides 100% tracking accuracy.

You can configure prefixes and other sections of tracking tokens. Long prefixes or too many prefix changes may
cause lost data in history, however. More information: Email message filtering and correlation

Use smart matching Select this check box to use smart matching to correlate email
based on the similarity between email messages. Smart
matching isn't as accurate as tracking tokens or folder-level
tracking. More information: Email message filtering and
correlation

Set tracking options for emails between users

Track email sent between two users as two activities Select this option to create two email activities between users,
one for the sender and one for the recipient.

Set email form options

Use secure frames to restrict email message content If this is set to Yes, you might see the following error message
when you're reading email: "This content cannot be displayed
in a frame." Although changing the setting to No typically
eliminates this error, such a change can make sending
sensitive content in email less secure.

Allow messages with unresolved email recipients to be sent Set this to Yes if you want to send email messages that have
unresolved recipients.

Set To, cc, bcc, fields as unresolved values if multiple matches are found in Incoming Emails.
Use this setting to choose which record an email address resolves to when there are multiple possible matches
in to, cc, or bcc fields of an email. When you select Yes, if the to, cc, or bcc fields of an email have an
email address that can be resolved to multiple contacts (or other records), the email address will be resolved
in the unresolved mode instead of resolving to all possible records. Unresolved email addresses can then be
resolved individually as you encounter them. The default value is No.

Apply same email address to all unresolved matches when you manually resolve it for one.
When set to Yes, the same email address is applied to all similar unresolved email addresses when resolved in
one email activity. When set to No, the email address is applied only to the specific email activity and
doesn't resolve similar addresses present in other email activities. The default value is Yes.

This setting appears when Set To, cc, bcc, fields as unresolved values if multiple matches are found in
Incoming Emails is set to Yes.

Set file size limit for attachments

Maximum file size (in Kilobytes) Increase or decrease the maximum file size for attached files.
The default size is 5 MB (5,120 KB). The maximum
recommended size is 32 MB (32,768 KB). Using a larger file
size is not recommended.

Enhanced email for Timeline

Multitask, compose, and save drafts using email pop-up windows when creating email from timeline.
Select this check box to allow users to use enhanced email. Enabling or disabling enhanced email will apply to
all applications in your organization that use Timeline.

Configure alerts Select check boxes for the type of alerts that must be sent to
users:
Error (default)
Warning
Information (default)

Tip: Select Warning if you're troubleshooting or testing, or want to get more detailed messages on the alert
wall.

Notify mailbox owner By default, the system administrator is notified of any error
that occurs for an email server profile.

Select this check box if you also want to notify the mailbox
owner.

Enable Send Direct Email Action in Unified Interface

Enable Send Direct Email Action in Unified Interface for Send Email enabled entities.
Set this to Yes if you want to send an email message to multiple recipients by using email templates.

See also
Track Outlook email by moving it to a tracked Exchange folder
Frequently asked questions about synchronizing records between model-driven apps in Dynamics 365 and
Outlook
Set up email through server-side synchronization
System Settings Marketing tab
10/16/2020

Use the settings on this page to configure marketing settings for model-driven apps in Dynamics 365, such as
Dynamics 365 Sales and Customer Service.

Open the Marketing System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Administration.
3. Choose System Settings > Marketing tab.

SETTINGS DESCRIPTION

Set whether direct email through mail merge is enabled in campaigns

Enable Direct Email via Mail Merge Default: Yes. If Yes, users can send email as a campaign activity
using the mail merge feature. Note: To enable this option, the
security role assigned to users for whom you want to enable
mail merge must also include the Mail Merge privilege.

Set whether campaign responses are created for incoming campaign activity email (Available only if
Email tracking is enabled)

Create campaign responses for incoming email Default: Yes. If Yes, model-driven apps in Dynamics 365 create
campaign response records automatically when email
messages are received in response to a specific marketing
campaign.

Set the auto-unsubscribe options (Available only if Email tracking is enabled)

Set "Do Not Send Marketing Material" option when unsubscribe email is received
Default: No. If Yes, when an unsubscribe email is received, the preference setting for the account, contact,
or lead from the marketing list gets updated automatically to not send marketing materials.

Send acknowledgement to customers when they unsubscribe If the previous setting Set "Do Not Send Marketing
Material" is Yes, you can use this setting to send a response to customers when they unsubscribe.

Template for Acknowledgement Email If the two previous settings are Yes, you must specify an email
template to use to respond to customers when they
unsubscribe.
System Settings Customization tab
10/16/2020

Use the tab to set preferences for plug-in and workflow tracing and also the use of application mode.

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Administration.
3. Choose System Settings and then choose the Customization tab.

SETTINGS DESCRIPTION

Application mode

Set whether model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service, can be opened
in a browser window without menu, navigation, and command bars.

Open model-driven apps in Dynamics 365 in Application mode Select this check box to enable application mode.
When this mode is enabled, model-driven apps in Dynamics 365 can be opened in a browser without menus,
navigation, or toolbars. Hiding these parts of the browser causes model-driven apps in Dynamics 365 to appear
like a separate application rather than a website. By default, application mode isn't enabled.

Plug-in and custom workflow activity tracing

Enable logging to plug-in trace log You can now store detailed information about an exception or
trace event raised by custom code to help developers debug
plug-ins or custom workflow activities that they develop using
the customization methods supported by model-driven apps
in Dynamics 365.

- To capture trace logs only for exceptions, select Exception.
- To capture logs for all errors and general trace events, select All.
- To disable capturing trace logs, select Off.

More information: Debug a plug-in
Warning: We recommend that you don't keep this option enabled for an extended period because it may have
performance implications in your organization.

Enable Microsoft Power Automate More information: Enable embedded Power Automate to
automate processes

Show Power Automate on forms and in the site map Default: Yes. Choose Yes to enable embedded Power
Automate flows in your organization.

See also
Debug a plug-in
System Settings Outlook tab
10/16/2020

Use the settings on this page to configure how Outlook interacts with customer engagement apps (Dynamics 365
Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation).

Open the System Settings dialog box (if it’s not already open)
1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. Go to Settings > Administration.
3. Choose System Settings > Outlook tab.

SETTINGS DESCRIPTION

Set email promotion options for Dynamics 365 for Outlook

Perform checks as new email is received Default: Yes. If Yes, email is checked for tracking as soon as it
arrives.

Promote incoming email every Default: 10 minutes. Looks for and links incoming email on the
specified interval.

Send pending email every Default: 10 minutes. Sends pending email on the specified
interval.

Set whether users can schedule synchronization in Dynamics 365 for Outlook

Users can schedule synchronization Default: Yes. If Yes, users can set whether or not Dynamics 365
for Outlook synchronizes with customer engagement apps.

Minimum Time between synchronizations Default: 15 minutes. Synchronizes Dynamics 365 for Outlook
and customer engagement apps on the specified interval.

Set whether users can update their local data in the background in Dynamics 365 for Outlook

Users can schedule background local data synchronization Default: Yes. If Yes, users can update the data that is stored on
their computer to use offline.

Minimum time between background local data synchronizations Default: 15 minutes. Local data is
synchronized with customer engagement apps on the specified interval.

Set schedule for address book synchronization in Dynamics 365 for Outlook

Users can schedule background address book synchronization Default: Yes. If Yes, users can update the address book that is
stored on their computer to use offline.

Minimum time between address book synchronizations Default: 1 hour. The local address book is synchronized with
customer engagement apps on the specified interval.

Set whether users see customer engagement apps message

Users see “Get Dynamics 365 for Outlook” option displayed in the message bar Default: Yes. If Yes, the Get
Dynamics 365 for Outlook button is displayed.
System Settings Reporting tab
10/16/2020 • 2 minutes to read

Use the settings on this page to configure reporting settings for model-driven apps in customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation).

Open the Reporting System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Administration.
3. Choose System Settings > Reporting tab.

| Settings | Description |
| --- | --- |
| Specify report categories | Default categories: Sales reports, Service reports, Marketing reports, Administrative reports. Note: If you add a new category or change existing categories, you should also change the default views available for the Report record type. Otherwise, users won't have a way to see all reports in the new categories. |
| Default value | Unassigned. Select the default report category. |
| **Set whether users can embed Power BI visuals** | |
| Allow Power BI visualization embedding | Lets users embed Power BI for Microsoft 365 visualizations on their personal dashboards. A Power BI visualization is a snapshot of the user's data, such as a chart, map, or aggregate number. More information: Add or edit Power BI visualizations on your dashboard. Default value: No. Users cannot embed Power BI visualizations on their personal dashboards. |

See also
Use Power BI
System Settings dialog box - General tab
System Settings Goals tab
10/16/2020 • 2 minutes to read

Set the duration and frequency of the automatic rollup of goals. These settings only affect the automatic handling
of all goals set in model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service. You can
always perform a manual rollup for any goal at any time.
1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. If you are using a Sales web application, go to Settings > Administration > System Settings, and then
select the Goals tab.
OR

If you are using the Sales Hub App, select the Site map icon, then select ellipsis, then select App
Settings, and then select Goals Settings.

| Settings | Description |
| --- | --- |
| **Set the roll-up expiration time and the roll-up frequency.** | |
| Days after the goal end date when the rollup will stop | Default: 30 days. Set the number of days after the ending date of a goal for model-driven apps in Dynamics 365 to stop including a goal in a rollup. |
| Roll-up recurrence frequency | Default: 24 hours. Set the number of hours between each goal rollup. |

See also
Administrator and Sales Manager Guide
Progress Against Goals report
System Settings Sales tab
10/16/2020 • 2 minutes to read

Use the settings on this page to configure system-level settings for the sales area of customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation).
1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
2. If you are using a Sales web application, go to Settings > Administration > System Settings, and then
select the Sales tab.
OR

If you are using the Sales Hub App, select the Site map icon, then select ellipsis, then select App
Settings, and then select Product Catalog Settings.

| Settings | Description |
| --- | --- |
| **Select whether products should be created in the active state** | |
| Create products in active state | To set the products to active state by default after creation, click Yes. This option applies only to products that don't have a parent product family. To create products in the Draft state, click No. |
| **Set whether the default pricelist for an opportunity should be selected via an inbuilt rule** | |
| Allow selection of default pricelist for opportunity via inbuilt rule | Click Yes if you want the default price list to be selected for an opportunity based on the inbuilt rule (based on the default price lists defined for territories). Otherwise, click No. |
| **Set maximum number of products in a bundle** | |
| Maximum number of products in a bundle | Type the maximum number of products a bundle can have. |
| **Set pricing calculation preference** | |
| Use system pricing calculations | Click Yes to use the pricing calculations of customer engagement apps. To use custom pricing by using a plug-in, click No. When set to No, the default pricing calculations won't be done on opportunity, quote, order and invoice records. |
| **Set whether a discount is applied as a line item or per unit** | |
| Discount calculation method | Select Per unit if you want the pricing engine to calculate the discount based on the prices per unit instead of a line item. By default, the calculations are done on a line item-basis. *See the table below that shows the difference between the two calculations. |
| **Set maximum number of properties allowed for a product or bundle** | |
| Maximum number of properties that are allowed for a product or bundle | Type the maximum number of properties (specifications) a product or bundle can have. Product properties are added to a product family record, and all the child products and bundles under the product family inherit the properties added to the parent product family. The number specified in this setting is applied only when you publish a product or a bundle with the associated properties. |

*Table: Difference between calculations

| Discount method | Product | Price per unit | Quantity | Discount | Amount |
| --- | --- | --- | --- | --- | --- |
| Line item | Product 1 | 100 | 11 | 10 | (100*11)-10=1090 |
| Per unit | Product 2 | 100 | 11 | 10 | (100-10)*11=990 |

See also
Set up a product catalog: Walkthrough
Define product pricing with price lists and price list items
Set up a discount list
Set up product bundles to sell multiple items together
Use properties to describe a product
Administrator and Sales Manager Guide
System Settings Service tab
10/16/2020 • 3 minutes to read

Use this tab to set preferences for the customer service area, such as service level agreements and entitlements in
model-driven apps in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation).
1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Administration.
3. Select the System Settings > Service tab.

NOTE
With the version 9.1 release, service configuration settings in service management are available in the Customer Service Hub
based on Unified Interface experience. You are recommended to manage service configuration settings using the new
experience.
In the Customer Service Hub app, go to Service Management and select Service Terms > Service Configuration
Settings in the sitemap to access the Service configuration settings.

| Settings | Description |
| --- | --- |
| **Disable SLAs** | |
| Disable Service Level Agreements (SLAs) on SLA-enabled entity records | SLAs are enabled by default. You can enable or disable them for SLA-enabled entity records in your organization. For example, you might want to disable SLAs during maintenance activities or when you're importing records and you don't want the SLAs to apply to the records. To disable, select Yes. To enable, select No. Note: When SLAs are disabled, SLA records can still be created or modified. SLAs won't be applied to records, however. |
| **Apply SLA after manual override** | |
| Automatically apply SLA on entity record update after SLA was manually applied. Important: For organizations, this feature is available only if your organization has installed Dynamics CRM Online 2016 Update. Interested in getting this feature? Find your administrator or support person. | This setting determines if an SLA should automatically be applied to a record when an SLA is manually selected in the record's SLA field. The automatic SLA application can either be through the entitlement applied to the case (for the Case entity) or with the default SLA. Either way, the manual SLA takes precedence over any other way of SLA application. When set to No, SLAs won't be applied automatically to records after an SLA is manually applied. Note: For Case entity records, when both entitlement and customer, and manual SLA are changing, the manual SLA is used regardless of this setting. |
| **Select SLA Pause Status** | |
| Select the SLA enabled entity to choose status values for | Select the SLA-enabled entity you want to choose the pause status for. Important: This feature of enabling other entities for SLA was introduced in CRM Online 2016 Update 1 and CRM 2016 SP1. Interested in getting this feature? Find your administrator or support person. |
| For the selected entity, choose the status values that SLA calculation should pause for | Select the statuses for which the SLA calculation should be paused. Double-click the statuses in the Available Values column. When the user sets a record to one of the pause status values you set here, customer engagement apps pauses the SLA calculation. When the user changes the status of the case back to a status other than a pause status, customer engagement apps updates the failure and warning time in the enhanced SLA KPIs. It also tracks the total time for which a record is in the pause status. Important: This feature of enabling other entities for SLA was introduced in CRM Online 2016 Update 1 and CRM 2016 SP1. Interested in getting this feature? Find your administrator or support person. |
| Automatically apply entitlement | Select whether to automatically apply the default customer entitlement when a case is created. Select whether to automatically apply the default customer entitlement when a case is updated and the customer, contact, or product field has changed. |

See also
Service Manager guide (Customer Service Hub)
System Settings Synchronization tab
10/16/2020 • 3 minutes to read

Use the settings on this page to determine how data is synchronized between customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation), and Microsoft Dynamics 365 for Outlook. For example, you can control
synchronization between pairs of fields or enable or disable synchronization of additional mailing addresses,
assigned tasks, or appointment attachments.

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Integration > Synchronization.

| Settings | Description |
| --- | --- |
| **Synchronize items with Outlook or Exchange** | |
| Manage system filters for your entire organization to determine the records that are synchronized to Outlook or Exchange folders. | This setting provides access to the User Filters tab in the Synchronization Settings for Outlook or Exchange dialog box. You may want to view this tab to see the default online synchronization filter settings for users in your organization. More information: Choose the records to synchronize between customer engagement apps and Outlook or Exchange |
| Manage the synchronized fields of Outlook or Exchange items including appointments, contacts, and tasks for your entire organization. | This setting provides access to the Synchronization Fields tab in the Synchronization Settings for Outlook or Exchange dialog box. Use this tab to view how appointments, contacts, and tasks fields are mapped between customer engagement apps and Outlook, and to change the synchronization direction or restrict synchronization for contacts and tasks fields. For example, if you want the contents of the contacts Notes field to be private, you can keep that field from synchronizing. More information: Control field synchronization between customer engagement apps and Outlook or Exchange |
| **Manage your offline filters and take your information offline in Dynamics 365 for Outlook** | |
| Manage system offline filters for your entire organization to determine what data users can take with them when they go offline in Dynamics 365 for Outlook. | This setting provides access to the User Filters tab in the Go Offline Settings dialog box. You may want to view this tab to see the default offline synchronization filter settings for users in your organization. |
| **Configure general synchronization rules for your entire organization for appointments, contacts, and tasks** | |
| **Appointments** | |
| Synchronize appointment attachments with Outlook or Exchange | Attachments take up database space, so synchronization of appointment attachments is turned off by default. Choose the check box to turn on synchronization of attachments. Important: Synchronization of appointment attachments is not supported for recurring appointments or service activities. |
| **Contacts** | |
| Synchronize mailing address only in Outlook contact / Synchronize all three addresses (Business, Home, Other) in Outlook contact | By default, just one Outlook mailing address field is synchronized between customer engagement apps and Outlook. This is sufficient for most organizations. If you want to synchronize all three Outlook mailing address fields (Business, Home, and Other fields) choose the Synchronize all three addresses in Outlook contact option. Warning: Be cautious when enabling this option as it can cause data loss in some situations if you have existing data. This is due to the remapping of the attributes for existing tracked contacts. The best practice is to do in-house testing to understand how the re-mapping affects your environment and data. In most cases, you should have the full data in one side (normally in customer engagement apps) and sync to the other side (normally Outlook or Exchange). |
| **Tasks** | |
| Synchronize tasks that are assigned in Outlook | Outlook tasks are synchronized by default, but synchronization of assigned tasks is turned off by default. Most companies don't require this feature because tasks would usually be assigned directly in customer engagement apps by changing ownership. You may want to enable this feature, however, if your company's business processes involve creating and sending tasks in Outlook instead of customer engagement apps. |
| **Select whether to enable syncing of resource bookings with Outlook** | |
| Synchronize resource bookings with Outlook | Turn on (off by default) to enable resource bookings (Field Service) synchronization with Dynamics 365 App for Outlook. More information: Set up bookable resources (Field Service) |

See also
Choose the records to synchronize between customer engagement apps and Outlook or Exchange
Control field synchronization between customer engagement apps and Outlook or Exchange
System Settings Mobile Client tab
10/16/2020 • 2 minutes to read

Use the settings on this page to manage mobile settings.

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Administration.
3. Choose the System Settings > Mobile Client tab.

| Settings | Description |
| --- | --- |
| **Set conflict detection for mobile offline synchronization** | |
| Enable conflict for mobile offline synchronization | If Yes, sync conflict detection will be enabled during the play back of actions after an offline device comes back online. If No, the default, no conflict detection is done while playing back actions after an offline device comes back online. The changes done offline will overwrite any changes done in model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service. For more information, see "Sync conflict resolution" in Work offline with Dynamics 365 for phones and tablets |
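
The difference between the two values of this setting, modeled as an added example (not code from the product or from this documentation): a queued offline edit is played back against a record that changed on the server while the device was offline. The row-version check, the reject-and-keep-server-value policy, the names Record, OfflineAction, Server and simulate, and the sample account record are all assumptions made for illustration.

```python
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Record:
    values: dict
    version: int = 1  # assumption: every server-side write bumps a row version


@dataclass
class OfflineAction:
    record_id: str
    changes: dict        # field -> value written on the device while offline
    base_values: dict    # field -> value the device saw when it last synced
    base_version: int    # row version the device saw when it last synced


@dataclass
class Server:
    records: dict = field(default_factory=dict)

    def write(self, record_id, changes):
        rec = self.records[record_id]
        rec.values.update(changes)
        rec.version += 1

    def play_back(self, actions, detect_conflicts):
        """Replay queued offline actions in order and report what happened."""
        report = {"applied": [], "rejected": [], "lost_server_values": []}
        for act in actions:
            rec = self.records[act.record_id]
            stale = rec.version != act.base_version
            if stale and detect_conflicts:
                # Assumed policy: keep the server value and surface the conflict.
                report["rejected"].append(act.record_id)
                continue
            if stale:
                # No detection: note each server-side change about to be replaced.
                for name, new in act.changes.items():
                    current = rec.values.get(name)
                    if current != act.base_values.get(name) and current != new:
                        report["lost_server_values"].append(
                            (act.record_id, name, current, new))
            self.write(act.record_id, act.changes)
            report["applied"].append(act.record_id)
        return report


def simulate(detect_conflicts):
    """Return (final credit limit, playback report) for one constructed scenario."""
    server = Server({"account-1": Record({"credit_limit": 5000,
                                          "phone": "555-0100"})})
    # The device syncs, then goes offline holding version 1 of the record.
    snapshot = deepcopy(server.records["account-1"])
    queued = [OfflineAction("account-1",
                            {"credit_limit": 50000},
                            {"credit_limit": snapshot.values["credit_limit"]},
                            snapshot.version)]
    # While the device is offline, the limit is lowered on the server.
    server.write("account-1", {"credit_limit": 2000})
    report = server.play_back(queued, detect_conflicts)
    return server.records["account-1"].values["credit_limit"], report


if __name__ == "__main__":
    for setting in (False, True):
        print("conflict detection =", setting, "->", simulate(setting))
```

With the default (No), the report's lost_server_values entry is the only trace that a server-side change was replaced, which is why auditing matters for fields such as credit limits when offline edits are allowed.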
System Settings Previews tab
10/16/2020 • 2 minutes to read

Use the settings on this page to enable preview features in customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation).

Open the System Settings dialog box


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Administration.
3. Choose the System Settings > Previews tab.

| Settings | Description |
| --- | --- |
| **These preview features are intended to be used for development and testing purposes only.** | |
| I have read and agree to the license terms | After agreeing to the license terms, check this box to allow you to enable preview features. |
| **Action Step Support for Business Process Flows Preview** | |
| Enable Action Step Support for Business Process Flows Preview | More information: Business process flows overview |
| **Organization Insights Preview** | |
| Enable Organization Insights Preview | |
| **Text Analytics Preview for Case Topic analysis, Suggest Similar Cases and Suggest Knowledge Articles** | |
| Enable the Text Analytics Preview | More information: Public Preview: Topic analysis |
| **Sales Insights** | |
| Get insights on opportunities, activities, and leads of customers | More information: Overview of Dynamics 365 Sales Insights |

See also
What are Preview features and how do I enable them?
On-off switch for Learning Path (guided help)
10/16/2020 • 2 minutes to read

Learning Path (guided help) is turned on by default.

Turn Learning Path on or off for an individual user


This setting affects only the person who makes this change.
To turn Learning Path off: On the nav bar, click the Options icon > Opt out of Learning Path.
To turn Learning Path on: On the nav bar, click the Options icon > Opt in for Learning Path.

Turn Learning Path on or off for an entire organization


This setting changes access to Learning Path for an entire organization.
1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
a. Follow the steps in View your user profile.
b. Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Product > Features.
4. Under Help features, set Learning Path to On.

Privacy notice
By enabling the Learning Path feature, you enable static HTML, images, and scripts to be stored on Azure Content
Delivery Network (CDN). In addition, all dynamic content that is displayed will be stored in Azure Redis Cache,
which is used to pre-cache from the Azure SQL database.
An administrator can enable and disable use of the Learning Path feature within a Dynamics 365 (online) instance
by using the Enable Guided Help setting in the Dynamics 365 organization.
Azure components and services that are involved with Learning Path functionality are detailed in the following
sections.

NOTE
For more information about additional Azure service offerings, see the Microsoft Azure Trust Center.

Cloud Services
Learning Path runtime (Web Role)
This is the web application that serves the content to users.
Learning Path service (Worker Role)
The worker role is responsible for processing the data from Azure SQL Database and caching it in Azure Redis
Cache.
Azure SQL Database
Learning Path uses SQL Database to store:
Content
Content metadata
System metadata
Azure Blob Storage
The HTML, images, JavaScript, and CSS are all stored in Azure Blob storage.
Azure Content Delivery Network (CDN)
Learning Path uses Azure Content Delivery Network to serve static content to the survey runtime, such as HTML,
images, JavaScript, and CSS.
Azure Active Directory
Learning Path uses Azure Active Directory Service to authenticate web services specifically for the designer.
Currently the designer is not exposed to customers and partners, so authentication takes place only within the
Microsoft domain.
Azure Redis Cache
Learning Path uses Azure Redis Cache to cache dynamic content that we serve to users.
Azure Traffic Manager
Learning Path uses Traffic Manager to improve the availability of important applications by monitoring your Azure
or external sites and services and automatically directing users to a new location anytime there’s a failure.
Azure Resource Manager
Learning Path uses Azure Resource Manager to deploy CDN, Redis Cache, SQL Database, and cloud services as
resource groups so that they are in a consistent state and can be deployed repeatedly.
See also
Create guided help (Learning Path) for your app
Video: Learning Path in-app Help designer for customers and partners
Automatic environment cleanup
10/16/2020 • 2 minutes to read

Datacenter operational processes will periodically identify environments that do not have an active subscription
and mark them for deactivation and eventual deletion. This frees up capacity from environments that are not in
use so you can apply it elsewhere in your tenant.
To see the status of your environments:
1. Sign in as an admin to the Power Platform admin center.
2. Select Environments.
3. Look for environments with Inactive status.

Scope
Only production and sandbox environments are affected by the automatic cleanup.

Admin notification due to environment cleanup


Here's what you can expect to receive if you (as an admin) or someone in your organization has created an
environment that is marked for cleanup.
Fourteen days prior to disabling the environment, an email is sent to all admins in your organization.
Seven days prior to disabling the environment, an email is sent to all admins in your organization.
One day prior to disabling the environment, an email is sent to all admins in your organization.
If no action is taken, the environment will be deleted ten days after the final email.

Actions you can take to prevent environment disabling and deletion


Any time prior to the environment deletion you can purchase licenses. Be sure to purchase enough licenses and/or
capacity to cover all the production environments in your tenant. See Licensing overview for Power Platform.
Within 24 hours after the licenses and capacity are applied to your tenant, the environment will automatically be
enabled and no longer be considered marked for deletion. If your environment has already been deleted, it is
possible to recover it within a limited window of time. See Recover environment.
IMPORTANT
Please allow ample time to take appropriate action. Your organization may have a central admin and purchasing group and
might be purchasing through Microsoft partners. Please plan accordingly.

See also
Back up and restore environments
Licensing overview for Power Platform
Microsoft Power Apps and Power Automate Licensing Guide
Regions overview
10/16/2020 • 2 minutes to read

For multinational companies with employees and customers distributed around the world, you can create and
manage environments specific to your global regions. You can create an environment in a different region than
where your tenant resides. Local environments can provide quicker data access for users in that region. Be sure to
read A multi-environment deployment to understand the features of multiple environments.

How do I find out where my app is deployed?


Your app is deployed in the region that hosts the environment. For example, if your environment is created in the
Europe region, then your app is deployed in Europe data centers.
Using Power Platform admin center
If you're an administrator, you can determine the region of each environment in the Power Platform admin center.
Browse to the admin center, and sign in with your admin account.
From the left-side menu, select Environments.

What regions are available?


Asia
Australia
Canada
Europe
France
India
Japan
South America
United Kingdom
United States
US Government (GCC)

Who can create environments in these regions?


With Power Apps, you can create environments in various regions across the globe, which benefits your business in
these ways:
Store your data closer to your users
Maintain the compliance requirement of your geography
You can create a database for an environment in one region (for example, United States) even if the Azure Active
Directory (Azure AD) tenant is in another region (for example, Canada or Europe). Note the following:
Tax laws prevent you from creating a database for an environment in India and Australia, if your Azure AD
tenant is not in India and Australia respectively. You can get an exception for Australia.
You can create an environment in the Preview (United States) region, regardless of where the Azure AD tenant is,
but you can’t provision a database in that region.
Only a US Government associated organization can create an environment in US Government (GCC).

| Your Azure AD tenant's home location | Regions where you can create a database |
| --- | --- |
| India | Any region except Australia and Preview (United States) |
| Australia | Any region except India and Preview (United States) |
| Any other location | Any region except India, Australia, and Preview (United States) |

What features are specific to a given region?


Environments can be created in different regions, and are bound to that geographic location. When you create an
app in an environment, that app is deployed in datacenters in that geographic location. This applies to any items
you create in that environment, including databases in the Common Data Service, apps, connections, gateways, and
custom connectors.
For optimal performance, if your users are in Europe, create and use the environment in the Europe region. If your
users are in the United States, create and use the environment in the U.S.

NOTE
On-premises data gateways aren't available in the India region.

Can I create an environment outside of my tenant region?


Currently, there are limits to creating an environment for a region that differs from your tenant region. Please
contact your account manager or Technical Support.
About multiple online environments or tenants
10/16/2020 • 7 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) give you options for
segregating your data and user access. For most companies, adding and using multiple environments in your
subscription provides the right mix of functionality and ease of management. Enterprises with separate geographic
locations might consider using multiple tenants to separate licenses. Multiple environments can share users among
environments; multiple tenants cannot.

Uses for multiple environments


Environments are similar in concept to a high-rise business complex with floors organized according to business
functions. Consider each floor within the building as an application (Sales/Service/Marketing, Vendor management,
Wealth management) and consider each unit within a floor as an environment for a specific purpose such as
production, training, testing, and development.

Multiple environments are needed when segregation is required of plugins, workflows, or admin resources that
cannot be easily isolated by using business units.

A multi-environment deployment
A typical deployment includes one tenant only. A tenant can include one or more environments; however, an
environment is always associated with a single tenant.
This example uses two environments for three teams: Sales, Marketing, and Services.
Sales and Marketing share an environment so lead information can be easily accessed by both. Services has its own
environment so tickets and warranties can be managed separately from campaigns and other sales related events.
You can provide access to one or both environments easily. Sales and Marketing users could be limited to their
environment while Service users with extended access could update support escalations records related to
accounts in both environments.
About single tenant with multiple environments:
Each environment within the tenant receives its own SQL database.
Data is not shared across environments.
See Common Data Service storage capacity for how storage is shared across environments.
All environments for a single customer tenant will be set up in the geography where they initially signed up
for their account. Storage consumption is totaled and tracked across all the environments attached to a
customer tenant.
You can set up separate security groups for all environments.
A licensed user can potentially access all the environments associated with the tenant. Access is controlled by
environment security group membership.
You can purchase additional environments through the Additional environment Add-On. Additional
environments can be added only to "paid" subscriptions - not trials or Internal Use Rights (IUR). If you
purchased your subscription through Volume Licensing, you must go through your Large Account Reseller
(LAR) to purchase the additional environment. More information: Support overview
You can't merge existing trials or subscriptions onto an additional environment; instead, you will need to
move your data and customizations.

Why use multiple environments?


The following are common use cases for multi-environment deployment. Consider these examples when you
decide the deployment type that best fits your company's requirements.
Master data management
In this scenario, a "master" data set provides for change management through a central master data source. This
approach requires that the central master data be synchronized to all environments so that each environment has
access to the latest version of the core information. Requested changes to the information can be made directly
within the master system. Alternatively, users can explicitly access the master system or capture the changes in the
local environment, with those changes subsequently passed on to the master environment.
Requiring that changes be made centrally can provide for centralized change control. For example, anti-fraud
checks can be performed to ensure that changes are made only by a central team and not by local teams that might
otherwise benefit from a change, such as a change in credit limits. This would provide a second level of change
authorization and verification that prevents a single person, or a group of people who work closely
together, from colluding to commit fraud. Pushing a request to a different, independent team can provide protection
against potential fraud.
Security and privacy
Differences in regional, for example European Union (EU), or national legislation can result in variations in
requirements for securing data or maintaining data privacy across the different regions or countries in a
deployment. In some cases, legislative/regulatory restrictions make it illegal to host data outside the borders of a
country or region, and addressing this challenge is particularly critical in specific business sectors.
For example, consider healthcare sector restrictions on sharing patient information. Some EU regulations require
that any health information that is collected about people residing in the EU be maintained and shared only within
EU boundaries, while similar data collected about people in the United States (US) is kept within US boundaries.
Also consider banking sector restrictions on sharing customer information. In Switzerland, for example, regulations
make it illegal to share customer information outside of their national boundaries.
Scalability
While a single environment can scale up and out to support the growth of a customer's business, with very high
data volumes or levels of complexity, there are additional considerations. For example, in environments with
extreme volumes and/or extensive use of Service Scheduling, scaling up SQL Server can require complicated
infrastructure that is prohibitively expensive or extremely difficult to manage.
There are many scenarios in which there is a natural functional split in capability requirements. In such cases,
delegating workloads by creating scale-out scenarios that are based on these functional splits can provide for
higher volumes by using commodity infrastructure.

Add an environment to your subscription


For information about how to add an environment to your subscription, see Create and manage environments.

A multi-tenant deployment
Global businesses with regional or country models that differ can use tenants to account for variations in approach,
market size, or compliance with legal and regulatory constraints.

This example includes a second tenant for Contoso Japan.


User accounts, identities, security groups, subscriptions, licenses, and storage cannot be shared among tenants. All
tenants can have multiple environments associated with each specific tenant. Data is not shared across
environments or tenants.
About multiple tenants:
- In a multi-tenant scenario, a licensed user associated with a tenant can only access one or more
  environments mapped to the same tenant. To access another tenant, a user would need a separate license
  and a unique set of sign-in credentials for that tenant.
  For example, if User A has an account to access Tenant A, their license allows them to access any and all
  environments created within Tenant A, if they are allowed by their administrator. If User A needs to access
  environments within Tenant B, they will need an additional license.
- Each tenant will require Power Platform admin(s) with unique sign-in credentials, and each tenant affiliate
  will manage its tenant separately in the administrator console.
- Multiple environments within a tenant are visible from the interface if the administrator has access.
- You cannot reassign licenses between tenant enrollments. An enrolled affiliate can use license reduction
  under one enrollment and add licenses to another enrollment to facilitate this.
- On-premises Active Directory federation cannot be established with more than one tenant unless you have
  top-level domains that you need to federate with different tenants (for example Contoso.com and
  Fabrikam.com).

Why use multiple tenants?


Functional localization
This scenario typically arises in organizations with overlapping but separate functional needs. Some common
examples include:
- Organizations with different business divisions, each with a different market or model of operation.
- Global businesses with regional or country models that differ to account for variations in approach, market
  size, or compliance with legal and regulatory constraints.
In these types of business environments, an organization often will have common sets of functionality that
allow specific regions, countries, or business areas with a degree of localization regarding:
- Information capture. For example, capturing the ZIP Code in the United States would correlate to capturing
  the Post Code in the United Kingdom.
- Forms, workflows.
Physical distribution
For business solutions that must support users that are physically distributed over large distances, particularly for
global deployments, using a single environment may not be suitable because of the implications (such as WAN
latency) associated with the infrastructure over which the users connect, which can significantly impact the user
experience. Distributing environments to provide users with more local access can reduce or overcome WAN-
related issues, as the access occurs over shorter network connections.

Add a multi-tenant deployment under volume licensing


For a multi-tenant deployment, you'll need a Multi-Tenant Amendment. A Multi-Tenant Amendment is an actual
amendment to the Volume License agreement used to purchase licenses. Contact your Microsoft Sales
Representative or Reseller to obtain the amendment.

Constraints of multi-tenants
Admins who want to deploy and manage multiple tenants should be aware of the following:
- User accounts, identities, security groups, subscriptions, licenses, and storage cannot be shared among
  tenants.
- A single domain can only be federated with one tenant.
- Each tenant must have its own namespace; UPN or SMTP namespaces cannot be shared across tenants.
- If an on-premises Exchange organization exists, you cannot split this organization across multiple tenants.
- A consolidated Global Address List will not be available, except if explicitly managed downstream from the
  synchronization.
- Cross-tenant collaboration will be limited to Lync Federation and Exchange Federation features.
- SharePoint access across tenants may not be possible. While this may be solved with Partner Access, the
  user experience is disrupted and licensing aspects apply.
- There can be no duplicate accounts across the tenants or partitions in the on-premises Active Directory.
See also
Blog: What is a tenant?
Environments overview
Administration mode
10/16/2020

You can set a sandbox or production environment in administration mode so that only users with System
Administrator or System Customizer security roles will be able to sign in to that environment. Administration
mode is useful when you want to make operational changes and not have regular users affect your work, and not
have your work affect end users (non-admins).

NOTE
You can place sandbox or production environments in administration mode.
Processes that use code, such as plug-ins or custom workflow assemblies, continue to be processed by the Common
Data Service platform when administration mode is enabled and background operations are disabled.

On the Settings panel, you can set the following:

Setting | Description
Administration mode | Select to enable administration mode for the selected sandbox or production environment. Only System Administrators or System Customizers will be able to sign in to the selected sandbox or production environment.
Background operations | (optional) Select to disable all asynchronous operations (see Asynchronous service) such as workflows and synchronization with Exchange. Emails will not be sent, and server-side synchronization for appointments, contacts, and tasks is disabled. Note: Administration mode must be enabled to disable background operations.
Custom message | (optional) Enter a message that will be displayed to all users when they attempt to sign in.

Set administration mode


1. Go to the Power Platform admin center and sign in using Environment Admin or System Administrator role
credentials.
2. From the left-side menu, select Environments, and then click on a sandbox or production environment.
3. On the Details page, select Edit.
4. Under Administration mode, toggle Disabled to Enabled.
5. Optionally, you can set Background operations and Custom message, and then select Save.
Manage support environments
10/16/2020

A support environment is any non-production environment of Common Data Service used by Microsoft support to
reproduce and resolve customer issues. When there is an issue affecting the operation of your online service,
Microsoft can create a support environment in your tenant to troubleshoot and repair the issue. It is isolated from
your production environment so it does not impact your business operations. System admins have full control of
managing and providing organization data by copying it to a support environment.
What is a support environment?
- It is an environment created in your tenant by Microsoft under your direct instructions, for purposes of
  preventing, detecting, or repairing problems affecting the operation of your online service.
- It does not require any additional non-production environment to be purchased.
- The database size of a support environment does not count towards your storage limit.
- It resides in the same regional datacenter as your source environment.
- Support environments are protected by the same administrative and technical measures implemented by
  Microsoft to protect your production environment.
What data is in a support environment?
- When a support environment is initially created by Microsoft, it contains no customer data or customizations.
- System admins manage support environments in the Power Platform admin center.
- System admins can copy an environment to a support environment, and then choose whether to provide a
  Minimal or a Full copy of their environment.
- Prior to provisioning, system admins must consent to providing a copy of their data to Microsoft.
Who has access to a support environment?
- Minimal copy: Microsoft staff who are members of a support security group
- Full copy: Microsoft staff who are members of an elevated support security group
What kind of data access does Microsoft have?
- Online (via the application): System admin privileges
- Database (via SQL query tools): Read/Write access to all tables
- Access to the database requires additional approval by Microsoft and it is managed, controlled, and granted as
  needed.
- Access to the database is subject to our standard access controls (i.e. Just-in-time); for instance, access is time
  limited (for example, 30 minutes) and expires automatically.
How long does a support environment stay in your tenant?
1. Seven days or upon resolution of the problem.
2. System admins can delete the support environment at any time.
Is access and usage of support environment audited?
Yes.
What is the consent form in the New support request page?
To assist with diagnosing and resolving a support issue, you must consent to the creation of a Minimal or a Full
copy of the environment with the issue. The consent form shown below records your instructions to Microsoft for
the creation of a support environment.
Automation of tasks with PowerShell
10/16/2020

The PowerShell cmdlets let you perform tasks similar to those available in the admin portals, but from
scripts, where you can run multiple commands in sequence or pipe the output of one command into another to
automate common tasks. Using the PowerShell cmdlets or the management connectors, you can build flows and apps
that help you implement your governance policies. There are multiple PowerShell cmdlet libraries that you can
work with. The following is an overview of each one that you are likely to interact with.

PowerShell cmdlet library | Common tasks
Power Apps cmdlets (PowerShell support for Power Apps) | Designed for app makers and administrators to automate tasks with environments and associated apps, flows, and connectors.
Microsoft 365 cmdlets (https://docs.microsoft.com/office365/enterprise/powershell/getting-started-with-office-365-powershell) | These are focused on Microsoft 365 related tasks and can be used to automate user-related actions and tasks; for example, assignment of licenses.
Dynamics 365 cmdlets (https://docs.microsoft.com/powershell/dynamics365/customer-engagement/overview) | These are useful if you have any environments with Common Data Service databases. Modules include support for using the Common Data Service online admin API, as well as to automate solution deployment to the Common Data Service environments.
Microsoft Azure cmdlets (https://docs.microsoft.com/powershell/azure/overview) | The Azure cmdlets are useful if you are including any Azure components in your overall solution. This could also be used to script setup of the on-premises application gateway.

You can use a combination of all the above cmdlets to build PowerShell scripts to do bulk operations on users,
environments or their resources.

TIP
Examples can also be found when installing and testing the Center of Excellence Starter Kit or using the Admin-in-a-Day
hands-on labs that can be found on GitHub (https://aka.ms/powerapps/admininaday).

Common PowerShell tasks


Displaying a list of environments

Get-AdminPowerAppEnvironment

This will give you key information such as the Display Name and GUID of the environment. This is often what is
needed for follow-on operations.
Adding parameters such as -Default will allow you to generically find the default environment in the tenant.

Get-AdminPowerAppEnvironment -Default
Using the GUID you got back (which is the non-display name for the environment), you can drill into the details
of that specific environment:

Get-AdminPowerAppEnvironment -EnvironmentName 'EnvironmentName'

That would produce the following detailed information:

Another useful one is getting a list of connections in an environment. The following lists all the connections in the
tenant's default environment.

Get-AdminPowerAppEnvironment -Default | Get-AdminPowerAppConnection
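
An added example, not part of the original documentation: a helper that turns the connection list above into a per-environment, per-connector summary for a governance or DLP review. The function name, the sample objects, and the property names EnvironmentName, ConnectorName and CreatedBy.userPrincipalName are assumptions; confirm the properties with Get-Member against your own tenant's output.

```powershell
# Added example (not from the Power Platform documentation).
# Summarizes connection objects by environment and connector so an admin can see
# which connectors are in use, how many connections exist, and who created them.
# ASSUMPTION: each input object exposes EnvironmentName, ConnectorName and
# CreatedBy.userPrincipalName. Check real cmdlet output with Get-Member first.

function Get-ConnectorUsageSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Connection
    )
    begin {
        # Collect the whole pipeline before grouping
        $all = [System.Collections.Generic.List[psobject]]::new()
    }
    process {
        $all.Add($Connection)
    }
    end {
        $all |
            Group-Object -Property EnvironmentName, ConnectorName |
            ForEach-Object {
                $first = $_.Group[0]
                # Distinct creators; connections with no recorded creator are skipped here
                $owners = @($_.Group |
                    ForEach-Object { $_.CreatedBy.userPrincipalName } |
                    Where-Object { $_ } |
                    Sort-Object -Unique)
                [pscustomobject]@{
                    EnvironmentName = $first.EnvironmentName
                    ConnectorName   = $first.ConnectorName
                    Connections     = $_.Count
                    DistinctOwners  = $owners.Count
                    Owners          = $owners -join '; '
                }
            } |
            Sort-Object -Property EnvironmentName, @{ Expression = 'Connections'; Descending = $true }
    }
}

# Constructed sample data standing in for Get-AdminPowerAppConnection output
$envDefault = 'Default-11111111-1111-1111-1111-111111111111'
$envFinance = '22222222-2222-2222-2222-222222222222'
$sample = @(
    [pscustomobject]@{ EnvironmentName = $envDefault; ConnectorName = 'shared_sql'
                       CreatedBy = [pscustomobject]@{ userPrincipalName = 'alice@contoso.example' } }
    [pscustomobject]@{ EnvironmentName = $envDefault; ConnectorName = 'shared_sql'
                       CreatedBy = [pscustomobject]@{ userPrincipalName = 'bob@contoso.example' } }
    [pscustomobject]@{ EnvironmentName = $envDefault; ConnectorName = 'shared_twitter'
                       CreatedBy = [pscustomobject]@{ userPrincipalName = 'bob@contoso.example' } }
    [pscustomobject]@{ EnvironmentName = $envFinance; ConnectorName = 'shared_sharepointonline'
                       CreatedBy = $null }   # creator missing: counted, but no owner listed
)

$sample | Get-ConnectorUsageSummary | Format-Table -AutoSize

# Against a live tenant, feed the pipeline shown on this page into the function:
# Get-AdminPowerAppEnvironment -Default | Get-AdminPowerAppConnection | Get-ConnectorUsageSummary
```

Connectors that appear in an environment with many distinct owners, or that you did not expect to see at all, are the first candidates to check against your DLP policies.
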

And finally, a slightly more complex example. This one pipes the output from one cmdlet to others and presents a
list of the number of apps in each environment in the tenant.

Get-AdminPowerApp | select -ExpandProperty EnvironmentName | Group | %{
    New-Object -TypeName PSObject -Property @{
        DisplayName = (Get-AdminPowerAppEnvironment -EnvironmentName $_.Name | select -ExpandProperty displayName)
        Count = $_.Count
    }
}

That would produce the following detailed information:


Automation of tasks with Microsoft Power Automate
10/16/2020

One of the unique things about Power Automate is you can use it to manage itself along with other parts of
Microsoft Power Platform. The following connectors can be helpful to automate administrator tasks with Power
Automate.

Connector | Possible uses
Power Automate Management connector (https://docs.microsoft.com/connectors/flowmanagement/) | Can be used to automate working with workflows including getting lists of new workflows or connectors in your environments.
Power Automate for Admins connector (https://docs.microsoft.com/connectors/microsoftflowforadmins/) | Allows you to perform typical admin actions, such as disabling a flow or deleting a flow.
Power Apps for Admins connector (https://docs.microsoft.com/connectors/powerappsforadmins/) | To set permissions on Power Apps or set permissions to a certain connector being used by this app.
Power Apps for app makers connector (https://docs.microsoft.com/connectors/powerappsforappmakers/) | Can be used by makers although some actions could be admin tasks, such as setting permissions to a Power Apps app. Therefore, admins might also use this connector.
Power Platform for Admins connector (https://docs.microsoft.com/connectors/powerplatformforadmins/) | To perform tasks against platform components, such as creating an environment or provisioning a Common Data Service database or creating a DLP policy for a specific environment.
Microsoft 365 Users connector (https://docs.microsoft.com/connectors/office365users/) | Useful for automating actions around users. For example, you could use the connector to get the manager of a user who owns an environment to be able to send them an email for approval.
Approvals connector (https://docs.microsoft.com/connectors/approvals/) | Often administrators need to get approvals and Power Automate offers a rich approval set of tasks that enable you to automate this process.
Microsoft Forms (https://docs.microsoft.com/connectors/microsoftforms/) | Forms is an easy way to collect information to start an admin task. This can be combined with the Approval connector to get manager approval.
Azure AD connector (https://docs.microsoft.com/connectors/azuread/) | Useful to perform tasks such as adding a user to a group or even creating the group.

Common Power Automate tasks


List new Microsoft Flow connectors is a simple template you can get started with right away. It triggers daily on
schedule, and uses the Power Automate Management connector to get a list of the connections in the environment
and sends you an email. You can add it to your flows quickly using the template at
https://us.flow.microsoft.com/galleries/public/templates/5a6ef26db3b749ed88b7afb377d11ecf/list-new-microsoft-flow-connectors/.
If you want to try building it yourself, here is a good walkthrough of creating the flow from scratch:
https://flow.microsoft.com/blog/new-flow-connector-notifications/
Grant users access
10/16/2020

To have users up and running in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation),
you complete some administrative tasks in the Microsoft 365 admin center, which you generally do only once,
followed by administrative tasks in customer engagement apps.
Customer engagement apps are an online service subscription. When you signed up for this service, you received
a set of licenses with your subscription, one license for each user. You can purchase additional licenses if you need
them.
As described in step one that follows, in the Microsoft 365 admin center, register your users so that they are
recognized in the Microsoft Online Services environment, assign a license to each user, and then assign
administrative roles to the users you choose to fill those roles. More information: Assigning admin roles
In customer engagement apps, populate the service with your organization’s data, including users and their
security roles, business units, and any existing data that you want to import from other applications or services. If
your organization uses business units, assign users to the appropriate business unit, and then assign a security
role to each user. Customer engagement apps includes predefined security roles that aggregate a set of user
permissions to simplify user security management. An organization can define additional roles or edit predefined
security roles to meet its unique security needs. For more information about security roles, see Security roles and
privileges.

IMPORTANT
When you assign any of the licenses or the Microsoft Power Automate license to a user, the user is automatically added to
all your environments; however, users can't access any customer engagement apps until they've been assigned at least one
security role. See Step Two: Assign security roles.

Differences between the Microsoft Online services environment administrative roles and Common Data Service security roles
Administrative roles are available to assign to users in the Microsoft 365 admin portal. The administrative roles
cover a set of rights and permissions related to managing the service subscription, such as adding users and
assigning licenses. The global administrator role has rights to control every aspect of the subscription and to add
subscriptions to other online services. The password administrator role has rights to reset a user’s password,
create service requests, and monitor the service.
Security roles are assigned within customer engagement apps and cover rights and permissions-related aspects,
for example, permission to update records or to publish customizations.
The roles are similar in that both types contain aggregated sets of permissions that allow access to some items
and not to others, and that allow some actions to be taken but not others. The roles are different in that the first
one applies to the management of the subscription but not to the service itself, and the second applies only within
the service.
Using roles is a powerful way to group a set of rights that are common to a job title or business unit. This way, the
administrator can grant a whole set of permissions to users simply by assigning a user or group of users to a
given role.
Step One: Provision users, and assign licenses and administrative roles in the Microsoft 365 admin center
Your organization’s subscription to customer engagement apps provides access to the Microsoft 365 admin center
through a global administrator account. The global administrator manages every aspect of the subscription and
may add subscriptions to other Microsoft Online Services.
As the global administrator for your organization, one of your first tasks is to create users in the Microsoft 365
admin center. This registers users in the system and enables users to be licensed to use services available within
the online service environment. You decide which service you want your users to have by assigning a license for
that service to a user. For instructions about creating users in the Microsoft Online Services environment, see Add
users and assign licenses at the same time. For instructions about assigning a license to a user, see Assign or
remove licenses.
During your planning phase, you might have identified a set of key administrative roles that you want to fill. More
information: Plan for deployment and administration. Because the administrative roles provide coverage for
administrative tasks when the global administrator is not available, it’s a best practice to assign these roles to
users, including assigning the global administrator role to a second user. More information: Assigning admin roles
and Permissions in Microsoft 365.
The online service sends an invitation to each user
After you set up a user in the Microsoft 365 admin center, that user receives an email invitation with a link and a
password for the Microsoft Online Services environment. The credentials in the invitation provide access to the
portal and to documentation. However, the users who receive these invitations can’t access customer engagement
apps until you complete step two in this process.

Step Two: Assign security roles in Dynamics 365 apps


Sign in to customer engagement apps and add business units (if your organization needs more than one business
unit), and assign security roles and business units to users. The users you registered with the online service in step
one are automatically added to customer engagement apps. After you assign at least one security role to a user,
that user can click the link in the email invitation, enter credentials, and begin using customer engagement apps.
More information: Assign a security role to a user.

IMPORTANT
Before you start adding information to customer engagement apps, we recommend that you turn off or disable your
browser’s pop-up blocker. Pop-up blockers can block data-entry dialog boxes.

You might have data located in other systems. In your planning phase, you considered how you’ll import this data.
Before you invite users into customer engagement apps, ensure that you have completed the data migration
process. More information: Import data (all record types).
See also
Plan for deployment and administration
Import data (all record types)
Download a list of active users in your tenant
10/16/2020

This process has changed. Please see Download Reports.


Create users and assign security roles
10/16/2020

You use the Microsoft 365 admin center to create user accounts for every user who needs access to customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation). The user account registers the user with Microsoft
Online Services environment. In addition to registration with the online service, the user account must be assigned
a license in order for the user to have access to the service. Note that when you assign a user the global
administrator or the service administrator role in the Microsoft Online Services environment, it automatically
assigns the user the System Administrator security role. More information: Differences between the Microsoft
Online services environment administrative roles and security roles

Create a user account


When you create a user account in the Microsoft 365 admin center, the system generates a user ID and temporary
password for the user. You have the option to let the service send an email message to the user as clear text.
Although the password is temporary, you might consider copying the information to send to the user through a
more secure channel, such as from an email service that can digitally encrypt the contents. For step-by-step
instructions for creating a Microsoft Online Services user account, see Add users individually or in bulk.

NOTE
When you create a user and assign a license in the Microsoft 365 admin center, the user is also created in customer
engagement apps. It can take a few minutes to complete the synchronization process between the Microsoft 365 admin
center and customer engagement apps.
By entering a user ID and password, a user can access the Microsoft 365 admin center to view information about the service.
However, the user won't have access to customer engagement apps until the user has a security role assigned either directly
or indirectly as a member of a group team.

TIP
To force an immediate synchronization between the Microsoft 365 admin center and customer engagement apps, do the
following:
Sign out of the customer engagement app and the Microsoft 365 admin center.
Close all open browsers used for the customer engagement app and the Microsoft 365 admin center.
Sign back in to the customer engagement app and the Microsoft 365 admin center.

User profile information


Some user profile information is maintained and managed in the Microsoft 365 admin center. After you create or
update a user, these user profile fields are automatically updated and synchronized in your Microsoft Power
Platform environments.
The following table shows the fields that are managed in the Users section of the Microsoft 365 admin center.
Customer engagement apps user form | Microsoft 365/Azure AD user
User Name | Username
Full Name | First name + Last name
Title | Job title
Primary Email* | Email
Main Phone | Office phone
Mobile Phone | Mobile phone
Fax | Fax number
Address | Street address
Address | City
Address | State or province
Address | Country or region

* To prevent data loss, the Primary Email field isn't automatically updated and synchronized with customer engagement apps.

The following image shows Microsoft 365 user contact fields.

Add a license to a user account


You can license the user when you create the user account, or you can license the user later. You must assign a
license to every user account that you want to access the online service.
For step-by-step instructions to use user licenses, see Assign licenses to users.
For step-by-step instructions to use Power Apps per app plans, see Power Apps per app plans.

IMPORTANT
Licensed users must be assigned at least one security role to access customer engagement apps. Security roles can be
assigned either directly or indirectly as a member of a group team.

About user licenses


- Use user licenses to provide access to your organization. You need one user license per person with an active
  user record who signs in to your organization.
- When you add a new person, the New user account form displays the number of user licenses available.
- You can add additional licenses by choosing Billing > Purchase Services from the left-side menu in the
  Microsoft 365 admin center.
- You need a user license for each invitation you issue. Even an invitation that isn't accepted requires a user
  license until the invitation expires two weeks after it was issued.
- If you have more user licenses than you're using, contact support to reduce the number of licenses. You can't
  reduce the number of licenses to fewer than you're currently using or fewer than your offer allows. Any
  changes are reflected in your next billing cycle.
- Each user license requires a unique Microsoft account, and every user who signs in needs a license. Most
  subscriptions include a specific number of user licenses.

NOTE
Certain default security roles are assigned to users based on the license and/or solution installed. These security roles only
give users Read access to apps that are installed in the environment. For example, when a user is assigned the Dynamics 365
Plan license and is synced to an environment that has the Customer Service Hub app, the user is automatically assigned the
Customer Service app access security role. No data access permission is granted to this role. The administrator is still required
to assign the appropriate security role to the user (either directly or indirectly as a member of a group team) in order for the
user to view and interact with the data.

Assign a security role to a user


Security roles control a user's access to data through a set of access levels and permissions. The combination of
access levels and permissions that are included in a specific security role sets limits on the user's view of data and
on the user's interactions with that data.
Customer engagement apps provide a default set of security roles. If necessary for your organization, you can
create new security roles by editing one of the default security roles and then saving it under a new name.
You can assign more than one security role to a user. The effect of multiple security roles is cumulative, which
means that the user has the permissions associated with all security roles assigned to the user.
Security roles are associated with business units. If you've created business units, only those security roles
associated with the business unit are available for the users in the business unit. You can use this feature to limit
data access to data owned by the business unit.
You need to have the appropriate privileges in order to assign security roles to another user. See Assigning security
roles.
For more information about the difference between Microsoft Online Services administrator roles and security
roles, see Grant users access.
IMPORTANT
You must assign at least one security role to every user either directly or indirectly as a member of a group team. The service
doesn't allow access to users who don't have at least one security role.

To assign security roles to users in an environment that has zero or one Common Data Service database, see
Configure user security to resources in an environment.

(Optional) Assign an administrator role


You can share Microsoft Online Services environment administration tasks among several people by assigning
Microsoft Online Services environment administrator roles to users you select to fill each role. You might decide to
assign the global administrator role to a second person in your organization for times when you're not available.
There are five Microsoft Online Services environment administrator roles with varying levels of permissions. For
example, the password reset administrator role can reset user passwords only; the user management administrator
role can reset user passwords in addition to adding, editing, or deleting user accounts; and the global administrator
role can add online service subscriptions for the organization and manage all aspects of subscriptions. For detailed
information about Microsoft Online Services administrator roles, see Assigning Admin Roles.

NOTE
Microsoft Online Services environment administrator roles are valid only for managing aspects of the online service
subscription. These roles don't affect permissions within the service.

Enable or disable user accounts


User enablement and disablement only applies to environments that have a Common Data Service database. To
enable a user in an environment that has a Common Data Service database, ensure that they're allowed to sign in,
assign a license to the user, and then add the user to the security group that's associated with the environment.
These are the same criteria used to add users to an environment.
To enable a user, assign a license to the user and add the user to the security group that's associated with an
environment. If you enable a user account that was disabled, you must send a new invitation for the user to access
the system.
To disable a user account, remove a license from the user or remove the user from the security group that's
associated with an environment. Removing a user from the security group doesn't remove the user's license. If you
want to make the license available to another user, you have to remove the license from the user account that was
disabled.
NOTE
You can also remove all security roles from a user to prevent the user from signing in to and accessing customer engagement
apps. However, this doesn't remove the license from the user, and the user will remain in the list of enabled users. We don't
recommend using this method to remove access from a user.
When you use a security group to manage enabling or disabling users or provisioning access to an org, nested security
groups within the selected security group aren't supported and will be ignored.
You can assign records to a disabled user account and also share reports and accounts with them. This can be useful when
migrating on-premises versions to online. If you need to assign a security role to users who have a Disabled status, you can
do so by enabling the allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.
A Global admin, Power Platform admin, or a Dynamics 365 admin does not need a license to be enabled in a Common Data
Service environment. See: Global admins and Power Platform admins can administer without a license. But since they are
unlicensed, they will be set in the Administrative access mode.

You must be a member of an appropriate administrator role to do these tasks. More information: Assign admin
roles
Enable a user account in an environment
To enable a user in an environment that has a Common Data Service database, you enable sign-in for the user,
assign a license to the user, and then add the user to a security group.
To enable sign-in
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Ensure that under the user's display name, you see Sign in allowed. If you don't, select Block this user, and
then unblock sign in.
To assign a license
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Select the Licenses and Apps tab, and then select the licenses you want to assign.
4. Select Save changes.
To add a user to a security group
1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select the security group that's associated with your environment.
4. Select the Members tab.
5. Under Members, select View all and manage members > Add members.
6. Choose users from the list or search for users, and then select Save.
Disable a user account in an environment
To disable a user account in an environment that has a Common Data Service database, you can either remove the
user from the security group or remove the license from the user.
To remove a user from a security group
1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select the security group that's associated with your environment.
4. Select the Members tab.
5. Under Members, select View all and manage members.
6. Select the users in the list to remove them, and then select Save.
To remove a license from a user
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Select the Licenses and Apps tab, and then select the licenses you want to remove.
4. Select Save changes.
Note that removing a license from a user might not always result in disabling the user account, though the license
will be freed up for assigning to another user. The recommended approach to disabling a user account in an
environment is to remove them from the security group that's associated with the environment.

NOTE
You can also delete users in the Microsoft 365 admin center. When you remove a user from your subscription, the license
assigned to that user automatically becomes available to be assigned to a different user. If you want the user to still have
access to other applications you manage through Microsoft 365—for example, Microsoft Exchange Online or SharePoint—
don't delete them as a user. Instead, simply remove the license you've assigned to them.
When you sign out of the Microsoft 365 admin center, you aren't signing out of customer engagement apps. You have to do
that separately.

TIP
To force an immediate synchronization between the Microsoft 365 admin center and customer engagement apps, do the
following:
Sign out of the customer engagement app and the Microsoft 365 admin center.
Close all open browsers used for the customer engagement app and the Microsoft 365 admin center.
Sign back in to the customer engagement app and the Microsoft 365 admin center.

Create a Read-Write user account


By default, all licensed users are created with an access mode of Read-Write. This access mode provides full access
rights to the user based on the security privileges that are assigned.
To update the access mode of a user
1. In the Power Platform admin center, select an environment, and go to Settings > Users + permissions >
Users.
2. Select Enabled Users, and then select a user's full name.
3. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Read-Write.
4. Select the Save icon.

Create an Administrative user account


An Administrative user is a user who has access to the Settings and Administration features but has no access to
any of the functionality. Use this account to assign administrative users to perform day-to-day maintenance
functions (create user accounts, manage security roles, and so on). Because an administrative user doesn't have
access to customer data nor any functionality, the user doesn't require a license (after setup).
You need to have the System Administrator security role or equivalent permissions to create an administrative user.
First, you'll create a user account in Microsoft 365, and then, in the customer engagement app, select the
Administrative access mode for the account.

NOTE
See Create an administrative user and prevent elevation of security role privilege for an example of how an Administrative
user account can be used.

1. Create a user account in the Microsoft 365 admin center.


Be sure to assign a license to the account. You'll remove the license (in step 12) after you've assigned the
Administrative access mode.
2. In the Optional settings form, expand Roles.
3. Clear the User (no administrator access) check box.
4. Scroll down the form, and then select the Show all link.
5. Select the service administrator check box. Note: If you've selected Global Administrator, you don't
need to select this option.
Wait for the user to sync to the environments.
6. In the Power Platform admin center, select an environment, and go to Settings > Users + permissions >
Users.
7. Select Enabled Users, and then select a user's full name.
8. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Administrative.
Now you need to remove the license from the account.
9. Go to the Microsoft 365 admin center.
10. Select Users > Active Users.
11. Select the Administrative user account, and then select the Licenses and Apps tab.
12. Clear the license box(es), and then select Save changes.

Create a non-interactive user account


The non-interactive user isn't a "user" in the typical sense—it doesn't represent a person, it's an access mode that's
created by means of a user account. It's used for programmatic access to and from customer engagement apps
between applications. A non-interactive user account lets these applications or tools—such as a connector from
customer engagement apps to ERP—authenticate and access customer engagement apps without requiring a
license. For each environment, you can create up to seven non-interactive user accounts.
You need to have the System Administrator security role or equivalent permissions to create a non-interactive user.
First, you'll create a user account in Microsoft 365. Then, in customer engagement apps, select the non-interactive
access mode for the account.
1. Create a user account in the Microsoft 365 admin center.
Be sure to assign a license to the account.
2. In the Power Platform admin center, select an environment, and go to Settings > Users + permissions >
Users.
3. Select Enabled Users, and then select a user's full name.
4. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Non-interactive.
You then need to remove the license from the account.
5. Go to the Microsoft 365 admin center.
6. Select Users > Active Users.
7. On the Licenses and Apps tab, select the non-interactive user account.
8. Clear the license box(es), and then select Save changes.
9. Go back to the customer engagement app and confirm that the non-interactive user account Access Mode
is still set for Non-interactive.

Create an application user


You can use server-to-server (S2S) authentication to securely and seamlessly communicate between Common Data
Service and your web applications and services. S2S authentication is the common way that apps registered on
Microsoft AppSource use to access the Common Data Service data of their subscribers. All operations performed by
your application or service by using S2S will be performed as the application user you provide, rather than the user
who's accessing your application.
All application users are created with a non-interactive user account, however they aren't counted toward the limit
of seven non-interactive user accounts. In addition, there's no limit on how many application users you can create in
an environment.

For step-by-step information about creating an application user, see Application user creation.
Enable or disable application users
When application users are created, they're automatically enabled. The default Application User form shows the
status in the form footer; the Status field can't be updated.
You can customize the default Application User form to allow updates to the Status field so that you can enable
or disable application users, if required. For step-by-step information about customizing the default Application
User form, see Enable or disable application users.
CAUTION

Disabling an application user will break all the integration scenarios that use the application user.

How stub users are created


A stub user is a user record that has been created as a placeholder. For example, records have been imported that
refer to this user but the user doesn't exist in customer engagement apps. This user can't sign in, can't be enabled,
and can't be synchronized to Microsoft 365. This type of user can only be created through data import.
A default security role is automatically assigned to these imported users. The Salesperson security role is assigned
in an environment and the Common Data Service User security role is assigned in a Power Apps environment.

NOTE
By default, a security role can only be assigned to users with an Enabled status. If you need to assign a security role to users
who have a Disabled status, you can do so by enabling allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.

Update a user record to reflect changes in Azure AD


When you create a new user or update an existing user in Dynamics 365 Customer Engagement (on-premises),
some fields in the user records, such as name and phone number, are populated with the information obtained
from Active Directory Domain Services (AD DS). After the user record is created, no further synchronization occurs
between Azure AD user accounts and customer engagement apps user records. If you make changes to the Azure
AD user account, you must manually edit the user record to reflect the changes.
1. In the Power Platform admin center, select an environment, and go to Settings > Users + permissions >
Users.
2. In the list, select the user record you want to update, and then select Edit.
The following table shows the fields that are populated on the user form (user record) from the Azure AD user
account.

USER FORM        ACTIVE DIRECTORY USER    ACTIVE DIRECTORY OBJECT TAB
User name        User logon name          Account
First name       First name               General
Last name        Last name                General
Main Phone       Telephone number         General
Primary Email    Email                    General
Address*         City                     Address
Address*         State/province           Address
Home phone       Home                     Telephones

* The Address field comprises the values from the City and State/province fields in Azure AD.

See also
Get started with security roles in Common Data Service
Reset a user's password
10/16/2020 • 2 minutes to read

If a user loses a password, you can reset it. To reset a user’s password, you must be a Microsoft Online Services
environment global administrator, user management administrator, or password administrator.
For step-by-step instructions, see Reset a User’s Password.

NOTE
The reset password is temporary. The user must change the temporary password at the next sign in. To help users meet the
requirements for creating a new password in the Microsoft Online Services environment, see Set a user's password expiration
policy.

See also
Create users and assign security roles
10/16/2020 • 17 minutes to read

You use the Microsoft 365 admin center to create user accounts for every user who needs access to customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation). The user account registers the user with Microsoft
Online Services environment. In addition to registration with the online service, the user account must be assigned
a license in order for the user to have access to the service. Note that when you assign a user the global
administrator or the service administrator role in the Microsoft Online Services environment, it automatically
assigns the user the System Administrator security role. More information: Differences between the Microsoft
Online services environment administrative roles and security roles

Create a user account


When you create a user account in the Microsoft 365 admin center, the system generates a user ID and temporary
password for the user. You have the option to let the service send an email message to the user as clear text.
Although the password is temporary, you might consider copying the information to send to the user through a
more secure channel, such as from an email service that can digitally encrypt the contents. For step-by-step
instructions for creating a Microsoft Online Services user account, see Add users individually or in bulk.

NOTE
When you create a user and assign a license in the Microsoft 365 admin center, the user is also created in customer
engagement apps. It can take a few minutes to complete the synchronization process between the Microsoft 365 admin
center and customer engagement apps.
By entering a user ID and password, a user can access the Microsoft 365 admin center to view information about the service.
However, the user won't have access to customer engagement apps until the user has a security role assigned either directly
or indirectly as a member of a group team.

TIP
To force an immediate synchronization between the Microsoft 365 admin center and customer engagement apps, do the
following:
Sign out of the customer engagement app and the Microsoft 365 admin center.
Close all open browsers used for the customer engagement app and the Microsoft 365 admin center.
Sign back in to the customer engagement app and the Microsoft 365 admin center.

User profile information


Some user profile information is maintained and managed in the Microsoft 365 admin center. After you create or
update a user, these user profile fields are automatically updated and synchronized in your Microsoft Power
Platform environments.
The following table shows the fields that are managed in the Users section of the Microsoft 365 admin center.
CUSTOMER ENGAGEMENT APPS USER FORM    MICROSOFT 365/AZURE AD USER
User Name                             Username
Full Name                             First name + Last name
Title                                 Job title
Primary Email*                        Email
Main Phone                            Office phone
Mobile Phone                          Mobile phone
Fax                                   Fax number
Address                               Street address
Address                               City
Address                               State or province
Address                               Country or region

* To prevent data loss, the Primary Email field isn't automatically updated and synchronized with customer engagement apps.

The following image shows Microsoft 365 user contact fields.

Add a license to a user account


You can license the user when you create the user account, or you can license the user later. You must assign a
license to every user account that you want to access the online service.
For step-by-step instructions to use user licenses, see Assign licenses to users.
For step-by-step instructions to use Power Apps per app plans, see Power Apps per app plans.

IMPORTANT
Licensed users must be assigned at least one security role to access customer engagement apps. Security roles can be
assigned either directly or indirectly as a member of a group team.

About user licenses


Use user licenses to provide access to your organization. You need one user license per person with an active
user record who signs in to your organization.
When you add a new person, the New user account form displays the number of user licenses available.
You can add additional licenses by choosing Billing > Purchase Services from the left-side menu in the
Microsoft 365 admin center.
You need a user license for each invitation you issue. Even an invitation that isn't accepted requires a user
license until the invitation expires two weeks after it was issued.
If you have more user licenses than you're using, contact support to reduce the number of licenses. You can't
reduce the number of licenses to fewer than you're currently using or fewer than your offer allows. Any
changes are reflected in your next billing cycle.
Each user license requires a unique Microsoft account, and every user who signs in needs a license. Most
subscriptions include a specific number of user licenses.

NOTE
Certain default security roles are assigned to users based on the license and/or solution installed. These security roles only
give users Read access to apps that are installed in the environment. For example, when a user is assigned the Dynamics 365
Plan license and is synced to an environment that has the Customer Service Hub app, the user is automatically assigned the
Customer Service app access security role. No data access permission is granted to this role. The administrator is still required
to assign the appropriate security role to the user (either directly or indirectly as a member of a group team) in order for the
user to view and interact with the data.

Assign a security role to a user


Security roles control a user's access to data through a set of access levels and permissions. The combination of
access levels and permissions that are included in a specific security role sets limits on the user's view of data and
on the user's interactions with that data.
Customer engagement apps provide a default set of security roles. If necessary for your organization, you can
create new security roles by editing one of the default security roles and then saving it under a new name.
You can assign more than one security role to a user. The effect of multiple security roles is cumulative, which
means that the user has the permissions associated with all security roles assigned to the user.
Security roles are associated with business units. If you've created business units, only those security roles
associated with the business unit are available for the users in the business unit. You can use this feature to limit
data access to data owned by the business unit.
You need to have the appropriate privileges in order to assign security roles to another user. See Assigning security
roles.
For more information about the difference between Microsoft Online Services administrator roles and security
roles, see Grant users access.
IMPORTANT
You must assign at least one security role to every user either directly or indirectly as a member of a group team. The service
doesn't allow access to users who don't have at least one security role.

To assign security roles to users in an environment that has zero or one Common Data Service database, see
Configure user security to resources in an environment.

(Optional) Assign an administrator role


You can share Microsoft Online Services environment administration tasks among several people by assigning
Microsoft Online Services environment administrator roles to users you select to fill each role. You might decide to
assign the global administrator role to a second person in your organization for times when you're not available.
There are five Microsoft Online Services environment administrator roles with varying levels of permissions. For
example, the password reset administrator role can reset user passwords only; the user management administrator
role can reset user passwords in addition to adding, editing, or deleting user accounts; and the global administrator
role can add online service subscriptions for the organization and manage all aspects of subscriptions. For detailed
information about Microsoft Online Services administrator roles, see Assigning Admin Roles.

NOTE
Microsoft Online Services environment administrator roles are valid only for managing aspects of the online service
subscription. These roles don't affect permissions within the service.

Enable or disable user accounts


User enablement and disablement only applies to environments that have a Common Data Service database. To
enable a user in an environment that has a Common Data Service database, ensure that they're allowed to sign in,
assign a license to the user, and then add the user to the security group that's associated with the environment.
These are the same criteria used to add users to an environment.
To enable a user, assign a license to the user and add the user to the security group that's associated with an
environment. If you enable a user account that was disabled, you must send a new invitation for the user to access
the system.
To disable a user account, remove a license from the user or remove the user from the security group that's
associated with an environment. Removing a user from the security group doesn't remove the user's license. If you
want to make the license available to another user, you have to remove the license from the user account that was
disabled.
NOTE
You can also remove all security roles from a user to prevent the user from signing in to and accessing customer engagement
apps. However, this doesn't remove the license from the user, and the user will remain in the list of enabled users. We don't
recommend using this method to remove access from a user.
When you use a security group to manage enabling or disabling users or provisioning access to an org, nested security
groups within the selected security group aren't supported and will be ignored.
You can assign records to a disabled user account and also share reports and accounts with them. This can be useful when
migrating on-premises versions to online. If you need to assign a security role to users who have a Disabled status, you can
do so by enabling the allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.
A Global admin, Power Platform admin, or a Dynamics 365 admin does not need a license to be enabled in a Common Data
Service environment. See: Global admins and Power Platform admins can administer without a license. But since they are
unlicensed, they will be set in the Administrative access mode.

You must be a member of an appropriate administrator role to do these tasks. More information: Assign admin
roles
Enable a user account in an environment
To enable a user in an environment that has a Common Data Service database, you enable sign-in for the user,
assign a license to the user, and then add the user to a security group.
To enable sign-in
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Ensure that under the user's display name, you see Sign in allowed. If you don't, select Block this user, and
then unblock sign in.
To assign a license
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Select the Licenses and Apps tab, and then select the licenses you want to assign.
4. Select Save changes.
To add a user to a security group
1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select the security group that's associated with your environment.
4. Select the Members tab.
5. Under Members, select View all and manage members > Add members.
6. Choose users from the list or search for users, and then select Save.
Disable a user account in an environment
To disable a user account in an environment that has a Common Data Service database, you can either remove the
user from the security group or remove the license from the user.
To remove a user from a security group
1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select the security group that's associated with your environment.
4. Select the Members tab.
5. Under Members, select View all and manage members.
6. Select the users in the list to remove them, and then select Save.
To remove a license from a user
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Select the Licenses and Apps tab, and then select the licenses you want to remove.
4. Select Save changes.
Note that removing a license from a user might not always result in disabling the user account, though the license
will be freed up for assigning to another user. The recommended approach to disabling a user account in an
environment is to remove them from the security group that's associated with the environment.
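The enable and disable rules in this section can be applied across an environment as an access review. The following Python sketch is an added example, not Microsoft code: the users, group membership and finding names are constructed, and it assumes that unlicensed tenant admins still need sign-in and direct group membership, which the page does not state.

```python
"""Access review for one environment, following the enable/disable rules above.

Added example; every user, membership set and finding name is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    upn: str
    sign_in_allowed: bool = True
    licensed: bool = False
    # Global admin, Power Platform admin or Dynamics 365 admin.
    tenant_admin: bool = False
    # Security roles held directly or through a group team.
    security_roles: frozenset = frozenset()


def review(user, direct_members, nested_members):
    """Return (status, access_mode, findings) for one user.

    direct_members: UPNs that are direct members of the environment's security group.
    nested_members: UPNs reachable only through groups nested inside that group.
    """
    findings = []
    in_group = user.upn in direct_members
    if not in_group and user.upn in nested_members:
        # Nested security groups are ignored, so this user is not provisioned.
        findings.append("nested-group-only")

    # Admins can be enabled without a license (assumption: the other two
    # criteria, sign-in and direct group membership, still apply to them).
    entitled = user.licensed or user.tenant_admin
    enabled = user.sign_in_allowed and entitled and in_group

    access_mode = None
    if enabled:
        # Licensed users default to Read-Write; unlicensed admins are set to
        # the Administrative access mode.
        access_mode = "Read-Write" if user.licensed else "Administrative"
        if not user.security_roles:
            # Listed as enabled and consuming a license, yet blocked from the
            # apps. The page advises against using this to remove access.
            findings.append("enabled-without-security-role")
    else:
        if user.licensed:
            # Removing a user from the group does not free the license.
            findings.append("license-still-assigned")
        if in_group and not entitled:
            # License removal might not always disable the account; the page
            # recommends removing the user from the security group instead.
            findings.append("unlicensed-but-in-group")

    return ("Enabled" if enabled else "Disabled"), access_mode, findings


# Constructed sample data for one environment's security group.
DIRECT_MEMBERS = {"alice@contoso.example", "carol@contoso.example",
                  "erin@contoso.example", "frank@contoso.example"}
NESTED_MEMBERS = {"bob@contoso.example"}
USERS = [
    User("alice@contoso.example", licensed=True,
         security_roles=frozenset({"Salesperson"})),
    User("bob@contoso.example", licensed=True,
         security_roles=frozenset({"Salesperson"})),
    User("carol@contoso.example", licensed=True),
    User("dave@contoso.example", licensed=True,
         security_roles=frozenset({"Salesperson"})),
    User("erin@contoso.example", tenant_admin=True,
         security_roles=frozenset({"System Administrator"})),
    User("frank@contoso.example"),
]


def run_review():
    """Review every constructed user and return {upn: (status, mode, findings)}."""
    return {u.upn: review(u, DIRECT_MEMBERS, NESTED_MEMBERS) for u in USERS}


if __name__ == "__main__":
    for upn, (status, mode, findings) in run_review().items():
        print(f"{upn:24} {status:9} {mode or '-':15} {', '.join(findings) or 'ok'}")
```
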

NOTE
You can also delete users in the Microsoft 365 admin center. When you remove a user from your subscription, the license
assigned to that user automatically becomes available to be assigned to a different user. If you want the user to still have
access to other applications you manage through Microsoft 365—for example, Microsoft Exchange Online or SharePoint—
don't delete them as a user. Instead, simply remove the license you've assigned to them.
When you sign out of the Microsoft 365 admin center, you aren't signing out of customer engagement apps. You have to do
that separately.

TIP
To force an immediate synchronization between the Microsoft 365 admin center and customer engagement apps, do the
following:
Sign out of the customer engagement app and the Microsoft 365 admin center.
Close all open browsers used for the customer engagement app and the Microsoft 365 admin center.
Sign back in to the customer engagement app and the Microsoft 365 admin center.

Create a Read-Write user account


By default, all licensed users are created with an access mode of Read-Write. This access mode provides full access
rights to the user based on the security privileges that are assigned.
To update the access mode of a user
1. In the Power Platform admin center, select an environment, and go to Settings > Users + permissions >
Users.
2. Select Enabled Users, and then select a user's full name.
3. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Read-Write.
4. Select the Save icon.

Create an Administrative user account


An Administrative user is a user who has access to the Settings and Administration features but has no access to
any of the functionality. Use this account to assign administrative users to perform day-to-day maintenance
functions (create user accounts, manage security roles, and so on). Because an administrative user doesn't have
access to customer data nor any functionality, the user doesn't require a license (after setup).
You need to have the System Administrator security role or equivalent permissions to create an administrative user.
First, you'll create a user account in Microsoft 365, and then, in the customer engagement app, select the
Administrative access mode for the account.

NOTE
See Create an administrative user and prevent elevation of security role privilege for an example of how an Administrative
user account can be used.

1. Create a user account in the Microsoft 365 admin center.


Be sure to assign a license to the account. You'll remove the license (in step 12) after you've assigned the
Administrative access mode.
2. In the Optional settings form, expand Roles.
3. Clear the User (no administrator access) check box.
4. Scroll down the form, and then select the Show all link.
5. Select the service administrator check box. Note: If you've selected Global Administrator, you don't
need to select this option.
Wait for the user to sync to the environments.
6. In the Power Platform admin center, select an environment, and go to Settings > Users + permissions >
Users.
7. Select Enabled Users, and then select a user's full name.
8. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Administrative.
Now you need to remove the license from the account.
9. Go to the Microsoft 365 admin center.
10. Select Users > Active Users.
11. Select the Administrative user account, and then select the Licenses and Apps tab.
12. Clear the license box(es), and then select Save changes.

Create a non-interactive user account


The non-interactive user isn't a "user" in the typical sense—it doesn't represent a person, it's an access mode that's
created by means of a user account. It's used for programmatic access to and from customer engagement apps
between applications. A non-interactive user account lets these applications or tools—such as a connector from
customer engagement apps to ERP—authenticate and access customer engagement apps without requiring a
license. For each environment, you can create up to seven non-interactive user accounts.
You need to have the System Administrator security role or equivalent permissions to create a non-interactive user.
First, you'll create a user account in Microsoft 365. Then, in customer engagement apps, select the non-interactive
access mode for the account.
1. Create a user account in the Microsoft 365 admin center.
Be sure to assign a license to the account.
2. In the Power Platform admin center, select an environment, and go to Settings > Users + permissions >
Users.
3. Select Enabled Users, and then select a user's full name.
4. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Non-interactive.
You then need to remove the license from the account.
5. Go to the Microsoft 365 admin center.
6. Select Users > Active Users.
7. On the Licenses and Apps tab, select the non-interactive user account.
8. Clear the license box(es), and then select Save changes.
9. Go back to the customer engagement app and confirm that the non-interactive user account Access Mode
is still set for Non-interactive.

Create an application user


You can use server-to-server (S2S) authentication to securely and seamlessly communicate between Common Data
Service and your web applications and services. S2S authentication is the common way that apps registered on
Microsoft AppSource use to access the Common Data Service data of their subscribers. All operations performed by
your application or service by using S2S will be performed as the application user you provide, rather than the user
who's accessing your application.
All application users are created with a non-interactive user account; however, they aren't counted toward the limit
of seven non-interactive user accounts. In addition, there's no limit on how many application users you can create in
an environment.

For step-by-step information about creating an application user, see Application user creation.
Enable or disable application users
When application users are created, they're automatically enabled. The default Application User form shows the
status in the form footer; the Status field can't be updated.
You can customize the default Application User form to allow updates to the Status field so that you can enable
or disable application users, if required. For step-by-step information about customizing the default Application
User form, see Enable or disable application users.
CAUTION

Disabling an application user will break all the integration scenarios that use the application user.

How stub users are created


A stub user is a user record that has been created as a placeholder. For example, records have been imported that
refer to this user but the user doesn't exist in customer engagement apps. This user can't sign in, can't be enabled,
and can't be synchronized to Microsoft 365. This type of user can only be created through data import.
A default security role is automatically assigned to these imported users. The Salesperson security role is assigned
in an environment and the Common Data Service User security role is assigned in a Power Apps environment.

NOTE
By default, a security role can only be assigned to users with an Enabled status. If you need to assign a security role to users
who have a Disabled status, you can do so by enabling the allowRoleAssignmentOnDisabledUsers OrgDBOrgSettings.

Update a user record to reflect changes in Azure AD


When you create a new user or update an existing user in Dynamics 365 Customer Engagement (on-premises),
some fields in the user records, such as name and phone number, are populated with the information obtained
from Active Directory Domain Services (AD DS). After the user record is created, no further synchronization occurs
between Azure AD user accounts and customer engagement apps user records. If you make changes to the Azure
AD user account, you must manually edit the user record to reflect the changes.
1. In the Power Platform admin center, select an environment, and go to Settings > Users + permissions > Users.
2. In the list, select the user record you want to update, and then select Edit .
The following table shows the fields that are populated on the user form (user record) from the Azure AD user
account.

User form | Active Directory user | Active Directory object tab
User name | User logon name | Account
First name | First name | General
Last name | Last name | General
Main Phone | Telephone number | General
Primary Email | Email | General
Address* | City | Address
Address* | State/province | Address
Home phone | Home | Telephones

* The Address field comprises the values from the City and State/province fields in Azure AD.

See also
Get started with security roles in Common Data Service

Use service admin roles to manage your tenant
10/16/2020 • 2 minutes to read

To help you administer environments and settings for Power Platform, you can assign users to manage at the tenant
level without having to assign the more powerful Microsoft 365 global admin privilege.
There are two Power Platform related service admin roles you can assign to provide a high level of admin
management.

Dynamics 365 administrator


The Dynamics 365 admin can:
• Sign in to and manage multiple environments. If an environment uses a security group, a service admin needs to be added to the security group in order to manage that environment. Not adding these admins to a security group that's in place essentially locks them out of any admin management.
• Perform admin functions in Power Platform because they have the system admin role.

Power Platform administrator


Users with the Power Platform admin role can:
• Sign in to and manage multiple environments. Power Platform admins are not affected by security group membership and can manage environments even if not added to an environment's security group.
• Perform admin functions in Power Platform because they have the system admin role.
Neither service admin role can perform functions restricted to the Microsoft 365 global admin, such as managing user
accounts, managing subscriptions, or accessing settings for Microsoft 365 apps like Microsoft Exchange or Microsoft
SharePoint.

Assign a service admin role to a user


Follow these steps to assign a service admin role.
1. Sign in to the Microsoft 365 admin center as a global admin.
2. Go to Users > Active users and select a user.
3. Under Account > Roles, select Manage roles.
4. Select to expand Show all by category.
5. Under Collaboration, select either Dynamics 365 administrator or Power Platform administrator.
6. Select Save changes.

Service administrator permission matrix


The following matrix shows what management is possible with the various service admin roles compared to the
Microsoft 365 global admin role.
Area | Microsoft 365 global admin | Power Platform admin | Dynamics 365 admin | Power BI admin

POWER PLATFORM

Environments
Full access¹ | Yes | Yes | Yes² | No
Create | Yes | Yes | Yes² | No
Backup and restore | Yes | Yes | Yes² | No
Copy | Yes | Yes | Yes² | No
Ability to exclude access from selected environments (using security groups) | No | No | Yes | Yes

Analytics
Capacity | Yes | Yes | Yes² | No
Capacity allocation (Power Apps per app plans, Power Automate, AI Builder, and Portal) | Yes | Yes | Yes² | No
Common Data Service | Yes | Yes | Yes² | No
Power Automate | Yes | Yes | Yes² | No
Power Apps | Yes | Yes | Yes² | No

Help + support
Create and access support requests | Yes | Yes | Yes² | No

Data integration
Create new project and connection set | Yes | Yes | Yes² | No

Data gateways
View gateways | Yes | Yes | Yes² | No

Data policies
View and manage tenant policies | Yes | Yes | Yes² | No
View and manage environment policies | Yes | Yes | Yes² | No

POWER BI
Manage the Power BI tenant | Yes | Yes | No | Yes
Acquire and assign Power BI licenses | Yes | No | No | No

MICROSOFT 365
Create users | Yes | No | No | No
Add security roles | Yes | No | No | No
Add licenses | Yes | No | No | No

¹ Equivalent permission level to a System Administrator. Has full permission to customize or administer the
environment, including creating, modifying, and assigning security roles. Can view all data in the environment if
the user has a suitable license.
² If a security group is assigned to the environment, the user with this role must be added to the security group.
See also
Environments overview
What is Power BI administration?

Add users to an environment
10/16/2020 • 2 minutes to read

Environments can have zero or one Common Data Service database. The process for adding users to
environments that have no Common Data Service database differs from the process for environments that have
one Common Data Service database. For an overview of environments, see Environments overview.

Add users to an environment that has no Common Data Service database

You don't have to add users to environments that have no Common Data Service database, because all users in the
organization are present in these environments by default. However, for a user to get access to an environment's
resources, a security role needs to be assigned to them. For information about assigning a security role to users in
an environment, see Configure user security to resources in an environment.

Add users to an environment that has a Common Data Service database

When an environment is created with a Common Data Service database or a Common Data Service database is
added to an existing environment, all users in the organization are added automatically to the environment unless
a security group is selected as an access filter. Review the following on automatic user addition to environments.
• For a user to be successfully added to an environment that has a Common Data Service database, the user must meet certain criteria. These same criteria apply to enabling a user who is already present in an environment.
• Automatic user addition to an environment takes time, especially if your organization is large and access to the environment isn't restricted to any security group. As a best practice, we recommend that you restrict access to your environment to a specific set of users by associating your environment to a security group.
• In most cases, adding users to an environment only gives users access to the environment itself, not to any resources (apps and data) in the environment. You need to configure access to resources by assigning security roles to users. Users with certain Dynamics 365 app licenses will be assigned some security roles by default that only give them read access to the environment's resources. Users who have been assigned service admin roles or the Global admin role, assigned through the Microsoft 365 admin center, will get the System Administrator role by default. They will have admin privileges to the environment's resources when they get added to the environment.
Because it can take a long time to automatically add users to an environment, you can use the following
procedure to add specific users to the environment sooner.
To add users to an environment that has a Common Data Service database
1. From the Power Platform admin center, select the environment to which you want to add users.
2. Select Settings > Users + permissions > Users.
You'll see the list of users that have already been added to the environment. This user list includes users
with enabled and disabled status. More information: Enable or disable users
3. Check to see whether the user you want to add might already be present in the environment by doing a
search (because automatic user addition might have added the user already). If you don't find the user in
the environment yet, select Add user.
4. In the Add user pane, enter the user's name or email address, select it, and add them to the environment.
Note the requirements for successfully adding a user, and see enable a user in an environment for details
about how to ensure the requirements are met.
5. After a user is added to the environment, assign a security role to the user to configure their access to
resources in the environment.

Configure user security to resources in an environment
10/16/2020 • 7 minutes to read

Common Data Service uses a role-based security model to help secure access to the database. This topic explains
how to create the security artifacts that you must have to help secure resources in an environment. Security roles
can be used to configure environment-wide access to all resources in the environment, or to configure access to
specific apps and data in the environment. Security roles control a user's access to an environment's resources
through a set of access levels and permissions. The combination of access levels and permissions that are included
in a specific security role governs the limitations on the user's view of apps and data, and on the user's interactions
with that data.
An environment can have zero or one Common Data Service database. The process for assigning security roles for
environments that have no Common Data Service database differs from that for an environment that does have a
Common Data Service database.

Predefined security roles


Environments include predefined security roles that reflect common user tasks with access levels defined to match
the security best-practice goal of providing access to the minimum amount of business data required to use the
app.
These security roles can be assigned to the user, owner team and group team.
There is another set of security roles that is assigned to application users. Those security roles are installed by our
services and cannot be updated.

Security role | Database privileges* | Description
Environment Admin | Create, Read, Write, Delete, Customizations, Security Roles | The Environment Admin role can perform all administrative actions on an environment, including the following: • Add or remove a user from either the Environment Admin or Environment Maker role. • Provision a Common Data Service database for the environment. After a database is provisioned, the System Customizer role should also be assigned to an Environment Admin to give them access to the environment's data. • View and manage all resources created within an environment. • Set data loss prevention policies. More information: Data loss prevention policies
Environment Maker | Customizations | Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment. More information: Environments overview
System Administrator | Create, Read, Write, Delete, Customizations, Security Roles | Has full permission to customize or administer the environment, including creating, modifying, and assigning security roles. Can view all data in the environment. More information: Privileges required for customization
System Customizer | Create (self), Read (self), Write (self), Delete (self), Customizations | Has full permission to customize the environment. However, users with this role can only view records for environment entities that they create. More information: Privileges required for customization
Common Data Service User | Read (self), Create (self), Write (self), Delete (self) | Can run an app within the environment and perform common tasks for the records that they own. Note that this only applies to non-custom entities. More information: Create or configure a custom security role
Delegate | Act on behalf of another user | Allows code to impersonate, or run as another user. Typically used with another security role to allow access to records. More information: Impersonate another user
Support User | Read Customizations, Read Business Management settings | Has full Read permission to customization and business management settings to allow Support staff to troubleshoot environment configuration issues. Does not have access to core records.

*The scope of these privileges is global, unless specified otherwise.


NOTE
• Environment Maker and Environment Admin are the only predefined roles for environments that have no Common Data Service database.
• The Environment Maker role can create resources within an environment, including apps, connections, custom connectors, gateways, and flows using Power Automate. Environment makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization. More information: Share an app in Power Apps
• For users who make apps that connect to the database and need to create or update entities and security roles, you need to assign the System Customizer role in addition to the Environment Maker role. This is necessary because the Environment Maker role doesn't have privileges on the environment's data.
• If the environment has a Common Data Service database, a user must be assigned the System Administrator role instead of the Environment Admin role for full admin privileges, as described in the preceding table.

Assign security roles to users in an environment that has no Common Data Service database

A user who already has the Environment Admin role in the environment can take these steps.

NOTE
Roles can be assigned to owner teams and Azure AD group teams, in addition to individual users.

1. Sign in to the Power Platform admin center.
2. Select Environments > [select an environment].
3. In the Access tile, select See all for Environment admin or Environment maker to add or remove
people for either role.
4. Specify the names of one or more users or security groups from Azure AD, or specify that you want to add
your entire organization.

Assign security roles to users in an environment that has a Common Data Service database

Verify that the user you want to assign a security role to is present in the environment. If not, add the user to the
environment. You'll be able to assign a security role as part of the process of adding the user. More information: Add
users to an environment
In general, a security role can only be assigned to users who are in the Enabled state. But if you need to assign a
security role to users in the Disabled state, you can do so by enabling allowRoleAssignmentOnDisabledUsers
in OrgDBOrgSettings.
To add a security role to a user who is already present in an environment:
1. Sign in to the Power Platform admin center.
2. Select Environments > [select an environment] > Settings > Users + permissions > Users.
3. Select Manage users in Dynamics 365.
4. Select the user from the list of users in the environment, and then select Manage roles.
5. Assign one or more security roles to the user.
6. Select OK.

Create or configure a custom security role


If your app uses a custom entity, its privileges must be explicitly granted in a security role before your app can be
used. You can either add these privileges in an existing security role or create a custom security role.

NOTE
Every security role must include a minimum set of privileges before it can be used. These are described later in this article.

TIP
The environment might maintain the records that can be used by multiple apps; therefore, you might need multiple security
roles to access the data by using different privileges. For example:
• Some users (call them Type A) might only need to read, update, and attach other records, so their security role will have read, write, and append privileges.
• Other users might need all the privileges that Type A users have, plus the ability to create, append to, delete, and share. The security role for these users will have create, read, write, append, delete, assign, append to, and share privileges.

For more information about access and scope privileges, see Security roles and privileges.
1. Sign in to the Power Platform admin center, and select the environment for which you want to update a
security role.
2. Select the environment's URL.
3. If you see published apps and tiles, select the gear icon in the upper-right corner, and then select
Advanced settings.
4. In the menu bar, select Settings > Security.
5. Select Security roles.
6. Select New.
7. From the security role designer, enter a role name on the Details tab. From the other tabs, you'll select the
actions and the scope for performing that action.
8. Select a tab, and search for your entity. For example, select the Custom Entities tab to set permissions on a
custom entity.
9. Select the privileges Read, Write, Append.
10. Select Save and Close.
Minimum privileges to run an app
When you create a custom security role, you need to include a set of minimum privileges in the security role in
order for a user to run an app. We've created a solution you can import that provides a security role that includes
the required minimum privileges.
Start by downloading the solution from the Download Center: Common Data Service minimum privilege security
role.
Then, follow these directions to import the solution: Import solutions.
When you import the solution, it creates the min prv apps use role, which you can copy (see: Create a security
role by Copy Role). When the Copy Role process is completed, navigate to each tab—Core Records, Business
Management, Customization, and so on—and set the appropriate privileges.

IMPORTANT
You should try out the solution in a development environment before importing it into a production environment.

See also
Grant users access
Control user access to environments: security groups and licenses
How access to a record is determined

Control user access to environments: security groups and licenses
10/16/2020 • 4 minutes to read

If your company has multiple Common Data Service environments, you can use security groups to control which
licensed users can be a member of a particular environment.
Consider the following example scenario:

Environment | Security group | Purpose
Coho Winery Sales | Sales_SG | Provide access to the environment that creates sales opportunities, handles quotes, and closes deals.
Coho Winery Marketing | Marketing_SG | Provide access to the environment that drives marketing efforts through marketing campaigns and advertising.
Coho Winery Service | Service_SG | Provide access to the environment that processes customer cases.
Coho Winery Dev | Developer_SG | Provide access to the sandbox environment used for development and testing.

In this example, four security groups provide controlled access to a specific environment.
Note the following about security groups:
• When users are added to the security group, they are added to the Common Data Service environment.
• When users are removed from the group, they are disabled in the Common Data Service environment.
• When a security group is associated with an existing environment with users, all users in the environment that are not members of the group will be disabled.
• If a Common Data Service environment does not have an associated security group, all users with a Common Data Service license (customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), Power Automate, Power Apps, etc.) will be created as users and enabled in the environment.
• If a security group is associated with an environment, only users with Common Data Service licenses that are members of the environment security group will be created as users in the Common Data Service environment.
• When you assign a security group to an environment, that environment will not show up in home.dynamics.com for users not in the group.
• If you do not assign a security group to an environment, the environment will show up in home.dynamics.com even for those who have not been assigned a security role in that Common Data Service environment.
• If you do not specify a security group, all users who have a Common Data Service license (customer engagement apps, such as Dynamics 365 Sales and Customer Service) will be added to the new environment.
• New: Security groups cannot be assigned to default and developer environment types. If you've already assigned a security group to your default or developer environment, we recommend removing it since the default environment is intended to be shared with all users in the tenant and the developer environment is intended for use by only the owner of the environment.
• Common Data Service environments support associating the following group types: Security and Microsoft 365. Associating other group types is not supported.

NOTE
All licensed users, whether or not they are members of the security groups, must be assigned security roles to access
environments. You assign the security roles in the web application. Users can't access environments until they are assigned at
least one security role for that environment. For more information, see Configure environment security.

Create a security group and add members to the security group


1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select + Add a group.
4. Change the type to Security group, add the group Name and Description. Select Add > Close.
5. Select the group you created, and then next to Members, select Edit.
6. Select + Add members. Select the users to add to the security group, and then select Save > Close several
times to return to the Groups list.
7. To remove a user from the security group, select the security group, next to Members, select Edit. Select -
Remove members, and then select X for each member you want to remove.

NOTE
If the users you want to add to the security group are not created, create the users and assign to them the Common Data
Service licenses.
To add multiple users, see: bulk add users to Office365 groups.

Create a user and assign license


1. In the Microsoft 365 admin center, select Users > Active users > + Add a user. Enter the user
information, select licenses, and then select Add.
More information: Add users and assign licenses at the same time

Associate a security group with a Common Data Service environment


1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 admin, Global admin, or Power Platform admin).
2. In the navigation pane, select Environments, select an environment, and then select Edit.
3. In the Settings page, select Edit.
4. Select a security group, select Done, and then select Save.

The security group is associated with the environment.

Remove a security group's association with a Common Data Service environment

1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 admin, Microsoft 365 Global admin, or Power Platform admin).
2. In the navigation pane, select Environments, select an environment, and then select Edit.
3. In the Settings page, select Delete.
4. Confirm removal, select Remove, and then select Save.
The security group associated with the environment will be removed and the environment's access will no longer
be restricted to only users that are members of that group.
See also
Create users and assign security roles

Diagnose user access in an environment
10/16/2020 • 2 minutes to read

Multiple factors affect user access to Common Data Service environments. Administrators can use the Run
diagnostics command to assess user access to a Common Data Service environment, and get details and
mitigation suggestions as to why a user can or can't access the environment.
To access a Common Data Service environment, a user must meet the following criteria:
1. Be enabled for sign-in in Azure Active Directory (Azure AD).
2. Have a valid license that has a Dynamics 365 or Microsoft Power Platform recognized service plan, or the
environment must have active per-app plans.
3. Be a member of the environment's Azure AD group (if one has been associated with the environment).
4. Have at least one Common Data Service security role assigned directly to them or to a group team they're a
member of.
A user's level of access within the environment and to the resources (apps and data) in the environment is
determined by the privileges defined in the security roles assigned to that user. Their access mode being
Administrative or Read-Write also determines their level of access within an environment.
Use the following steps to run user access diagnostics on a user in a Common Data Service environment.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Users.
3. Select a user.
4. Select Run diagnostics.
5. Review the details for the user, and take any needed corrective actions.

NOTE
The action of running or rerunning diagnostics will force the user information in Azure AD to synchronize to the
environment's Common Data Service database to provide up-to-date status on the user's properties. If the diagnostic run
doesn't eliminate the root cause of a user access issue, please provide the results of the diagnostic run in the support ticket
you create; this will greatly help Microsoft Support engineers to resolve your issue faster.

Known issue
The check for the presence of security roles assigned to a user only checks for roles directly assigned to the user
and can't currently check for roles inherited through group team memberships.
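
The four access criteria above, and the effect of associating a security group described in the security groups article, can be modeled offline to review a change before making it. The following is an added example, not Microsoft code and not the logic of the Run diagnostics command: the class names, function names, and all user data are constructed assumptions, and it counts roles inherited through group teams, which the known issue says the built-in check does not.

```python
"""Added example: model of the four access criteria and of associating a security group."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set


@dataclass
class User:
    upn: str
    sign_in_enabled: bool = True            # criterion 1: enabled for sign-in in Azure AD
    has_recognized_license: bool = True     # criterion 2: license with a recognized service plan
    groups: Set[str] = field(default_factory=set)        # Azure AD group memberships
    direct_roles: Set[str] = field(default_factory=set)  # roles assigned directly
    group_teams: Set[str] = field(default_factory=set)   # group teams the user belongs to


@dataclass
class Environment:
    name: str
    security_group: Optional[str] = None    # associated Azure AD group, if any
    per_app_plans_active: bool = False      # alternative way to satisfy criterion 2
    team_roles: Dict[str, Set[str]] = field(default_factory=dict)  # group team -> roles


def effective_roles(user: User, env: Environment) -> Set[str]:
    """Roles held directly plus roles inherited through group teams."""
    roles = set(user.direct_roles)
    for team in user.group_teams:
        roles |= env.team_roles.get(team, set())
    return roles


def diagnose(user: User, env: Environment) -> List[str]:
    """Return the criteria the user fails; an empty list means access is possible."""
    failures = []
    if not user.sign_in_enabled:
        failures.append("sign-in disabled in Azure AD")
    if not (user.has_recognized_license or env.per_app_plans_active):
        failures.append("no recognized license and no active per-app plans")
    if env.security_group and env.security_group not in user.groups:
        failures.append("not a member of the environment's security group")
    if not effective_roles(user, env):
        failures.append("no security role (direct or via group team)")
    return failures


def roles_only_via_team(user: User, env: Environment) -> bool:
    """True for users a direct-assignment-only role check would wrongly flag."""
    return not user.direct_roles and bool(effective_roles(user, env))


def preview_group_association(users: List[User], env: Environment, group: str) -> List[str]:
    """Users who can access the environment now but would not once `group` is associated."""
    after = replace(env, security_group=group)
    return sorted(u.upn for u in users if not diagnose(u, env) and diagnose(u, after))


# Constructed sample data; the environment and group names reuse the Coho Winery scenario.
ENV = Environment("Coho Winery Sales", team_roles={"Sales team": {"Salesperson"}})
USERS = [
    User("alice@coho.example", groups={"Sales_SG"}, direct_roles={"Salesperson"}),
    User("bob@coho.example", groups={"Marketing_SG"}, direct_roles={"Salesperson"}),
    User("carol@coho.example", groups={"Sales_SG"}, group_teams={"Sales team"}),
    User("dave@coho.example", has_recognized_license=False,
         groups={"Sales_SG"}, direct_roles={"Salesperson"}),
    User("erin@coho.example", sign_in_enabled=False,
         groups={"Sales_SG"}, direct_roles={"Salesperson"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.upn, diagnose(u, ENV) or "OK",
              "(roles via team only)" if roles_only_via_team(u, ENV) else "")
    print("Would lose access if Sales_SG is associated:",
          preview_group_association(USERS, ENV, "Sales_SG"))
```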

Security roles and privileges
10/16/2020 • 8 minutes to read

To control data access, you must set up an organizational structure that both protects sensitive data and enables
collaboration. You do this by setting up business units, security roles, and field security profiles.

TIP
Check out the following video: How to set up security roles.

Security roles
A security role defines how different users, such as salespeople, access different types of records. To control
access to data, you can modify existing security roles, create new security roles, or change which security roles are
assigned to each user. Each user can have multiple security roles.
Security role privileges are cumulative: having more than one security role gives a user every privilege available
in every role.
Each security role consists of record-level privileges and task-based privileges.
Record-level privileges define which tasks a user with access to the record can do, such as Read, Create, Delete,
Write, Assign, Share, Append, and Append To. Append means to attach another record, such as an activity or note,
to a record. Append to means to be attached to a record. More information: Record-level privileges.
Task-based privileges, at the bottom of the form, give a user privileges to perform specific tasks, such as publish
articles.
The colored circles on the security role settings page define the access level for that privilege. Access levels
determine how deep or high in the organizational business unit hierarchy the user can perform the specified
privilege. The following table lists the levels of access in the app, starting with the level that gives users the most
access.

• Global. This access level gives a user access to all records in the organization, regardless of the business unit hierarchical level that the environment or the user belongs to. Users who have Global access automatically have Deep, Local, and Basic access, also. Because this access level gives access to information throughout the organization, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the organization. The application refers to this access level as Organization.
• Deep. This access level gives a user access to records in the user's business unit and all business units subordinate to the user's business unit. Users who have Deep access automatically have Local and Basic access, also. Because this access level gives access to information throughout the business unit and subordinate business units, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business units. The application refers to this access level as Parent: Child Business Units.
• Local. This access level gives a user access to records in the user's business unit. Users who have Local access automatically have Basic access, also. Because this access level gives access to information throughout the business unit, it should be restricted to match the organization's data security plan. This level of access is usually reserved for managers with authority over the business unit. The application refers to this access level as Business Unit.
• Basic. This access level gives a user access to records that the user owns, objects that are shared with the user, and objects that are shared with a team that the user is a member of. This is the typical level of access for sales and service representatives. The application refers to this access level as User.
• None. No access is allowed.

IMPORTANT
To ensure that users can view and access all areas of the web application, such as entity forms, the nav bar, or the command
bar, all security roles in the organization must include the Read privilege on the Web Resource entity. For example, without
read permissions, a user won't be able to open a form that contains a web resource and will see an error message similar to
this: "Missing prvReadWebResource privilege." More information: Create or edit a security role

Record-level privileges
Power Apps and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics
365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) use eight different
record-level privileges that determine the level of access a user has to a specific record or record type.

PRIVILEGE    DESCRIPTION

Create       Required to make a new record. Which records can be created depends on the access level of the
             permission defined in your security role.

Read         Required to open a record to view the contents. Which records can be read depends on the access
             level of the permission defined in your security role.

Write        Required to make changes to a record. Which records can be changed depends on the access level of
             the permission defined in your security role.

Delete       Required to permanently remove a record. Which records can be deleted depends on the access level
             of the permission defined in your security role.

Append       Required to associate the current record with another record. For example, a note can be attached
             to an opportunity if the user has Append rights on the note. The records that can be appended
             depend on the access level of the permission defined in your security role.
             In case of many-to-many relationships, you must have Append privilege for both entities being
             associated or disassociated.

Append To    Required to associate a record with the current record. For example, if a user has Append To
             rights on an opportunity, the user can add a note to the opportunity. The records that can be
             appended to depend on the access level of the permission defined in your security role.

Assign       Required to give ownership of a record to another user. Which records can be assigned depends on
             the access level of the permission defined in your security role.

Share        Required to give access to a record to another user while keeping your own access. Which records
             can be shared depends on the access level of the permission defined in your security role.

Overriding security roles


The owner of a record or a person who has the Share privilege on a record can share a record with other users or
teams. Sharing can add Read, Write, Delete, Append, Assign, and Share privileges for specific records.
Teams are used primarily for sharing records that team members ordinarily couldn't access. More information:
Manage security, users and teams.
It's not possible to remove access for a particular record. Any change to a security role privilege applies to all
records of that record type.
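
The access levels, record-level privileges, and sharing described above can be checked against each other with a small model. The following Python sketch is an added example, not product code: the business unit names, users, and records are constructed, and it assumes that a shared record is reachable only when the user holds at least Basic access for that privilege, which is how this model reads the Basic and None definitions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Access levels from the table above, lowest to highest."""
    NONE = 0
    BASIC = 1   # shown in the application as "User"
    LOCAL = 2   # "Business Unit"
    DEEP = 3    # "Parent: Child Business Units"
    GLOBAL = 4  # "Organization"


# Constructed business unit tree: child -> parent (None marks the root).
BU_PARENT = {"Contoso": None, "Sales": "Contoso",
             "Sales-EMEA": "Sales", "Service": "Contoso"}


def in_subtree(bu, root):
    """True if `bu` is `root` or any business unit below it."""
    while bu is not None:
        if bu == root:
            return True
        bu = BU_PARENT[bu]
    return False


@dataclass
class User:
    name: str
    business_unit: str
    teams: frozenset = frozenset()
    privileges: dict = field(default_factory=dict)  # (entity, privilege) -> Level


@dataclass
class Record:
    entity: str
    owner: str
    owner_bu: str
    shares: dict = field(default_factory=dict)  # user or team -> set of privileges


def explain_access(user, privilege, record):
    """Return which rule lets `user` use `privilege` on `record`, or None."""
    level = user.privileges.get((record.entity, privilege), Level.NONE)
    if level >= Level.GLOBAL:
        return "Global"
    if level >= Level.DEEP and in_subtree(record.owner_bu, user.business_unit):
        return "Deep"
    if level >= Level.LOCAL and record.owner_bu == user.business_unit:
        return "Local"
    if level >= Level.BASIC:
        if record.owner == user.name:
            return "Basic (owner)"
        # Sharing adds a privilege on one specific record, for a user or a team.
        for principal in sorted({user.name} | user.teams):
            if privilege in record.shares.get(principal, ()):
                return f"Basic (shared with {principal})"
    return None  # Level.NONE, or nothing above matched


# Constructed users and records.
ALICE = User("alice", "Sales", frozenset({"Deal Desk"}),
             {("account", "Read"): Level.DEEP, ("account", "Write"): Level.BASIC})
DAVE = User("dave", "Service")  # holds no privilege on account at all
EMEA_ACCOUNT = Record("account", "bob", "Sales-EMEA", {"Deal Desk": {"Write"}})
SERVICE_ACCOUNT = Record("account", "carol", "Service", {"dave": {"Read"}})

if __name__ == "__main__":
    for who, priv, rec in [(ALICE, "Read", EMEA_ACCOUNT), (ALICE, "Write", EMEA_ACCOUNT),
                           (ALICE, "Read", SERVICE_ACCOUNT), (DAVE, "Read", SERVICE_ACCOUNT)]:
        print(who.name, priv, rec.owner_bu, "->", explain_access(who, priv, rec))
```

In the sample data, the share to dave has no effect because his role gives him no Read privilege on the entity, while alice gains Write on one record only through her team.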

Team member's privilege inheritance


User and Team privileges
User privileges: The user is granted these privileges directly when a security role is assigned to the user. The
user can create records, and has access to records that the user created or owns, when the Basic access level for
Create and Read is given. This is the default setting for new security roles.
Team privileges: The user is granted these privileges as a member of the team. Team members who do not
have user privileges of their own can only create records with the team as the owner, and they have
access to records owned by the team when the Basic access level for Create and Read is given.
A security role can be set to provide a team member with direct Basic-level access user privileges. A team
member can create records that they own and records that have the team as owner when the Basic access level
for Create is given. When the Basic access level for Read is given, a team member can access records that are
owned by both that team member and by the team.
This member's privilege inheritance role is applicable to Owner and Azure Active Directory (Azure AD) Group
teams.

NOTE
Prior to the release of team member's privilege inheritance in May 2019, security roles behaved as Team privileges.
Security roles created before this release are set as Team privileges, and security roles created after this release
are by default set as User privileges.

Create a security role with team member's privilege inheritance


Prerequisites
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > User's + permissions > Security roles.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > User's + permissions > Security roles.
2. On the command bar, select New.
3. Enter a role name.
4. Select the Member's privilege inheritance drop-down list.
5. Select Direct User/Basic access level and Team privileges.
6. Go to each tab and set the appropriate privileges on each entity.
To change the access level for a privilege, select the access-level symbol until you see the symbol you want.
The access levels available depend on whether the record type is organization-owned or user-owned.
NOTE
You can also set this privilege inheritance property for all out-of-the-box security roles except the System Administrator
role. When a privilege inheritance security role is assigned to a user, the user gets all the privileges directly, just like a
security role without privilege inheritance.
You can only select Basic level privileges in the member's privilege inheritance. If you need to provide access to a child
business unit, you will need to elevate the privilege to Deep. For example, you need to assign a security role to the Group
team and you want the members of this group to be able to Append to Account. You set up the security role with a Basic
level member's privilege inheritance, and in the Append to Account privilege, you set it to Deep. This is because Basic
privileges are only applicable to the user's business unit.

Assigning security roles


In order to assign security roles to a user, you need to have the appropriate privileges (minimum privileges are
'Read' and 'Assign' on the Security Role entity). To prevent elevation of security role privileges, the person who is
assigning the security role cannot assign someone else a security role that has more privileges than the
assigner holds; for example, a CSR Manager cannot assign the System Administrator role to another user.
By default, the System Administrator security role has all the required privileges to assign security roles to any
user including assigning the System Administrator security role. If you have a need to allow non-System
Administrators to assign security roles, you should consider creating a custom security role. See Create an
administrative user and prevent elevation of security role privilege.
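
The elevation rule above can be expressed as a pre-assignment review, using the page's statement that multiple security roles are cumulative. This Python sketch is an added example, not the platform's own check: the role contents are constructed, and it assumes "more privileges" means a higher access level on any single entity privilege than the assigner's combined roles provide.

```python
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    BASIC = 1
    LOCAL = 2
    DEEP = 3
    GLOBAL = 4


def effective(roles):
    """Cumulative effect of several roles: highest level per (entity, privilege)."""
    merged = {}
    for role in roles:
        for key, level in role.items():
            merged[key] = max(merged.get(key, Level.NONE), level)
    return merged


def review_assignment(assigner_roles, target_role):
    """Decide whether the assigner may hand out `target_role`, and say why not."""
    held = effective(assigner_roles)
    # Minimum privileges named on the page: Read and Assign on the Security Role entity.
    missing = [p for p in ("Read", "Assign")
               if held.get(("Security Role", p), Level.NONE) == Level.NONE]
    # Any privilege the target role grants at a higher level than the assigner holds.
    excess = sorted(
        (entity, priv, held.get((entity, priv), Level.NONE).name, level.name)
        for (entity, priv), level in target_role.items()
        if level > held.get((entity, priv), Level.NONE)
    )
    return {"allowed": not missing and not excess, "missing": missing, "excess": excess}


# Constructed role definitions: (entity, privilege) -> Level.
CSR_MANAGER = {("Case", "Read"): Level.DEEP, ("Case", "Write"): Level.DEEP,
               ("Account", "Read"): Level.LOCAL}
ROLE_ADMIN = {("Security Role", "Read"): Level.GLOBAL,
              ("Security Role", "Assign"): Level.GLOBAL}
CSR = {("Case", "Read"): Level.LOCAL, ("Case", "Write"): Level.BASIC}
SYSTEM_ADMINISTRATOR = {("Case", "Read"): Level.GLOBAL, ("Case", "Write"): Level.GLOBAL,
                        ("Account", "Read"): Level.GLOBAL,
                        ("Security Role", "Read"): Level.GLOBAL,
                        ("Security Role", "Assign"): Level.GLOBAL}

if __name__ == "__main__":
    print(review_assignment([CSR_MANAGER], CSR))
    print(review_assignment([CSR_MANAGER, ROLE_ADMIN], CSR))
    print(review_assignment([CSR_MANAGER, ROLE_ADMIN], SYSTEM_ADMINISTRATOR))
```

The same comparison is useful when designing a custom role for non-System Administrators who assign roles: the excess list shows exactly which privileges would let a delegate hand out more access than they hold.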
Create users and assign security roles
10/16/2020 • 17 minutes to read

You use the Microsoft 365 admin center to create user accounts for every user who needs access to customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation). The user account registers the user with the
Microsoft Online Services environment. In addition to registration with the online service, the user account must
be assigned a license in order for the user to have access to the service. Note that when you assign a user the
global administrator or the service administrator role in the Microsoft Online Services environment, it
automatically assigns the user the System Administrator security role. More information: Differences between the
Microsoft Online services environment administrative roles and security roles

Create a user account


When you create a user account in the Microsoft 365 admin center, the system generates a user ID and temporary
password for the user. You have the option to let the service send an email message to the user as clear text.
Although the password is temporary, you might consider copying the information to send to the user through a
more secure channel, such as from an email service that can digitally encrypt the contents. For step-by-step
instructions for creating a Microsoft Online Services user account, see Add users individually or in bulk.

NOTE
When you create a user and assign a license in the Microsoft 365 admin center, the user is also created in customer
engagement apps. It can take a few minutes to complete the synchronization process between the Microsoft 365 admin
center and customer engagement apps.
By entering a user ID and password, a user can access the Microsoft 365 admin center to view information about the
service. However, the user won't have access to customer engagement apps until the user has a security role assigned
either directly or indirectly as a member of a group team.

TIP
To force an immediate synchronization between the Microsoft 365 admin center and customer engagement apps, do the
following:
Sign out of the customer engagement app and the Microsoft 365 admin center.
Close all open browsers used for the customer engagement app and the Microsoft 365 admin center.
Sign back in to the customer engagement app and the Microsoft 365 admin center.

User profile information


Some user profile information is maintained and managed in the Microsoft 365 admin center. After you create or
update a user, these user profile fields are automatically updated and synchronized in your Microsoft Power
Platform environments.
The following table shows the fields that are managed in the Users section of the Microsoft 365 admin center.
CUSTOMER ENGAGEMENT APPS USER FORM    MICROSOFT 365/AZURE AD USER

User Name                             Username
Full Name                             First name + Last name
Title                                 Job title
Primary Email*                        Email
Main Phone                            Office phone
Mobile Phone                          Mobile phone
Fax                                   Fax number
Address                               Street address
Address                               City
Address                               State or province
Address                               Country or region

* To prevent data loss, the Primary Email field isn't automatically updated and synchronized with customer engagement apps.

The following image shows Microsoft 365 user contact fields.

Add a license to a user account


You can license the user when you create the user account, or you can license the user later. You must assign a
license to every user account that you want to access the online service.
For step-by-step instructions to use user licenses, see Assign licenses to users.
For step-by-step instructions to use Power Apps per app plans, see Power Apps per app plans.

IMPORTANT
Licensed users must be assigned at least one security role to access customer engagement apps. Security roles can be
assigned either directly or indirectly as a member of a group team.

About user licenses


Use user licenses to provide access to your organization. You need one user license per person with an
active user record who signs in to your organization.
When you add a new person, the New user account form displays the number of user licenses available.
You can add additional licenses by choosing Billing > Purchase Services from the left-side menu in the
Microsoft 365 admin center.
You need a user license for each invitation you issue. Even an invitation that isn't accepted requires a user
license until the invitation expires two weeks after it was issued.
If you have more user licenses than you're using, contact support to reduce the number of licenses. You
can't reduce the number of licenses to fewer than you're currently using or fewer than your offer allows.
Any changes are reflected in your next billing cycle.
Each user license requires a unique Microsoft account, and every user who signs in needs a license. Most
subscriptions include a specific number of user licenses.

NOTE
Certain default security roles are assigned to users based on the license and/or solution installed. These security roles only
give users Read access to apps that are installed in the environment. For example, when a user is assigned the Dynamics
365 Plan license and is synced to an environment that has the Customer Service Hub app, the user is automatically
assigned the Customer Service app access security role. No data access permission is granted to this role. The administrator
is still required to assign the appropriate security role to the user (either directly or indirectly as a member of a group team)
in order for the user to view and interact with the data.

Assign a security role to a user


Security roles control a user's access to data through a set of access levels and permissions. The combination of
access levels and permissions that are included in a specific security role sets limits on the user's view of data and
on the user's interactions with that data.
Customer engagement apps provide a default set of security roles. If necessary for your organization, you can
create new security roles by editing one of the default security roles and then saving it under a new name.
You can assign more than one security role to a user. The effect of multiple security roles is cumulative, which
means that the user has the permissions associated with all security roles assigned to the user.
Security roles are associated with business units. If you've created business units, only those security roles
associated with the business unit are available for the users in the business unit. You can use this feature to limit
data access to data owned by the business unit.
You need to have the appropriate privileges in order to assign security roles to another user. See Assigning
security roles.
For more information about the difference between Microsoft Online Services administrator roles and security
roles, see Grant users access.
IMPORTANT
You must assign at least one security role to every user either directly or indirectly as a member of a group team. The
service doesn't allow access to users who don't have at least one security role.

To assign security roles to users in an environment that has zero or one Common Data Service database, see
Configure user security to resources in an environment.

(Optional) Assign an administrator role


You can share Microsoft Online Services environment administration tasks among several people by assigning
Microsoft Online Services environment administrator roles to users you select to fill each role. You might decide
to assign the global administrator role to a second person in your organization for times when you're not
available.
There are five Microsoft Online Services environment administrator roles with varying levels of permissions. For
example, the password reset administrator role can reset user passwords only; the user management
administrator role can reset user passwords in addition to adding, editing, or deleting user accounts; and the
global administrator role can add online service subscriptions for the organization and manage all aspects of
subscriptions. For detailed information about Microsoft Online Services administrator roles, see Assigning Admin
Roles.

NOTE
Microsoft Online Services environment administrator roles are valid only for managing aspects of the online service
subscription. These roles don't affect permissions within the service.

Enable or disable user accounts


User enablement and disablement only applies to environments that have a Common Data Service database. To
enable a user in an environment that has a Common Data Service database, ensure that they're allowed to sign in,
assign a license to the user, and then add the user to the security group that's associated with the environment.
These are the same criteria used to add users to an environment.
To enable a user, assign a license to the user and add the user to the security group that's associated with an
environment. If you enable a user account that was disabled, you must send a new invitation for the user to access
the system.
To disable a user account, remove a license from the user or remove the user from the security group that's
associated with an environment. Removing a user from the security group doesn't remove the user's license. If
you want to make the license available to another user, you have to remove the license from the user account that
was disabled.
NOTE
You can also remove all security roles from a user to prevent the user from signing in to and accessing customer
engagement apps. However, this doesn't remove the license from the user, and the user will remain in the list of enabled
users. We don't recommend using this method to remove access from a user.
When you use a security group to manage enabling or disabling users or provisioning access to an org, nested security
groups within the selected security group aren't supported and will be ignored.
You can assign records to a disabled user account and also share reports and accounts with them. This can be useful when
migrating on-premises versions to online. If you need to assign a security role to users who have a Disabled status, you can
do so by enabling the allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.
A Global admin, Power Platform admin, or a Dynamics 365 admin does not need a license to be enabled in a Common Data
Service environment. See: Global admins and Power Platform admins can administer without a license. But since they are
unlicensed, they will be set in the Administrative access mode.

You must be a member of an appropriate administrator role to do these tasks. More information: Assign admin
roles
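
The enablement criteria above (sign-in allowed, a license, and membership in the environment's security group, with nested groups ignored) can be checked against a directory export before users report access problems. This Python sketch is an added example: the export format, group names, and accounts are constructed, it computes the state those criteria predict, and the license exemption for admin roles is not modelled.

```python
# Constructed sample export: group -> direct user members and nested groups.
GROUPS = {
    "env-prod-users": {"users": {"ana@example.com", "ben@example.com"},
                       "groups": {"emea-sales"}},
    # The back-reference creates a cycle on purpose to exercise the guard.
    "emea-sales": {"users": {"chi@example.com"}, "groups": {"env-prod-users"}},
}
USERS = [
    {"upn": "ana@example.com", "sign_in_allowed": True, "licensed": True},
    {"upn": "ben@example.com", "sign_in_allowed": True, "licensed": False},
    {"upn": "chi@example.com", "sign_in_allowed": True, "licensed": True},
    {"upn": "dee@example.com", "sign_in_allowed": False, "licensed": True},
]


def membership_path(upn, group, groups, seen=None):
    """Return the chain of groups leading to `upn`, or None.

    A result of length 1 is direct membership; anything longer means the user
    is reachable only through nesting.
    """
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return None
    seen.add(group)
    if upn in groups[group]["users"]:
        return [group]
    for child in sorted(groups[group]["groups"]):
        path = membership_path(upn, child, groups, seen)
        if path:
            return [group] + path
    return None


def audit_user(user, env_group, groups):
    """Predict whether the user is enabled in the environment and list blockers."""
    reasons = []
    if not user["sign_in_allowed"]:
        reasons.append("sign-in blocked")
    if not user["licensed"]:
        reasons.append("no license assigned")
    path = membership_path(user["upn"], env_group, groups)
    if path is None:
        reasons.append(f"not in security group {env_group}")
    elif len(path) > 1:
        # Nested security groups are ignored for enablement.
        reasons.append("member only through nested group " + " > ".join(path[1:]))
    enabled = not reasons
    return {
        "upn": user["upn"],
        "enabled": enabled,
        "reasons": reasons,
        # Removing a user from the group does not free the license.
        "license_held_while_disabled": user["licensed"] and not enabled,
    }


def audit(users, env_group, groups):
    return [audit_user(u, env_group, groups) for u in users]


if __name__ == "__main__":
    for row in audit(USERS, "env-prod-users", GROUPS):
        print(row)
```

Rows with license_held_while_disabled set are accounts whose license can be reclaimed, and the nested-group reason identifies users who look like members in the directory but are not provisioned.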
Enable a user account in an environment
To enable a user in an environment that has a Common Data Service database, you enable sign-in for the user,
assign a license to the user, and then add the user to a security group.
To enable sign-in
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Ensure that under the user's display name, you see Sign in allowed. If you don't, select Block this user, and
then unblock sign in.
To assign a license
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Select the Licenses and Apps tab, and then select the licenses you want to assign.
4. Select Save changes.
To add a user to a security group
1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select the security group that's associated with your environment.
4. Select the Members tab.
5. Under Members, select View all and manage members > Add members.
6. Choose users from the list or search for users, and then select Save.
Disable a user account in an environment
To disable a user account in an environment that has a Common Data Service database, you can either remove
the user from the security group or remove the license from the user.
To remove a user from a security group
1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select the security group that's associated with your environment.
4. Select the Members tab.
5. Under Members, select View all and manage members.
6. Select the users in the list to remove them, and then select Save.
To remove a license from a user
1. Sign in to the Microsoft 365 admin center.
2. Select Users > Active users, and then select the user.
3. Select the Licenses and Apps tab, and then select the licenses you want to remove.
4. Select Save changes.
Note that removing a license from a user might not always result in disabling the user account, though the license
will be freed up for assigning to another user. The recommended approach to disabling a user account in an
environment is to remove them from the security group that's associated with the environment.

NOTE
You can also delete users in the Microsoft 365 admin center. When you remove a user from your subscription, the license
assigned to that user automatically becomes available to be assigned to a different user. If you want the user to still have
access to other applications you manage through Microsoft 365—for example, Microsoft Exchange Online or SharePoint—
don't delete them as a user. Instead, simply remove the license you've assigned to them.
When you sign out of the Microsoft 365 admin center, you aren't signing out of customer engagement apps. You have to
do that separately.

TIP
To force an immediate synchronization between the Microsoft 365 admin center and customer engagement apps, do the
following:
Sign out of the customer engagement app and the Microsoft 365 admin center.
Close all open browsers used for the customer engagement app and the Microsoft 365 admin center.
Sign back in to the customer engagement app and the Microsoft 365 admin center.

Create a Read-Write user account


By default, all licensed users are created with an access mode of Read-Write. This access mode provides full
access rights to the user based on the security privileges that are assigned.
To update the access mode of a user
1. In the Power Platform admin center, select an environment, and go to Settings > User's + permissions
> Users.
2. Select Enabled Users, and then select a user's full name.
3. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Read-Write.
4. Select the Save icon.

Create an Administrative user account


An Administrative user is a user who has access to the Settings and Administration features but has no access to
any of the functionality. Use this account to assign administrative users to perform day-to-day maintenance
functions (create user accounts, manage security roles, and so on). Because an administrative user doesn't have
access to customer data or any functionality, the user doesn't require a license (after setup).
You need to have the System Administrator security role or equivalent permissions to create an administrative
user. First, you'll create a user account in Microsoft 365, and then, in the customer engagement app, select the
Administrative access mode for the account.

NOTE
See Create an administrative user and prevent elevation of security role privilege for an example of how an Administrative
user account can be used.

1. Create a user account in the Microsoft 365 admin center.


Be sure to assign a license to the account. You'll remove the license (in step 12) after you've assigned the
Administrative access mode.
2. In the Optional settings form, expand Roles.
3. Clear the User (no administrator access) check box.
4. Scroll down the form, and then select the Show all link.
5. Select the service administrator check box. Note: If you've selected Global Administrator, you don't
need to select this option.
Wait for the user to sync to the environments.
6. In the Power Platform admin center, select an environment, and go to Settings > User's + permissions
> Users.
7. Select Enabled Users, and then select a user's full name.
8. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Administrative.
Now you need to remove the license from the account.
9. Go to the Microsoft 365 admin center.
10. Select Users > Active Users.
11. Select the Administrative user account, and then select the Licenses and Apps tab.
12. Clear the license box(es), and then select Save changes.

Create a non-interactive user account


The non-interactive user isn't a "user" in the typical sense—it doesn't represent a person, it's an access mode that's
created by means of a user account. It's used for programmatic access to and from customer engagement apps
between applications. A non-interactive user account lets these applications or tools—such as a connector from
customer engagement apps to ERP—authenticate and access customer engagement apps without requiring a
license. For each environment, you can create up to seven non-interactive user accounts.
You need to have the System Administrator security role or equivalent permissions to create a non-interactive
user. First, you'll create a user account in Microsoft 365. Then, in customer engagement apps, select the non-
interactive access mode for the account.
1. Create a user account in the Microsoft 365 admin center.
Be sure to assign a license to the account.
2. In the Power Platform admin center, select an environment, and go to Settings > User's + permissions
> Users.
3. Select Enabled Users, and then select a user's full name.
4. In the user form, scroll down under Administration to the Client Access License (CAL) Information
section. In the Access Mode list, select Non-interactive.
You then need to remove the license from the account.
5. Go to the Microsoft 365 admin center.
6. Select Users > Active Users.
7. On the Licenses and Apps tab, select the non-interactive user account.
8. Clear the license box(es), and then select Save changes.
9. Go back to the customer engagement app and confirm that the non-interactive user account Access
Mode is still set for Non-interactive.

Create an application user


You can use server-to-server (S2S) authentication to securely and seamlessly communicate between Common
Data Service and your web applications and services. S2S authentication is the common way that apps registered
on Microsoft AppSource use to access the Common Data Service data of their subscribers. All operations
performed by your application or service by using S2S will be performed as the application user you provide,
rather than the user who's accessing your application.
All application users are created with a non-interactive user account, however they aren't counted toward the limit
of seven non-interactive user accounts. In addition, there's no limit on how many application users you can create
in an environment.

For step-by-step information about creating an application user, see Application user creation.
Enable or disable application users
When application users are created, they're automatically enabled. The default Application User form shows the
status in the form footer; the Status field can't be updated.
You can customize the default Application User form to allow updates to the Status field so that you can enable
or disable application users, if required. For step-by-step information about customizing the default Application
User form, see Enable or disable application users.
Caution

Disabling an application user will break all the integration scenarios that use the application user.

How stub users are created


A stub user is a user record that has been created as a placeholder. For example, records have been imported that
refer to this user but the user doesn't exist in customer engagement apps. This user can't sign in, can't be enabled,
and can't be synchronized to Microsoft 365. This type of user can only be created through data import.
A default security role is automatically assigned to these imported users. The Salesperson security role is
assigned in an environment and the Common Data Service User security role is assigned in a Power Apps
environment.

NOTE
By default, a security role can only be assigned to users with an Enabled status. If you need to assign a security role to users
who have a Disabled status, you can do so by enabling the allowRoleAssignmentOnDisabledUsers OrgDBOrgSettings.

Update a user record to reflect changes in Azure AD


When you create a new user or update an existing user in Dynamics 365 Customer Engagement (on-premises),
some fields in the user records, such as name and phone number, are populated with the information obtained
from Active Directory Domain Services (AD DS). After the user record is created, no further synchronization
occurs between Azure AD user accounts and customer engagement apps user records. If you make changes to the
Azure AD user account, you must manually edit the user record to reflect the changes.
1. In the Power Platform admin center, select an environment, and go to Settings > User's + permissions
> Users.
2. In the list, select the user record you want to update, and then select Edit.
The following table shows the fields that are populated on the user form (user record) from the Azure AD user
account.

USER FORM        ACTIVE DIRECTORY USER    ACTIVE DIRECTORY OBJECT TAB

User name        User logon name          Account
First name       First name               General
Last name        Last name                General
Main Phone       Telephone number         General
Primary Email    Email                    General
Address*         City                     Address
Address*         State/province           Address
Home phone       Home                     Telephones

* The Address field comprises the values from the City and State/province fields in Azure AD.
See also
Get started with security roles in Common Data Service
Use service admin roles to manage your tenant
10/16/2020 • 2 minutes to read

To help you administer environments and settings for Power Platform, you can assign users to manage at the
tenant level without having to assign the more powerful Microsoft 365 global admin privilege.
There are two Power Platform related service admin roles you can assign to provide a high level of admin
management.

Dynamics 365 administrator


The Dynamics 365 admin can:
Sign in to and manage multiple environments. If an environment uses a security group, a service admin would
need to be added to the security group in order to manage that environment. A service admin who isn't added to
a security group that's in place is essentially locked out of any admin management.
Perform admin functions in Power Platform because they have the system admin role.

Power Platform administrator


Users with the Power Platform admin role can:
Sign in to and manage multiple environments. Power Platform admins are not affected by security group
membership and can manage environments even if not added to an environment's security group.
Perform admin functions in Power Platform because they have the system admin role.
Neither service admin role can perform functions restricted to the Microsoft 365 global admin, such as managing
user accounts, managing subscriptions, or accessing settings for Microsoft 365 apps like Microsoft Exchange or
Microsoft SharePoint.

Assign a service admin role to a user


Follow these steps to assign a service admin role.
1. Sign in to the Microsoft 365 admin center as a global admin.
2. Go to Users > Active users and select a user.
3. Under Account > Roles select Manage roles.
4. Select to expand Show all by category.
5. Under Collaboration select either Dynamics 365 administrator or Power Platform administrator.
6. Select Save changes.

Service administrator permission matrix


The following matrix shows what management is possible with the various service admin roles compared to the
Microsoft 365 global admin role.
                                      MICROSOFT 365   POWER PLATFORM  DYNAMICS 365    POWER BI
                                      GLOBAL ADMIN    ADMIN           ADMIN           ADMIN

POWER PLATFORM

Environments
  Full access¹                        Yes             Yes             Yes²            No
  Create                              Yes             Yes             Yes²            No
  Backup and restore                  Yes             Yes             Yes²            No
  Copy                                Yes             Yes             Yes²            No
  Ability to exclude access from      No              No              Yes             Yes
  selected environments (using
  security groups)

Analytics
  Capacity                            Yes             Yes             Yes²            No
  Capacity allocation (Power Apps     Yes             Yes             Yes²            No
  per app plans, Power Automate,
  AI Builder, and Portal)
  Common Data Service                 Yes             Yes             Yes²            No
  Power Automate                      Yes             Yes             Yes²            No
  Power Apps                          Yes             Yes             Yes²            No

Help + support
  Create and access support requests  Yes             Yes             Yes²            No

Data integration
  Create new project and              Yes             Yes             Yes²            No
  connection set

Data gateways
  View gateways                       Yes             Yes             Yes²            No

Data policies
  View and manage tenant policies     Yes             Yes             Yes²            No
  View and manage environment         Yes             Yes             Yes²            No
  policies

POWER BI
  Manage the Power BI tenant          Yes             Yes             No              Yes
  Acquire and assign Power BI         Yes             No              No              No
  licenses

MICROSOFT 365
  Create users                        Yes             No              No              No
  Add security roles                  Yes             No              No              No
  Add licenses                        Yes             No              No              No

¹ Equivalent permission level to a System Administrator. Has full permission to customize or administer the
environment, including creating, modifying, and assigning security roles. Can view all data in the environment - if
the user has a suitable license.
² If a security group is assigned to the environment and the user with this role is added to the security group.
See also
Environments overview
What is Power BI administration?
Create or edit a security role to manage access
10/16/2020 • 10 minutes to read

You can create new security roles to accommodate changes in your business requirements or you can edit the
privileges associated with an existing security role.
If you need to back up your security role changes, or export security roles for use in a different implementation,
you can export them as part of exporting customizations. More information: Export your customizations as a
solution

Create a security role


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Users + permissions > Security roles.
4. On the Actions toolbar, select New.
5. Set the privileges on each tab.
To change the access level for a privilege, select the symbol until you see the symbol you want. The possible
access levels depend on whether the record type is organization-owned or user-owned.

TIP
To cycle through the access levels, you can also select the privilege column heading, or select the record type multiple
times.
A set of minimum privileges is required for the new security role to be usable; see Minimum privileges for common
tasks below.

6. When you have finished configuring the security role, on the toolbar, select or tap Save and Close.

Create a security role by Copy Role


1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Users + permissions > Security roles.
4. Select the Security role you want to copy from.
5. On the Actions toolbar, select Copy Role.
6. Enter the New Role Name, and check the box for Open the new security role when copying is
complete.
7. Select OK.
8. When Copying Role is complete, navigate to each tab, such as Core Records, Business Management,
Customization, and so on.
9. Set the privileges on each tab.

TIP
To cycle through the access levels, you can also select the privilege column heading, or select the record type multiple times.
A set of minimum privileges is required for the new security role to be usable; see Minimum privileges for common
tasks below.

Edit a security role


Before you edit an existing security role, make sure that you understand the principles of data access. More
information: Controlling Data Access

NOTE
You can't edit the System Administrator security role. To create a security role similar to the System Administrator security
role, copy the System Administrator security role, and make changes to the new role.

1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Users + permissions > Security roles.
4. In the list of security roles, double-select or tap a name to open the page associated with that security role.
5. Set the privileges on each tab.
To change the access level for a privilege, select the symbol until you see the symbol you want. The possible
access levels depend on whether the record type is organization-owned or user-owned.

TIP
To cycle through the access levels, you can also select the privilege column heading, or select the record type multiple
times.
A set of minimum privileges is required for the security role to be usable; see Minimum privileges for common
tasks below.
6. When you have finished configuring the security role, on the toolbar, select or tap Save and Close.

Minimum privileges for common tasks


It's helpful to keep in mind the minimum privileges that are needed for some common tasks. This means that a
user is required to have a security role with these privileges in order to run applications.
We've created a solution you can import that provides a security role with the required minimum privileges.
Start by downloading the solution from the Download Center: Common Data Service minimum privilege security
role.
Then, follow the directions to import the solution: Import, update, and export solutions.
When you import the solution, it creates the min prv apps use role, which you can copy (see: Create a security
role by Copy Role). When Copying Role is complete, navigate to each tab (Core Records, Business Management,
Customization, and so on) and set the appropriate privileges.

IMPORTANT
You should try out the solution in a development environment before importing into a production environment.

When logging in to customer engagement apps:


Assign the min prv apps use security role or a copy of this security role to your user.
To render an entity grid (that is, to view lists of records and other data), assign the following
privileges on the Core Records tab: Read privilege on the entity, Read Saved View, Create/Read/Write
User Entity UI Settings and assign the following privilege on the Business Management tab: Read
User
When logging in to Dynamics 365 for Outlook:
To render navigation for customer engagement apps and all buttons: assign the min prv apps use
security role or a copy of this security role to your user
To render an entity grid: assign Read privilege on the entity
To render entities: assign Read privilege on the entity

Privacy notices
Licensed Dynamics 365 Online users with specific Security Roles (CEO – Business Manager, Sales Manager,
Salesperson, System Administrator, System Customizer, and Vice President of Sales) are automatically authorized
to access the service by using Dynamics 365 for phones, as well as other clients.
An administrator has full control (at the user security role or entity level) over the ability to access and the level of
authorized access associated with the phone client. Users can then access Dynamics 365 (online) by using
Dynamics 365 for phones, and Customer Data will be cached on the device running the specific client.
Based on the specific settings at the user security and entity levels, the types of Customer Data that can be
exported from Dynamics 365 (online) and cached on an end user’s device include record data, record metadata,
entity data, entity metadata, and business logic.
The Dynamics 365 for tablets and phones, and Project Finder for Dynamics 365 (the "App")
enables users to access their Microsoft Dynamics CRM or Dynamics 365 instance from their tablet and phone
device. In order to provide this service, the App processes and stores information, such as user's credentials and
the data the user processes in Microsoft Dynamics CRM or Dynamics 365. The App is provided for use only by end
users of Microsoft customers who are authorized users of Microsoft Dynamics CRM or Dynamics 365. The App
processes user's information on behalf of the applicable Microsoft customer, and Microsoft may disclose
information processed by the App at the direction of the organization that provides users access to Microsoft
Dynamics CRM or Dynamics 365. Microsoft does not use information users process via the App for any other
purpose.
If users use the App to connect to Microsoft Dynamics CRM (online) or Dynamics 365, by installing the App, users
consent to transmission of their organization's assigned ID and assigned end user ID, and device ID to Microsoft
for purposes of enabling connections across multiple devices, or improving Microsoft Dynamics CRM (online),
Dynamics 365 or the App.
Location data. If users request and enable location-based services or features in the App, the App may collect
and use precise data about their location. Precise location data can be Global Positioning System (GPS) data, as well as
data identifying nearby cell towers and Wi-Fi hotspots. The App may send location data to Microsoft Dynamics
CRM or Dynamics 365. The App may send the location data to Bing Maps and other third party mapping services,
such as Google Maps and Apple Maps, a user designated in the user's phone to process the user's location data
within the App. Users may disable location-based services or features or disable the App's access to user's location
by turning off the location service or turning off the App's access to the location service. Users' use of Bing Maps is
governed by the Bing Maps End User Terms of Use available at https://go.microsoft.com/?linkid=9710837 and the
Bing Maps Privacy Statement available at https://go.microsoft.com/fwlink/?LinkID=248686. Users' use of third
party mapping services, and any information users provide to them, is governed by their service specific end user
terms and privacy statements. Users should carefully review these other end user terms and privacy statements.
The App may include links to other Microsoft services and third party services whose privacy and security
practices may differ from those of Microsoft Dynamics CRM or Dynamics 365. IF USERS SUBMIT DATA TO OTHER
MICROSOFT SERVICES OR THIRD PARTY SERVICES, SUCH DATA IS GOVERNED BY THEIR RESPECTIVE PRIVACY
STATEMENTS. For the avoidance of doubt, data shared outside of Microsoft Dynamics CRM or Dynamics 365 is not
covered by users' Microsoft Dynamics CRM or Dynamics 365 agreement(s) or the applicable Microsoft Dynamics
Trust Center. Microsoft encourages users to review these other privacy statements.
Licensed Dynamics 365 Online users with specific Security Roles (CEO – Business Manager, Sales Manager,
Salesperson, System Administrator, System Customizer, and Vice President of Sales) are automatically authorized
to access the service by using Dynamics 365 for tablets, as well as other clients.
An administrator has full control (at the user security role or entity level) over the ability to access and the level of
authorized access associated with the tablet client. Users can then access Dynamics 365 (online) by using
Dynamics 365 for tablets, and Customer Data will be cached on the device running the specific client.
Based on the specific settings at the user security and entity levels, the types of Customer Data that can be
exported from Dynamics 365 (online) and cached on an end user’s device include record data, record metadata,
entity data, entity metadata, and business logic.
If you use Microsoft Dynamics 365 for Outlook, when you go offline, a copy of the data you are working on is
created and stored on your local computer. The data is transferred from Dynamics 365 (online) to your computer
by using a secure connection, and a link is maintained between the local copy and Dynamics 365 Online. The next
time you sign in to Dynamics 365 (online), the local data will be synchronized with Dynamics 365 (online).
An administrator determines whether or not an organization’s users are permitted to go offline with Microsoft
Dynamics 365 for Outlook by using security roles.
Users and administrators can configure which entities are downloaded via Offline Sync by using the Sync Filters
setting in the Options dialog box. Alternatively, users and Administrators can configure which fields are
downloaded (and uploaded) by using Advanced Options in the Sync Filters dialog box.
If you use Dynamics 365 (online), when you use the Sync to Outlook feature, the Dynamics 365 data you are
syncing is “exported” to Outlook. A link is maintained between the information in Outlook and the information in
Dynamics 365 (online) to ensure that the information remains current between the two. Outlook Sync downloads
only the relevant Dynamics 365 record IDs to use when a user attempts to track and set regarding an Outlook
item. The company data is not stored on the device.
An administrator determines whether your organization’s users are permitted to sync Dynamics 365 data to
Outlook by using security roles.
If you use Microsoft Dynamics 365 (online), exporting data to a static worksheet creates a local copy of the
exported data and stores it on your computer. The data is transferred from Dynamics 365 (online) to your
computer by using a secure connection, and no connection is maintained between this local copy and Dynamics
365 (online).
When you export to a dynamic worksheet or PivotTable, a link is maintained between the Excel worksheet and
Dynamics 365 (online). Every time a dynamic worksheet or PivotTable is refreshed, you’ll be authenticated with
Dynamics 365 (online) using your credentials. You’ll be able to see the data that you have permissions to view.
An administrator determines whether or not an organization’s users are permitted to export data to Excel by using
security roles.
When Dynamics 365 (online) users print Dynamics 365 data, they are effectively “exporting” that data from the
security boundary provided by Dynamics 365 (online) to a less secure environment, in this case, to a piece of
paper.
An administrator has full control (at the user security role or entity level) over the data that can be extracted.
However, after the data has been extracted it is no longer protected by the security boundary provided by
Dynamics 365 (online) and is instead controlled directly by the customer.
See also
Security concepts
Copy a security role
Save time creating a security role by copying one
10/16/2020 • 2 minutes to read

If you want to create a security role that is similar to another security role, you can copy an existing security role
and save it with a new name. You can then modify the privileges and access levels to accommodate the new
security role.

NOTE
You can't copy a security role to a different business unit.
Security role privileges are subject to change with updates and the copied security role could become out-of-date. You
should periodically check security role privileges. See Create an administrative user and prevent elevation of security role
privilege for an alternative method to assign security role privileges that will change dynamically.

1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Users + permissions > Security roles.
4. In the list of security roles, under Name, select the security role you want to copy, and then on the Actions
toolbar, select More Actions > Copy Role.
5. In the Copy Security Role dialog box, in the New Role Name text box, type in the name for the new
security role.
6. To modify the new security role after creating a copy, verify that the Open the new security role when
copying is complete check box is selected; otherwise, clear the check box.
7. Select OK.
See also
Security concepts
Security roles
Field-level security
Prevent elevation of security role privilege
Create an administrative user and prevent elevation
of security role privilege
10/16/2020 • 2 minutes to read

The copy security role method is a quick and easy way to create a new security role based on an existing set of
privileges. However, security role privileges can change with product updates, which could leave the new security
role out-of-date so that it might not function as expected. This is especially true when you want to allow a
certain group of administrative users to assign security roles to your users. We recommend that you not copy the
System Administrator security role and assign it to users, since this would allow those users to elevate an assigned
user to System Administrator. In addition, newer privileges from product updates will not be automatically
added to the copied System Administrator security role, which leaves the role with insufficient privileges to
continue to assign security roles.
The following steps describe a method to create a new custom security role with privileges that will change
dynamically with updates and therefore can continue to be used for security role assignments.
Create a new custom security role that only has access to "Security Role" entity
1. Make sure that you have the System Administrator permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Users + permissions > Security roles, and then select New.
4. Enter a role name, and then select the Business Management tab.
5. Scroll down to the Entity list and set the Security Role entity privileges as follows:

| Privilege | Setting |
|---|---|
| Create | Business Unit |
| Read | Organization |
| Write | Business Unit |
| Delete | Business Unit |
| Append | Business Unit |
| Append To | Business Unit |
| Assign | Business Unit |

6. Select Save and Close.
Assign the new security role to an administrative user
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Users.
3. Select an administrative user and then choose Manage Roles.
4. Select the new security role.
5. Select all the security roles that the administrative user can assign to other users.
6. Choose OK.

NOTE
The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) are designed to prevent any elevation of security
role privileges. Therefore, the administrative user cannot assign System Administrator, System Customizer, or any security
roles that have a higher privilege.
The above steps are for assigning roles to users who belong to the same Business Unit (BU) as the administrative user. To
assign roles to child BU users, the administrative user's privileges need to have Deep (Parent:Child Business Units) privilege
level for all the privileges of the child BU user.
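
The elevation rule in the note above, sketched as an added Python example (a simplified model written for this page, not product code): an administrative user can hand out a role only if they already hold every privilege in it at the same or a higher access level, and at Deep level or higher when the target user is in a child business unit. The Salesperson, Sales Manager and System Administrator copy roles are constructed samples; only the Security Role privileges come from the table in step 5, and the ordering of access levels is an assumption of the model.

```python
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    DEEP = 3            # Parent: Child Business Units
    ORGANIZATION = 4


# The custom role from step 5: privileges on the Security Role entity only.
ROLE_ASSIGNER = {
    ("Security Role", "Create"): Level.BUSINESS_UNIT,
    ("Security Role", "Read"): Level.ORGANIZATION,
    ("Security Role", "Write"): Level.BUSINESS_UNIT,
    ("Security Role", "Delete"): Level.BUSINESS_UNIT,
    ("Security Role", "Append"): Level.BUSINESS_UNIT,
    ("Security Role", "Append To"): Level.BUSINESS_UNIT,
    ("Security Role", "Assign"): Level.BUSINESS_UNIT,
}

# Constructed sample roles; these are not the real product role definitions.
SALESPERSON = {("Account", "Read"): Level.BUSINESS_UNIT,
               ("Account", "Write"): Level.USER}
SALESPERSON_DEEP = {("Account", "Read"): Level.DEEP,
                    ("Account", "Write"): Level.DEEP}
SALES_MANAGER = {("Account", "Read"): Level.DEEP,
                 ("Account", "Write"): Level.BUSINESS_UNIT}
SYSADMIN_COPY = {("Account", "Read"): Level.ORGANIZATION,
                 ("Account", "Write"): Level.ORGANIZATION,
                 ("Security Role", "Assign"): Level.ORGANIZATION}


def effective(roles):
    """Highest level held for each privilege across all roles of one user."""
    merged = {}
    for role in roles:
        for privilege, level in role.items():
            merged[privilege] = max(merged.get(privilege, Level.NONE), level)
    return merged


def blocked_privileges(admin_roles, target_role, child_bu=False):
    """Privileges that stop the admin from assigning target_role.

    An empty list means the assignment does not give anyone more than the
    admin already holds. Only the rules stated on the page are modelled.
    """
    held = effective(admin_roles)
    missing = []
    assign = ("Security Role", "Assign")
    if held.get(assign, Level.NONE) == Level.NONE:
        missing.append(assign)
    for privilege, level in sorted(target_role.items()):
        # Child-BU targets need Deep level for every privilege in the role.
        required = max(level, Level.DEEP) if child_bu else level
        if held.get(privilege, Level.NONE) < required:
            missing.append(privilege)
    return missing


def can_assign(admin_roles, target_role, child_bu=False):
    return not blocked_privileges(admin_roles, target_role, child_bu)
```

The last sample role shows why copying System Administroator-style roles is discouraged in this section: a user who holds such a copy passes the check for the copy itself, so they can pass it on.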

See also
Global and Service administrators can administer without a license
Troubleshooting: Common user access issues
10/16/2020 • 2 minutes to read

User access diagnostic tool in the Power Platform admin center


Several factors influence user access in a Common Data Service environment. To help administrators diagnose
user access to an environment and the reasons for access or no access, the new “Run diagnostics” feature
in the Power Platform admin center provides basic access diagnostics for individual users in the environment. The
feature helps to detect potential causes of user sign-in and other issues and suggests potential mitigations. For
more information, see: Diagnose user access in an environment.

User has no roles


When an error screen stating the user has no roles is encountered, a system administrator will need to assign roles
to the user. Roles can be assigned directly to the user, or to a group team that the user is a part of. For information
on how to assign Common Data Service security roles to a user, see: Assign a security role to a user

User does not have a license / user does not belong to the organization
1. Verify if a license has been assigned to the user and assign one if not already. See: Add a license to a user
account.
2. Once a license is assigned, it may take some time for the license change to sync to the Common Data Service
environment. To trigger a sync for this user, the system administrator for the environment can re-add the user to
the environment. See: Add users to an environment that has a Common Data Service database.

User is not a member of the environment’s security group


1. As a system administrator of the environment, verify that the Common Data Service environment is associated
with any Azure Active Directory group. See: Associate a security group with a Common Data Service
environment.
2. Ensure the user with the access issue is a member of the group associated with the environment. See: Create a
security group and add members to the security group.
3. Once user membership in the environment’s group is updated, it may take some time for the change to sync to
the Common Data Service environment. To trigger a sync for this user, the system administrator for the
environment can re-add the user to the environment. See: Add users to an environment that has a Common
Data Service database.

User doesn’t have sufficient permissions


You don't have sufficient permissions to access customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation). A system administrator will need to do the following:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Users.
3. Open the user record.
4. Select More Commands ( ) > Manage Roles.
5. Make note of the role assigned to the user. If appropriate, select a different security role. Close the Manage
User Roles dialog box.
6. Select Security > Security Roles.
7. Select the security role from step 4.
8. Select Core Records.
9. Confirm that the Read permission for User Entity UI Settings is set to the User level (a yellow circle with a
wedge-shaped segment).
If the security role is missing this permission, the system administrator will need to change this setting by
clicking or tapping on it.
Assign security roles to a form to more finely control
access
10/16/2020 • 2 minutes to read

Control form and field access by assigning different security roles to different forms you create.
More information: Security concepts
1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. Go to Settings > Customizations.
3. Choose Customize the System.
4. Enable security roles.
a. Under Components, expand Entities, and then expand the entity you want.
b. Choose Forms. In the list, choose a form to edit it if it has a form type of Main.
c. On the Home tab, in the Form group, choose Enable Security Roles.
5. Assign security roles.
a. In the Assign Security Roles dialog box, select the security roles to which this form will be available.
b. To make this the fallback form, select the Enabled for fallback check box.
At least one form per entity must be a fallback form (the form that is displayed to a user when no
other form is available for that user's security role).
c. Choose OK.
6. Preview the main form.
a. On the Home tab, choose Preview, and then select Create Form, Update Form, or Read-Only
Form.
b. To close the Preview form, on the File menu, choose Close.
7. When you're ready to save your data, choose Save and Close.
8. Publish your customization.
To publish just the edited component, choose Save > Publish on the Home tab.
To publish all unpublished components at one time, choose Publish All Customizations.
NOTE
Installing a solution or publishing customizations can interfere with normal system operation. We recommend that you
schedule a solution import when it’s least disruptive to users.
Manage user account synchronization
10/16/2020 • 2 minutes to read

Because user identities are provisioned through Microsoft Online Services, you have multiple options for
managing user synchronization between your online and on-premises environments.

Decide on a user management approach


You can choose from three main identity models in Microsoft 365 when you set up and manage user accounts:
1. Cloud identity. Manage your user accounts in Microsoft 365 only. No on-premises servers are required to
manage users; it's all done in the cloud.
2. Synchronized identity. Synchronize on-premises directory objects with Microsoft 365 and manage your
users on-premises. You can also synchronize passwords so that the users have the same password on-premises
and in the cloud, but they will have to sign in again to use Microsoft 365.
3. Federated identity. Synchronize on-premises directory objects with Microsoft 365 and manage your
users on-premises. The users have the same password on-premises and in the cloud, and they do not have
to sign in again to use Microsoft 365. This is often referred to as single sign-on.
It’s important to carefully consider which identity model to use to get up and running. Think about time, existing
complexity, and cost. These factors are different for every organization. Your choice is based largely on the size of
your company and the depth and breadth of your IT resources.
Review the following resources to equip you to make the right decision for your company:
Microsoft 365 identity models and Azure Active Directory
What is Azure AD Connect?
Microsoft 365 integration with on-premises environments

Tip for admins: provide a single sign-on organization URL for your users
If you’ve deployed synchronization with single sign-on (option 3 above), you can provide a URL to your users that
takes advantage of your company’s Active Directory and simplifies the sign-in experience.
The URL follows this pattern:
https://<yourCRMOrganizationName>.crm.dynamics.com?whr=<yourFederationServiceIdentifier>
You can get the <yourCRMOrganizationName> by looking at the URL you use to access environments. For
example, in https://contoso.crm.dynamics.com, contoso is <yourCRMOrganizationName>.
IMPORTANT
The following URLs would be used for subscriptions hosted in these locations.
LATAM/SAM: https://<yourCRMorganizationname>.crm2.dynamics.com?whr=<yourFederationServiceIdentifier>
CAN: https://<yourCRMorganizationname>.crm3.dynamics.com?whr=<yourFederationServiceIdentifier>
EMEA: https://<yourCRMorganizationname>.crm4.dynamics.com?whr=<yourFederationServiceIdentifier>
APAC: https://<yourCRMorganizationname>.crm5.dynamics.com?whr=<yourFederationServiceIdentifier>
OCE: https://<yourCRMorganizationname>.crm6.dynamics.com?whr=<yourFederationServiceIdentifier>
JPN: https://<yourCRMorganizationname>.crm7.dynamics.com?whr=<yourFederationServiceIdentifier>
IND: https://<yourCRMorganizationname>.crm8.dynamics.com?whr=<yourFederationServiceIdentifier>
United States of America Government: https://<yourCRMorganizationname>.crm9.dynamics.com?whr=<yourFederationServiceIdentifier>
UK: https://<yourCRMorganizationname>.crm11.dynamics.com?whr=<yourFederationServiceIdentifier>
FRA: https://<yourCRMorganizationname>.crm12.dynamics.com?whr=<yourFederationServiceIdentifier>
DEU: https://<yourCRMorganizationname>.crm.microsoftdynamics.de?whr=<yourFederationServiceIdentifier>

You can get the Federation Service identifier for your organization by using the following steps:
1. On the server that is running AD FS 2.0, click or tap Start > Administrative Tools > AD FS 2.0
Management.
2. In the console tree, right-click or tap AD FS 2.0, and then click or tap Edit Federation Service
Properties.
3. Select the General tab.
Make note of your Federation Service identifier. For example: http://sts1.fabrikam.com/adfs/services/trust
Your URL should look like: https://contoso.crm.dynamics.com?whr=http://sts1.fabrikam.com/adfs/services/trust
Send this URL to your users and encourage them to bookmark it.
Hierarchy security to control access
10/16/2020 • 10 minutes to read

The hierarchy security model is an extension to the existing security models that use business units, security roles,
sharing, and teams. It can be used in conjunction with all other existing security models. The hierarchy security
offers a more granular access to records for an organization and helps to bring the maintenance costs down. For
example, in complex scenarios, you can start with creating several business units and then add the hierarchy
security. This achieves more granular access to data with far lower maintenance costs than a large number of
business units may require.

Manager hierarchy and Position hierarchy security models


Two security models can be used for hierarchies, the Manager hierarchy and the Position hierarchy. With the
Manager hierarchy, a manager must be within the same business unit as the report, or in the parent business unit
of the report’s business unit, to have access to the report’s data. The Position hierarchy allows data access across
business units. If you are a financial organization, you may prefer the Manager hierarchy model, to prevent
managers’ accessing data outside of their business units. However, if you are a part of a customer service
organization and want the managers to access service cases handled in different business units, the Position
hierarchy may work better for you.

NOTE
While the hierarchy security model provides a certain level of access to data, additional access can be obtained by using
other forms of security, such as security roles.

Manager hierarchy
The Manager hierarchy security model is based on the management chain or direct reporting structure, where the
manager’s and the report’s relationship is established by using the Manager field on the system user entity. With
this security model, the managers are able to access the data that their reports have access to. They are able to
perform work on behalf of their direct reports or access information that needs approval.

NOTE
With the Manager hierarchy security model, a manager has access to the records owned by the user or by the team that a
user is a member of, and to the records that are directly shared with the user or the team that a user is a member of. When a
record is shared by a user who is outside of the management chain to a direct report user with Read-only access, the direct
report's manager only has Read-only access to the shared record.
In addition to the Manager hierarchy security model, a manager must have at least the user level Read privilege on an entity,
to see the reports’ data. For example, if a manager doesn’t have the Read access to the Case entity, the manager won’t be
able to see the cases that their reports have access to.
In order for the manager to see all the direct report's records, the direct report user must have an 'enabled' user status.
The manager will not be able to see a 'disabled' user's records.

For a non-direct report in the same management chain of the manager, a manager has the Read-only access to the
non-direct report’s data. For a direct report, the manager has the Read, Write, Update, Append, AppendTo access to
the report’s data. To illustrate the Manager hierarchy security model, let’s take a look at the diagram below. The
CEO can read or update the VP of Sales data and the VP of Service data. However, the CEO can only read the Sales
Manager data and the Service Manager data, as well as the Sales and Support data. You can further limit the
amount of data accessible by a manager with “Depth”. Depth is used to limit how many levels deep a manager has
Read-only access to the data of their reports. For example, if the depth is set to 2, the CEO can see the data of the
VP of Sales, VP of Service and Sales and Service Managers. However, the CEO doesn’t see the Sales data or the
Support data.

It is important to note that if a direct report has deeper security access to an entity than their manager, the
manager may not be able to see all the records that the direct report has access to. The following example illustrates
this point.
A single business unit has three users: User 1, User 2 and User 3.
User 2 is a direct report of User 1.
User 1 and User 3 have User level read access on the Account entity. This access level gives users access to
records they own, the records that are shared with the user, and records that are shared with the team the
user is a member of.
User 2 has Business Unit read access on the Account entity. This allows User 2 to view all of the accounts for
the business unit, including all of the accounts owned by User 1 and User 3.
User 1, as a direct manager of User 2, has access to the accounts owned by or shared with User 2, and any
accounts that are shared with or owned by a team that User 2 is a member of. However, User 1 doesn’t have
access to the accounts of User 3, even though his or her direct report may have access to User 3 accounts.
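The Manager hierarchy rules above can be modelled in a few lines. This is an added example, not Microsoft's code or part of the product: the class and function names are hypothetical, team ownership is left out, and it assumes a user holds all five listed rights on records they own.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

FULL = frozenset({"Read", "Write", "Update", "Append", "AppendTo"})
READ_ONLY = frozenset({"Read"})


@dataclass
class User:
    manager: Optional[str] = None      # Manager field on the system user record
    enabled: bool = True               # user status
    read_entities: Set[str] = field(default_factory=set)  # at least user-level Read


@dataclass
class Record:
    entity: str
    owner: str
    shared_with: Dict[str, FrozenSet[str]] = field(default_factory=dict)


def levels_below(users, manager, report):
    """Reporting levels from manager down to report, or None if not in the chain."""
    level, current, seen = 0, report, set()
    while current is not None and current not in seen:   # 'seen' guards against cycles
        seen.add(current)
        current = users[current].manager
        level += 1
        if current == manager:
            return level
    return None


def hierarchy_rights(users, manager, record, depth):
    """Rights that the Manager hierarchy alone gives `manager` on `record`."""
    if record.entity not in users[manager].read_entities:
        return frozenset()             # manager lacks Read privilege on the entity
    holders = dict(record.shared_with)
    holders[record.owner] = FULL       # assumption: owners hold all five rights
    rights = set()
    for name, held in holders.items():
        user = users.get(name)
        if user is None or not user.enabled:
            continue                   # records of disabled users are not visible
        level = levels_below(users, manager, name)
        if level is None or level > depth:
            continue                   # outside the chain, or deeper than Depth
        cap = FULL if level == 1 else READ_ONLY   # direct vs. non-direct report
        rights |= cap & held           # a Read-only share stays Read-only
    return frozenset(rights)


# Constructed sample data: the organization from the diagram description.
ACCT = {"account"}
ORG = {
    "CEO": User(read_entities=ACCT),
    "VP of Sales": User("CEO", read_entities=ACCT),
    "VP of Service": User("CEO", read_entities=ACCT),
    "Sales Manager": User("VP of Sales", read_entities=ACCT),
    "Service Manager": User("VP of Service", read_entities=ACCT),
    "Sales": User("Sales Manager", read_entities=ACCT),
    "Support": User("Service Manager", read_entities=ACCT),
}
# Constructed sample data: the three-user business unit example.
UNIT = {
    "User 1": User(read_entities=ACCT),
    "User 2": User("User 1", read_entities=ACCT),
    "User 3": User(read_entities=ACCT),
}

if __name__ == "__main__":
    for depth in (2, 3):
        for owner in ("VP of Sales", "Sales Manager", "Sales"):
            got = hierarchy_rights(ORG, "CEO", Record("account", owner), depth)
            print(f"depth={depth} CEO on {owner}'s account: {sorted(got) or 'no access'}")
    # User 2 can read User 3's accounts through a role, but User 1 gains nothing from that.
    print(sorted(hierarchy_rights(UNIT, "User 1", Record("account", "User 3"), 3)))
```

The last call returns no rights because access that User 2 holds through a security role, rather than through ownership or sharing, is never passed up the hierarchy.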

Position hierarchy
The Position hierarchy is not based on the direct reporting structure, like the Manager hierarchy. A user doesn’t
have to be an actual manager of another user to access user’s data. As an administrator, you will define various job
positions in the organization and arrange them in the Position hierarchy. Then, you add users to any given position,
or, as we also say, “tag” a user with a particular position. A user can be tagged only with one position in a given
hierarchy, however, a position can be used for multiple users. Users at the higher positions in the hierarchy have
access to the data of the users at the lower positions, in the direct ancestor path. The direct higher positions have
Read, Write, Update, Append, AppendTo access to the lower positions’ data in the direct ancestor path. The non-direct
higher positions have Read-only access to the lower positions’ data in the direct ancestor path.
To illustrate the concept of the direct ancestor path, let’s look at the diagram below. The Sales Manager position has
access to the Sales data, however, it doesn’t have access to the Support data, which is in the different ancestor path.
The same is true for the Service Manager position. It doesn’t have access to the Sales data, which is in the Sales
path. Like in the Manager hierarchy, you can limit the amount of data accessible by higher positions with “Depth”.
The depth limits how many levels deep a higher position has Read-only access to the data of the lower
positions in the direct ancestor path. For example, if the depth is set to 3, the CEO position can see the data all the
way down from the VP of Sales and VP of Service positions, to the Sales and Support positions.

NOTE
With the Position hierarchy security, a user at a higher position has access to the records owned by a lower position user or
by the team that a user is a member of, and to the records that are directly shared to the user or the team that a user is a
member of.
In addition to the Position hierarchy security model, the users at a higher level must have at least the user level Read
privilege on an entity to see the records that the users at the lower positions have access to. For example, if a user at a
higher level doesn’t have the Read access to the Case entity, that user won’t be able to see the cases that the users at
lower positions have access to.
In order for the user at the higher position to see all the lower position user's records, the lower position user must have an
'enabled' user status. The higher position user will not be able to see the 'disabled' lower position user's records.

Set up hierarchy security


These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Users + Permissions > Hierarchy security.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
The hierarchy security is disabled by default. To enable:
1. Select an environment and go to Settings > Users + Permissions > Hierarchy security.
2. Under Turn on Hierarchy Modelling, select Enable Hierarchy Modeling.

IMPORTANT
To make any changes in Hierarchy security, you must have the Change Hierarchy Security Settings privilege.

After you have enabled the hierarchy modeling, choose the specific model by selecting Manager Hierarchy
or Custom Position Hierarchy. All system entities are enabled for hierarchy security out of the box, but you can
exclude selected entities from the hierarchy. The Hierarchy Security window is shown below:

Set the Depth to a desired value to limit how many levels deep a manager has Read-only access to the data of
their reports. For example, if the depth equals 2, a manager can only access his or her accounts and the accounts
of the reports two levels deep. In our example, if you log in to customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation) not as an Administrator, who can see all accounts, but as the VP of Sales, you’ll only be able
to see the active accounts of the users shown in the red rectangle, as illustrated below:

NOTE
While the hierarchy security grants the VP of Sales access to the records in the red rectangle, additional access can be
available based on the security role that the VP of Sales has.
Set up Manager and Position hierarchies
The Manager hierarchy is easily created by using the manager relationship on the system user record. You use the
Manager (ParentsystemuserID) lookup field to specify the manager of the user. If you have already created the
Position hierarchy, you can also tag the user with a particular position in the Position hierarchy. In the following
example, the sales person reports to the sales manager in the Manager hierarchy and also has the Sales position in
the Position hierarchy:

To add a user to a particular position in the Position hierarchy, use the lookup field called Position on the user
record’s form, as shown below:

IMPORTANT
To add a user to a position or change the user’s position, you must have the Assign position for a user privilege.

To change the position on the user record’s form, on the nav bar, choose More (…) and choose a different position,
as shown below:
To create a Position hierarchy:
1. Select an environment and go to Settings > Users + Permissions > Positions.
For each position, provide the name of the position, the parent of the position, and the description. Add
users to this position by using the lookup field called Users in this position. Below is an example of a
Position hierarchy with the active positions.

The example of the enabled users with their corresponding positions is shown below:

Performance considerations
To boost the performance, we recommend:
Keep the effective hierarchy security to 50 users or less under a manager/position. Your hierarchy may have
more than 50 users under a manager/position, but you can use the Depth setting to reduce the number of
levels for Read-only access and thereby limit the effective number of users under a manager/position to 50
users or less.
Use hierarchy security models in conjunction with other existing security models for more complex
scenarios. Avoid creating a large number of business units, instead, create fewer business units and add
hierarchy security.
See also
Security in Common Data Service
Query and visualize hierarchical data
Add or remove sales territory members
10/16/2020 • 2 minutes to read

To accommodate changes in sales territories or the representatives that are assigned to each territory, you can add
or remove territory members.
1. Go to Settings > Business Management.
2. Choose Sales Territories.
3. In the list of territories, under Territory Name, double-click or tap the entry for the territory you want to
add people to or remove people from.
4. In the Navigation Pane, expand Common if necessary, and then choose Members.
5. Follow the steps for the task you're performing:
Add people to a sales territory
a. On the ribbon, choose Add Members, view the text in the Message from webpage dialog box, and
then choose OK to close the dialog box.
b. In the Look Up Records dialog box, in the Search text box, type in the name or a part of the name
of the user you want to add to the sales territory, and then choose the Start search icon.
c. In the list of records, select the people you want to add to the sales territory, and then tap or click
Add.
Remove people from a sales territory
a. In the list of members, select the people you want to remove from the sales territory, and then on the
ribbon, choose Remove Members.
b. In the Remove Members dialog box, choose Remove.

NOTE
When you remove someone from a sales territory, the updated list of members isn't displayed until you
refresh the page.

See also
Manage users
Security enhancements: User session and access management
10/16/2020 • 4 minutes to read

You can use security enhancements to better secure the customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation).

User session timeout management


The maximum user session timeout of 24 hours is removed. This means that a user is not forced to log in with their
credentials every 24 hours to use the customer engagement apps and other Microsoft service apps like Outlook
that were opened in the same browser session.
Honor Azure AD session policy
By default, the customer engagement apps leverage the Azure Active Directory (Azure AD) session policy to
manage the user session timeout. Customer engagement apps use the Azure AD ID Token with Policy Check
Interval (PCI) claims. Every hour a new Azure AD ID Token is fetched silently in the background and the Azure AD
instant policy is enforced (by Azure AD). For example, if an administrator disables or deletes a user account, blocks
the user from signing in, and an administrator or user revokes the refresh token, the Azure AD session policy is
enforced.
This Azure AD ID token refresh cycle continues in the background based on the Azure AD token lifetime policy
configurations. Users continue to access the customer engagement apps/Common Data Service data without
needing to re-authenticate until the Azure AD token lifetime policy expires.

NOTE
The default Azure AD refresh token expiration is 90 days. The token lifetime properties can be configured. For detailed
information, see Configurable token lifetimes in Azure Active Directory.
The Azure AD session policy is bypassed and the maximum user session duration is reverted back to 24 hours in the
following scenarios:
In a browser session, you went to the Power Platform admin center and opened an environment by manually
keying in the environment URL (either on the same browser tab or a new browser tab).
To work around the policy bypass and maximum 24 hour user session, open the environment from the Power
Platform admin center environments tab by selecting the Open link.
In the same browser session, open a version 9.1.0.3647 or higher environment and then open an environment
with a version earlier than 9.1.0.3647.
To work around the policy bypass and user duration change, open the second environment in a separate browser
session.
To determine your version, sign in to customer engagement apps, and in the upper-right side of the screen, select the
Settings button > About.

Resilience to Azure AD outages


In the event of intermittent Azure AD outages, authenticated users can continue to access the customer
engagement apps/Common Data Service data if the PCI claims have not expired or the user has opted in to 'Stay
signed in' during authentication.
Set Custom Session timeout for individual environment
For environments that require different session timeout values, administrators can continue to set the session
timeout and/or inactivity timeout in the System Settings. These settings override the default Azure AD session
policy and users will be directed to Azure AD for re-authentication when these settings expire.
To change this behavior
To force users to re-authenticate after a pre-determined period of time, admins can set a session timeout for
their individual environments. Users can only remain signed in to the application for the duration of the session. The
application signs out the user when the session expires. Users need to sign in with their credentials to return to
customer engagement apps.

NOTE
User session timeout is not enforced in the following:
1. Dynamics 365 for Outlook
2. Dynamics 365 for phones and Dynamics 365 for tablets
3. Unified Service Desk client using WPF browser (Internet Explorer is supported)
4. Live Assist (Chat)

Configure session timeout


1. In the Power Platform admin center, select an environment.
2. Select Settings > Product > Privacy + Security.
3. Set Session Expiration and Inactivity timeout. These settings apply to all users.

NOTE
Default values are:
Maximum Session Length: 1440 minutes
Minimum Session Length: 60 minutes
How long before session expires before showing timeout warning: 20 minutes

The updated settings will be effective the next time the user signs in to the application.

Inactivity timeout
By default, customer engagement apps do not enforce an inactivity session timeout. A user can remain logged in to
the application until the session timeout expires. You can change this behavior.
To force users to be automatically signed out after a pre-determined period of inactivity, admins can set an
inactivity timeout period for each of their environments. The application signs out the user when the inactivity
session expires.

NOTE
Inactivity session timeout is not enforced in the following:
1. Dynamics 365 for Outlook
2. Dynamics 365 for phones and Dynamics 365 for tablets
3. Unified Service Desk client using WPF browser (Internet Explorer is supported)
4. Live Assist (Chat)
To enforce the inactivity session timeout for Web Resources, Web Resources need to include the
ClientGlobalContext.js.aspx file in their solution.
The Dynamics 365 portal has its own settings to manage its session timeout and inactivity session timeout
independent of these system settings.

Configure inactivity timeout


1. In the Power Platform admin center, select an environment.
2. Select Settings > Product > Privacy + Security.
3. Set Session Expiration and Inactivity timeout. These settings apply to all users.

NOTE
Default values are:
Minimum Duration of Inactivity: 5 minutes
Maximum Duration of Inactivity: less than Maximum Session length or 1440 minutes

The updated settings will be effective the next time the user signs in to the application.

Access management
Customer engagement apps use Azure Active Directory as the identity provider. To secure the user's access to
customer engagement apps, the following were implemented:
To force users to re-authenticate, users are required to sign in with their credentials after they sign out
within the application.
To prevent users from sharing credentials to access customer engagement apps, the user access token is
validated to ensure that the user who was given access by the identity provider is the same user who is
accessing customer engagement apps.
Block access by location with Azure AD Conditional Access
10/16/2020 • 2 minutes to read

You can use block access by location to limit user access and reduce unauthorized access. When block access by
location restrictions are set in a user’s profile and the user tries to log in from a blocked location, access to
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) is blocked.
Requirements
A subscription to Azure Active Directory Premium.
A federated Azure Active Directory tenant. See What is Conditional Access?

Additional security considerations


Block access is only enforced during user authentication. This is done by the Azure Active Directory Conditional
Access capability. Customer engagement apps set a session timeout limit to balance protecting user data and the
number of times users are prompted for their sign-in credentials. Block access for devices (including laptops) is not
applied until the session timeout expires.
For example, block access is set up to only allow access to customer engagement apps when users are working
from a corporate office. When a user signs in to customer engagement apps using their laptop from their office
and establishes a session, the user can continue to access customer engagement apps after leaving the office until
the session timeout expires. This behavior also applies to mobile and offsite connections such as: Dynamics 365 for
Phones and Tablets, and Dynamics 365 App for Outlook.
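To see how large that window is for a given Session Expiration and Inactivity timeout, the added example below (not Microsoft's code) replays a constructed request log and separates offsite requests that an existing session still served from sign-ins that the location policy blocked. The log format, the IP ranges and the function name are assumptions; location is checked only when the user has to authenticate, as described above.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed named location: the corporate office range (documentation address space).
OFFICE = [ip_network("203.0.113.0/24")]

# Constructed request log for one user: (timestamp, source IP).
REQUESTS = [
    ("2020-10-16 09:00", "203.0.113.10"),   # signs in at the office
    ("2020-10-16 12:30", "203.0.113.10"),
    ("2020-10-16 18:45", "198.51.100.7"),   # laptop taken home
    ("2020-10-16 19:10", "198.51.100.7"),
    ("2020-10-17 08:30", "198.51.100.7"),
    ("2020-10-17 09:30", "198.51.100.7"),
]


def replay(requests, session_minutes=1440, inactivity_minutes=None, allowed=OFFICE):
    """Return (offsite requests served by an existing session, sign-ins blocked by location)."""
    session_start = last_seen = None
    served_offsite, blocked = [], []
    for stamp, ip in requests:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        inside = any(ip_address(ip) in net for net in allowed)

        # A session is usable until Session Expiration, and, if an inactivity
        # timeout is set, only while the gap since the last request is within it.
        live = (session_start is not None
                and ts < session_start + timedelta(minutes=session_minutes))
        if live and inactivity_minutes is not None:
            live = ts - last_seen <= timedelta(minutes=inactivity_minutes)

        if not live:
            # The user must authenticate again; only here is location evaluated.
            if not inside:
                session_start = None
                blocked.append(stamp)
                continue
            session_start = ts
        elif not inside:
            served_offsite.append(stamp)     # the exposure window
        last_seen = ts
    return served_offsite, blocked


if __name__ == "__main__":
    for label, kwargs in [
        ("default 1440-minute session", {}),
        ("60-minute session", {"session_minutes": 60}),
        ("1440-minute session, 480-minute inactivity", {"inactivity_minutes": 480}),
    ]:
        served, blocked = replay(REQUESTS, **kwargs)
        print(f"{label}: {len(served)} offsite requests served, {len(blocked)} sign-ins blocked")
```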

Create a security group (optional)


You can block access to all users or groups of users. It's more efficient to restrict by a group if only a subset of your
Azure Active Directory (Azure AD) users are accessing customer engagement apps.
For information, see: Create a basic group and add members using Azure Active Directory.

Create a block access by location


Block access by location is set using Azure Active Directory (AD) Conditional Access. For the cloud app, select
Common Data Service to control access to customer engagement apps (such as Dynamics 365 Sales and
Customer Service).

NOTE
Setting Conditional Access is only available with an Azure Active Directory Premium license. Upgrade your Azure AD to a
Premium license in the Microsoft 365 admin center (https://admin.microsoft.com > Billing > Purchase services).

To create a block access by location for your users:


1. Create a Named location. See Define locations.
2. Create a Conditional Access policy. See Create a Conditional Access policy.
For step 6, under Cloud apps or actions, select the Common Data Service application.

See also
How to set Azure Active Directory device-based conditional access policy for access control to Azure Active
Directory connected applications
Invite users with Azure Active Directory B2B collaboration
10/16/2020 • 4 minutes to read

You can invite other users to access your environment. The Microsoft 365 Global admin can do this through the
Azure portal. Invited users can access your environment using their own login credentials once a license and a
security role are assigned to them. You don’t need to create a new user account and temporary password for these
invited users in your own Microsoft 365 tenant.

Requirements
To send business-to-business (B2B) user invitations, you must have an Azure Active Directory Global admin
role.
To bulk-invite users, get the latest Azure Active Directory PowerShell, which can be downloaded from the
PowerShell module's release page.

Incompatibilities
The following features are not supported for B2B invited users.
1. Unified Service Desk client
Invited users will not be able to use the Unified Service Desk client to log into the host tenant’s environment.
2. Dynamics 365 App for Outlook
Invited users will not be able to use their own tenant email addresses when performing email related
transactions in the host environment. Server-side synchronization of invited users’ incoming and outgoing
emails is not supported as there can be complications, especially for invited users who are already syncing
their emails in their own tenant.
3. Invited users cannot perform email activity using their own email address. The customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365
Marketing, and Dynamics 365 Project Service Automation) only synchronize incoming and outgoing emails
from Microsoft Exchange Online that is hosted in the same Microsoft 365 tenant.
4. Microsoft 365 Groups
Microsoft 365 Groups connects a group to customer engagement apps. Data (including new conversations
and documents) are stored in the Exchange and/or SharePoint system. Since invited users belong to a
different Microsoft 365 tenant, the invited users do not have permission to create Microsoft 365 Groups in
the invited-to Microsoft 365 tenant. However, they can participate in the Microsoft 365 Groups
conversations as a guest in their Outlook Inbox, but not within customer engagement apps.

Invite a user
You can add users through Azure Active Directory B2B user collaboration. Global admins and limited admins can
use the Azure portal to invite B2B collaboration users to the directory, to any security group, or to any application.
Admins can use one of the following methods to invite B2B users to their environment:
1. Invite users to your environment that has a security group.
See Admins adding guest users to a group.
See Control user access to environments: security groups and licenses on how to use security groups
for your environments.
2. Invite users to your environment that does not have a security group.
See Admins adding guest users to the directory.
3. Bulk-invite guest users using a .csv file.
See PowerShell example.
Your invited user will receive an email invitation to get started with B2B user collaboration.

When your user accepts the invitation by clicking on the Get Started link in the invitation email, they will
be prompted to accept the invitation.

NOTE
Until you add a license to the user account, the user will not have access to customer engagement apps. Follow the steps
below to add a license through the Azure portal.

Update user’s name and usage location


To assign a license, the invited user’s Usage location must be specified. Admins can update the invited user’s
profile on the Azure portal.
1. Go to Azure Active Directory > Users and groups > All users. If you don't see the newly created user,
refresh the page.
2. Click on the invited user, and then click Profile.
3. Update First name, Last name, and Usage location.

4. Click Save, and then close the Profile blade.

Assign invited users a license and security role


Assign your invited users a license and security role so the user can use customer engagement apps.
1. Go to Azure Active Directory > Users and groups > All users. If you don't see the newly created user,
refresh the page.
2. Click on the invited user, and then click Licenses.
3. Click Assign.
4. Click Configure required settings.
5. Select the product to license.

6. Click Select, and then click Assign.


Next, assign the invited users with appropriate security roles for the environment so they can access it. See
Create users and assign security roles.

Approve email or enable mailbox (not supported)


Because server-side synchronization is not supported, System admins cannot approve an invited email address or
mailbox: emails cannot be synced from the invited user’s Microsoft Exchange.

Notify your invited users


To complete the user invitation, notify your invited users and provide them with the URL for the environment they
are invited to (for example, https://contoso.crm.dynamics.com).
See also
Azure AD B2B Collaboration is Generally Available!
Azure Active Directory B2B collaboration code and PowerShell samples
Azure Active Directory B2B collaboration frequently-asked questions (FAQ)
Azure Active Directory B2B Collaboration
Azure AD B2B: New updates make cross-business collab easy
Common Data Service analytics
10/16/2020 • 12 minutes to read

We've improved how you view metrics for your organization. You no longer need to install or update a solution.
Instead, you can view Common Data Service analytics right from the Power Platform admin center to quickly view
adoption and user metrics for your organization.
To access these reports:
1. Go to the navigation bar on the left side.
2. Select Analytics.
3. Select Common Data Service.
4. View the reports on the right side.

Who can view these reports?


Admins with the following roles and a license can view the reports in Common Data Service analytics:
Environment Admin - can view reports for the environments that the admin has access to.
Power Platform admin – can view reports for all environments.
Dynamics 365 admin - can view reports for all environments.
Microsoft 365 Global admin – can view reports for all environments.
For more information on the different roles for managing your tenant across the platform, see Use service admin
roles to manage your tenant.
Key highlights
Deprecating the solution: Organization Insights, available as a preferred solution from AppSource, will
no longer be supported or available for use in future releases.
Deprecating Organization Insights dashboard: This dashboard will be removed from Common Data
Service in future releases.
Monitor adoption and use: Identify your most active users, the number and types of operations they're
performing, number of pages requests, most-used entities, workflows, plug-ins, and more, over a period of
time as you work toward your adoption goals.
Manage storage and performance: Monitor storage quotas, storage use, and top tables by size to
optimize performance.
Troubleshoot effectively: Drill down into the details of your top failing workflows and API calls to quickly
diagnose and troubleshoot errors.

Home (default)
About this dashboard
This is the default dashboard that provides information on the number of active Common Data Service users,
storage usage, the most active workflows, and more.
What's included in this dashboard
Chart element: Description

Active Users: Number of active users (unique users) who performed an operation that caused one of these SDK
calls: Retrieve, Retrieve Multiple, Delete, Create, and Update.

API Calls: Number of API calls that were made by the Common Data Service environment for the selected time
period.

API Pass Rate: This chart shows the API pass rate as percentage of total API calls that were made in the Common
Data Service environment over the specified time.

Executions: This chart shows how many plug-ins have been executed in the Common Data Service environment
over the specified time.

Total Operations: This chart shows how many operations (create, update, deletes, reads) have occurred in the
Common Data Service environment over the specified time.

Most Active Users Performing Operations: List of most active users who performed an operation that caused a
Create, Update, Read, or Delete SDK call in the Dynamics 365 environment over the selected time period.

Top Plug-ins by Failures: This chart shows the top 10 most failing plug-ins in the Common Data Service
environment over the specified time.

Active Users
About this dashboard
Use this dashboard to find out how many Dynamics 365 users there are, how many licenses are in use, what
custom entities are used most frequently, and more.
What's included in this dashboard
Chart element: Description

Total Active Users: Total number of active users (unique users) who performed an operation that caused one of
these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update.

Most Used Entities: Ten Entities which had the most Retrieve, Retrieve Multiple, Delete, Create, and Update SDK
Calls.

Total Page Requests: The number of page load requests for forms, dashboards, and reports. This is the count of
requests received by the Dynamics 365 server. Pages that are cached while browsing won't be counted.

Total Operations: This chart shows how many operations (create, update, deletes, reads) have occurred in the
Common Data Service environment for the selected time period.

Active Users Performing Specific Operations: Total number of active users (unique users) over time who
performed an operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and
Update.

Active Users: Number of active users (unique users) in your environment who performed an operation that
caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update over time.

Most Active Users Performing Operations: List of most active users (unique users) over time who performed an
operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update.

Most Used Custom Entities: List of custom entities which had the most Retrieve, Retrieve Multiple, Delete, Create,
and Update SDK Calls.

Most Used OOB Entities: List of out-of-box entities which had the most Retrieve, Retrieve Multiple, Delete, Create,
and Update SDK Calls.

Usage

Active Users by OS: The number of active users by operating system.

Active Users by Device Type: The number of active users by device type.

Active Users by Browser: The number of active users by browser.

Active Users by Security Roles: The number of active users by security roles.

Users by Business Unit: The number of active users by business unit.

Number of Creates by Entity: How many create operations are performed by the selected user in the Common
Data Service environment for the selected time period.

Number of Updates by Entity: How many update operations are performed on different entities by the selected
user in the Common Data Service environment for the selected time period.

Number of Reads by Entity: How many read operations are performed on different entities by the selected user in
the Common Data Service environment for the selected time period.

Number of Deletes by Entity: How many delete operations are performed on different entities by the selected
user in the Common Data Service environment for the selected time period.

Total Operations Over Time: The total operations performed by the selected user in the Common Data Service
environment over the selected time period.

Total Operations by Entity: The total operations performed on different entities by the selected user in the
Common Data Service environment for the selected time period.

Active Users by Entities: Show the active users distributed over different entities

Active Users by Client: The active users distributed by client type

Active Users Using More than One Client: The number of active users using more than one client, distributed
over different client combinations

NOTE
Retrieve and RetrieveMultiple SDK calls are reported as Reads.

Update frequency
Active usage chart data is updated as follows.

Chart: Update frequency

Total Active Users: 24 hours

Most Used Entities: 24 hours

Most Active Users (Reads): 24 hours

Total API Calls: 24 hours

Total Page Requests: 24 hours

Most Active Users (Changes): 24 hours

Total Operations: 24 hours

Active Users Performing Specific Operations: 24 hours

Active Users: 24 hours

Most Active Users Performing Operations: 24 hours

Most Used Custom Entities: 24 hours

Most Used OOB Entities: 24 hours

System Jobs
About this dashboard
Use this dashboard to monitor and troubleshoot workflows.
What's included in this dashboard
Chart element: Description

Workflow Executions: This chart shows how many workflows have been executed in the Common Data Service environment over the specified time.
System Jobs Pass Rate: This chart shows the system job's pass rate as percentage of system jobs that were executed in the Common Data Service environment over the specified time.
System Jobs Throughput/Minute: This chart shows the average system jobs that have been executed per hour in the Common Data Service environment over the specified time.
Executions and Backlog: This chart shows the number of executions and the backlog for system jobs in the Common Data Service environment over the specified time.
Most Active Workflows: This chart shows top 10 most executed workflows in the Common Data Service environment over the specified time.
Top Workflows by Failures: This chart shows top 10 most failing workflows in the Common Data Service environment over the specified time. Click on a workflow to see the failures and their number of occurrences.

Update frequency
System jobs chart data is updated as follows.
Chart: Update frequency

Workflow Executions: 24 hours
System Jobs Pass Rate: 24 hours
System Jobs Throughput / Hour: 24 hours
Most Active Workflows: 24 hours
System Jobs Executions and Backlog: 24 hours
Top Workflows by Failures: 24 hours

Plug-ins

About this dashboard


Use this dashboard to monitor and troubleshoot plug-ins.
What's included in this dashboard
Chart element: Description

Plug-in Success Rate: This chart shows the plug-in pass rate as percentage of total plug-in executions that were executed in the Common Data Service environment over the specified time.
Plug-in Executions: This chart shows how many plug-ins have been executed in the Common Data Service environment over the specified time.
Average Plug-in Execution Time: This chart shows average time taken to successfully execute a plug-in in the Common Data Service environment over the specified time.
Most Active Plug-ins: This chart shows top 10 most executed plug-ins in the Common Data Service environment over the specified time.
Top Plug-ins by Failures: This chart shows top 10 most failing plug-ins in the Common Data Service environment over the specified time.

Update frequency
Plug-ins chart data is updated as follows.

Chart: Update frequency

Plug-in Success Rate: 24 hours
Most Active Plug-ins: 24 hours
Plug-in Executions: 24 hours
Average Plug-in Execution Time: 24 hours
Top Plug-ins by Failures: 24 hours

API Call Statistics

About this dashboard


Use this dashboard to monitor and troubleshoot API calls.
What's included in this dashboard
Chart element: Description

API Success Rate: This chart shows the API success rate as percentage of total API calls that were made in the Common Data Service environment over the specified time.
Top API by Failures: This chart shows top 10 failing API calls in the Common Data Service environment over the specified time.
Total API Calls: This chart shows how many API calls have been made in total in the Common Data Service environment over the specified time.
Most Used API: This chart shows top 10 most executed API calls in the Common Data Service environment database.
API Calls: This chart shows how many API calls have been made over time in the Common Data Service environment over the specified time.

Update frequency
API Call Statistics chart data is updated as follows.

Chart: Update frequency

API Success Rate: 24 hours
Top API by Failures: 24 hours
Most Used API: 24 hours
Total API Calls: 24 hours
API Calls: 24 hours

Mailbox Usage
About this dashboard
Use this dashboard to monitor email mailbox usage.
What's included in this dashboard
Chart element: Description

Mailbox Details by GEO: This chart shows mailbox details like:
    the number of server-side synch configured mailboxes
    the number of server-side synch enabled mailboxes
    the number of server-side synch Appointments, Contacts, and Tasks enabled mailboxes
    the number of server-side synch incoming enabled mailboxes
    the number of server-side synch outgoing enabled mailboxes categorized by the geo location the mailbox is hosted in
Mailboxes by Server Type: This chart shows the mailbox distribution by server type.
Active Email Server Profiles by Geo: This chart shows active server-side synch enabled mailboxes distributed over the geo location they are hosted in.
Mailboxes by Exchange Configuration: This chart shows the number of mailboxes categorized by their Exchange configuration.
Number of Mailbox Configuration Errors: This chart shows the number of mailbox configuration errors which occurred over the user-selected time frame.
Mailbox Usage: This chart shows the number of server-side synch mailboxes over the time range selected by the user.
Number of Outlook Mailboxes: This chart shows the number of Outlook mailboxes configured for the organization.
Number of Active Email Server Profiles: This chart shows the number of active email server profiles for the time range configured by the user.

Update frequency
Mailbox Usage chart data is updated as follows.

Chart: Update frequency

Mailbox Details by Geo: 24 hours
Active Email Server Profiles by Geo: 24 hours
Mailboxes by Server Type: 24 hours
Mailbox Usage: 24 hours
Number of Mailbox Configuration Errors: 24 hours
Number of Active Email Server Profiles: 24 hours
Number of Outlook Mailboxes: 24 hours
Mailboxes by Exchange Configuration: 24 hours

Download Reports
Select Download to view available downloads and then select any of the reports to download them into Microsoft Excel.
All the download reports, except "Active Dynamics 365 Customer Engagement Plan Users by Application", show data:
for an environment, and
per the timeline in the filters for the out-of-box Common Data Service analytics reports. If you select a certain date range for the out-of-box Common Data Service reports, the same time filter applies to the downloads.
The maximum duration for data availability is 30 days.
The "Active Dynamics 365 Customer Engagement Plan Users by Application" report always shows the last 30 days of data at the tenant level.
What's included
Chart element: Description

Active users by device type: List of active users by device type used to access Dynamics 365
Active users by business unit: List of active users by their business unit
Active users by security role: List of active users by their security roles
Active users by client: List of active users, by client type used to access Dynamics 365
Active users by entities: List of active users distributed by entity
Most active users performing operations: List of most active users (unique users) over time who performed an operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update.
Most used custom entities: List of custom entities which had the most Retrieve, Retrieve Multiple, Delete, Create, and Update SDK calls.
Most used OOB entities: List of out-of-box entities which had the most Retrieve, Retrieve Multiple, Delete, Create, and Update SDK calls.
Most active workflows: List of top 10 most executed workflows in the Common Data Service environment over the specified time.
Most active plug-ins: List of top 10 most executed plug-ins in the Common Data Service environment over the specified time.
Most used API: List of top 10 most executed API calls in the Common Data Service environment database.
Active Dynamics 365 Customer Engagement Plan Users by Application: Active Dynamics 365 Customer Engagement plan users by application. Helps customers to know usage across different apps and entities so that when it is time to renew their subscription, they can choose the individual apps to be bought (for example Dynamics 365 for Sales, Dynamics 365 for Customer Service, etc.). The Customer Engagement plan, which was a suite of all Customer Engagement applications, is no longer being sold and people need to choose the individual apps to be bought.
Non-conformant usage by users with Team Member license: Shows customers how their users (with team member licenses) are using the product in ways that are deemed to be not conformant with the use rights entitled to this license, as per licensing guide.

View data for different environments and date-time ranges


Select Change filters.

Select the environment and time-period from the drop-down lists, and then select Apply to save the changes. All
the Common Data Service analytics reports are available using this selection.
Admin Analytics for Microsoft Power Automate
10/16/2020 • 2 minutes to read

Environment admins can access analytics for Power Automate in the Power Platform admin center. The reports
provide insights into runs, usage, errors, types of flows created, shared flows, and details on connectors associated
with all the different flow types like automated flows, button flows, scheduled flows, approval flows, business
process flows. These reports are not available for the UI flows type.
To access these reports:
1. Go to the navigation bar on the left side.
2. Select Analytics.
3. Select Microsoft Power Automate.
4. View the reports on the right side.

Who can view these reports?


Admins with the following roles and a license can view the reports in Power Automate analytics:
Environment Admin - can view reports for the environments that the admin has access to.
Power Platform admin – can view reports for all environments.
Dynamics 365 admin - can view reports for all environments.
Microsoft 365 Global admin – can view reports for all environments.
For more information on the different roles for managing your tenant across the platform, see Use service admin
roles to manage your tenant.

Data storage
When a user creates an environment in a region, the environment is hosted in that region. All data for that
environment resides within that region for a maximum period of 28 days.
The data refresh cycle is about 3 hours and you can find the last refresh time at the top right corner of the page.

Available reports
The preview contains 6 reports with multiple KPIs in each report. By default, you see reports for the last viewed
environment.

Runs report
By default, you see the Runs report. It provides a view into the daily, weekly, and monthly run data of all flows in an
environment.
Usage report
This report provides insights into the different types of flows in use, the trends, and the flow creator's names.
Created report
This report provides insights into the types of flows created, trends, and details like the created date and the
creator's email address.

Error report
This report provides insights into recurring error types and details like the error count, last occurred time, and the
creator's email address for each flow.
Shared report
This report provides details on the flows shared and trends in the environment.

Connectors report
This report provides details on connectors and their associated flows. Metrics like the number of calls from each
flow per connector, flow runs, and the flow creator's email address are available for both standard and custom
connectors.

Download reports
The reports are built with Power BI. Users can select the ellipsis (…) for a KPI and then select Export data.

View reports in other environments


To view reports in another environment:
1. Select Change Filters.
2. Select the new environment from the Environment list and optionally, select a Time Period.
3. Select Apply.
Admin Analytics for Power Apps
10/16/2020 • 3 minutes to read

Analytics for the environment admin is available at the Power Platform admin center. The admin reports provide a
view into environment level usage, errors, service performance to drive governance, and change management
services to users. These reports are available for canvas apps only and not available for model-driven apps.
To access these reports, sign in to the Power Platform admin center and select Analytics > Power Apps. Reports
appear in a menu bar at the top of the page.

Who can view these reports?


Admins with the following roles and a license can view the reports in Power Apps analytics:
Environment Admin - can view reports for the environments that the admin has access to.
Power Platform admin – can view reports for all environments.
Dynamics 365 admin - can view reports for all environments.
Microsoft 365 Global admin – can view reports for all environments.
For more information on the different roles for managing your tenant across the platform, see Use service admin
roles to manage your tenant.

Where is my data stored?


When a user first creates an environment from a region, the environment is always hosted in that region. The data
is stored only in the region that an environment is hosted in. Data is stored for a maximum of 28 days. The data
refresh cycle is about 3 hours and the last refresh time in UTC time standard is displayed on the upper-right corner
of the page.

What are the available reports?


There are six reports available for Power Apps admins. The last viewed environment is selected by default.
Usage report is the default report seen by the logged-in environment admin. It provides total app launches and
daily active users across all apps in the environment. Admins can filter the view with attributes like device platform,
player version, country, state, and city.
Location report provides a map-based view of usage. It gives an insight into regional adoption and usage trends.

Toast Errors report provides insights into the toast error trends, types, and counts per app to help drive
improvements in app quality. The toast errors are errors displayed to the end users of the app.
Service Performance report provides details of all standard and custom connectors to understand performance
bottlenecks and client versus service API issues. An environment admin will get insights into:
Connectors used in the environment.
Best and least performant service and the API service response times.
Success rates for each service to determine areas that need attention.
The 50th, 75th, and 90th percentile response times for each service.
The number of HTTP 500 error codes of connectors indicating issues around the server not responding to calls from the client.
The number of successful connection requests.
All the service performance KPIs can be filtered with attributes like a specific service or connector, device platform,
player version, and country, state, or city to drill down into the specific API.
Connectors report provides visibility into the standard and custom connectors being used by canvas apps. The
last 28 days of data is visible at the environment level.
Admins can gain insights into the number of connectors associated with each app, the specific connectors being
used by each app, and the owner of the connector. It also provides data on the number of times the app has been
shared, the number of app sessions, and the last accessed time for visibility into high usage apps and connectors.
A sample scenario: An admin can gain insight into the number of shares and usage of a specific finance app
using one or more connectors. This will allow the admin to engage with the app owner to ensure no sensitive data
is inadvertently being shared through the app.
Note that the current iteration of this specific report does not have a download report feature.
How can I download the reports?
The reports are built on Power BI. To download a report, select the ellipsis (…) of the specific KPI and select Export data.

How do I change environments?


Select Change Filter or the Filter button in the upper-right corner of the page.
Select the environment and time period from the drop-down lists, and then select Apply to save the changes. All
the Power Apps analytics reports will now use this selection.

FAQ
Why are some apps missing in my report?
Currently, Power Apps analytics reports do not display model-driven apps data. Only canvas apps related data is
displayed.
What's new about storage
10/16/2020 • 2 minutes to read

We've made some key enhancements to admin experiences for the Power Platform admin center:
Storage reporting is based on customer licenses and capacity add-ons.
Changes have been implemented for exceeding storage capacity entitlements.
We're rolling out these features now so check back if your user experience varies from the following content.

Updates to storage reporting


In April 2019, we introduced Common Data Service capacity storage that's optimized for relational data (database),
attachments (file), and audit logs (log). New customers of Power Apps, Power Automate, and customer engagement
apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365
Marketing, and Dynamics 365 Project Service Automation) receive a tenant-wide default entitlement for each of
these three storage types and additional per user subscription license entitlements. Additional storage can be
purchased in 1-GB increments. Existing customers won't be affected by this change until the end of their current
Power Apps or Dynamics 365 subscription, when renewal is required.

Some of the benefits of this change include:


Scalability with purpose-built storage management solutions.
The ability to enable new business scenarios.
Reduced need to free up storage space.
Support for a variety of data types.
Additional default and full user entitlements.
Flexibility to create new environments.
Following the introduction of Common Data Service capacity, we updated our capacity reporting to show database,
file, and log entitlement for all our customers. This change in reporting isn't visible to those who are still on the
legacy licensing storage model.
Two versions of storage reporting
There are two versions for storage capacity reporting:
Legacy capacity model: Organizations with the previous licensing model for storage. Users with these
licenses will see a single capacity for entitlement. More information: Legacy storage capacity
New capacity model: Organizations with the new licensing model for storage. Users with these licenses
will see the storage capacity entitlement and usage by database, file, and log. More information: Common
Data Service storage capacity

What happens when my organization exceeds storage entitlements?


If you exceed your storage capacity, you'll receive notifications alerting you to the over-capacity usage. These
notifications occur as alerts in the Power Platform admin center. The following admin operations won't be available
when a tenant exceeds storage capacity entitlements:
1. Create environment
2. Copy environment (starting August 24th)
3. Restore environment (starting August 24th)
Please review:
Actions to take for a storage capacity deficit.
For the legacy capacity storage model, see Example storage capacity scenario.
For the new capacity storage model, see Example storage capacity scenarios, overage enforcement.
See also
Legacy storage capacity
Common Data Service storage capacity
Free up storage space
Delete and recover environments
New Common Data Service storage capacity
10/16/2020 • 10 minutes to read

If you purchased storage in or after April 2019, or you have a mix of storage purchases made before and after
April 2019, you'll see your storage capacity entitlement and usage by database, file, and log as it appears in the
Power Platform admin center today.
Data volume continues to grow exponentially, as businesses advance their digital transformation journey and
bring data together across their organization. Modern business applications need to support new business
scenarios, manage new data types, and help organizations with the increasing complexity of compliance
mandates. To support the growing needs of today's organizations, data storage solutions need to evolve
continuously and provide the right solution to support expanding business needs.
We're rolling out this feature now so check back if your user experience varies from the following content.

NOTE
For licensing information, see the Power Apps and Power Automate licensing guide.
If you purchased your Dynamics 365 subscription through a Microsoft partner, contact them to manage storage capacity.
The steps below do not apply to partner-based subscriptions.

Licenses for the new storage model


The following licenses provide capacity by using the new storage model. If you have any of these licenses, you'll
see the new model report:
Common Data Service for Apps Database Capacity
Common Data Service for Apps File Capacity
Common Data Service for Apps Log Capacity
To see whether you have any of these licenses, sign in to the Microsoft 365 admin center, and then go to Billing
> Licenses.

NOTE
If you have a mix of legacy model licenses and the abovementioned new model licenses, you'll see the new model report.
If you have none of the legacy model licenses nor the new model licenses, you'll see the new model report.

Verifying your new storage model


1. Sign in to the Power Platform admin center, and then select an environment.
2. Select Resources > Capacity.
3. View the data on the Summary page.
The new licensing storage model looks like the following image.
Capacity page details
Summary tab
This page provides a tenant-level view of where your organization is using storage capacity.
To view the Summary page, select Resources > Capacity > Summary.

All entities of Common Data Service, including system entities, are included in the storage capacity reports.

Number: Description

(1) Storage capacity usage
    File and database: The following entities store data in file and database storage:
        Attachment
        AnnotationBase
        Any custom or out-of-the-box entity that has fields of datatype file or image (full size)
        Any entity that is used by one or more installed Insights applications and ends in - Analytics
    Log: The following entities are used:
        AuditBase
        PlugInTraceLogBase
    Database only: All other entities are counted for your database

(2) Storage capacity, by source
    Org (tenant) default: The default capacity given at the time of sign-up
    User licenses: Additional capacity added for every user license purchased
    Additional storage: Any additional storage you bought
    Total: Total storage available
    View self-service sources: See View self-service license amounts and storage capacity

(3) Top storage usage, by environment: The environments that consume the most capacity

The actual files such as .pdf (or any other file attachment type) are stored in file storage. However, certain
attributes needed to access the files are stored in the database as well.
Storage capacity tab
This page provides similar information as the Summary tab, but with an environment-level view of where your
organization is using capacity.
To view the Storage capacity page, select Resources > Capacity > Storage capacity. See the next section for
using the Details button to see environment capacity analytics.
NOTE
The following environments don't count against capacity and are shown as 0 GB:
Trial
Preview
Support
Developer
You can select an environment that's showing 0 GB, and then go to its Environment Analytics page to see the actual
consumption.

Environment capacity analytics


This page provides an environment-level detailed view of where your organization is using capacity, in addition
to the three types of capacity consumption.
To view environment-level capacity analytics
1. Select Resources > Capacity > Storage capacity.
2. Select an environment.
3. Select Details.

The following details are provided:


Actual database usage
Top database tables and their growth over time
Actual file usage
Top files tables and their growth over time
Actual log usage
Top tables and their growth over time

Changes for exceeding storage capacity entitlements


We're making changes for what happens when an organization's storage capacity usage is greater than the
capacity entitled or purchased via add-ons.
For now, if you exceed your storage capacity, you'll receive notifications alerting you to the over-capacity usage.
These notifications will occur as alerts in the Power Platform admin center. In the future, certain admin
operations will no longer be available when a tenant exceeds storage capacity entitlements. Check back for
updated information.

Example storage capacity scenarios, overage enforcement


You should be within limits for your entitled capacity for database, log, and file. If you have used more capacity
than you're entitled to, you should buy more capacity or free up capacity. However, if you've overused database,
log, or file capacity, review the following scenarios to understand when enforcement will be applied.
Scenario 1: Database storage is over capacity, overage enforcement
Type        Entitled    Consumed
Database    100 GB      110 GB
Log         10 GB       5 GB
File        400 GB      200 GB

This tenant is 10 GB over in database usage. Despite having 200 GB excess file storage, the tenant is considered
to be in deficit. This tenant should free up storage or purchase more capacity.
Scenario 2: Log storage is over capacity, overage enforcement
Type        Entitled    Consumed
Database    100 GB      95 GB
Log         10 GB       20 GB
File        400 GB      200 GB

This tenant is 10 GB over in log usage and has only 5 GB available in database capacity. Therefore, the tenant is in
deficit and should free up storage or purchase more capacity.
Scenario 3: File storage is over capacity, overage enforcement
Type        Entitled    Consumed
Database    100 GB      20 GB
Log         10 GB       5 GB
File        200 GB      290 GB

This tenant is 90 GB over in file usage. Despite having 85 GB available (80 GB database + 5 GB log) in storage
capacity, the tenant is considered to be in deficit. This tenant should free up storage or purchase more capacity.

Example storage capacity scenario, no overage


Scenario 4: Log storage is over capacity
Type        Entitled    Consumed
Database    100 GB      80 GB
Log         10 GB       20 GB
File        400 GB      200 GB

This tenant is 10 GB over in log usage but has 20 GB available in database capacity. Therefore, the tenant isn't in
deficit. Note that file storage excess entitlement can't be used to compensate deficits in log or database storage.
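
The compensation rule that the four scenarios above imply, written out as an added Python example (not Microsoft's code; `Usage`, `evaluate` and `SCENARIOS` are names made up here). Because the scenarios do not settle every combination, it assumes that a database or file overage always counts as a deficit and that only spare database capacity can absorb a log overage.

```python
"""Capacity-deficit check modelled on the page's four example scenarios.

Rules encoded:
  * Spare file capacity never offsets a database or log overage (stated on the page).
  * A log overage is tolerated while spare database capacity covers it
    (Scenario 2 versus Scenario 4).
  * ASSUMPTION: a database or file overage is always a deficit. The page does not
    say whether spare log capacity can offset a database overage, or whether spare
    database/log capacity can offset a file overage, so this takes the strict reading.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Usage:
    """Entitled and consumed capacity for one storage type, in GB."""
    entitled_gb: float
    consumed_gb: float

    @property
    def overage(self) -> float:
        return max(0.0, self.consumed_gb - self.entitled_gb)

    @property
    def spare(self) -> float:
        return max(0.0, self.entitled_gb - self.consumed_gb)


def evaluate(database: Usage, log: Usage, file: Usage) -> dict:
    """Return the deficit verdict plus the GB to free or buy per storage type."""
    # Only the part of the log overage that spare database capacity cannot
    # absorb counts against the tenant.
    uncovered_log = max(0.0, log.overage - database.spare)
    shortfall = {
        "database": database.overage,
        "log": uncovered_log,
        "file": file.overage,  # spare database/log capacity is not applied (assumption)
    }
    reasons = [
        f"{kind} short by {gb:g} GB" for kind, gb in shortfall.items() if gb > 0
    ]
    return {
        "in_deficit": bool(reasons),
        "shortfall_gb": shortfall,
        "log_covered_by_database_gb": min(log.overage, database.spare),
        "reasons": reasons,
    }


# The entitled/consumed figures from Scenarios 1-4 on this page.
SCENARIOS = {
    1: (Usage(100, 110), Usage(10, 5), Usage(400, 200)),
    2: (Usage(100, 95), Usage(10, 20), Usage(400, 200)),
    3: (Usage(100, 20), Usage(10, 5), Usage(200, 290)),
    4: (Usage(100, 80), Usage(10, 20), Usage(400, 200)),
}


if __name__ == "__main__":
    for number, (database, log, file) in SCENARIOS.items():
        result = evaluate(database, log, file)
        verdict = "DEFICIT" if result["in_deficit"] else "ok"
        detail = "; ".join(result["reasons"]) or "within entitlement"
        print(f"Scenario {number}: {verdict} ({detail})")
```

Log capacity holds the audit tables (AuditBase), so the `shortfall_gb["log"]` figure is the one to watch before any cleanup that would delete audit history.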

Actions to take for a storage capacity deficit


You can always free up storage, delete unwanted environments, or buy more capacity to be compliant with
storage usage. To learn more about capacity add-ons, see the Dynamics 365 Licensing Guide or the "Add-ons"
section of the Power Apps and Power Automate Licensing Guide. You can work through your organization's
standard procurement process to purchase capacity add-ons.

FAQ
Why is my storage consumption decreasing in database and growing in file?
We are constantly optimizing the Common Data Service for ease of use, performance, and efficiency. Part of this
ongoing effort is to move data to the best possible storage with the lowest cost for customers. File-type data
such as “Annotation” and “Attachment” is moving from database to file storage. This leads to decreased usage of
database capacity and an increase in file capacity.
Why could my database table size decrease while my table and file data sizes remain the same?
As part of moving file-type data such as “Annotation” and “Attachment” out from database and into file storage,
we periodically reclaim the freed database space. This leads to decreased usage of database capacity, while the
table and file data size computations remain unchanged.
Do indexes affect database storage usage?
Possibly. Database storage includes both the database records and index files used to improve search
performance. Indexes are created and optimized for peak performance and are updated frequently by the system
by analyzing data use patterns. No user action is needed to optimize the indexes, as all Common Data Service
stores have tuning enabled by default. A fluctuation in database storage can be represented by an increased or
decreased number of indexes on the database. Common Data Service is continually being tuned to increase
efficiency and incorporate new technologies that improve user experience and optimize storage capacity.
Common causes for an increase in index size are:
An organization making use of new functionality (this can be custom, out-of-the-box, or part of an update or
solution installation).
Data volume or complexity changes.
A change in usage patterns that indicate new indexes are in need of reevaluation.
If Quick Find lookups are configured for data that's frequently used, this will also create additional indexes in the
database. Admin-configured Quick Find values can increase the size of the indexes based on:
The number of fields chosen and the data type of those fields.
The volume of records for the entities and fields.
The complexity of the database structure.
Because custom Quick Find lookups are created by an admin in the org, these can be user-controlled. Admins can
reduce some of the storage used by these custom indexes by doing the following:
Removing unneeded fields and/or entities
Eliminating multiline text fields from inclusion
I just bought the new capacity-based licenses. How do I provision an environment by using this model?
You can provision environments through the Power Platform admin center. More information: Create and
manage environments in the Power Platform admin center
I'm a new customer and I recently purchased the new offers. My usage of database/log/file is showing red.
What should I do?
Consider buying additional capacity by using the Licensing Guide. Alternatively, you can free up storage.
Where can I read more about the new capacity offers?
Download the Licensing Guide to learn more.
I'm an existing customer, and my renewal is coming up. Will I be affected?
Customers who renew existing subscriptions can choose to continue to transact by using the existing offers for a
certain period of time. Please contact your Microsoft partner or Microsoft sales team for details.
I'm a Power Apps/Power Automate customer and have environments with and without database. Will they
consume storage capacity?
Yes. All environments will consume 1 GB, regardless of whether they have an associated database.
Do I get notified through email when my org is over capacity?
When you sign in to the Power Platform admin center, you'll be notified if your capacity usage is more than the
capacity you're entitled to.
Why am I no longer getting storage notifications?
We've disabled email notifications with the move to the new storage model. Review the Capacity page to
monitor usage.
I'm an existing customer. Should I expect my file and log usage to change?
Log and files data usage isn't expected to be exactly the same size as when the same data is stored by using
database, due to different storage and indexing technologies. The current set of out-of-the-box entities stored in
file and log storage might change in the future.
The capacity report shows the entitlement breakdown per license, but I have more licenses in my tenant and
not all of them are listed in the breakdown. Why?
Not all licenses give per-user entitlement. For example, the Team Member license doesn't give any per-user
database, file, or log entitlement. So in this case, the license isn't listed in the breakdown.
Which environments are counted in the capacity report?
Default, production, and sandbox environments are counted for consumption. Trial, preview, support, and
developer environments aren't counted.
What are entities ending in “- analytics” in my capacity report?
Entities ending in “– Analytics” are entities used by one or more Insights applications, for example Sales Insights,
Customer Service Hub, or Field Service and resource scheduling and optimization analytics dashboard to
generate predictive insights and/or analytics dashboards. The data is synched from Common Data Service
entities. See More information below for documentation covering the installed Insights applications and the
entities used to create insights and dashboards.
More information:
Sales Insights
Field Service and resource scheduling optimization (RSO)
Customer Service Hub
Field Service
See also
Capacity add-ons
Automatic tuning in Azure SQL Database
What's new in storage
Free up storage space
Legacy storage capacity
10/16/2020

In April 2019, we introduced Common Data Service capacity storage that is optimized for relational data,
attachments, and audit logs. If you purchased storage prior to April 2019, you are using the legacy licensing model
for storage discussed in this topic.
We're rolling out this feature now so check back if your user experience varies from the following content.

Licenses for the legacy storage model


The following licenses provide capacity using the legacy storage model. If you have any of the following licenses
and none of the new model licenses, you'll see the legacy model report:
Microsoft Dynamics 365 Additional Non-production Instance
Microsoft Dynamics 365 Additional Test Instance
Microsoft Dynamics 365 Instance
Microsoft Dynamics 365 Storage Add-On
To see whether you have any of these licenses, sign in to the Microsoft 365 admin center, and then go to Billing >
Licenses.

NOTE
If you have a mix of the abovementioned legacy model licenses and new model licenses, you'll see the new model report.
If you have neither the abovementioned legacy model licenses nor the new model licenses, you'll see the new model report.

Verifying your legacy storage model


1. Sign in to the Power Platform admin center, and then select an environment.
2. Select Resources > Capacity.
3. View the data on the Summary page.
The legacy licensing storage model looks like the following image.
The report displays available storage capacity by source in addition to overall storage capacity usage. To help
customers transition to the new licensing model, current usage is also shown by database, file, and log capacity.

Capacity page details


NOTE
The calculation of storage capacity usage in the legacy licensing model consists of all three storage types—database, file, and
log—however, it's displayed as one overall storage number.

Summary tab
This page provides a tenant-level view of where your organization is using storage capacity.
To view the Summary page, select Resources > Capacity > Summary.

NUMBER  DESCRIPTION

(1)  Storage capacity usage
     File and database: The following entities store data in file and database storage:
       Attachment
       AnnotationBase
       Any custom or out-of-the-box entity that has fields of datatype file or image (full size)
       Any entity that is used by one or more installed Insights applications and ends in - Analytics
     Log: The following entities are used:
       AuditBase
       PlugInTraceLogBase
     Database only: All other entities are counted for your database

(2)  Storage capacity, by source
     Org (tenant) default: The default capacity given at the time of sign-up
     User licenses: Additional capacity added for every user license purchased
     Additional storage: Any additional storage you bought
     Total: Total storage available
     View self-service sources: See View self-service license amounts and storage capacity

(3)  Top storage usage, by environment: The environments that consume the most capacity

Storage capacity tab


This page provides similar information as the Summary tab, but with an environment-level view of where your
organization is using capacity.
To view the Storage capacity page, select Resources > Capacity > Storage capacity. See the next section for
using the Details button to see environment capacity analytics.
NOTE
The following environments don't count against capacity and are shown as 0 GB:
Trial
Preview
Support
Developer
You can select an environment that's showing 0 GB, and then go to its Environment analytics page to see the actual
consumption.

Environment capacity analytics


This page provides an environment-level detailed view of where your organization is using capacity, in addition to
the three types of capacity consumption.
To view environment-level capacity analytics
1. Select Resources > Capacity > Storage capacity.
2. Select an environment.
3. Select Details.

The following details are provided:


Actual database usage
Top database tables and their growth over time
Actual file usage
Top files tables and their growth over time
Actual log usage
Top tables and their growth over time

Example storage capacity scenario


Scenario: Total storage is over capacity, overage enforcement
TYPE           ENTITLED   CONSUMED

Total storage  100 GB     110 GB

The 110 GB of storage is used by the three types of storage: database, log, and file. This tenant is 10 GB over in
storage usage. Therefore, there is a deficit. This tenant should free up storage or purchase more capacity.
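The Summary tab categories, the list of uncounted environment types, the deficit scenario above, and the FAQ rule that provisioning needs at least 1 GB of available capacity can be modelled together. The following Python is an added example, not Microsoft code: the table names in the two sets come from this page, while the `Environment` class, the function names, and the sample tenant (including `AccountBase`, `ContactBase` and `Sales - Analytics`) are constructed for illustration.

```python
from dataclasses import dataclass, field

# Names taken from the Summary tab description on this page.
FILE_AND_DATABASE_TABLES = {"Attachment", "AnnotationBase"}
LOG_TABLES = {"AuditBase", "PlugInTraceLogBase"}
# Environment types the page lists as not counted (shown as 0 GB).
UNCOUNTED_ENV_TYPES = {"trial", "preview", "support", "developer"}


def storage_category(table, has_file_or_image_field=False):
    """Map a table to the category the Summary tab uses for it."""
    name = table.strip()
    if name in LOG_TABLES:
        return "log"
    if name in FILE_AND_DATABASE_TABLES or has_file_or_image_field:
        return "file and database"
    # Insights tables end in "- Analytics"; accept a hyphen or an en dash.
    if name.replace("\u2013", "-").lower().endswith("- analytics"):
        return "file and database"
    return "database only"


@dataclass
class Environment:  # hypothetical container, not a Power Platform API type
    name: str
    env_type: str  # "default", "production", "sandbox", "trial", ...
    table_gb: dict = field(default_factory=dict)  # table name -> GB used


def capacity_report(environments, entitled_gb):
    """Aggregate usage the way the legacy report presents it."""
    by_category = {"file and database": 0.0, "log": 0.0, "database only": 0.0}
    per_env = {}
    for env in environments:
        counted = env.env_type.lower() not in UNCOUNTED_ENV_TYPES
        env_total = 0.0
        if counted:
            for table, gb in env.table_gb.items():
                by_category[storage_category(table)] += gb
                env_total += gb
        per_env[env.name] = env_total  # uncounted environments stay at 0 GB
    consumed = sum(by_category.values())
    available = entitled_gb - consumed
    return {
        "entitled_gb": entitled_gb,
        "consumed_gb": consumed,  # the single overall number the report shows
        "by_category": by_category,
        "deficit_gb": max(0.0, -available),
        # FAQ rule: provisioning needs at least 1 GB of available capacity.
        "can_provision": available >= 1.0,
        "top_environments": sorted(per_env, key=per_env.get, reverse=True),
    }


# Constructed tenant reproducing the 100 GB entitled / 110 GB consumed scenario.
SAMPLE_TENANT = [
    Environment("prod", "production",
                {"AccountBase": 60.0, "Attachment": 20.0, "AuditBase": 10.0}),
    Environment("uat", "sandbox",
                {"ContactBase": 15.0, "Sales - Analytics": 5.0}),
    Environment("demo", "trial", {"AccountBase": 30.0}),
]

if __name__ == "__main__":
    report = capacity_report(SAMPLE_TENANT, entitled_gb=100.0)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The trial environment holds 30 GB in the sample but contributes nothing to the total, which matches the 0 GB the Storage capacity tab shows for uncounted environments.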

Actions to take for a storage capacity deficit


You can always free up storage, delete unwanted environments, or buy more capacity to be compliant with storage
usage. To learn more about capacity add-ons, see the Dynamics 365 Licensing Guide or the "Add-ons" section of
the Power Apps and Power Automate Licensing Guide. You can work through your organization's standard
procurement process to purchase capacity add-ons.

FAQ
Why is my storage consumption decreasing in database and growing in file?
We are constantly optimizing the Common Data Service for ease of use, performance, and efficiency. Part of this
ongoing effort is to move data to the best possible storage with the lowest cost for customers. File-type data such
as “Annotation” and “Attachment” is moving from database to file storage. This leads to decreased usage of
database capacity and an increase in file capacity.
Why could my database table size decrease while my table and file data sizes remain the same?
As part of moving file-type data such as “Annotation” and “Attachment” out from database and into file storage, we
periodically reclaim the freed database space. This leads to decreased usage of database capacity, while the table
and file data size computations remain unchanged.
I have available instances (production and sandbox), but my capacity usage is more than my capacity
entitlement. Will I be able to provision new environments?
Provisioning a new environment requires that you not be delinquent in storage capacity. If you have at least 1 GB
of available storage capacity, you can provision environments to align with your available instances.
I have storage licenses from the legacy licensing model, and I also purchased new model storage licenses.
Which report will I see?
You'll see the report for the new licensing model.
Do I get notified through email when my org is over capacity?
When you sign in to the Power Platform admin center, you'll be notified if your capacity usage is more than the
capacity you're entitled to.
What are entities ending in “- analytics” in my capacity report?
Entities ending in “– Analytics” are entities used by one or more Insights applications, for example Sales Insights,
Customer Service Hub, or Field Service and resource scheduling and optimization analytics dashboard to generate
predictive insights and/or analytics dashboards. The data is synched from Common Data Service entities. See
More information below for documentation covering the installed Insights applications and the entities used to
create insights and dashboards.
More information:
Sales Insights
Field Service and resource scheduling optimization (RSO)
Customer Service Hub
Field Service
See also
Common Data Service storage capacity
What's new in storage
Free up storage space
Capacity add-ons
View self-service storage capacity
10/16/2020

With the introduction of self-service purchases for Power Platform products, license purchases are no longer
restricted to Power Platform admins. With this change comes the need to be able to view self-service capacity data.
Use the steps below to view the storage capacity provided with purchased licenses.
1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com with admin or
end-user credentials.
2. Select Resources > Capacity > Summary tab.

NOTE
Admins and end users will see the same tenant capacity on this page.

3. In the Storage capacity, by source tile, select View self-service sources.

If you are signed in as a Power Platform admin


You will see all licenses purchased by users in the tenant. You can filter or search for licenses to shorten the list.
If you are signed in as an end user
You will see the license and capacity information for the licenses you have purchased.

If there are no licenses purchased by tenant users


The Capacity from self-service user licenses page will be blank.
Capacity add-ons
10/16/2020

If your organization has purchased capacity add-ons, you have to allocate that capacity to any environment where
you want to use it. You also have to make sure that your users have access to those environments and have the
correct permissions before they can use the products for which you've purchased a capacity add-on.
There are three stages for using capacity add-ons:
1. Purchase: you buy individual capacity add-ons. For purchasing information, see the Power Apps and Power
Automate Licensing Guide.
2. Allocate: assign the purchased add-ons to an environment.
3. Consume: once allocated, you can consume the capacity add-ons.

TIP
Consider purchasing Power Apps per app plans which allow individual users to run two applications and one portal. See
About Power Apps per app plans.

View capacity add-ons in Power Platform admin center


If your organization has purchased capacity add-ons, an Add-ons tile appears on the Capacity screen in the
Power Platform admin center. Sign in to the admin center, and select Resources > Capacity in the left-side
navigation pane.
The Add-ons tile shows summary information about the capacity add-ons that your organization has.

Each capacity has a usage gauge that shows how many units have been assigned compared to the available
capacity. Capacities are measured in different ways depending on the product. For example, App passes are
assigned individually, while AI Builder capacity is measured in credits. Refer to the product documentation for
more information about metering.

Allocate or change capacity in an environment


To allocate capacity to an environment:
1. Sign in to the Power Platform admin center.
2. Select Resources > Capacity in the left-side navigation pane.
3. On the Capacity screen, do one of the following to open the Manage add-ons screen:
Scroll down to the Add-ons tile, and then select Manage on the top-right corner of the Add-ons tile.
Select the Add-ons tab. Select Assign to an environment in the upper-left menu bar.
Select the Add-ons tab. Select an environment, and then select Manage add-ons in the upper-left
menu bar.
4. Select the environment where you want to add capacity from the Environment drop-down menu, and
then allocate from your available capacity.

Some examples
If you have 10 users who are going to be using 1 app each, you should assign 10 app passes to the app
environment.
If you want to create 5 flows in an environment which are going to be used for business process flows,
assign a capacity of 5 for flow per business process.
If a company has created a portal and anticipates 50,000 views of the portal, it should allocate 50,000 portal
page views.

Control who can allocate add-on capacity


As an admin, you can restrict who can allocate add-on capacity to environments.
1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com.
2. Select the Gear icon in the upper-right corner of the Power Platform site.
3. Select Power Platform settings.
4. Under Who can allocate add-on capacity to environments, select Only specific admins.
The following admins will be able to allocate add-on capacity in the Power Platform admin center:
Global admins
Dynamics 365 admins
Power Platform admins
See also
About Power Apps per app plans
Free up storage space
10/16/2020

These are ways to reduce the amount of storage space used by removing or deleting different types of
information from customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics
365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation). Use one or more of
these methods to control your total data storage usage. You can delete certain categories of data as the need
arises, or you can set up bulk deletion jobs to reoccur at set intervals.

WARNING
The suggestions in this topic include deleting notes, attachments, import history, and other data. Before you delete data,
be sure that the data is no longer needed because you cannot retrieve deleted data. There is no "undo" to restore your
data once it has been deleted. This means it may make more sense for you to increase the amount of storage space you
have with your Microsoft Dynamics 365 subscription instead of reducing the amount of storage space used.

NOTE
Except for methods 3 and 5, all these methods require that you have an administrator security role, such as System
Administrator. This gives you permission to delete records in bulk and to delete system jobs.
After performing actions to free up storage, the system can take up to 24 hours to update storage information. We
recommend waiting up to 24 hours and monitoring your storage.
Storage consumed does not directly correspond to the size reported in Common Data Service for Apps; consumption
includes additional storage for metadata and encryption. For example, removing 10MB of storage from a file does not
mean the file size is reduced by 10MB.
Some platform operations require you to wait 24-36 hours to confirm data size changes. Such operations include but
are not limited to upgrades to new versions and introduction of new workflows. Such operations require system
adjustments that might result in a momentary size increase report.

Freeing storage for Common Data Service


Use the following methods to free up storage for each of the capacity types.

STORAGE   METHOD

File      Method 3: Remove email attachments using Advanced Find
          Method 4: Remove email messages with attachments using a bulk deletion job
          Method 5: Remove notes with attachments using Advanced Find
          Method 6: Remove notes with attachments using a bulk deletion job

Log       Method 10: Delete audit logs
          Delete plug-in trace logs using a bulk deletion job

Database  Method 1: Delete bulk email and workflow environments using a bulk deletion job
          Method 2: Evaluate and delete suspended workflows
          Method 7: Remove bulk duplicate detection jobs and associated copies of duplicate records
          Method 8: Delete bulk import environments using a bulk deletion job
          Method 9: Delete bulk deletion job environments using a bulk deletion job
          Method 11: Remove unrequired entities and fields from Relevance Search

Reduce file storage


Method 3: Remove email attachments using Advanced Find

WARNING
If you delete this data, the attachments will no longer be available in customer engagement apps. However, if you have
them saved in Office Outlook, they will still be there.

1. Choose Advanced Find.
2. In the Look for list, select Email Messages.
3. In the search criteria area, add criteria similar to the following:
Attachments (Item)
File Size (Bytes) – Is Greater Than – In the text box, type a byte value, such as 1,048,576 (1MB in
binary).
4. Choose Results.
5. You will now have a list of email messages that have attachments that are larger than 'X' bytes. Review the
emails and delete the attachments as needed.

Method 4: Remove email messages with attachments using a bulk deletion job

WARNING
If you delete this data, the email messages and their associated attachments will no longer be available in customer
engagement apps. However, if you have them saved in Office Outlook, they will still be there.

1. Go to Settings > Data Management.
2. Choose Bulk Record Deletion, and then in the menu bar, choose New. This opens the Bulk Deletion
Wizard.
3. Choose Next.
4. In the Look for list, select Email Messages.
5. In the search criteria area, add criteria similar to the following:
Status Reason – Equals – Completed
Actual End – Older Than X Months – 1
Attachments (Item)
File Size (Bytes) – Is Greater Than – In the text box, type a byte value, such as 1,048,576 (1MB in
binary).
6. Group the first two criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With both rows selected, choose Group AND.
7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in customer
engagement apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want
the job to run.
11. If you want a notification e-mail sent, select the Send an email to me (email@domain.com) when
this job is finished check box.
12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.
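Because a submitted job deletes matching email messages together with all of their attachments, it is useful to evaluate the step 5 criteria against an export before creating the job. The following Python dry run is an added example, not part of the product: the record layout (`id`, `status_reason`, `actual_end`, `attachments`, `file_size`) and the sample records are constructed, and it assumes that "Older Than X Months" means earlier than the current time minus X calendar months and that the Attachments row matches when at least one attachment exceeds the size.

```python
import calendar
from datetime import datetime

MIN_ATTACHMENT_BYTES = 1_048_576  # 1 MB in binary, the sample value in step 5


def months_before(moment, months):
    """Shift `moment` back by whole calendar months, clamping the day."""
    year, month0 = divmod(moment.year * 12 + moment.month - 1 - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return moment.replace(year=year, month=month0 + 1,
                          day=min(moment.day, last_day))


def matches_criteria(email, now, older_than_months=1,
                     min_bytes=MIN_ATTACHMENT_BYTES):
    """Apply the step 5 criteria to one exported email record."""
    # Rows 1 and 2, grouped with AND in step 6.
    if email["status_reason"] != "Completed":
        return False
    if email["actual_end"] is None:
        return False
    if email["actual_end"] >= months_before(now, older_than_months):
        return False
    # Attachments row: at least one attachment strictly larger than the
    # threshold (assumed semantics of a related-record criterion).
    return any(a["file_size"] > min_bytes for a in email["attachments"])


def dry_run(emails, now, **criteria):
    """Return the ids the job would select and the attachment bytes they report."""
    selected = [e for e in emails if matches_criteria(e, now, **criteria)]
    return {
        "email_ids": [e["id"] for e in selected],
        # Every attachment of a selected email goes, not only the large ones.
        "attachment_count": sum(len(e["attachments"]) for e in selected),
        "reported_bytes": sum(a["file_size"]
                              for e in selected for a in e["attachments"]),
    }


# Constructed sample export (hypothetical field names and values).
SAMPLE_EMAILS = [
    {"id": "e1", "status_reason": "Completed", "actual_end": datetime(2020, 8, 1),
     "attachments": [{"file_size": 2_000_000}, {"file_size": 500}]},
    {"id": "e2", "status_reason": "Completed", "actual_end": datetime(2020, 10, 1),
     "attachments": [{"file_size": 5_000_000}]},   # too recent
    {"id": "e3", "status_reason": "Completed", "actual_end": datetime(2020, 7, 1),
     "attachments": [{"file_size": 1_048_576}]},   # not greater than the threshold
    {"id": "e4", "status_reason": "Draft", "actual_end": None,
     "attachments": [{"file_size": 3_000_000}]},   # wrong status reason
    {"id": "e5", "status_reason": "Completed", "actual_end": datetime(2020, 9, 15),
     "attachments": [{"file_size": 1_048_577}]},
]

if __name__ == "__main__":
    print(dry_run(SAMPLE_EMAILS, now=datetime(2020, 10, 16)))
```

The reported byte total is the size recorded on the attachments; as the note at the top of this topic says, storage consumed does not directly correspond to that size.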
Method 5: Remove notes with attachments using Advanced Find

WARNING
If you delete this data, notes and their associated attachments will no longer be available in customer engagement apps.

1. Choose Advanced Find.
2. In the Look for list, select Notes.
3. In the search criteria area, add criteria similar to the following:
File Size (Bytes) – Is Greater Than – In the text box, type a byte value, such as 1048576.
4. Choose Results.
5. You will now have a list of attachments that are larger than the size you specified.
6. Select one or more attachments, and then choose Delete (X).


Method 6: Remove notes with attachments using a bulk deletion job

WARNING
If you delete this data, notes and their associated attachments will no longer be available in customer engagement apps.

1. Go to Settings > Data Management.
2. Choose Bulk Record Deletion, and then in the menu bar, choose New. This opens the Bulk Deletion
Wizard.
3. Choose Next.
4. In the Look for list, select Notes.
5. In the search criteria area, add criteria similar to the following:
File Size (Bytes) – Is Greater Than – In the text box, type a byte value, such as 1048576.
Created On – Older Than X Months – 1
6. Group the two criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With both rows selected, choose Group AND.
7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in customer
engagement apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want
the job to run.
11. If you want a notification e-mail sent, select the Send an email to me (email@domain.com) when
this job is finished check box.
12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.

Reduce log storage


Method 10: Delete audit logs
When you enable auditing, customer engagement apps create audit logs to store the audit history of the records.
You can delete these audit logs to free space when they are no longer needed.

WARNING
When you delete an audit log, you can no longer view the audit history for the period covered by that audit log.

1. Go to Settings > Auditing.
2. In the Audit area, choose Audit Log Management.
3. Select the oldest audit log, then choose Delete Logs.
4. In the confirmation message, choose OK.

NOTE
You can only delete the oldest audit log in the system. To delete more than one audit log, repeat deleting the oldest
available audit log until you have deleted enough logs.

Reduce database storage


Method 1: Delete bulk email and workflow environments using a bulk deletion job

WARNING
If you delete this data, you will no longer be able to tell if an email was sent through bulk email or if a workflow rule ran
against a record. The emails that were sent and the actions that ran against the record in the workflow will remain.

1. Go to Settings > Data Management.
2. Choose Bulk Record Deletion. In the menu bar, choose New. This opens the Bulk Deletion Wizard.
3. Choose Next.
4. In the Look for list, select System Jobs.
5. In the search criteria area, add criteria similar to the following:
System Job Type – Equals – Bulk E-mail; Workflow
Status Reason – Equals – Succeeded
Completed On – Older Than X Months – 1
6. Group the three criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With all three rows selected, choose Group AND.
7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in customer
engagement apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want
the job to run.
11. If you want a notification e-mail sent, select the Send an e-mail to me (email@domain.com) when
this job is finished check box.
12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.
Method 2: Evaluate and delete suspended workflows
Sometimes workflows will enter a suspended state because there is a condition that will never be met or some
other reason that will not allow the workflow to continue.

WARNING
Some workflows will be in a suspended state because they are waiting for a condition that has not yet been met, which is
expected. For example, a workflow may be waiting for a task to be completed.

1. Choose Advanced Find.
2. In the Look for list, select System Jobs.
3. In the search criteria area, add criteria similar to the following:
System Job Type – Equals – Workflow
Status Reason – Equals – Waiting
4. Group the two criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With both rows selected, choose Group AND.
5. Choose Results.
6. In the results window, you can open each item to determine whether the workflow can be deleted.
Method 7: Remove bulk duplicate detection jobs and associated copies of duplicate records
Every time that a duplicate detection job runs, a copy of each duplicate record is stored in the database as part of
the duplicate detection job. For example, if you have 100 duplicate records, every time that you run a duplicate
detection job that finds these duplicates, whether it is manual or reoccurring, those 100 duplicate records will be
stored in the database under that environment of that duplicate job until the duplicates are merged or deleted, or
until the environment of that duplicate detection job is deleted.
1. Go to Settings > Data Management.
2. Choose Duplicate Detection Jobs.
3. Select the duplicate detection job environments you want to delete and then choose Delete (X).
To avoid wasting storage space, make sure duplicates are resolved promptly so that they are not reported
in multiple duplicate detection jobs.
Method 8: Delete bulk import environments using a bulk deletion job
Every time you perform a bulk import, there is a system job associated with that import. The system job details
show which records imported successfully and which records failed.

WARNING
After you delete these bulk import jobs, you will not be able to see what data was imported and you cannot roll back the
import.

1. Go to Settings > Data Management.
2. Choose Bulk Record Deletion, and then in the menu bar, choose New. This opens the Bulk Deletion
Wizard.
3. Choose Next.
4. In the Look for list, select System Jobs.
5. In the search criteria area, add criteria similar to the following:
System Job Type – Equals – Import
Status Reason – Equals – Succeeded
Completed On – Older Than X Months – 1
6. Group the three criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With all three rows selected, choose Group AND.
7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in customer
engagement apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want
the job to run.
11. If you want a notification e-mail sent, select the Send an email to me (email@domain.com) when
this job is finished check box.
12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.
Method 9: Delete bulk deletion job environments using a bulk deletion job
When you are bulk deleting data, such as in many of the methods described in this article, a bulk deletion system
job is created and can be deleted.

WARNING
After you delete these jobs, you will lose the history of the prior bulk deletion jobs that you've run.

1. Go to Settings > Data Management.
2. Choose Bulk Record Deletion, and then in the menu bar, choose New. This opens the Bulk Deletion
Wizard.
3. Choose Next.
4. In the Look for list, select System Jobs.
5. In the search criteria area, add criteria similar to the following:
System Job Type – Equals – Bulk Delete
Status Reason – Equals – Succeeded
Completed On – Older Than X Months – 1
NOTE
You could also delete jobs that have failed or been canceled.

6. Group the three criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With all three rows selected, choose Group AND.
7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in customer
engagement apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want
the job to run.
11. If you want a notification e-mail sent, select the Send an email to me (email@domain.com) when
this job is finished check box.
12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.
Method 11: Remove unrequired entities and fields from Relevance Search
Entities and entity fields enabled for Relevance Search have an impact on the database storage capacity.
To revise the list of entities selected for Relevance Search results, see Select entities for Relevance Search.
To revise the list of fields selected for each entity for Relevance Search results, see Configure searchable fields
for Relevance Search.

Free up storage used by flow approvals


See Delete approval history from Power Automate.
See also
Common Data Service storage capacity
Overview
10/16/2020

You can now install, configure, and manage Dynamics 365 apps in the Power Platform admin center.
Apps refer to model-driven applications in Dynamics 365, Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, and Dynamics 365 Marketing as well as apps purchased from Microsoft AppSource
requiring any of these Dynamics 365 licenses.
You can manage apps from either the tenant level or the environment level.
See the following topics:
Manage Dynamics 365 apps
Manage Power Apps
Manage Power Automate flows
Portal administration with Power Platform admin center
Manage Dynamics 365 apps
10/16/2020

You can now use the Power Platform admin center to install, configure, and manage Dynamics 365 apps built on
Common Data Service.
Apps in this topic refer to Dynamics 365 apps such as Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, and Dynamics 365 Marketing as well as apps purchased from Microsoft AppSource
requiring any of these Dynamics 365 licenses.
You can manage apps from either the tenant level or the environment level.

Tenant-level view of apps


App management in the Applications tab of the Dynamics 365 admin center is now done from the tenant-level
view of apps in the Power Platform admin center. Follow these steps to see a list of all licensed Dynamics 365 apps
for your tenant.

LEGACY APP MANAGEMENT   NEW APP MANAGEMENT

Follow these steps to see a list of all licensed applications for your tenant.
1. Sign in to the Power Platform admin center.
2. Select Resources > Dynamics 365 apps from the left-side menu.
You'll see a list of Dynamics 365 apps that are installed, or available to install or configure, for the signed-in user. An
admin will see all installed or available to install apps.
Duplicate items will appear under Name if you have the same app license applied to multiple
environments.
Note the following under Status:
Enabled: This app is ready to be installed in your environments.
Configured: This app has been configured to an environment. It can be reconfigured to a different
environment, or its configuration for the current environment can be updated.
Not configured: This app is ready to be configured to an environment.
3. From the top menu bar, depending on the status of the app, you can do the following:
Manage: Select to go to a page where you can manage your app.
Details: See information about the app such as the publisher.
Install app: Install certain applications to the selected environment for which you have permissions.
Once an environment is selected, you'll see a list of packages to be installed.
4. If your tenant is multigeo, you can change the locale with the region selector.

Environment-level view of apps


In addition to the environment level, solution management can also be done from the environment-level view in
the Power Platform admin center.
LEGACY APP MANAGEMENT   NEW APP MANAGEMENT

Follow these steps to see a list of all the licensed applications you installed for your environment.
1. Sign in to the Power Platform admin center.
2. Select Environments and then select an environment.
3. Under Resources, select Dynamics 365 apps.
You'll see a list of Dynamics 365 apps installed by you in the selected environment.

4. Select an app. From the top menu bar, depending on the status of the app, you can do the following:
Install app: Admins can install certain applications to the selected environment for which they have
permission. Once an environment is selected, you'll see a list of packages to be installed.
Open AppSource: Select to install an app from AppSource.
Update: Appears if an update is available. Select to update the package.
Details: See information about the app such as the publisher.
If you have failed installations, see Troubleshooting failed installations.

Install an app
The process to install an app depends on your view.
Install an app in the tenant view
1. From the tenant-level view of apps, select an Enabled app, and then select Install from the top menu bar.
2. Select an environment, review the packages to be installed, agree to the terms of service, and then select
Install.

You'll navigate to the environment-level view where you can see the installation status.

Install an app in the environment view


1. From the environment-level view of apps, select an environment, under Resources select Dynamics 365
apps, and then select Install app.
2. Select an Enabled app, and then select Next.
3. Agree to the terms of service, and then select Install.

Troubleshooting a failed installation


If the app installation has failed, select Installation failed from the environment-level view and review the
troubleshooting details.
If it's necessary to contact Support, be sure to provide the details listed on the Error details page.

FAQ
Don't see your environment?
The number of environments admins see in the Select an environment drop-down list will be less than or equal
to the number of environments displayed on the Environments page in the Power Platform admin center. Check
that no filter is applied on the Environments page.
Filters are applied to the Select an environment drop-down list as follows:
1. Filtered based on the geographic region (Geo picker); selected by the admin in the tenant-level view.
2. Filtered with environments that only have a database.
3. Filtered with environments that are only in a ready state.
Manage Power Apps
10/16/2020

If you're an Environment Admin, Global admin, or Power Platform admin, you can manage the apps created in your
organization.
Admins can do the following from the Power Platform admin center:
Add or change the users with whom an app is shared
Delete apps not currently in use

Prerequisites
Either a Power Apps plan or Power Automate plan. Alternatively, you can sign up for a free Power Apps trial.
Power Apps Environment Admin, Global admin, or Power Platform admin permissions. For more
information, see Environments administration in Power Apps.

Manage Power Apps


1. Sign in to the Power Platform admin center.
2. In the navigation pane, select Environments, select an environment with resources, and then select the
Power Apps resource.

3. Select an app to manage.


4. Select your desired action.
Manage Power Automate flows
10/16/2020

If you're an Environment Admin, Global admin, or Power Platform admin, you can manage the flows created in
your organization.
Admins can do the following from the Power Platform admin center:
View flow details, connections, and owners
Share the flow with others
Disable the flow
Delete the flow

Prerequisites
Either a Power Apps plan or Power Automate plan. Alternatively, you can sign up for a free Power Apps trial.
Power Apps Environment Admin, Global admin, or Power Platform admin permissions. For more
information, see Environments administration in Power Apps.

Manage Power Automate flows


1. Sign in to the Power Platform admin center.
2. In the navigation pane, select Environments, select an environment with resources, and then select the
Power Automate (Flows) resource.

3. Select a flow to manage.


4. Select your desired action.

Action | Description
Details | View details, connections, and owners
Share | Share the flow with others
Disable | Disable the flow
Delete | Delete the flow


Power Apps activity logging
10/16/2020

Power Apps activities are now tracked from the Microsoft 365 Security & Compliance Center.
Follow these steps.
1. Sign in to the Security & Compliance Center as a tenant admin.
2. Select Search > Audit log search.

Within the Audit log search screen, Power Platform admins can search audit logs across many popular services
including eDiscovery, Exchange, Power BI, Azure AD, Microsoft Teams, customer engagement apps (Dynamics 365
Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation), and Microsoft Power Apps.
Once the Audit log search screen is accessed, an administrator can filter for specific activities by pulling down the
Activities dropdown. By scrolling down the list, a section dedicated to Microsoft Power Apps activities can be
found.

What events are audited


Logging takes place at the SDK layer which means a single action can trigger multiple events that are logged. The
following are a sample of user events you can audit.
Event | Description
Created app | When the app gets created for the first time by a maker
Launched app | When the app gets launched
Marked app as Featured | Every time the app is marked as Featured
Restored app version | The version of the app when restored
Edited app | Any updates made to the app by the maker
Published app | When the app is published and is now made available to others in the environment
Edited app permission | Every time a user's permissions to the app is changed
Deleted app | When the app is deleted
Marked app as Hero | Every time the app is marked as Hero
Deleted app permission | Every time a user's permissions to the app is removed

Base schema
Schemas define which Power Apps fields are sent to the Microsoft 365 Security and Compliance Center. Some
fields are common to all applications that send audit data to Microsoft 365, while others are specific to Power Apps.
The Base schema contains the common fields.

Field name | Type | Mandatory | Description
Date | Edm.Date | No | Date and time of when the log was generated in UTC
App Name | Edm.String | No | Unique Identifier of the PowerApp
Id | Edm.Guid | No | Unique GUID for every row logged
Result Status | Edm.String | No | Status of the row logged. Success in most cases.
Organization Id | Edm.Guid | Yes | Unique identifier of the organization from which the log was generated.
CreationTime | Edm.Date | No | Date and time of when the log was generated in UTC
Operation | Edm.Date | No | Name of operation
UserKey | Edm.String | No | Unique Identifier of the User in Azure AD
UserType | Self.UserType | No | The audit type (Admin, Regular, System)
Additional Info | Edm.String | No | Additional information if any (e.g. the environment name)

Review your audit data using reports in Microsoft 365 Security and Compliance Center
You can review your audit data in the Microsoft 365 Security and Compliance Center. See Search the audit log for
user and admin activity.
To use the preconfigured Power Apps reports, go to https://protection.office.com > Search & investigation >
Audit log search and select the Power Apps app activities tab.

See also
Search the audit log for user and admin activity
Office 365 Management APIs overview
Permissions in the Security & Compliance Center
Data loss prevention activity logging
10/16/2020

Data Loss Protection (DLP) policy activities are now tracked from the Microsoft 365 Security & Compliance Center.
Follow these steps.
1. Sign in to the Security & Compliance Center as a tenant admin.
2. Select Search > Audit log search.
3. Under Search > Activities, enter "dlp". You'll see a list of activities for Power Platform DLP.

4. Select an activity, click outside the search window to close it, and then select Search.
Within the Audit log search screen, Power Platform admins can search audit logs across many popular services
including eDiscovery, Exchange, Power BI, Azure AD, Microsoft Teams, customer engagement apps (Dynamics 365
Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation), and Power Platform.
Once the Audit log search screen is accessed, an administrator can filter for specific activities by pulling down the
Activities dropdown. By scrolling down the list, a section dedicated to Microsoft Power Platform activities can be
found.

What DLP events are audited


The following are the user actions you can audit:

Event | Description
Created DLP Policy | When a new DLP policy is created
Updated DLP Policy | When an existing DLP policy is updated
Deleted DLP Policy | When a DLP policy is deleted


Base schema for DLP audit events
Schemas define which fields are sent to the Microsoft 365 Security and Compliance Center. Some fields are
common to all applications that send audit data to Microsoft 365, while others are specific to DLP policies. In the
below table, Name and Additional Info are the DLP policy specific columns.

Field name | Type | Mandatory | Description
Date | Edm.Date | No | Date and time of when the log was generated in UTC
App Name | Edm.String | No | Unique Identifier of the PowerApp
Id | Edm.Guid | No | Unique GUID for every row logged
Result Status | Edm.String | No | Status of the row logged. Success in most cases.
Organization Id | Edm.Guid | Yes | Unique identifier of the organization from which the log was generated.
CreationTime | Edm.Date | No | Date and time of when the log was generated in UTC
Operation | Edm.Date | No | Name of operation
UserKey | Edm.String | No | Unique Identifier of the User in Azure AD
UserType | Self.UserType | No | The audit type (Admin, Regular, System)
Additional Info | Edm.String | No | Additional information if any (e.g. the environment name)

Additional Info
The Additional Info field is a JSON object that contains operation-specific properties. For a DLP policy operation, it
contains the following properties:

Field name | Type | Mandatory | Description
PolicyId | Edm.Guid | Yes | Unique identifier of the policy (GUID)
PolicyType | Edm.String | Yes | Policy type. Allowed values are AllEnvironments, SingleEnvironment, OnlyEnvironments, ExceptEnvironments
DefaultConnectorClassification | Edm.String | Yes | Default connector classification. Allowed values are General, Blocked, Confidential
EnvironmentName | Edm.String | No | Name (GUID) of the environment. Only present for SingleEnvironment policies.
ChangeSet | Edm.String | No | Changes made to the policy. Only present for “Update” operations.

Here’s what the Additional Info JSON might look like for a “Create” or “Delete” event:

{
    "policyId": "eb1e0480-0fe9-434e-9ad8-df4047a666ec",
    "policyType": "SingleEnvironment",
    "defaultConnectorClassification": "General",
    "environmentName": "8a11a4a6-d8a4-4c47-96d7-3c2a60efe2f5"
}

Here’s what the Additional Info JSON might look like for an “Update” operation that:
Changes the policy name from “oldPolicyName” to “newPolicyName”
Changes the default classification from “General” to “Confidential”
Changes the policy type from “OnlyEnvironments” to “ExceptEnvironments”
Moves the Azure Blob Storage connector from the General to the Confidential bucket
Moves the Bing Maps connector from the General to the Blocked bucket
Moves the Azure Automation connector from the Confidential to the Blocked bucket
{
    "policyId": "eb1e0480-0fe9-434e-9ad8-df4047a666ec",
    "policyType": "ExceptEnvironments",
    "defaultConnectorClassification": "Confidential",
    "changeSet": {
        "changedProperties": [
            {
                "name": "ApiPolicyName",
                "previousValue": "oldPolicyName",
                "currentValue": "newPolicyName"
            },
            {
                "name": "DefaultConnectorClassification",
                "previousValue": "General",
                "currentValue": "Confidential"
            },
            {
                "name": "DlpPolicyType",
                "previousValue": "OnlyEnvironments",
                "currentValue": "ExceptEnvironments"
            }
        ],
        "connectorChanges": [
            {
                "name": "Azure Blob Storage",
                "id": "/providers/Microsoft.PowerApps/apis/shared_azureblob",
                "previousValue": {
                    "classification": "General"
                },
                "currentValue": {
                    "classification": "Confidential"
                }
            },
            {
                "name": "Bing Maps",
                "id": "/providers/Microsoft.PowerApps/apis/shared_bingmaps",
                "previousValue": {
                    "classification": "General"
                },
                "currentValue": {
                    "classification": "Blocked"
                }
            },
            {
                "name": "Azure Automation",
                "id": "/providers/Microsoft.PowerApps/apis/shared_azureautomation",
                "previousValue": {
                    "classification": "Confidential"
                },
                "currentValue": {
                    "classification": "Blocked"
                }
            }
        ]
    }
}
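One way to triage these events once they are exported, as an added example that is not part of the original documentation: the Python below walks changedProperties and connectorChanges in an Additional Info object and labels each change. The effect labels, the needs_review rule and the second sample event are assumptions of this example; the first sample is the "Update" JSON shown above, compacted.

```python
import json

BLOCKED = "Blocked"  # classification value listed in the Additional Info table

# Additional Info from the page's "Update" example, compacted.
PAGE_UPDATE_EVENT = """
{"policyId": "eb1e0480-0fe9-434e-9ad8-df4047a666ec",
 "policyType": "ExceptEnvironments",
 "defaultConnectorClassification": "Confidential",
 "changeSet": {
  "changedProperties": [
   {"name": "ApiPolicyName", "previousValue": "oldPolicyName", "currentValue": "newPolicyName"},
   {"name": "DefaultConnectorClassification", "previousValue": "General", "currentValue": "Confidential"},
   {"name": "DlpPolicyType", "previousValue": "OnlyEnvironments", "currentValue": "ExceptEnvironments"}],
  "connectorChanges": [
   {"name": "Azure Blob Storage", "id": "/providers/Microsoft.PowerApps/apis/shared_azureblob",
    "previousValue": {"classification": "General"}, "currentValue": {"classification": "Confidential"}},
   {"name": "Bing Maps", "id": "/providers/Microsoft.PowerApps/apis/shared_bingmaps",
    "previousValue": {"classification": "General"}, "currentValue": {"classification": "Blocked"}},
   {"name": "Azure Automation", "id": "/providers/Microsoft.PowerApps/apis/shared_azureautomation",
    "previousValue": {"classification": "Confidential"}, "currentValue": {"classification": "Blocked"}}]}}
"""

# Constructed event (not from the page): the Bing Maps connector leaves the Blocked bucket.
CONSTRUCTED_UNBLOCK_EVENT = """
{"policyId": "00000000-0000-0000-0000-000000000001",
 "policyType": "AllEnvironments",
 "defaultConnectorClassification": "General",
 "changeSet": {"changedProperties": [], "connectorChanges": [
   {"name": "Bing Maps", "id": "/providers/Microsoft.PowerApps/apis/shared_bingmaps",
    "previousValue": {"classification": "Blocked"}, "currentValue": {"classification": "General"}}]}}
"""


def classification_effect(previous, current):
    """Describe a move between the General, Confidential and Blocked buckets."""
    if previous == current:
        return "unchanged"
    if previous == BLOCKED:
        return "unblocked"
    if current == BLOCKED:
        return "blocked"
    return "regrouped"


def review_dlp_update(raw):
    """Return one finding per change recorded in a DLP audit event's Additional Info."""
    info = json.loads(raw) if isinstance(raw, str) else raw
    if not isinstance(info, dict) or "policyId" not in info:
        raise ValueError("not a DLP Additional Info object")
    change_set = info.get("changeSet") or {}  # absent on Create and Delete events
    if isinstance(change_set, str):  # assumption: tolerate ChangeSet delivered as JSON text
        change_set = json.loads(change_set)
    findings = []
    for prop in change_set.get("changedProperties", []):
        prev, cur = prop.get("previousValue"), prop.get("currentValue")
        if prop.get("name") == "DefaultConnectorClassification":
            effect = classification_effect(prev, cur)
        elif prop.get("name") == "DlpPolicyType":
            effect = "scope-change"  # the set of covered environments changed
        else:
            effect = "changed"
        findings.append({"policyId": info["policyId"], "target": prop.get("name"),
                         "previous": prev, "current": cur, "effect": effect})
    for conn in change_set.get("connectorChanges", []):
        prev = (conn.get("previousValue") or {}).get("classification")
        cur = (conn.get("currentValue") or {}).get("classification")
        findings.append({"policyId": info["policyId"],
                         "target": conn.get("id") or conn.get("name"),
                         "previous": prev, "current": cur,
                         "effect": classification_effect(prev, cur)})
    return findings


def needs_review(findings):
    """This example's triage rule: unblocked connectors and scope changes get a second look."""
    return [f for f in findings if f["effect"] in ("unblocked", "scope-change")]


if __name__ == "__main__":
    for event in (PAGE_UPDATE_EVENT, CONSTRUCTED_UNBLOCK_EVENT):
        for finding in needs_review(review_dlp_update(event)):
            print(finding["effect"], finding["target"],
                  finding["previous"], "->", finding["current"])
```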

See also
Data loss prevention policies
Audit data and user activity for security and compliance
10/16/2020

The auditing feature logs changes that are made to customer records and user access so you can review the
activity later. The auditing feature is designed to meet the auditing, compliance, security, and governance policies of
many regulated enterprises.
The audit logs help the administrator answer questions such as:
Which user was accessing the system and when?
Who updated this field value on this record and when?
What was the previous field value before it was updated?
What actions has this user taken recently?
Who deleted this record?
What locale was used to make the update?
The following operations can be audited:
Create, update, deactivate, and delete operations on records.
Changes to the sharing privileges of a record.
The N:N association or disassociation of records.
Changes to security roles.
Audit changes at the entity, attribute, and organization level. For example, enabling audit on an entity.
Deletion of audit logs.
For changes made to entity fields that can be localized, such as the Product entity name or description fields,
the locale ID (LCID) appears in the audit record.
System administrators and customizers can start or stop auditing for an organization.

IMPORTANT
For Customer Engagement (on-premises), you may notice that auditing can significantly increase the size of the organization
database over time. You can delete audit logs by going to Settings > Auditing > Audit Log Management. Additionally,
you may want to stop auditing for maintenance purposes. Stopping auditing stops tracking for the organization during the
period until auditing is started again. When you start auditing again, the same auditing selection is maintained that was
previously used.

Start/stop auditing and set retention policy


This task requires the system administrator or customizer security role or equivalent permissions.
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > expand Audit and logs > Audit settings.

Setting | Description
Start Auditing | Start or stop auditing.
Log access | Log whenever the system is accessed, generally by signing in
Read logs | Logs will be sent to the Microsoft 365 Security and Compliance Center

3. You can set a retention period for how long audit logs are kept in a Common Data Service environment.
Under Retain these logs for, choose the period of time you wish to retain the logs.

Setting | Description
Set the retention policy for these logs | Default: 30 days.
Set a custom retention policy | Maximum: 100,000 days

When new features are deployed, the audit retention period is set to Forever for all Common Data Service
environments with existing audit data. The default audit retention period is 30 days for new environments
and existing environments without any audit data. You can also change the audit retention value using the
Common Data Service Web API.
Each audit log is stamped with the currently active retention period. Changing the retention period will not
change already existing audit logs and is only applied to newly created audit logs.
4. Select Save.

Set specific areas of the product to audit


1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > expand Audit and logs > Legacy audit settings.
3. Select the entities you want to track. To start or stop auditing on specific entities, select or clear the
following check boxes:
Common Entities. Tracks common entities like Account, Contact, Goal, Product, and User.
Sales Entities. Tracks sales-related entities like Competitor, Opportunity, Invoice, Order, and Quote.
Marketing Entities. Tracks Campaign entity activity.
Customer Service Entities. Tracks Case, Contract, Queue, and Service entity activity.
4. Select OK.

View audit logging details


System administrators can see activity for the entities that are enabled for audit logging.
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > expand Audit and logs > Audit Summary View.
3. In the Audit Summary View, you can do the following:
Select Enable/Disable Filters to turn on filtering. Then, you can filter on a specific event, such as
Delete actions.
Choose an event to view specific details about the activity, such as field changes that were made during
an update to a record and who performed the update.
Select the Refresh button to view the most recent activity.

IMPORTANT
Large attribute values, such as Email.description or Annotation, are limited (capped) at 5KB or ~5,000 characters. A capped
attribute value can be recognized by three dots at the end of the text, for example, “lorem ipsum, lorem ip…”.

Enable or disable entities and fields for auditing


System administrators or customizers can change the default audit settings for entities and for specific fields for an
entity.
Enable or disable auditing for an entity
1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > expand Audit and logs > Entity and Field Audit
Settings.
3. Under Components, expand Entities.
4. Select the entity for which you want to enable or disable auditing.
5. To start auditing, on the General tab, in the Data Services section, select the Auditing check box to
enable auditing, or clear the Auditing check box to disable it.
By default, when you start or stop auditing for an entity, you also start or stop auditing for all the fields of
this entity.
6. Select Save.
7. Publish the customization. To publish for a single entity, choose the entity, such as Account, and then select
Publish on the toolbar.
Enable or disable auditing for specific fields on an entity
1. Under the entity for which you want to enable or disable auditing with specific fields, select Fields.
2. To enable or disable a single field, open the field and in the Auditing section, select Enable or Disable.
To enable or disable more than one field, select the fields you want, and then on the toolbar select Edit. In
the Edit Multiple Fields dialog box, in the Auditing area, select Enabled or Disabled.
3. Select Save.
4. Publish the customization. To publish for a single entity, choose the entity, such as Account, and then select
Publish on the Actions toolbar.
Common Data Service and model-driven apps activity logging
10/16/2020

Protecting data, preserving privacy, and complying with regulations such as the General Data Protection Regulation
are certainly some of the highest priorities for your business. It's critical that you audit the entirety of data
processing actions taking place to be able to analyze for possible security breaches. This information from Activity
Logging can be used when you perform a Data Protection Impact Assessment (DPIA) addressing the use of Office,
Power Apps, Microsoft Power Automate, and customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation).
This topic covers how you can set customer engagement apps to audit a broad range of data processing activities
and use the Microsoft 365 Security and Compliance Center to review the data in activity reports.

Requirements
A Microsoft 365 Enterprise E3 or E5 subscription is required to do Activity Logging.
Available for production and not sandbox environments.

What events are audited


Logging takes place at the SDK layer which means a single action can trigger multiple events that are logged. The
following are a sample of admin and user events you can audit.
Admin-related events
Event | Description
Publishing customizations | An admin publishes a new customization which overrides a change done by the previous one. The action requires auditing for analysis.
Attribute deletes | Admin accidentally deletes an attribute. This action also deletes the data.
Team, user management | Who was added, who was deleted, what access rights a user/team had is important for analyzing impact.
Configure instance | Adding solutions to an instance.
Backup and restore | Backup and restore actions at the tenant.
Manage applications | New instance added, existing instance deleted, trials converted to paid, etc.

User and support-related events


Event | Description
Create, read, update, delete (CRUD) | Logging all CRUD activities essential for understanding the impact of a problem and being compliant with data protection impact assessments (DPIA).
Multiple record view | Users of Dynamics view information in bulk, like grid views, Advanced Find search, etc. Critical customer content information is part of these views.
Export to Excel | Exporting data to Excel moves the data outside of the secure environment and is vulnerable to threats.
SDK calls via surround or custom apps | Actions taken via the core platform or surround apps calling into the SDK to perform an action needs to be logged.
All support CRUD activities | Microsoft support engineer activities on customer environment.
Admin activities | Admin activities on customer tenant.
Backend commands | Microsoft support engineer activities on customer tenant and environment.
Report Viewed | Logging when a report is viewed. Critical customer content information might be displayed on the report.
Report Viewer Export | Exporting a report to different formats moves the data outside of the secure environment and is vulnerable to threats.
Report Viewer Render Image | Logging multimedia assets that are shown when a report is displayed. They might contain critical customer information.

Base schema
Schemas define which fields are sent to the Microsoft 365 Security and Compliance Center. Some fields are
common to all applications that send audit data to Microsoft 365, while others are specific to customer
engagement apps. The Base schema contains the common fields.

Field name | Type | Mandatory | Description
Date | Edm.Date | No | Date and time of when the log was generated in UTC
IP address | Edm.String | No | IP address of the user or corporate gateway
Id | Edm.Guid | No | Unique GUID for every row logged
Result Status | Edm.String | No | Status of the row logged. Success in most cases
Organization Id | Edm.Guid | Yes | Unique identifier of the organization from which the log was generated. You can find this ID under Dynamics Developer Resources.
ClientIP | Edm.String | No | IP Address of the user or corporate gateway
CorrelationId | Edm.Guid | No | A unique value used to associate related rows (e.g., when a large row is split)
CreationTime | Edm.Date | No | Date and time of when the log was generated in UTC
Operation | Edm.Date | No | Name of the message called in the SDK
UserKey | Edm.String | No | Unique Identifier of the User in AAD. AKA User PUID
UserType | Self.UserType | No | The Microsoft 365 audit type (Admin, Regular, System)
User | Edm.String | No | UPN of the user

Customer engagement apps schema


The customer engagement apps schema contains fields specific to customer engagement apps and partner teams.

Field name | Type | Mandatory | Description
User Id | Edm.String | No | Unique identifier of the user GUID in the organization
Crm Organization Unique Name | Edm.String | No | Unique name of the organization
Instance Url | Edm.String | No | URL to the instance
Item Url | Edm.String | No | URL to the record emitting the log
Item Type | Edm.String | No | Name of the entity
Message | Edm.String | No | Name of the message called in the SDK
User Agent | Edm.String | No | Unique identifier of the user GUID in the organization
EntityId | Edm.Guid | No | Unique identifier of the entity
EntityName | Edm.String | No | Name of the entity in the organization
Fields | Edm.String | No | JSON of Key Value pair reflecting the values that were created or updated
Id | Edm.String | No | Entity name in customer engagement apps
Query | Edm.String | No | The Filter query parameters used while executing the FetchXML
QueryResults | Edm.String | No | One or multiple unique records returned by the Retrieve and Retrieve Multiple SDK message call
ServiceContextId | Edm.Guid | No | The unique id associated with service context
ServiceContextIdType | Edm.String | No | Application defined token to define context use
ServiceName | Edm.String | No | Name of the Service generating the log
SystemUserId | Edm.Guid | No | Unique identifier of the user GUID in the organization
UserAgent | Edm.Guid | No | Browser used to execute the request
UserId | Edm.Guid | No | The unique id of the Dynamics system user associated with this activity
UserUpn | Edm.String | No | User principal name of the user associated with this activity

Enable auditing
1. Choose Settings > Administration > System Settings > Auditing tab.
2. Under Audit Settings, enable the following check boxes:
Start Auditing
Audit user access
Start Read Auditing (Note: this only appears if you enable Start Auditing.)
3. Under Enable Auditing in the following areas, enable the check boxes for the areas you want to audit
and then choose OK.

4. Go to Settings > Customizations > Customize the System.

5. Under Components, expand Entities and select an entity to audit, such as Account.
6. Scroll down and under Data Services enable Auditing.
7. Under Auditing, enable the following check boxes:
Single record auditing. Log a record when opened.
Multiple record auditing. Log all records displayed on an opened page.

8. Choose Save.
9. Choose Publish to publish the customization.
10. Repeat steps 5 - 9 for other entities you want to audit.
11. Turn on audit logging in Microsoft 365. See Turn audit log search on or off.

Review your audit data using reports in Microsoft 365 Security and Compliance Center
You can review your audit data in the Microsoft 365 Security and Compliance Center. See Search the audit log for
user and admin activity.
To use the preconfigured reports, go to https://protection.office.com > Search & investigation > Audit log
search and select the Dynamics 365 activities tab.

The following are the preconfigured reports:

Accessed out-of-box entity
Accessed custom entity
Accessed admin entity
Performed bulk actions (such as delete and import)
Accessed other entity type
Accessed Power Platform admin center
Accessed internal management tool
Signed in or out
Activated process or plug-in

Create reports
You can create your own reports to review your audit data. See Search the audit log in the Security & Compliance
Center.
What's logged
For a list of what's logged with Activity Logging, see Microsoft.Crm.Sdk.Messages Namespace.
We log all SDK messages except the following:
WhoAmI
RetrieveFilteredForms
TriggerServiceEndpointCheck
QueryExpressionToFetchXml
FetchXmlToQueryExpression
FireNotificationEvent
RetrieveMetadataChanges
RetrieveEntityChanges
RetrieveProvisionedLanguagePackVersion
RetrieveInstalledLanguagePackVersion
RetrieveProvisionedLanguages
RetrieveAvailableLanguages
RetrieveDeprovisionedLanguages
RetrieveInstalledLanguagePacks
GetAllTimeZonesWithDisplayName
GetTimeZoneCodeByLocalizedName
IsReportingDataConnectorInstalled
LocalTimeFromUtcTime
IsBackOfficeInstalled
FormatAddress
IsSupportUserRole
IsComponentCustomizable
ConfigureReportingDataConnector
CheckClientCompatibility
RetrieveAttribute

How we categorize read and readmultiple


We use the prefix to categorize.

If the request starts with: | We characterize as:
RetrieveMultiple | ReadMultiple
ExportToExcel | ReadMultiple
RollUp | ReadMultiple
RetrieveEntitiesForAggregateQuery | ReadMultiple
RetrieveRecordWall | ReadMultiple
RetrievePersonalWall | ReadMultiple
ExecuteFetch | ReadMultiple
Retrieve | Read
Search | Read
Get | Read
Export | Read

Example generated logs


The following are some examples of logs created with Activity Logging.
Example 1 – Logs generated when user reads an Account record
Schema name | Value
ID | 50e01c88-2e43-4005-8be8-9ceb172e2e90
UserKey | 10033XXXA49AXXXX
ClientIP | 131.107.XXX.XX
Operation | Retrieve
Date | 3/2/2018 11:25:56 PM
EntityId | 0a0d8709-711e-e811-a952-000d3a732d76
EntityName | Account
Query | N/A
QueryResults | N/A
ItemURL | https://orgname.onmicrosoft.com/main.aspx?etn=account&pagetype=entityrecord&id=0a0d8709-711e-e811-a952-000d3a732d76

Example 2 – Logs generated when user sees Account records in a Grid (Export to Microsoft Excel logs are like
this)
Schema name | Value
ID | ef83f463-b92f-455e-97a6-2060a47efe33
UserKey | 10033XXXA49AXXXX
ClientIP | 131.107.XXX.XX
Operation | RetrieveMultiple
Date | 3/2/2018 11:25:56 PM
EntityId | N/A
EntityName | Account
Query | <filter type="and"><condition column="ownerid" operator="eq-userid" /><condition column="statecode" operator="eq" value="0" /></filter>
QueryResults | 0a0d8709-711e-e811-a952-000d3a732d76, dc136b61-6c1e-e811-a952-000d3a732d76
ItemURL | N/A

Example 3 – List of messages logged when user converts a lead to opportunity


ID | Entity ID | Entity name | Operation
53c98033-cca4-4420-97e4-4c1b4f81e062 | 23ad069e-4d22-e811-a953-000d3a732d76 | Contact | Create
5aca837c-a1f5-4801-b770-5c66183a58aa | 25ad069e-4d22-e811-a953-000d3a732d76 | Opportunity | Create
c9585748-fdbf-4ff7-970c-bb37f6aa2c36 | 25ad069e-4d22-e811-a953-000d3a732d76 | Opportunity | Update
a0469f30-078b-419d-be61-b04c9a34121f | 1cad069e-4d22-e811-a953-000d3a732d76 | Lead | Update
0975bceb-07c7-4dc2-b621-5a7b245c36a4 | 1cad069e-4d22-e811-a953-000d3a732d76 | Lead | Update

Additional considerations
When audit log search in the Microsoft 365 Security and Compliance Center is turned on, user and admin activity
from your organization is recorded in the audit log and retained for 90 days. However, your organization might not
want to record and retain audit log data. Or you might be using a third-party security information and event
management (SIEM) application to access your auditing data. In those cases, a global admin can turn off audit log
search in Microsoft 365.

Known issues
Office has a 3KB limit for each audit record. Therefore, in some cases a single record from customer
engagement apps needs to be split into multiple records in Office. The CorrelationId field can be used to retrieve
the set of split records for a given source record. Operations that are likely to require splitting include
RetrieveMultiple and ExportToExcel.
Some operations need additional processing to retrieve all relevant data. For example, RetrieveMultiple and
ExportToExcel are processed to extract the list of records that are retrieved or exported. However, not all relevant
operations are yet processed. For example, ExportToWord is currently logged as single operation with no
additional details about what was exported.
In future releases, logging will be disabled for operations that are determined to not be useful based on a review of
the logs. For example, some operations result from automated system activity, not user activity.
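The prefix table under "How we categorize read and readmultiple" and the CorrelationId note under "Known issues" combine into one analysis step, shown here as an added example that is not part of the original documentation: classify each operation by prefix, regroup split rows by CorrelationId, and count the distinct records each user pulled through ReadMultiple operations. The row layout (each split row repeating the CorrelationId and carrying part of QueryResults), the fallback to Id when CorrelationId is empty, and all sample values are assumptions constructed for this example.

```python
from collections import defaultdict

# Prefix table from the page, tested top to bottom. Order matters: "RetrieveMultiple"
# has to be tried before "Retrieve", and "ExportToExcel" before "Export".
PREFIX_CATEGORIES = [
    ("RetrieveMultiple", "ReadMultiple"),
    ("ExportToExcel", "ReadMultiple"),
    ("RollUp", "ReadMultiple"),
    ("RetrieveEntitiesForAggregateQuery", "ReadMultiple"),
    ("RetrieveRecordWall", "ReadMultiple"),
    ("RetrievePersonalWall", "ReadMultiple"),
    ("ExecuteFetch", "ReadMultiple"),
    ("Retrieve", "Read"),
    ("Search", "Read"),
    ("Get", "Read"),
    ("Export", "Read"),
]

# Constructed rows (not real audit data). corr-A is one export split across two rows.
SAMPLE_ROWS = [
    {"Id": "row-1", "CorrelationId": "corr-A", "UserKey": "user-1", "Operation": "ExportToExcel",
     "EntityName": "Account", "QueryResults": "acct-001, acct-002, acct-003"},
    {"Id": "row-2", "CorrelationId": "corr-A", "UserKey": "user-1", "Operation": "ExportToExcel",
     "EntityName": "Account", "QueryResults": "acct-004, acct-005"},
    {"Id": "row-3", "CorrelationId": "corr-B", "UserKey": "user-1", "Operation": "RetrieveMultiple",
     "EntityName": "Account", "QueryResults": "acct-001, acct-006"},
    {"Id": "row-4", "CorrelationId": None, "UserKey": "user-2", "Operation": "Retrieve",
     "EntityName": "Account", "QueryResults": "N/A"},
]


def categorize(operation):
    """Return "ReadMultiple", "Read", or None for operations outside the table."""
    for prefix, category in PREFIX_CATEGORIES:
        if operation.startswith(prefix):
            return category
    return None


def split_ids(query_results):
    """QueryResults holds a comma-separated list of record ids, or "N/A"."""
    if not query_results or query_results == "N/A":
        return []
    return [part.strip() for part in query_results.split(",") if part.strip()]


def merge_split_rows(rows):
    """Rebuild one logical event per CorrelationId from rows split by the 3KB limit."""
    merged = {}
    for row in rows:
        key = row.get("CorrelationId") or row["Id"]  # assumption: unsplit rows may lack it
        event = merged.setdefault(key, {"UserKey": row["UserKey"],
                                        "Operation": row["Operation"],
                                        "EntityName": row.get("EntityName"),
                                        "RecordIds": [], "Rows": 0})
        event["Rows"] += 1
        for record_id in split_ids(row.get("QueryResults")):
            if record_id not in event["RecordIds"]:
                event["RecordIds"].append(record_id)
    return merged


def bulk_read_totals(rows):
    """Distinct records each user pulled through ReadMultiple operations."""
    seen = defaultdict(set)
    for event in merge_split_rows(rows).values():
        if categorize(event["Operation"]) == "ReadMultiple":
            seen[event["UserKey"]].update(event["RecordIds"])
    return {user: len(ids) for user, ids in seen.items()}


if __name__ == "__main__":
    for user, total in sorted(bulk_read_totals(SAMPLE_ROWS).items()):
        print(user, "read", total, "distinct records in bulk")
```

Counting per source event rather than per row keeps a single large export from looking like several separate bulk reads.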
See also
Audit data and user activity for security and compliance
Search the audit log for user and admin activity
Office 365 Management APIs overview
PowerShell support for Power Apps
10/16/2020

With PowerShell cmdlets for app creators and administrators, you can automate many of the monitoring and
management tasks that are only possible manually today in Power Apps.

Cmdlets
Cmdlets are functions written in PowerShell script language that execute commands in the Windows PowerShell
environment. Running these Power Apps cmdlets will allow you to interact with your Business Application
Platform without having to go through the admin portal in a web browser. You can combine these cmdlets with
other PowerShell functions to write complex scripts that can optimize your workflow. Note that you can still use
the cmdlets if you're not an admin on the tenant, but you will be limited to the resources you own. Cmdlets that
start with the word 'Admin' are designed to be used by an administrative user account.
Cmdlets are available on the PowerShell gallery as two separate modules:
Administrator
Maker
For information on the Power Apps admin module, see Get started using the Power Apps admin module and
Microsoft.PowerApps.Administration.PowerShell.

NOTE
Regarding Dynamics 365 Government Community Cloud (GCC) level 2 support:
The default endpoint is "prod". If a user wants to run a PowerShell script targeting a GCC environment, the -Endpoint
parameter needs to be changed to "usgov" for GCC Moderate, or "usgovhigh" for GCC High, or "dod" for GCC DOD.

Add-PowerAppsAccount -Endpoint "usgov"

Requirements
PowerShell in this topic requires PowerShell version 5.x. To check the version of PowerShell running on your
machine, run the following command:

$PSVersionTable.PSVersion

If you have an outdated version, see Upgrading existing Windows PowerShell.

IMPORTANT
The modules described in this document use .NET Framework. This makes them incompatible with PowerShell 6.0 and later,
which uses .NET Core.

Installation
To run the PowerShell cmdlets for app creators, do the following:
1. Run PowerShell as an administrator.

2. Import the necessary modules using the following commands:

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell


Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber

Alternatively, if you don't have admin rights on your computer, you can use the following to use these
modules:

# '<ModulePath>' is a placeholder for a folder you can write to
Save-Module -Name Microsoft.PowerApps.Administration.PowerShell -Path '<ModulePath>'
Import-Module -Name Microsoft.PowerApps.Administration.PowerShell
Save-Module -Name Microsoft.PowerApps.PowerShell -Path '<ModulePath>'
Import-Module -Name Microsoft.PowerApps.PowerShell

3. If you are prompted to accept the change to InstallationPolicy value of the repository, accept [A] Yes to all
modules by typing 'A' and pressing Enter for each module.

4. Before accessing any of the commands, you have the option to provide your credentials using the following
command. These credentials are refreshed for up to ~8 hours before you're required to sign in again to
continue using the cmdlets.
# This call opens a prompt to collect credentials (Azure Active Directory account and password) used by the commands
Add-PowerAppsAccount

# Here is how you can pass in credentials (avoiding opening a prompt)
$pass = ConvertTo-SecureString "password" -AsPlainText -Force
Add-PowerAppsAccount -Username user@contoso.com -Password $pass
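
One way to keep the password literal out of the script when you need the non-interactive form above, as an added example that is not part of the original documentation. The credential is captured once with Get-Credential and stored with Export-Clixml, which on Windows PowerShell 5.x encrypts the password with DPAPI for the current user on the current computer. The function name and the file location are assumptions.

```powershell
# Added example (not from the original documentation).
# Assumptions: Windows PowerShell 5.x; the function name and file path are hypothetical.
# Export-Clixml serializes the SecureString inside a PSCredential with Windows DPAPI, so the
# file can only be decrypted by the same user account on the same computer.

function Get-StoredPowerAppsCredential {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run: prompt once, then persist the encrypted credential.
        $folder = Split-Path -Parent $Path
        if (-not (Test-Path -LiteralPath $folder)) {
            New-Item -ItemType Directory -Path $folder -Force | Out-Null
        }
        $new = Get-Credential -Message 'Account used by the Power Apps cmdlets'
        if ($null -eq $new) { throw 'No credential was entered.' }
        $new | Export-Clixml -LiteralPath $Path
    }

    # Import-Clixml rehydrates the PSCredential; it fails if another user or machine reads the file.
    $stored = Import-Clixml -LiteralPath $Path
    if ($stored -isnot [System.Management.Automation.PSCredential]) {
        throw "The file '$Path' does not contain a PSCredential."
    }
    return $stored
}

$credentialFile = Join-Path $env:LOCALAPPDATA 'PowerAppsAdmin\credential.xml'   # hypothetical path
$credential = Get-StoredPowerAppsCredential -Path $credentialFile

# -Password expects a SecureString, which PSCredential.Password already is.
Add-PowerAppsAccount -Username $credential.UserName -Password $credential.Password
```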

Power Apps cmdlets for app creators


Prerequisite
Users with a valid Power Apps license can perform the operations in these cmdlets, but they will only have access
to the resources (for example, apps, flows, etc.) that have been created or shared with them.
Cmdlet list - Maker Cmdlets

NOTE
We have updated some of the cmdlet function names in the latest release in order to add appropriate prefixes to prevent
collisions. See the table below for an overview of what has changed.

PURPOSE
    CMDLET

Add a canvas app to a Common Data Service solution
    Set-PowerAppAsSolutionAware

Read environments
    Get-PowerAppEnvironment (previously Get-PowerAppsEnvironment)
    Get-FlowEnvironment

Read, update, and delete a canvas app
    Get-PowerApp (previously Get-App)
    Remove-PowerApp (previously Remove-App)
    Publish-PowerApp (previously Publish-App)
    Set-AppDisplayName (previously Set-PowerAppDisplayName)
    Get-PowerAppVersion (previously Get-AppVersion)
    Restore-PowerAppVersion (previously Restore-AppVersion)

Read, update, and delete canvas app permissions
    Get-PowerAppRoleAssignment (previously Get-AppRoleAssignment)
    Set-PowerAppRoleAssignment (previously Set-AppRoleAssignment)
    Remove-PowerAppRoleAssignment (previously Remove-AppRoleAssignment)

Read, update, and delete a flow
    Get-Flow
    Get-FlowRun
    Enable-Flow
    Disable-Flow
    Remove-Flow

Read, update, and delete flow permissions
    Get-FlowOwnerRole
    Set-FlowOwnerRole
    Remove-FlowOwnerRole

Read and respond to flow approvals
    Get-FlowApprovalRequest
    Get-FlowApproval
    RespondTo-FlowApprovalRequest

Read and delete connections
    Get-PowerAppConnection (previously Get-Connection)
    Remove-PowerAppConnection (previously Remove-Connection)

Read, update, and delete connection permissions
    Get-PowerAppConnectionRoleAssignment (previously Get-ConnectionRoleAssignment)
    Set-PowerAppConnectionRoleAssignment (previously Set-ConnectionRoleAssignment)
    Remove-PowerAppConnectionRoleAssignment (previously Remove-ConnectionRoleAssignment)

Read and delete connectors
    Get-PowerAppConnector (previously Get-Connector)
    Remove-PowerAppConnector (previously Remove-Connector)

Read, update, and delete custom connector permissions
    Get-PowerAppConnectorRoleAssignment (previously Get-ConnectorRoleAssignment)
    Set-PowerAppConnectorRoleAssignment (previously Set-ConnectorRoleAssignment)
    Remove-PowerAppConnectorRoleAssignment (previously Remove-ConnectorRoleAssignment)

Read, add, and remove policy URL patterns
    Get-PowerAppPolicyUrlPatterns
    New-PowerAppPolicyUrlPatterns
    Remove-PowerAppPolicyUrlPatterns

Read, register, and remove management apps
    Get-PowerAppManagementApp
    Get-PowerAppManagementApps
    New-PowerAppManagementApp
    Remove-PowerAppManagementApp

Power Apps cmdlets for administrators


Prerequisite
To perform the administration operations in the admin cmdlets, you'll need the following:
A user with any of these roles, Global admins, Azure Active Directory Global admins, or Dynamics 365
admin, can access the Power Apps admin PowerShell cmdlets. These roles no longer require a Power Apps
plan for administrative access to the Power Apps admin PowerShell cmdlets. However, these administrators
need to sign in to the Power Platform admin center at least once before using the PowerShell cmdlets. If
this is not done, the cmdlets will fail with an authorization error.
Microsoft 365 Global admin or an Azure Active Directory Global Administrator, or Dynamics 365 admin
permissions if you need to search through another user's resources. Note that Environment Admins only
have access to those environments and environment resources for which they have permissions.
Cmdlet list - Admin Cmdlets
PURPOSE
    CMDLETS

Read, update, delete, and recover environments and Common Data Service databases
    New-AdminPowerAppEnvironment
    Set-AdminPowerAppEnvironmentDisplayName
    Get-AdminPowerAppEnvironment (previously Get-AdminEnvironment)
    Remove-AdminPowerAppEnvironment (previously Remove-AdminEnvironment)
    Get-AdminPowerAppSoftDeletedEnvironment
    Recover-AdminPowerAppEnvironment
    Copy-PowerAppEnvironment
    Backup-PowerAppEnvironment
    Get-PowerAppEnvironmentBackups
    Restore-PowerAppEnvironment
    Remove-PowerAppEnvironmentBackup
    Reset-PowerAppEnvironment
    New-AdminPowerAppCdsDatabase
    Get-AdminPowerAppCdsDatabaseLanguages
    Get-AdminPowerAppCdsDatabaseCurrencies
    Get-AdminPowerAppEnvironmentLocations

Delete Common Data Service database
    Remove-LegacyCDSDatabase

Read, update, and delete environment permissions. These cmdlets only work today for environments that do not have a Common Data Service database.
    Get-AdminPowerAppEnvironmentRoleAssignment (previously Get-AdminEnvironmentRoleAssignment)
    Set-AdminPowerAppEnvironmentRoleAssignment (previously Set-AdminEnvironmentRoleAssignment)
    Remove-AdminPowerAppEnvironmentRoleAssignment (previously Remove-AdminEnvironmentRoleAssignment)
    Set-AdminPowerAppEnvironmentRuntimeStat

Read, update, remove, and recover canvas apps
    Get-AdminPowerApp (previously Get-AdminApp)
    Remove-AdminPowerApp (previously Remove-AdminApp)
    Get-AdminPowerAppConnectionReferences
    Set-AdminPowerAppAsFeatured
    Clear-AdminPowerAppAsFeatured
    Set-AdminPowerAppAsHero
    Clear-AdminPowerAppAsHero
    Set-AdminPowerAppApisToBypassConsent
    Clear-AdminPowerAppApisToBypassConsent
    Get-AdminDeletedPowerAppsList
    Get-AdminRecoverDeletedPowerApp

Read, update, and delete canvas app permissions
    Get-AdminPowerAppRoleAssignment (previously Get-AdminAppRoleAssignment)
    Remove-AdminPowerAppRoleAssignment (previously Remove-AdminAppRoleAssignment)
    Set-AdminPowerAppRoleAssignment (previously Set-AdminAppRoleAssignment)
    Set-AdminPowerAppOwner (previously Set-AdminAppOwner)

Read, update, and delete flows
    Get-AdminFlow
    Enable-AdminFlow
    Disable-AdminFlow
    Remove-AdminFlow
    Remove-AdminFlowApprovals

Read, update, and delete flow permissions
    Get-AdminFlowOwnerRole
    Set-AdminFlowOwnerRole
    Remove-AdminFlowOwnerRole

Read and delete connections
    Get-AdminPowerAppConnection (previously Get-AdminConnection)
    Remove-AdminPowerAppConnection (previously Remove-AdminConnection)

Read, update, and delete connection permissions
    Get-AdminPowerAppConnectionRoleAssignment (previously Get-AdminConnectionRoleAssignment)
    Set-AdminPowerAppEnvironmentConnectionRoleAssignment (previously Set-AdminConnectionRoleAssignment)
    Remove-AdminPowerAppConnectionRoleAssignment (previously Remove-AdminConnectionRoleAssignment)

Read and delete custom connectors
    Get-AdminPowerAppConnector (previously Get-AdminConnector)
    Remove-AdminPowerAppConnector (previously Remove-AdminConnector)

Read, update, and delete custom connector permissions
    Get-AdminPowerAppConnectorRoleAssignment (previously Get-AdminConnectorRoleAssignment)
    Set-AdminPowerAppConnectorRoleAssignment (previously Set-AdminConnectorRoleAssignment)
    Remove-AdminPowerAppConnectorRoleAssignment (previously Remove-AdminConnectorRoleAssignment)

Read a user's Power Apps user settings, user-app settings, and notifications
    Get-AdminPowerAppsUserDetails

Read and delete a user's Power Automate settings, which are not visible to user, but that support flow execution
    Get-AdminFlowUserDetails
    Remove-AdminFlowUserDetails

Create, read, update and delete data loss prevention policies for your organization using a three-way classification - Business, Non-Business, and Blocked. Learn more about the Power Platform data loss prevention (DLP) SDK.
    Get-DlpPolicy (previously Get-AdminDlpPolicy)
    New-DlpPolicy (previously Add-AdminDlpPolicy)
    Remove-DlpPolicy (previously Remove-AdminDlpPolicy)
    Set-DlpPolicy (previously Set-AdminDlpPolicy)

Read, add, remove, and update tenant settings
    Get-TenantSettings
    Set-TenantSettings
    Get-PowerAppTenantUrlPatterns
    New-PowerAppTenantUrlPatterns
    Remove-PowerAppTenantUrlPatterns
    Get-AdminPowerAppTenantConsumedQuota

Read, add, and remove allowed consent/trial plans within the tenant
    Remove-AllowedConsentPlans
    Add-AllowedConsentPlans
    Get-AllowedConsentPlans

Read tenant assigned user licenses
    Get-AdminPowerAppLicenses

Read, update, and reset the environment that Power Apps uses to save SharePoint form apps
    Get-AdminPowerAppSharepointFormEnvironment
    Set-AdminPowerAppSharepointFormEnvironment
    Reset-AdminPowerAppSharepointFormEnvironment

Tips
Use Get-Help 'CmdletName' to get a list of examples.

To cycle through the possible options for input tags, press the Tab key after typing the dash (-)
character after the cmdlet name.
Example commands:

Get-Help Get-AdminPowerAppEnvironment
Get-Help Get-AdminPowerAppEnvironment -Examples
Get-Help Get-AdminPowerAppEnvironment -Detailed

Operation examples
Below are some common scenarios that show how to use new and existing Power Apps cmdlets.
Environments Commands
Power Apps Commands
Power Automate commands
API connection commands
Data Loss Prevention (DLP) policy commands
Block trial licenses commands
Environments commands
Use these commands to get details on and update environments in your tenant.
Display a list of all environments

Get-AdminPowerAppEnvironment

Returns a list of each environment across your tenant, with details of each (e.g., environment name (guid), display
name, location, creator, etc).
Display details of your default environment

Get-AdminPowerAppEnvironment -Default

Returns the details for only the default environment of the tenant.
Display details of a specific environment

Get-AdminPowerAppEnvironment -EnvironmentName 'EnvironmentName'

Note: The EnvironmentName field is a unique identifier, which is different from the DisplayName (see first and
second fields in the output in the following image).

Power Apps commands


These operations are used to read and modify Power Apps data in your tenant.
Display a list of all Power Apps

Get-AdminPowerApp

Returns a list of all Power Apps across the tenant, with details of each (e.g., application name (guid), display name,
creator, etc).
Display a list of all Power Apps that match the input display name

Get-AdminPowerApp 'DisplayName'

Returns a list of all the Power Apps in your tenant that match the display name.
Note: Use quotation characters (") around input values that contain spaces.
Feature an application

Set-AdminPowerAppAsFeatured -AppName 'AppName'

Featured applications are grouped and pushed to the top of the list in the Power Apps mobile player.
Note: Like environments, the AppName field is a unique identifier, which is different from the DisplayName. If you
want to perform operations based on the display name, some functions will let you use the pipeline (see next
function).
Make an application a Hero app, using the pipeline

Get-AdminPowerApp 'DisplayName' | Set-AdminPowerAppAsHero

A Hero app will appear at the top of the list in the Power Apps mobile player. There can only be one Hero app.
The pipeline (represented as the '|' character between two cmdlets) takes the output of the first cmdlet and passes
it as the input value of the second, assuming the function has been written to accommodate the pipeline feature.
Note: An app must already be a featured app before it is changed to a hero.
Display the number of apps each user owns

Get-AdminPowerApp | Select -ExpandProperty Owner | Select -ExpandProperty displayname | Group

You can combine native PowerShell functions with the Power Apps cmdlets to manipulate data even further. Here
we use the Select function to isolate the Owner attribute (an object) from the Get-AdminPowerApp object. We then
isolate the name of the owner object by pipelining that output into another Select function. Finally, passing the
second Select function output into the Group function returns a nice table that includes a count of each owner's
number of apps.

Display the number of apps in each environment

Get-AdminPowerApp | Select -ExpandProperty EnvironmentName | Group | %{ New-Object -TypeName PSObject -Property @{ DisplayName = (Get-AdminPowerAppEnvironment -EnvironmentName $_.Name | Select -ExpandProperty displayName); Count = $_.Count } }

Download Power Apps user details

Get-AdminPowerAppsUserDetails -OutputFilePath '.\adminUserDetails.txt' -UserPrincipalName 'admin@bappartners.onmicrosoft.com'

The above command will store the Power Apps user details (basic usage information about the input user via their
user principal name) in the specified text file. It will create a new file if there is no existing file with that name, and
overwrite the text file if it already exists.
Export a list of assigned user licenses

Get-AdminPowerAppLicenses -OutputFilePath '<licenses.csv>'

Exports all the assigned user licenses (Power Apps and Power Automate) in your tenant into a tabular view .csv
file. The exported file contains both self-service sign up internal trial plans as well as plans that are sourced from
Azure Active Directory. The internal trial plans are not visible to admins in the Microsoft 365 admin center.
The export can take a while for tenants with a large number of Power Platform users.
Set logged in user as the owner of a canvas app

Set-AdminPowerAppOwner -AppName 'AppName' -AppOwner $Global:currentSession.userId -EnvironmentName 'EnvironmentName'

Changes the owner role of a PowerApp to the current user, and replaces the original owner as a "can view" role
type.
Note: The AppName and EnvironmentName fields are the unique identifiers (guids), not the display names.
Display a list of deleted canvas apps in an environment

Get-AdminDeletedPowerAppsList -EnvironmentName 'EnvironmentName'

This displays all canvas apps that were recently deleted and may still be recovered.
Recover a deleted canvas app

Get-AdminRecoverDeletedPowerApp -AppName 'AppName' -EnvironmentName 'EnvironmentName'

This recovers a canvas app that is discoverable via Get-AdminDeletedPowerAppsList cmdlet. Any canvas app that
isn't displayed in Get-AdminDeletedPowerAppsList isn't recoverable.
Power Automate commands
Use these commands to view and modify data related to Power Automate.
Display all flows

Get-AdminFlow

Returns a list of all flows in the tenant.


Display flow owner role details

Get-AdminFlowOwnerRole -EnvironmentName 'EnvironmentName' -FlowName 'FlowName'

Returns the owner details of the specified flow.

Note: Like Environments and PowerApps, FlowName is the unique identifier (guid), which is different from the
display name of the flow.
Display flow user details

Get-AdminFlowUserDetails -UserId $Global:currentSession.userId

Returns the user details regarding flow usage. In this example we're using the user Id of the current logged in user
of the PowerShell session as input.
Remove flow user details

Remove-AdminFlowUserDetails -UserId 'UserId'

Deletes the details on a flow user completely from the Microsoft database. All flows the input user owns must be
deleted before the flow user details can be purged.
Note: The UserId field is the Object ID of the user's Azure Active Directory record, which can be found in the Azure
Portal under Azure Active Directory > Users > Profile > Object ID. You must be an admin to access this data
from here.
Export all flows to a CSV file

Get-AdminFlow | Export-Csv -Path '.\FlowExport.csv'

Exports all the flows in your tenant into a tabular view .csv file.
API connection commands
View and manage API connections in your tenant.
Display all native Connections in your default environment

Get-AdminPowerAppEnvironment -Default | Get-AdminPowerAppConnection

Displays a list of all API connections you have in the default environment. Native connections are found under the
Data > Connections tab in the maker portal.
Display all custom connectors in the tenant

Get-AdminPowerAppConnector

Returns a list of all custom connector details in the tenant.
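
The connection commands above can be combined into a tenant-wide inventory that shows which connectors are actually in use in each environment, which is the input you need before classifying connectors in a DLP policy. This is an added example, not part of the original documentation; the property names read from the connection objects (ConnectorName, DisplayName, CreatedTime, CreatedBy) are assumptions to confirm with Get-Member on your module version, and the output file name is hypothetical.

```powershell
# Added example (not from the original documentation).
# Assumption: objects returned by Get-AdminPowerAppConnection expose ConnectorName,
# DisplayName, CreatedTime and CreatedBy; confirm with Get-Member before relying on them.

$inventory = foreach ($environment in Get-AdminPowerAppEnvironment) {
    $connections = Get-AdminPowerAppConnection -EnvironmentName $environment.EnvironmentName
    foreach ($connection in $connections) {
        [pscustomobject]@{
            EnvironmentDisplayName = $environment.DisplayName
            EnvironmentName        = $environment.EnvironmentName   # the guid, used by other cmdlets
            ConnectorName          = $connection.ConnectorName
            ConnectionDisplayName  = $connection.DisplayName
            CreatedBy              = $connection.CreatedBy.userPrincipalName
            CreatedTime            = $connection.CreatedTime
        }
    }
}

# Summary: number of connections and distinct creators per connector in each environment.
$summary = $inventory |
    Group-Object -Property EnvironmentDisplayName, ConnectorName |
    ForEach-Object {
        [pscustomobject]@{
            Environment = $_.Group[0].EnvironmentDisplayName
            Connector   = $_.Group[0].ConnectorName
            Connections = $_.Count
            Creators    = @($_.Group.CreatedBy | Sort-Object -Unique).Count
        }
    } |
    Sort-Object -Property Environment, @{ Expression = 'Connections'; Descending = $true }

$summary | Format-Table -AutoSize

# Keep the full detail for review (hypothetical file name).
$inventory | Export-Csv -Path '.\ConnectionInventory.csv' -NoTypeInformation
```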


Data loss prevention (DLP) policy commands

NOTE
The ability to block connectors by using a three-way classification (Business, Non-Business, and Blocked), in addition
to DLP policy UI support in the Power Platform admin center, is currently in public preview. There is new DLP policy
PowerShell support for three-way DLP policy classification, which is also in public preview. Legacy DLP policy support for
two-way classification (Business and Non-Business), along with admin center UI and PowerShell support for two-way
classification, is currently generally available and will continue to be available for the foreseeable future. More information:
Connectors documentation

These cmdlets control the DLP policies on your tenant.


Create a DLP policy

New-DlpPolicy

Creates a new DLP policy for the signed-in admin's tenant.


Retrieve a list of DLP objects

Get-DlpPolicy

Gets policy objects for the signed-in admin's tenant.


Update a DLP policy

Set-DlpPolicy

Updates details of the policy, such as the policy display name.


Remove a policy

Remove-DlpPolicy
Deletes a DLP policy.
Block trial licenses commands
Commands:

Remove-AllowedConsentPlans
Add-AllowedConsentPlans
Get-AllowedConsentPlans

The allowed consent plans cmdlets can be used to add or remove access to a particular type of consent plan from
a tenant. "Internal" consent plans are either trial licenses or community plans that users can sign themselves up
for via Power Apps/Power Automate portals. "Ad-hoc subscription" consent plans are trial licenses that users can
sign themselves up for via https://signup.microsoft.com or admins can assign to users via Azure Active Directory
(Azure AD) or the Microsoft 365 admin portal. By default all types of consent plans are allowed in a tenant. A
common use case for these cmdlets is if a Power Platform admin wants to block users within their tenant from the
ability to assign themselves trial licenses but retain the ability to assign trial licenses on behalf of users. This can
be accomplished by using the Remove-AllowedConsentPlans -Types "Internal" command as well as disabling the
setting AllowAdHocSubscriptions in Azure AD. It is important to note that when using
Remove-AllowedConsentPlans all existing plans of the specified type will be removed from all users in the tenant and will
not be recoverable. In addition, it will block all further assignment of plans of that type. If, at a later time, the Power
Platform admin wishes to re-enable plans of that type they can use Add-AllowedConsentPlans. If they want to
view the current state of allowed consent plans they can use Get-AllowedConsentPlans.
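
Because the removal described above cannot be undone, it is worth recording the tenant's state before running it. The following is an added example, not part of the original documentation: it saves the currently allowed consent plans and the assigned licenses, asks for an explicit confirmation, and only then removes the "Internal" plans. The output folder name and the confirmation phrase are assumptions.

```powershell
# Added example (not from the original documentation).
# Remove-AllowedConsentPlans strips existing plans of the given type from every user and
# cannot be undone, so record the current state first and require an explicit confirmation.
# Assumption: the output folder name and confirmation phrase below are hypothetical.

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFolder = Join-Path (Get-Location).Path "consent-plans-$stamp"
New-Item -ItemType Directory -Path $outFolder | Out-Null

# 1. Which consent plan types are allowed right now?
Get-AllowedConsentPlans | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $outFolder 'allowed-before.json')

# 2. Who currently holds which license, including internal trial plans that the
#    Microsoft 365 admin center does not show? This can take a while on large tenants.
Get-AdminPowerAppLicenses -OutputFilePath (Join-Path $outFolder 'licenses-before.csv')

# 3. Only proceed on an exact, case-sensitive confirmation.
$answer = Read-Host "Type REMOVE-INTERNAL to remove all 'Internal' consent plans in this tenant"
if ($answer -cne 'REMOVE-INTERNAL') {
    Write-Warning "Nothing was changed. Snapshot saved in $outFolder"
    return
}

Remove-AllowedConsentPlans -Types 'Internal'

# 4. Record the resulting state next to the snapshot.
Get-AllowedConsentPlans | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $outFolder 'allowed-after.json')
```

Add-AllowedConsentPlans re-enables assignment of that plan type later, but the plans that were removed from users stay removed, so the exported license file is the only record of who held them.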

Questions?
If you have any comments, suggestions, or questions, post them on the Administering Power Apps community
board.
See also
Get started using the Power Apps admin module
Microsoft.PowerApps.Administration.PowerShell
Automation of tasks with PowerShell
10/16/2020 • 2 minutes to read

The PowerShell cmdlets allow you to do similar tasks that you would do with the admin portals but do them in
scripting where you can sequentially execute multiple commands or pipe output from one to automate common
tasks. Using the PowerShell cmdlets or the management connectors, you can build flows and apps that help you to
implement your governance policies. There are multiple PowerShell cmdlets that you can work with. The following
is an overview of each that you would likely interact with.

POWERSHELL CMDLET LIBRARY
    COMMON TASKS

Power Apps cmdlets (PowerShell support for Power Apps)
    Designed for app makers and administrators to automate tasks with environments and associated apps, flows, and connectors.

Microsoft 365 cmdlets (https://docs.microsoft.com/office365/enterprise/powershell/getting-started-with-office-365-powershell)
    These are focused on Microsoft 365 related tasks and can be used to automate user-related actions and tasks; for example, assignment of licenses.

Dynamics 365 cmdlets (https://docs.microsoft.com/powershell/dynamics365/customer-engagement/overview)
    These are useful if you have any environments with Common Data Service databases. Modules include support for using the Common Data Service online admin API, as well as to automate solution deployment to the Common Data Service environments.

Microsoft Azure cmdlets (https://docs.microsoft.com/powershell/azure/overview)
    The Azure cmdlets are useful if you are including any Azure components in your overall solution. This could also be used to script setup of the on-premises application gateway.

You can use a combination of all the above cmdlets to build PowerShell scripts to do bulk operations on users,
environments or their resources.

TIP
Examples can also be found when installing and testing the Center of Excellence Starter Kit or using the Admin-in-a-Day
hands-on labs that can be found on GitHub (https://aka.ms/powerapps/admininaday).

Common PowerShell tasks


Displaying a list of environments

Get-AdminPowerAppEnvironment

This will give you key information such as the Display Name and GUID of the environment. This is often what is
needed for follow-on operations.
Adding parameters such as -Default will allow you to generically find the default environment in the tenant.

Get-AdminPowerAppEnvironment -Default
Using the GUID you got back (which is the non-display name for the environment), you can drill into details of that
specific environment:

Get-AdminPowerAppEnvironment -EnvironmentName 'EnvironmentName'

That would produce the following detailed information:

Another useful one is getting a list of connections in an environment. The following lists all the connections in the
tenant's default environment.

Get-AdminPowerAppEnvironment -Default | Get-AdminPowerAppConnection

And finally, a slightly more complex example. This one pipes the output from one cmdlet to others and presents a
list of the number of apps in each environment in the tenant.

Get-AdminPowerApp | select -ExpandProperty EnvironmentName | Group | %{ New-Object -TypeName PSObject -Property @{ DisplayName = (Get-AdminPowerAppEnvironment -EnvironmentName $_.Name | select -ExpandProperty displayName); Count = $_.Count } }

That would produce the following detailed information:


Power Platform data loss prevention (DLP) SDK
10/16/2020 • 2 minutes to read

This topic introduces the capabilities of the DLP SDK and shows you how DLP can help you manage your tenant and
environment policy with experiences ranging from creating, reading, updating, to removing DLP policies. More
information: Data loss prevention policies

How to run this sample


1. Download or clone the Samples repo so that you have a local copy.
2. Open PowerShell ISE as an admin.
3. Run the following command:

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force

4. Edit RunSamples.ps1 and make the following changes:


Replace $TenantAdminName value with your tenant admin account
Replace $TenantAdminPassword value with your tenant admin account password
Replace $EnvironmentAdminName value with your environment admin account
Replace $EnvironmentAdminPassword value with your environment admin account password
Note: the tenant admin account should not be used as an environment admin account.
5. Run RunSamples.ps1.

What this sample does


This sample calls DLP APIs in Microsoft.PowerApps.Administration.PowerShell to create, read, update and remove
DLP policies. Below are the scenarios supported by the SDK.
1. Create a tenant-level policy that classifies connectors into Business, Non-business, and Blocked groups.
2. Create policy for all environments except certain environments that classifies connectors into Business,
Non-business, and Blocked groups.
3. Create policy for single environment that classifies connectors into Business, Non-business, and Blocked
groups.
4. Get list of tenant-level policies (all environments).
5. Update policy to move connector across groups (Business, Non-business, and Blocked).
6. Test compatibility of existing policies that previously used legacy PowerShell APIs and now use new PowerShell
APIs.

How this sample works


This sample provides some DLP scenarios about how to call DLP APIs for your reference. You can run the sample
and see the result.
Requirements/supported configurations
10/16/2020 • 2 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) give you the following options
to access data:
Web browser. No need to install anything to run customer engagement apps from a computer running a
supported web browser.
Dynamics 365 App for Outlook. An Outlook add-in that provides you with a complete set of customer
engagement apps capabilities right within Office Outlook.
Dynamics 365 for phones and Dynamics 365 for tablets. Lightweight applications that let you access
Common Data Service data on almost any web browser running on a tablet, smartphone, or non-Windows
computer.

Web browser requirements


You use a common web browser, such as Internet Explorer, Mozilla Firefox, Google Chrome or Apple Safari to view,
add, or edit information stored in your organization’s database. For more information about the supported web
browsers and hardware requirements, see Web application requirements for Microsoft Dynamics 365 apps.

Mobile device requirements


Users can work in customer engagement apps by using a supported browser on a mobile device, or by using
Dynamics 365 for phones. For more information about the mobile experience, see Set up Dynamics 365 apps for
phones and Dynamics 365 apps for tablets.

Microsoft Office requirements


Customer engagement apps leverage the capabilities of on-premises versions of Microsoft Office or Microsoft 365
and integrate with Office Word and Office Excel. For more information about the supported versions of Microsoft
Office, see Supported versions of Office.
For full Microsoft 365 feature integration with Dynamics 365 and Customer Engagement (on-premises), you'll
need Microsoft 365 Enterprise E3 or later. Skype for Business PSTN calling and conferencing requires Microsoft
365 Enterprise E5. Other Microsoft 365 plans are not supported. For more information on licensing and pricing,
see:
Dynamics 365 pricing
Dynamics 365 Licensing Guide

IP addresses and URLs


If certain IP address ranges or individual IP addresses are blocked in the environment, users may not be able to
reach Microsoft Dynamics 365 environments. Blocked IPs can also impact connecting Dynamics 365 apps to
Microsoft Exchange Server (on-premises). See the following:
Azure IP Ranges and Service Tags – Public Cloud
Azure IP Ranges and Service Tags – US Government Cloud
Azure IP Ranges and Service Tags – China Cloud
Azure IP Ranges and Service Tags – Germany Cloud

NOTE
You can search the Azure IP Ranges json file for the AzureCloud service tag for your region. For example, for Japan you'd
search for "azurecloud.japaneast" and "azurecloud.japanwest" to find the list of IP addresses to allow.

Dynamics 365 apps use several Microsoft URLs to help provide security, services, and features. Blocking any of the
required URLs will cause apps in Dynamics 365 to operate incorrectly or not at all. See:
Troubleshooting: Unblock required URLs.
Internet accessible URLs required for connectivity to Microsoft Dynamics 365

Internet accessible URLs required


If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
Select your region:
See also
Plan for Deployment and Administration
Work with requirements as a solution architect for Power Platform and Dynamics 365
Required URLs for North America-based organizations
10/16/2020 • 2 minutes to read

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
http://login.microsoftonline-p.com
https://login.live.com
https://secure.aadcdn.microsoftonline-p.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
https://urs.microsoft.com
https://auth.gfx.ms
https://sc.imp.live.com
https://dynamicscrmna.accesscontrol.windows.net
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
http://*.crm.dynamics.com
https://*.crm.dynamics.com
https://home.dynamics.com
https://cloudredirectornam.cloudapp.net
https://cloudredirectornamsec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
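
A reachability check for entries in the list above, as an added example that is not part of the original documentation. It derives the host and port from each URL (443 for https, 80 for http), probes concrete hosts with Test-NetConnection, and flags wildcard entries, which have no single host to probe and must be verified in the proxy or firewall rule itself. The function name Test-RequiredUrl and the status labels are assumptions; the sample list is a constructed subset of the entries on this page.

```powershell
# Added example (not from the original documentation).
# Constructed sample: a few entries copied from the North America list on this page.
$requiredUrls = @(
    'https://login.live.com',
    'http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl',
    'https://home.dynamics.com',
    'https://*.crm.dynamics.com',
    'http://*.passport.net'
)

function Test-RequiredUrl {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Url
    )

    foreach ($entry in $Url) {
        $result = [pscustomobject]@{ Url = $entry; HostName = $null; Port = $null; Status = $null }

        # Parse with a regex instead of [uri], because [uri] rejects the '*' in wildcard hosts.
        if ($entry -match '^(?<scheme>https?)://(?<host>[^/:]+)') {
            $result.HostName = $Matches['host']
            $result.Port     = if ($Matches['scheme'] -eq 'https') { 443 } else { 80 }
        } else {
            $result.Status = 'Unparsed'
            $result
            continue
        }

        if ($result.HostName.Contains('*')) {
            # No single host to probe: confirm the wildcard in the proxy or firewall rule set.
            $result.Status = 'WildcardReviewRule'
        } else {
            # Direct TCP probe; this does not go through an explicit web proxy.
            $probe = Test-NetConnection -ComputerName $result.HostName -Port $result.Port -WarningAction SilentlyContinue
            $result.Status = if ($probe.TcpTestSucceeded) { 'Reachable' } else { 'Unreachable' }
        }
        $result
    }
}

Test-RequiredUrl -Url $requiredUrls | Format-Table -AutoSize
```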
See also
Internet accessible URLs required
Required URLs for South America-based organizations
10/16/2020 • 2 minutes to read

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmsam.accesscontrol.windows.net
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm2.dynamics.com
http://*.crm2.dynamics.com
https://home.dynamics.com
https://cloudredirectorsam.cloudapp.net
https://cloudredirectorsamsec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
See also
Internet accessible URLs required
Required URLs for Europe, Africa, and Middle East-based organizations
10/16/2020 • 2 minutes to read

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
https://login.live.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmemea.accesscontrol.windows.net
https://sc.imp.live.com
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm4.dynamics.com
http://*.crm4.dynamics.com
https://home.dynamics.com
https://cloudredirectoreur.cloudapp.net
https://cloudredirectoreursec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
See also
Internet accessible URLs required
Required URLs for Asia/Pacific area-based organizations

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
https://login.live.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmapac.accesscontrol.windows.net
https://sc.imp.live.com
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm5.dynamics.com
http://*.crm5.dynamics.com
https://home.dynamics.com
https://cloudredirectorapj.cloudapp.net
https://cloudredirectorapjsec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
See also
Internet accessible URLs required
Required URLs for Japan-based organizations

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
https://login.live.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmjpn.accesscontrol.windows.net
https://sc.imp.live.com
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm7.dynamics.com
http://*.crm7.dynamics.com
https://home.dynamics.com
https://cloudredirectorjpn.cloudapp.net
https://cloudredirectorjpnsec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
See also
Internet accessible URLs required
Required URLs for India-based organizations

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
https://login.live.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmind.accesscontrol.windows.net
https://sc.imp.live.com
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm8.dynamics.com
http://*.crm8.dynamics.com
https://home.dynamics.com
https://cloudredirectorind.cloudapp.net
https://cloudredirectorindsec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
See also
Internet accessible URLs required
Required URLs for Canada-based organizations

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
https://login.live.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmcan.accesscontrol.windows.net
https://sc.imp.live.com
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm3.dynamics.com
http://*.crm3.dynamics.com
https://home.dynamics.com
https://cloudredirectorcan.cloudapp.net
https://cloudredirectorcansec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
See also
Internet accessible URLs required
Required URLs for Oceania-based organizations

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
https://login.live.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmoce.accesscontrol.windows.net
https://sc.imp.live.com
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm6.dynamics.com
http://*.crm6.dynamics.com
https://home.dynamics.com
https://cloudredirectoroce.cloudapp.net
https://cloudredirectorapjsec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
See also
Internet accessible URLs required
Required URLs for Dynamics 365 US Government-based organizations

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
https://login.live.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmgcc.accesscontrol.usgovcloudapi.net
https://sc.imp.live.com
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm9.dynamics.com
http://*.crm9.dynamics.com
https://home.dynamics.com
https://*.azureedge.net
https://www.crmdynint.com
https://www.www.crmdynint-gcc.com
See also
Internet accessible URLs required
Required URLs for United Kingdom-based organizations

If you cannot access Microsoft Dynamics 365 apps, or specific URLs fail to load when you use Microsoft Dynamics
365, a proxy or firewall may be configured to prevent Dynamics 365 URLs from accessing server resources.
Add the following URLs to the approved list to allow traffic to proceed to these URLs.
To select a different region, see Internet accessible URLs required.
https://login.live.com
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
https://mbs.microsoft.com
https://go.microsoft.com
http://login.microsoftonline-p.com
https://secure.aadcdn.microsoftonline-p.com
https://urs.microsoft.com
https://auth.gfx.ms
https://dynamicscrmgbr.accesscontrol.windows.net
https://sc.imp.live.com
https://*.windows.net
https://*.microsoftonline.com
http://*.passport.net
https://*.crm11.dynamics.com
http://*.crm11.dynamics.com
https://home.dynamics.com
https://cloudredirectoroce.cloudapp.net
https://cloudredirectorapjsec.cloudapp.net
https://*.azureedge.net
https://www.crmdynint.com
See also
Internet accessible URLs required
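
The regional lists above are what a proxy or firewall team has to reconcile against its deny logs. The following added example (not part of the original documentation) checks denied requests against the United Kingdom list from this page; the log format, the sample log lines and the matching rules (scheme must match, a leading *. covers subdomains but not the bare domain) are assumptions.

```python
from urllib.parse import urlsplit

# United Kingdom list, copied from the page.
UK_REQUIRED_URLS = [
    "https://login.live.com",
    "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
    "https://mbs.microsoft.com",
    "https://go.microsoft.com",
    "http://login.microsoftonline-p.com",
    "https://secure.aadcdn.microsoftonline-p.com",
    "https://urs.microsoft.com",
    "https://auth.gfx.ms",
    "https://dynamicscrmgbr.accesscontrol.windows.net",
    "https://sc.imp.live.com",
    "https://*.windows.net",
    "https://*.microsoftonline.com",
    "http://*.passport.net",
    "https://*.crm11.dynamics.com",
    "http://*.crm11.dynamics.com",
    "https://home.dynamics.com",
    "https://cloudredirectoroce.cloudapp.net",
    "https://cloudredirectorapjsec.cloudapp.net",
    "https://*.azureedge.net",
    "https://www.crmdynint.com",
]

# Constructed proxy log: "<timestamp> <action> <url>" (assumed format).
SAMPLE_PROXY_LOG = """\
2020-10-16T09:00:01Z DENIED https://contoso.crm11.dynamics.com/main.aspx
2020-10-16T09:00:02Z ALLOWED https://home.dynamics.com/
2020-10-16T09:00:03Z DENIED https://contoso.crm4.dynamics.com/main.aspx
2020-10-16T09:00:04Z DENIED https://login.microsoftonline.com/common/oauth2/authorize
2020-10-16T09:00:05Z DENIED https://crm11.dynamics.com/
2020-10-16T09:00:06Z DENIED http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
2020-10-16T09:00:07Z DENIED https://example.org/tracker.js
"""


def entry_matches(url, entry):
    """True when url is covered by one list entry (assumed matching rules)."""
    u, e = urlsplit(url), urlsplit(entry)
    if u.scheme != e.scheme:
        return False  # the page lists http and https entries separately
    host, pattern = (u.hostname or ""), (e.hostname or "")
    if pattern.startswith("*."):
        # "*.crm11.dynamics.com" covers subdomains only, not the bare domain
        host_ok = host.endswith(pattern[1:])
    else:
        host_ok = host == pattern
    # An entry with a path (the CRL) only covers URLs under that path.
    return host_ok and u.path.startswith(e.path)


def triage_denied(log_text, required=UK_REQUIRED_URLS):
    """Split denied requests into 'required entry is blocked' and 'not on this list'."""
    blocked_required, not_on_list = {}, []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] != "DENIED":
            continue
        url = fields[2]
        entry = next((e for e in required if entry_matches(url, e)), None)
        if entry is None:
            not_on_list.append(url)  # other region, bare domain, or unrelated
        else:
            blocked_required.setdefault(entry, []).append(url)
    return {"blocked_required": blocked_required, "not_on_list": not_on_list}


if __name__ == "__main__":
    result = triage_denied(SAMPLE_PROXY_LOG)
    for entry, urls in result["blocked_required"].items():
        print("approve:", entry, "<-", ", ".join(urls))
    for url in result["not_on_list"]:
        print("review separately:", url)
```

Requests that land in `not_on_list` are not covered by this region's list, so they need a separate decision rather than an automatic approval.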
Plan for deployment and administration

Your deployment will go more smoothly with some preliminary planning. The following table lists some of the
items to consider before you start the actual deployment process.

Item: Environment discovery
Description: A detailed description of your organization’s environment in terms of number of users, groups or teams, and the number and type of business units or divisions. Identify current data that you would like to bring into customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), and your overall data storage requirements. Include a business requirements analysis that describes your organization’s expectation or requirements for a service level agreement (SLA). An SLA is an agreement between two or more parties describing the deliverables, support, and communication that each party will provide to the other. Specify your policies related to security and privacy.
Considerations: Is there enough overlap in customers and products across business units to be able to work in the same data? What type of security policy does the organization already have in place? Are there any special requirements in this area? Is there a plan for business growth that could affect the number of users? Plan for enough time to do this discovery; information that comes out of this exercise can affect the way you implement the service.

Item: Single sign-on
Description: An authentication process that enables a user to access multiple systems or services through a single set of sign-on credentials. For example, implementing single sign-on for an organization’s network environment means that after a user signs in to the network, that user does not have to enter credentials again when accessing customer engagement apps. Note: For Microsoft 365 subscribers, the environment must be in the same tenant as your Microsoft 365 subscription. A user account in Active Directory can only sync with one tenant.
Considerations: There are additional requirements to implement single sign-on; therefore, consider how important it is to your organization. More information: Manage user account synchronization

Item: Integration with Microsoft 365 applications
Description: You can significantly enhance your company’s online, collaborative experience by integrating Microsoft 365 applications with your subscription. This requires a separate purchase of a Microsoft 365 subscription. You’ll have the best integration experience if your Microsoft 365 subscription and environment are in the same tenant. For full Microsoft 365 feature integration with Dynamics 365 and Customer Engagement (on-premises), you'll need Microsoft 365 Enterprise E3 or later. Skype for Business PSTN calling and conferencing requires Microsoft 365 Enterprise E5. Other Microsoft 365 plans are not supported. For more information on licensing and pricing, see Dynamics 365 pricing and Dynamics 365 Licensing Guide.
Considerations: More information: What is Office 365?

Item: Administrative roles in the Microsoft Online Services environment
Description: A number of administrative roles are available to assign to users if you manage your subscription in the Microsoft Online Services environment. Administrative roles define administrative responsibilities related to subscription management activities, for example, billing administration, password administration, and user management administration.
Considerations: Consider the available administrative roles and the needs of your environment to identify the roles you want to use and the users you will choose for each role. The global administrator role is the highest level role, having all the permissions to manage any part of the subscription process. We recommend that you assign this role to more than one person so that someone is always available to manage all aspects of the subscription. Note: Administrative roles cover all subscription management functions within the service. These aren’t the same as the security roles that you assign to users, which are required and govern access to resources in the service. See “Security roles” in this table.

Item: Security roles
Description: Customer engagement apps use role-based security. The security role assigned to a user determines the tasks the user is permitted to perform and the data that the user is permitted to view.
Considerations: Every user must be assigned at least one security role to access customer engagement apps. Note: Security roles aren’t the same as administrative roles in the Microsoft Online Services environment, which cover subscription management and related activities in the Microsoft 365 admin portal. See: Administrative roles in the Microsoft Online Services environment in this table.

Item: Importing data
Description: Customer engagement apps offer a wizard to help with importing data from other applications and services.
Considerations: If you import data from other systems, consider the way you’ll process the data to minimize errors. More information: Import data (all record types)

Item: Product updates
Description: Some releases will include optional product updates that you can choose to enable.
Considerations: Product updates may affect existing customizations in your environment. Review the documentation associated with each product update before you enable it in a production environment. Additionally, some product updates, such as the sales and service process forms, can’t be removed or easily reverted to the previous functionality. Therefore, you should give careful consideration before you enable a product update. Tip: If you’re unsure whether you want to enable a product update in an environment used in production, sign up for a trial subscription to evaluate the new functionality. More information: About trial environments

See also
Requirements
Grant users access
Supported web browsers and mobile devices

Users can access the model-driven apps with the most recent versions of these popular browsers:
Microsoft Edge (recommended: Chromium-based Edge)
Chrome
Firefox
Safari
Internet Explorer (not recommended)

TIP
For optimal performance and experience, we recommend you use the latest version of a modern browser.

For more detailed information about supported browsers, see Web application requirements.
For a mobile device, such as an iPad or smartphone, the following apps are available:
Dynamics 365 for phones and Dynamics 365 for tablets
For more detailed information about supported phones and tablets, see Dynamics 365 mobile and tablet device
support.

NOTE
Users who try to view model-driven apps on an unsupported browser are redirected to the Unified Interface experience.
For more information, see Unified Interface Overview.
If you have added content to forms or dashboards in an iFrame, you might have implemented security restrictions around
certain actions in that content, such as external links. Keep in mind that in Firefox, this security restriction code will likely
be unsupported.

Known issues when you run model-driven apps with certain web browsers
This section describes the known issues when you run model-driven apps in a web browser.
Limited copy and paste support in Firefox and Chrome
Copy and paste functionality by using the clipboard is not yet fully supported on the Firefox and Chrome web
browsers; the Copy a Link button at the top of the page may not function as expected.
You receive an error opening an Excel worksheet when you use Safari
If you export an Office Excel worksheet as a Dynamic Worksheet while using Safari, you may receive an error when
trying to open the file. To remedy this, right-click the file, click Get Info , and, under Open With , select Excel.
See Also
Supported web browsers and mobile devices - earlier versions
Web application requirements

This section lists the hardware and software requirements for model-driven apps and mobile device client
applications.

Web application hardware requirements


The following table lists the minimum and recommended hardware requirements for the web application.

Component: Processor
Minimum: 1.9 gigahertz (GHz) x86- or x64-bit dual core processor with SSE2 instruction set
Recommended: 3.3 gigahertz (GHz) or faster 64-bit dual core processor with SSE2 instruction set

Component: Memory
Minimum: 2-GB RAM
Recommended: 4-GB RAM or more

Component: Display
Minimum: Super VGA with a resolution of 1024 x 768
Recommended: Super VGA with a resolution of 1024 x 768

Running model-driven apps on a computer that has less than the recommended requirements may result in
inadequate performance. Additionally, satisfactory performance may be experienced running systems that use a
different hardware configuration than those published here—for example, a system with a modern quad-core
processor, lower clock speed, and more RAM.
Network requirements
Model-driven apps are designed to work best over networks that have the following elements:
Bandwidth greater than 50 KBps (400 kbps)
Latency under 150 ms
Notice that these values are recommendations and don’t guarantee satisfactory performance. The recommended
values are based on systems using out-of-the box forms that aren’t customized. If you significantly customize the
out-of-box forms, we recommend that you test the form response to understand bandwidth needs. More
information: Verify network capacity and throughput for clients

Supported versions of Internet Explorer and Microsoft Edge


The following table describes the Windows and Internet Explorer or Microsoft Edge versions supported for use
with the web application.

Windows version   Internet Explorer 10   Internet Explorer 11 (2)   Microsoft Edge
Windows 10        Not supported (1)      Supported                  Supported
Windows 8.1       Not supported (1)      Supported                  Not supported
Windows 8         Not supported          Not supported (1)          Not supported
Windows 7         Not supported          Supported                  Not supported

(1) This version of Windows doesn’t support the version of Internet Explorer. More information: Internet Explorer 11 – FAQ for IT Pros
(2) Check requirements for individual apps, such as Customer Service Hub application requirements.

IMPORTANT
Although you may be able to use Internet Explorer 8, Internet Explorer 9, or an Internet Explorer and Windows combination
that is not supported in the previous table, those web browsers are not recommended and are not supported with this
version of customer engagement apps.
Using plug-ins or other third-party extensions in your browser can increase load times on pages with lists of data.

Supported non-Internet Explorer web browsers


The web application can run in any of the following web browsers running on the specified operating systems:
Mozilla Firefox (latest publicly-released version) running on Windows 10, Windows 8.1, Windows 8, or
Windows 7
Google Chrome
Google Chrome (latest publicly-released version) running on Windows 10, Windows 8.1, Windows 8,
Windows 7, or Google Nexus tablet
Google Chrome (latest publicly-released version) running on the two latest publicly-released Mac OS
versions
Apple Safari (latest publicly-released version) running on the two latest publicly-released Mac OS versions, or
Apple iPad
To find the latest release for these web browsers, visit the software manufacturer’s website.

IMPORTANT
Using plug-ins or other third-party extensions in your browser can increase load times on pages with lists of data.
Mozilla Firefox ESR (Extended Support Release) versions aren’t supported.

Supported versions of Office


To use customer engagement apps (such as Dynamics 365 Sales and Customer Service) with Microsoft Office
integration features, such as Export to Excel and Mail Merge, you must have one of the following Microsoft Office
versions on the computer that is running the web application:
Microsoft 365
Office 2016
Office 2013
Office 2010
For full Microsoft 365 feature integration with Dynamics 365 and Customer Engagement (on-premises), you'll
need Microsoft 365 Enterprise E3 or later. Skype for Business PSTN calling and conferencing requires Microsoft
365 Enterprise E5. Other Microsoft 365 plans are not supported. For more information on licensing and pricing,
see:
Dynamics 365 pricing
Dynamics 365 Licensing Guide

Printing reports
The Reporting Services Microsoft ActiveX control is required to print reports. If you try to print a report and the
control isn’t installed, you’ll be prompted to install it. The installer package is named RSClientPrint.cab and can be
found on the SQL Server Reporting Services server at
<drive>:\Program files\Microsoft SQL Server\<MSSQL>\Reporting Services\ReportServer\bin.

Transport Layer Security (TLS) requirement


Web browsers and other client applications that use Transport Layer Security (TLS) versions earlier than TLS 1.2
won't be able to connect to their Dynamics 365 (online) environments and the admin center.
For more information, see these blog posts:
Updates coming to connection security
TLS 1.2 support at Microsoft
See also
Supported web browsers and mobile devices
On-premises server cipher suites and TLS requirements

A cipher suite is a set of cryptographic algorithms. This is used to encrypt messages between clients/servers and
other servers.
Before a secure connection is established, the protocol and cipher are negotiated between server and client based
on availability on both sides.
To comply with our security policy for a secure connection, your server must have the following:
1. Transport Layer Security (TLS) 1.2 (or higher) compliance
2. At least one of the following ciphers:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
You may either upgrade the Windows version or update the Windows TLS registry to make sure that your server
endpoint supports one of these ciphers.
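
One way to check an on-premises endpoint against the two requirements above, as an added example that is not from the original documentation: `check_server_config` evaluates an inventory of enabled protocols and cipher suites, and `probe` performs a live TLS 1.2 handshake that offers only the four listed suites. Port 443, the inventory format and the sample inventories are assumptions.

```python
import re
import socket
import ssl

# The four suites listed on the page (IANA names) mapped to the OpenSSL
# names that Python's ssl module expects.
REQUIRED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}
OPENSSL_TO_IANA = {v: k for k, v in REQUIRED_SUITES.items()}
MIN_TLS = (1, 2)


def parse_protocol(label):
    """'TLS 1.2' / 'TLSv1.2' / 'TLSv1' -> (major, minor); SSL labels -> (0, 0)."""
    m = re.fullmatch(r"\s*TLS\s*v?\s*(\d)(?:\.(\d))?\s*", label, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else (0, 0)


def normalise_suite(name):
    """Upper-case and drop the curve suffix (_P256, _P384, _P521) that
    older Windows builds append to ECDHE suite names."""
    return re.sub(r"_P(256|384|521)$", "", name.strip().upper())


def check_server_config(enabled_protocols, enabled_suites):
    """Evaluate an inventory (assumed format: two lists of names)."""
    modern = [p for p in enabled_protocols if parse_protocol(p) >= MIN_TLS]
    legacy = [p for p in enabled_protocols if parse_protocol(p) < MIN_TLS]
    matching = []
    for suite in map(normalise_suite, enabled_suites):
        if suite in REQUIRED_SUITES and suite not in matching:
            matching.append(suite)
    return {
        "compliant": bool(modern) and bool(matching),
        "tls12_or_higher": modern,
        "legacy_protocols": legacy,
        "matching_suites": matching,
    }


def probe(host, port=443, cafile=None, timeout=5.0):
    """Live check: offer TLS 1.2 with only the four listed suites.

    Returns the negotiated protocol and suite, or None when the server
    rejects the handshake. Certificate verification stays on; pass cafile
    for an internal CA. Port 443 is an assumption.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() does not restrict TLS 1.3 suites, so pin the probe to 1.2.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(REQUIRED_SUITES.values()))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name = tls.cipher()[0]
                return {"protocol": tls.version(),
                        "suite": OPENSSL_TO_IANA.get(name, name)}
    except ssl.SSLCertVerificationError:
        raise  # a trust problem, not a protocol or cipher problem
    except (ssl.SSLError, ConnectionResetError):
        return None  # no common protocol version or cipher suite


if __name__ == "__main__":
    # Constructed inventories; probe() is not called so this runs offline.
    samples = {
        "patched": (["TLS 1.0", "TLS 1.2"],
                    ["TLS_RSA_WITH_AES_128_CBC_SHA",
                     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384"]),
        "ecdsa-only": (["TLS 1.2"],
                       ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]),
        "legacy": (["SSL 3.0", "TLS 1.0", "TLS 1.1"],
                   ["TLS_RSA_WITH_AES_128_CBC_SHA"]),
    }
    for label, (protocols, suites) in samples.items():
        print(label, check_server_config(protocols, suites))
```

A `None` result from `probe` means the endpoint refused a TLS 1.2 handshake limited to the listed suites; a certificate error is raised separately so that a trust problem is not mistaken for a cipher problem.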
See also
Connect to Exchange Server (on-premises)
Dynamics 365 Server-side sync
Exchange server TLS guidance
Cipher Suites in TLS/SSL (Schannel SSP)
Manage Transport Layer Security (TLS)
How to enable TLS 1.2
Security in Common Data Service

This section provides information on how Common Data Service, the underlying data platform for Power Apps,
handles security from user authentication to authorization that allows users to perform actions with data and
services. Conceptually, security in Common Data Service is there to ensure users can do the work they need to do
with the least amount of friction, while still protecting the data and services. Security in Common Data Service can
be implemented as a simple security model with broad access all the way to highly complex security models
where users have specific record and field level access.
The following is a high-level overview of how the security model is implemented in Common Data Service.
Users are authenticated by Azure Active Directory (Azure AD).
Licensing is the first control-gate to allowing access to Power Apps components.
Ability to create applications and flows is controlled by security roles in the context of environments.
A user's ability to see and use apps is controlled by sharing the application with the user. Sharing of canvas
apps is done directly with a user or Azure AD group but is still subject to Common Data Service security roles.
Sharing of model-driven apps is done via Common Data Service security roles.
Environments act as security boundaries allowing different security needs to be implemented in each
environment.
Flows and canvas apps use connectors; the specific connection credentials and associated service entitlements
determine permissions when apps use the connectors.
Environments with Common Data Service add support for more advanced security models that are specific to
controlling access to data and services in the Common Data Service environment.

TIP
To learn about how to help secure and govern Power Platform apps like Power Automate, check out the Microsoft Learn:
Introduction to Power Automate security and governance.

See also
What is Common Data Service?
Security concepts in Common Data Service
How access to a record is determined
Data loss prevention policies
Block access by location with Azure AD Conditional Access
Cross-tenant inbound and outbound restrictions
Control user access to environments: security groups and licenses
Governance considerations

Many customers wonder: How can Power Apps and Power Automate be made available to their broader business
and supported by IT? Governance is the answer. It aims to enable business groups to focus on solving business
problems efficiently while complying with IT and business compliance standards. The following content is intended
to structure themes often associated with governing software and bring awareness to capabilities available for each
theme as it relates to governing Power Apps and Power Automate.

Theme / Common questions related to each theme for which this content answers

Theme: Architecture
Questions:
What are the basic constructs and concepts of Power Apps, Power Automate, and Common Data Service?
How do these constructs fit together at design time and runtime?

Theme: Security
Questions:
What are the best practices for security design considerations?
How do I leverage our existing user and group management solutions to manage access and security roles in Power Apps?

Theme: Alert and Action
Questions:
How do I define the governance model between citizen developers and managed IT services?
How do I define the governance model between central IT and the business unit admins?
How should I approach support for non-default environments in my organization?

Theme: Monitor
Questions:
How are we capturing compliance / auditing data?
How can I measure adoption and usage within my organization?

Architecture
It's best to familiarize oneself with Environments as the first step to building the right governance story for your
company. Environments are the containers for all resources utilized by Power Apps, Power Automate and
Common Data Service. Environments Overview is a good primer, which should be followed by What is Common
Data Service?, Types of Power Apps, Microsoft Power Automate, Connectors, and On-premises Gateways.

Security
This section outlines mechanisms that exist to control who can access Power Apps in an environment and access
data: licenses, environments, environment roles, Azure Active Directory, Data Loss Prevention policies and admin
connectors that can be used with Power Automate.
Licensing
Access to Power Apps and Power Automate starts with having a license; the type of license a user has determines
the assets and data a user can access. The following table outlines, at a high level, differences in the resources
available to a user based on their plan type. Granular licensing details can be found in the Licensing overview.

Plan: Microsoft 365 Included
Description: This allows users to extend SharePoint and other Office assets they already have.

Plan: Dynamics 365 Included
Description: This allows users to customize and extend customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), they already have.

Plan: Power Apps plan
Description: This allows:
making enterprise connectors and Common Data Service accessible for use.
users to use robust business logic across application types and administration capabilities.

Plan: Power Apps Community
Description: This allows a user to use Power Apps, Power Automate, Common Data Service and customer connectors in a single for individual use. There is no ability to share apps.

Plan: Power Automate Free
Description: This allows users to create unlimited flows and perform 750 runs.

Plan: Power Automate plan
Description: See Microsoft Power Apps and Microsoft Power Automate Licensing Guide.

Environments
After users have licenses, environments exist as containers for all resources utilized by Power Apps, Power
Automate and Common Data Service. Environments can be used to target different audiences and/or for different
purposes such as developing, testing and production. More information can be found in the Environments
Overview.
Secure your data and network
Power Apps and Power Automate do not provide users with access to any data assets that they don't already
have access to. Users should only have access to data that they really require access to.
Network Access control policies can also apply to Power Apps and Power Automate. For example, one can
block access to a site from within a network by blocking the sign-on page to prevent connections to that site
from being created in Power Apps and Power Automate.
In an environment, access is controlled at three levels: Environment roles, Resource permissions for Power Apps,
Power Automate, etc., and Common Data Service security roles (if a Common Data Service database is
provisioned).
When Common Data Service is created in an environment the Common Data Service roles will take over for
controlling security in the environment (and all environment admins and makers are migrated).
The following principals are supported for each role type.
Environment type: Environment without Common Data Service
Role: Environment role. Principal type (Azure AD): User, group, tenant
Role: Resource permission: Canvas app. Principal type (Azure AD): User, group, tenant
Role: Resource permission: Power Automate, Custom Connector, Gateways, Connections (1). Principal type (Azure AD): User, group

Environment type: Environment with Common Data Service
Role: Environment role. Principal type (Azure AD): User
Role: Resource permission: Canvas app. Principal type (Azure AD): User, group, tenant
Role: Resource permission: Power Automate, Custom Connector, Gateways, Connections (1). Principal type (Azure AD): User, group
Role: Common Data Service role (applies to all model-driven apps and components). Principal type (Azure AD): User

(1) Only certain connections (like SQL) can be shared.

NOTE
In the Default environment, all users in a tenant are granted access to the Environment Maker role.
Azure AD tenant Global Administrators have admin access to all environments.

FAQ - What permissions exist at an Azure AD tenant level?


Today, Power Platform admins can perform the following:
1. Download the Power Apps & Power Automate license report
2. Create DLP policy scoped only to 'All Environments' or scoped to include/exclude specific environments
3. Manage and assign licenses via Office admin center
4. Access all environment, app, and flow management capabilities for all environments in the tenant available
through:
Power Apps Admin PowerShell cmdlets
Power Apps management connectors
5. Access the Power Apps and Power Automate admin analytics for all environments in the tenant:
https://aka.ms/paadminanalytics
https://aka.ms/flowadminanalytics
Consider Microsoft Intune
Customers with Microsoft Intune can set mobile application protection policies for both Power Apps and Power
Automate apps on Android and iOS. This walkthrough highlights setting a policy via Intune for Power Automate.
Consider location-based conditional access
For customers with Azure AD Premium, conditional access policies can be defined in Azure for Power Apps and
Power Automate. This allows granting or blocking access based upon: user/group, device, location.
Creating a Conditional Access Policy
1. Sign in to https://portal.azure.com
2. Select Azure Active Directory
3. Select Conditional Access
4. Select + New Policy
5. Select user and groups
6. Select the cloud apps - select Common Data Service to control access to customer engagement apps
7. Apply conditions (user/group, device, location)
Prevent data leakage with data loss prevention policies
Data loss prevention (DLP) policies enforce rules for which connectors can be used together by classifying
connectors as either Business Data only or No Business Data allowed. Simply put, if you put a connector in the
Business Data only group, it can only be used with other connectors from that group in the same application.
Power Platform admins can define policies that apply to all environments.
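The grouping rule described above, as an added Python example that is not part of the original page: it audits a constructed inventory of apps and flows against DLP policies and reports every resource whose connectors span both groups. The dictionary layout, the scope keywords ("all", "include", "exclude") and the default group for unlisted connectors are assumptions made for the illustration.

```python
BUSINESS = "Business Data only"
NON_BUSINESS = "No Business Data allowed"


def policy_applies(policy, environment):
    """Decide whether a policy's scope covers an environment."""
    scope, listed = policy["scope"], policy.get("environments", set())
    if scope == "all":
        return True
    if scope == "include":
        return environment in listed
    if scope == "exclude":
        return environment not in listed
    raise ValueError(f"unknown scope: {scope!r}")


def groups_used(connectors, policy):
    """Map each DLP group to the resource's connectors that fall into it."""
    used = {}
    for name in connectors:
        # Assumption: a connector the policy does not list falls into its default group.
        group = policy["groups"].get(name, policy["default_group"])
        used.setdefault(group, []).append(name)
    return used


def audit(resources, policies):
    """Return one finding per (resource, policy) pair that mixes the two groups."""
    findings = []
    for res in resources:
        for policy in policies:
            if not policy_applies(policy, res["environment"]):
                continue
            used = groups_used(res["connectors"], policy)
            if BUSINESS in used and NON_BUSINESS in used:
                findings.append({
                    "resource": res["name"],
                    "environment": res["environment"],
                    "policy": policy["name"],
                    "business": used[BUSINESS],
                    "non_business": used[NON_BUSINESS],
                })
    return findings


# Constructed policies and inventory (hypothetical names, not exported from a tenant).
POLICIES = [
    {"name": "Tenant baseline", "scope": "exclude", "environments": {"Dev Sandbox"},
     "groups": {"SharePoint": BUSINESS, "SQL Server": BUSINESS, "Microsoft Teams": BUSINESS},
     "default_group": NON_BUSINESS},
    {"name": "Finance lockdown", "scope": "include", "environments": {"Finance"},
     "groups": {"SharePoint": BUSINESS, "SQL Server": BUSINESS},
     "default_group": NON_BUSINESS},
]
INVENTORY = [
    {"name": "Expense approvals", "environment": "Finance",
     "connectors": ["SharePoint", "SQL Server"]},
    {"name": "Team notifier", "environment": "Finance",
     "connectors": ["SharePoint", "Microsoft Teams"]},
    {"name": "Tweet archive", "environment": "Default",
     "connectors": ["Twitter", "SharePoint"]},
    {"name": "Dropbox sync test", "environment": "Dev Sandbox",
     "connectors": ["Dropbox", "SharePoint"]},
]

if __name__ == "__main__":
    for f in audit(INVENTORY, POLICIES):
        print(f"{f['resource']} ({f['environment']}) violates {f['policy']}: "
              f"{f['business']} mixed with {f['non_business']}")
```

The same resource can pass one policy and fail another, which is why the audit reports findings per policy rather than per resource.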
FAQ
Q: Can I control, on the tenant level, which connectors are available at all (e.g., no to Dropbox or Twitter but yes
to SharePoint)?
A: This is not possible. Customers can subscribe to Audit events to perform corrective action if there are flows that
have been built that create concerns for customers. In fact, a very large Power Apps customer has leveraged this
approach to apply another level of governance.
Q: What about sharing connectors between users? E.g., the connector for Teams is a general one that can be
shared?
A: Connectors are available to all users, with the exception of premium or custom connectors, which need either an
additional license (premium connectors) or have to be explicitly shared (custom connectors).

Alert and action


In addition to monitoring, many customers want to subscribe to software creation, usage or health events so they
know when to perform an action. This section outlines a few means to observe events (manually and
programmatically) and perform actions triggered by an event occurrence.
Build Power Automate flows to alert on key audit events
1. An example of alerting that can be implemented is subscribing to Microsoft 365 Security and Compliance Audit
Logs.
2. This can be achieved through either a webhook subscription or polling approach. However, by attaching Power
Automate to these alerts, we can provide administrators with more than just email alerts.
Build the policies you need with Power Apps, Power Automate, and PowerShell
1. These PowerShell cmdlets place full control in the hands of admins to automate the governance policies
necessary.
2. The Management connectors provide the same level of control but with added extensibility and ease of use by
leveraging Power Apps and Power Automate.
3. The following Power Automate templates for administration connectors exist for ramping up quickly:
a. List new Power Automate Connectors
b. Get List of new Power Apps, Power Automate flows and Connectors
c. Email me a weekly summary of Office 365 Message Center notices
d. Access Office 365 Security and Compliance Logs from Power Automate
4. Use this blog and app template to ramp up quickly on the administration connectors.
5. Additionally, it's worth checking out content shared in the Community Apps Gallery. Here's another example of
an administrative experience built using Power Apps and admin connectors.
FAQ
Problem: Currently, all users with Microsoft E3 licenses can create apps in the Default environment. How can we
grant Environment Maker rights to a select group, for example, 10 persons, to create apps?
Recommendation: The PowerShell cmdlets and Management connectors provide full flexibility and control to
administrators to build the policies they want for their organization.

Monitor
It's well understood that monitoring is a critical aspect of managing software at scale. This section highlights a
couple of ways to get insight into Power Apps and Power Automate development and usage.
Review the audit trail
Activity logging for Power Apps is integrated with Office Security and Compliance center for comprehensive
logging across Microsoft services like Common Data Service and Microsoft 365. Office provides an API to query
this data, which is currently used by many SIEM vendors to use the Activity Logging data for reporting.
View the Power Apps and Power Automate license report
1. Go to the Power Platform admin center.
2. Select Analytics > Power Automate or Power Apps.
3. View Power Apps and Power Automate admin analytics
You can get information about the following:
Active User and App usage - how many users are using an app and how often?
Location – where is the usage?
Service Performance of connectors
Error reporting – which are the most error prone apps
Flows in use by type and date
Flows created by type and date
Application-level auditing
Service Health
Connectors used
View what users are licensed
You can always look at individual user licensing in the Microsoft 365 admin center by drilling into specific users.
You can also use the following PowerShell command to export assigned user licenses.

Get-AdminPowerAppLicenses -OutputFilePath '<licenses.csv>'

Exports all the assigned user licenses (Power Apps and Power Automate) in your tenant into a tabular view .csv file.
The exported file contains both self-service sign up internal trial plans as well as plans that are sourced from Azure
Active Directory. The internal trial plans are not visible to admins in the Microsoft 365 admin center.
The export can take a while for tenants with a large number of Power Platform users.
View app resources used in an Environment
1. In the Power Platform admin center, select Environments in the navigation menu.
2. Select an Environment.
3. Optionally, the list of resources used in an Environment may be downloaded as a .csv.
Security concepts in Common Data Service
10/16/2020 • 8 minutes to read

One of the key features of Common Data Service is its rich security model that can adapt to many business usage
scenarios. This security model is only in play when there is a Common Data Service database in the environment.
As an administrator, you likely won't be building the entire security model yourself, but will often be involved in
the process of managing users and making sure they have the proper configuration as well as troubleshooting
security access related issues.

Role based security


Common Data Service uses role-based security to group together a collection of privileges. These security roles
can be associated directly to users, or they can be associated with Common Data Service teams and business
units. Users can then be associated with the team, and therefore all users associated with the team will benefit
from the role. A key concept of Common Data Service security to understand is all privilege grants are
accumulative with the greatest amount of access prevailing. Simply put, if you gave broad organization level read
access to all contact records, you can’t go back and hide a single record.

Business Units
Business units work in conjunction with security roles to determine the effective security that a user has. Business
units are a security modeling building block that helps in managing users and the data they can access. Business
units define a security boundary. Every Common Data Service database has a single root business unit.
You can create child business units to help further segment your users and data. Every user assigned to a
Common Data Service environment will belong to a business unit. While business units could be used to model
a true organization hierarchy 1:1, more often they are simply defined as security boundaries that help
achieve the security model needs.
To better understand, let’s look at the following example. We have three business units. Woodgrove is the root
business unit and will always be at the top; that is unchangeable. We have created two other child business units,
A and B. Users in these business units have very different access needs. When we associate a user with this
Common Data Service environment, we can set the user to be in one of these three business units. Where the
user is associated will determine which business unit owns the records that user is the owner of. Having that
association allows us to tailor a security role to allow the user to see all records in that business unit.

Entity/Record Ownership
Common Data Service supports two types of record ownership: Organization owned, and User or Team owned.
This is a choice that happens at the time the entity is created and can’t be changed. For security purposes, for
records that are organization owned, the only access level choice is whether the user can perform the operation or
can’t. For user and team owned records, the access level choices for most privileges are tiered: Organization,
Business Unit, Business Unit and Child Business Unit, or only the user’s own records. That means for the Read
privilege on Contact, I could set the user-owned level, and the user would only see their own records.
To give another example, let’s say User A is associated with Division A, and we give them Business Unit level Read
access on Contact. They would be able to see Contact #1 and #2 but not Contact #3.
When you configure or edit security role privileges you are setting the access level for each option. The following
is an example of the Security Role privilege editor.

In the above you can see the standard privilege types for each entity Create, Read, Write, Delete, Append, Append
To, Assign and Share. You can edit each of these individually. The visual display of each will match the key below
as to what level of access you have granted.

In the above example, we have given organization level access to Contact, which means that the user in Division A
could see and update contacts owned by anyone. In fact, one of the most common administrative mistakes is
getting frustrated with permissions and just over-granting access. Very quickly a well-crafted security model
starts looking like Swiss cheese (full of holes!).

Teams
Teams are another important security building block. Teams are owned by a Business Unit. Every Business Unit
has one default team that is automatically created when the Business Unit is created. The default team members
are managed by Common Data Service and always contain all users associated with that Business Unit. You can’t
manually add or remove members from the default team; they are dynamically adjusted by the system as new
users are associated/disassociated with business units
(https://docs.microsoft.com/power-platform/admin/create-edit-business-units). There are two types of teams:
owning teams and access teams. Owning Teams can own records, which gives any team member direct access to that
record. Users can be members of multiple teams. This makes teams a powerful way of granting permissions to users
in a broad way without micromanaging access at the individual user level. Access teams are discussed below as part
of Record Sharing.

Record Sharing
Individual records can be shared on a one-by-one basis with another user. This is a powerful way of handling
exceptions that don’t fall into the record ownership or member of a business unit access model. It should be an
exception though, because it is a less performant way of controlling access. Sharing is tougher to troubleshoot
because it is not a consistently implemented access control. Sharing can be done at both the user and team level.
Sharing with a team is a more efficient way of sharing. A more advanced concept of sharing is with Access Teams,
which provide auto creation of a team and sharing of record access with the team based on an Access Team
Template (template of permissions) which is applied. Access teams can also be used without the templates, with
just manual add/remove of their members. Access teams are more performant because they don’t allow owning
records by the team or having security roles assigned to the team. Users get access because the record is shared
with the team and the user is a member.
Record-level security in Common Data Service
You might be wondering – what determines access to a record? That sounds like a simple question, but for any
given user it is the combination of all their security roles, the business unit they are associated with, the teams
they are members of, and the records that are shared with them. The key thing to remember is all access is
accumulative across all those concepts in the scope of a Common Data Service database environment. These
entitlements are only granted within a single database and are individually tracked in each Common Data Service
database. This all of course requires they have an appropriate license to access Common Data Service.
Field-level security in Common Data Service
Sometimes record-level control of access is not adequate for some business scenarios. Common Data Service has
a field-level security feature to allow more granular control of security at the field level. Field-level security can be
enabled on all custom fields and most system fields. Most system fields that include personally identifiable
information (PII) are capable of being individually secured. Each field’s metadata defines if that is an available
option for the system field.
Field-level security is enabled on a field-by-field basis. Access is then managed by creating a Field Security Profile.
The profile contains all fields that have field-level security enabled and the access granted by that specific profile.
Each field can be controlled within the profile for Create, Update and Read access. Field Security Profiles are then
associated with a user or Teams to grant those privileges to the users on the records they already have access to.
It’s important to note that field-level security has nothing to do with record-level security; a user must already
have access to the record for the Field Security Profile to grant them any access to the fields. Field-level security
should be used as needed and not excessively, as it can add overhead that is detrimental if overused.
Managing Security Across Multiple Environments
Security roles and Field Security Profiles can be packaged up and moved from one environment to the next using
Common Data Service solutions. Business Units and Teams must be created and managed in each Common Data
Service environment along with the assignment of users to the necessary security components.
Configuring Users Environment Security
Once roles, teams and business units are created in an environment it is time to assign the users their security
configurations. First, when you create a user you will associate the user with a business unit. By default, this is the
root business unit in the organization. They are also added to the default team of that business unit.
In addition, you would assign any security roles that user needs. You would also add them as members of any
teams. Remember teams can also have security roles, so the effective rights of the user are the combination of
directly assigned security roles and those of any teams they are members of. Security is always
additive, offering the least restrictive permission of any of their entitlements. The following is a good walkthrough
of configuring environment security.
If you have used field-level security, you would need to associate the user or a team of the user to one of the Field
Security Profiles you created.
Security is a complex topic and is best accomplished as a joint effort between the application makers and the
team administering the users' permissions. Any major changes should be coordinated well in advance of
deploying the changes into the environment.
See also
Configure environment security
System and application users
10/16/2020 • 3 minutes to read

There is a list of special system and application users that is created when the system is provisioned. Special
system users are created for integration and support scenarios. Application users are created during system
provisioning for setup and configuration management. Application users can also be used for performing back-end
services.
Most of these users are hidden from user views, but they can be found by using the Advanced Find on the Users
entity. Do not delete or modify these users, including changing or reassigning their security roles.

| User type | Full name | User name | Purpose | Security role assigned |
|---|---|---|---|---|
| System | SYSTEM | n/a | See below | n/a |
| | Support user | crmoln@microsoft.com | To allow Microsoft support staff to have restricted/limited access to any customer environment for customer support | Support user (does not have privilege to customer data) |
| | Delegated admin | crmoln2@microsoft.com | See For partners: the Delegated admin | System admin |
| Application | Business Application Platform Service account | bap_sa@microsoft.com | To setup Power Apps system and configurations | System admin |
| | Dynamics 365 Athena-CDStoAzuredatalake | Dynamics365Athena-CDStoAzuredatalake@onmicrosoft.com | Service application to perform data integration between Common Data Service to Azure Data Lake | DataLakeWorkspaceAppAccess |
| | Dynamics 365 Athena2-CDStoAzuredatalake | Dynamics365Athena2-CDStoAzuredatalake@onmicrosoft.com | Service application to perform data integration between Common Data Service to Azure Data Lake | DataLakeWorkspaceAppAccess |
| | Dynamics 365 EnterpriseSales-CDStoAzuredatalake | Dynamics365EnterpriseSales-CDStoAzuredatalake@onmicrosoft.com | Service application to perform data integration between Common Data Service (Sales) to Azure Data Lake | N/A |
| | # SIAutoCapture | SIAutoCapture@onmicrosoft.com | To be used for Auto Capture solution business requirements to perform data query and execute plugins from backend services. | SalesInsights AutoCapture Admin |
| | # SalesInsights | SalesInsights@onmicrosoft.com | To allow Sales Insights to communicate with Common Data Service and Azure Data Lake for analysis and data updates. | Relationship Insights Admin and EAC App Access |
| | Microsoft Project | Project@microsoft.com | Allow Project for the Web and Roadmap Service to communicate with Common Data Service | Project System and Portfolio User |
| | Power Apps Checker Application | Pacheckerapp@microsoft.com | To perform static analysis of Power Apps solutions to assist in identifying performance and stability risks | Export customizations and Solution checker |
| | Powerqueryonline-CDStoAzuredatalake | Powerqueryonline-CDStoAzuredatalake@onmicrosoft.com | Service application to perform data query between Common Data Service and Azure Data Lake | N/A |
| | Provision User | provisionapp@fabrikam.com | To perform Application installation from AppSource or System updates from Microsoft | System admin |
| | DataLakeStorage | DataLakeStorage@onmicrosoft.com | To allow solutions to manage workspaces, workspace permissions and the discovery of workspaces. | DataLakeWorkspaceAppAccess |

The purpose of the system account?


The System user is a built-in user account that is used to allow customers to perform system updates via plug-
ins.
The primary usage of this user account is to meet special business requirements that require elevation of
privileges; for example, running background processes to integrate with other applications.
It can also be used to handle rollup scenarios where individual users do not have the required privilege. For
example, the priority of a Case is automatically set to the highest priority of an individual user’s tasks and
individual users can only update their own task priority but not the Case priority.
Technical details on permissions?
This user account can perform any actions and has all system privileges.
Records created/updated by this user account are audited.
Technical details on the security?
This user account cannot sign in to Dynamics 365 apps.
Administrators have the option to use this user account when registering their plug-ins.
This user account does not have a mailbox, so they cannot be used to send or receive emails.
The details of this user account cannot be modified from the User Form interface.
This user account does not show up in any views.
The purpose of the application users?
The application user is a built-in user account that is used to perform integration and system back-end service
to support a particular feature.
Since these are built-in user accounts, they cannot be updated. The security role that is assigned to these
accounts cannot be updated either. This is to prevent any service outages.
Configure user security to resources in an
environment
10/16/2020 • 7 minutes to read

Common Data Service uses a role-based security model to help secure access to the database. This topic
explains how to create the security artifacts that you must have to help secure resources in an environment.
Security roles can be used to configure environment-wide access to all resources in the environment, or to
configure access to specific apps and data in the environment. Security roles control a user's access to an
environment's resources through a set of access levels and permissions. The combination of access levels and
permissions that are included in a specific security role governs the limitations on the user's view of apps and
data, and on the user's interactions with that data.
An environment can have zero or one Common Data Service database. The process for assigning security roles
for environments that have no Common Data Service database differs from that for an environment that does
have a Common Data Service database.

Predefined security roles


Environments include predefined security roles that reflect common user tasks with access levels defined to
match the security best-practice goal of providing access to the minimum amount of business data required to
use the app.
These security roles can be assigned to the user, owner team and group team.
There is another set of security roles that is assigned to application users. Those security roles are installed by
our services and cannot be updated.

| Security role | Database privileges* | Description |
|---|---|---|
| Environment Admin | Create, Read, Write, Delete, Customizations, Security Roles | The Environment Admin role can perform all administrative actions on an environment, including the following: Add or remove a user from either the Environment Admin or Environment Maker role. Provision a Common Data Service database for the environment. After a database is provisioned, the System Customizer role should also be assigned to an Environment Admin to give them access to the environment's data. View and manage all resources created within an environment. Set data loss prevention policies. More information: Data loss prevention policies |
| Environment Maker | Customizations | Can create new resources associated with an environment, including apps, connections, custom APIs, gateways, and flows using Microsoft Power Automate. However, this role doesn't have any privileges to access data within an environment. More information: Environments overview |
| System Administrator | Create, Read, Write, Delete, Customizations, Security Roles | Has full permission to customize or administer the environment, including creating, modifying, and assigning security roles. Can view all data in the environment. More information: Privileges required for customization |
| System Customizer | Create (self), Read (self), Write (self), Delete (self), Customizations | Has full permission to customize the environment. However, users with this role can only view records for environment entities that they create. More information: Privileges required for customization |
| Common Data Service User | Read (self), Create (self), Write (self), Delete (self) | Can run an app within the environment and perform common tasks for the records that they own. Note that this only applies to non-custom entities. More information: Create or configure a custom security role |
| Delegate | Act on behalf of another user | Allows code to impersonate, or run as another user. Typically used with another security role to allow access to records. More information: Impersonate another user |
| Support User | Read Customizations, Read Business Management settings | Has full Read permission to customization and business management settings to allow Support staff to troubleshoot environment configuration issues. Does not have access to core records. |

*The scope of these privileges is global, unless specified otherwise.


NOTE
Environment Maker and Environment Admin are the only predefined roles for environments that have no Common
Data Service database.
The Environment Maker role can create resources within an environment, including apps, connections, custom
connectors, gateways, and flows using Power Automate. Environment makers can also distribute the apps they build
in an environment to other users in your organization. They can share the app with individual users, security groups,
or all users in the organization. More information: Share an app in Power Apps
For users who make apps that connect to the database and need to create or update entities and security roles, you
need to assign the System Customizer role in addition to the Environment Maker role. This is necessary because the
Environment Maker role doesn't have privileges on the environment's data.
If the environment has a Common Data Service database, a user must be assigned the System Administrator role
instead of the Environment Admin role for full admin privileges, as described in the preceding table.

Assign security roles to users in an environment that has no Common
Data Service database
A user who already has the Environment Admin role in the environment can take these steps.

NOTE
Roles can be assigned to owner teams and Azure AD group teams, in addition to individual users.

1. Sign in to the Power Platform admin center.
2. Select Environments > [select an environment].
3. In the Access tile, select See all for Environment admin or Environment maker to add or remove
people for either role.
4. Specify the names of one or more users or security groups from Azure AD, or specify that you want to
add your entire organization.
Assign security roles to users in an environment that has a Common
Data Service database
Verify that the user you want to assign a security role to is present in the environment. If not, add the user to
the environment. You'll be able to assign a security role as part of the process of adding the user. More
information: Add users to an environment
In general, a security role can only be assigned to users who are in the Enabled state. But if you need to assign a
security role to users in the Disabled state, you can do so by enabling
allowRoleAssignmentOnDisabledUsers in OrgDBOrgSettings.
To add a security role to a user who is already present in an environment:
1. Sign in to the Power Platform admin center.
2. Select Environments > [select an environment] > Settings > Users + permissions > Users.
3. Select Manage users in Dynamics 365.
4. Select the user from the list of users in the environment, and then select Manage roles.
5. Assign one or more security roles to the user.
6. Select OK.

Create or configure a custom security role


If your app uses a custom entity, its privileges must be explicitly granted in a security role before your app can
be used. You can either add these privileges in an existing security role or create a custom security role.

NOTE
Every security role must include a minimum set of privileges before it can be used. These are described later in this
article.

TIP
The environment might maintain the records that can be used by multiple apps; therefore, you might need multiple
security roles to access the data by using different privileges. For example:
Some users (call them Type A) might only need to read, update, and attach other records, so their security role will
have read, write, and append privileges.
Other users might need all the privileges that Type A users have, plus the ability to create, append to, delete, and
share. The security role for these users will have create, read, write, append, delete, assign, append to, and share
privileges.

For more information about access and scope privileges, see Security roles and privileges.
1. Sign in to the Power Platform admin center, and select the environment for which you want to update a
security role.
2. Select the environment's URL.
3. If you see published apps and tiles, select the gear icon in the upper-right corner, and then select
Advanced settings.
4. In the menu bar, select Settings > Security.
5. Select Security roles.
6. Select New.
7. From the security role designer, enter a role name on the Details tab. From the other tabs, you'll select
the actions and the scope for performing that action.
8. Select a tab, and search for your entity. For example, select the Custom Entities tab to set permissions
on a custom entity.
9. Select the privileges Read, Write, Append.
10. Select Save and Close.

Minimum privileges to run an app


When you create a custom security role, you need to include a set of minimum privileges into the security role
in order for a user to run an app. We've created a solution you can import that provides a security role that
includes the required minimum privileges.
Start by downloading the solution from the Download Center: Common Data Service minimum privilege
security role.
Then, follow these directions to import the solution: Import solutions.
When you import the solution, it creates the min prv apps use role, which you can copy (see: Create a
security role by Copy Role). When the Copy Role process is completed, navigate to each tab (Core Records,
Business Management, Customization, and so on) and set the appropriate privileges.

IMPORTANT
You should try out the solution in a development environment before importing it into a production environment.

See also
Grant users access
Control user access to environments: security groups and licenses
How access to a record is determined
How access to a record is determined
10/16/2020 • 7 minutes to read

There are different ways to obtain access to a particular record in customer engagement apps (Dynamics 365
Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation). To be able to do a certain action with an entity (Create, Read, Write, Delete, Append,
Append to, Assign, Share), two major checks are done: privilege and access checks. The access check only takes
place once the privilege check passes.

Privilege check
The privilege check is the first barrier that needs to be passed in order to do a certain action with a record of an
entity. The privilege checks validate that the user has the required privilege for that entity. For each entity, whether
out of the box or custom, there exist different privileges to provide interaction capabilities with the records of that
type.
For example, for Account, the privileges are:

| Privilege | Description |
|---|---|
| Create | Required to make a new record. Which records can be created depends on the access level of the permission defined in your security role. |
| Read | Required to open a record to view the contents. Which records can be read depends on the access level of the permission defined in your security role. |
| Write | Required to make changes to a record. Which records can be changed depends on the access level of the permission defined in your security role. |
| Delete | Required to permanently remove a record. Which records can be deleted depends on the access level of the permission defined in your security role. |
| Append | Required to associate the current record with another record. For example, a note can be attached to an opportunity if the user has Append rights on the note. The records that can be appended depend on the access level of the permission defined in your security role. In the case of many-to-many relationships, you must have Append privileges for both entities being associated or disassociated. |
| Append To | Required to associate a record with the current record. For example, if a user has Append To rights on an opportunity, the user can add a note to the opportunity. The records that can be appended to depend on the access level of the permission defined in your security role. |
| Assign | Required to give ownership of a record to another user. Which records can be assigned depends on the access level of the permission defined in your security role. |
| Share | Required to give access to a record to another user while keeping your own access. Which records can be shared depends on the access level of the permission defined in your security role. |

In order to perform an action on a record, the user either needs to have the required privilege assigned through a
role directly, or needs to be a member of a team that has a security role with the privilege assigned. If this is not the
case, then the user will get an access denied error stating that they do not hold the necessary privilege to perform
the action.
For example, in a scenario where a user wants to create an Account record, it is necessary that the user has the
Create privilege either through a security role assigned to them or to a team they belong to.

NOTE
When creating or editing a security role, a privilege is granted to that role with a given access level. The access level is not
taken into account in the privilege check; it is evaluated in the access check, once the privilege check has passed.

Access check
If the privilege check is passed, then the access check takes place. The access check verifies that the user has the
required rights to perform the action they are trying to do.
There are four different ways in which a user can have access rights to perform an action on a particular record.
These are:
Ownership
Role access
Shared access
Hierarchy access

IMPORTANT
All of these are checked during the access check so it is possible that the user has access to perform the required action on
the record in more than one way.

Ownership
A user can have access to a particular record because either they own the record in question or they belong to a
team that owns the record. In both cases, any access level will suffice to have access regardless of the business unit
the record belongs to. As the privilege check was already passed, this means the user has appropriate access to
perform the action.

NOTE
In case the user belongs to a team that owns the record, the user has access to the record as well.

Role access
Users can have access to perform an action on a record because of the security roles they hold. In this case, the
access level of the privilege a role has is taken into account. There are four major scenarios that correspond to the
different access levels that are not User, which is covered in the ownership case.
The record belongs to the user or a team the user belongs to
In this case, the user must either have or belong to a team that has a role assigned that has the required privilege
with at least User-level access.

NOTE
For roles assigned to teams with Basic-level access user privilege, the role's inheritance configuration also comes into play. If
the team has the Member's privilege inheritance set to Team privileges only, then the user will only be able to make use
of that privilege for records owned by the team. For more information, go to Team member's privilege inheritance.

The record belongs to the same business unit as the user


In this case, the user must either have or belong to a team that has a role assigned that has the required privilege
with at least Business Unit-level access.
The record belongs to a business unit that is a descendant of the user's business unit
In this case, the user must either have or belong to a team that has a role assigned that has the required privilege
with at least the access level Parent:Child Business Units.
The record belongs to a business unit that is not a descendant of the user's business unit
In this case, the user must either have or belong to a team that has a role assigned that has the required privilege
with Organization-level access.
Shared access
Another way to get access to a record without having an explicit role assigned that allows this is through shared
access. Shared access is obtained when a record is shared with a user, team, or organization by a user that has
appropriate share rights. There are five ways in which a user can have shared access to a record.
The record was shared with the user directly
If a record is shared with the user to perform a certain action, then the user would have access to do that action
provided the user passed the privilege check.
A related record was shared with the user directly
The following scenario takes place when a record A is related to a record B. If the user has shared access to
perform a certain action on record A, the user would then have inherited access to perform the same action on
record B, provided the user passed the privilege check.
The record was shared with a team that the user belongs to
If a record is shared with a team to perform a set of actions, then the users that belong to that team would have
access to do those actions provided they passed the privilege check.
A related record was shared with a team that the user belongs to
The following scenario takes place when a record A is related to a record B. If record A is shared with a team to
perform a set of actions, and record A is related to record B, then the users that belong to that team would have
access to do those actions in both records A and B, provided they passed the privilege check.
The record was shared with the entire organization
If a record is shared with an organization to perform a set of actions, then all the users that belong to that
organization will be able to perform those actions provided they passed the privilege check.
Hierarchy access
The hierarchy access only takes place if Hierarchy Security management is enabled in that organization and for
that entity, and if the user is a manager.
In this case, the user would have access to the record if both of the following are met:
The manager has a security role assigned directly or through a team that has the access level Business Unit or
Parent:Child Business Units.
Plus, any one of the following:
The record is owned by a direct report.
A direct report is a member of the owner team.
The record was shared to perform the required action with a direct report.
The record was shared to perform the required action with a team a direct report belongs to.
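The two-stage decision described above, as an added example (a simplified model written for this page, not product code). The class names, the business unit tree and the sample users are assumptions; related-record sharing and the team privilege inheritance setting are not modelled.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Access levels of a privilege in a security role, least to most permissive."""
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3      # Parent:Child Business Units
    ORGANIZATION = 4


@dataclass(eq=False)      # principals are compared by identity
class Principal:
    """A user or a team (hypothetical, simplified model)."""
    name: str
    business_unit: str
    roles: dict = field(default_factory=dict)     # privilege -> Level
    teams: list = field(default_factory=list)     # teams a user belongs to
    reports: list = field(default_factory=list)   # direct reports, if a manager


@dataclass(eq=False)
class Record:
    owner: Principal                              # owning user or team
    business_unit: str
    shares: dict = field(default_factory=dict)    # principal name -> shared privileges


ORG = "<organization>"    # share target meaning "the entire organization"
# Constructed business unit tree, child -> parent.
BU_PARENT = {"Root": None, "Sales": "Root", "Sales-EU": "Sales", "Service": "Root"}


def is_descendant(bu, ancestor):
    """True if `bu` sits anywhere below `ancestor` in the business unit tree."""
    parent = BU_PARENT.get(bu)
    while parent is not None:
        if parent == ancestor:
            return True
        parent = BU_PARENT.get(parent)
    return False


def role_levels(user, privilege):
    """Access levels held for a privilege through the user's roles or team roles."""
    return [p.roles[privilege] for p in (user, *user.teams) if privilege in p.roles]


def shared_with(record, principal, privilege):
    """True if the record is shared for this privilege with the principal or one of its teams."""
    names = [principal.name] + [t.name for t in principal.teams]
    return any(privilege in record.shares.get(n, ()) for n in names)


def access_paths(user, record, privilege, hierarchy_security=False):
    """Return None if the privilege check fails, else every way access is granted.

    An empty list means the privilege check passed but the access check failed.
    """
    levels = role_levels(user, privilege)
    if not levels:                       # privilege check: the access level is ignored here
        return None
    paths = []
    # Ownership: the user, or a team the user belongs to, owns the record.
    if record.owner is user or record.owner in user.teams:
        paths.append("ownership")
    # Role access: the required level depends on where the record's business unit sits.
    if record.business_unit == user.business_unit:
        needed = Level.BUSINESS_UNIT
    elif is_descendant(record.business_unit, user.business_unit):
        needed = Level.PARENT_CHILD
    else:
        needed = Level.ORGANIZATION
    if max(levels) >= needed:
        paths.append("role")
    # Shared access: directly, through a team, or with the whole organization.
    if shared_with(record, user, privilege) or privilege in record.shares.get(ORG, ()):
        paths.append("shared")
    # Hierarchy access: a manager holding a Business Unit or Parent:Child level role, plus a
    # direct report who owns the record, is in the owner team, or has the record shared.
    if hierarchy_security and user.reports and any(
            lvl in (Level.BUSINESS_UNIT, Level.PARENT_CHILD) for lvl in levels):
        if any(record.owner is r or record.owner in r.teams
               or shared_with(record, r, privilege) for r in user.reports):
            paths.append("hierarchy")
    return paths


# Constructed sample data.
eu_team = Principal("EU Team", "Sales-EU")
bob = Principal("bob", "Sales-EU", roles={"Read": Level.USER}, teams=[eu_team])
alice = Principal("alice", "Sales", roles={"Read": Level.BUSINESS_UNIT}, reports=[bob])
carol = Principal("carol", "Service")             # holds no Read privilege at all
bob_account = Record(owner=bob, business_unit="Sales-EU", shares={"carol": {"Read"}})

if __name__ == "__main__":
    for who in (bob, alice, carol):
        print(who.name, access_paths(who, bob_account, "Read"))
    print("alice as manager", access_paths(alice, bob_account, "Read", True))
```

Carol's result shows why the order of the checks matters: the record is shared with her, but without the Read privilege in any role she never reaches the access check.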
See also
Security roles and privileges
Create users and assign security roles
Create or edit a security role to manage access
Email exfiltration controls for connectors
10/16/2020 • 2 minutes to read

Microsoft Exchange allows admins to disable email auto-forwards and auto-replies to remote domains (external
recipients) by using specific message type headers such as ‘Auto-forward’ received from Outlook and Outlook on
the web clients.
Similarly, Power Platform has the inbuilt ability to insert specific SMTP headers in emails sent through Power
Automate and Power Apps using the Microsoft 365 Exchange/Outlook connector. These SMTP headers can now be
used to set up appropriate exfiltration (unauthorized transfer of data from one device to another) rules in Exchange
for outbound emails.
For more details on the Microsoft 365 Outlook connector, see: SMTP headers.

Block exfiltration of forwarded emails


Admins can set up Exchange mail flow rules to monitor or block emails sent by Power Automate and/or Power
Apps using the Microsoft 365 Outlook connector. The format of the SMTP header sent by Power Platform is as
follows. A reserved word ‘Microsoft Power Automate’ or ‘Microsoft Power Apps’ is inserted with the header type:
‘x-ms-mail-application’. For example:

**x-ms-mail-application: Microsoft Power Automate**; User-Agent: azure-logic-apps/1.0 (workflow afa0fb167803450aa650267e95d43287; version 08586093372199532216) microsoft-flow/1.0
x-ms-mail-operation-type: Forward

Further, in order to identify the operation ID, a reserved word ‘Forward’ or ‘Reply’ or ‘Send’ is inserted with the
header type: ‘x-ms-mail-operation-type’. For example:

x-ms-mail-application: Microsoft Power Automate; User-Agent: azure-logic-apps/1.0 (workflow afa0fb167803450aa650267e95d43287; version 08586093372199532216) microsoft-flow/1.0
**x-ms-mail-operation-type: Forward**

Exchange admins can use these headers to set up exfiltration blocking rules in the Exchange admin center as
enumerated in the example below. Here the ‘mail flow’ rule rejects outbound email messages with:
‘x-ms-mail-operation-type’ header set as ‘Forward’ and
‘x-ms-mail-application’ header set as ‘Microsoft Power Automate’
This is equivalent to the Exchange ‘mail flow’ rule set up for message type equal to ‘auto-forward’ while using
Outlook and Outlook on the web clients.
Exempt specific flows from exfiltration blocking
In addition to the new ‘x-ms-mail-application’, Power Platform also inserts the workflow identifier as the new ‘User-
Agent’ header which is equal to the app or flow ID.

x-ms-mail-application: Microsoft Power Automate; User-Agent: azure-logic-apps/1.0 (workflow afa0fb167803450aa650267e95d43287; version 08586093372199532216) microsoft-flow/1.0
**x-ms-mail-operation-type: Forward**

If admins want to exempt some flows (or apps) from exfiltration blocking because of a legitimate business scenario, they
can match on the workflow ID in the user-agent header to do so. All other exception conditions offered by
Exchange rules, such as sender address, also remain available to exempt legitimate business use cases from the
blocking enforcement.
Alternatively, admins can use other exception capabilities in Exchange mail rules (for example, a unique sender
address) to exempt flows from the exfiltration blocking rules and allow legitimate business use cases to bypass the control.
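The rule logic above (reject outbound Power Automate forwards unless the workflow ID is exempt), as an added example that can be used to test header matching against captured messages before building the rule in Exchange. It is not Microsoft's code; the function names, the contoso.com and fabrikam.com addresses and the sample message are constructed, while the header layout and workflow ID are the ones shown on this page.

```python
import re
from email import message_from_string
from email.utils import getaddresses

APP_HEADER = "x-ms-mail-application"
OP_HEADER = "x-ms-mail-operation-type"
# The workflow (app or flow) ID sits in the User-Agent part of the application header.
WORKFLOW_RE = re.compile(r"\(workflow\s+([0-9a-fA-F]+)\s*;")


def power_platform_headers(msg):
    """Return application, operation type and workflow ID, or None if not stamped."""
    raw = msg.get(APP_HEADER)
    if raw is None:
        return None
    value = " ".join(raw.split())                 # unfold a wrapped header value
    match = WORKFLOW_RE.search(value)
    return {
        "application": value.split(";", 1)[0].strip(),
        "operation": (msg.get(OP_HEADER) or "").strip(),
        "workflow_id": match.group(1).lower() if match else None,
    }


def has_external_recipient(msg, internal_domains):
    """True if any To/Cc address is outside the organization's own domains."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    domains = {addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(fields) if addr}
    return bool(domains - {d.lower() for d in internal_domains})


def verdict(raw_message, internal_domains, exempt_workflows=()):
    """Mirror the mail flow rule: return 'reject', 'exempt' or 'allow'."""
    msg = message_from_string(raw_message)
    info = power_platform_headers(msg)
    if info is None or not has_external_recipient(msg, internal_domains):
        return "allow"                            # not connector mail, or not outbound
    if (info["application"].lower() != "microsoft power automate"
            or info["operation"].lower() != "forward"):
        return "allow"                            # rule conditions not met
    if info["workflow_id"] in {w.lower() for w in exempt_workflows}:
        return "exempt"                           # exception: approved flow
    return "reject"


def sample_message(to, operation):
    """Constructed message carrying the header format shown on this page."""
    return (
        "From: maker@contoso.com\n"
        f"To: {to}\n"
        "Subject: FW: report\n"
        "x-ms-mail-application: Microsoft Power Automate; User-Agent:\n"
        " azure-logic-apps/1.0 (workflow afa0fb167803450aa650267e95d43287; version\n"
        " 08586093372199532216) microsoft-flow/1.0\n"
        f"x-ms-mail-operation-type: {operation}\n"
        "\n"
        "constructed body\n"
    )


if __name__ == "__main__":
    forward = sample_message("partner@fabrikam.com", "Forward")
    print(verdict(forward, {"contoso.com"}))
    print(verdict(forward, {"contoso.com"}, ["afa0fb167803450aa650267e95d43287"]))
```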
Control user access to environments: security groups and licenses
10/16/2020 • 4 minutes to read

If your company has multiple Common Data Service environments, you can use security groups to control which
licensed users can be a member of a particular environment.
Consider the following example scenario:

| Environment | Security group | Purpose |
| --- | --- | --- |
| Coho Winery Sales | Sales_SG | Provide access to the environment that creates sales opportunities, handles quotes, and closes deals. |
| Coho Winery Marketing | Marketing_SG | Provide access to the environment that drives marketing efforts through marketing campaigns and advertising. |
| Coho Winery Service | Service_SG | Provide access to the environment that processes customer cases. |
| Coho Winery Dev | Developer_SG | Provide access to the sandbox environment used for development and testing. |

In this example, four security groups provide controlled access to a specific environment.
Note the following about security groups:
When users are added to the security group, they are added to the Common Data Service environment.
When users are removed from the group, they are disabled in the Common Data Service environment.
When a security group is associated with an existing environment with users, all users in the environment
that are not members of the group will be disabled.
If a Common Data Service environment does not have an associated security group, all users with a Common
Data Service license (customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation),
Power Automate, Power Apps, etc.) will be created as users and enabled in the environment.
If a security group is associated with an environment, only users with Common Data Service licenses that are
members of the environment security group will be created as users in the Common Data Service
environment.
When you assign a security group to an environment, that environment will not show up in
home.dynamics.com for users not in the group.
If you do not assign a security group to an environment, the environment will show up in
home.dynamics.com even for those who have not been assigned a security role in that Common Data Service
environment.
If you do not specify a security group, all users who have a Common Data Service license (customer
engagement apps, such as Dynamics 365 Sales and Customer Service) will be added to the new
environment.
New: Security groups cannot be assigned to default and developer environment types. If you've already
assigned a security group to your default or developer environment, we recommend removing it since the
default environment is intended to be shared with all users in the tenant and the developer environment is
intended for use by only the owner of the environment.
Common Data Service environments support associating the following group types: Security and Microsoft
365. Associating other group types is not supported.

NOTE
All licensed users, whether or not they are members of the security groups, must be assigned security roles to access
environments. You assign the security roles in the web application. Users can't access environments until they are assigned
at least one security role for that environment. For more information, see Configure environment security.

Create a security group and add members to the security group


1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select + Add a group.
4. Change the type to Security group, add the group Name and Description. Select Add > Close.
5. Select the group you created, and then next to Members, select Edit.
6. Select + Add members. Select the users to add to the security group, and then select Save > Close
several times to return to the Groups list.
7. To remove a user from the security group, select the security group, next to Members, select Edit. Select -
Remove members, and then select X for each member you want to remove.

NOTE
If the users you want to add to the security group are not created, create the users and assign to them the Common Data
Service licenses.
To add multiple users, see: bulk add users to Office365 groups.

Create a user and assign license


1. In the Microsoft 365 admin center, select Users > Active users > + Add a user. Enter the user
information, select licenses, and then select Add.
More information: Add users and assign licenses at the same time

Associate a security group with a Common Data Service environment


1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 admin, Global admin, or Power Platform admin).
2. In the navigation pane, select Environments, select an environment, and then select Edit.
3. In the Settings page, select Edit.
4. Select a security group, select Done, and then select Save.

The security group is associated with the environment.


Remove a security group's association with a Common Data Service environment
1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 admin, Microsoft 365 Global admin, or Power Platform admin).
2. In the navigation pane, select Environments, select an environment, and then select Edit.
3. In the Settings page, select Delete.
4. Confirm removal, select Remove, and then select Save.
The security group associated with the environment will be removed and the environment's access will no longer
be restricted to only users that are members of that group.
See also
Create users and assign security roles
Cross-tenant inbound and outbound restrictions
10/16/2020 • 2 minutes to read

With tenant restrictions, organizations can control access to SaaS cloud applications, based on the Azure AD tenant
the applications use for single sign-on. With tenant restrictions, organizations can specify the list of tenants that
their users are permitted to access. Azure AD then only grants access to these permitted tenants using Azure AD-
based tenant restriction.
Additionally, if organizations want to enforce tenant isolation for Power Platform connections, then they can use
Power Platform’s tenant isolation capability. Note that the Power Platform tenant isolation feature does not impact
Azure AD-based access outside of Power Apps and Power Automate. Power Platform tenant isolation only works
for connectors using Azure AD-based authentication such as Office 365 Outlook or SharePoint. If you want to block
connectors that use MSA authentication, you can create a data loss prevention policy and classify the connector
under the Blocked group.
Power Platform tenant isolation ability is available with two options: one-way or two-way restriction.

NOTE
For now, this capability can be enabled for your tenant by opening a support case and providing the details of your tenant
ID.

One-way tenant isolation (inbound connection restriction)


One-way tenant isolation or inbound isolation will block connection establishment attempts to your tenant from
other tenants. For example, as an admin of Contoso.com (tenant A), if you have enabled one-way tenant isolation
then Azure AD-based Power Platform connection creation attempts from any other tenants like Fabrikam.com
(tenant B) will fail.
One-way tenant isolation restricts incoming connection attempts into your tenant, hence the term inbound
connection restriction.

| Connection creator tenant | Connection sign-in tenant | Access allowed? |
| --- | --- | --- |
| A | A | Yes |
| A (one-way data loss prevention policy enforced) | B | Yes |
| B | A (one-way data loss prevention policy enforced) | No (inbound) |
| B | B | Yes |

Two-way tenant isolation (inbound and outbound connection restriction)
Like one-way tenant isolation, two-way tenant isolation will block connection establishment attempts to your
tenant from other tenants. Additionally, two-way tenant isolation will also block connection establishment attempts
from your tenant to other tenants. For example, as an admin of Contoso.com (tenant A), if you have enabled two-
way tenant isolation then connection creation attempts from any other tenants like Fabrikam.com (tenant B) will
fail. Additionally, Azure AD-based Power Platform connection creation attempts from Contoso.com (tenant A) to
any other tenants like Fabrikam.com (tenant B) will fail.
Two-way tenant isolation restricts incoming connection attempts into your tenant, hence the term inbound
connection restriction. Two-way tenant isolation also restricts outgoing connection attempts from your tenant,
hence the term outbound connection restriction.

| Connection creator tenant | Connection sign-in tenant | Access allowed? |
| --- | --- | --- |
| A | A | Yes |
| A (two-way data loss prevention policy enforced) | B | No (outbound) |
| B | A (two-way data loss prevention policy enforced) | No (inbound) |
| B | B | Yes |

Data loss prevention policies
10/16/2020 • 15 minutes to read

Your organization's data is likely one of the most important assets you're responsible for safeguarding as an
administrator. The ability to build apps and automation to use that data is a large part of your company's success.
You can use Power Apps and Power Automate for rapid build and rollout of these high-value apps so that users
can measure and act on the data in real time. Apps and automation are becoming increasingly connected across
multiple data sources and multiple services. Some of these might be external, third-party services and might even
include some social networks. Users generally have good intentions, but they can easily overlook the potential for
exposure from data leakage to services and audiences that shouldn't have access to the data.
You can create data loss prevention (DLP) policies that can act as guardrails to help prevent users from
unintentionally exposing organizational data. DLP policies can be scoped at the environment level or tenant level,
offering flexibility to craft sensible policies that strike the right balance between protection and productivity. For
tenant-level policies you can define the scope to be all environments, selected environments, or all environments
except ones you specifically exclude. Environment-level policies can be defined for one environment at a time.
DLP policies enforce rules for which connectors can be used together by classifying connectors as either
Business or Non-Business. If you put a connector in the Business group, it can only be used with other
connectors from that group in any given app or flow. Sometimes you might want to block the usage of certain
connectors altogether by classifying them as Blocked.
DLP policies are created in the Power Platform admin center. They affect Power Platform canvas apps and Power
Automate flows. To create a DLP policy, you need to be a tenant admin or have the Environment Admin role.

NOTE
The ability to block connectors by using a three-way classification (Business, Non-Business, and Blocked), in addition
to DLP policy UI support in the Power Platform admin center, is now generally available. There is new DLP policy PowerShell
support for three-way DLP policy classification, which is also generally available. Legacy DLP policy support for two-way
classification (Business and Non-Business), along with admin center UI and PowerShell support for two-way classification,
is currently generally available and will continue to be available for the foreseeable future. More information: Connectors
documentation

Connector classification
Data groups are a simple way to categorize connectors within a DLP policy. The three data groups available are
the Business data group, the Non-Business data group, and the Blocked data group.
A good way to categorize connectors is to place them in groups based on the business-centered or personal-use-
centered services that they connect to in the context of your organization. Connectors that host business-use data
should be classified as Business and connectors that host personal-use data should be classified as
Non-Business. Any connectors that you want to restrict usage of across one or more environments should be
classified as Blocked.
When a new policy is created, by default all connectors are placed in the Non-Business group. From there they
can be moved to Business or Blocked based on your preference. You manage the connectors in a data group
when you create or modify the properties of a DLP policy from the admin center. See Create a data loss
prevention (DLP) policy. You can also change the initial classification of connectors by editing your DLP policy. See
Edit a DLP policy.
NOTE
Until recently, some HTTP connectors weren't readily available for DLP policy configuration by using the DLP policy UI or
PowerShell. As of May 2020, the following HTTP connectors can now be classified by using the DLP policy UI and
PowerShell, like any other Power Platform connector: HTTP, HTTP Webhook, and When a HTTP request is received. If
legacy DLP policies are being updated using the new DLP UI, a warning message will be displayed to admins indicating that
these three HTTP connectors are now being added to the DLP purview and that they should ensure that these connectors
are placed in the right DLP grouping.
Since child flows share an internal dependency with HTTP connector, the grouping that admins choose for HTTP connector
in a DLP policy might impact the ability to run child flows in that environment/tenant. Make sure your HTTP connectors are
classified in the appropriate group for your child flows to function. If there are any concerns in classifying it as Business in
shared environments such as the default environment, our advice is to classify it as Non-Business or to block it. Then,
create dedicated environments where makers can use HTTP connector, but restrict the maker list so that you can unblock
makers from building child flows.
The Content Conversion connector is an integral feature of Microsoft Power Platform, used to convert an HTML
document to plain text. It applies both to Business and Non-Business scenarios and doesn't store any data context of
the content converted through it; therefore, it's not available for classification through DLP policies.

How data is shared among data groups


Data can't be shared among connectors that are located in different groups. For example, if you place SharePoint
and Salesforce connectors in the Business group and you place Gmail in the Non-Business group, makers can't
create an app or flow that uses both the SharePoint and Gmail connectors. This in turn restricts data flows
between these two services in Microsoft Power Platform.
Although data can't be shared among services in different groups, it can be shared among services within a
specific group. From the earlier example, because SharePoint and Salesforce were placed in the same data group,
makers can create an app or flow that uses both SharePoint and Salesforce connectors together. This in turn
allows data flows between these two services in Microsoft Power Platform.
The key point is that connectors in the same group can share data in Microsoft Power Platform, whereas
connectors in different groups can't share data.
The effect of the Blocked data group
Data flow to a specific service can be blocked altogether by marking that connector as Blocked. For example, if
you place Facebook in the Blocked group, makers can't create an app or flow that uses the Facebook connector.
This in turn restricts data flows to this service in Microsoft Power Platform.
All third-party connectors can be blocked. All Microsoft-owned premium connectors (except Common Data
Service) can be blocked.
List of connectors that can't be blocked
All connectors driving core Microsoft Power Platform functionality (like Common Data Service, Approvals, and
Notifications) as well as connectors enabling core Office customization scenarios like Microsoft Enterprise Plan
standard connectors will remain non-blockable to ensure core user scenarios remain fully functional.
However, these non-blockable connectors can be classified into Business or Non-Business data groups. These
connectors broadly fall into the following categories:
Microsoft Enterprise Plan standard connectors (with no additional licensing implications).
Microsoft Power Platform–specific connectors that are part of the base platform capabilities. Within this,
Common Data Service connectors are the only premium connectors that can't be blocked, because Common
Data Service is an integral part of Microsoft Power Platform.
The following connectors can't be blocked by using DLP policies.
| Microsoft Enterprise Plan standard connectors | Core Power Platform connectors |
| --- | --- |
| Excel Online (Business) | Approvals |
| Microsoft Forms Pro | Notifications |
| Microsoft Teams | Common Data Service |
| Microsoft To-Do (Business) | Common Data Service (current environment) |
| Microsoft 365 Groups | Power Apps Notifications |
| Microsoft 365 Outlook | |
| Microsoft 365 Users | |
| OneDrive for Business | |
| OneNote (Business) | |
| Planner | |
| Shifts | |
| SharePoint | |
| Skype for Business Online | |
| Power BI | |
| Yammer | |
| Kaizala | |
| Microsoft 365 Groups Mail (Preview) | |
| Cloud App Security | |

NOTE
If a currently unblockable connector is already in the Block group (for example, because it was blocked when restrictions
were different), it will remain in the same group until you edit the policy. You will get an error message stopping you from
saving the policy until you move the unblockable connector to a Business or Non-Business group.

Custom connector classification


By default, custom connectors aren't part of the standard configuration capabilities of DLP policies in the Power
Platform admin center. However, you can use DLP policy PowerShell commands to set them up into Business,
Non-Business, and Blocked groups. More information: Data Loss Prevention (DLP) policy commands
Unlike standard and premium connectors, which are available to all environments in the tenant, custom
connectors are scoped specifically to an individual environment. Therefore, you can't use tenant-level DLP policies
to manipulate custom connectors; you must use environment-level DLP policies. By using PowerShell, you can
configure DLP policy to include these connectors. After they're added, they can then be managed in the admin
center.

NOTE
Only custom connectors that are stored in a tenant's default environment will be displayed with their associated icon and
display name in the policy editor. All other custom connectors will be displayed with the default connector icon and their
internal name.

Default data group for new connectors


One data group must be designated as the default group to automatically classify any new connectors added to
Microsoft Power Platform after your policy has been created. Initially, the Non-Business group is the default
group for new connectors and all services. You can change the default data group to the Business or Blocked
data group, but we don't recommend that you do so.
Any new services that are added to Power Apps will be placed in the designated default group. For this reason, we
recommend you keep Non-Business as the default group and manually add services into the Business or
Blocked group after your organization has evaluated the impact of allowing business data to be shared with the
new service.

NOTE
Microsoft 365 enterprise license connectors and a few core Microsoft Power Platform connectors are exempt from being
marked as Blocked and can only be classified as Business or Non-Business. If Microsoft adds any new connectors that
can't be blocked and if you've set the default group for the DLP policy as Blocked, these connectors will be automatically
marked as Non-Business instead of Blocked.
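How a single policy classifies connectors and decides whether an app or flow may combine them, covering the data group rule, the Blocked group and the default group for new connectors described above. This is an added example: a simplified model, not the platform's implementation. The class and method names are assumptions, "Contoso Widgets" is a made-up new connector, and NON_BLOCKABLE holds only a subset of the list on this page.

```python
BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-Business", "Blocked"

# Subset of the connectors this page lists as non-blockable.
NON_BLOCKABLE = {
    "SharePoint", "Microsoft 365 Outlook", "Microsoft Teams", "OneDrive for Business",
    "Planner", "Common Data Service", "Approvals", "Notifications",
}


class DlpPolicy:
    """Hypothetical model of one DLP policy's data groups."""

    def __init__(self, name, business=(), blocked=(), default_group=NON_BUSINESS):
        stuck = sorted(set(blocked) & NON_BLOCKABLE)
        if stuck:
            # Mirrors the save error for a non-blockable connector left in Blocked.
            raise ValueError(f"move to Business or Non-Business first: {stuck}")
        both = sorted(set(business) & set(blocked))
        if both:
            raise ValueError(f"connector in two groups: {both}")
        self.name = name
        self.groups = {c: BUSINESS for c in business}
        self.groups.update({c: BLOCKED for c in blocked})
        self.default_group = default_group

    def classify(self, connector):
        """Explicit group if one was set, otherwise the default group for new connectors."""
        if connector in self.groups:
            return self.groups[connector]
        if self.default_group == BLOCKED and connector in NON_BLOCKABLE:
            return NON_BUSINESS      # non-blockable connectors fall back to Non-Business
        return self.default_group

    def violations(self, connectors):
        """List the reasons an app or flow using these connectors breaks the policy."""
        by_group = {}
        for connector in connectors:
            by_group.setdefault(self.classify(connector), []).append(connector)
        problems = [f"{c} is Blocked" for c in by_group.get(BLOCKED, [])]
        if BUSINESS in by_group and NON_BUSINESS in by_group:
            problems.append(
                f"mixes Business {sorted(by_group[BUSINESS])} "
                f"with Non-Business {sorted(by_group[NON_BUSINESS])}"
            )
        return problems


# The grouping used in this page's example: everything not listed stays Non-Business.
policy = DlpPolicy("example", business=["SharePoint", "Salesforce"], blocked=["Facebook"])
# A policy whose default group was changed to Blocked.
strict = DlpPolicy("default-blocked", business=["Salesforce"], default_group=BLOCKED)

if __name__ == "__main__":
    print(policy.violations(["SharePoint", "Salesforce"]))   # same group: allowed
    print(policy.violations(["SharePoint", "Gmail"]))        # crosses groups
    print(policy.violations(["Salesforce", "Facebook"]))     # uses a blocked connector
    print(strict.classify("Contoso Widgets"), strict.classify("Planner"))
```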

Policy scope
DLP policies can be created at both the tenant and environment level. Tenant admins have the permissions to
create tenant-level policies; environment admins have the permissions to create environment-level policies.
Tenant-level policies
Tenant admins can define three types of scopes for tenant-level data policies:
Option 1: Apply to all environments.
Option 2: Apply to multiple environments (but not all).
Option 3: Apply to all environments except certain specifically excluded ones.
It's typical for tenant admins to define DLP policies for their entire tenant but exclude certain environments, as
described in option 3. For the excluded environments, tenant admins can define alternate DLP policies and apply
them to multiple environments, as described in option 2. Option 1 is for DLP policy rules that must apply across
the entire tenant, without exception.
Tenant admins can define more than one tenant-level policy for the environments in their tenant. These
policies can be set for mutually exclusive or overlapping environment scopes.
Environment-level policies
Environment admins can define environment-level data policies for one environment at a time. Environment
admins can't exclude their environments from tenant-level policies. Therefore, all the restrictions defined by the
tenant admins scoped for their environment still apply, in addition to any environment-level policy that they have
individually defined for their environment.
As is true of tenant admins with tenant-level policies, environment admins can define more than one
environment-level policy for their environment.
Even though environment admins might manage more than one environment, they can't include more than one
environment in the environment-level policy. They must define individual environment-level policies for each
environment that they manage.

View policy
Using the view policy feature, environment admins can view tenant-level policies and policies within
environments that the admin has access to, at an individual policy level. Non-admins can also view tenant-level
policies using this feature.

Combined effect of multiple DLP policies


As tenant or environment admins, you can create more than one DLP policy and apply it to the same
environment. At design and runtime, all policies that are applicable to the environment in which the app or flow
resides are evaluated together to decide whether the resource is in compliance or violation of DLP policies.
Blocked classification impact across multiple policies
If any policy (tenant-level or environment-level) that's applicable to an environment marks a connector as
Blocked, no app or flow can use that connector in the environment. It doesn't matter whether any other policy
classifies that connector as Business or Non-Business, because Blocked is the most restrictive classification for
the connector; therefore, Blocked is always the final outcome of multiple policy evaluations.
Business/Non-Business classification impact across multiple policies
Compared to evaluating the effect of the Blocked classification, evaluating the effect of the Business or Non-
Business classification across multiple policies is more complex. You can classify a given connector, such as
SharePoint, as Business in policy A and as Non-Business in policy B. What matters is what other connectors
SharePoint is grouped with across policy A and policy B.
Note that the most restrictive grouping is finally imposed when all the policies applicable to an environment are
evaluated together. Consider an example of three policies (A, B, and C) across 10 connectors (SharePoint, Twitter,
Salesforce, Facebook, Face API, Microsoft 365 Outlook, Basecamp 3, Adobe Sign, Azure Blob storage, and Box).
These connectors are classified as Business or Non-Business as represented by two categories each across the
three policies (-E1-, -E2-, -E3-, -E4-, -E5-, and -E6-).
Policy A
-E1- Business – SharePoint, Twitter, Salesforce, Microsoft 365 Outlook, Basecamp 3
-E2- Non-Business – Facebook, Face API, Adobe Sign, Azure Blob storage, Box
Policy B
-E3- Business – SharePoint, Facebook, Face API, Microsoft 365 Outlook, Basecamp 3
-E4- Non-Business – Twitter, Salesforce, Adobe Sign, Azure Blob storage, Box
Policy C
-E5- Business – Facebook, Face API, Twitter, Salesforce, Microsoft 365 Outlook
-E6- Non-Business – SharePoint, Adobe Sign, Azure Blob storage, Box, Basecamp 3
When all three policies are applied together to the same environment, the net result is fragmentation of
connectors across eight (2^3 = 8) groups, as depicted below. Only connectors in the same group (out of eight
possible combinations) can be used in a given app or flow.
Consolidated grouping
-E1-, -E3-, -E5- Group 1 – Microsoft 365 Outlook
-E1-, -E3-, -E6- Group 2 – SharePoint, Basecamp 3
-E1-, -E4-, -E5- Group 3 – Twitter, Salesforce
-E1-, -E4-, -E6- Group 4 – NULL
-E2-, -E3-, -E5- Group 5 – Facebook, Face API
-E2-, -E3-, -E6- Group 6 – NULL
-E2-, -E4-, -E5- Group 7 – NULL
-E2-, -E4-, -E6- Group 8 – Adobe Sign, Azure Blob storage, Box
To summarize: an app or flow can only use connectors from one of these individual groups at any given time, and
can't mix connectors across the eight different groups. From the examples above, note that multiple DLP policies
applied to an environment will fragment your connector space in complicated ways. Therefore, we highly
recommend that you apply a minimum number of DLP policies to any given environment.
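The scope and combination rules above can be checked mechanically before a policy change is rolled out. The following is an added example, not code from the product or its PowerShell module: it uses a simplified policy model in which connectors a policy doesn't list fall into that policy's default group, and the environment names "prod" and "test" and policy D are constructed for illustration.

```python
BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-Business", "Blocked"


class Policy:
    """Simplified model of one DLP policy (an assumption, not the service schema)."""

    def __init__(self, name, groups, scope="all", environments=(),
                 default_group=NON_BUSINESS):
        self.name = name
        self.groups = dict(groups)            # connector name -> classification
        self.scope = scope                    # "all", "only" or "except"
        self.environments = frozenset(environments)
        self.default_group = default_group    # for connectors not in groups

    def applies_to(self, env):
        if self.scope == "all":               # option 1: every environment
            return True
        if self.scope == "except":            # option 3: all but the listed ones
            return env not in self.environments
        return env in self.environments       # option 2, or an environment-level policy

    def classify(self, connector):
        return self.groups.get(connector, self.default_group)


def applicable(policies, env):
    """Every tenant-level and environment-level policy whose scope covers env."""
    return [p for p in policies if p.applies_to(env)]


def consolidated_groups(policies, connectors):
    """Group connectors by their classification in every policy at once.

    Returns (groups, blocked): groups maps a tuple of per-policy classifications
    to the connectors sharing it; blocked holds connectors any policy blocks.
    """
    groups, blocked = {}, set()
    for connector in connectors:
        signature = tuple(p.classify(connector) for p in policies)
        if BLOCKED in signature:
            blocked.add(connector)            # Blocked is always the final outcome
        else:
            groups.setdefault(signature, set()).add(connector)
    return groups, blocked


def check_resource(policies, env, used_connectors):
    """Return (compliant, reason) for an app or flow in env using these connectors."""
    active = applicable(policies, env)
    groups, blocked = consolidated_groups(active, used_connectors)
    if blocked:
        return False, "blocked: " + ", ".join(sorted(blocked))
    if len(groups) > 1:
        parts = sorted(" + ".join(sorted(m)) for m in groups.values())
        return False, "connectors span groups: " + " | ".join(parts)
    return True, "compliant under %d policies" % len(active)


def business(name, connectors, **kwargs):
    """Build a policy whose listed connectors are Business, all others Non-Business."""
    return Policy(name, {c: BUSINESS for c in connectors}, **kwargs)


# Policies A, B and C from the example above.
POLICY_A = business("A", ["SharePoint", "Twitter", "Salesforce",
                          "Microsoft 365 Outlook", "Basecamp 3"])
POLICY_B = business("B", ["SharePoint", "Facebook", "Face API",
                          "Microsoft 365 Outlook", "Basecamp 3"])
POLICY_C = business("C", ["Facebook", "Face API", "Twitter", "Salesforce",
                          "Microsoft 365 Outlook"])
# Constructed for illustration: blocks Twitter everywhere except environment "test".
POLICY_D = Policy("D", {"Twitter": BLOCKED}, scope="except", environments={"test"})

CONNECTORS = ["SharePoint", "Twitter", "Salesforce", "Facebook", "Face API",
              "Microsoft 365 Outlook", "Basecamp 3", "Adobe Sign",
              "Azure Blob storage", "Box"]

if __name__ == "__main__":
    groups, _ = consolidated_groups([POLICY_A, POLICY_B, POLICY_C], CONNECTORS)
    for signature, members in groups.items():
        print(signature, sorted(members))
    everything = [POLICY_A, POLICY_B, POLICY_C, POLICY_D]
    for env, used in [("prod", {"SharePoint", "Basecamp 3"}),
                      ("prod", {"SharePoint", "Microsoft 365 Outlook"}),
                      ("prod", {"Twitter", "Salesforce"}),
                      ("test", {"Twitter", "Salesforce"})]:
        print(env, sorted(used), check_resource(everything, env, used))
```

SharePoint and Microsoft 365 Outlook are both Business in policies A and B, yet the pair is rejected because policy C separates them, which is the fragmentation effect described above.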

Impact of DLP policies on apps and flows


If admins have disallowed certain connectors to be used together in an environment by classifying them as
Business or Non-Business, or marked certain connectors as Blocked by using tenant-level or environment-level
DLP policies, these restrictions can negatively affect makers and users of Power Apps and Power Automate.
The restrictions are enforced at both design time and at runtime.
As an admin, you should have a process and plan in place to handle these types of support needs if you're using
DLP policies.
Design-time impact on apps and flows
Users who create or edit a resource affected by the DLP policy will see an appropriate error message about any
DLP policy conflicts. For example, Power Apps makers will see the following error when they use connectors in an
app that don't belong together or have been blocked by DLP policies. The app won't add the connection.

Similarly, Power Automate makers will see the following error when they try to save a flow that uses connectors
that don't belong together or have been blocked by DLP policies. The flow itself will be saved, but it will be marked
as Suspended and won't be executed unless the maker resolves the DLP violation.
Runtime impact on apps and flows
As an admin, you can decide to modify the DLP policies for your tenant or for specific environments at any point.
If apps and flows were created and executed in compliance with an earlier DLP policy, some of them might be
negatively affected by any policy changes you make.
Users who use a resource that's in violation of the latest DLP policy will see an error message about the DLP
policy conflict. For example, Power Apps makers and users will see the following error when they try to open an
app that uses connectors that don't belong together or have been blocked by DLP policies.

Similarly, Power Automate makers and users won't be able to start a flow that uses connectors that don't belong
together or have been blocked by DLP policies. A background system process marks the flow as Suspended, and
the flow won't be executed until the maker resolves the DLP policy violation.

NOTE
The flow suspension process works in a polling mode. It takes about five minutes for the latest DLP policy changes to be
assessed against active flows to mark them as suspended due to DLP policy violations. This change isn't instantaneous.
Known issues
We are working to address the following known issues and limitations:
1. Tenant-level policies created through the new UI enforce default grouping (typically non-business) on custom
connectors. Currently there is no way to explicitly classify custom connectors in tenant-level policies or ignore
them altogether. In order to manage custom connector settings explicitly using environment-level policies,
exclude these environments from the tenant-level policies.
2. Sorting by Created and Modified fields on Data Policy list view doesn’t work correctly.
3. Three-way DLP policy creation isn't available through admin connectors. Also, the Power Platform for Admins
connector always blocks LBI/Non-business group.
4. If the default group is set as blocked, the list of connectors that can't be blocked won't apply when you use
PowerShell to create DLP policies.
5. Canvas apps assessment for DLP violations at launch time/runtime does not work as expected.
See also
Create a data loss prevention (DLP) policy
Manage data loss prevention (DLP) policies
Data loss prevention (DLP) policy commands
Create a data loss prevention (DLP) policy
10/16/2020 • 8 minutes to read

To protect data in your organization, you can use Power Apps to create and enforce policies that define the
consumer connectors that specific business data can be shared with. These policies are called data loss prevention
(DLP) policies. DLP policies ensure that data is managed in a uniform manner across your organization, and they
prevent important business data from being accidentally published to connectors such as social media sites.
DLP policies can be created at the tenant level or at the environment level and are managed from the Power
Platform admin center.

Prerequisites
Tenant-level
Tenant-level policies can be defined to include or exclude specific environments. To follow the steps described in
this article for tenant-level policies, one of the following permissions is required:
Power Platform admin permissions
Microsoft 365 Global admin permissions
We refer to these roles throughout this article as tenant admins. More information: Use service admin roles to
manage your tenant
Environment-level
To follow the steps for environment-level policies, you need to have Power Apps Environment Admin permissions.

Find and view DLP policies


To find and view DLP policies, see Find and view DLP policies.

The DLP policy process


The following are the steps you follow to create a DLP policy:
1. Assign the policy a name.
2. Classify connectors.
3. Define the scope of the policy. This step doesn't apply to environment-level policies.
4. Select environments.
5. Review settings.
These are covered in the next section.

Walkthrough: Create a DLP policy


In this example walkthrough, we'll create a tenant-level DLP policy. We'll add SharePoint and Salesforce to the
Business data group of a DLP policy. We'll also add Facebook and Twitter to the Blocked data group. We'll leave
the remaining connectors in the Non-Business data group. We'll then exclude test environments from the scope
of this policy and apply the policy to the remaining environments, such as default and production environments
in the tenant.
After this policy is saved, any Power Apps or Power Automate maker who is part of the DLP policy's environment
can create an app or a flow that shares data between SharePoint or Salesforce. Any Power Apps or Power
Automate resource that includes an existing connection with a connector in the Non-business data group won't
be allowed to establish connections with SharePoint or Salesforce connectors, and vice versa. Also, these makers
won't be able to add Facebook or Twitter connectors to any Power Apps or Power Automate resource.
1. In Power Platform admin center, select Data policies > New policy.

If no policies exist in the tenant, you'll see the following page.

2. Enter a policy name, and then select Next.


3. Review the various attributes and settings you can make on the Assign Connectors page.
Attributes

| Attribute | Description |
|---|---|
| Name | The name of the connector. |
| Blockable | Connectors that can be blocked. For a list of connectors that can't be blocked, see List of connectors that can't be blocked. |
| Type | Whether connector usage requires a Premium license or is included in the base/Standard license for Power Platform. |
| Publisher | The company that publishes the connector. This value can be different from the service owner. For example, Microsoft can be the publisher of the Salesforce connector, but the underlying service is owned by Salesforce, not Microsoft. |
| About | Select the URL for more information about the connector. |

Lists

| Pivot | Description |
|---|---|
| Business (n) | Connectors for business-sensitive data. Connectors in this group can't share data with connectors in other groups. |
| Non-Business/Default (n) | Connectors for non-business data, such as personal use data. Connectors in this group can't share data with connectors in other groups. |
| Blocked (n) | Blocked connectors can't be used where this policy is applied. |

Actions
| Action | Description |
|---|---|
| Set default group | The group that maps any new connectors added by Power Platform after your DLP policy is created. More information: Default data group for new connectors |
| Search Connectors | Search a long list of connectors to find specific connectors to classify. You can search on any field in the connector list view, such as Name, Blockable, Type, or Publisher. |

You can take the following actions:

|   | Description |
|---|---|
| 1 | Assign one or more connectors across connector classification groups |
| 2 | Connector classification group pivot tables |
| 3 | Search bar to find connectors across properties like Name, Blockable, Type, or Publisher |
| 4 | Connector classification group that maps any new connectors added by Power Platform after your DLP policy is created. |
| 5 | Select, multi-select, or bulk-select connectors to move across groups |
| 6 | Alphabetical sort capability across individual columns |
| 7 | Action buttons to assign individual connectors across connector classification groups |

4. Select one or more connectors. For this walkthrough, select the Salesforce and SharePoint connectors, and
then select Move to Business from the top menu bar. You can also use the ellipsis (...) to the right of the
connector name.

The connectors will appear in the Business data group.

Connectors can reside in only one data group at a time. By moving the SharePoint and Salesforce
connectors to the Business data group, you're preventing users from creating flows and apps that
combine these two connectors with any of the connectors in the Non-Business or Blocked groups.
For connectors like SharePoint that are not blockable, the Block action will be grayed out and a warning
will appear.
5. Review and change the default group setting for new connectors, if you need to. We recommend keeping
the default setting as Non-Business to map any new connectors added to Power Platform by default.
Non-Business connectors can be manually assigned to Business or Blocked later by editing the DLP
policy, after you've had a chance to review and assign them. If the new connector setting is Blocked, any
new connectors that are blockable will be mapped to Blocked, as expected. However, any new connectors
that are unblockable will be mapped to Non-Business because by design they can't be blocked.
In the upper-right corner, select Set default group.
After you've completed all the connector assignments across the Business/Non-Business/Blocked
groups and set the default group for new connectors, select Next.
6. Choose the scope of the DLP policy. This step isn't available for environment-level policies, because they're
always meant for a single environment.

For the purpose of this walkthrough, you will exclude test environments from this policy. Select Exclude
certain environments, and on the Add Environments page, select Next.
7. Review the various attributes and settings on the Add Environments page. For tenant-level policies, this
list will show the tenant-level admin all the environments in the tenant. For environment-level policies, this
list will only show the subset of environments in the tenant that are managed by the user who has signed
in as an environment admin.

Attributes
| Attribute | Description |
|---|---|
| Name | The name of the environment. |
| Type | The type of the environment: trial, production, sandbox, default |
| Region | The region associated with the environment. |
| Created by | The user who created the environment. |
| Created (On) | The date on which the environment was created. |

Lists

| Pivot | Description |
|---|---|
| Available (n) | Environments that aren't explicitly included or excluded in the policy scope. For environment-level policy and tenant-level policies with scope defined as Add multiple environments, this list represents the subset of environments that aren't included in the policy scope. For tenant-level policies with scope defined as Exclude certain environments, this pivot represents the set of environments that are included within the policy scope. |
| Added to policy (n) | For environment-level policy and tenant-level policies with scope defined as Add multiple environments, this pivot represents the subset of environments that are within the policy scope. For tenant-level policies with scope defined as Exclude certain environments, this pivot represents the subset of environments that are excluded from the policy scope. |

Actions

| Action | Description |
|---|---|
| Add to policy | Environments in the Available category can be moved to the Added to policy category by using this action. |
| Remove from policy | Environments in the Added to policy category can be moved to the Available category by using this action. |

8. Select one or more environments. You can use the search bar to quickly find the environments of interest.
For this walkthrough, we'll search for test environments by typing sandbox. After we select the sandbox
environments, we assign them to the policy scope by using Add to policy from the top menu bar.
Because the policy scope was initially selected as Exclude certain environments, these test
environments will now be excluded from the policy scope and the DLP policy settings will be applied to all
the remaining (Available) environments. For environment-level policy, you can only select a single
environment from the list of available environments.
After making selections for environments, select Next.
9. Review the policy settings, and then select Create Policy.

The policy is created and appears in the list of DLP policies. As a result of this policy, SharePoint and Salesforce
apps can share data in non-test environments—such as production environments—because they're both part of
the same Business data group. However, any connector that resides in the Non-Business data group—such as
Outlook.com—won't share data with apps and flows by using SharePoint or Salesforce connectors. Facebook and
Twitter connectors are altogether blocked from being used in any app or flow in non-test environments such as
production or default environments.
It's good practice for admins to share the list of DLP policies with their organization so that users are aware of the
policies before they create apps.
This table describes how the DLP policy you created affects data connections in apps and flows.

| Connector matrix | SharePoint (Business) | Salesforce (Business) | Outlook.com (Non-Business) | Facebook (Blocked) | Twitter (Blocked) |
|---|---|---|---|---|---|
| SharePoint (Business) | Allowed | Allowed | Denied | Denied | Denied |
| Salesforce (Business) | Allowed | Allowed | Denied | Denied | Denied |
| Outlook.com (Non-Business) | Denied | Denied | Allowed | Denied | Denied |
| Facebook (Blocked) | Denied | Denied | Denied | Denied | Denied |
| Twitter (Blocked) | Denied | Denied | Denied | Denied | Denied |

Because no DLP policy has been applied to test environments, apps and flows can use any set of connectors
together in these environments.

Use DLP PowerShell commands


See Data Loss Prevention (DLP) policy commands.
See also
Data loss prevention policies
Manage data loss prevention (DLP) policies
Data loss prevention (DLP) policy commands
Manage data loss prevention (DLP) policies
10/16/2020 • 2 minutes to read

An organization's data is critical to its success. Its data needs to be readily available for decision-making, but the
data needs to be protected so that it isn't shared with audiences who shouldn't have access to it. To protect this
data, you can use Power Apps to create and enforce data loss prevention (DLP) policies that define the consumer
connectors that specific business data can be shared with. For example, an organization that uses Power Apps
might not want the business data that's stored in SharePoint to be automatically published to its Twitter feed.
To create, edit, or delete DLP policies, you must have either Environment Admin or Power Platform admin
permissions.

Find and view DLP policies


1. Sign in to the Power Platform admin center.
2. In the navigation pane, select Data policies. If you have a long list of policies, use the Search box to find
specific DLP policies.

The list view shows the following attributes:

| Attribute | Description |
|---|---|
| Name | The name of the policy. |
| Scope | The type of policy, such as environment-level or tenant-level |
| Applied to | The environment scope associated with the policy. For an environment-level policy, this will be a specific (single) environment name associated with the policy. For a tenant-level policy, this can be one of the following values: All environments; All environments, except (n); (n) environments; A single environment name |
| Created by | The user who created the policy. |
| Created (On) | The date on which the policy was created. |
| Modified by | The user who modified the policy. |
| Modified (On) | The date on which the policy was modified. |

Edit a DLP policy


1. Sign in to the Power Platform admin center.
2. From the list of DLP policies, select an environment, and then select Edit Policy. If you have a long list of
policies, use the Search box to find specific environments.

NOTE
Environment admins can't edit policies that were created by the tenant admin.

3. Proceed through the steps described in Create a DLP policy, and then select Update Policy.

NOTE
Environment-level DLP policies can't override tenant-wide DLP policies.

Delete a DLP policy


1. Sign in to the Power Platform admin center.
2. From the list of DLP policies, select an environment, and then select Delete Policy. If you have a long list
of policies, use the Search box to find specific environments.
NOTE
Environment admins can't delete policies that were created by the tenant admin.

3. In the confirmation dialog box, select Delete.

Change the default data group


1. Sign in to the Power Platform admin center.
2. From the list of DLP policies, select an environment, and then select Edit Policy. If you have a long list of
policies, use the Search box to find specific environments.

NOTE
Environment admins can't edit policies created by the tenant admin.

3. Select the Connectors step in the Edit Policy process.


4. In the upper-right corner, select Set default group.
5. Choose a default group, and then select Apply. More information: Connector classification and Default
data group for new connectors
6. Select Next as needed to close the Edit Policy process.
The data group you chose will be the default group to automatically classify any new connectors added to Power
Platform after your policy has been created.

Use DLP PowerShell commands


See Data loss prevention (DLP) policy commands.
See also
Data loss prevention policies
Create a data loss prevention (DLP) policy
Data loss prevention (DLP) policy commands
Power Platform data loss prevention (DLP) SDK
10/16/2020 • 2 minutes to read

This topic introduces the capabilities of the DLP SDK and shows you how DLP can help you manage your tenant
and environment policy with experiences ranging from creating, reading, and updating to removing DLP policies.
More information: Data loss prevention policies

How to run this sample


1. Download or clone the Samples repo so that you have a local copy.
2. Open PowerShell ISE as an admin.
3. Run the following command:

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force

4. Edit RunSamples.ps1 and make the following changes:


Replace $TenantAdminName value with your tenant admin account
Replace $TenantAdminPassword value with your tenant admin account password
Replace $EnvironmentAdminName value with your environment admin account
Replace $EnvironmentAdminPassword value with your environment admin account password
Note: the tenant admin account should not be used as an environment admin account.
5. Run RunSamples.ps1.

What this sample does


This sample calls DLP APIs in Microsoft.PowerApps.Administration.PowerShell to create, read, update and remove
DLP policies. Below are the scenarios supported by the SDK.
1. Create a tenant-level policy that classifies connectors into Business, Non-business, and Blocked groups.
2. Create policy for all environments except certain environments that classifies connectors into Business,
Non-business, and Blocked groups.
3. Create policy for single environment that classifies connectors into Business, Non-business, and Blocked
groups.
4. Get list of tenant-level policies (all environments).
5. Update policy to move connector across groups (Business, Non-business, and Blocked).
6. Test compatibility of existing policies that previously used legacy PowerShell APIs and now use new PowerShell
APIs.

How this sample works


This sample provides some DLP scenarios about how to call DLP APIs for your reference. You can run the sample
and see the result.
Field-level security to control access
10/16/2020 • 4 minutes to read

Record-level permissions are granted at the entity level, but you may have certain fields associated with an entity
that contain data that is more sensitive than the other fields. For these situations, you use field-level security to
control access to specific fields.
The scope of field-level security is organization-wide and applies to all data access requests including the
following:
Data access requests from within a client application, such as web browser, mobile client, or Microsoft
Dynamics 365 for Outlook.
Web service calls using the Dynamics 365 Customer Engagement Web Services (for use in plug-ins, custom
workflow activities, and custom code)
Reporting (using Filtered Views)

Overview of field-level security


Field-level security is available for the default fields on most out-of-box entities, custom fields, and custom fields
on custom entities. Field-level security is managed by the security profiles. To implement field-level security, a
system administrator performs the following tasks.
1. Enable field security on one or more fields for a given entity.
2. Associate one or more existing security profiles, or create one or more new security profiles to grant the
appropriate access to specific users or teams.
A security profile determines the following:
Permissions to the secure fields
Users and Teams
A security profile can be configured to grant user or team members the following permissions at the field
level:
Read. Read-only access to the field's data.
Create. Users or teams in this profile can add data to this field when creating a record.
Update. Users or teams in this profile can update the field's data after it has been created.
A combination of these three permissions can be configured to determine the user privileges for a specific data
field.

IMPORTANT
Unless one or more security profiles are assigned to a security enabled field, only users with the system administrator
security role will have access to the field.

Example for restricting the mobile phone field for the Contact entity
Imagine your company's policy is that sales members should have different levels of access to contact mobile
phone numbers as described here.

| User or team | Access |
|---|---|
| Vice presidents | Full. Can create, update, and view mobile phone numbers for contacts. |
| Sales Managers | Read-only. Can only view mobile phone numbers for contacts. |
| Salespersons and all other users | None. Cannot create, update or view mobile phone numbers for contacts. |

To restrict this field, you would perform the following tasks.


Secure the field.
1. In the web app, go to Settings > Customizations.
2. Select Customize the System.
3. Select Entities > Contact > Fields.
4. Select mobilephone, select Edit.
5. Next to Field Security, select Enable, select Save and Close.
6. Publish the customization.
Configure the security profiles.
1. Create the field security profile for sales managers.
a. In the web app, go to Settings > Security.
b. Select Field Security Profiles.
c. Select New, enter a name, such as Sales Manager access contact mobile phone, and select Save.
d. Select Users, select Add, select the users that you want to grant read access to the mobile phone
number on the contact form, and then select Add.

TIP
Instead of adding each user, create one or more teams that include all users that you want to grant read
access.

e. Select Field Permissions, select mobilephone, select Edit, select Yes next to Allow Read, and
then select OK.
2. Create the field security profiles for vice presidents.
a. Select New, enter a name, such as VP access contact mobile phone, and select Save.
b. Select Users, select Add, select the users that you want to grant full access to the mobile phone
number on the contact form, and then select Add.
c. Select Field Permissions, select mobilephone, select Edit, select Yes next to Allow Read, Allow
Update, and Allow Create, and then select OK.
3. Select Save and Close.
Any users not defined in the previously created field security profiles will not have access to the mobile phone field
on contact forms or views. The field value displays ********, indicating that the field is secured.

Which fields can be secured?


Every field in the system contains a setting for whether field security is allowed. You can view this in the field
definition from Solution Explorer. In Solution Explorer expand Entities, expand the entity that you want, select
Fields, and then open the field that you want. If Enable can be selected, the field can be enabled for field security.

Although most attributes can be secured, there are system attributes, such as IDs, timestamps, and record tracking
attributes, that can't. Below are a few examples of attributes that can't be enabled for field security.
ownerid, processid, stageid, accountid, contactid
createdby, modifiedby, OwningTeam, OwningUser
createdon, EntityImage_Timestamp, modifiedon, OnHoldTime, overriddencreatedon
statecode, statuscode
You can view the entity metadata for your organization including which fields can be enabled for field security, by
installing the Metadata Browser solution described in Browse the Metadata for Your Organization. You can also
view the metadata for an uncustomized organization in the Office Excel file called EntityMetadata.xlsx included in
the top-level folder of the SDK. Download the SDK

Best practices when you use field security


When you use calculated fields that include a field that is secured, data may be displayed in the calculated field to
users that don't have permission to the secured field. In this situation, both the original field and the calculated
field should be secured.
Some data, such as addresses, are actually made up of multiple fields. Therefore, to completely secure data that
includes multiple fields, such as addresses, you must secure and configure the appropriate field security profiles on
multiple fields for the entity. For example, to completely secure addresses for an entity, secure all relevant address
fields, such as address_line1, address_line2, address_line3, address1_city, address1_composite, and so on.
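Both best practices come down to the same check: no unsecured field may be computed from a secured one. The following is an added example, not part of the product or its SDK. It runs that check over a constructed field list; the dictionary layout and the new_contactcard and new_callsheet field names are hypothetical, and in practice the list would be built from your organization's entity metadata.

```python
def secured_inputs(fields, name, _seen=frozenset()):
    """Secured fields that `name` is computed from, directly or transitively."""
    if name in _seen:                      # guard against circular definitions
        return set()
    found = set()
    for source in fields.get(name, {}).get("sources", ()):
        if fields.get(source, {}).get("secured"):
            found.add(source)
        # Keep walking: a calculated field may itself feed another calculated field.
        found |= secured_inputs(fields, source, _seen | {name})
    return found


def unsecured_derivatives(fields):
    """Map each unsecured field to the secured fields whose data it can display."""
    report = {}
    for name, meta in fields.items():
        if meta.get("secured"):
            continue
        exposed = secured_inputs(fields, name)
        if exposed:
            report[name] = sorted(exposed)
    return report


# Constructed sample for a Contact entity (hypothetical layout, not a metadata export).
# "sources" lists the fields a calculated or composite field is built from.
CONTACT_FIELDS = {
    "fullname":           {"secured": False, "sources": []},
    "mobilephone":        {"secured": True,  "sources": []},
    "address1_city":      {"secured": True,  "sources": []},
    # Composite address left unsecured although one of its parts is secured.
    "address1_composite": {"secured": False, "sources": ["address1_city"]},
    # Calculated field that was secured together with its input, as recommended.
    "new_contactcard":    {"secured": True,  "sources": ["fullname", "mobilephone"]},
    # Second-level calculated field that was overlooked.
    "new_callsheet":      {"secured": False, "sources": ["new_contactcard"]},
}

if __name__ == "__main__":
    for field, exposed in unsecured_derivatives(CONTACT_FIELDS).items():
        print("%s is not secured but exposes: %s" % (field, ", ".join(exposed)))
```

Every field the report names should either have field security enabled or stop referencing the secured source.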
See also
Video: Field Level Security in Microsoft Dynamics CRM 2015
Create a field security profile
Add or remove security from a field
Hierarchy security
Set up security permissions for a field
10/16/2020 • 2 minutes to read

You can restrict access to a field by creating a field security profile. After you create the profile, you assign users
and/or teams to that profile, and set up specific read, create, or write permissions for the field.
More information: Security concepts
1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Security.
3. Click Field Security Profiles, and then on the command bar, click New.
4. Enter a name and a description (optional) and click Save.
5. Under Common, click Field permissions.
6. Select a field, and then click Edit.
7. Select the permissions that you want to assign to users or teams, and then click OK.
8. To add users or teams:
a. Under Members, click Teams or Users.
b. On the command bar, click Add.
c. In the Look Up Records dialog box, select a team or user from the list (or search for a team or user),
and then click Select.
d. Repeat the preceding steps to add multiple teams or users, and then click Add.
See also
Enable or disable security for a field
Enable or disable security for a field to control access
10/16/2020 • 2 minutes to read

Field-level security lets you set which fields users can see or edit. For example, if you want to prevent users from
accidentally changing an account name, you can restrict them from editing that field. In Dynamics CRM 2013, you
could only set field-level security for custom fields, but in Dynamics CRM 2015 or later, you can also set field-level
security for some default fields. More information: Field-level security
To set which users and teams have read or write access to fields, see Set up security permissions for a field.

NOTE
You can't change the permissions on a field that you don't have permission to access.

1. In the web app, go to Settings > Customizations.
2. Click Customize the System.
3. Under Components, expand Entities, expand the entity that has the field you want to secure, and then
click Fields.
4. In the list of fields, double-click the field you want to secure.
5. In the Field window, on the General tab, to the right of Field Security, specify whether to Enable or
Disable security for the field.
6. Click Save or Save and Close.
7. When your customizations are complete, publish them:
To publish customizations for only the entity that you are currently editing, in the navigation pane,
select the entity, and then click Publish.
To publish customizations for all unpublished entities at one time, in the navigation pane, click
Entities, and then on the command toolbar, click Publish All Customizations.
See also
Field-level security
Set up security permissions for a field
Add teams or users to a field security profile to control access
10/16/2020 • 2 minutes to read

Role-based security controls access to a specific entity type, record-based security controls access to individual
records, and field-level security controls access to specific fields. You can use a field security profile to manage the
permission of users and teams to read, create, or write in secured fields. For example, the System Administrator
field security profile gives full access to all secured fields.
1. Go to Settings > Security.
2. Choose Field Security Profiles.
3. Choose the profile name that you want to add teams or users to.
4. Under Related, choose Teams or Users.
5. On the Actions toolbar, choose Add.
6. Select a team or user from the list. You can search for a team or user first.
7. Choose Add.
8. Close the field security profile record.
See also
Control data access
Manage teams
10/16/2020 • 15 minutes to read

Using teams is optional. However, teams provide an easy way to share business objects and let you collaborate
with other people across business units. While a team belongs to one business unit, it can include users from other
business units. You can associate a user with more than one team.
You can use three types of teams:
An owner team owns records and has security roles assigned to the team. The team's privileges are defined
by these security roles. In addition to privileges provided by the team, team members have the privileges
defined by their individual security roles and team member's privilege inheritance roles, and by the roles
from other teams in which they are members. A team has full access rights on the records that the team
owns. Team members are added manually to the owner team.
An Azure Active Directory (Azure AD) group team. Similar to owner team, an Azure AD group team can own
records and can have security roles assigned to the team. There are two group team types, and they
correspond directly to the Azure AD group types – Security and Office. The group security role can apply just
to the team, or to team members with User privileges through member's privilege inheritance. Team members are
dynamically derived (added and removed) when they access the environment based on their Azure AD
group membership.
An access team doesn't own records and doesn't have security roles assigned to the team. The team
members have privileges defined by their individual security roles and by roles from the teams in which
they are members. The records are shared with an access team, and the team is granted access rights on the
records, such as Read, Write, or Append.

Owner/group team or access team?


The type of team you choose depends on the goals, nature of the project, and even the size of your organization.
There are a few guidelines that you can use when choosing the team type.
When to use owner or group teams
Your organization's policies require the ability for records to be owned by entities other than users, such as the
team entity.
The number of teams is known at the design time of your system.
Daily reporting on progress by owning teams is required.
When to use access teams
The teams are dynamically formed and dissolved. This typically happens if clear criteria for defining the teams,
such as established territory, product, or volume are not provided.
The number of teams is not known at the design time of your system.
The team members require different access rights on the records. You can share a record with several access
teams, each team providing different access rights on the record. For example, one team is granted the Read
access right on the account and another team, the Read, Write, and Share access rights on the same account.
A unique set of users requires access to a single record without having ownership of the record.

Common to all team types


Who can create teams?
Anyone who has Create, Read, Update (Write), Delete (CRUD) privileges on the Team entity can create any of the
team types.

Add a Team administrator


When you create a team, you need to add a Team administrator with a security role that has Read privilege to the
Team entity. In the web app, go to Settings > Security > Teams and select a team to enter the Team
administrator.

What inherited privilege do Team administrators have?


Team administrators have access to Team owned records. Team administrators do not need to be added to a team
and do not show up as a member of the team.

About owner teams


An owner team can own one or more records. To make a team an owner of the record, you must assign a record to
the team.
While teams provide access to a group of users, you must still associate individual users with security roles that
grant the privileges they need to create, update, or delete user-owned records. These privileges can't be applied by
assigning security roles to a team and then adding the user to that team. If you need to provide your team
members the team privileges directly without their own security role, you can assign the team a security role that
has member's privilege inheritance.
If an owner team doesn't own records and doesn't have security roles assigned to the team, it can be converted to
an access team. It is a one-way conversion. You can't convert the access team back to the owner team. During
conversion, all queues and mailboxes associated with the team are deleted. When you create a team in the web
application, you have to choose the team type Owner.
For more information, see Assign a record to a user or team.
Create an owner team
1. Make sure that you have the System Administrator, Sales Manager, Vice President of Sales, Vice President of
Marketing, or CEO-Business Manager security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Security. In Microsoft Dynamics 365 for Outlook, go to Settings >
System > Security.
3. Select Teams.
4. On the Actions toolbar, select the New button.
5. Enter a team name.
6. Select a business unit.
7. Enter an administrator.
8. Select Owner in Team Type.
9. Complete other required fields, and then select Save.
If you don't select the business unit to which the team will belong, by default, the root business unit is
selected. The root business unit is the first business unit created for an organization.

Edit an owner team


1. Make sure that you have the System Administrator, Sales Manager, Vice President of Sales, Vice President of
Marketing, or CEO-Business Manager security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Security. In Dynamics 365 for Outlook, go to Settings > System >
Security.
3. Select Teams.
4. In the Teams drop-down list, select All Owner Teams or another appropriate view.
5. In the grid, select the team you want to edit.
6. On the Actions toolbar, select Edit, change the desired fields, and then select Save.

About group teams


Applies to Common Data Service
Using Azure Active Directory groups to manage a user's app and data access
The administration of app and data access for Microsoft Common Data Service has been extended to allow
administrators to use their organization's Azure Active Directory (Azure AD) groups to manage access rights for
licensed Common Data Service users.
Both types of Azure AD groups, Office and Security, with the Membership type Assigned can be used to secure
user-access rights. The Membership types Dynamic User and Dynamic Device are not supported. Using groups lets
administrators assign a security role with its respective privileges to all the members of the group, instead of
having to provide the access rights to an individual team member.
The administrator can create Azure AD group teams that are associated to the Azure AD groups in each of the
Common Data Service environments and assign a security role to these group teams. For each Azure AD group,
the administrator can create group teams based on the Azure AD group membership types. The administrator can
create separate group teams for owners, members, guests, and members and guests, and assign a respective
security role to each of these teams.
When members of these group teams access these environments, their access rights are automatically granted
based on the group team's security role.
Provision and deprovision users
Once the group team and its security role are established in an environment, user access to the environment is
based on the user membership of the Azure AD groups. When a new user is created in the tenant, all the
administrator needs to do is assign the user to the appropriate Azure AD group, and assign Common Data Service
licenses. The user can immediately access the environment without the need to wait for the administrator to assign
a security role.
When users are deleted/disabled in Azure AD or removed from the Azure AD groups, they lose their group
membership and won't be able to access the environment when they try to sign in.
Remove user access at run time
When a user is removed from the Azure AD groups by an administrator, the user is removed from the group team,
and they lose their access rights the next time they access the environment. The memberships for the user's Azure
AD groups and Common Data Service group teams are synchronized, and the user's access rights are dynamically
derived at run time.
Administer user security role
By using Azure AD group teams, administrators no longer have to wait for the user to sync to the environment and
then assign a security role to the user individually. Once a group team is established and created in an
environment with a security role, any licensed Common Data Service users who are added to the Azure AD group
can immediately access the environment.
Lock down user access to environments
Administrators can continue to use an Azure AD security group to lock down the list of users synced to an
environment. This can be further reinforced by using Azure AD group teams. To lock down environment or app
access to restricted environments, the administrator can create separate Azure AD groups for each environment
and assign the appropriate security role for these groups. Only these Azure AD group team members have the
access rights to the environment.
Share Power Apps to team members of an Azure AD group
When canvas and model-driven apps are shared to an Azure AD group team, team members can immediately run
the apps.
User-owned and team-owned records
A new property has been added to the security role definition to provide special team privileges when the role is
assigned to group teams. This type of security role allows team members to be granted User/Basic-level privileges
as if the security role is directly assigned to them. Team members can create and be an owner of records without
the need to have an additional security role assigned.
A group team can own one or more records. To make a team an owner of the record, you must assign the record
to the team.
While teams provide access to a group of users, you must still associate individual users with security roles that
grant the privileges that they need to create, update, or delete user-owned records. These privileges can't be
applied by assigning a security role without member's privilege inheritance to a team and then adding the user to that
team. If you need to provide your team members the team privileges directly, without their own security role, you
can assign the team a security role that has member's privilege inheritance.
For more information, see Assign a record to a user or team.

Create a group team


1. Make sure that you have the System Administrator, Sales Manager, Vice President of Sales, Vice President of
Marketing, or CEO-Business Manager security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
Prerequisites:
a. An Azure Active Directory (Azure AD) Group is required for each group team.
b. Obtain the Azure AD Group's ObjectID from your https://portal.azure.com site.
c. Create a custom security role that contains privileges per your team's collaboration requirement. Please
see the discussion of member's inherited privileges if you need to extend the team member's privileges
directly to a user.
2. In the web app, go to Settings > Security. In Microsoft Dynamics 365 for Outlook, go to Settings >
System > Security.
3. Select Teams.
4. On the Actions toolbar, select the New button.
5. Enter a team name.
6. Select a business unit.
7. Enter an administrator.
8. Select Team Type (a drop-down list is displayed).
9. Select AAD Security or Office group (this must match the Azure AD Group type).
10. Enter the respective Azure AD ObjectID of the Azure AD Security or Office group.
11. Select Membership Type, and then one of the following:
Members and guests
Members
Owners
Guests
The Azure AD group members from the selected membership type will be mapped to the group team when
the member accesses the system.
12. Select Save.
If you don't select the business unit to which the team will belong, by default, the root business unit is
selected. The root business unit is the first business unit created for an organization.
Edit a group team
1. Make sure that you have the System Administrator, Sales Manager, Vice President of Sales, Vice President of
Marketing, or CEO-Business Manager security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Security. In Dynamics 365 for Outlook, go to Settings > System >
Security.
3. Select Teams.
4. In the Teams drop-down list, select All AAD Office or Security Teams.
5. In the grid, select the team you want to edit.
6. On the Actions toolbar, select Edit, change the desired fields (Membership Type cannot be updated), and
then select Save.

NOTE
You can only create one group team for each Azure AD group membership type per environment, and the Azure AD
ObjectId of the group team cannot be edited once the group team is created.
Membership Type cannot be changed after the group team is created. If you need to update this field, you will need to
delete the group team and create a new one.
All existing group teams created prior to the new Membership Type field being added are automatically updated as
Members and guests. There is no loss in functionality with these group teams as the default group team is mapped to
the Azure AD Group Members and guests membership type.
If your environment has a security group, you will need to add the group team's Azure AD group as a member of that
security group in order for the group team's users to be able to access the environment.
The list of team members listed in each group team only displays the user members who have accessed the environment.
This list doesn't show all the group members of the Azure AD group. The team member's privileges are derived
dynamically at run-time when the team member accesses the application. The security role of the team is not assigned
directly to the team member. Since team member's privileges are derived dynamically at run-time, the team member's
Azure AD group memberships are cached upon the team member's log-in. This means that any Azure AD group
membership maintenance done on the team member in Azure AD will not be reflected until the next time the team
member logs in or when the system refreshes the cache (after 8 hours of continuous log-in).
Team members are maintained in each group team at run-time and the operation is done at the database level; therefore,
the group team update event is not available to plug-ins.
You do not need to assign team members with an individual security role if your group team's security role has a
member's privilege inheritance and the security role contains at least one privilege that has User level permission.
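
As an added example (not Microsoft's code and not part of the original page), the rules in the NOTE above can be checked against a planned set of group teams before they are created, since the ObjectId and Membership Type cannot be edited afterwards. The inventory, environment names, ObjectIDs, and function names are constructed for illustration, and `stale_access_deadline` assumes the membership cache refreshes every 8 hours counted from sign-in.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Values taken from the page; everything else below is constructed for illustration.
MEMBERSHIP_TYPES = {"Members and guests", "Members", "Owners", "Guests"}
TEAM_TYPE_TO_GROUP_TYPE = {"AAD Security": "Security", "Office group": "Office"}
CACHE_REFRESH = timedelta(hours=8)  # "after 8 hours of continuous log-in"

DUPLICATE = "more than one group team for this Azure AD group and membership type"
UNKNOWN_MEMBERSHIP = "membership type is not one the form offers"
UNKNOWN_GROUP = "ObjectID not found in the Azure AD export"
TYPE_MISMATCH = "team type does not match the Azure AD group type"
NOT_ASSIGNED = "Azure AD group membership type is not Assigned"
NOT_IN_ENV_GROUP = "Azure AD group is not a member of the environment security group"


def audit_group_teams(planned_teams, aad_groups, env_security_groups):
    """Return sorted (environment, team name, finding) tuples for planned group teams.

    env_security_groups maps an environment to the set of Azure AD ObjectIDs that are
    members of its security group, or to None when it has no security group.
    """
    per_key = Counter(
        (t["env"], t["object_id"], t["membership_type"]) for t in planned_teams
    )
    findings = []
    for t in planned_teams:
        problems = []
        if t["membership_type"] not in MEMBERSHIP_TYPES:
            problems.append(UNKNOWN_MEMBERSHIP)
        # One group team per Azure AD group membership type per environment.
        if per_key[(t["env"], t["object_id"], t["membership_type"])] > 1:
            problems.append(DUPLICATE)
        group = aad_groups.get(t["object_id"])
        if group is None:
            problems.append(UNKNOWN_GROUP)
        else:
            if TEAM_TYPE_TO_GROUP_TYPE.get(t["team_type"]) != group["group_type"]:
                problems.append(TYPE_MISMATCH)
            if group["membership"] != "Assigned":
                problems.append(NOT_ASSIGNED)
            allowed = env_security_groups.get(t["env"])
            if allowed is not None and t["object_id"] not in allowed:
                problems.append(NOT_IN_ENV_GROUP)
        findings.extend((t["env"], t["name"], p) for p in problems)
    return sorted(findings)


def stale_access_deadline(signed_in_at, removed_at):
    """Latest time a cached group membership can outlive removal in one continuous session.

    Assumption: the cache is refreshed every CACHE_REFRESH counted from sign-in.
    """
    if removed_at <= signed_in_at:
        return signed_in_at  # membership is read at sign-in, so the removal already applies
    periods = math.ceil((removed_at - signed_in_at) / CACHE_REFRESH)
    return signed_in_at + periods * CACHE_REFRESH


def team(env, name, object_id, team_type, membership_type):
    return {"env": env, "name": name, "object_id": object_id,
            "team_type": team_type, "membership_type": membership_type}


# Constructed sample data (placeholder ObjectIDs, hypothetical environments).
G_SALES = "00000000-0000-0000-0000-0000000000a1"
G_MKTG = "00000000-0000-0000-0000-0000000000a2"
G_CONTRACT = "00000000-0000-0000-0000-0000000000a3"
AAD_GROUPS = {
    G_SALES: {"group_type": "Security", "membership": "Assigned"},
    G_MKTG: {"group_type": "Office", "membership": "Assigned"},
    G_CONTRACT: {"group_type": "Security", "membership": "Dynamic User"},
}
ENV_SECURITY_GROUPS = {"prod": {G_SALES}, "dev": None}
PLANNED_TEAMS = [
    team("prod", "Sales owners", G_SALES, "AAD Security", "Owners"),
    team("prod", "Sales owners 2", G_SALES, "AAD Security", "Owners"),
    team("prod", "Sales members", G_SALES, "AAD Security", "Members"),
    team("prod", "Marketing", G_MKTG, "AAD Security", "Members"),
    team("dev", "Contractors", G_CONTRACT, "AAD Security", "Guests"),
]

if __name__ == "__main__":
    for env, name, finding in audit_group_teams(
        PLANNED_TEAMS, AAD_GROUPS, ENV_SECURITY_GROUPS
    ):
        print(f"{env:5} {name:15} {finding}")
    signed_in = datetime(2020, 10, 16, 9, 0)
    removed = datetime(2020, 10, 16, 10, 30)
    print("stale access possible until", stale_access_deadline(signed_in, removed))
```

For access that must end immediately, the deadline shows why removal from the Azure AD group alone is not enough while the user stays signed in.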

About access teams and team templates


You can create an access team manually by choosing the team type Access, or let the system create and manage
an access team for you. When you create an access team, you can share multiple records with the team.
A system-managed access team is created for a specific record; other records can't be shared with this team. You
have to provide a team template that the system uses to create a team. In this template, you define the entity type
and the access rights on the record that are granted to the team members when the team is created.
A team template is displayed on all record forms for the specified entity as a list. When you add the first user to the
list, the actual access team for this record is created. You can add and remove members in the team by using this
list. The team template applies to the records of the specified entity type and the related entities, according to the
cascading rules. To give team members different access on the record, you can provide several team templates,
each template specifying different access rights.
For example, you can create a team template for the Account entity with the Read access right, which allows the
team members to view the specified account. For another team that requires more access to the same account, you
can create a team template with Read, Write, Share and other access rights. To be added to the team, a user must
have at least the Basic (User) Read access level on the entity specified in the template.
Because of the parental relationship between the team template and system-managed access teams, when you
delete a template, all teams associated with the template are deleted according to the cascading rules. If you
change access rights for the team template, the changes are applied only to the new auto-created (system-
managed) access teams. The existing teams are not affected.

NOTE
A user must have sufficient privileges to join an access team. For example, if the access team has Delete access rights on an
account, the user must have Delete privileges on the Account entity to join the team. If you're trying to add a user with
insufficient privileges, you'll see this error message: "You can't add the user to the access team because the user doesn't have
sufficient privileges on the entity."

For step-by-step instructions on how to create a team template and add the entity form, see Create a team
template and add to an entity form.

Maximum settings for system-managed access teams


The maximum number of team templates that you can create for an entity is specified in the
MaxAutoCreatedAccessTeamsPerEntity deployment setting. The default value is 2. The maximum number of entities
that you can enable for auto-created access teams is specified in the MaxEntitiesEnabledForAutoCreatedAccessTeams
deployment setting. The default value is 100. You can use the Set-CrmSetting Windows PowerShell command to
update this value.
See also
Create a team template and add to an entity form
About team templates
Add teams or users to a field security profile
Download: Access Teams in Microsoft Dynamics CRM
Download: Scalable security modeling with Microsoft Dynamics CRM
Entity relationship behavior
About collaborating with team templates
10/16/2020 • 2 minutes to read

Using teams is optional; however, teams give you an easy way to share information and collaborate with users
across business units. A team is a group of users. As a group, you will be able to track information about the
records and perform assigned tasks in a much more efficient and coordinated way. While a team belongs to only
one business unit, it can include users from other business units. A user can be associated with more than one
team.
There are two types of teams that you can work with: owner and access.
An owner team owns records and has security roles assigned to the team. The team’s privileges are defined
by these security roles. In addition to privileges provided by the team’s security roles, users have the
privileges defined by their individual security roles and by the roles from other teams in which they are
members. A team has full access rights on the records that the team owns.
An access team doesn’t own records and doesn’t have security roles assigned to the team. The users have
privileges defined by their individual security roles and by the roles from other teams in which they are
members. The records are shared with an access team and the team members are granted access rights on
the records, such as Read, Write, or Append.
An access team can be created manually (user-created) or automatically (system-managed). You can share multiple
records with a user-created access team. A system-managed team is created for a specific record and other records
can’t be shared with this team. For system-managed teams, you have to provide a team template that the system
uses to create a team. In this template, you define the entity type and the access rights on the record that are
granted to the team members when the team is created. A team template is displayed on all record forms for the
specified entity as a list. When you add the first user to the list, the actual access team for this record is created. You
can add and remove members in the team using this list. The team template applies to the records of the specified
entity type and the related entities, according to the cascading rules. To give team members different access on the
record, you can provide several team templates, each template specifying different access rights. For example, you
can create a team template for the account entity with the Read access right, which allows the team members to
view the specified account. For another team that requires more access to the same account, you can create a team
template with Read, Write, Share and other access rights.
Only entities that are enabled for system-managed access teams can be specified in the template.
If you change access rights in the team template, the changes are only applied to new system-managed access
teams. The existing teams aren’t affected.
For information about how to create a team template, enable an entity for system-managed access teams and how
to customize the entity form to add the team template, see Create a team template and add to an entity form.
See also
Create a team template and add to an entity form
Manage teams
Create a team template to control access rights for automatically created teams
10/16/2020 • 2 minutes to read

A team template can be used for the entities that are enabled for automatically created access teams. In the team
template, you have to specify the entity type and the access rights on the entity record. For example, you can
create a team template for an account entity and specify the Read, Write, and Share access rights on the account
record that the team members are granted when the team is automatically created. After you create a team
template, you have to customize the entity main form to include the new team template. After you publish
customizations, the access team template is added in all record forms for the specified entity in the form of a list. For
example, suppose you created a team template called “Sales team” for the account entity. On all account record forms
you’ll see the list called “Sales team”. You can add or remove team members using this list.

Enable an entity for access teams


These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Users + permissions > Teams.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions.
Check your security role:
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Users + permissions > Teams.
2. Select the check box for a team.
3. On the command bar, select More Commands (...).
4. Select Customize Entity.
5. In the navigation pane, expand Entities, and then choose the entity you want to use in the team template.
6. On the Entity Definition form, in the Communication & Collaboration section, select the Access
Teams checkbox.
7. On the Actions toolbar, select Save.

Add a team template to the entity form


1. Select an environment and go to Settings > Users + permissions > Teams.
2. On the command bar, select More Commands (...).
3. Select Customize Entity.
4. In the navigation pane, expand Entities, expand the entity you want to use in the team template, and then
select Forms.
5. In System Forms, select Active Forms > Main form.
6. On the Main form, open the Insert tab.
7. On the ribbon, choose Sub-Grid.
The Set Properties dialog box appears.
8. In Set Properties, complete the required fields, and then select the Display label on the Form check
box.
9. In the Records drop-down list, select All Record Types.
10. In the Entity drop-down list, select Users.
11. In the Default View drop-down list, select Associated Record Team Members.
12. In the Team Template drop-down list, select the desired template and choose Set.
The team template you selected now appears on the Main form.
13. On the Actions toolbar, select Save, and then select Publish.

NOTE
The Access Team template does not get exported with its entity in a Solution. Administrators will need to recreate the
template when exporting the entity into another environment.
Enhance security by encrypting your data
10/16/2020 • 2 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) use standard SQL Server cell
level encryption for a set of default entity attributes that contain sensitive information, such as user names and
email passwords. This feature can help organizations meet FIPS 140-2 compliance.
All new and upgraded organizations use data encryption by default. Data encryption can’t be turned off.
Users who have the system administrator security role can change the encryption key at any time.

Change an organization encryption key


These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Encryption > Data encryption.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Encryption > Data encryption.
2. In the Change Encryption Key box, type the new encryption key and then select Change.
3. Select OK in the confirmation message and then select Close to exit the Data Encryption page.
4. We recommend that you copy the key to a safe place. See the next section.

Copy your organization data encryption key


We strongly recommend that you make a copy of your data encryption key.
1. Sign in with the System Administrator or System Customizer security role or equivalent permissions.
2. Select an environment and go to Settings > Encryption.
3. In the Data Encryption dialog box, select Show Encryption Key, in the Current encryption key box
select the encryption key, and copy it to the clipboard.
4. Paste the encryption key into a text editor such as Notepad.

WARNING
By default, customer engagement apps generate a passphrase that is a random collection of Unicode characters.
Therefore, you must save the system-generated passphrase by using an application and file that supports Unicode
characters. Some text editors, such as Notepad, use ANSI encoding by default. Before you save the passphrase using
Notepad, select Save As, and then in the Encoding list, select Unicode.

5. As a best practice, save the text file that contains the encryption key on a computer in a secure location on
an encrypted hard drive.
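
The Unicode warning in step 4 can be checked mechanically. The following added example (not Microsoft's code and not part of the original page) shows which characters an ANSI save would silently destroy, then writes the key as UTF-16 with a byte order mark and reads it back to confirm the backup is exact. The passphrase is constructed, the function names are hypothetical, and `cp1252` is assumed as the ANSI code page.

```python
import codecs
import hmac
import os
import tempfile

ANSI_CODEPAGE = "cp1252"  # assumption: Western European Windows "ANSI" code page
SAMPLE_PASSPHRASE = "p\u00e9\u20ac\u03a9\u4e2d"  # constructed value, not a real key


def ansi_unsafe_chars(passphrase):
    """Characters that cannot be represented in the ANSI code page, in order."""
    unsafe = []
    for ch in passphrase:
        try:
            ch.encode(ANSI_CODEPAGE)
        except UnicodeEncodeError:
            unsafe.append(ch)
    return unsafe


def ansi_round_trip(passphrase):
    """What is left after a save as ANSI: every unmappable character becomes '?'."""
    return passphrase.encode(ANSI_CODEPAGE, errors="replace").decode(ANSI_CODEPAGE)


def verify_key_backup(passphrase, path):
    """Read the backup and compare it with the expected key in constant time."""
    with open(path, "rb") as fh:
        stored = fh.read().decode("utf-16")  # honours the byte order mark
    return hmac.compare_digest(stored.encode("utf-8"), passphrase.encode("utf-8"))


def write_key_backup(passphrase, path):
    """Write the key as UTF-16 LE with BOM and confirm that it reads back unchanged."""
    data = codecs.BOM_UTF16_LE + passphrase.encode("utf-16-le")
    # O_EXCL refuses to overwrite an earlier backup; 0o600 is owner-only on POSIX.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())
    return verify_key_backup(passphrase, path)


if __name__ == "__main__":
    print("lost in ANSI:", ansi_unsafe_chars(SAMPLE_PASSPHRASE))
    print("ANSI save would store:", ansi_round_trip(SAMPLE_PASSPHRASE))
    with tempfile.TemporaryDirectory() as folder:
        target = os.path.join(folder, "encryption-key.txt")
        print("backup verified:", write_key_backup(SAMPLE_PASSPHRASE, target))
```

A key that comes back with `?` in place of any character no longer matches the original, so run the verification at the time the backup is made rather than when the key is needed.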
See also
SQL Server Encryption
FIPS 140 Evaluation
Manage Your Data
Manage configuration data
Manage the encryption key
10/16/2020 • 13 minutes to read

All environments of Common Data Service use SQL Server Transparent Data Encryption (TDE) to perform real-time
encryption of data when written to disk, also known as encryption at rest.
By default, Microsoft stores and manages the database encryption key for your environments so you don't have to.
The manage keys feature in the Power Platform admin center gives administrators the ability to self-manage the
database encryption key that is associated with the Common Data Service tenant.

IMPORTANT
Self-managed database encryption keys are only available for customers who have more than 1000 Power Apps plan and/or
Dynamics 365 plan licensed user seats and who have opted in to the feature. To opt in to this program, submit a support
request.
Encryption key management is only applicable to Azure SQL environment databases. The following features and services use
their own key to encrypt their data and can't be encrypted with the self-managed encryption key:
Relevance Search
Mobile Offline
Activity Log (Microsoft 365 portal)
Exchange (Server-side sync)
Note the following:
The self-manage the database encryption key feature must be turned on by Microsoft for your tenant before you can use
the feature.
To use the data encryption management features for an environment, the environment must be created after the self-
manage the database encryption key feature is turned on by Microsoft.
Encryption key management cannot be applied to environments that have data stored in File and Image fields.
A majority of existing environments have files and logs stored in non-Azure SQL databases. These environments cannot be
opted in to self-managed encryption keys. Only new environments (once you have signed up for this program) can be enabled
with a self-managed encryption key.

Introduction to key management


With key management, administrators can provide their own encryption key or have an encryption key generated
for them, which is used to protect the database for an environment.
The key management feature supports both PFX and BYOK encryption key files, such as those stored in a hardware
security module (HSM). To use the upload encryption key option you need both the public and private encryption
key.
The key management feature takes the complexity out of encryption key management by using Azure Key Vault to
securely store encryption keys. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud
applications and services. The key management feature doesn't require that you have an Azure Key Vault
subscription and for most situations there is no need to access encryption keys used for Common Data Service
within the vault.
The manage keys feature lets you perform the following tasks.
Enable the ability to self-manage database encryption keys that are associated with Common Data Service
environments.
Generate new encryption keys or upload existing .PFX or .BYOK encryption key files.
Lock and unlock tenant environments.

WARNING
While a tenant is locked, all environments within the tenant can't be accessed by anyone. More information: Lock the
tenant.

Understand the potential risk when you manage your keys


As with any business critical application, personnel within your organization who have administrative-level access
must be trusted. Before you use the key management feature, you should understand the risk when you manage
your database encryption keys. It is conceivable that a malicious administrator (a person who is granted or has
gained administrator-level access with intent to harm an organization's security or business processes) working
within your organization might use the manage keys feature to create a key and use it to lock all environments in
the tenant.
Consider the following sequence of events.
The malicious administrator signs in to the Power Platform admin center, goes to the Environments tab and
selects Manage encryption key. The malicious administrator then creates a new key with a password and
downloads the encryption key to their local drive, and activates the new key. Now all the environment databases
are encrypted with the new key. Next, the malicious administrator locks the tenant with the newly downloaded key,
and then takes or deletes the downloaded encryption key.
These actions will result in disabling all the environments within the tenant from online access and make all
database backups un-restorable.

IMPORTANT
To prevent the malicious administrator from interrupting the business operations by locking the database, the managed keys
feature doesn't allow tenant environments to be locked for 72 hours after the encryption key has been changed or activated.
Additionally, anytime an encryption key is changed for a tenant, all administrators receive an email message alerting them of
the key change. This provides up to 72 hours for other administrators to roll back any unauthorized key changes.

Key management requirements


Privileges required
To use the manage keys feature you need one of the following privileges:
Global admin membership.
Microsoft 365 Service administrators group membership.
System administrator security role for the environment that you want to manage the encryption key.
Encryption key requirements
If you provide your own encryption key, your key must meet these requirements that are accepted by Azure Key
Vault.
The encryption key file format must be PFX or BYOK.
2048-bit RSA or RSA-HSM key type.
PFX encryption key files must be password protected.
For more information about generating and transferring an HSM-protected key over the Internet see How to
generate and transfer HSM-protected keys for Azure Key Vault.
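A pre-upload check of a .pfx file against the requirements listed above, as an added example that is not part of the original documentation or of Microsoft's tooling. The function names, the sample password and the in-memory sample certificates are constructed for illustration; it assumes PowerShell 7 or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later, and it does not cover .byok files.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example; Test-PfxKeyRequirement and New-ConstructedPfx are hypothetical names.

function Test-PfxKeyRequirement {
    # Checks a .pfx against the requirements on this page:
    # password protected, private key present, RSA key type, 2048-bit.
    param(
        [Parameter(Mandatory)] [byte[]] $PfxBytes,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # EphemeralKeySet keeps the private key in memory rather than persisting it to a key store.
    $flags = [X509KeyStorageFlags]::EphemeralKeySet
    $result = [ordered]@{
        PasswordProtected = $true
        OpensWithPassword = $false
        HasPrivateKey     = $false
        IsRsa             = $false
        KeySizeBits       = 0
        MeetsRequirements = $false
    }

    # A password-protected file must NOT open with an empty password.
    try {
        $probe = [X509Certificate2]::new($PfxBytes, '', $flags)
        $probe.Dispose()
        $result.PasswordProtected = $false
    } catch {
        # Expected for a protected file; other load failures are caught by the next step.
    }

    # Open with the supplied password; failure means wrong password or not a PKCS#12 file.
    try {
        $cert = [X509Certificate2]::new($PfxBytes, $Password, $flags)
    } catch {
        return [pscustomobject]$result
    }

    try {
        $result.OpensWithPassword = $true
        # The upload option needs both the public and the private key.
        $result.HasPrivateKey = $cert.HasPrivateKey
        # GetRSAPublicKey returns $null when the certificate key is not RSA.
        $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -ne $rsa) {
            $result.IsRsa = $true
            $result.KeySizeBits = $rsa.KeySize
            $rsa.Dispose()
        }
    } finally {
        $cert.Dispose()
    }

    $result.MeetsRequirements = $result.PasswordProtected -and $result.HasPrivateKey -and
        $result.IsRsa -and ($result.KeySizeBits -eq 2048)
    [pscustomobject]$result
}

function New-ConstructedPfx {
    # Builds a throwaway self-signed certificate in memory to serve as sample input.
    param([int] $KeySize, [string] $Password)
    $rsa = [RSA]::Create($KeySize)
    try {
        $req = [CertificateRequest]::new('CN=constructed-sample', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $now = [DateTimeOffset]::UtcNow
        $cert = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
        try { return ,$cert.Export([X509ContentType]::Pfx, $Password) }
        finally { $cert.Dispose() }
    } finally {
        $rsa.Dispose()
    }
}

# Constructed sample inputs; the password is a demo value, not a real secret.
$samplePassword = 'Constructed-Sample-Passw0rd!'
$secure = ConvertTo-SecureString $samplePassword -AsPlainText -Force
$cases = [ordered]@{
    '2048-bit, password set'   = New-ConstructedPfx -KeySize 2048 -Password $samplePassword
    '1024-bit, password set'   = New-ConstructedPfx -KeySize 1024 -Password $samplePassword
    '2048-bit, empty password' = New-ConstructedPfx -KeySize 2048 -Password ''
}

foreach ($name in $cases.Keys) {
    Test-PfxKeyRequirement -PfxBytes $cases[$name] -Password $secure |
        Select-Object @{ n = 'Sample'; e = { $name } },
            PasswordProtected, HasPrivateKey, KeySizeBits, MeetsRequirements
}
```

To check a real file, pass `[System.IO.File]::ReadAllBytes($path)` and the password from `Read-Host -AsSecureString` to the function instead of the constructed samples.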

Key management tasks


To simplify the key management tasks, the tasks are broken down into three areas:
1. Generate or upload the encryption key for a tenant
2. Activate an encryption key for a tenant
3. Manage encryption for an environment
Administrators can use the Power Platform admin center or the Microsoft.Xrm.OnlineManagementAPI PowerShell
module cmdlets to perform the key management tasks described here.
Generate or upload the encryption key for a tenant
All encryption keys are stored in the Azure Key Vault, and there can only be one active key at any time. Since the
active key is used to encrypt all the environments in the tenant, managing the encryption is operated at the tenant
level. Once the key is activated, each individual environment can then be selected to use the key for encryption.
Use this procedure to set the manage key feature the first time for an environment or to change (or roll-over) an
encryption key for an already self-managed tenant.

WARNING
When you perform the steps described here for the first time you are opting in to self-managing your encryption keys. More
information: Understand the potential risk when you manage your keys.

1. Sign in to the Power Platform admin center.


2. Select the Environments tab, and then select Manage encryption keys on the toolbar.
3. Select Confirm to acknowledge the manage key risk.
4. Select New key on the toolbar.
5. On the left pane, complete the details to generate or upload a key:
Select a Region. This option is only shown if your tenant has multiple regions.
Enter a Key name.
Choose from the following options:
To create a new key, select Generate new (.pfx). More information: Generate a new key (.pfx).
To use your own generated key, select Upload (.pfx or .byok). More information: Upload a key
(.pfx or .byok).
6. Select Next.
7. Email notification is sent to all administrators. More information: Encryption key change notification.
Generate a new key (.pfx)
1. Enter a password, and then re-enter the password to confirm.
2. Select Create, and then select the created file notification on your browser.
3. The encryption key .PFX file is downloaded to your web browser's default download folder. Save the file in a
secure location (we recommend that this key is backed up along with its password).
To perform this task using PowerShell, see Get-CRMGenerateProtectionkey and Set-CrmTenantProtectionKey.
Upload a key (.pfx or .byok)
1. Select Upload the Key, select the .pfx or .byok [1] file, and then select Open.
2. Enter the password for the key, and then select Create.
[1] For .byok encryption key files, make sure you use the subscription ID as shown on the screen when you export
the encryption key from your local HSM. More information: How to generate and transfer HSM-protected keys for
Azure Key Vault.
To perform this task using PowerShell, see New-CRMImportProtectionKey and Set-CrmTenantProtectionKey.

NOTE
To reduce the number of steps for the administrator to manage the key process, the key is automatically activated when it is
uploaded the first time. All subsequent key uploads require an additional step to activate the key.

Activate an encryption key for a tenant


Once an encryption key is generated or uploaded for the tenant, it can be activated.
1. Sign in to the Power Platform admin center.
2. Select the Environments tab, and then select Manage encryption keys on the toolbar.
3. Select Confirm to acknowledge the manage key risk.
4. Select a key that has an Available state and then select Activate key on the toolbar.
5. Select Confirm to acknowledge the key change and that all administrators will be notified. More information:
Encryption key change notification
When you activate a key for the tenant, it takes a while for the key management service to activate the key. The
status of the Key state displays the key as Installing when the new or uploaded key is activated. Once the key is
activated, the following occurs:
All encrypted environments automatically get encrypted with the active key (there is no downtime with this
action).
When activated, the encryption key will be applied to all environments that are changed from Microsoft-
provided to self-managed encryption key.
To perform this task using PowerShell, see Set-CrmProtectWithTenantKey.

IMPORTANT
To streamline the key management process so that all environments are managed by the same key, the active key can't be
updated when there are locked environments. All locked environments must be unlocked before a new key can be activated.
If there are locked environments that don't need to be unlocked, they must be deleted.

NOTE
After an encryption key is activated, you can't activate another key for 24 hours.

Manage encryption for an environment


By default, each environment is encrypted with the Microsoft-provided encryption key. Once an encryption key is
activated for the tenant, administrators can elect to change the default encryption to use the activated encryption
key. To use the activated key, follow these steps.
Apply encryption key to an environment
1. Sign in to the Power Platform admin center.
2. Select the Environments tab.
3. Open a Microsoft-provided encrypted environment.
4. Select See all.
5. In the Environment Encryption section, select Manage.
6. Select Confirm to acknowledge the manage key risk.
7. Select Apply this key to accept changing the encryption to use the activated key.
8. Select Confirm to acknowledge that you are managing the key directly and that there is downtime for this
action.
Return a managed encryption key back to Microsoft-provided encryption key
Returning to the Microsoft-provided encryption key configures the environment back to the default behavior
where Microsoft manages the encryption key for you.
1. Sign in to the Power Platform admin center.
2. Select the Environments tab, and then select an environment that is encrypted with a self-managed key.
3. Select See all.
4. In the Environment Encryption section, select Manage, and then select Confirm.
5. Under Return to standard encryption management, select Return.
6. For production environments, confirm the environment by entering the environment's name.
7. Select Confirm to return to standard encryption key management.
To perform this task using PowerShell, see Set-CrmProtectWithMicrosoftKey.
Lock the tenant
Since there is only one active key per tenant, locking the encryption for the tenant disables all the environments
that are in the tenant. All locked environments remain inaccessible to everyone, including Microsoft, until a Power
Platform admin in your organization unlocks it by using the key that was used to lock it.
CAUTION

You should never lock the tenant environments as part of your normal business process. When you lock a
Common Data Service tenant, all the environments will be taken completely offline and they can't be accessed by
anyone, including Microsoft. Additionally, services such as synchronization and maintenance are all stopped. If you
decide to leave the service, locking the tenant can ensure that your online data is never accessed again by anyone.
Note the following about tenant environments locking:
Locked environments can't be restored from backup.
Locked environments are deleted if not unlocked after 28 days.
You can't lock environments for 72 hours after an encryption key change.
Locking a tenant locks all active environments within the tenant.

IMPORTANT
You must wait at least one hour after you lock active environments before you can unlock them.
Once the lock process begins, all encryption keys with either an Active or Available state are deleted. The lock process can
take up to an hour and during this time unlocking locked environments is not allowed.

1. Sign into the Power Platform admin center.


2. Select the Environments tab and then on the command bar select Manage encryption keys.
3. Select the Active key and then select Lock active environments.
4. On the right pane select Upload active key, browse to and select the key, enter the password, and then select
Lock.
5. When prompted, enter the text that is displayed on your screen to confirm that you want to lock all
environments in the region, and then select Confirm.
To lock a tenant using the PowerShell cmdlet, see Set-CrmLockTenantProtectedInstances.
Unlock locked environments
To unlock environments you must first upload and then activate the tenant encryption key with the same key that
was used to lock the tenant. Please note that locked environments do not get unlocked automatically once the key
has been activated. Each locked environment has to be unlocked individually.

IMPORTANT
You must wait at least one hour after you lock active environments before you can unlock them.
The unlock process can take up to an hour. Once the key is unlocked, you can use the key to Manage encryption for an
environment.
You can't generate a new or upload an existing key until all locked environments are unlocked.

Unlock encryption key

1. Sign into the Power Platform admin center.


2. Select the Environments tab and then select Manage encryption keys.
3. Select the key that has a Locked state, and then on the command bar select Unlock key.
4. Select Upload locked key, browse to and select the key that was used to lock the tenant, enter the password,
and then select Unlock. The key goes into an Installing state. You must wait until the key is in an Active state
before you can unlock locked environments.
5. To unlock an environment, see the next section.
Unlock environments

1. Select the Environments tab, and then select the locked environment name.

TIP
Don't select the row. Select the environment name.

2. In the Details section, select See all to display the Details pane on the right.
3. In the Environment encryption section on the Details pane select Manage.
4. On the Environment encryption page select Unlock.

5. Select Confirm to confirm that you want to unlock the environment.


6. Repeat the previous steps to unlock additional environments.
To unlock an environment using the PowerShell cmdlet, see Set-CrmUnlockTenantProtectedInstance.

Environment database operations


A customer tenant can have environments that are encrypted using the Microsoft managed key and environments
that are encrypted with the customer managed key. To maintain data integrity and data protection, the following
controls are available when managing environment database operations.
1. Restore: The environment to overwrite (the restored to environment) is restricted to the same environment
that the backup was taken from or to another environment that is encrypted with the same customer
managed key.

2. Copy: The environment to overwrite (the copied to environment) is restricted to another environment that is
encrypted with the same customer managed key.

NOTE
If a Support Investigation environment was created to resolve a support issue in a customer managed environment,
the encryption key for the Support Investigation environment must be changed to customer managed key before
the Copy environment operation can be performed.

3. Reset: The environment's encrypted data will be deleted including backups. After the environment is reset,
the environment encryption will revert back to the Microsoft managed key.

Encryption key change notification


IMPORTANT
When an encryption key is activated or changed, all administrators receive an email message alerting them of the change.
This provides a means to allow other administrators to verify and confirm that the key was updated by an authorized
administrator. Since it takes time to activate the key and to encrypt all the environments, and to send out the email
notification, an encryption key can only be updated once every 24 hours.

See also
Microsoft.Xrm.OnlineManagementAPI PowerShell reference
SQL Server: Transparent Data Encryption (TDE)
Manage your documents using SharePoint
10/16/2020 • 2 minutes to read

Document management with SharePoint lets users manage common document types, such as Word, Excel,
PowerPoint, and OneNote, and create folders to save and manage those documents from within customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation). The documents are seamlessly stored in SharePoint.

NOTE
The document management feature isn't supported for users with Power Apps for Microsoft 365 licenses. These users
should upgrade to the appropriate licensing. More information: Compare Office 365 for Business Plans
The document management feature is supported for SharePoint sites with classic and modern experience.

Depending on your environment, there are several customer engagement apps and SharePoint configurations
possible.

CONFIGURATION | MORE INFORMATION
Customer engagement apps with SharePoint Online | Set up Dynamics 365 apps to use SharePoint Online
Customer engagement apps with SharePoint on-premises | Configure server-based authentication with Dynamics 365 apps and SharePoint on-premises

Administrators set up document management, specify permissions for managing tasks, and ensure that the
SharePoint site URLs are correct.

See also
SharePoint Document Management software requirements
SharePoint Document Management software
requirements
10/16/2020 • 2 minutes to read

If you want to use SharePoint document management functionality with model-driven apps in Dynamics 365, such
as Dynamics 365 Sales and Customer Service, you must meet the requirements listed in this topic.

Use document management


If you are using server-based integration with SharePoint, you can use any of the following SharePoint versions.
SharePoint Online
SharePoint 2016 on-premises
SharePoint 2013 SP1 on-premises (or a later version).
A SharePoint site collection. You also need to have at least one site collection configured and available for
model-driven apps in Dynamics 365.
Server-based SharePoint integration must be enabled.

IMPORTANT
The document management feature requires that model-driven apps in Dynamics 365 and SharePoint Online subscriptions
be under the same tenant.
SharePoint Foundation versions aren’t compatible with model-driven apps in Dynamics 365 document management.

Users who access SharePoint from model-driven apps in Dynamics 365 must have appropriate permissions on the
SharePoint site collection where the document management components are installed. For more information about
how to grant membership on a site collection, see the SharePoint Help.

Server-based SharePoint integration


Earlier versions of model-driven apps in Dynamics 365 document management use a client-to-server strategy to
authenticate and transmit data from model-driven apps in Dynamics 365 to SharePoint. Server-based (using
server-to-server authentication) SharePoint integration provides the following benefits:
User interface that is consistent with the newly-updated user interface.
Users can create and view folders when using document management.
To configure and use document management, you do not need to be signed in to both model-driven apps in
Dynamics 365 and SharePoint.
See also
Set up SharePoint integration
Set up SharePoint integration
10/16/2020 • 2 minutes to read

You can use the document management capabilities of SharePoint from within a Common Data Service model-
driven app or a customer engagement app, such as Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation.
You can store and manage documents in the context of a record on a SharePoint Server, and leverage the
SharePoint infrastructure to share, manage, and collaborate efficiently. Because the documents are stored on a
SharePoint Server, users who aren't running the app can directly access the documents on the SharePoint
Server, provided they have the appropriate permissions.
For document management functionality, you enable server-based SharePoint integration on a site collection in
SharePoint. Server-based SharePoint provides the following benefits.
Users sign in once and do not have to sign in to both customer engagement apps and SharePoint.
No additional software is required to install on SharePoint.
SharePoint documents will display in lists.
Users can perform SharePoint actions from the command bar.
See also
Manage your documents
Permissions required for document management tasks
Validate and fix SharePoint site URLs
Enable SharePoint document management for specific entities
Set up customer engagement apps to use SharePoint
Online
10/16/2020 • 6 minutes to read

When you use SharePoint Online with customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), you
can:
Create, upload, view, and delete documents stored in SharePoint from within customer engagement apps.
Use the SharePoint document management abilities within customer engagement apps, such as checking the
document in and out and changing document properties.
Enable non-customer engagement apps users, such as customers who want to review a bid, to directly
access the SharePoint documents, provided they have the appropriate permissions.

IMPORTANT
This topic is for organizations who wish to deploy for the first time or upgrade to server-based SharePoint integration. After
you enable server-based SharePoint integration, you can't revert to the previous client-based authentication method.

TIP
Check out the following video: Connect to SharePoint Online

To set up customer engagement apps to use SharePoint Online, complete the following steps.

Assign user permissions to the Team SharePoint site


Your customer engagement apps and Microsoft 365 users are not automatically allowed access to your SharePoint
sites. You must work within the SharePoint site to assign specific permission levels to individual users or groups.
Assign users to the Team site
1. Browse to the Microsoft 365 admin center and sign in using Microsoft 365 Global administrator credentials.
2. Open the Microsoft 365 app launcher, and then select SharePoint.
3. On the left-side menu, select Team Site.
4. On the Home page, select SHARE (upper-right corner).

5. To view the default permissions for your team site, select lots of people.
6. By default, all users in your Microsoft 365 organization are able to add and edit documents on the Team
SharePoint site. To invite others, choose Invite people and add people external to your organization to share
documents.
For more information about SharePoint permissions, see Introduction: Control user access with permissions

Configure customer engagement apps for SharePoint document management

If you are a new organization and have not yet deployed document management, see Configure a new
organization.
If your organization is already using document management with Microsoft Dynamics CRM List Component, you
must switch to server-based SharePoint integration. More information: Switching from the list component or
changing the deployment

IMPORTANT
Server-based SharePoint integration uses the entity display name to build the SharePoint library. When you upgrade to
server-based SharePoint integration, be sure to check that the display names in your document library on SharePoint match
the entity display names. More information: "Validation Error" when you try to configure server-based SharePoint integration
for Microsoft Dynamics CRM Online and SharePoint Online.
These names should match.
Configure a new organization
If your organization has not deployed document management, when a System Administrator logs in an alert
message will be displayed to enable server-based SharePoint integration.

NOTE
If you don't see the alert and have not previously enabled server-based SharePoint integration, clear your browser cache or
open customer engagement apps using Internet Explorer with InPrivate browsing to have the alert display again. Once you
configure server-based integration, the alert will no longer appear.

1. In the Power Platform admin center, select an environment.


2. Select Settings > Integration > Document management settings, and then select Enable server-
based SharePoint integration.
3. In the Enable Server-based SharePoint Integration alert select Next.
4. Choose Online for where your SharePoint sites are located, and then choose Next.

5. If your customer engagement apps are not connected to a SharePoint online site, enter the URL (for example
https://contoso.sharepoint.com) of your SharePoint site that you will use for auto folder creation, and then
choose Next.

TIP
To see your SharePoint site collections, in the Microsoft 365 admin center, select Admin centers > SharePoint, and
then select site collections.
6. The URL will be checked for being a valid SharePoint online site and for existing in the same Microsoft 365
tenant as your organization. After enabling server-based SharePoint integration you can't go back to the
previous client-side integration. Choose Enable.
Next steps
Once server-based SharePoint integration is enabled you will need to enable the entities you want available for
document management integration. More information: Enable document management on entities
Once server-based SharePoint integration is enabled you can also enable integration with OneNote and OneDrive.
More information: Set up OneNote integration and Enable OneDrive for Business (online)

Using Document Management


You are now ready to add document storage locations to the entities you enabled above and start managing
documents. Begin by opening a document management-enabled record (for example, Contact).
1. Browse to your web application.
2. Choose an account, such as the Adventure Works sample account.
3. On the nav bar, select the down arrow next to the account name, and then select Documents.

4. Select Upload, and then browse to a document to upload to the new folder in your Microsoft 365 SharePoint
Online Team site.
5. Select a folder location, and then select Ok.
6. To see the document in your Microsoft 365 SharePoint Online Team site, select to the left of the document
name (you'll see a check mark), and then select Open Location.

7. Select Site Contents to see all the document libraries created for the managed entities you selected.
The entities you selected to be managed by Document Management appear as document libraries (for
example: Account, Article, Case, Lead, Opportunity, Product, Quote, and Sales Literature).

Known issue
SharePoint Online has introduced a new feature that enables a SharePoint or global administrator in Microsoft 365
to block or limit access to SharePoint and OneDrive content from unmanaged devices. For more information, see
Control access from unmanaged devices.
You can set access at three levels:
1. Allow full access from desktop apps, mobile apps and the web
2. Allow limited, web-only access
3. Block access
For the "Block Access" level, only devices that satisfy the AD trust policy defined by the SharePoint or global admin can
open the SharePoint site and perform operations.
Impact on customer engagement apps and SharePoint Online integration
When SharePoint Online is configured for "Block Access", customer engagement apps receive a 401 Unauthorized
response from SharePoint Online for all operations triggered using server-to-server integration. This is because
SharePoint Online rejects the AppAssertedUser token (the claims-based token which is used for server-to-server
authentication between customer engagement apps and SharePoint Online).
Workaround
As a workaround, you can set the unmanaged devices policy to "Allow full access from desktop apps, mobile apps,
and the web" on SharePoint Online.
1. Sign in to https://admin.microsoft.com as a global or SharePoint admin. If you see a message that you don't
have permission to access the page, you don't have Microsoft 365 administrator permissions in your
organization.
2. In the left pane, select Admin centers > SharePoint.
3. In the SharePoint admin center, select access control in the left pane.

4. Under Unmanaged devices, select Allow full access from desktop apps, mobile apps, and the web.
5. Select Ok.

Information transmitted between customer engagement apps and SharePoint when you use server-based SharePoint integration

When you use the document management feature in customer engagement apps by using server-based SharePoint
integration, the following information is transmitted between customer engagement apps and SharePoint:
Entity name for the entity that is used to create folders in SharePoint, such as Account, Article, or Lead. To
configure the entities that are integrated, go to Settings > Document Management > Document
Management Settings.
See also
Manage your documents using SharePoint
Configure server-based authentication with
SharePoint on-premises
10/16/2020 • 10 minutes to read

Server-based SharePoint integration for document management can be used to connect customer engagement
apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365
Marketing, and Dynamics 365 Project Service Automation), with SharePoint on-premises. When using server-
based authentication, Azure AD Domain Services is used as the trust broker and users do not need to sign in to
SharePoint.

Permissions required
Microsoft 365
Global admin membership - this is required for administrative-level access to the Microsoft 365 subscription
and to run the Azure PowerShell cmdlets.
Customer engagement apps
Run SharePoint Integration Wizard privilege. This is required to run the Enable Server-based
Authentication wizard.
By default, the System Administrator security role has this permission.
SharePoint on-premises
Farm Administrators group membership - this is required to run most of the PowerShell commands on the
SharePoint server.

Set up server-to-server authentication with SharePoint on-premises


Follow the steps in the order provided to set up customer engagement apps with SharePoint 2013 on-premises.

IMPORTANT
The steps described here must be completed in the order provided. If a task is not completed, such as a PowerShell
command that returns an error message, the issue must be resolved before you continue to the next command, task, or
step.

Verify prerequisites
Before you configure customer engagement apps and SharePoint on-premises for server-based authentication, the
following prerequisites must be met:
SharePoint prerequisites
SharePoint 2013 (on-premises) with Service Pack 1 (SP1) or later version

IMPORTANT
SharePoint Foundation 2013 versions aren't supported for use with customer engagement apps document
management.
Install the April 2019 Cumulative Update (CU) for the SharePoint 2013 product family. This April 2019 CU
includes all SharePoint 2013 fixes (including all SharePoint 2013 security fixes) released since SP1. The April
2019 CU does not include SP1. You need to install SP1 before installing the April 2019 CU. More
information: KB4464514 SharePoint Server 2013 April 2019 CU
SharePoint configuration
If you use SharePoint 2013, for each SharePoint farm, only one customer engagement app can be
configured for server-based integration.
SharePoint website must be accessible via the Internet. A reverse proxy may also be required for
SharePoint authentication. More information: Configure a reverse proxy device for SharePoint Server
2013 hybrid
SharePoint website must be configured to use SSL (HTTPS) on TCP port 443 (no custom ports are
supported) and the certificate must be issued by a public root Certificate Authority. More
information: SharePoint: About Secure Channel SSL certificates
A reliable user property to use for claims-based authentication mapping between SharePoint and
customer engagement apps. More information: Selecting a claims mapping type
For document sharing, the SharePoint search service must be enabled. More information: Create and
configure a Search service application in SharePoint Server
For document management functionality when using the Dynamics 365 mobile apps, the on-
premises SharePoint server must be available through the Internet.
Other prerequisites
SharePoint Online license. Customer engagement apps to SharePoint on-premises server-based
authentication must have the SharePoint service principal name (SPN) registered in Azure Active Directory.
To achieve this, at least one SharePoint Online user license is required. The SharePoint Online license can
derive from a single user license and typically comes from one of the following:
A SharePoint Online subscription. Any SharePoint Online plan is sufficient even if the license isn't
assigned to a user.
A Microsoft 365 subscription that includes SharePoint Online. For example, if you have Microsoft
365 E3, you have the appropriate licensing even if the license isn't assigned to a user.
For more information about these plans, see Find the right solution for you and Compare SharePoint
options
The following software features are required to run the PowerShell cmdlets described in this topic.
Microsoft Online Services Sign-In Assistant for IT Professionals Beta
MSOnlineExt
To install the MSOnlineExt module, enter the following command from an administrator PowerShell
session.

PS> Install-Module -Name "MSOnlineExt"

IMPORTANT
At the time of this writing, there is an issue with the RTW version of Microsoft Online Services Sign-In Assistant for IT
Professionals. Until the issue is resolved, we recommend that you use the Beta version. More information: Microsoft
Azure Forums: Cannot install Azure Active Directory Module for Windows PowerShell. MOSSIA is not installed.

A suitable claims-based authentication mapping type to use for mapping identities between customer
engagement apps and SharePoint on-premises. By default, email address is used. More information: Grant
customer engagement apps permission to access SharePoint and configure the claims-based authentication
mapping
Update the SharePoint Server SPN in Azure Active Directory Domain Services
On the SharePoint on-premises server, in the SharePoint 2013 Management Shell, run these PowerShell
commands in the order given.
1. Prepare the PowerShell session.
The following cmdlets enable the computer to receive remote commands and add Microsoft 365 modules
to the PowerShell session. For more information about these cmdlets see Windows PowerShell Core
Cmdlets.

Enable-PSRemoting -force
New-PSSession
Import-Module MSOnline -force
Import-Module MSOnlineExtended -force

2. Connect to Microsoft 365.


When you run the Connect-MsolService command, you must provide a valid Microsoft account that has
Global admin membership for the SharePoint Online license that is required.
For detailed information about each of the Azure Active Directory PowerShell commands listed here, see
Manage Azure AD using Windows PowerShell.

$msolcred = get-credential
connect-msolservice -credential $msolcred

3. Set the SharePoint host name.


The value that you set for the variable HostName must be the complete host name of the SharePoint site
collection. The hostname must be derived from the site collection URL and is case sensitive. In this example,
the site collection URL is https://SharePoint.contoso.com/sites/salesteam, so the hostname is
SharePoint.contoso.com.

$HostName = "SharePoint.contoso.com"

4. Get the Microsoft 365 object (tenant) id and SharePoint Server Service Principal Name (SPN).

$SPOAppId = "00000003-0000-0ff1-ce00-000000000000"
$SPOContextId = (Get-MsolCompanyInformation).ObjectID
$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $SPOAppId
$ServicePrincipalName = $SharePoint.ServicePrincipalNames

5. Set the SharePoint Server Service Principal Name (SPN) in Azure Active Directory.

$ServicePrincipalName.Add("$SPOAppId/$HostName")
Set-MsolServicePrincipal -AppPrincipalId $SPOAppId -ServicePrincipalNames $ServicePrincipalName

After these commands complete, do not close the SharePoint 2013 Management Shell, and continue to the
next step.
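
The following is an added example, not part of the original documentation, that combines steps 3 through 5 in a form that is safe to run more than once: it takes the host name from the site collection URL without changing its case, adds the SPN only if it is not already registered, and reads the result back. It assumes the session is already connected with Connect-MsolService; the function name Get-SiteHostName and the variables $SiteCollectionUrl, $spn and $after are illustrative names.

```powershell
# Added example; Get-SiteHostName, $SiteCollectionUrl, $spn and $after are illustrative names.
# Requires the MSOnline session prepared in steps 1 and 2 (Connect-MsolService).

function Get-SiteHostName {
    param([Parameter(Mandatory = $true)][string]$Url)
    # [System.Uri].Host returns the host in lowercase, and the host name used for
    # the SPN is case sensitive, so the host is taken from the original string.
    # Only HTTPS on the default port 443 is accepted, matching the prerequisites.
    if ($Url -cmatch '^https://([^/:?#]+)(?::443)?(?:[/?#]|$)') {
        return $Matches[1]
    }
    throw "Not an HTTPS URL on port 443: $Url"
}

$SiteCollectionUrl = "https://SharePoint.contoso.com/sites/salesteam"
$HostName = Get-SiteHostName -Url $SiteCollectionUrl
$SPOAppId = "00000003-0000-0ff1-ce00-000000000000"
$spn      = "$SPOAppId/$HostName"

$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $SPOAppId
$ServicePrincipalName = $SharePoint.ServicePrincipalNames

# -ccontains is the case-sensitive membership test.
if ($ServicePrincipalName -ccontains $spn) {
    Write-Output "SPN already registered: $spn"
} else {
    $ServicePrincipalName.Add($spn)
    Set-MsolServicePrincipal -AppPrincipalId $SPOAppId -ServicePrincipalNames $ServicePrincipalName
}

# Read the service principal back and confirm that the entry is present.
$after = (Get-MsolServicePrincipal -AppPrincipalId $SPOAppId).ServicePrincipalNames
if ($after -ccontains $spn) {
    Write-Output "Verified: $spn"
} else {
    Write-Warning "SPN not found after update: $spn"
}
```

Step 4's $SPOContextId assignment is not repeated in this example and is still needed by the later sections.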
Update the SharePoint realm to match that of SharePoint Online
On the SharePoint on-premises server, in the SharePoint 2013 Management Shell, run this Windows PowerShell
command.
The following command requires SharePoint farm administrator membership and sets the authentication realm of
the SharePoint on-premises farm.
CAUTION

Running this command changes the authentication realm of the SharePoint on-premises farm. For applications
that use an existing security token service (STS), this may cause unexpected behavior with other applications that
use access tokens. More information: Set-SPAuthenticationRealm.

Set-SPAuthenticationRealm -Realm $SPOContextId

Create a trusted security token issuer for Azure Active Directory on SharePoint
On the SharePoint on-premises server, in the SharePoint 2013 Management Shell, run these PowerShell
commands in the order given.
The following commands require SharePoint farm administrator membership.
For detailed information about these PowerShell commands, see Use Windows PowerShell cmdlets to administer
security in SharePoint 2013.
1. Enable the PowerShell session to make changes to the security token service for the SharePoint farm.

$c = Get-SPSecurityTokenServiceConfig
$c.AllowMetadataOverHttp = $true
$c.AllowOAuthOverHttp = $true
$c.Update()

2. Set the metadata endpoint.

$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $SPOContextId + "/metadata/json/1"
$acsissuer = "00000001-0000-0000-c000-000000000000@" + $SPOContextId
$issuer = "00000007-0000-0000-c000-000000000000@" + $SPOContextId

3. Create the new token control service application proxy in Azure Active Directory.

New-SPAzureAccessControlServiceApplicationProxy -Name "Internal" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup

NOTE
The New-SPAzureAccessControlServiceApplicationProxy command may return an error message indicating that
an application proxy with the same name already exists. If the named application proxy already exists, you can ignore
the error.

4. Create the new token control service issuer in SharePoint on-premises for Azure Active Directory.

$acs = New-SPTrustedSecurityTokenIssuer -Name "ACSInternal" -IsTrustBroker:$true -MetadataEndpoint $metadataEndpoint -RegisteredIssuerName $acsissuer
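
The following is an added example, not part of the original documentation, of read-only checks that confirm the realm and the trusted token issuer hold the values set above, and that record the security token service transport settings changed in step 1. It assumes it is run in the same SharePoint 2013 Management Shell session, so that $SPOContextId and $acsissuer are still set; $findings, $realm, $tokenIssuer and $sts are illustrative names.

```powershell
# Added example: read-only checks. $findings, $realm, $tokenIssuer and $sts are illustrative names.
# Run in the same session so that $SPOContextId and $acsissuer are still defined.

$findings = @()

# The farm authentication realm must equal the Microsoft 365 tenant (context) ID.
$realm = Get-SPAuthenticationRealm
if ("$realm" -ne "$SPOContextId") {
    $findings += "Realm '$realm' does not match tenant ID '$SPOContextId'."
}

# The trusted token issuer must exist and carry the expected registered issuer name.
$tokenIssuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACSInternal" }
if (-not $tokenIssuer) {
    $findings += "Trusted security token issuer 'ACSInternal' was not found."
} elseif ($tokenIssuer.RegisteredIssuerName -ne $acsissuer) {
    $findings += "ACSInternal issuer name is '$($tokenIssuer.RegisteredIssuerName)', expected '$acsissuer'."
}

# Record the security token service settings that step 1 changed.
$sts = Get-SPSecurityTokenServiceConfig
Write-Output ("AllowMetadataOverHttp = {0}; AllowOAuthOverHttp = {1}" -f $sts.AllowMetadataOverHttp, $sts.AllowOAuthOverHttp)

if ($findings.Count -eq 0) {
    Write-Output "Realm and token issuer match the expected values."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```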

Grant customer engagement apps permission to access SharePoint and configure the claims-based
authentication mapping
On the SharePoint on-premises server, in the SharePoint 2013 Management Shell, run these PowerShell
commands in the order given.
The following commands require SharePoint site collection administration membership.
1. Register customer engagement apps with the SharePoint site collection.
Enter the SharePoint on-premises site collection URL. In this example,
https://sharepoint.contoso.com/sites/crm/ is used.

IMPORTANT
To complete this command, the SharePoint App Management Service Application Proxy must exist and be running.
For more information about how to start and configure the service, see the Configure the Subscription Settings and
App Management service applications subtopic in Configure an environment for apps for SharePoint (SharePoint
2013).

$site = Get-SPSite "https://sharepoint.contoso.com/sites/crm/"


Register-SPAppPrincipal -site $site.RootWeb -NameIdentifier $issuer -DisplayName "crm"

2. Grant customer engagement apps access to the SharePoint site. Replace
https://sharepoint.contoso.com/sites/crm/ with your SharePoint site URL.

NOTE
In the following example, the customer engagement app is granted permission to the specified SharePoint site
collection by using the –Scope site collection parameter. The Scope parameter accepts the following options. Choose
the scope that is most appropriate for your SharePoint configuration.
site. Grants the customer engagement apps permission to the specified SharePoint website only. It doesn't
grant permission to any subsites under the named site.
sitecollection. Grants the customer engagement apps permission to all websites and subsites within
the specified SharePoint site collection.
sitesubscription. Grants the customer engagement apps permission to all websites in the SharePoint
farm, including all site collections, websites, and subsites.

$app = Get-SPAppPrincipal -NameIdentifier $issuer -Site "https://sharepoint.contoso.com/sites/crm/"
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.Rootweb -Scope "sitecollection" -Right "FullControl"

3. Set the claims-based authentication mapping type.

IMPORTANT
By default, the claims-based authentication mapping will use the user's Microsoft account email address and the
user's SharePoint on-premises work email address for mapping. When you use this, the user's email addresses must
match between the two systems. For more information, see Selecting a claims-based authentication mapping type.

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

Run the Enable server-based SharePoint integration wizard


Follow these steps:
1. Go to Settings > Document Management.
2. In the Document Management area, click Enable server-based SharePoint integration.
3. Review the information and then click Next.
4. For the SharePoint sites, click On-premises, and then Next.
5. Enter the SharePoint on-premises site collection URL, such as https://sharepoint.contoso.com/sites/crm. The
site must be configured for SSL.
6. Click Next.
7. The validate sites section appears. If all sites are determined valid, click Enable. If one or more sites are
determined invalid, see Troubleshooting server-based authentication.
Select the entities that you want to include in document management
By default, Account, Article, Lead, Product, Quote, and Sales Literature entities are included. You can add or remove
the entities that will be used for document management with SharePoint in Document Management Settings.
Go to Settings > Document Management. More information: Enable document management on entities

Add OneDrive for Business integration


After you complete customer engagement apps and SharePoint on-premises server-based authentication
configuration, you can also integrate OneDrive for Business. With customer engagement apps and OneDrive for
Business integration, users can create and manage private documents using OneDrive for Business. Those
documents can be accessed once the system administrator has enabled OneDrive for Business.
Enable OneDrive for Business
On the Windows Server where SharePoint Server on-premises is running, open the SharePoint Management Shell
and run the following commands:

Add-Pssnapin *
# Access WellKnown App principal
[Microsoft.SharePoint.Administration.SPWebService]::ContentService.WellKnownAppPrincipals

# Create WellKnown App principal
$ClientId = "00000007-0000-0000-c000-000000000000"
$PermissionXml = "<AppPermissionRequests AllowAppOnlyPolicy=""true""><AppPermissionRequest Scope=""http://sharepoint/content/tenant"" Right=""FullControl"" /><AppPermissionRequest Scope=""http://sharepoint/social/tenant"" Right=""Read"" /><AppPermissionRequest Scope=""http://sharepoint/search"" Right=""QueryAsUserIgnoreAppPrincipal"" /></AppPermissionRequests>"

$wellKnownApp = New-Object -TypeName "Microsoft.SharePoint.Administration.SPWellKnownAppPrincipal" -ArgumentList ($ClientId, $PermissionXml)

$wellKnownApp.Update()

Selecting a claims-based authentication mapping type


By default, the claims-based authentication mapping will use the user's Microsoft account email address and the
user's SharePoint on-premises work email address for mapping. Note that whatever claims-based authentication
type you use, the values, such as email addresses, must match between customer engagement apps and
SharePoint. Microsoft 365 directory synchronization can help with this. More information: Deploy Microsoft 365
Directory Synchronization in Microsoft Azure. To use a different type of claims-based authentication mapping, see
Define custom claim mapping for SharePoint server-based integration.
IMPORTANT
To enable the Work email property, SharePoint on-premises must have a User Profile Service Application configured and
started. To enable a User Profile Service Application in SharePoint, see Create, edit, or delete User Profile service applications
in SharePoint Server 2013. To make changes to a user property, such as Work email, see Edit a user profile property. For
more information about the User Profile Service Application, see Overview of the User Profile service application in
SharePoint Server 2013.

See also
Troubleshooting server-based authentication
Set up SharePoint integration with customer engagement apps
Enable SharePoint document management for specific entities
10/16/2020 • 2 minutes to read

Store the documents related to entity records in SharePoint and quickly access, share, and manage these
documents from customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics
365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), by enabling
document management on the specific entities.

TIP
If you haven't set up server-based SharePoint integration, you may want to do that before enabling document
management for specific entities. For more information, see Set up SharePoint integration.

1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365. Or verify that you have Read and Write privileges on all record types that are customizable.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Integration > Document management settings > Document Management
Settings.
4. Select the entities that you want to use to manage SharePoint documents.
If a URL is not already specified, enter the URL of the SharePoint site where the document locations and
folders for storing documents will be created, and then select Next.
5. Consider these server-based integration settings.
Check Based on entity to have document libraries and folders that are based on the Account entity
automatically created on the SharePoint site. Users will not be prompted to create them.
If you don't want folders automatically created, clear the Based on entity check box.

IMPORTANT
If you have customer engagement apps and SharePoint Online, make sure the site is under the same Microsoft 365
tenant as your Dynamics 365 environments.

Select Finish.
For more information on server-based integration, see Set up SharePoint integration.
IMPORTANT
With the exception of the opportunity and contract entities, a hierarchical folder structure will not be automatically
created in SharePoint for entities that have more than one many-to-one (N:1) relationship with the parent entity.
For document management to function correctly for an entity, the entity relationship must be one-to-many (1:N)
between the entity and the SharePoint document entity. The documents that exist in the SharePoint document library
will not appear in the app for entities with many-to-one (N:1) or many-to-many (N:N) relationships between the entity
and a SharePoint document entity.

See also
Edit existing SharePoint site records
Set up SharePoint integration
Edit existing SharePoint site records
10/16/2020 • 2 minutes to read

Store documents related to your records in SharePoint folders and manage the folders and documents from within
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation). Integrating SharePoint document
management with customer engagement apps makes it easy to access and share documents associated with your
records.

TIP
If you're using CRM 2013 SP1 or later, you can take advantage of server-based SharePoint integration between customer
engagement apps and SharePoint Online. Server-based SharePoint integration provides an immersive document
management experience consistent with the look and feel of customer engagement apps.
You can use server-based SharePoint integration for on-premises and hybrid SharePoint deployments. For information about
setting up server-based SharePoint integration using a wizard, see Set up SharePoint integration

If you have already set up SharePoint document management, and want to edit your site records, use the following
procedure.

Edit site records


1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don't have the correct permissions? Contact your system administrator.
2. In the web apps, go to Settings > Document Management.
3. Select SharePoint Sites.
4. Select the site record you want to modify, and then select Edit.
5. Modify any of the following settings:
Name. Add or change the name for the site.
Owner. By default, the person who created the site is listed as the owner of the site record.
Description. Add or change the description for the site. For example, specify what documents the
site contains.
URL Type. Specify whether you want to add an absolute (full) or relative URL for the site.
Absolute URL. To point this site record to a site collection or site in SharePoint, specify the
fully qualified URL of the site collection or site. You can use this record as a parent site to
create other site records with relative URLs for sites inside the site collection or sites on the
same SharePoint site.
Relative URL. Use this option when you have at least one site record pointing to a site
collection in SharePoint. In the Parent Site box, select an existing site record. If the site record
that you selected as a parent site points to a site collection on SharePoint, specify the name of
an existing site in the second box. If the site record that you selected as a parent site points to
a site on SharePoint, specify the name of an existing subordinate site on SharePoint.
6. Select Save.
7. Select Save and Close.

NOTE
To activate or deactivate a site record, on the SharePoint Sites page, select the site record, and then in the Records group,
select Activate or Deactivate.

See also
Set up SharePoint integration
Create or edit document location records
10/16/2020 • 2 minutes to read

SharePoint document locations are records in customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), that point to a SharePoint document library or folder.
To store documents for records, the document libraries or folders must be in place. If customer engagement apps
are unable to create the document libraries and folders automatically, you can manually create these in SharePoint.
After you create the document libraries and folders in SharePoint, you must create document location records in
customer engagement apps to point to these SharePoint document libraries and folders.
1. Go to Settings > Document Management.
2. Choose SharePoint Document Locations.
3. Choose New.
4. Specify the following information as required:
Name. Type a name for the document location. This name displays in the location list in the entity
record.
Owner. By default, you are added as the owner of this location record.
Description. Type a description for the document location.
URL Type. Select whether you want to create the location with an absolute URL or relative URL.
Select Absolute URL, and in the Absolute URL box, specify the fully qualified URL of the
location of the folder in SharePoint.
- OR -
Select Relative URL. In Relative URL, to create a relative document location to the existing
site or document location record, select the existing SharePoint site or document location
record. In the second box, enter the name of the SharePoint folder.
Regarding. Choose the Lookup button. In the Look Up Record dialog box, in the Look for list,
select the type of records you want to find. Search for and select the record for which you want to create
the location record, and choose OK.
5. Choose Save and Close.

NOTE
To activate or deactivate a document location, on the Document Locations page, select the document location record, and
choose Activate or Deactivate.
Permissions required for document management tasks
10/16/2020 • 2 minutes to read

The following table shows the default security roles or other permissions that are needed to perform each
document management with SharePoint task.

IMPORTANT
If you’re using Dynamics 365 for Outlook, you can’t do any of these tasks while you’re offline.

| Tasks related to document management | Minimum security role or other permission required |
|---|---|
| Enable or disable document management | Security roles: System Administrator or System Customizer; Privileges: Read, Write on all record types that are customizable; SharePoint site permissions: Create, Read, Write, Append, Append To |
| Create or edit site records | Security roles: System Administrator or System Customizer; SharePoint site permissions: Site Create, Read, Write, Append, Append To |
| Create or edit document location records | Security roles: Salesperson; SharePoint site permissions: Read, Append To; SharePoint Document Location permissions: Create, Read, Write, Append, Append To |
| Run the Enable Server-based SharePoint Integration Wizard | Security roles: System Administrator; Privileges: All other security roles will require the Run SharePoint Integration Wizard permission to run the Enable Server-based SharePoint Integration Wizard. |
| Make a site your default site | Security roles: System Administrator or System Customizer; SharePoint site permissions: Read, Write |
| Validate sites | Security roles: System Administrator or System Customizer; SharePoint site permissions: Read, Write |
| Add or edit a document location from a record | Security roles: Any; SharePoint site permissions: Read, Append To; SharePoint Document Location permissions: Create, Read, Write, Append, Append To |
| Fix a broken location | Security roles: Any; SharePoint Document Location permissions: Read, Write |
| Manage documents | Security roles: Any; SharePoint Document Location permissions: Read, Write |

See also
Manage Your Documents
Validate and fix SharePoint site URLs
Troubleshooting server-based authentication
10/16/2020 • 4 minutes to read

Troubleshooting the Enable server-based SharePoint Integration wizard


Review the error log for information about why the site doesn’t validate. To do this, click Error Log in the Enable
Server-Based SharePoint Integration wizard after the validate sites stage is completed.
The enable server-based SharePoint integration validation check can return one of the following four types of
failures.
Failed Connection
This failure indicates that the SharePoint server could not be accessed from where the validation check was run.
Verify that the SharePoint URL that you entered is correct and that you can access the SharePoint site and site
collection by using a web browser from the computer where the Enable Server-Based SharePoint Integration
wizard is running. More information: Troubleshooting hybrid environments (SharePoint)
Failed Authentication
This failure can occur when one or more of the server-based authentication configuration steps were not
completed or did not complete successfully. More information: Set up SharePoint integration
This failure can also occur if an incorrect URL is entered in the Enable Server-Based SharePoint Integration wizard
or if there is a problem with the digital certificate used for server authentication. Similarly, this failure can occur as
a result of a SharePoint site rename when the URL is not updated in the corresponding SharePoint Site record.
More information: Users receive "You don't have permissions to view files in this location" message
Failed authorization or 401 unauthorized error
This failure can occur when the claims-based authentication types do not match. For example, in a hybrid
deployment such as customer engagement apps to SharePoint on-premises, when you use the default claims-
based authentication mapping, the Microsoft account email address used by the user must match the SharePoint
user’s Work email. More information: Define custom claim mapping for SharePoint server-based integration
SharePoint Version Not Supported
This failure indicates that the SharePoint edition, version, required service pack, or required hotfix is missing.

Troubleshooting SharePoint
Issues that affect server-based authentication can also be recorded in SharePoint logs and reports. For more
information about how to view and troubleshoot SharePoint monitoring, see the following topics: View reports
and logs in SharePoint 2013 and Configure diagnostic logging in SharePoint 2013.

Known issues with server-based authentication


This section describes the known issues that may occur when you set up or use customer engagement apps and
SharePoint server-based authentication.
Failed authentication is returned when validating a SharePoint site even though you have appropriate
permission
Applies to: customer engagement apps with SharePoint Online, customer engagement apps with SharePoint on-
premises.
This issue can occur when the claims-based authentication mapping in use leads to claim type values that
don’t match between customer engagement apps and SharePoint. For example, this issue can
occur when the following items are true:
You use the default claims-based authentication mapping type, which for customer engagement apps to
SharePoint Online server-based authentication uses the Microsoft account unique identifier.
The identities used for Microsoft 365, Dynamics 365 administrator, or SharePoint Online administrator
don’t use the same Microsoft account, therefore the Microsoft account unique identifiers don’t match.
“Private key not found” error message returned when you run the CertificateReconfiguration.ps1 Windows
PowerShell script
This content also applies to the on-premises version.
This issue can occur when there are two self-signed certificates located in the local certificate store that have the
same subject name.
Notice that this issue should only occur when you use a self-signed certificate. Self-signed certificates should not
be used in production environments.
To resolve this issue, remove the certificates with the same subject name that you don’t need using the Certificate
Manager MMC snap-in and note the following.

IMPORTANT
It can take up to 24 hours before the SharePoint cache will begin using the new certificate. To use the certificate now, follow
the steps here to replace the certificate information in customer engagement apps.
To resolve this issue by following the steps in this article, the existing certificate cannot be expired.
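
The following is an added example, not part of the original documentation, that lists the certificates sharing a subject name so you can decide which ones to remove in Certificate Manager. It assumes the certificates are in the local computer's Personal store (Cert:\LocalMachine\My); $storePath, $now and $duplicates are illustrative names, and the script only reads the store.

```powershell
# Added example: report certificates that share a subject name. Read-only.
# The store path is an assumption; change it if the certificates are stored elsewhere.
$storePath = 'Cert:\LocalMachine\My'
$now = Get-Date

# Group by subject name and keep only the groups with more than one certificate.
$duplicates = Get-ChildItem -Path $storePath |
    Group-Object -Property Subject |
    Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    Write-Output "No duplicate subject names found in $storePath."
} else {
    # Show what is needed to tell the duplicates apart: thumbprint, validity period,
    # whether the private key is present, and whether the certificate is self-signed.
    $duplicates | ForEach-Object { $_.Group } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey,
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
            @{ Name = 'Expired';    Expression = { $_.NotAfter -lt $now } } |
        Sort-Object Subject, NotAfter |
        Format-List
}
```

The Expired column matters because the steps in this article require that the existing certificate has not expired.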

Replace a certificate that has the same subject name


1. Use an existing certificate or create a new self-signed certificate. The subject name must be unique among the
certificate subject names that are registered in the local certificate store.
2. Run the following PowerShell script against the existing certificate, or the certificate that you created in the
previous step. This script will add a new certificate in customer engagement apps, which will then be
replaced in a later step.

CertificateReconfiguration.ps1 -certificateFile <Private certificate file (.pfx)> -password <private-certificate-password> -updateCrm -certificateType AlternativeS2STokenIssuer -serviceAccount <serviceAccount> -storeFindType FindBySubjectDistinguishedName

3. Remove the AlternativeS2STokenIssuer type certificate from the configuration database. To do this, run these
PowerShell commands.

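Add-PSSnapin Microsoft.Crm.PowerShell
# Find the certificate registered with the AlternativeS2STokenIssuer type.
$Certificates = Get-CrmCertificate
$alternativecertificate = $null
foreach ($cert in $Certificates)
{
    if ($cert.CertificateType -eq "AlternativeS2STokenIssuer") { $alternativecertificate = $cert }
}
# Remove it only if one was found.
if ($alternativecertificate) { Remove-CrmCertificate -Certificate $alternativecertificate }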

You receive “The remote server returned an error: (400) Bad Request” and “Register-SPAppPrincipal: The
requested service, 'http://wgwitsp:32843/46fbdd1305a643379b47d761334f6134/AppMng.svc' could not be
activated” error messages
Applies to: SharePoint on-premises versions used with customer engagement apps.
The remote server returned an error: (400) Bad Request error message can occur after the certificate installation,
such as when you run the CertificateReconfiguration.Ps1 script.
The Register-SPAppPrincipal: The requested service,
'http://wgwitsp:32843/46fbdd1305a643379b47d761334f6134/AppMng.svc' could not be activated error
message can occur when you grant permission to access SharePoint by running the Register-SPAppPrincipal
command.
To resolve both of these errors after they occur, restart the web server where the web application is installed. More
information: Start or Stop the Web Server (IIS 8)
“Something went wrong while interaction with SharePoint” error message received
Applies to: All versions when used with SharePoint Online
This error can be returned to a user who doesn’t have site permissions, or whose permissions have been
removed from the SharePoint site where document management is enabled. Currently, this is a known issue with
SharePoint Online where the error message that is displayed to the user doesn’t indicate that the user’s
permissions are not sufficient to access the site.
See also
Troubleshoot SharePoint Online integration
Permissions required for document management tasks
Troubleshoot SharePoint integration
10/16/2020 • 7 minutes to read

This topic explains how to fix common issues that may occur with SharePoint document management.

Missing Documents button - validate and fix


If Documents is missing from entities such as account, use the following to restore.

1. Make sure you have the System Administrator security role or equivalent permissions. Check your security
role: a. Follow the steps in View your user profile. b. Don't have the correct permissions? Contact your
system administrator.
2. Fix the missing Documents button. Follow these steps:
a. Identify the entity for which the documents link should be visible (for example, account, contact, opportunity, and so on).
b. Go to Settings > Document Management Settings.
c. Make sure the entity for which you want the documents link (selected in Step 1) is selected and a valid
SharePoint URL is specified.
d. Complete the wizard.
e. Verify the Documents button appears.
For more information, see Enable SharePoint document management for specific entities.

Malformed FetchXML or LayoutXML - validate and fix


Malformed FetchXML or LayoutXML can cause any of the following issues:
Documents associated grid is missing
Unable to view folders
Unable to view documents inside folders
Document is not getting deleted
Error Message – "Required parameter is null or undefined: url" while opening the documents tab
Error Message – "System.NullReferenceException" while uploading a document
Document being downloaded instead of opening in new tab
There can be many causes for FetchXML or LayoutXML to be malformed. The most common cause is customizing
the entity/grid view, adding/removing columns, and other similar customizations.
If FetchXML or LayoutXML are malformed, use the following to restore.
1. Make sure you have the System Administrator security role or equivalent permissions. Check your security role:
a. Follow the steps in View your user profile.
b. Don't have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Customizations > Solutions .
3. Create a solution (named SharePointDocumentSolution). For more information, see Create a solution.
4. Choose Entities > Add Existing > Entity > find and add SharePoint Document entity (select all fields,
forms, views).
5. Select Save and Close .
6. Publish all customizations.
7. Select the created (SharePointDocumentSolution) solution.
8. Export the solution and choose the Package type as "Unmanaged". SharePointDocumentSolution.zip will be
downloaded.
9. Delete the solution that was created during step 3 from the organization.
10. Extract the exported solution zip file (downloaded file from Step 8).
11. In the solution contents folder, locate and then open Solution.xml .
12. Change the following value in Solution.xml , and then save it.
From <Managed>0</Managed> to <Managed>1</Managed> .
13. In the solution contents folder, locate and open customization.xml .
14. Search for the <SavedQuery> element where the savedqueryid attribute is equal to "0016f9f3-41cc-4276-9d11-04308d15858d".
15. If the <SavedQuery> element found in step 14 is similar to <SavedQuery unmodified="1"> , remove the
unmodified="n" attribute.
16. Search layoutxml of Document associated grid (search for Document Associated).

17. Make the changes as indicated below for the layoutxml section:
<layoutxml>
<grid name="sharepointdocument" object="9507" jump="fullname" select="1" icon="0" preview="1">
<row name="sharepointdocument" id="sharepointdocumentid">
<cell name="fullname" width="300"
imageproviderfunctionname="DocumentManagement.FileTypeIcon.loadSharePointFileTypeIcon"
imageproviderwebresource="$webresource:SharePoint_main_system_library.js" />
<cell name="modified" width="150" />
<cell name="sharepointmodifiedby" width="150" />
<cell name="relativelocation" width="200" />
<cell name="servicetype" width="90" />
<cell name="documentid" ishidden="1" />
<cell name="title" ishidden="1" />
<cell name="author" ishidden="1" />
<cell name="sharepointcreatedon" ishidden="1" />
<cell name="sharepointdocumentid" ishidden="1" />
<cell name="filetype" ishidden="1" />
<cell name="readurl" ishidden="1" />
<cell name="editurl" ishidden="1" />
<cell name="ischeckedout" ishidden="1" />
<cell name="absoluteurl" ishidden="1" />
<cell name="locationid" ishidden="1" />
<cell name="iconclassname" ishidden="1" />
</row>
</grid>
</layoutxml>

IMPORTANT
All the attributes configured in the layout xml require their corresponding respective attributes to be present in the
Fetch XML. The grid will return an error when this configuration is incorrect.

18. Make the changes as below for the FetchXml section:

<fetch distinct="false" mapping="logical">
<entity name="sharepointdocument">
<attribute name="documentid" />
<attribute name="fullname" />
<attribute name="relativelocation" />
<attribute name="sharepointcreatedon" />
<attribute name="ischeckedout" />
<attribute name="filetype" />
<attribute name="modified" />
<attribute name="sharepointmodifiedby" />
<attribute name="servicetype" />
<attribute name="absoluteurl" />
<attribute name="title" />
<attribute name="author" />
<attribute name="sharepointdocumentid" />
<attribute name="readurl" />
<attribute name="editurl" />
<attribute name="locationid" />
<attribute name="iconclassname" />
<order attribute="relativelocation" descending="false" />
<filter>
<condition attribute="isrecursivefetch" operator="eq" value="0" />
</filter>
</entity>
</fetch>

19. Similarly, search for the <SavedQuery> element where the savedqueryid attribute is equal to "a5b008ac-07d9-4554-8509-2c05767bff51".
20. If the <SavedQuery> element found in step 19 is similar to <SavedQuery unmodified="1"> , remove the
unmodified="n" attribute.
21. Search layoutxml of All SharePoint Document (search for All SharePoint Document).

22. Make the changes as indicated below for the layoutxml section:

<layoutxml>
<grid name="sharepointdocument" jump="fullname" select="1" icon="0" preview="1">
<row name="sharepointdocument" id="sharepointdocumentid">
<cell name="fullname" width="300"
imageproviderfunctionname="DocumentManagement.FileTypeIcon.loadSharePointFileTypeIcon"
imageproviderwebresource="$webresource:SharePoint_main_system_library.js" />
<cell name="relativelocation" width="200" />
<cell name="modified" width="150" />
<cell name="sharepointmodifiedby" width="150" />
<cell name="sharepointcreatedon" width="300" />
<cell name="documentid" ishidden="1" />
<cell name="title" ishidden="1" />
<cell name="readurl" ishidden="1" />
<cell name="editurl" ishidden="1" />
<cell name="author" ishidden="1" />
<cell name="absoluteurl" ishidden="1" />
<cell name="sharepointdocumentid" ishidden="1" />
<cell name="filetype" ishidden="1" />
<cell name="ischeckedout" ishidden="1" />
<cell name="locationid" ishidden="1" />
<cell name="iconclassname" ishidden="1" />
</row>
</grid>
</layoutxml>

23. Make the changes as below for the FetchXml section:


<fetch distinct="false" mapping="logical">
<entity name="sharepointdocument">
<attribute name="documentid" />
<attribute name="fullname" />
<attribute name="relativelocation" />
<attribute name="sharepointcreatedon" />
<attribute name="filetype" />
<attribute name="absoluteurl" />
<attribute name="modified" />
<attribute name="sharepointmodifiedby" />
<attribute name="title" />
<attribute name="readurl" />
<attribute name="editurl" />
<attribute name="author" />
<attribute name="sharepointdocumentid" />
<attribute name="ischeckedout" />
<attribute name="locationid" />
<attribute name="iconclassname" />
<filter>
<condition attribute="isrecursivefetch" operator="eq" value="1" />
</filter>
<order attribute="relativelocation" descending="false" />
</entity>
</fetch>

24. Similarly, search for the <SavedQuery> element where the savedqueryid attribute is equal to "cb177797-b2ac-42a8-9773-5412321a965c".
25. If the <SavedQuery> element found in step 24 is similar to <SavedQuery unmodified="1"> , remove the
unmodified="n" attribute.
26. Search layoutxml of OneNote SharePoint Document (search for OneNote SharePoint Document).

27. Make the changes as indicated below for the layoutxml section:
<layoutxml>
<grid name="sharepointdocument" jump="fullname" select="1" icon="0" preview="1">
<row name="sharepointdocument" id="sharepointdocumentid">
<cell name="fullname" width="300"
imageproviderfunctionname="DocumentManagement.FileTypeIcon.loadSharePointFileTypeIcon"
imageproviderwebresource="$webresource:SharePoint_main_system_library.js" />
<cell name="relativelocation" width="200" />
<cell name="modified" width="150" />
<cell name="sharepointmodifiedby" width="150" />
<cell name="sharepointcreatedon" width="300" />
<cell name="title" ishidden="1" />
<cell name="readurl" ishidden="1" />
<cell name="editurl" ishidden="1" />
<cell name="author" ishidden="1" />
<cell name="absoluteurl" ishidden="1" />
<cell name="filetype" ishidden="1" />
<cell name="ischeckedout" ishidden="1" />
<cell name="locationid" ishidden="1" />
<cell name="iconclassname" ishidden="1" />
</row>
</grid>
</layoutxml>

28. Make the changes as below for the FetchXml section:

<fetch distinct="false" mapping="logical">
<entity name="sharepointdocument">
<attribute name="documentid" />
<attribute name="fullname" />
<attribute name="relativelocation" />
<attribute name="sharepointcreatedon" />
<attribute name="filetype" />
<attribute name="modified" />
<attribute name="sharepointmodifiedby" />
<attribute name="title" />
<attribute name="readurl" />
<attribute name="editurl" />
<attribute name="author" />
<attribute name="absoluteurl" />
<attribute name="ischeckedout" />
<attribute name="locationid" />
<attribute name="iconclassname" />
<filter type="and">
<condition attribute="documentlocationtype" operator="eq" value="1" />
<condition attribute="isrecursivefetch" operator="eq" value="0" />
<filter type="or">
<condition attribute="filetype" operator="eq" value="one" />
<condition attribute="filetype" operator="eq" value="onetoc2" />
</filter>
</filter>
<order attribute="sharepointcreatedon" descending="true" />
</entity>
</fetch>

29. Save the file.
30. Zip the folder.
31. Open a model-driven app in Dynamics 365.
32. Navigate to Settings > Solutions.
33. Import the solution (zipped file in Step 8).
34. Publish all customizations.
35. Verify that the issues associated with the malformed FetchXML or LayoutXML are resolved. For
example, verify that the Document associated grid displays all the required SharePoint documents.
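The IMPORTANT note above (every layoutxml cell needs a matching FetchXML attribute) and the unmodified-attribute steps can be checked on the extracted customization.xml before the solution is re-imported. The following Python script is an added example, not part of the original documentation: it assumes each view is stored as a savedquery element whose ID is either an attribute (as the steps word it) or a child element, and the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Saved-query IDs named in steps 14, 19 and 24 of the procedure above.
SAVED_QUERY_IDS = {
    "0016f9f3-41cc-4276-9d11-04308d15858d": "Document Associated",
    "a5b008ac-07d9-4554-8509-2c05767bff51": "All SharePoint Document",
    "cb177797-b2ac-42a8-9773-5412321a965c": "OneNote SharePoint Document",
}


def _norm_id(value):
    """Lower-case a GUID and drop surrounding whitespace and braces."""
    return (value or "").strip().strip("{}").lower()


def _descendants(elem, tag):
    """All descendants of elem whose tag equals `tag`, ignoring case."""
    return [n for n in elem.iter() if n is not elem and n.tag.lower() == tag]


def _query_id(saved_query):
    # Assumption: the ID is either an attribute or a <savedqueryid> child.
    for key, value in saved_query.attrib.items():
        if key.lower() == "savedqueryid":
            return _norm_id(value)
    children = _descendants(saved_query, "savedqueryid")
    return _norm_id(children[0].text) if children else ""


def check_saved_queries(customization_xml):
    """Return a list of (view name, problem) tuples; empty means clean.

    Parse only exports from your own environment with ElementTree; for
    XML from an untrusted source use a hardened parser such as defusedxml.
    """
    root = ET.fromstring(customization_xml)
    problems, seen = [], set()
    for sq in root.iter():
        if sq.tag.lower() != "savedquery":
            continue
        qid = _query_id(sq)
        if qid not in SAVED_QUERY_IDS:
            continue
        seen.add(qid)
        name = SAVED_QUERY_IDS[qid]
        # Steps 15, 20 and 25: the unmodified attribute must be removed.
        if any(k.lower() == "unmodified" for k in sq.attrib):
            problems.append((name, "unmodified attribute still present"))
        layout = _descendants(sq, "layoutxml")
        fetch = _descendants(sq, "fetch")
        if not layout or not fetch:
            problems.append((name, "layoutxml or fetch section missing"))
            continue
        fetched = {a.get("name") for a in _descendants(fetch[0], "attribute")}
        # IMPORTANT note: each grid cell needs a matching fetch attribute.
        for cell in _descendants(layout[0], "cell"):
            if cell.get("name") not in fetched:
                problems.append(
                    (name, f"layout cell '{cell.get('name')}' has no matching fetch attribute")
                )
    for qid in sorted(SAVED_QUERY_IDS.keys() - seen):
        problems.append((SAVED_QUERY_IDS[qid], "saved query not found in file"))
    return problems


# Constructed sample: first view is broken in two ways, second is clean,
# third view is absent from the file.
SAMPLE = """<ImportExportXml><Entities><Entity><SavedQueries><savedqueries>
<savedquery unmodified="1">
  <savedqueryid>{0016f9f3-41cc-4276-9d11-04308d15858d}</savedqueryid>
  <layoutxml><grid name="sharepointdocument" jump="fullname">
    <row name="sharepointdocument" id="sharepointdocumentid">
      <cell name="fullname" width="300" /><cell name="servicetype" width="90" />
    </row></grid></layoutxml>
  <fetchxml><fetch distinct="false" mapping="logical">
    <entity name="sharepointdocument"><attribute name="fullname" /></entity>
  </fetch></fetchxml>
</savedquery>
<savedquery savedqueryid="a5b008ac-07d9-4554-8509-2c05767bff51">
  <layoutxml><grid name="sharepointdocument" jump="fullname">
    <row name="sharepointdocument" id="sharepointdocumentid">
      <cell name="fullname" width="300"/><cell name="relativelocation" width="200"/>
    </row></grid></layoutxml>
  <fetchxml><fetch distinct="false" mapping="logical">
    <entity name="sharepointdocument">
      <attribute name="fullname"/><attribute name="relativelocation"/>
    </entity>
  </fetch></fetchxml>
</savedquery>
</savedqueries></SavedQueries></Entity></Entities></ImportExportXml>"""

if __name__ == "__main__":
    for view, problem in check_saved_queries(SAMPLE):
        print(f"{view}: {problem}")
```

To check a real export, pass the text of the extracted customization.xml to check_saved_queries instead of SAMPLE.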

Validate and fix SharePoint site URLs


In customer engagement apps (such as Dynamics 365 Sales and Customer Service), SharePoint site and document
location records contain links to site collections, site, document libraries, and folders in SharePoint. These site and
document location records are associated with records so that the documents for records can be stored in
SharePoint.
When the links between customer engagement apps and SharePoint break, you must validate and fix the links so
that the records continue to point to the correct document libraries and folders for managing the documents.
1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. Find and fix the URLs. To do this, follow these steps.
a. Go to Settings > Document Management .
b. Click SharePoint Sites .
c. Select the site URLs that you want to validate, and then click or tap Validate .
3. Customer engagement apps validate all the selected site URLs and their immediate subordinate site and
document library URLs. It then displays the results in Validating Sites .
4. To fix a URL, open the site record, and enter the correct URL. More information: Create or edit site records.
5. Click Save & Close .

Users receive "You don't have permissions to view files in this location"
message
This error message can occur when the SharePoint site that is configured with document management has been
renamed, but the SharePoint sites URL record has not been updated to reflect the change.
1. Go to Settings > Document Management > SharePoint Sites .
2. Open the SharePoint Site record that has been renamed and enter the new URL in Absolute URL.
3. Select Save & Close .
See also
Troubleshooting server-based authentication
Troubleshooting document management issues
10/16/2020 • 3 minutes to read

This topic explains how to use information provided in error messages to fix issues with the document
management feature. Below is an index that will help you to reach the right solution. The link in each cell navigates
to the reason and mitigation steps for the corresponding error message.

Error messages
The following are error messages that are possible with document management.
Error Message 1
Document library <entity name> has been renamed or deleted from SharePoint site <SharePoint site> . Rerun the
document management wizard and try again.
Error Message 2
Folder <folder name> has been renamed or deleted from SharePoint. It was expected inside <folder path> path.
Restore the folder on SharePoint and try again.

Index of errors
| ERROR | ERROR MESSAGE 1 | ERROR MESSAGE 2 |
|---|---|---|
| Refresh the document grid for existing record | Mitigation steps for missing document library | Mitigation steps for missing folder |
| Load the document grid after creating new record | Mitigation steps for missing document library | Mitigation steps for missing folder |
| Upload file | Mitigation steps for missing document library | Mitigation steps for missing folder |
| Create new file/folder | Mitigation steps for missing document library | Mitigation steps for missing folder |
| Add location | Mitigation steps for missing document library | Mitigation steps for missing folder |
| Edit location | Mitigation steps for missing document library | Mitigation steps for missing folder |

Reason and mitigation steps for missing document library


Error message displayed for missing document library:
"Document library <entity name> has been renamed or deleted from SharePoint site <SharePoint site> . Rerun the
document management wizard and try again."
[Screenshots: the error message as shown in Unified Interface, in the web client, and in the log file.]
Reason
This error typically occurs when the SharePoint document library was created for the record. Because of some
changes in SharePoint, the document library doesn’t exist anymore. This can happen because the document library
was deleted or moved to a different SharePoint site.
Mitigation steps for missing document library
1. The error message shows the name of the document library that is missing. It also shows the path where the
document library is expected on the SharePoint site.
2. Select Settings -> Document Management Settings .
3. Make sure the entity for the document library found from step 1 is selected and a valid SharePoint URL is
specified.
4. Complete the Document Management Settings wizard.
5. The last step of wizard should have the status of document library as succeeded.

6. Once complete, verify that document library is now present on the SharePoint site in the path shown in the
error message.
7. Launch the application and repeat the operation that produced the error.

Reason and mitigation steps for missing folder


Error message displayed for missing folder:
"Folder <folder name> has been renamed or deleted from SharePoint. It was expected inside <folder path>
path. Restore the folder on SharePoint and try again."
Error message when the entity-based folder structure is not enabled.
Folder path is ../<entity name>/<record name>

[Screenshots: the error message as shown in the Unified Interface, in the web client, and in the log file.]

Error message when the entity-based folder structure is enabled.


Folder path is ../<account or contact>/<account or contact name>/<entity name>/<record name>

[Screenshots: the error message as shown in the Unified Interface, in the web client, and in the log file.]
Reason
This error typically occurs when the SharePoint folder was created for the record. Because of a change in
SharePoint, the folder doesn’t exist anymore. This can happen because the folder for this record was either
renamed, deleted, or moved to different location.
Mitigation steps for missing folder
1. The error message shows the name of the folder which is missing. It also shows the path where the folder
was expected on the SharePoint site. Navigate to this path in SharePoint.
2. Create a new folder on SharePoint with the name the same as the folder name provided in error message.
3. Once complete, verify that folder is now present on the SharePoint site in the path shown in the error
message.
4. Launch the application and repeat the operation that produced the error.
See also
Known issues with document management
Known issues with document management
10/16/2020 • 5 minutes to read

The customizations and configurations described here can cause issues with the document management feature.

Components from an Iframe


Opening a component from an Iframe in an entity form from a Unified Interface app will not succeed. For example,
loading the Document Associated Grid for an entity form in an Iframe loads the grid in the Iframe but users will not
be able to interact with the document records from the grid.

Third-party solutions that modify Document Management folders


Deploying third-party solutions that modify the folders used with the Document Management feature can cause
unexpected behavior. Examples include the following:
Creation of entity record level SharePoint folders.
Renaming of previously auto-created entity record level SharePoint folders.
Moving previously auto-created entity record level SharePoint folders to another location.
If you experience unexpected behavior with the document management feature caused by a third-party solution,
contact the third-party solution vendor.

"File not found" error when adding a file from a SharePoint site
If you receive a File not found error or encounter a problem while adding a file from a SharePoint site or
SharePoint subsite in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), the likely
cause is that you have not created the document location records in the model-driven app to point to these
SharePoint document libraries and folders.
SharePoint document locations are records in model-driven apps, such as Dynamics 365 Sales and Customer
Service, that point to a SharePoint document library or folder. To use any SharePoint site or subsite in SharePoint
integration, you must run the Document Management Settings wizard once with the corresponding site URL, so
that the document libraries are created in the site.
To store documents for records, the document libraries or folders must be in place. If model-driven apps are unable
to create the document libraries and folders automatically, you can manually create these in SharePoint. After you
create the document libraries and folders in SharePoint, you must create document location records in model-
driven apps to point to these SharePoint document libraries and folders.
For more information, see Create or edit document location records.

"File not found" error when using multiple SharePoint sites


If you receive a File not found error when using multiple SharePoint sites, the likely cause is that there are no
document libraries for a new SharePoint site. You must run the Document Management Settings wizard for any
newly added SharePoint sites.
The following describes the scenario that causes the error.
1. Run the Document Management Settings wizard for the default SharePoint site.
2. In the model-driven app in Dynamics 365, add a new SharePoint site (go to Advanced Settings >
Document Management > SharePoint Sites > Add SharePoint Site ). This creates a SharePoint site
entry only in the application and does not create the document libraries in SharePoint that are required for
document management.
3. Open any entity where document management is enabled, and create the document location for the new
site that you added in step 2 as the parent site.
4. You will encounter the "File Not Found" error. The cause of the error is that there are no document libraries
for this new SharePoint site in SharePoint.
To mitigate this issue, run the Document Management Settings wizard for this newly added site as well.
Points to consider:
Document management works only for entities that are selected while running the Document Management
Settings wizard.
The SharePoint site for which the Document Management Settings wizard is last run becomes the default
site. You can reset the default site if required by running the Document Management Settings wizard again
for that particular site.
For more information, see Create or edit document location records.

SharePoint enforces resource throttling with 5000 or more documents


A document library with 5000 or more documents might experience resource throttling. Users may experience the
following behavior with document management and OneNote integration:
A sort on columns other than the default sorted column, may return the error message "The throttling limit has
been exceeded by this operation."
Microsoft OneNote integration will not work when the document library has 5000 or more documents.
If you have more than 5000 documents in your document library, you can view the documents in the default grid
view. For more details, see Manage large lists and libraries in SharePoint.

Relationship must be one-to-many (1:N) between an entity and a SharePoint document entity

Users cannot see documents when many entities are pointing to a SharePoint document location, a many-to-many
relationship (N:N). The relationship must be one-to-many (1:N) between any entity and a SharePoint document
entity.
In Common Data Service you can create an entity and enable the Document management property for the entity.
This allows for the entity to participate in integration with SharePoint. Power Apps and Common Data Service
support only a one-to-many relationship (1:N) between any entity and a SharePoint document related entity. A
many-to-one or a many-to-many relationship between an entity and a SharePoint document entity results in the
app not listing the documents that exist in the SharePoint document library.

Document location for child entities


Documents of a child entity only appear in the parent documents folder when the parent document location has
been created. To create the location, navigate to the Documents tab of the parent record. If no such location is
created, child documents will not appear in the parent entity folder. Once the location is created, child documents
will begin to appear in the parent entity folder.
Document folder location for multiple lookups
If the entity selected for the Based on entity folder structure has two lookups, documents will not be stored inside
the entity folder, but will be stored in the root folder. For example, if the Based on entity folder structure is set to
Account, and you have an entity with two lookup accounts, such as Work Order, the documents related to Work
Orders will not be stored inside any account document location, but will be stored in the root folder.
See also
Troubleshooting server-based authentication
Troubleshoot SharePoint integration
Application lifecycle management
10/16/2020 • 13 minutes to read

Application lifecycle management (ALM) is important as the applications your organization builds become more
complex and as more of your company depends on their stability. In this topic we discuss using ALM to handle
more complex scenarios.

NOTE
Check out our new application lifecycle management (ALM) guide for Power Platform!

ALM is not a one-size-fits-all concept. It can vary from organization to organization and even within, based on the
type of solution being built. If you were to look at a typical mission-critical solution, the following would be a good
health check of your current Power Platform ALM maturity:
Are you deploying managed solutions? Managed solutions are how Microsoft intends for solutions to
be deployed to environments beyond development. All ALM tooling and solution features from Microsoft to
support deployment will be targeted toward this goal.
Are your development environments single purpose? As much as capacity allows, you should try to
have individual development environments for each solution. This ensures you don't get cross-solution
contamination.
Are your development environments disposable? You should at any point be able to easily recreate
the development environment. This could be due to someone making corrupting changes or just because
you finished development and deleted the old environment and now you're ready to build V2 of the solution.
The key to success here is having the unmanaged solution and any dependent managed solutions to import
to recreate the environment. Don't forget any reference data that might be needed. Ideally, these assets are
stored in source control, which we will discuss next.
Is source control/version control your definitive source of truth? Using a tool like Azure DevOps Git
repos or another source/version control to track your solution assets allows tracking of changes made and
by whom across releases.
While you can check in the whole solution file, this works best in combination with Solution Packager, which
shares out to a source control friendly and readable format. This also enables you to quickly recreate your
dev environment or deploy to production since the solution assets come from the source control repo,
ensuring a consistent process.
Are you using Solution Packager? Solution Packager allows taking a solution file and breaking it down
into individual files for each solution component. This allows what you check in to source control to be
traced at a very granular level and helps avoid conflicts with multiple people checking in changes.
Solution Packager is also how you take individual files from source control and repackage them for
managed solution deployment to other environments like test and production.
Can you service (bug fix) production while working on your next version? A key concept of a
healthy ALM practice is not making changes in test or production. By having a good source control and
environment strategy, you can ensure your dev–test–production release pipeline stays viable even while you
are working on the next version.
Do you have automated ALM? While all of the above can be done manually, having an automated,
repeatable process is ideal. Using the tooling like Microsoft Power Platform Build Tools (which we will
discuss later) with Azure DevOps, much of the ALM process, including the approvals, can be automated to
progress through the release pipeline.
Use the above ALM health check to measure where you are in your goal of having healthy ALM practices for your
solutions.
Next, let's look at some of the things you should consider as an administrator to help guide the application through
its lifecycles from new to production and then ongoing maintenance and enhancements. For purposes of this
section, application refers to the whole set of components from Power Apps canvas or model-driven apps,
workflows, and any Common Data Service customizations.

| NEW APPLICATIONS | EXISTING APPLICATIONS BEING UPGRADED |
|---|---|
| Who is the application owner, and who is involved in maintaining it? | Are any new connectors being used by the application? |
| Who are the users of the apps? Are they already licensed? | Is there any new reference data to update? |
| What environment did you build the app in? | Are there any new canvas, Power Automate flows, or Common Data Service solutions added in this update? |
| Are there any Power Apps canvas or model-driven apps as part of the application? | Any changes to how users are assigned security roles? |
| Are there any flows? | Any impact on existing Common Data Service data? |
| What connectors are the apps using? | Any changes in the required licenses? |
| Does anything require an on-premises gateway? | Potentially any of the considerations from the New Application column, if it was not a consideration at the time. |
| Does the application use Common Data Service entities? | Is any ALM automation needed? |
| Is the application dependent on any other existing applications or external services? | |
| Are there different security roles for different types of users? | |
| Is there any existing data that must be migrated into the new production system? | |
| Does the application have reference data that needs to be in the production environment? | |
| Who will be testing the application? Will it be in a separate environment? | |
| How will users report problems or enhancements? | |
| How frequently do you plan to do updates? | |
| How will ALM be handled? | |

The answers to these questions will help you put together an application profile and decide how best to support the
team with deploying the application. This is not an exhaustive list, but a starting point for you to develop your own
set of questions for applications.

Getting ready for a new application


Armed with the above information, consider each of the following as you get ready to deploy the new application:
Licensing. Acquire licenses and assign them for users.
Azure AD Group. Consider whether having a group that has all the app users would help with sharing the
application's components with them. In fact, you might find having a few groups with subsets of the overall
application users allows sharing with just the right subset that needs the components.
Environments. If necessary, create new environments, considering how the application will be tested prior to
production deployment.
Data Loss Prevention policies. Do current ones support the app? Are new ones needed? Do you need to
adjust for how the application components are using connectors?
Automation. Is there any automation that would help with ongoing app administration?

Tools to help manage, plan, track, and deploy


Depending on the complexity of the application, anything from using a SharePoint List to track work and new
features, and OneDrive to store exported assets, to a more complete solution like Visual Studio Team Services can
help add some structure to your application life cycle process. What is appropriate for your organization depends
on the size and maturity of the team that is building the overall application. The less technical will probably find a
solution like OneDrive and SharePoint more approachable. Azure DevOps Services has several features that are
tailored to support application lifecycle management. Azure DevOps Services is also free to get started. See Azure
DevOps. The following are some of those features:
Work item planning and tracking.
Version control. Offers a way to store exported assets. Using SDK tools like Solution Packager allows this to scale
up to larger teams working on Common Data Service solution package customizations. For more details, review
SolutionPackager tool.
Build and release automation. This can be helpful for automating everything from exporting of Common Data
Service solutions for backup, to compiling developer-built components. The release automation can take
solutions and developer assets and coordinate deploying to test and production environments. These
deployments can also leverage approval checkpoints as appropriate. Microsoft has released a preview of a
Power Apps build tool that includes a number of Azure DevOps tasks for automating deployment of Common
Data Service solutions. There are also community tools like Xrm.CI.Framework with which you can deploy
Common Data Service solutions.
The following is an example of the Team Status Dashboards that give the team an all-up view of their progress.
Exporting from the source environment
We've covered the concept of exporting from Power Apps, Power Automate, and Common Data Service in other
content. Let's look at additional considerations when exporting as part of an application lifecycle management
process:
Always save a copy of the exported Power Apps canvas app, Power Automate or Common Data Service solution
file.
For Common Data Service solutions, if you are publishing a managed solution, make sure you also export an
unmanaged solution.
For Common Data Service solution export, you should always perform a publish on the solution or publish all
for all solutions prior to export to ensure all changes are exported as expected. When possible, you should also
run solution checker to ensure there are no problems.
For workflows and canvas apps, review the connectors that are used. Any custom connectors will need to be
recreated prior to import in the target environment or must be included in the Common Data Service solution.

Importing into the target environment


We also covered import, but let's look at a few more things to consider:
Always evaluate what is already in the target environment.
Create any necessary custom connectors prior to import.
If you are importing a Common Data Service solution that is dependent on other Common Data Service
solutions, make sure those are already imported into the Common Data Service environment.
If you import an unmanaged Common Data Service solution, make sure you publish all after import has
completed.
Remember, when you import an update to a Power Apps canvas application, you must publish the new version
before others can see it.
If you are importing Common Data Service changes that remove any entities and data, consider a proactive on-
demand backup prior to the import.

Updating existing applications


The import feature, shown earlier, allows the maker to update an existing app in the target environment. Here are
some considerations:
Custom connector updates must be performed first because your app might rely on new data definitions.
Custom connector updates might take a few minutes to be reflected in the portal. During that time, new
operations might return a 404 error when invoked.
If extensive changes are being made, consider creating a new custom connector and leaving the old connector
intact. This can also be beneficial in the event the maker needs to roll back, because the previous version of the
app will use the old (existing) connector.
Power Apps uses caching for the web and mobile clients, so changes might not be immediate. For the web client,
be sure to clear your cache to see the new changes. On the mobile client, swipe down to refresh app metadata.

Ongoing application maintenance


Once your application has been deployed you can mostly go into maintenance mode responding to user inquiries
as needed. Here are a few things to consider while you are between updates:
Power Apps canvas applications need to be periodically republished for best performance and stability. About
every six months you should republish your deployed Power Apps canvas applications even if they haven't
changed. This ensures the application picks up the latest runtime changes in the environments.
Keep an eye on your Common Data Service environment storage usage as well as your API quotas and adjust
resources and licensing as needed.

Retiring and removing an application


As your organization evolves, it's likely one or more of the applications deployed will no longer be needed. In this
section we will walk through some things to consider when retiring an application.
Confirm that any users understand the shutdown. Consider shutdown notifications in advance to ensure
business continuity and minimize impact.
Removing access to the application components is often a good first step. Leaving it in this state for a period of
time also helps to alert users and give them a chance to argue their case or save any data needed.
Deleting an environment will remove all associated Power Apps, workflows, and Common Data Service data.
This is not the approach to take if you have multiple applications sharing the environment and you are retiring
just a single application.
When removing connections, you need to first consider the Power Apps canvas apps and workflows that might
still be using them. This can be checked by looking at what is associated with the connection prior to deleting.
It is sometimes better to leave custom connections in place if they might be reused later, because re-establishing
them in the future would require extra effort.
How you remove a Power Apps model-driven app depends on whether the Common Data Service solution containing
it was installed as managed or unmanaged. If it was installed as unmanaged, you can delete the application
module to remove it from users. Removing unmanaged Common Data Service solution components requires
manually removing one item at a time from the environment. Removing the Common Data Service solution
itself in this situation only removes the container and not the components. This is one of the key benefits of
managed solutions—the ability to uninstall them as a unit.
If the solution installed is managed, you would uninstall/remove the Common Data Service solution containing
it from the instance. When you remove the Common Data Service solution that contains that application, it's
important to note that it also removes any other components and data as well. If you only want to remove the
application, the best approach would be to remove the application in the development environment for that
Common Data Service solution and then import the update using the Stage for Upgrade option on import. This
will remove only that component, leaving all other components and data intact.

Moving reference data to another environment


Applications often have data that is configuration, or reference data. This could be, for example, a list of territories,
product lists, or other data that configures and makes the app work. Often components in the application take
dependencies on the IDs of this data. The Configuration Migration Tool is designed to move this type of data from
one Common Data Service environment to another. The key features of the tool allow you to:
Select only the entities and fields for which you want to move data.
Maintain unique IDs of the records as they are moved.
Avoid duplicate records by defining a uniqueness condition for each entity based on a combination of fields.
Support updating of existing records.
Define a schema for what data is moved and use it over and over.
Filter only the records you want to move.
The following image outlines the basic process for using the tool.

The output from the tool is a .zip file containing the data and the schema file. The same tool can be used to import
the data into the target Common Data Service environment. You can also package the data with a Solution
Deployer package that we will discuss shortly, allowing it to be deployed alongside one or more Common Data
Service solutions. There are also community tools like Microsoft.Xrm.DevOps.Data to manage, export, and import
data packages by command line using PowerShell.
More information: Move configuration data across environments

Using the Package Deployer


So far, we've only talked about importing Common Data Service solutions manually via the user interface. The
Package Deployer also works for Common Data Service solutions. The Package Deployer allows you to build a
package that contains one or more Common Data Service solutions as well as one or more data files to import
after the solutions are imported.
It is also possible for developers to build custom code that reacts to events from the package deployment process.
This code can be used to handle updates to the target environment. Once the package is built, the package can be
deployed interactively via the tool, or by command line using PowerShell. More information: Create packages for
the Package Deployer
Integrate data into Common Data Service
10/16/2020 • 16 minutes to read

The Data Integrator (for Admins) is a point-to-point integration service used to integrate data into Common Data
Service. It supports integrating data from multiple sources—for example, Dynamics 365 Finance and Operations,
Dynamics 365 Sales and SalesForce (Preview), SQL (Preview)—into Common Data Service. It also supports
integrating data into Dynamics 365 Finance and Operations and Dynamics 365 Sales. This service has been
generally available since July 2017.
We started with first-party apps—for example, Dynamics 365 Finance and Operations and Dynamics 365 Sales.
With the help of Power Query or M-based connectors, we are now able to support additional sources like
SalesForce (Preview) and SQL (Preview) and will extend this to 20+ sources in the near future.

TIP
Check out the blog: Data Integrator Updates – New features with an intuitive user interface providing a fluent experience.

How can you use the Data Integrator for your business?
The Data Integrator (for Admins) also supports process-based integration scenarios like Prospect to Cash that
provide direct synchronization between Dynamics 365 Finance and Operations and Dynamics 365 Sales. The
Prospect to Cash templates that are available with the data integration feature enable the flow of data for accounts,
contacts, products, sales quotations, sales orders, and sales invoices between Finance and Operations and Sales.
While data is flowing between Finance and Operations and Sales, you can perform sales and marketing activities in
Sales, and you can handle order fulfillment by using inventory management in Finance and Operations.
The Prospect to Cash integration enables sellers to handle and monitor their sales processes with the strengths
from Dynamics 365 Sales, while all aspects of fulfillment and invoicing happen using the rich functionality in
Finance and Operations. With Microsoft Dynamics 365 Prospect to Cash integration, you get the combined power
from both systems.
See the video: Prospect to cash integration
For more information about the Prospect to Cash integration, see the documentation on the Prospect to Cash
solution.
We also support Field Service integration and PSA (Project Service Automation) integration to Dynamics 365
Finance and Operations.

Data Integrator Platform


The Data Integrator (for Admins) consists of the Data Integration platform, out-of-the-box templates provided by
our application teams (for example, Dynamics 365 Finance and Operations and Dynamics 365 Sales) and custom
templates created by our customers and partners. We have built an application-agnostic platform that can scale
across various sources. At the very core of it, you create connections (to integration end points), choose one of the
customizable templates with predefined mappings (that you can further customize), and create and execute the
data integration project.
Integration templates serve as a blueprint with predefined entities and field mappings to enable flow of data from
source to destination. It also provides the ability to transform the data before importing it. Many times, the schema
between the source and destinations apps can be very different and a template with predefined entities and field
mappings serves as a great starting point for an integration project.
How to set up a data integration project
There are three primary steps:
1. Create a connection (provide credentials to data sources).
2. Create a connection set (identify environments for connections you created in the previous step).
3. Create a data integration project using a template (create or use predefined mappings for one or more
entities).
Once you create an integration project, you get the option to run the project manually and also set up a schedule-
based refresh for the future. The rest of this article expands on these three steps.
How to create a connection
Before you can create a data integration project, you must provision a connection for each system that you intend
to work with in the Microsoft Power Apps portal. Think of these connections as your points of integration.
To create a connection
1. Go to Power Apps.
2. Under Data, select Connections and then select New connection.
3. You can either select a connection from the list of connections or search for your connection.
4. Once you select your connection, select Create. Then you will be prompted for credentials.
5. After you provide your credentials, the connection will be listed under your connections.

NOTE
Please make sure that the account you specify for each connection has access to entities for the corresponding applications.
Additionally, the account for each connection can be in a different tenant.

How to create a connection set


Connection sets are a collection of two connections, environments for the connections, organization mapping
information, and integration keys that can be reused among projects. You can start using a connection set for
development and then switch to a different one for production. One key piece of information that is stored with a
connection set is organization unit mappings—for example, mappings between the Finance and Operations legal
entity (or company) and Dynamics 365 Sales organization or business units. You can store multiple organization
mappings in a connection set.
To create a connection set
1. Go to Power Apps Admin center.
2. Select the Data Integration tab in the left-hand navigation pane.
3. Select the Connection Sets tab and select New connection set.
4. Provide a name for your connection set.
5. Choose the connections you created earlier and select the appropriate environment.
6. Repeat the steps by choosing your next connection (think of these as source and destination in no specific
order).
7. Specify the organization to business unit mapping (if you are integrating between Finance and Operations
and Sales systems).

NOTE
You can specify multiple mappings for each connection set.

8. Once you have completed all the fields, select Create.


9. You will see the new connection set you just created under the Connection sets list page.

Your connection set is ready to be used across various integration projects.


How to create a data integration project
Projects enable the flow of data between systems. A project contains mappings for one or more entities. Mappings
indicate which fields map to which other fields.
To create a data integration project
1. Go to Power Apps Admin center.

2. Select the Data Integration tab in the left navigation pane.


3. While in the Projects tab, select New Project in the top right corner.

4. Provide a name for your integration project.


5. Select one of the available templates (or create your own template). In this case, we are moving the
Products entity from Finance and Operations to Sales.

6. Select Next and choose a connection set you created earlier (or create a new connection set).
7. Make sure you have chosen the right one by confirming the connection and environment names.
8. Select Next and then choose the legal entity to business unit mappings.

9. Review and accept the privacy notice and consent on the next screen.
10. Create the project, and then run it to execute the integration.

On this screen, you will notice several tabs—Scheduling and Execution history—along with some
buttons—Add task, Refresh entities, and Advanced Query—that will be described later in this article.
Execution history
Execution history shows the history of all project executions with project name, timestamp of when the project was
executed, and status of execution along with the number of upserts and/or errors.
Example of project execution history.

Example of successful execution, showing status as completed with # of upserts. (Update Insert is a logic to
either update the record, if it already exists, or to insert a new record.)

For execution failures, you can drill down to see the root cause.
Here is an example of a failure with project validation errors. In this case, the project validation error is due
to missing source fields in the entity mappings.

If the project execution is in 'ERROR' state, then it will retry execution at the next scheduled run.
If the project execution is in 'WARNING' state, then you will need to fix the issues on the source. It will retry
execution at the next scheduled run.
In either case, you could also choose to manually 're-run execution.'

NOTE
Anytime you execute a project, manually or schedule based, it generates a detailed log which shows project name, last
updated timestamp along with status. You can view this under the execution history for each project. Project execution
history is maintained for 45 days after which it is automatically purged.

How to set up a schedule-based refresh


We support two types of executions/writes today:
Manual writes (execute and refresh project manually)
Schedule-based writes (auto-refresh)
After you create an integration project, you get the option to run it manually or configure schedule-based writes,
which lets you set up automatic refresh for your projects.
To set up schedule-based writes
1. Go to Power Apps Admin center.
2. You can schedule projects in two different ways.
Either select the project and select the Scheduling tab or launch the scheduler from the project list page by
clicking the ellipsis next to the project name.

3. Select Recur every and once you have completed all the fields, select Save schedule.

You can set a frequency as often as 1 minute or have it recur a certain number of hours, days, weeks, or months.
Note that the next refresh won't start until the previous project task completes its run.
Also note that under Notifications, you can opt in for email-based alert notifications, which would alert you on job
executions that either completed with warnings and/or failed due to errors. You can provide multiple recipients,
including groups separated by commas.
NOTE
Currently, we support scheduling 50 integration projects at any given time per paid tenant. However, you can create
more projects and run them interactively. For trial tenants, we have an additional limitation that a scheduled project
would only run for the first 50 executions.
While we support scheduling projects to run every minute, please bear in mind that this may put a lot of stress on your
apps and in turn impact overall performance. We highly encourage users to test project executions under true load
conditions and optimize for performance with less frequent refreshes. In production environments, we do not
recommend running more than 5 projects per minute per tenant.
To optimize performance and not overload the apps, we currently limit project executions to 500k rows per execution per
project.
Anytime you execute a project, manually or schedule based, it generates a detailed log which shows project name, last
updated timestamp along with status. You can view this under the execution history for each project. Project execution
history is maintained for 45 days after which it is automatically purged.

Customizing projects, templates, and mappings


You use a template to create a data integration project. A template commoditizes the movement of data that in
turn helps a business user or administrator expedite integrating data from sources to destination and reduces
overall burden and cost. A business user or administrator can start with an out-of-the-box template published by
Microsoft or its partner and then further customize it before creating a project. You can then save the project as a
template and share with your organization and/or create a new project.
A template provides you with source, destination, and direction of data flow. You need to keep this in mind while
customizing and/or creating your own template.
You can customize projects and templates in these ways:
Customize field mappings.
Customize a template by adding an entity of your choice.
How to customize field mappings
To customize field mappings
1. Go to Power Apps Admin center.
2. Select the project for which you want to customize field mappings and then select the arrow between
source and destination fields.
3. This takes you to the mapping screen where you can add a new mapping by selecting Add mapping at the
top right corner or Customize existing mappings from the dropdown list.

4. Once you have customized your field mappings, select Save.


How to create your own template
To create your own template by modifying existing templates
1. Go to Power Apps Admin center.
2. Identify source and destination and direction of flow for your new template.
3. Create a project by choosing an existing template that matches your choice of source and destination and
direction of flow.
4. Create the project after choosing the appropriate connection.
5. Before you save and/or run the project, at the top right corner, select Add task.
This will launch the Add task dialog.
6. Provide a meaningful task name and add source and destination entities of your choice.

7. The dropdown list shows you all your source and destination entities.
In this case, a new task was created to sync User entity from SalesForce to Users entity in Common Data
Service.

8. Once you create the task, you will see your new task listed and you can delete the original task.
9. You just created a new template—in this case, a template to pull User entity data from SalesForce to
Common Data Service. Select Save to save your customization.
10. Follow the steps to customize field mappings for this new template. You could run this project and/or save
the project as a template from the Project list page.

11. Provide a name and description and/or share with others in your organization.

To create your own template from blank templates


1. Go to Power Apps Admin center.
2. Create a data integration project. Select the Data integration tab in the left navigation pane.
3. Select New project and provide a name for your project. For example, "Demo_CreateYourOwnTemplate
project".
4. In the Select a template list page, pick a generic blank template. For this example, choose the Sales to
Fin and Ops template since we want to move data from Dynamics 365 Finance and Operations to
Dynamics 365 Sales.

5. Follow the steps 6 through 9 here to finish creating a data integration project. Select Save .
6. You'll see the Tasks page which is empty since it's a blank template, without any tasks. Select Add task to
pick an entity from the drop-down list and add a new task. In this case, for demo purposes, we will create an
Activities Sales to Fin and Ops task by picking Activities entity for Dynamics 365 Finance and
Operations and Dynamics 365 Sales. Select Create.

7. You'll see a new task has been added: Activities Sales to Fin and Ops. Select Save to save your changes.

8. The project is created. Select Save as template from the Projects list page.
9. Provide a name and description, then select Save. Additionally, select Share with everyone in my
organization to share this template.

You'll see the newly created template listed on the Templates list page.

Additionally, after creating a new integration project, when you choose Select a template you'll see your newly
created template as part of the Select a template list.

Advanced data transformation and filtering


With Power Query support, we now provide advanced filtering and data transformation of source data. Power
Query enables users to reshape data to fit their needs, with an easy-to-use, engaging, and no-code user
experience. You can enable this on a project-by-project basis.
How to enable advanced query and filtering
To set up advanced filtering and data transformation
1. Go to Power Apps Admin center.
2. Select the project where you want to enable advanced query and then select Advanced Query.
3. You will get a warning that enabling advanced query is a one-way operation and cannot be undone. Select
OK to proceed and then select the source and destination mapping arrow.

4. You are now presented with the familiar entity mapping page with a link to launch Advanced Query and
Filtering.

5. Select the link to launch the Advanced Query and Filtering user interface, which gives you source field data
in Microsoft Excel-type columns.
6. From the top menu, you get several options for transforming data such as Add conditional column,
Duplicate column, and Extract.

7. You can also right-click any column for more options such as Remove columns, Remove duplicates, and
Split column.
8. You also can filter by clicking each column and using Excel-type filters.

9. Default value transforms can be achieved using the conditional column. To do this, from the Add Column
dropdown list, select Add Conditional Column and enter the name of the new column. Fill in both Then
and Otherwise with what should be the default value, using any field and value for If and equal to.

10. Notice the each clause in the fx editor, at the top.

11. Fix the each clause in the fx editor and select OK.


12. Each time you make a change, you apply a step. You can see the applied steps on the right-hand pane (scroll
to the bottom to see the latest step). You can undo a step in case you need to edit. Additionally, you can go
to the Advanced editor by right-clicking QrySourceData at the top of the left pane to view the M
language that gets executed behind the scenes, with the same steps.

13. Select OK to close the Advanced Query and Filtering interface and then, on the mapping task page, pick the
newly created column as the source to create the mapping accordingly.

For more information on Power Query, see Power Query documentation.


NOTE
Once Advanced Query and Filtering is enabled, transforms via Fn are not supported, and instead should be
defined using Advanced Query and Filtering.
Currently, we do not support doing joins across multiple data sources (either via the Get data button or M query) in
Advanced Query and Filtering.
If you encounter Power Query evaluation limits with the error:
The powerquery job failed with error: Exception ExceptionType:MashupEvaluationException,
ExceptionMessage:EvaluationQuotaReached, EvaluationResponse:
{"ResultType":"ErrorCode","Code":"EvaluationQuotaReached"
Review the guidance on Power Query Online Limits.
Modifying the url directly in the mashup editor is not supported. Only the filter applied using the mashup editor UI
or specified in source filter edit field on mapping page will be used.

Performance tuning
There are several factors that impact the performance of an integration scenario. Performance is highly dependent
on:
Which applications you are integrating: Dynamics 365 Finance and Operations and Common Data Service
Which entities are used: the entities' shape, validation, and business logic (standard and customizations)
The Data Integrator takes the data from the source application and pushes it into the target application. The main
performance considerations are on how source and target applications scale with the concerned entities. It
leverages the best available technologies to pull/push data in a performant manner.
Dynamics 365 Finance and Operations uses the data management framework which provides a way to pull/push
data in the most performant fashion. The data management framework is used to manage data entities and data
entity packages in Microsoft Dynamics 365 Finance and Operations.
Dynamics 365 for Common Data Service uses OData APIs along with parallelism to maximize the performance.
You can use the following settings to tune the performance of Dynamics 365 Finance and Operations based on
load, entity, and resources.
Exporting data from Dynamics 365 Finance and Operations:
Direct export (skip Staging On): Make sure the entities used for integration support direct export (skip
Staging On). This allows export to run in bulk fashion and the staging table is bypassed. If you run with
skip Staging Off, then it falls back to row by row calls and data is inserted in the staging table.
Enable change tracking for entities: Change tracking enables incremental export of data from Microsoft
Dynamics 365 Finance and Operations by using data management. In an incremental export, only records
that have changed are exported. To enable incremental export, you must enable change tracking on entities.
Without change tracking, you will do full exports which may affect performance. For complex scenarios, use
custom query for change tracking.
Importing data to Dynamics 365 Finance and Operations:
Make sure the entity itself is performant. If possible, create set-based entities.
If the number of rows to be imported is high and the entity does not support set operations: Data
management can be configured to import the entity with parallel tasks. This can be configured in data
management (parameters), by configuring the entity execution parameters. This would use batch
framework to create parallel tasks, which is based on resource availability to run in parallel.
Turning off validations (optional): While the Data Integrator does not bypass any business logic and
validations, you may optionally turn off the ones that are not required to improve performance.
Consider the following tips to ensure performance while importing or exporting data from Common Data Service
environments.
Importing/Exporting data to/from customer engagement apps
Ensure indexes are defined for integration keys.
Data Integrator error management and troubleshooting
10/16/2020 • 5 minutes to read

The Data Integrator is a point-to-point integration service used to integrate data from multiple sources--for
example, Dynamics 365 Finance and Operations, Dynamics 365 Sales, Salesforce, and Microsoft SQL (Preview)--
into Common Data Service. It also supports integrating data into Dynamics 365 Finance and Operations and
Dynamics 365 Sales. The Integrate data into Common Data Service topic provides detailed step-by-step
instructions to help you set up projects for process-based integration scenarios like Prospect to Cash, Field Service,
and Project Service integrations.
While we are constantly evolving and driving fixes into the platform based on customer feedback, we understand
there is a need to provide guidance when you run into issues. This topic walks you through error management and
troubleshooting some of these issues.

View health of project executions


Every time a data integration project is executed (manually or scheduled), you can view the status of the execution
on the admin dashboard and/or the project list page.

The admin dashboard provides a one-stop real-time view of all your project runs and their status with a drill-down
to view execution details. The dashboard shows you the individual and summarized count of executions. These are
color-coded to show the status of each project: green for completed projects, yellow for completed projects with
warnings, and red for projects with an error status. Similarly, the green, yellow, and red icons on the project list
page indicate the status of your projects.
Additionally, to view more details, you can drill through project executions via the admin dashboard by selecting
individual bar charts.
Now you can drill through individual errors.

You can also view project execution details by selecting the individual projects on the project list page and viewing
the historical executions and status on the Execution history tab.

If you get a warning or error, you can drill down more by clicking through the executions on the Execution
history tab.

Project monitoring
We highly encourage our customers and partners to subscribe to email-based notifications so you receive email
alerts on project executions that completed with either warnings or errors. For each project, on the Scheduling
tab, you can select email-based notifications and provide multiple email addresses (including group addresses),
separated by commas.
Any time a project completes with a warning or is in the error state, you get an email notification indicating the
project execution status with a drillthrough link to the specific failure.

Selecting the link takes you directly to your project execution status, which you can further drill through for specific
errors.

Project execution status


When a data integration project is executed (manually or scheduled), it creates a detailed log with project name, a
time stamp showing the last update, and the project status.
Each project execution is marked with the status Completed, Warning, or Error:
Completed
Status if all records were upserted successfully. ("Upsert" or "update insert" is a logic to either update the
record, if it already exists, or to insert a new record.)

Warning
Status if some records were upserted successfully, while some failed or errored out.

Error
Status if none of the records were successful and/or errored out, and there were no upserts or inserts in the
destination.

If the project execution is in the Error state, then it will automatically retry execution at the next scheduled
run.
You can also manually retry an execution by selecting Re-run execution via the ellipsis (...) on the Execution
history page.

Quick tips on troubleshooting common scenarios


Here are some quick tips that will help you troubleshoot some of the common scenarios.
Connection or environment issues
If you are unable to see your connections or environments in the drop-down while trying to create a Connection
set, here are some of the things you can do to troubleshoot the issue:
Connection: Ensure you have created your connections under Data/Connections on
https://make.powerapps.com and that they are in the Connected state. If you see a Fix Connection
notification, you should double-check the credentials used for the account, and use the Switch account
option from the ellipsis (...) to reauthenticate.

Environment: If you don’t see your environments in the drop-down, ensure that the account you used to
create the connections has the appropriate access to the entity. A good way to test this is by creating a flow
(using Microsoft Power Automate).
Here is an example of creating a simple flow to test your connection to Dynamics 365 Finance and
Operations:
1. Create a new flow (choose Create from blank) under Business logic/Flow from
https://make.powerapps.com.
2. Select a Recurrence trigger. Under New Step, search for and select Dynamics 365 Finance and
Operations connector.

3. Select Create record as an action. In the drop-down, ensure that you are logged in with the
appropriate account. This is the same account you use to create a connection for your data integration
projects.

4. Select the drop-down under environment to show all the Dynamics 365 Finance and Operations
environments. This is a good step to verify that your account (from the previous step) has access to
the environments.

5. Once you have picked your environment, confirm that you have access to all the entities under it.
Organizations: This is where you would specify the legal entity (for example, USMF) for Dynamics 365
Finance and Operations, the business unit for Dynamics 365 Sales, or the Common Data Service
organization name. If you miss this step, you get a message that contains valid names corresponding to your
application that you then need to plug in under Organizations.
Project validation errors
First, you validate a data integration project, and then execute it. Some of the top reasons for validation errors
include:
Incorrect company/business unit selected during project creation
Missing mandatory columns
Incomplete or duplicate mapping
Field type mismatch
Here is an example of how the error manifests in the case of duplicate mapping. The orange banner indicates
mapping issues.

When you drill further into the project execution history, you see there is a duplicate field issue.

When you inspect the mapping, you can identify duplicates. In this case, the source field fax is incorrectly mapped
to ADDRESSCITY.
Once you fix the mapping, the error should go away, and you should be able to execute the project successfully.

Project execution issues


If you are notified of a project execution that completed with a warning or is in an error state, the first step is to drill
into the execution history. From the project list page, select the individual project and review the latest execution on
the Execution history tab. You can then click through to the specific error.

If this is an integration project where Dynamics 365 Finance and Operations is the source, go to the Data
Management workspace in Dynamics 365 Finance and Operations. Then filter projects based on your data
integration project name, or specifically choose the type of import or export job.

Additionally, you can open the job history of the project and drill through the job ID based on the time stamp of
your execution. You can also inspect the execution log, view historical runs, and view the staging data.
Preview: About on-premises gateway
10/16/2020 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


The on-premises gateway allows Power Apps and Power Automate to reach back to on-premises resources to
support hybrid integration scenarios. The gateway leverages Azure Service Bus relay technology to securely allow
access to on-premises resources.

Gateway on-premises install


The gateway service must run on a local server in your on-premises location. The server does not have to be the
same one that hosts the resources it proxies access to, but it should be on the same local network so that it can
reach the target resource with as little latency as possible. Multiple application and flow connections can use the
same gateway install. You can only install one gateway on a server.
During the install, the gateway is set up to use NT Service\PBIEgwService for the Windows service sign-in. You can
switch this to a domain user or managed service account if you’d like.
You can use the same gateway in multiple environments as long as the gateway region and the environment
region match. See FAQ for regions in Power Automate.

Gateway administration access


By default, you have administrator permission on any gateway that you install. As the administrator, you can grant
another user permission to co-administer the gateway. It's recommended that you always have multiple
administrators specified to handle employee events in your organization.

Use of stored credentials


When you set up a data source on the gateway, you'll need to provide credentials for that data source. All actions
to that data source will run using these credentials. Credentials are encrypted securely, using asymmetric
encryption, before they're stored in the cloud. The credentials are sent to the machine running the gateway
on-premises, where they're decrypted when the data source is accessed.

Port usage
The gateway service creates an outbound connection to Azure Service Bus, so no inbound ports need to be open.
The outbound connection communicates on ports: TCP 443 (default), 5671, 5672, 9350 through 9354.
It's recommended that you add the IP addresses to an approval list for the data region in your firewall. You can
download the latest list here: https://www.microsoft.com/download/details.aspx?id=41653. These IP addresses are
used for outbound communication with Azure Service Bus.
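
The port requirements above can be checked against a firewall export. The following is an added example, not part of the original documentation: it reports required outbound ports that are still blocked, inbound allow rules (the gateway service needs none), and outbound rules open to any destination rather than an approved IP list. It assumes a default-deny rule set in a constructed dictionary format; the field names, rule names, and sample addresses are hypothetical.

```python
import ipaddress

# Outbound TCP ports the page lists for the gateway's Azure Service Bus connection.
REQUIRED_OUTBOUND_TCP = "443, 5671, 5672, 9350-9354"

# Constructed sample export (hypothetical format, documentation address ranges).
SAMPLE_RULES = [
    {"name": "gw-https", "direction": "out", "action": "allow",
     "protocol": "tcp", "ports": "443", "destination": "0.0.0.0/0"},
    {"name": "gw-amqp", "direction": "out", "action": "allow",
     "protocol": "tcp", "ports": "5671-5672", "destination": "203.0.113.0/24"},
    {"name": "gw-relay", "direction": "out", "action": "allow",
     "protocol": "tcp", "ports": "9350-9353", "destination": "203.0.113.0/24"},
    {"name": "legacy-rdp-in", "direction": "in", "action": "allow",
     "protocol": "tcp", "ports": "3389", "destination": "198.51.100.10/32"},
]


def expand_ports(spec):
    """Turn a spec such as '443, 5671, 9350-9354' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not (0 < low <= high <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(low, high + 1))
    return ports


def audit_gateway_rules(rules):
    """Audit allow rules for the gateway host, assuming everything else is denied."""
    required = expand_ports(REQUIRED_OUTBOUND_TCP)
    covered, inbound_allows, any_destination = set(), [], []
    for rule in rules:
        if rule["action"] != "allow" or rule["protocol"] != "tcp":
            continue
        if rule["direction"] == "in":
            # The gateway only dials out, so every inbound allow needs a reason.
            inbound_allows.append(rule["name"])
            continue
        hit = expand_ports(rule["ports"]) & required
        if not hit:
            continue
        covered |= hit
        # A /0 destination is wider than the approved IP list the page recommends.
        if ipaddress.ip_network(rule["destination"]).prefixlen == 0:
            any_destination.append(rule["name"])
    return {
        "missing_outbound": sorted(required - covered),
        "inbound_allows": inbound_allows,
        "any_destination": any_destination,
    }


if __name__ == "__main__":
    for finding, value in audit_gateway_rules(SAMPLE_RULES).items():
        print(f"{finding}: {value}")
```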

Gateway access
Most of the Power Apps and Power Automate licenses have access to use the gateway with the exception of some
of the lower end Microsoft 365 licenses (Business and Office Enterprise E1 SKUs).

Updates to the data gateway


Updates are not auto-installed for the on-premises data gateway. It's highly encouraged to remain current with the
latest data gateway version as the updates to the gateway are released on a monthly basis.

Gateway disaster recovery


A recovery key is assigned (that is, not auto-generated) by the administrator at the time the on-premises data
gateway is installed. The recovery key is required if the gateway is to be relocated to another machine, or if the
gateway is to be restored. Therefore, the key should be retained where other system administrators can locate it if
necessary.
See also
On-premises data gateway
On-premises server cipher suites and TLS requirements
Preview: On-premises data gateway management
10/16/2020 • 6 minutes to read

[This topic is pre-release documentation and is subject to change.]


The on-premises data gateway acts as a bridge, providing quick and secure data transfer between on-premises
data (data that is not in the cloud) and the Power BI, Power Automate, Logic Apps, and Power Apps services. More
information: What is an on-premises data gateway?
On the Data page of the Power Platform admin center, you can view and manage on-premises data gateways.
Users who are part of the Azure AD Global administrator role (which includes Global admins), Power BI service
administrators, and Gateway administrators will have access to data gateway management on the Power Platform
admin center. However, there might be differences in the features available and the operations that can be
performed by each of these roles.
The Azure AD Global administrator role (which includes Global admins) and Power BI service administrators can
use the Tenant administration setting to control the list of gateways exposed. Only these admins will see the
Tenant administration toggle.
Turn on Tenant administration to see and manage all gateways installed in your enterprise.
Turn off Tenant administration to see and manage all gateways for which you are an administrator.
You can switch between these two views using this toggle in the upper-right corner of the page.

Data gateways
The Data page lists all on-premises data gateway clusters installed. In addition, you can review the following
information about these clusters:
Gateway cluster name: The name of the gateway cluster.
Contact info: Admin contact information for the gateway cluster.
Users: The list of gateway users.
Status: Select Check status to see whether the gateway connection is online or offline.
Gateways: The number of gateway members in the gateway cluster.
The gateway cluster list includes both on-premises data gateways and on-premises data gateways (personal
mode).
Details
Select a gateway cluster and then select Details to see the following information on gateway members.

Name: The name of the gateway member.
Device: The physical device on which the gateway is installed.
Status: Select the status icon to check the status of a gateway member.
Version: The gateway software version installed on the machine.
State: Select to enable or disable a gateway member.
After selecting a gateway member, you can select Remove to remove it. This does not uninstall the gateway from
the physical machine but removes all the metadata regarding the gateway.

Settings
Select Settings to set on-premises data gateway settings such as the gateway cluster name, department, General
settings and Power BI settings.
For more information on Allow user's cloud datasources to refresh through this gateway cluster, go to
Merge or append on-premises and cloud data sources.
For more information on Allow user's custom data connectors to refresh through this gateway cluster,
go to Use custom data connectors with the on-premises data gateway.
For more information on Distribute requests across all active gateways in this cluster, go to Load balance
across gateways in a cluster.

Manage users
Select a gateway cluster and then select Manage users to see the list of gateway users. Add or remove gateway
admins on the Manage users page.
For personal gateways, this would show the owner of the personal gateway and cannot be changed due to the
security scope of personal gateways.
For on-premises data gateways in standard mode, users can be added in any of the following three categories:
Admin:
Power BI: Administrators have full control of the gateway, including adding other admins, creating data
sources, managing data source users, and deleting the gateway.
Power Apps and Power Automate: Administrators have full control of the gateway, including adding
other admins, creating connections, additionally sharing gateways in Can use and Can use + share
permission levels, and deleting the gateway.
Others: Administrators have full control of the gateway, including adding other admins and deleting the
gateway.
Can use: Users who can create connections on the gateway to use for apps and flows but cannot share the
gateway. Use this permission for users who will run apps but not share them. Applies only to Power Apps and
Power Automate.
Can use + share: Users who can create a connection on the gateway to use for apps and flows, and
automatically share the gateway when sharing an app. Use this permission for users who need to share apps
with other users or with the organization. Applies only to Power Apps and Power Automate.

NOTE
Can Use and Can use + share apply only to Power Apps and Power Automate.
While sharing gateways for Can use and Can use + share permission levels, you can restrict the data source type that
the user can connect over the gateway. At least one data source type should be selected for the user to be successfully
added.
Can Use and Can use + share do not apply to custom connectors in Power Apps and Power Automate.

Remove a gateway cluster


Use Remove to remove a gateway cluster. This operation is available for data gateways in standard mode as well
as personal mode.

For more information, go to Remove or delete an on-premises data gateway.

Get help
For faster troubleshooting and assistance, select Get help to open a Get Help panel. Include the session ID in a
customer support ticket for any issues on the Data Gateways feature in the Power Platform admin center.
Manage gateways by region
Select the region drop-down list to see the gateway regions. When you select one of the regions, you'll see a list of
gateways installed in that region. You can manage users or view gateway members for these gateways. By default,
you'll see gateways within your tenant's default region.

Filter by gateway type


Select the gateway type drop-down list to filter by gateway type. By default, you'll see all data gateways running in
standard mode. Use the filter to see data gateways in personal mode or all gateways. For more information, see
Types of gateways.

Search
Use Search to find gateway clusters and see their details. You can search for gateway cluster names and contact
info, but not administrators.
Status
Select a gateway cluster, then select Details > Check status to check the status of a gateway cluster.

Manage gateway installers


As either an Azure AD Global administrator (which includes Global admins) or a Power BI service administrator, use
Manage gateway installers to manage who can install the on-premises data gateway in your enterprise. This
operation isn't available for gateway admins.

NOTE
This feature does not apply to on-premises data gateways (personal mode).

1. Go to the Power Platform admin center.


2. Select Data from the left-side menu.
3. Select Manage gateway installers.

4. Enable Restrict Users in your organization from installing gateways. This option is off by default,
allowing anyone in your organization to install a gateway.
5. Add users who can install gateways, and then select Add.

NOTE
Currently, we do not support groups for Manage Installers; you can add individual users.

6. To remove users who have permission to install gateways, select Remove installer, and then select
Confirm.
NOTE
This does not impact gateways that are already installed. This feature only allows or restricts users from installing
gateways going forward.

If a person who doesn't have access to install gateways tries to install one, they will get the following error once
they provide their credentials during the gateway registration.

See also
On-premises data gateway
Connecting to on-premises data sources with On-premises Data Gateway
Preview: Data source management
10/16/2020 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


In the Data page of the Power Platform admin center (https://admin.powerplatform.microsoft.com), you can view
and manage Power BI cloud and on-premises data sources and gateway clusters. The on-premises data sources on
this page include all on-premises data source definitions for gateways you administer. The cloud data sources on
this page are cloud connections in your published Power BI reports.
This article describes managing data sources. For information on managing gateway clusters, see Preview: On-
premises data gateway management.

NOTE
The data sources tab will not be available for tenant or service administrators when Tenant Administration is turned on.

Data source name: The name of the data source.
Data source type: The type of the data source. For supported data sources, see Power BI data sources.
Users: Users who can use this data source in data sets and data flows.
Status: Select the status icon to check the status of a gateway member.
Gateway cluster name: The gateway cluster on which this data source was created. If it is a cloud data source,
this value will say “Cloud”.

Data source settings


Select a data source and then select Settings to see the following information. This view is currently read-only.
Data source name: The name of the data source.
Data source type: The type of the data source. For supported data sources, see Power BI data sources.
Connection Details: Connection information. Check back for updated information.
Authentication method: The authentication method chosen for this connection.

Manage users
Select a data source and then select Manage Users to see the list of current data source users. These users can use
this data source in published reports and data flows. Currently, you can remove users but not add users.

Remove a data source


Select a data source and then select Remove to remove the data source.
Get Help
For faster troubleshooting and assistance, select Get help to open a Get Help panel. Include the session ID in a
customer support ticket for any issues on the Data Gateways feature in the Power Platform admin center.

Region

Currently, data sources are only available for the default Power BI region. For other regions, you will not see any
data sources.

Search
Select Search to find data sources and see their details. You currently can search on data source names, data
source types, and gateway cluster names, but not users and status.

Data source status


Select a data source, then select Check status to see the status of a data source.
See also
On-premises data gateway
Connecting to on-premises data sources with On-premises Data Gateway
Add or remove sample data
10/16/2020 • 2 minutes to read

Sample data gives you something to experiment with as you learn customer engagement apps (Dynamics 365
Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation), and helps you see how data is organized in the system. At some point, you'll
probably want to remove the sample data.
Or, if sample data isn't installed on your system, you may want to add it for training purposes. Later, when you're
ready, you can remove it.

IMPORTANT
Use sample data to learn and play around with system features. However, to avoid unwanted results, don't associate it with
any data you actually need.

1. Make sure you have the System Administrator security role or equivalent permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. Sign in to the Power Platform admin center.
3. Select Environments in the left navigation pane, select your environment, and then select Settings on the
top menu bar.
4. Select Data management to expand the category, then select Sample data.
5. A message appears that tells you whether the sample data is installed.
6. Select an action at the bottom of the screen:
Remove Sample Data, and then select Close.
Install Sample Data, and then select Close.
To close the screen without making changes, just select Close.
Import data (all record types) from multiple sources
10/16/2020 • 2 minutes to read

Importing data is often the first important task that you need to perform after you have installed customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation). You can import data from various systems and
data sources into standard and customized fields of most business and custom entities. You can include related
data, such as notes and attachments. To assure data integrity, you can enable duplicate detection that prevents
importing duplicate records. More information: Detect duplicate data. For more complex data import scenarios,
you can write code using the data import web service. More information: Import data.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Data import wizard.
Preliminary steps before you import the data include:
1. Preparing source data files in one of the following formats: comma-separated values (.csv), XML
Spreadsheet 2003 (.xml), Compressed (.zip) or text files. You can import data from one source file or
several source files. A source file can contain data for one entity type or multiple entity types.
2. Preparing data maps for mapping data contained in the source file to the record fields. You must map
every column in the source file to an appropriate field. Unmapped data isn’t imported. More information:
Select a data map
There are several ways to import data:

NOTE
We recommend limiting your import to 20K rows or fewer.

1. To import large volumes of data, we recommend importing programmatically, which is the most efficient
method. When you import data programmatically, you gain additional capabilities that are not available
when you use other methods of importing data. These advanced capabilities include viewing stored source
data, accessing error logs, and creating data maps that include complex transformation mapping, such as
concatenation, split, and replace. See Import data.
2. For smaller import jobs, you can use the Import Data Wizard tool included in the web application.

NOTE
For the Import Data Wizard, the maximum file size for .zip files is 32 MB; for the other file formats, it’s 8 MB.
With the Import Data Wizard, you can specify the “Map Automatically” option. The wizard automatically maps all
the files and the column headings with record types and fields if:
The file names exactly match the display name of the record type.
The column headings of the file you are importing exactly match the display names of the fields in the record.

3. To add data for an individual record, the quickest way is to use Quick Create from the nav bar or New
from the entity form.
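
The limits and the Map Automatically conditions above can be checked before a file is handed to the Import Data Wizard. This is an added example, not part of the original documentation: it inspects one .csv source file against the 20K-row recommendation, the 8 MB limit, and the exact-match rules for file name and column headings. It assumes UTF-8 input, reads "8 MB" as 8 MiB, and treats "exactly match" as a case-sensitive comparison; the function name, finding codes, and sample data are hypothetical.

```python
import csv
import io
import os

MAX_ROWS = 20_000              # page: "limiting your import to 20K rows or fewer"
MAX_CSV_BYTES = 8 * 1024**2    # page: 8 MB for non-.zip files (MiB is an assumption)

# Constructed sample: wrong file name, one mis-cased heading, one repeated heading.
SAMPLE_CSV = (
    b"Account Name,main phone,Email,Email\r\n"
    b"Contoso,555-0100,info@contoso.example,\r\n"
)
ACCOUNT_FIELDS = {"Account Name", "Main Phone", "Email"}  # constructed display names


def preflight_csv(file_name, data, record_type, field_names):
    """Return (code, detail) findings for one .csv file; an empty list means ready."""
    findings = []
    if len(data) > MAX_CSV_BYTES:
        findings.append(("file_too_large", f"{len(data)} bytes"))

    text = data.decode("utf-8-sig")          # tolerate a byte-order mark
    rows = list(csv.reader(io.StringIO(text, newline="")))
    if not rows:
        return findings + [("no_header", "file is empty")]
    header, body = rows[0], rows[1:]
    if len(body) > MAX_ROWS:
        findings.append(("too_many_rows", f"{len(body)} data rows"))

    # Map Automatically: the file name must equal the record type's display name.
    stem = os.path.splitext(os.path.basename(file_name))[0]
    if stem != record_type:
        findings.append(("file_name_mismatch", f"{stem!r} != {record_type!r}"))

    # Map Automatically: every heading must equal a field display name.
    # Unmapped columns are not imported, so each mismatch is data left behind.
    seen = set()
    for column in header:
        if column in seen:
            findings.append(("duplicate_column", column))
        elif column not in field_names:
            findings.append(("unmatched_column", column))
        seen.add(column)
    return findings


if __name__ == "__main__":
    for code, detail in preflight_csv("accounts.csv", SAMPLE_CSV, "Account", ACCOUNT_FIELDS):
        print(f"{code}: {detail}")
```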
See also
Detect duplicate data
Download a template for data import
10/16/2020 • 2 minutes to read

Whether your data is stored in spreadsheets, databases, or other systems, you'll want to import the data into
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), so you can keep track of all your
customer information in one place. You use templates for importing many types of records, such as accounts, leads
or cases. There is a complete list in the Templates for Data Import wizard.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Templates.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Data management > Templates.
2. In the Templates for Data Import dialog box, choose the record type that you want to download the
template for, and then select Download.
3. In the file download box, select Save or Save as and navigate to a location for the file.
4. Select Close.
See also
Import data (all record types) from multiple sources
Import data
Merge data
10/16/2020 • 3 minutes to read

You can merge two records to combine the data or to remove duplicates. After doing a merge, check out the
Security considerations section to verify the changes meet your security requirements. You can merge Account,
Contact, and Lead entities.
Follow these steps to merge data.
1. Select the records to merge (for example, account records), and then select Merge.

2. Select the master record and the fields to merge into the master record, and then select OK.

NOTE
The master record will inherit all of the subordinate record's child records. The subordinate record will be deactivated.

For more information, see Merge duplicate records for accounts, contacts, or leads.
Security considerations
Merging shared data may have unintended consequences. Check out the following scenarios and have a solid
understanding of the security-related results for each.
Scenarios
Scenario #1: Merge records that are owned by users
Scenario #2: Merge records that are shared to users
Scenario #3: Merge records that are shared to access team members
Scenario #4: Merge records that are owned by teams
Example settings used in the scenarios
The following example settings are used in the scenarios below:
Account entity: used to demonstrate record merge.
User One: a sample user.
User Two: a sample user.
Security role privileges: Both User One and User Two have Read privilege at the User level for the account
entity.

Test Account One: master account to merge. User One is assigned to this account.
Test Account Two: subordinate account which is merged into. User Two is assigned to this account.
Scenario #1: Merge records that are owned by users
Scenario
User One owns Test Account One
User Two owns Test Account Two
Test Account One (the master account) was merged with Test Account Two (the subordinate account)
Security-related results
After merging records:
User One
Has access to:
The merged master Account record - Test Account One
User Two
Has access to:
The merged master Account record - Test Account One
The inactive account (read-only) - Test Account Two
Scenario #2: Merge records that are shared to users
Scenario
User One shared Test Account One with User Two
User Two shared Test Account Two with User One
Test Account One (the master account) was merged with Test Account Two (the subordinate account)
Security-related results
After merging records:
User One
Has access to:
The merged master Account record - Test Account One
The inactive account (read-only) - Test Account Two
User Two
Has access to:
The merged master Account record - Test Account One
The inactive account (read-only) - Test Account Two
Scenario #3: Merge records that are shared to access team members
Scenario
User One is a member of auto-created access team Account Access Team
User Two is a member of auto-created access team Account Access Team
Test Account One (the master account) was merged with Test Account Two (the subordinate account)
For information about access teams, see About access teams and team templates.
Security-related results
After merging records:
User One
Has access to:
The merged master Account record - Test Account One
User Two
Has access to:
The merged master Account record - Test Account One
The inactive account (read-only) - Test Account Two
User Two is not added as a member of the Account Access Team (sub-grid) on Test Account One

Scenario #4: Merge records that are owned by teams


Scenario
User One is a member of Owner Team One
User Two is a member of Owner Team Two
Test Account One (the master account) was merged with Test Account Two (the subordinate account)
For information about owner teams, see About owner teams.
Security-related results
After merging records:
User One
Has access to:
The merged master Account record - Test Account One
User Two
Has access to:
The merged master Account record - Test Account One
The inactive account (read-only) - Test Account Two
User Two is not added to Owner Team One
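
The four scenarios follow one pattern, modeled here as an added example that is not part of the original documentation: everyone who could reach the subordinate record can reach the master after the merge, while team membership and the subordinate's own access list stay as they were. That rule is an assumption inferred from the scenarios above, not taken from the product; the `Account` class, the function names, and the per-record access team names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    principals: set      # owner plus every share: user names or team names
    active: bool = True


def users_with_access(record, teams):
    """Expand a record's principals (users or teams) to individual users."""
    users = set()
    for principal in record.principals:
        users |= teams.get(principal, {principal})
    return users


def merge(master, subordinate, teams):
    """Apply the assumed merge rule and report who gained access to the master.

    Assumed rule: every principal on the subordinate is also granted access to
    the master, the subordinate is deactivated and keeps its own access list,
    and no team's membership changes.
    """
    before = users_with_access(master, teams)
    master.principals |= subordinate.principals
    subordinate.active = False
    after = users_with_access(master, teams)
    return {
        "master": after,
        "inactive_subordinate": users_with_access(subordinate, teams),
        "gained_master_access": after - before,
    }


def build_scenario(number):
    """Constructed fixtures for scenarios 1 to 4 on this page."""
    u1, u2 = "User One", "User Two"
    if number == 1:      # records owned by users
        return Account("Test Account One", {u1}), Account("Test Account Two", {u2}), {}
    if number == 2:      # each owner shared the record with the other user
        return Account("Test Account One", {u1, u2}), Account("Test Account Two", {u1, u2}), {}
    if number == 3:      # auto-created access teams, one per record
        teams = {"Account Access Team (One)": {u1}, "Account Access Team (Two)": {u2}}
    elif number == 4:    # owner teams
        teams = {"Owner Team One": {u1}, "Owner Team Two": {u2}}
    else:
        raise ValueError("scenario must be 1 to 4")
    first, second = teams                      # team names, in insertion order
    return Account("Test Account One", {first}), Account("Test Account Two", {second}), teams


def review_all():
    """Run every scenario and return {scenario number: result}."""
    results = {}
    for number in (1, 2, 3, 4):
        master, subordinate, teams = build_scenario(number)
        members_before = {name: set(users) for name, users in teams.items()}
        result = merge(master, subordinate, teams)
        result["teams_unchanged"] = teams == members_before
        result["subordinate_active"] = subordinate.active
        results[number] = result
    return results


if __name__ == "__main__":
    for number, result in review_all().items():
        print(f"Scenario #{number}: gained master access =",
              sorted(result["gained_master_access"]),
              "| inactive subordinate readable by",
              sorted(result["inactive_subordinate"]))
```

The `gained_master_access` set is the part to review before merging shared records: in scenarios 1, 3, and 4 it contains User Two, who had no access to Test Account One beforehand.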

Change merge behavior


You can use the OrgDBOrgSettings tool to change database settings that govern default option behavior. With the
tool you can change the access settings for master or subordinate account records using the following settings:
GrantFullAccessForMergeToMasterOwner
GrantSharedAccessForMergeToSubordinateOwner
For more information, see Environment database settings.
Detect duplicate data so you can fix or remove it
10/16/2020 • 2 minutes to read

To determine whether a record is a potential duplicate, Power Apps uses duplicate detection rules. When
publishing a duplicate detection rule, a matchcode is created for each existing record. A matchcode is also created
when a record is created or updated. When a record is in the process of being created or updated, its matchcode
can be checked automatically against the matchcodes of existing records. By default, customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing,
and Dynamics 365 Project Service Automation), have simple duplicate detection rules for accounts, contacts, and
leads. For example, you detect duplicates by matching the record fields, such as email address, first name, and last
name.
Duplicate detection works by comparing generated match codes of existing records with each new record being
created. These match codes are created as each new record is created. Therefore, there is potential for one or
more duplicate records to be created if they are processed at the exact same moment. In addition to detecting
duplicates as they are created, you should schedule duplicate detection jobs to check for other potential duplicate
records.

NOTE
Duplicate detection works with Dynamics 365 for tablets, but isn't available for Dynamics 365 for phones.

IMPORTANT
You have to be a system administrator or a system customizer to create, enable, and publish duplicate detection rules for
your organization.
After publishing a duplicate detection rule, increasing the length of fields that are included in the duplicate detection criteria
goes undetected. The field length could exceed the matchcode length limit and not be verified. This may result in duplicates
not being detected.
You can create multiple detection rules for the same entity type. However, you can publish a maximum of five duplicate
detection rules per entity type at one time.

You can detect duplicates:


When you create or update records for entities that are enabled for duplicate detection. This includes records
created with Dynamics 365 for Outlook and tracked in the web application. The duplicate detection dialog
is only displayed for the records created or updated in the user interface (UI). For example, for records
created by a workflow, the duplicate detection dialog is not displayed.

NOTE
Customer engagement apps have the ability to detect duplicates for the updated UI entities when you create or
update records using entity forms or grid views in the web application.

When Dynamics 365 for Outlook goes from offline to online.


During data import. You can specify whether or not to check for duplicates during the import.
NOTE
Duplicates can’t be detected when a user merges two records, converts a lead, or saves an activity as completed.
Duplicates also aren’t detected when a user changes the status of a record, such as activating or reactivating it.

To check for duplicates in the web application, you can use the Detect Duplicates capability provided in More
Commands on the nav bar in the grid. The duplicate records are also detected when you import data
programmatically or through Import Data Wizard. In addition, you can check for duplicates by running scheduled
duplicate detection jobs. For step-by-step instructions on how to set up the duplicate detection job, see Run
system jobs to detect duplicates.
A duplicate detection job runs in the background while you do other things in the customer engagement apps.
You can request email notification from customer engagement apps upon the completion of a duplicate detection
job.
See also
Detect duplicate records and merge
Import data (all record types)
Check for duplicates
Set up duplicate detection rules
Run system jobs to detect duplicates
Delete bulk records
Detect duplicate records and merge
10/16/2020 • 6 minutes to read

Duplicate records can creep into your data when you or others enter data manually or import data in bulk.
Common Data Service helps you address potential duplicates by detecting duplicates for active records such as
accounts and contacts.
After you know there are duplicate records, you can merge the duplicates and retain the record you want. When
you merge a record, any related or child records are also merged. Your administrator might also set up duplicate
detection rules so duplicates are detected at the time of entering or updating records or importing records.

NOTE
The new experience of detecting duplicates and merging them is supported when duplicates are detected while manually
entering data in the app and not during import.

Resolve duplicates when creating or updating records


When duplicates are found while you create or update records, you can either ignore the duplicate detection dialog
box and save the record or you can merge the duplicate records to keep your data clean.

NOTE
The Merge option is available only for Account, Lead, and Contact entities.

When saving a new record or updated records, a Duplicate records found dialog box is shown if duplicates are
found based on the duplicate detection rules set up for your organization. More information: Set up duplicate
detection rules to keep your data clean

The dialog box shows the following details:


The Current record section of the dialog box shows the record that’s being created or updated.
The Duplicates found section shows the number of duplicate records found along with the record type.
The Matched records section shows the possible duplicate records.
The columns in the grids are shown dynamically based on the duplicate detection rule, so that you see the relevant
information to identify why a record was considered a duplicate. For example, if the rule finds two accounts
to be duplicates because they have the same account name and email address, the Account Name and Email
columns are shown in the grid.

NOTE
If the duplicate detection rule is not set to exclude inactive records, both active and inactive records are considered while
detecting duplicates. More information: Set up duplicate detection rules to keep your data clean

You have an option to ignore the duplicates and save the new or updated record or merge the duplicate records.
To save the duplicate record, select Ignore and save .
- OR -
To merge the duplicate records, under the Matched records section, select the record that you want to
merge, and then select Merge .
The Merge (record type) dialog box appears.

1. In the dialog box, select the primary record.

NOTE
The option to select a primary record is available when both records already exist in the system. If a duplicate is
detected when a new record is being saved, the new record is always considered the secondary record.

The primary record is kept, and the secondary record is deactivated. Data from the secondary record is
copied over to the primary record. When you select a primary record, by default, all the fields of the primary
record are selected. This means that the data in these selected fields will be retained. You have an option to
choose the fields from the secondary record, too. When you do that, data from the selected fields of the
secondary record is copied over to the primary record and kept. All notes, activities, and details associated
with the secondary record are linked to the primary record.
2. Use the following options to select the fields for which the data must be retained, and select OK :
Merge records by choosing fields with data : When you select this, all the fields that have data
are selected regardless of whether the data is in the primary record or secondary record. If both
primary and secondary records have data in the same fields, the fields of primary record are selected.
View fields with conflicting data : When you select this, only the fields that have conflicting data
are shown so you can quickly select the fields from which you want to retain data. This is particularly
useful when there’s data in multiple fields and you only want to look at data that’s different in the two
records. This option is selected by default.
Select all fields in this section : When you select this, all fields available in that section of a record
are selected so you don’t have to manually select the fields in that section. It works as a ‘Select all’
option for fields in a section.

NOTE
You can’t merge data into an inactive record.

Merge records from a grid


You can merge two lead, account, or contact records.
To merge two records
In the list of accounts, contacts, or leads, select two records of the same record type, and on the command bar,
select Merge .
Follow the instructions from the Resolve duplicates when creating or updating records section of this topic.

Enable the improved duplicate detection and merge experience


To let users in your organization use the improved duplicate detection and merge experience, you must first enable
it.
To enable
1. In your app, on the nav bar, select the Settings icon, and then select Advanced Settings .
The Business Management settings page opens in a new browser tab.
2. On the nav bar, select Settings > Data Management > Duplicate Detection Settings .
- OR -
In the Power Platform admin center, select Environments > Settings > Data Management > Duplicate
Detection Settings .
3. For Enable improved duplicate detection and merge experience , select Yes and then select OK .

What happens when duplicates are found while qualifying leads?


When qualifying a lead, if a duplicate account or contact is detected while creating new records, a duplicate
warning is shown to you. The options you see to resolve duplicates depend on whether your system administrator
has enabled the improved duplicate detection and merge experience.
Duplicate detection when improved duplicate detection and merge experience is disabled
When the improved duplicate detection experience is disabled, you will see the Duplicate warning dialog box.

In the Account and Contact fields, select the matching account and contact record and select Continue . To ignore
the duplicate warning and create new records, leave the Account and Contact fields blank, and select Continue .
The Account and Contact lookup fields are filtered with matched results and shown along with additional
information to precisely identify the record to which the lead should be linked. For example, when you select the
Contact lookup search icon, you'll see only matched contact records.
Duplicate detection when improved duplicate detection and merge experience is enabled
When the improved duplicate detection and merge experience is enabled, you will see the Account or Contact
may already exist dialog box.

The Matched accounts and Matched contacts sections will show all the matching records (based on the
duplicate detection rules) along with additional information to precisely identify the record to which the lead
should be linked.
To associate the lead record to an existing matching record, select the record, and select Continue . To create a new
account or contact record, select Ignore and save without selecting a matching record.
The lead is qualified.
See also
Detect duplicate data so you can fix or remove it
Import data (all record types)
Check for duplicates
Set up duplicate detection rules
Run system jobs to detect duplicates
Delete bulk records
Set up duplicate detection rules to keep your data clean
10/16/2020 • 3 minutes to read

To maintain the integrity of your data, it's a good idea to have rules in place to reduce duplicate records in the
system. The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365
Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) include default
duplicate detection rules for accounts, contacts, and leads, but not for other types of records. If you want the
system to detect duplicates for other record types, you'll need to create a new rule.
After you've created duplicate detection rules, you need to turn duplicate detection on.
1. Make sure that you have the System Administrator, System Customizer, Sales Manager, Vice President of
Sales, Vice President of Marketing, or CEO-Business Manager security role or equivalent permissions.
Check your security role
a. Follow the steps in View your user profile.
b. Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Data management > Duplicate detection rules .
4. To create a new duplicate detection rule, choose New . Type a name and description.
–OR–
To edit an unpublished existing duplicate detection rule, choose the duplicate detection rule.
–OR–
To edit a published duplicate detection rule, select the rule. On the Actions menu, choose Unpublish ,
and then choose the rule.
5. Select the criteria to be used to identify a record as a duplicate.
a. If you are creating a new rule:
In the Duplicate Detection Rule Criteria section, in the Base Record Type list, choose
the type of record that this rule applies to. For example, select Contacts .
In the Matching Record Type box, choose the type of record to compare. In most cases,
you'll probably want to use the same record type for Base Record Type and Matching
Record Type . It's also useful to be able to compare different record types. For example, you
might want to compare the Email field in Contacts to the Email field in Leads.
b. If you want the rule to consider only active records while detecting duplicates, select the Exclude
inactive matching records check box. You should also select this check box if your duplicate
detection rule criteria are based on a status field.
c. If you want the rule to be case-sensitive, select the Case-sensitive check box.
d. If you selected different record types for the base and matching record types, for each new
criterion, in the Base Record Field column, choose Select , and then choose a field name. In the
same row, in the Matching Record Field column, choose Select , and then choose a field name.
- OR -
If you selected the same record types for the base and matching record types, for each new
criterion, in the Field column, choose Select , and then choose a field.
e. In the same row, in the Criteria column, choose Select , and then choose an operator. For
example, select Exact Match .
f. If you specified Same First Characters or Same Last Characters , in the No. of Characters
column, choose Enter Value , and then enter the number of characters to compare.
g. If you don't want the rule to consider blank fields (null values) as equal while identifying
duplicates, select the Ignore Blank Values check box.

IMPORTANT
If the duplicate detection rule contains only one condition, blank values are ignored during the duplicate
detection job.

The number of criteria that you can select is limited by the number of characters that can be stored in the
matchcode for the record. As you add criteria, watch the Current matchcode length value shown at
the bottom of the criteria list.

6. When you're finished adding criteria, choose Save and Close .


7. To make the new or changed duplicate detection rule usable, select the rule, and then choose Publish .
When you publish a duplicate detection rule, a matchcode is created for every record in the matching
record type for that rule. You can publish only five rules for the same base record type (Account, for
example) at a time. You might need to delete or unpublish an existing rule if you bump up against this
limit.
NOTE
We recommend that you set the duplicate detection criteria on a field that has unique values, for example, Email.
You can have more than one duplicate detection rule for each record type.

See also
Turn duplicate detection rules on or off for the whole organization
Run bulk system jobs to detect duplicate records
Merge duplicate records for accounts, contacts, or leads
Developer's Guide: Duplicate Rule entities
Turn duplicate detection rules on or off for the whole organization
10/16/2020 • 2 minutes to read

To maintain the integrity of your data, it’s a good idea to set up duplicate detection rules to reduce duplicate
records in the system. Remember that after you create duplicate detection rules, you need to turn them on.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Duplicate detection .
Make sure you have the System Administrator, System Customizer, Sales Manager, Vice President of Sales, Vice
President of Marketing, or CEO-Business Manager security role or equivalent permissions to update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Data management > Duplicate detection .
2. Select or clear the Enable duplicate detection check box.

NOTE
If your system contains a large number of records, checking for duplicates can impact performance.

3. If you’re turning duplicate detection on, select or clear the check boxes to set when duplicates are detected:
When a record is created or updated
The system checks for duplicates when a user enters or updates records.

IMPORTANT
Duplicates aren’t detected when a user merges two records, activates or deactivates a record, or saves a
completed activity.

When Dynamics 365 for Outlook goes from offline to online


For users of Dynamics 365 for Outlook, the system detects duplicates when the user synchronizes
their data after working offline, as long as users have enabled duplicate detection in Outlook. To
enable duplicate detection in Outlook, select File > Dynamics 365 > Options . Choose the Local
Data tab, and then select the Enable duplicate detection during offline to online
synchronization check box.
During data import
When you use the Import Data wizard to bring in contacts, leads, accounts, or other types of data,
the wizard detects any duplicate records as long as you enable duplicate detection in the wizard. For
more information, see Import data from multiple sources.
4. Select OK .
See also
Set up duplicate detection rules to keep your data clean
Frequently asked questions about synchronizing records between customer engagement apps and Microsoft
Outlook
Run bulk system jobs to detect duplicate records
Run bulk system jobs to detect duplicate records
10/16/2020 • 2 minutes to read

To maintain the integrity of system data, you should check for duplicates regularly to make sure that users don't
inadvertently create duplicate contacts, accounts, leads, or other types of records.
The Check for Duplicates wizard helps you set up a bulk "job" that finds and cleans up duplicate records. You can
schedule the job to run daily, and you can receive an email confirmation when the job finishes.

NOTE
If you haven't already done so, create and publish duplicate detection rules, and turn duplicate detection on before you run
the wizard. More information: Set up duplicate detection rules to keep your data clean

1. In the Power Platform admin center, select an environment.


2. Select Settings > Data management > Duplicate detection jobs .
3. Select New , or select the name of the duplicate detection job you want to run.
You'll see the Duplicate Detection wizard, which helps you create a job to check for duplicates.
4. Select Next .
5. In the Look for drop-down list, select the record type that you want to check for duplicates.

NOTE
What you see in this list depends on which duplicate detection rules are published. More information: Set up
duplicate detection rules to keep your data clean

6. In the Use Saved View drop-down list, select a view if you want to limit the records searched to records
in that view. For example, select Active Accounts. When you select a view, customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365
Marketing, and Dynamics 365 Project Service Automation) add the criteria to search on.
7. To further limit the records searched, select Select and then enter the criteria you want.

8. Select Next .
9. Accept the default name for the job, or type a different name.
10. Enter the start time for the job, and enter how often to run the job in days. (To run the job daily, type 1 .)
11. If you want to receive an email confirmation when the job is completed, select the Email options check
box. Enter an additional email address, if desired.
12. Select Next , and then select Submit .
See also
Set up duplicate detection rules to keep your data clean
Turn duplicate detection rules on or off for the whole organization
View and take action on bulk deletion jobs
Detect duplicate data
Remove a large amount of specific, targeted data with bulk deletion
10/16/2020 • 2 minutes to read

The bulk deletion feature helps you to maintain data quality and manage the consumption of system storage by
deleting data that you no longer need.
For example, you can delete the following data in bulk:
Stale data.
Data that is irrelevant to the business.
Unneeded test or sample data.
Data that is incorrectly imported from other systems.
With bulk deletion you can perform the following operations:
Delete data across multiple entities.
Delete records for a specified entity.
Receive email notifications when a bulk deletion finishes.
Delete data periodically.
Schedule the start time of a recurring bulk delete.
Retrieve the information about the failures that occurred during a bulk deletion.
These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Data management > Bulk deletion .
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Delete bulk data


1. Select an environment and go to Settings > Data management > Bulk deletion .
2. Select New to run the Bulk Deletion Wizard to create a bulk deletion job with the records you want to
delete.
For information about how to implement bulk delete in code, see Delete data in bulk.
See also
Manage your data
Data Encryption
View and take action on bulk deletion jobs
10/16/2020 • 2 minutes to read

You can view the status of, pause, postpone, and resume a system job that you created using Bulk Record
Deletion .
1. In the Power Platform admin center, select an environment.
2. Select Settings > Data management > Bulk deletion .
3. In the Bulk Record Deletion window, you can perform the actions described in the following table.

TO: View status
DO THIS: Look in the Status Reason column.

TO: View detailed status, including success and failure information
DO THIS: Select the bulk-deletion job.

TO: View queries submitted for deletion
DO THIS: Select the bulk-deletion job, and then under Information, choose Properties.

TO: Review the errors
DO THIS: Select the bulk-deletion job, and then under Related, choose Failures.

TO: Pause a bulk-deletion job
DO THIS:
1. Select the bulk-deletion job, and then on the Actions menu, choose Pause.
2. When the confirmation message appears, choose OK.
Note: Bulk deletion jobs of fewer than 1,000 records cannot be paused.

TO: Postpone a bulk-deletion job
DO THIS:
1. Select the bulk-deletion job, and then on the Actions menu, choose Postpone.
2. When the confirmation message appears, choose OK.

TO: Resume a bulk-deletion job
DO THIS:
1. Select the bulk-deletion job, and then on the Actions menu, choose Resume.
2. When the confirmation message appears, choose OK.

TO: Cancel a bulk-deletion job
DO THIS:
1. Select the bulk-deletion job, and then on the Actions menu, choose Cancel.
2. When the confirmation message appears, choose OK.

TO: Modify recurrence of a bulk-delete job
DO THIS:
1. Select the bulk-deletion job, and then on the Actions menu, choose Modify Recurrence.
2. If you select the Run this job after every check box, specify the interval after which you want the
bulk-deletion job to run, and then choose OK.
If you select the Run this job after every check box when you create a bulk-deletion job, the job becomes
recurring and is moved to the Recurring Bulk Deletion System Jobs view. You can only change the recurrence
for these recurring bulk-deletion jobs.
See also
Delete bulk records
Monitor and manage system jobs
10/16/2020 • 2 minutes to read

Several features use system jobs to perform tasks automatically, including workflows, import, and duplicate
detection, running independently or in the background.
You can monitor them to ensure that they run smoothly or have completed successfully. In the Power Platform
admin center, select an environment. Go to Settings > Audit and logs > System Jobs to see a grid view of
system jobs.

Monitoring system jobs


If there is a problem with a system job, you can cancel, postpone, pause, or resume it. Select a job and then select
the Actions menu.
Canceling system jobs
You cannot resume a canceled system job.
Postponing completion of system jobs
Postponing an active system job stops any current and subsequent actions. You can specify a later time
when you want the system job to restart.
Pausing system jobs
You can resume a paused system job.
Resuming paused system jobs
Resuming restarts a system job that was paused.

TIP
1. If a system job fails, you can view the details about what steps failed and what the problems may have been. First,
open the system job record. To display details about system job failures, move your pointer over the warning
symbols.
2. To view system job failures in a format that you can print or copy and paste, select the Print button.

NOTE
You cannot make changes to the status of a system job that has been completed or canceled.

See also
Asynchronous processing of cascading transactions
Remove user personal data
10/16/2020 • 2 minutes to read

After a user is deleted by the global admin from the Microsoft 365 admin center, the user's personal data can be
removed from all tenant environments. A user is deleted from the Microsoft 365 admin center when:
1. The user leaves the company. In this scenario, the user record remains in the tenant's Active Directory for 30
days before the record is deleted.
-Or-
2. The user requests their personal data be deleted. The user record is deleted immediately.
Once the user record is deleted from Active Directory, system admins can remove the user's personal data from all
environments.

Remove user personal data via User form


When the user record is deleted from Active Directory, the following message is displayed on the User form:
"This user's information is no longer managed by Microsoft 365. You can update this record to comply with the
GDPR by removing or replacing all personal data."
To remove personal data:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Users .
3. Select Disabled Users view.
4. Select a user.
5. Remove personal data, and then select Save .

Remove user personal data via Excel Import/Export


1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Users .
3. Select Disabled Users view.
4. Create an Excel template with all the user personal data columns that you want to update.
5. Select Download File.
6. Open the downloaded Excel file, make your updates, and then save the file.
7. Return to the Disabled Users view window and select Import Data.
8. Choose your updated Excel file in the Upload data file dialog box.
9. Make all the necessary changes on the Map Fields window.
10. Select Next and Submit .

Remove user personal data using Web services


You can also update the data for a disabled user using the Web API or Organization service. The user information is
stored in the SystemUser entity, and you can update data in any of the writeable attributes in the SystemUser entity.
For examples about updating data in a record, see:
Update and delete entities using the Web API
Use the Entity class for create, update and delete
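One way to script the Web API update described above for a disabled user, as an added example (not Microsoft's sample code): it builds, but does not send, the PATCH request. The API version v9.1, the selection of personal-data fields, the host contoso.example, the user id and the token are assumptions or constructed values.

```python
import json
import re
import urllib.request

API_VERSION = "v9.1"  # assumption: the page does not name a Web API version

# Assumption: a selection of writeable SystemUser attributes that commonly
# hold personal data. Extend it to match the columns your organization uses.
PERSONAL_FIELDS = frozenset({
    "firstname", "middlename", "lastname", "nickname", "title",
    "personalemailaddress", "mobilephone", "homephone",
    "address1_line1", "address1_city", "address1_postalcode",
    "address1_telephone1",
})

_GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
_HTTPS_HOST = re.compile(r"https://[A-Za-z0-9.-]+")


def build_scrub_request(env_url, user_record, token, replacements=None):
    """Return a PATCH request that clears or replaces personal data.

    user_record is the JSON object returned by an earlier GET of the user;
    it must carry systemuserid and isdisabled.
    """
    base = env_url.rstrip("/")
    if not _HTTPS_HOST.fullmatch(base):
        raise ValueError("environment URL must look like https://<host>")
    user_id = str(user_record.get("systemuserid", ""))
    if not _GUID.fullmatch(user_id):
        raise ValueError("systemuserid is not a GUID")
    # The procedure on this page applies to disabled users only.
    if user_record.get("isdisabled") is not True:
        raise ValueError("refusing to scrub a user that is not disabled")
    replacements = dict(replacements or {})
    unknown = sorted(set(replacements) - PERSONAL_FIELDS)
    if unknown:
        raise ValueError(f"fields outside the allow-list: {unknown}")
    # Fields without a replacement are sent as null, which clears them.
    body = {name: replacements.get(name) for name in sorted(PERSONAL_FIELDS)}
    return urllib.request.Request(
        f"{base}/api/data/{API_VERSION}/systemusers({user_id})",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "OData-MaxVersion": "4.0",
            "OData-Version": "4.0",
            # Update only: without this header a PATCH to an id that does
            # not exist is treated as an upsert and would create a record.
            "If-Match": "*",
        },
    )


def describe(request):
    """Summarize a request for a change record, leaving the token out."""
    return {
        "method": request.get_method(),
        "url": request.full_url,
        "body": json.loads(request.data),
    }


if __name__ == "__main__":
    # Constructed sample record, shaped like the result of
    # GET .../systemusers(<id>)?$select=systemuserid,isdisabled
    record = {
        "systemuserid": "00000000-0000-0000-0000-000000000001",
        "isdisabled": True,
    }
    request = build_scrub_request(
        "https://contoso.example", record, "TOKEN_PLACEHOLDER",
        {"firstname": "Removed", "lastname": "User"},
    )
    print(json.dumps(describe(request), indent=2))
    # To send it: urllib.request.urlopen(request)
```
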
See also
Analyze and share your data with Excel templates
Recover database space by deleting audit logs
10/16/2020 • 2 minutes to read

When you enable auditing, customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) store the
change history for transactions in the form of audit logs in the database. You can delete the old or unwanted logs
to clean up the database space.

Caution
When you delete an audit log, you can no longer view the audit history for the period covered by that audit log.
1. Make sure that you have the System Administrator or System Customizer security role or equivalent
permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Audit and logs > Audit Log Management .
4. Select the oldest audit log. Then, on the command bar, choose Delete Logs .
5. In the confirmation message, choose OK .

NOTE
You can only delete the oldest audit log in the system. To delete more than one audit log, continue to delete the
oldest audit log until you have deleted enough logs.

See also
Audit data and user activity
Retrieve and delete the history of audited data changes
Enable change tracking to control data synchronization
10/16/2020 • 2 minutes to read

Large organizations that synchronize their data with external data sources can now enable entities for change
tracking. You can export or retrieve a selected set of data, and then keep the external data warehouse in sync.
By selecting, or deselecting, change tracking for specific entities you can reduce the load on your server resources
and save processing time when extracting data and synchronizing it to an external store. You can enable change
tracking for both system and custom entities.
1. Go to Customizations > Customize the System .
2. Select an entity, and under Data Services, select the Change Tracking check box.

See also
Replicate data to Azure SQL Database using Data Export Service
10/16/2020 • 28 minutes to read

The Data Export Service is an add-on service made available on Microsoft AppSource that adds the ability to
replicate data from a Common Data Service database to an Azure SQL Database store in a customer-owned Azure
subscription. The supported target destinations are Azure SQL Database and SQL Server on Azure virtual
machines. The Data Export Service synchronizes all the data initially and thereafter synchronizes
continuously as changes occur (delta changes) in the system. This helps enable several analytics and
reporting scenarios on top of data with Azure data and analytics services, and opens up new possibilities for
customers and partners to build custom solutions.

NOTE
You can use the Data Export Service with customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation).
We're now previewing a similar capability to export your Common Data Service data to Azure Data Lake Gen2. You'll be
able to link your Common Data Service environment to a data lake in your Azure subscription, select standard or custom
entities, and then export data to the data lake. All data or metadata changes (initial and incremental) in Common Data
Service are automatically pushed to Azure Data Lake Gen2 without any additional action. More information: Exporting
Common Data Service data to Azure Data Lake

For information about the programmatic interface for managing configuration and administration of the Data
Export Service, see Data Export Service in the developer guide.

Prerequisites for using Data Export Service


To start using the Data Export Service, the following prerequisites are required.
Azure SQL Database service
A customer owned Azure SQL Database subscription. This subscription must allow the volume of data that is
synchronized.
Firewall settings. We recommend that you turn off Allow access to Azure services and specify the
appropriate client IP addresses listed in this topic. More information: Azure SQL database static IP addresses
used by the Data Export Service
Alternatively, you can turn on Allow access to Azure services to allow all Azure services access.
For SQL Server on Azure VM, the "Connect to SQL Server over the Internet" option should be enabled. More
information: Azure: Connect to a SQL Server Virtual Machine on Azure
Additionally, configure your firewall rules to allow communication between Data Export Service and SQL
Server.
The database user must have permissions at the database and schema level according to the following
tables. The database user is used in the data export connection string.
Database permissions required.

PERMISSION TYPE CODE    PERMISSION NAME
CRTB                    CREATE TABLE
CRTY                    CREATE TYPE
CRVW                    CREATE VIEW
CRPR                    CREATE PROCEDURE
ALUS                    ALTER ANY USER
VWDS                    VIEW DATABASE STATE

Schema permissions required.

PERMISSION TYPE CODE    PERMISSION NAME
AL                      ALTER
IN                      INSERT
DL                      DELETE
SL                      SELECT
UP                      UPDATE
EX                      EXECUTE
RF                      REFERENCES
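The permission type codes in the two tables above are the values of the type column in the sys.database_permissions catalog view, so the grants of the connection-string user can be audited against them. The following added example (not part of the Data Export Service) checks rows returned by the embedded query for missing, denied and excess permissions; the user name placeholder, the dbo schema and the sample rows are constructed assumptions.

```python
# Required permissions, copied from the two tables above (type code -> name).
DATABASE_REQUIRED = {
    "CRTB": "CREATE TABLE", "CRTY": "CREATE TYPE", "CRVW": "CREATE VIEW",
    "CRPR": "CREATE PROCEDURE", "ALUS": "ALTER ANY USER",
    "VWDS": "VIEW DATABASE STATE",
}
SCHEMA_REQUIRED = {
    "AL": "ALTER", "IN": "INSERT", "DL": "DELETE", "SL": "SELECT",
    "UP": "UPDATE", "EX": "EXECUTE", "RF": "REFERENCES",
}
# CONNECT is granted automatically when a database user is created.
IGNORED = {("DATABASE", "CO")}

# T-SQL that produces the rows audited below. <export_user> is a placeholder.
# It lists explicit rows only: permissions implied by a broader grant or
# inherited through role membership are not expanded.
AUDIT_QUERY = """
SELECT class_desc, type, permission_name, state_desc,
       CASE WHEN class_desc = 'SCHEMA' THEN SCHEMA_NAME(major_id) END AS schema_name
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(N'<export_user>')
  AND class_desc IN ('DATABASE', 'SCHEMA');
"""


def make_row(class_desc, code, name, state="GRANT", schema=None):
    """Build one result row; type is char(4) in the view, so pad it."""
    return {"class_desc": class_desc, "type": code.ljust(4),
            "permission_name": name, "state_desc": state, "schema_name": schema}


def audit_export_user(rows, schema="dbo"):
    """Compare explicit permission rows with what the page requires."""
    required = {("DATABASE", c): n for c, n in DATABASE_REQUIRED.items()}
    required.update({("SCHEMA", c): n for c, n in SCHEMA_REQUIRED.items()})
    granted, denied, excess = set(), set(), []
    for row in rows:
        key = (row["class_desc"], row["type"].strip())
        in_scope = key[0] == "DATABASE" or row.get("schema_name") == schema
        label = f'{row["permission_name"]} on {row.get("schema_name") or "database"}'
        state = row["state_desc"]
        if state == "DENY":
            if in_scope and key in required:
                denied.add(key)  # a DENY overrides any GRANT
            continue
        if not state.startswith("GRANT"):
            continue  # REVOKE rows confer nothing
        if in_scope and key in required:
            granted.add(key)
            if state == "GRANT_WITH_GRANT_OPTION":
                excess.append(label + " (WITH GRANT OPTION)")
        elif key not in IGNORED:
            excess.append(label)
    effective = granted - denied
    return {
        "missing": sorted(f"{cls}: {name}" for (cls, code), name
                          in required.items() if (cls, code) not in effective),
        "denied": sorted(f"{cls}: {required[(cls, code)]}" for cls, code in denied),
        "excess": sorted(excess),
    }


# Constructed sample: VIEW DATABASE STATE was never granted, UPDATE is denied,
# and three grants go beyond what the page asks for.
SAMPLE_ROWS = (
    [make_row("DATABASE", "CO", "CONNECT"),
     make_row("DATABASE", "BADB", "BACKUP DATABASE")]
    + [make_row("DATABASE", c, n) for c, n in DATABASE_REQUIRED.items() if c != "VWDS"]
    + [make_row("SCHEMA", c, n, schema="dbo")
       for c, n in SCHEMA_REQUIRED.items() if c not in ("SL", "UP")]
    + [make_row("SCHEMA", "SL", "SELECT", "GRANT_WITH_GRANT_OPTION", "dbo"),
       make_row("SCHEMA", "UP", "UPDATE", "DENY", "dbo"),
       make_row("SCHEMA", "SL", "SELECT", schema="sales")]
)

if __name__ == "__main__":
    for finding, items in audit_export_user(SAMPLE_ROWS).items():
        print(f"{finding}: {items}")
```
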

Azure Key Vault service


Customer owned Key Vault subscription, which is used to securely maintain the database connection string.
Grant PermissionsToSecrets permission to the application with the id "b861dbcc-a7ef-4219-a005-0e4de4ea7dcf".
This can be completed by running the Azure PowerShell command below and is used to
access the Key Vault that contains the connection string secret. More information: How to set up Azure Key
Vault
The Key Vault should be tagged with the organization (OrgId) and tenant ids (TenantId). This can be
completed by running the Azure PowerShell command below. More information: How to set up Azure Key
Vault
Configure your firewall rules to allow communication between Data Export Service and Azure Key Vault.
Customer engagement apps
A version 9.0 or later version environment.
The Data Export Service solution must be installed.
Go to Settings > Microsoft AppSource > search or browse to Microsoft Dynamics 365 - Data
Export Service, and then select Get it now.
Or, find it on Microsoft AppSource.
The entities that will be added to the Export Profile must be enabled with change tracking. To ensure a
standard or custom entity can be synchronized, go to Customization > Customize the System, and then
click the entity. On the General tab, make sure the Change Tracking option under the Data Services
section is enabled.
You must have the System Administrator security role in the environment.
Web browser
Enable pop-ups for the domain https://discovery.crmreplication.azure.net/ in your web browser. This is required for
auto-sign in when you navigate to Settings > Data Export.

Services, credentials, and privileges required


To use the Data Export Service feature, you must have the following services, credentials, and privileges.
A subscription. Only users that are assigned the System Administrator security role can set up or make
changes to an Export Profile.
Azure subscription that includes the following services.
Azure SQL Database or Azure SQL Server on Azure virtual machines.
Azure Key Vault.

IMPORTANT
To use the Data Export Service, the customer engagement apps and Azure Key Vault services must operate under the same
tenant and within the same Azure Active Directory. More information: Azure integration with Microsoft 365
The Azure SQL Database service can be in the same or a different tenant from the service.

What you should know before using the Data Export Service
Export Profiles must be deleted and then re-created whenever you perform any of the following actions on
an environment.
Restore an environment.
Copy (either full or minimal) an environment.
Reset an environment.
Move an environment to a different country or region.
To do this, delete the Export Profile in the EXPORT PROFILES view, then delete the tables and stored
procedures, and then create a new profile. More information: How to delete all Data Export Profile tables and
stored procedures
The Data Export Service doesn't work for sandbox or production environments that are configured with
Enable administration mode turned on. More information: Administration mode
The Data Export Service does not drop (delete) the associated tables, columns, or stored procedure objects in
the destination Azure SQL database when the following actions occur.
An entity is deleted.
A field is deleted.
An entity is removed from an Export Profile.
These items must be dropped manually. More information: How to delete Data Export Profile tables and
stored procedures for a specific entity
Metadata delete notifications are logged in the unprocessablemessages folder. More information: Error
handling and monitoring

Export Profile
To export data from customer engagement apps, the administrator creates an Export Profile. Multiple profiles can
be created and activated to synchronize data to different destination databases simultaneously.
The Export Profile is the core concept of the Data Export Service. The Export Profile gathers setup and
configuration information to synchronize data with the destination database. As part of the Export Profile, the
administrator provides a list of entities to be exported to the destination database. Once activated, the Export
Profile starts the automatic synchronization of data. Initially, all data that corresponds to each selected entity is
exported. Thereafter, only the changes to data as they occur to the entity records or metadata in customer
engagement apps are synchronized continuously using a push mechanism in near real time. Therefore, you don't
need to set up a schedule to retrieve data from customer engagement apps.
Only entities that have change tracking enabled can be added to the Export Profile. Note that most of the
standard entities that capture data have change tracking enabled. Custom entities must be explicitly enabled for
change tracking before you can add them to an Export Profile. More information: Enable change tracking to control
data synchronization
The Data Export Service does both metadata and data synchronization. Each entity translates into one table, and
each field translates into a column in the destination database table. Table and column names use the schema name
of the metadata.
Once activated, an Export Profile gathers statistics for data synchronization that helps in operational visibility and
diagnostics of the data exported.
Data synchronization available with an Export Profile
Category | Feature | Supported data types
Initial Sync | Metadata - Basic Data Types | Whole Number, Floating Point Number, Decimal Number, Single Line of Text, Multi Line of Text, Date and Time data types.
Initial Sync | Metadata - Advanced Data Types | Currency, PartyList, Option Set, Status, Status Reason, Lookup (including Customer and Regarding type lookup). PartyList is only available for export version 8.1 and above.
Initial Sync | Data - Basic Types | All basic data types.
Initial Sync | Data - Advanced Types | All advanced data types.
Delta Sync | Modify Schema - Basic Types | Add or modify field change, all basic data types.
Delta Sync | Modify Schema - Advanced Types | Add or modify field change, all advanced data types.
Delta Sync | Modify Data - Basic Types | All basic data types.
Delta Sync | Modify Data - Advanced Types | All advanced data types, such as PartyList.

Create an Export Profile


Ensure that the following requirements are met before creating an Export Profile.
The Data Export Service solution is installed in your environment.
Maintain the SQL Database connection string in the Key Vault and copy the Key Vault URL to provide in the
Export Profile. More information: Azure: Get started with Azure Key Vault
The entities to be added to the Export Profile are enabled for change tracking. More information: Enable
change tracking to control data synchronization
Your SQL Database service has enough storage space to store the data.
You are a System Administrator in the environment.
1. Go to Settings > Data Export.
2. Review the notice, and click Continue or Cancel if you don't want to export data.
3. Click New to create a new Export Profile.
4. In the Properties step, enter the following information, and then click Next to continue without connecting
to the Key Vault. Clicking Validate uses the Key Vault URL you provided to connect to the Key Vault.
Name. Unique name of the profile. This field is mandatory.
Key Vault Connection URL. Key Vault URL pointing to the connection string stored with credentials
used to connect to the destination database. This field is mandatory. More information: How to set up
Azure Key Vault

IMPORTANT
The Key Vault Connection URL is case-sensitive. Enter the Key Vault Connection URL exactly as it is displayed
after you run the Windows PowerShell commands in this topic.

Schema. Name for an alternative database schema. Only alphanumeric characters are valid. This field
is optional. By default, dbo is the schema that is used for the destination SQL Database.
Prefix. Prefix to be used for the table names created in the destination database. This helps you easily
identify the tables created for the Export Profile in the destination database. When specified, make
sure that the prefix is less than 15 characters. This field is optional and only alphanumeric characters
are allowed.
Retry count. The number of times a record is retried in case of a failure to insert or update in the
destination table. This field is mandatory. Acceptable values are 0-20 and the default is 12.
Retry interval. The number of seconds to wait before a retry in case of a failure. This field is
mandatory. Acceptable values are 0-3600 and the default is 5.
Write Delete Log. Optional setting for logging deleted records.
5. In the Select Entities step, select the entities that you want to export to the destination SQL Database, and
then click Next.

6. In the Select Relationships step, you can synchronize the M:N (many-to-many) relationships that exist
with the entities you selected in the previous step. Click Next.
7. In the Summary step, click Create and Activate to create the profile record and connect to the Key Vault,
which begins the synchronization process. Otherwise, click Create to save the Export Profile and activate
later.

Modify an existing Export Profile


You can add or remove the entities and relationships in an existing Export Profile that you want to replicate.
1. Go to Settings > Data Export.
2. In the All Data Export Profile view, select the Export Profile that you want to change.
3. On the Actions toolbar, click MANAGE ENTITIES to add or remove entities for data export. To add or
remove entity relationships, click MANAGE RELATIONSHIPS.

4. Select the entities or entity relationships that you want to add or remove.

5. Click Update to submit your changes to the Export Profile.

IMPORTANT
When you remove an entity or entity relationship from an Export Profile it doesn't drop the corresponding table in the
destination database. Before you can re-add an entity that has been removed, you must drop the corresponding table in the
destination database. To drop an entity table, see How to delete Data Export Profile tables and stored procedures for a
specific entity.

Table details for the destination Azure SQL Database


The Data Export Service creates tables for both data and metadata. A table is created for each entity and M:N
relationship that is synchronized.
Once an Export Profile is activated, these tables are created in the destination database. These are system tables and
will not have the SinkCreatedTime and SinkModifiedTime fields added.

Table name | Created
<Prefix>_GlobalOptionsetMetadata | Upon Export Profile activation.
<Prefix>_OptionsetMetadata | Upon Export Profile activation.
<Prefix>_StateMetadata | Upon Export Profile activation.
<Prefix>_StatusMetadata | Upon Export Profile activation.
<Prefix>_TargetMetadata | Upon Export Profile activation.
<Prefix>_AttributeMetadata | Upon Export Profile activation.
<Prefix>_DeleteLog | Upon Export Profile activation when the delete log option is enabled.

Resolving synchronization issues


Even after several retry attempts, record synchronization failures may occur from database storage constraints or
table locking due to long running queries. To resolve these failures you can force a resynchronization of only failed
records or a resynchronization of all records.
1. View your export profiles to look for any that have record synchronization failures. You do this by viewing
the data profiles in the Synchronization area or by opening an Export Profile, such as this profile that has a
contact entity record synchronization failure.

2. Examine the source of the synchronization failure and resolve it. More information: Error handling and
monitoring
3. After the problem has been resolved, resynchronize the failed records.

NOTE
Failed records synchronization is a public preview feature.
Preview features aren’t meant for production use and may have restricted functionality. These features are
available before an official release so that customers can get early access and provide feedback.
We expect changes to this feature, so you shouldn’t use it in production. Use it only in test and
development environments.
Microsoft doesn't provide support for this preview feature. Microsoft Dynamics 365 Technical Support
won’t be able to help you with issues or questions. Preview features aren't meant for production use and
are subject to a separate supplemental terms of use.

a. Sign in to your environment and go to Settings > Data Export.


b. Open the Export Profile that includes record synchronization failures.
c. On the Export Profile toolbar, click RESYNC FAILED RECORDS.
d. Click Ok upon successful resynchronization of the failed records on the confirmation dialog.

e. Verify that the Export Profile doesn't contain failed record notifications by opening the data export profile
and viewing the Failed Notifications counter on the PROPERTIES & OVERVIEW tab, which should be
0. Click REFRESH on the Export Profile toolbar to make sure the Failed Notifications value is current.

4. If the record synchronization failures persist after you've tried resynchronizing by following the previous
steps, contact Microsoft Customer Support Services.

Error handling and monitoring


To view the synchronization status of an Export Profile, go to Settings > Data Export and open the Export Profile.
On the ENTITIES tab, the synchronization status is displayed including a Failed Records column for records that
could not be synchronized. For any failed records, a list of those records including the status reason can be
downloaded by clicking FAILED RECORDS on the command bar.

In the Export Profile you can click PROPERTIES & OVERVIEW to display the properties of the profile. Click
RELATIONSHIPS to view the relationships synchronization status.
How to view detailed information about the records that failed to sync
Viewing the failed record logs can help you determine the cause of synchronization failures. To view failed records
in the Azure destination database, use Azure Storage Explorer, a free standalone app that allows you to
easily work with Azure Storage data. More information: Azure Storage Explorer.
1. Go to Settings > Data Export.
2. In the All Data Export Profile view, select the Export Profile that has failed notifications.

3. On the Actions toolbar, click FAILED RECORDS .

4. In the Download Failed Records dialog box, click Copy Blob URL, and then click Ok.

NOTE
The blob URL is valid for up to 24 hours. If the URL exceeds the 24 hour period, repeat the steps described earlier to
generate a new blob URL.

5. Start Azure Storage Explorer.


6. In Azure Storage Explorer, click Connect to Azure Storage.
7. Paste the URL from your clipboard into the Connect to Azure Storage box, and then click Next.
8. On the Connection Summary page, click Connect.
9. Azure Storage Explorer connects to the destination database. If failed records exist for the Export Profile,
Azure Storage Explorer displays failed record synchronization folders.
How to view detailed information about the records that failed to sync (Preview)
You can now download the failed records directly from within the Data Export Service user interface. This feature is
currently in Preview, and we welcome your testing and feedback.
Steps to download failed records:
1. Identify the profile with failed records.

2. Select the profile and select Download Failed records (Preview) from the top menu bar.

3. In the Download Failed records dialog box, you will see a sorted list of the last 20 (max) blob files. Select the
one you want to download, and then select Ok.
4. Once downloaded, open the file in a text editor of your choice (for example, Notepad) and view the details
for failures.

Failed record synchronization folder structure and log files


The Failed Records Azure Blob storage URL points to a location that has the following folder structure:
- data. This folder contains failed data notifications and the associated JSON for record data.
- metadata. This folder contains failed metadata notifications and the associated JSON for metadata.
- failurelog. This folder contains logs that provide information about the synchronization failure and the reason the failure occurred.
- forcerefreshfailurelog. This folder contains errors from the last run of the Data Export Service Failed Records command used to resynchronize failed records.
- unprocessablemessages. This folder contains the data notifications that were not processed either due to deletion of data or metadata and the associated JSON.
The failurelog and forcerefreshfailurelog folders are structured Year\Month\Day\Hour so that you can
quickly locate the latest failures. All failure records older than 30 days are deleted.
Here's an example log file that indicates a contact entity record synchronization failure.

Entity: contact, RecordId: 459d1d3e-7cc8-e611-80f7-5065f38bf1c1, NotificationTime: 12/28/2016 12:32:39 AM,
ChangeType: Update, FailureReason: The database 'tempdb' has reached its size quota. Partition or delete data,
drop indexes, or consult the documentation for possible resolutions.
The statement has been terminated.

Common reasons for record synchronization failures


Here are a few reasons why record synchronization failures may occur.
- Insufficient storage for the destination database. Before you try to resynchronize the failed records, increase or free Azure SQL Database storage as appropriate. When this problem occurs, a message similar to this is recorded to the failure log.
  The database 'databasename' has reached its size quota. Partition or delete data, drop indexes, or consult the documentation for possible resolutions.
- Synchronization timeouts with Azure SQL Database. This can occur during the initial synchronization of a data export profile when large amounts of data are processed at one time. When this issue occurs, resynchronize the failed records. More information: Resolving synchronization issues

Best practices when using Azure SQL Database with Data Export
To avoid synchronization errors due to resource throttling, we recommend that you have an Azure SQL
Database Premium P1 or better plan when you use the Data Export Service. More information: Azure SQL
Database resource limits and SQL Database Pricing
Set the Azure SQL Database to use read committed snapshot isolation (RCSI) for workloads running
concurrently on the destination database that execute long running read queries, such as reporting and ETL
jobs. This reduces the occurrence of timeout errors that can occur with the Data Export Service due to
read\write conflicts.
To help improve query performance we recommend the Data Export Service database max degree of
parallelism (MAXDOP) be set to 1. More information: MSDN: Server Memory Options
Frequently assess the amount of fragmentation, and when necessary, rebuild the indexes in the Data Export
Service database. More information: Reorganize and Rebuild Indexes
Periodically update database statistics on tables and indexed views in the Data Export Service database.
More information: Update Statistics
Monitor the Data Export Service database's utilization. More information: Perf monitoring
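The recommendations above, written out as T-SQL to run in the destination database. This is an added example, not part of the original documentation. The table name [dbo].[prefix_account] is borrowed from the page's later example query as a placeholder, and the 30 percent and 1,000-page fragmentation thresholds are assumptions.

```sql
-- Added example: check and apply the recommended settings in the
-- Data Export Service destination database (Azure SQL Database).

-- 1. Current state of read committed snapshot isolation and MAXDOP.
SELECT name, is_read_committed_snapshot_on
FROM sys.databases
WHERE name = DB_NAME();

SELECT name, value
FROM sys.database_scoped_configurations
WHERE name = 'MAXDOP';

-- 2. Apply the recommended values.
--    Changing READ_COMMITTED_SNAPSHOT needs the database to have no other
--    active connections, so run it in a maintenance window.
ALTER DATABASE CURRENT SET READ_COMMITTED_SNAPSHOT ON;
ALTER DATABASE SCOPED CONFIGURATION SET MAXDOP = 1;

-- 3. Indexes worth rebuilding. Thresholds are assumptions:
--    more than 30 percent fragmented and larger than 1,000 pages.
SELECT OBJECT_SCHEMA_NAME(ips.object_id) AS obj_schema,
       OBJECT_NAME(ips.object_id)        AS table_name,
       i.name                            AS index_name,
       ips.avg_fragmentation_in_percent,
       ips.page_count
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ips
JOIN sys.indexes AS i
  ON i.object_id = ips.object_id
 AND i.index_id  = ips.index_id
WHERE ips.avg_fragmentation_in_percent > 30
  AND ips.page_count > 1000
ORDER BY ips.avg_fragmentation_in_percent DESC;

-- 4. Rebuild indexes and refresh statistics for one exported table
--    (placeholder name; substitute a table reported by step 3).
ALTER INDEX ALL ON [dbo].[prefix_account] REBUILD;
UPDATE STATISTICS [dbo].[prefix_account];

-- 5. Utilization over the last hour, as a percentage of the service tier limits.
SELECT MAX(avg_cpu_percent)       AS max_cpu_percent,
       MAX(avg_data_io_percent)   AS max_data_io_percent,
       MAX(avg_log_write_percent) AS max_log_write_percent
FROM sys.dm_db_resource_stats
WHERE end_time > DATEADD(HOUR, -1, SYSUTCDATETIME());
```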

About data synchronization latency


The Data Export Service is architected to synchronize data changes to the destination database using a push
mechanism by listening to changes as they happen in customer engagement apps. The service strives to push data
within a few minutes, but there are a number of factors that can influence end-to-end synchronization latency.
Factors that influence the duration of synchronization include the following:
The current work load on customer engagement apps.
The data change rate in customer engagement apps.
The number of entities added to each export profile and their attributes.
SQL Server performance. For example:
SQL connection setup time.
SQL statement execution time.
Based on our monitoring of the service it's been observed that most on-going delta synchronization finishes in 15
minutes when the service operates under the following conditions:
The synchronization that occurs is a delta synchronization and not the initial synchronization. Delta
synchronization is only for data change operations, which include record create, update, and delete transactions.
Note that delta synchronization begins once the initial synchronization has finished.
The maximum data change rate in customer engagement apps for all the entities in the export profile is less
than 3000 records per hour. Any sudden increase in the data change rate due to bulk change of records
exceeding the maximum change rate will cause additional latency.
Each entity added to an export profile has less than 150 attributes.
Database connection or SQL statement execution finishes in less than 10 seconds. If this limit is exceeded it will
result in additional latency.
No destination database connection or SQL execution errors occur during synchronization.
When the above conditions are met, 15 minutes is a typical synchronization latency. Microsoft provides no service
level agreement (SLA) for the Data Export Service and makes no guarantees or commitments regarding
synchronization latency times.

How to set up Azure Key Vault


Run the Windows PowerShell script described here as an Azure account administrator to give permission to the
Data Export Service feature so it may access your Azure Key Vault. This script displays the key vault URL required
for creating the Export Profile that is used to access the connection string.
Before running the script, replace the placeholders for the following variables.
$subscriptionId. The Key Vault resource group you want to use. If a resource group doesn't already exist a
new one with the name you specify will be created. In this example, ContosoResourceGroup1 is used.
$location. Specify the location where the resource group is, or should be, located, such as West US.
$connectionString. The connection string to the Azure SQL Database. You can use the ADO.NET connection
string as it is displayed in your Azure dashboard.
$organizationIdList. Comma separated list of allowed organizations, listed by organization Id
(organizationId), to enable for Data Export Service. To find an organization's Id, go to Settings >
Customizations > Developer Resources. The organization Id is under Environment Reference
Information.
$tenantId. Specifies the Azure Active Directory tenant Id to which the Key Vault subscription.

IMPORTANT
An Azure subscription can have multiple Azure Active Directory tenant Ids. Make sure that you select the correct Azure Active
Directory tenant Id that is associated with the environment that you will use for data export.
# -------------------------------------------------------------------------------- #
# Provide the value for the following parameters before executing the script
$subscriptionId = 'ContosoSubscriptionId'
$keyvaultName = 'ContosoKeyVault'
$secretName = 'ContosoDataExportSecret'
$resourceGroupName = 'ContosoResourceGroup1'
$location = 'West US'
$connectionString = 'AzureSQLconnectionString'
$organizationIdList = 'ContosoSalesOrg1_id, ContosoSalesOrg2_id'
$tenantId = 'tenantId'
# -------------------------------------------------------------------------------- #

# Requires the Az PowerShell module (Az.Accounts, Az.Resources, Az.KeyVault).

# Login to Azure account, select subscription and tenant Id
Connect-AzAccount -Tenant $tenantId -Subscription $subscriptionId

# Create new resource group if not exists.
$rgAvail = Get-AzResourceGroup -Name $resourceGroupName -Location $location -ErrorAction SilentlyContinue
if (!$rgAvail) {
    New-AzResourceGroup -Name $resourceGroupName -Location $location
}

# Create new key vault if not exists.
$kvAvail = Get-AzKeyVault -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue
if (!$kvAvail) {
    New-AzKeyVault -VaultName $keyvaultName -ResourceGroupName $resourceGroupName -Location $location
    # Wait few seconds for DNS entry to propagate
    Start-Sleep -Seconds 15
}

# Create tags to store allowed set of Organizations.
$secretTags = @{}
foreach ($orgId in $organizationIdList.Split(',')) {
    $secretTags.Add($orgId.Trim(), $tenantId)
}

# Add or update a secret to key vault.
$secretValue = ConvertTo-SecureString $connectionString -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $keyvaultName -Name $secretName -SecretValue $secretValue -Tags $secretTags

# Authorize application to access key vault (read-only access to secrets).
$servicePrincipal = 'b861dbcc-a7ef-4219-a005-0e4de4ea7dcf'
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName -ServicePrincipalName $servicePrincipal -PermissionsToSecrets get

# Display secret url (the secret identifier without its version suffix).
Write-Host "Connection key vault URL is $($secret.Id.TrimEnd($secret.Version))"

How to delete all Data Export Profile tables and stored procedures
IMPORTANT
Before you run this SQL statement make sure that you have correctly defined the @prefix and @schema values in the
statement. The Export Profile will need to be re-created after you run this SQL statement.
-----------------------------------------------------------------
-- Provide the value for the following parameters
DECLARE @prefix nvarchar(32) =''
DECLARE @schema nvarchar(32) ='dbo'
-----------------------------------------------------------------

DECLARE @sql nvarchar(max) = '';

SELECT @sql += 'DROP TABLE ' + QUOTENAME([TABLE_SCHEMA]) + '.' + QUOTENAME([TABLE_NAME]) + ';'
FROM [INFORMATION_SCHEMA].[TABLES]
WHERE [TABLE_TYPE] = 'BASE TABLE' AND [TABLE_NAME] like @prefix + '_%' AND [TABLE_SCHEMA]= @schema;

PRINT @sql
EXEC SP_EXECUTESQL @sql;

PRINT 'Finished dropping all tables. Starting to drop all stored procedures now.'

SELECT @sql='';
SELECT @sql += 'DROP PROCEDURE ' + QUOTENAME([ROUTINE_SCHEMA]) + '.' + QUOTENAME([ROUTINE_NAME]) + ';'
FROM [INFORMATION_SCHEMA].[ROUTINES]
WHERE [ROUTINE_TYPE] = 'PROCEDURE' AND [ROUTINE_NAME] like @prefix + '_%' AND [ROUTINE_SCHEMA]= @schema;
PRINT @sql
EXEC SP_EXECUTESQL @sql;

PRINT 'Finished dropping all stored procedures. Starting to drop all types now.'

SELECT @sql='';
SELECT @sql += 'DROP TYPE ' + QUOTENAME(SCHEMA_NAME([SCHEMA_ID])) + '.' + QUOTENAME([NAME]) + ';'
FROM SYS.TYPES
WHERE is_user_defined = 1 AND [NAME] LIKE @prefix + '_%' AND [SCHEMA_ID]=SCHEMA_ID(@schema);

PRINT @sql
EXEC SP_EXECUTESQL @sql;
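A read-only preview of what the statement above would drop, added here as an example and not part of the original documentation. It uses the same filters as the page's script; because _ is a single-character wildcard in LIKE, the pattern @prefix + '_%' also matches names where the character after the prefix is not an underscore, and with an empty @prefix it matches every object in the schema. The sample prefix crm and the column aliases are assumptions.

```sql
-- Added example: list the objects the drop script would remove. Nothing is dropped.
DECLARE @prefix nvarchar(32) = N'crm';   -- assumed sample value; use your Export Profile prefix
DECLARE @schema nvarchar(32) = N'dbo';

-- Pattern used by the page's script ('_' acts as a wildcard).
DECLARE @loose  nvarchar(64) = @prefix + N'_%';
-- Same pattern with a literal underscore, used only to explain each match.
DECLARE @strict nvarchar(64) = @prefix + N'[_]%';

WITH candidates AS (
    SELECT N'TABLE' AS obj_kind, @schema AS obj_schema, [TABLE_NAME] AS obj_name
    FROM [INFORMATION_SCHEMA].[TABLES]
    WHERE [TABLE_TYPE] = 'BASE TABLE'
      AND [TABLE_SCHEMA] = @schema
      AND [TABLE_NAME] LIKE @loose
    UNION ALL
    SELECT N'PROCEDURE', @schema, [ROUTINE_NAME]
    FROM [INFORMATION_SCHEMA].[ROUTINES]
    WHERE [ROUTINE_TYPE] = 'PROCEDURE'
      AND [ROUTINE_SCHEMA] = @schema
      AND [ROUTINE_NAME] LIKE @loose
    UNION ALL
    SELECT N'TYPE', @schema, [NAME]
    FROM SYS.TYPES
    WHERE is_user_defined = 1
      AND [SCHEMA_ID] = SCHEMA_ID(@schema)
      AND [NAME] LIKE @loose
)
SELECT obj_kind,
       obj_schema,
       obj_name,
       CASE
           WHEN @prefix = N'' THEN 'empty prefix: pattern matches every object in the schema'
           WHEN obj_name LIKE @strict THEN 'prefix match'
           ELSE 'matched only through the _ wildcard: confirm before dropping'
       END AS match_reason
FROM candidates
ORDER BY obj_kind, obj_name;
```

Review the result set before running the drop statement, especially when the destination database also holds objects that the Data Export Service did not create.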

How to delete Data Export Profile tables and stored procedures for a
specific entity
IMPORTANT
Before you run this SQL statement make sure that you have correctly defined the @prefix, @schema, and @entityName
values in the statement. In this example, the leads entity table, types, and stored procedures are dropped.
-----------------------------------------------------------------
-- Provide the value for the following parameters
DECLARE @prefix nvarchar(32) ='crm'
DECLARE @schema nvarchar(32) ='dbo'
DECLARE @entityName nvarchar(32) ='lead'
-----------------------------------------------------------------
DECLARE @sql nvarchar(max) = '';

IF @prefix != ''
BEGIN
SET @prefix = @prefix + '_'
END

SELECT @sql += 'DROP TABLE ' + QUOTENAME([TABLE_SCHEMA]) + '.' + QUOTENAME([TABLE_NAME]) + ';'
FROM [INFORMATION_SCHEMA].[TABLES]
WHERE [TABLE_TYPE] = 'BASE TABLE' AND [TABLE_NAME] like @prefix + @entityName AND [TABLE_SCHEMA]= @schema;
PRINT @sql
EXEC SP_EXECUTESQL @sql;
PRINT 'Finished dropping the entity. Starting to drop the types associated with the entity'

SELECT @sql='';
SELECT @sql += 'DROP TYPE ' + QUOTENAME(SCHEMA_NAME([SCHEMA_ID])) + '.' + QUOTENAME([NAME]) + ';'
FROM SYS.TYPES
WHERE
is_user_defined = 1
AND (
[NAME] LIKE @prefix + @entityName +'Type'
OR [NAME] LIKE @prefix + @entityName +'IdType'
)
AND [SCHEMA_ID] = SCHEMA_ID(@schema);
PRINT @sql
EXEC SP_EXECUTESQL @sql;

Find the Azure Active Directory tenant Id for your tenant


1. Sign in to the Azure portal.
2. Under Azure services select Tenant properties.
3. Select the value in the Tenant ID field.

Azure SQL database static IP addresses used by the Data Export Service
In Azure SQL Database, click Set server firewall, turn Allow access to Azure services to OFF, click Add client
IP, and then add the IP addresses appropriate for the region of your Dynamics 365 environment. More information:
Azure: Configure an Azure SQL Database server-level firewall rule using the Azure Portal

Region | IP address
West US | 40.112.139.218
East US | 23.96.92.86
West Europe | 40.68.252.224
East Asia | 52.175.24.148
Southeast Asia | 52.163.231.218
Central India | 52.172.191.195
South India | 52.172.51.15
North Europe | 52.169.117.212
Japan West | 138.91.22.196
Japan East | 13.73.7.177
Brazil South | 191.235.81.249
Australia Southeast | 40.115.78.163
Australia East | 13.73.202.160
Canada Central | 52.228.26.31
Canada East | 40.86.251.81
United Kingdom South | 51.140.71.166
United Kingdom West | 51.141.44.218

NOTE
North America customers should add IP addresses to an approved list for both East US and West US.
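The same firewall configuration done in T-SQL against the master database of the Azure SQL logical server, for a North America environment. This is an added example, not part of the original documentation; the IP addresses come from the table above, and the rule names DataExportService-WestUS and DataExportService-EastUS are assumed.

```sql
-- Added example: run in the master database of the Azure SQL logical server.

-- 1. Audit the existing server-level rules. The 0.0.0.0 - 0.0.0.0 rule is how
--    "Allow access to Azure services" appears when it is turned ON.
SELECT name,
       start_ip_address,
       end_ip_address,
       CASE
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
               THEN 'Allow access to Azure services is ON'
           WHEN start_ip_address <> end_ip_address
               THEN 'address range: review whether it is still needed'
           ELSE 'single address'
       END AS note
FROM sys.firewall_rules
ORDER BY name;

-- 2. Add the Data Export Service addresses first, so synchronization keeps
--    working when the broad rule is removed. Rule names are assumed.
EXECUTE sp_set_firewall_rule
    @name = N'DataExportService-WestUS',
    @start_ip_address = '40.112.139.218',
    @end_ip_address   = '40.112.139.218';

EXECUTE sp_set_firewall_rule
    @name = N'DataExportService-EastUS',
    @start_ip_address = '23.96.92.86',
    @end_ip_address   = '23.96.92.86';

-- 3. Remove the rule that admits all Azure services, if present
--    (equivalent to turning the portal switch OFF).
DECLARE @azureRule nvarchar(128) =
    (SELECT TOP (1) name
     FROM sys.firewall_rules
     WHERE start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0');

IF @azureRule IS NOT NULL
    EXECUTE sp_delete_firewall_rule @name = @azureRule;

-- 4. Confirm the final rule set.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules
ORDER BY name;
```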

Known issues
Deleted records may get reinserted into entity table after a synchronization failure
When you recover from synchronization failures, records that had been previously deleted may get reinserted back
into the originating entity table. To work around this issue when synchronization failures occur, follow these steps.
1. Create Export Profiles that are Write Delete Log enabled. Re-create existing Export Profiles that don't have
Write Delete Log enabled.
2. Create and execute a SQL query for the Azure SQL destination database that searches for records in the
DeleteLog table. If one or more records are found it indicates the presence of deleted records.
3. If one or more records exist in the DeleteLog table, create and run a SQL query that detects environments
where the record Id for a record found in the DeleteLog table matches the record Id for a record in an
EntityName table and the versionNumber in the deleteLog is greater than the versionNumber on the record
in the EntityName table. When a record Id match occurs, delete the record from the EntityName table. For
example, if a record Id in the AccountId column of the DeleteLog table matches a record Id in the AccountId
column of the AccountBase entity table and the versionNumber in the DeleteLog is greater than the
versionNumber in the Account table, delete the record from the AccountBase entity table.

IMPORTANT
Depending on your business needs and requirements, we recommend that you execute the SQL queries for record
deletion frequently, but during non-operational hours.
Example query for entity record deletion.

DELETE A
FROM [dbo].[prefix_account] A
WHERE id IN (SELECT CONVERT(uniqueidentifier, recordid) FROM [dbo].[prefix_DeleteLog] DL
             WHERE DL.entityname = 'account'
             AND DL.VersionNumber > A.VersionNumber)
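Steps 2 and 3 of the workaround as queries you can run before and during the cleanup. This is an added example, not part of the original documentation; the table and column names follow the page's example query, with prefix standing in for the Export Profile prefix.

```sql
-- Added example. Replace "prefix" with your Export Profile prefix.

-- Step 2: does the delete log hold any records, and for which entities?
SELECT DL.entityname, COUNT(*) AS deleted_records
FROM [dbo].[prefix_DeleteLog] AS DL
GROUP BY DL.entityname
ORDER BY deleted_records DESC;

-- Step 3, preview: account rows that were deleted at the source but are still
-- present (reinserted) in the destination. A row qualifies only when the
-- delete log entry is newer than the row, judged by VersionNumber.
SELECT A.id,
       A.VersionNumber       AS entity_version,
       MAX(DL.VersionNumber) AS delete_log_version
FROM [dbo].[prefix_account] AS A
JOIN [dbo].[prefix_DeleteLog] AS DL
  ON DL.entityname = 'account'
 AND CONVERT(uniqueidentifier, DL.recordid) = A.id
WHERE DL.VersionNumber > A.VersionNumber
GROUP BY A.id, A.VersionNumber
ORDER BY A.id;

-- Step 3, cleanup: same predicate as the preview. OUTPUT returns the ids that
-- were removed so the run can be logged and compared with the preview.
DELETE A
OUTPUT deleted.id, deleted.VersionNumber
FROM [dbo].[prefix_account] AS A
WHERE EXISTS (
    SELECT 1
    FROM [dbo].[prefix_DeleteLog] AS DL
    WHERE DL.entityname = 'account'
      AND CONVERT(uniqueidentifier, DL.recordid) = A.id
      AND DL.VersionNumber > A.VersionNumber
);
```

Repeat the preview and cleanup for each entity name returned by the first query, substituting the matching entity table.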

Entities that don't support data export


The entities listed here, although they support change tracking, aren't supported for data export using the Data
Export Service.

Entity | Table name | Workaround
Activity | ActivityPointerBase | Select the specific activity entities for export, such as Phone Call, Appointment, Email, and Task.

Unable to create a row greater than the allowable maximum row size (8K)
If your error logs show "Cannot create a row of size which is greater than the allowable maximum row size of
8060", you are exceeding the maximum allowable row size limit. The Data
Export Service does not support a row size greater than the maximum allowable row size of 8K. To mitigate this, you
need to ensure that you honor the row size limits.
Length of string in source is longer than destination schema for ColumnName
If your error logs show "String length in source longer than destination schema for [ColumnName,
MaxDataLength]", the string length of your source data is longer than the
destination allows, and writes to the destination will fail. To
mitigate this issue, either reduce the size of the data or manually increase the length of the column in the database
to greater than MaxLength.

Privacy notice
By using the Data Export Service, when you activate a data export profile from within Dynamics 365, the data of the
entities added to the profile is sent to Azure. The initial synchronization includes all the data associated with the
entities added to the export profile, but thereafter synchronization includes only new changes, which are
continuously sent to the Data Export Service. Data sent to the Data Export Service is stored temporarily in Azure
Service Bus and Azure Storage, processed in Azure Service Fabric, and finally synchronized (inserted, updated, or
deleted) to the destination database specified in your Azure subscription. After the data has been synchronized, it is
deleted from Azure Service Bus and Azure Storage. If there is a failure during data synchronization, minimal data
corresponding to entity type, record ID, and sync timestamp is stored in Azure Storage to allow for downloading a
list of records that were not updated.
An administrator can deactivate the data export profile at any time to stop data synchronization. In addition, an
administrator can delete the export profile to remove any failed record logs and can uninstall the Data Export
Service solution to stop using the Data Export Service.
Data synchronization happens continuously between Dynamics 365 and the Data Export Service in a secure
manner. Data is encrypted as it is continuously exchanged between Dynamics 365 and the Data Export Service.
Azure components and services that are involved with the Data Export Service are detailed in the following
sections.
Microsoft Azure Trust Center
Azure Service Fabric
This provides the API and compute Azure VMs to process record synchronize notifications received from Dynamics
365 and then process them to insert, update, or delete record data in the destination database. Micro-services that
are deployed on virtual machines managed by the Azure Service Fabric runtime handle all the compute services
related to data synchronization.
Azure Service Bus
This provides the message bus into which Dynamics 365 inserts the synchronization notification messages that are
processed by compute nodes in Azure Service Fabric. Each message stores information, such as the org id and
record, for which to sync data. Data in the Azure Service Bus is not encrypted at rest, but is only
accessible by the Data Export Service.
Azure Blob Storage
Data is temporarily stored in Azure Blob Storage in case the record sync notification’s data is too large to store in a
message or a transient failure is encountered to process the synchronization notification. These blobs are encrypted
by leveraging the latest feature in the Azure Storage SDK, which provides symmetric and asymmetric encryption
support and integration with Azure Key Vault.
Azure SQL
The Azure SQL Database stores data export profile configuration and data synchronization metrics.
See also
Entity relationships overview
AppSource: Data Export Service
Data Export Service
Team Blog: Introduction to Data Export Service
Move configuration data across environments and
organizations with the Configuration Migration tool
10/16/2020 • 4 minutes to read

The Configuration Migration tool enables you to move configuration data across environments and organizations.
Configuration data is used to define custom functionality in customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation), and is typically stored in custom entities. Configuration data is different from end
user data (account, contacts, and so on). A typical example of configuration data is what you define in Unified
Service Desk for Dynamics 365 to configure a customized call center agent application. The Unified Service Desk
entities, along with the configuration data that is stored in the entities, define an agent application. For more
information about Unified Service Desk, see Unified Service Desk Guide.
The Configuration Migration tool enables you to:
Select the entities and fields from where you want to export the configuration data.
Avoid duplicate records on the target system by defining a uniqueness condition for each entity based on a
combination of fields in the entity, which is used to compare against the values on the target system. If
there are no matching values, a unique record is created on the target system. If a matching record is
found, the record is updated on the target system.

NOTE
If no duplicate detection (uniqueness) condition is specified for an entity that is being exported, the tool uses the
primary field name of the entity to compare against the existing data on the target system.

Disable plug-ins before exporting data and then re-enable them on the target system after the import is
complete for all the entities or selected entities.
Validate the schema for the selected entities to be exported to ensure that all the required data/information
is present.
Reuse an existing schema to export data from a source system.
Automatically move DateTime fields forward at import for demo environments.
Embed the exported modules created from this tool (schema and data files) in other programs. For
example, you can use the exported data in Package Deployer along with other solution files and data to
create and deploy packages on an environment. More information: Deploy packages using Package
Deployer
For information on downloading the Configuration Migration tool, see Download tools from NuGet.

How does the Configuration Migration tool work?


The following diagram illustrates how the Configuration Migration tool is used for migrating configuration data.
Define the schema of the source data to be exported: The schema file (.xml) contains information
about the data that you want to export such as the entities, attributes, relationships, definition of uniqueness of
the data, and whether the plug-ins should be disabled before exporting the data. More information: Create a
schema to export configuration data

Use the schema to export data: Use the schema file to export the data into a .zip file that contains the
data and the schema of the exported data. More information: Create a schema to export configuration data

Import the exported data: Use the exported data (.zip file) to import into the target environment. The
data import is done in multiple passes to first import the foundation data while queuing up the dependent data,
and then import the dependent data in the subsequent passes to handle any data dependencies or linkages. This
ensures clean data import. More information: Import configuration data

Troubleshoot configuration data migration issues using log files


The Configuration Migration tool provides logging support to get detailed information about errors that can
occur while signing in to the environment using the tool, activities performed by the tool during the schema
definition and export/import of the configuration data, and information about the data that was imported using
the tool. There are three log files generated by the tool that are available at the following location on the
computer where you run the tool: c:\Users\<UserName>\AppData\Roaming\Microsoft\Microsoft Common Data
Service Configuration Migration Tool\<Version>.
Login_ErrorLog.log: Provides information about the issues that occurred when you use the tool to sign
in to the environment. If there are any issues during sign in, a message appears on the tool’s login screen
with a link to this log file. The message states that an error occurred while processing the login request and
the user can view the error log. You can click the link in the message to view this log file. The log file is
created the first time you encounter any sign-in issues in the tool. Thereafter, the log file is used to log
information about a sign-in issue, whenever it occurs.
DataMigrationUtility.log: Provides detailed information about each task performed in the tool during
the last run. You can view the log file from the tool by clicking the Logs menu on the main screen, and clicking
Running Log.
ImportDataDetail.log: Provides detailed information about the data imported in the last import job by
using the tool. Each time you run an import job using this tool, the existing details from the log file are
moved to a file called ImportDataDetail._old.log in the same directory, and the ImportDataDetail.log file
displays information about the latest import job run using the tool. You can view this log file from the tool
by clicking the Logs menu on the main screen, and then clicking Last Import Log.
Best practices for migrating your configuration data by using the tool
The following are things you should consider while using this tool to migrate your configuration data:
While creating the export data schema, you must define uniqueness rules appropriately for each entity to
avoid any unintentional data updates on the target system.
Import the exported data in a pre-production environment (preferably a mirror image of the production
environment) to ensure that the data import results are as you intended.
Back up your production environment before importing the data.
See also
Download tools from NuGet
Create a schema to export configuration data
Modify a configuration data schema
Import configuration data
Manage product catalog configuration
Create a schema to export configuration data
10/16/2020 • 5 minutes to read

The Configuration Migration tool lets you build a schema to describe your export data. It also enables you to check
for any missing dependencies and relationships in the entities or fields to be exported to avoid an inconsistent
data set.

Before you begin


Download the Configuration Migration Tool. The Configuration Migration tool is available as a NuGet package. To
download the tool, see Download tools from NuGet. Follow the steps on this page to extract the
DataMigrationUtility.exe tool.

Create a schema and export configuration data


1. Start the Configuration Migration tool. Double-click DataMigrationUtility.exe in the folder: [your
folder]\Tools\ConfigurationMigration\
2. On the main screen, click Create schema, and click Continue.
3. On the Login screen, provide authentication details to connect to your environment from where you want
to export data. If you have multiple organizations on the server, and want to select the organization from
where to export the data, select the Always display list of available orgs check box. Click Login.
4. If you have multiple organizations, and you selected the Always display list of available orgs check
box, the next screen lets you choose the organization that you want to connect to. Select an organization to
connect to.
5. From the Select the solution list, select a solution from where you want to export the data:
6. In the selected solution, you can select the entities and fields to be exported or export all the entities within
the solution.
a. To select the entities and fields to be exported, from the Select Entity list, select the entity for which
you want to export the data. The Fields for the entity list displays all the fields of the selected
entity.
   i. To add selected fields of the entity, click Add Fields.
   ii. To add the entity itself and all the fields, click Add Entity.
b. To export all the entities, click Add All next to the Select Entity list.
7. You can select the Show the relationships of the selected entity to view the related entities for the
selected entity so that you can export them as well.
8. The selected entities are displayed in the Selected Fields and Entities box.
If you want to remove an entity, field, or relationship, click to select it, right-click, and then select the
remove option.
If you want to remove all the items in the Selected Fields and Entities and start over, click Clear
Selection.
9. To validate the selected data to be exported, click Tools > Validate Schema.

10. A message is displayed if there are any missing dependencies. To close the message, click OK.
11. Add the missing entities, and then perform step 9 again to validate the data. A confirmation message is
displayed if there are no validation errors.

TIP
If the missing entity is not in the solution you selected for export, you can add the entity from the Default
Solution by selecting it from the Select the solution list.

12. Define the uniqueness condition for your data to be exported. To open a new screen, click Tools >
Configure Import Settings. For each entity that you have selected to export, add the field or fields on
which you want the records to be compared with existing records on the target system during the import.
Select a field, and click Add Field.
13. To disable plug-ins for all the entities before the data is imported on to the target system, select the
Disable plug-ins on all entities for import check box. The tool will disable all the plug-ins while
importing data on to the target server, and re-enable them after the import process.
14. To save the settings and return to the main screen, click Save.

NOTE
If you want to undo any changes in the Configure Import Settings dialog box, you must manually revert those
changes in this dialog box, and then click Save to save your changes, and close the dialog box.

15. In the main screen:


a. Click File > Save Schema to just save the schema without exporting the data. You are prompted to
specify the name and location of the schema file (.xml) to save. You can use the schema later to
export the data. You can exit the tool now.
b. Click Export Data to export the data and schema file. You are prompted to specify the name and
location of the schema file to be exported. Specify the name and location, and click Save. Go to the
next step.
c. Click Save and Export to choose whether to export the data after saving the schema file or not. You
are prompted to specify the name and location of the schema file to be exported. Specify the name
and location, and click Save. You are prompted to save the data file: click Yes to export it or No to
export it later. If you clicked Yes, go to the next step.
16. On the next screen, specify the location of the data file to be exported in the Save to data file box, and
then click Export Data. The screen displays the export progress status and the location of the exported file
at the bottom of the screen once the export is complete.
17. Click Exit to close the tool.

Reuse an existing schema to export configuration data


You can reuse a schema file that was generated using the Configuration Migration tool to quickly export data
across environments without having to create the schema all over again.
1. Start the Configuration Migration tool.
2. On the main screen, click Export data, and click Continue.
3. On the Login screen, provide authentication details to connect to your environment from where you want
to export data. If you have multiple organizations on the server, and want to select the organization from
where to export the data, select the Always display list of available orgs check box. Click Login.
4. If you have multiple organizations, and you selected the Always display list of available orgs check
box, the next screen lets you choose the organization that you want to connect to. Select an organization to
connect to.
5. On the next screen, select the schema file to be used for the data export.
6. Specify the name and location of the data file to be exported.
7. Click Export Data. The screen displays the export progress status and the location of the exported file at
the bottom of the screen once the export is complete.
8. Click Exit to close the tool.
See also
Download tools from NuGet
Modify a schema
Manage your configuration data
Import configuration data
Configure date settings for demo data
10/16/2020 • 2 minutes to read

Use the information below to automatically keep your demo environment data current.
Before you begin
Download the Configuration Migration Tool. The Configuration Migration tool is available as a NuGet package. To
download the tool, see Download tools from NuGet. Follow the steps on this page to extract the
DataMigrationUtility.exe tool.
You can set the values of datetime fields to automatically move forward by a specified duration. This allows you to
keep your demo data recent without the need to make manual updates. It will also work when using Configuration
Migration Utility files with the Package Deployer tool.

NOTE
This option is to keep data recent in your demo environments. It is not intended for production use.

1. Start the Configuration Migration tool. Double-click DataMigrationUtility.exe in the folder: [your
folder]\Tools\ConfigurationMigration\
2. On the main screen, click Create schema, and click Continue.
3. On the Login screen, provide authentication details to connect to your environment from where you want to
export data. If you have multiple organizations and want to select the organization from where to export the
data, select the Always display list of available orgs check box. Click Login.
4. If you have multiple organizations, and you selected the Always display list of available orgs check box,
the next screen lets you choose the organization that you want to connect to. Select an organization to
connect to.
5. On the next screen, select the schema file to be used for the data export or build a new schema.
6. Click Tools, and then click Configure Date Settings.
7. Choose the default date mode and select an entity to apply the settings to.
Select Absolute. Dates are not modified during import if you do not want dates to move forward
by default.

NOTE
You can still select individual fields to move forward at import. In the below example, only fields marked as Relative
will be automatically moved.
Alternatively, select Relative. Dates are renewed during import if you want all date values to
auto-move by default.

NOTE
This option will set dates to auto-move for all datetime fields on all entities. You may change this at the field level by
selecting Absolute.
8. Verify your selections for all fields on all entities in your schema.
9. Click Save and Export.
10. Specify the name and location of the data file to be exported.
11. Click Yes on the prompt: The schema save is complete. Would you like to export the data?
12. Specify the name and location of the data file to be exported.
13. Click Export Data. The screen displays the export progress status and the location of the exported
file at the bottom of the screen once the export is complete.
14. Click Exit to close the tool.

NOTE
Date values will be moved forward in one-week increments at the time of import. The amount moved is based on the
date/time of export and the date/time of import. The timestamp attribute in the header of the data.xml file contains the date
and time of export.
Formula: Imported date = exported date + (date of data import – date of data export)
Example: To move dates forward by 3 months, and import the data on 10/1/2017: change the timestamp in the data.xml
file to 7/1/2017.

See also
Download tools from NuGet
Modify a schema
Manage your configuration data
Import configuration data
Modify a configuration data schema
10/16/2020 • 2 minutes to read

You can modify an existing schema file to include information about new configuration data or to update the
existing configuration data definition to enhance the configuration data export process.

Before you begin


Download the Configuration Migration Tool. The Configuration Migration tool is available as a NuGet package. To
download the tool, see Download tools from NuGet. Follow the steps on this page to extract the
DataMigrationUtility.exe tool.
You must have a schema file that was created using the Configuration Migration tool. More information: Create
a schema to export configuration data

Modify a schema file


1. Start the Configuration Migration tool. Double-select DataMigrationUtility.exe in the folder: [your
folder]\Tools\ConfigurationMigration\
2. On the main screen, select Create schema, and select Continue.
3. On the Login screen, provide authentication details to connect to your environment for which you
originally created the export data schema file. If you have multiple organizations on the server, and want to
select an organization, select the Always display list of available orgs check box. Select Login.
4. If you have multiple organizations, and you selected the Always display list of available orgs check box,
the next screen lets you choose the organization that you want to connect to. Select an organization to
connect to.
5. On the main screen, select File > Load Schema.
6. Navigate to the schema file that you want to edit, select it, and select Open.
7. The schema file definition appears in the Configuration Migration tool. Make the required changes to the
schema definition file. For information about defining a schema file, see steps 5-14 in Create a schema to
export configuration data.
8. Save the updated schema file.
9. Select Exit to close the tool.
See also
Import configuration data
Create a schema to export configuration data
Manage your configuration data
Import configuration data
10/16/2020 • 2 minutes to read

After exporting your configuration data from the source environment, you are now ready to import it to the target
environment.

Before you begin


Download the Configuration Migration Tool. The Configuration Migration tool is available as a NuGet package. To
download the tool, see Download tools from NuGet. Follow the steps on this page to extract the
DataMigrationUtility.exe tool.

Import configuration data


1. Start the Configuration Migration tool. Double-click DataMigrationUtility.exe in the folder: [your
folder]\Tools\ConfigurationMigration\
2. On the main screen, click Import data, and click Continue.
3. On the Login screen, provide authentication details to connect to your environment from where you want
to import data. If you have multiple organizations on the Dynamics 365 server, and want to select the
organization where to import the configuration data, select the Always display list of available orgs
check box. Click Login.
4. If you have multiple organizations, and you selected the Always display list of available orgs check
box, the next screen lets you choose the organization that you want to connect to. Select an organization to
connect to.
5. Provide the data file (.zip) to be imported. Browse to the data file, and select it. Click Import Data.
6. This step is applicable only if the data that you are importing contains the user information of
the source system. Enter mapping user information on the target system. You can either map all of them
to the user who is running the import process or map to individual users by using a user map file (.xml). If
you choose the latter, you will have to either specify an existing user map file or the tool can generate it for
you. If you generate a new file, fill in the mapping user name in the New parameter for every user on the
source server. Select the user map file in the tool when you are done, and click OK.
The next screen displays the import status of your records. The data import is done in multiple passes to
first import the foundation data while queuing up the dependent data, and then import the dependent data
in the subsequent passes to handle any data dependencies or linkages. This ensures clean and consistent
data import.
7. Click Finish to close the tool.
See also
Manage your configuration data using the Configuration Migration tool
Deploy packages using Package Deployer and
Windows PowerShell
10/16/2020 • 12 minutes to read

Microsoft Dynamics CRM Package Deployer enables administrators to deploy packages to a Common Data Service
environment.

NOTE
Package deployer also works with Dynamics 365 Customer Engagement (on-premises) organizations.

A “package” can consist of any or all of the following:


One or more Common Data Service solution files.
Flat files or exported data files from the Configuration Migration tool. For information about the
Configuration Migration tool, see Manage your configuration data.
Custom code that can run during or after the package is deployed to Common Data Service environment.
HTML content specific to the package that can display at the beginning and end of the package deployment
process. This can be useful to provide a description of the solutions and files that are deployed in the
package.
Developers create packages by using the package deployment template in Visual Studio. More information:
Create packages for Package Deployer
After a package is created, you can deploy it either by running CRM Package Deployer or by using Windows
PowerShell cmdlets for the tool.

IMPORTANT
Before you import and run a package in a production organization, test the package on a non-production mirror image of
the production organization.
Always back up the production organization before you deploy a package.

Deploying packages using the Package Deployer tool


You can use the Package Deployer tool (packagedeployer.exe) to deploy packages in the following ways.
Use CRM Package Deployer tool to deploy packages
Use CRM Package Deployer tool at the command line

Use Package Deployer tool to deploy packages


The Package Deployer tool can only process one package at a time. However, it provides users with the ability to
select a package to deploy from multiple packages available in the Package Deployer tool directory. Some of the
screens and actions in the tool differ based on the package definition. You do not have to install the Package
Deployer tool. Just download and run it.
1. Obtain the package to be deployed. A package is a collection of files and folders that is created in your Visual
Studio project folder (<Project>\Bin\Debug) when you build your package project in Visual Studio. Copy the
following from your project debug folder:
<PackageName> folder : This folder contains the solutions, import configuration, and the contents
for your package.
<PackageName>.dll : The assembly contains the code for your package. By default, the name of the
assembly is the same as your Visual Studio project name.
For detailed information about creating a package by using Visual Studio, see Create a package for
the Package Deployer tool.
For this topic, let us assume that the package folder and assembly from the Visual Studio project
debug folder (<Project>\Bin\Debug) are copied to the c:\DeployPackage folder.
2. Obtain the Package Deployer tool. The Package Deployer tool is available as a NuGet package. To use the
Package Deployer, you must download and extract it to your local computer using nuget.exe.

Download nuget.exe from https://www.nuget.org/downloads, and save it to your computer, say d:\. Then
run the following command at the command prompt to extract the package contents to a folder, say PD, on
your computer:
d:\nuget install Microsoft.CrmSdk.XrmTooling.PackageDeployment.Wpf -Version [VERSION] -O d:\PD

After you have extracted the Package Deployer tool, browse to the [ExtractedLocation]\tools folder to find
the PackageDeployer.exe file.
3. Copy the package folder and assembly from the c:\DeployPackage to the [ExtractedLocation]\tools folder.
4. After the files are copied, run the tool by double-clicking the PackageDeployer.exe file in the
[ExtractedLocation]\tools folder.

5. Click Continue on the main screen of the tool.


6. In the Connect to Microsoft Dynamics 365 for Customer Engagement screen, provide authentication
details to connect to your Dynamics 365 server where you want to deploy the package. If you have multiple
organizations, and want to select the organization where you want to deploy the package, select the Always
display list of available orgs check box. Click Login.
7. If you have multiple organizations on your Dynamics 365 server, select a Dynamics 365 apps organization to
connect to.
8. Select the package to be deployed, and click Next.
9. Follow the instructions on the subsequent screens to complete the deployment of your package.
The screens appear based on the definition of the package that you selected for deployment. For an end-to-
end package deployment that uses the Package Deployer tool, see the topic for the deployment of Unified
Service Desk packages: Deploy sample Unified Service Desk applications to CRM Server using Package
Deployer

Use Package Deployer tool at the command line


System administrators and customizers can pass parameters, such as a regional language code, to
packagedeployer.exe from the command line. These parameters may only be configured by running Package
Deployer tool at the command line.

NOTE
This feature was first introduced in Dynamics CRM Online 2016 Update 0.1.

Available parameters are in this table.

| PARAMETER | DESCRIPTION | DEFAULT VALUE |
|---|---|---|
| RuntimePackageSettings | Instructs packagedeployer.exe to accept command line parameters such as LCID and SkipChecks. | Not applicable |
| LCID=localeID | Specifies the locale ID, such as 1033 for English-United States or 1036 for French-France, from the available locale IDs in the package. If not specified, the default language will be used. | Use the default language |
| SkipChecks=true/false | Use this parameter only when the target environment does not contain any other solutions or customizations. When set to true, solution import will bypass some safety checks, which can improve performance of the import. | False |

The following example instructs CRM Package Deployer to bypass some safety checks and sets the language to
import as Polish.

packagedeployer.exe /Settings:"SkipChecks=true|lcid=1045"

NOTE
Use the pipe character | to separate parameters when you run packagedeployer.exe at the command line with multiple
parameters.

For more information about the parameters and values that can be passed to packagedeployer.exe, see Create
packages for the CRM Package Deployer.

Use Windows PowerShell to deploy packages


The Package Deployer tool also provides Windows PowerShell support to deploy packages.
Perform the following steps to use the PowerShell cmdlets to deploy packages:
Prerequisites
Import the Package Deployer PowerShell module
Use the cmdlet to retrieve packages
Use the cmdlet to connect to your Dynamics 365 Server
Use the cmdlet to deploy packages
Get detailed help on cmdlets
Prerequisites
Here are the prerequisites for using the PowerShell cmdlets:
PowerShell 3.0 or later is required to deploy a package by using PowerShell. To check your PowerShell
version, run a PowerShell window, and then run the following command: $Host
Set the execution policy to run the signed PowerShell scripts. To do so, run a PowerShell window as an
administrator, and then run the following command: Set-ExecutionPolicy -ExecutionPolicy AllSigned
Import the Package Deployer PowerShell module
You must import the Windows PowerShell module for the Package Deployer tool before you can use it. To import:
1. Obtain the PowerShell files for the Package Deployer. The PowerShell files for the Package Deployer tool are
available as a NuGet package. To use them, you must download and extract it to your local computer using
nuget.exe.

Download nuget.exe from https://www.nuget.org/downloads, and save it to your computer, say d:\. Then
run the following command at the command prompt to extract the package contents to a folder, say
PD-PowerShell, on your computer:
d:\nuget install Microsoft.CrmSdk.XrmTooling.PackageDeployment.PowerShell -Version [VERSION] -O d:\PD-PowerShell

After you have extracted the PowerShell files for the Package Deployer tool, browse to the
[ExtractedLocation]\tools folder to find the required files.

2. Start Windows PowerShell on your computer with elevated privileges (run as administrator).
3. At the prompt in the Windows PowerShell window, change your directory to the folder where you extracted
the files. In this case:

cd [ExtractedLocation]\tools\

4. Run the RegisterXRMPackageDeployment.ps1 script available at the [ExtractedLocation]\tools folder by
running the following command:

.\RegisterXRMPackageDeployment.ps1

You are now ready to use the Windows PowerShell cmdlets. To list the cmdlets that you registered, run the
following command at the prompt in the Windows PowerShell window:

Get-Help "Crm"
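
Because the registration script and the tool's assemblies are loaded into an elevated session, it is worth confirming their Authenticode signatures before step 4. The following is an added example, not part of the original documentation or the Package Deployer tooling; the function names Test-ToolSignatures and Assert-RegistrationScriptTrusted and the $ToolsPath variable are assumptions made for illustration.

```powershell
# Added example (not from the Package Deployer documentation or tooling).
# Paste the functions into the elevated session: under AllSigned an unsigned
# script FILE will not run. Works on PowerShell 3.0 or later.

function Test-ToolSignatures {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $root = (Resolve-Path -LiteralPath $Path).Path.TrimEnd('\')

    # Everything PowerShell or the tool could load from this folder.
    $extensions = '.ps1', '.psm1', '.psd1', '.ps1xml', '.dll', '.exe'
    $files = Get-ChildItem -LiteralPath $root -Recurse -File |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() }

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = $null
        $thumbprint = $null
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            $thumbprint = $sig.SignerCertificate.Thumbprint
        }
        [pscustomobject]@{
            File       = $file.FullName.Substring($root.Length + 1)
            Status     = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $signer
            Thumbprint = $thumbprint
        }
    }
}

function Assert-RegistrationScriptTrusted {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $results = @(Test-ToolSignatures -Path $Path)

    # The registration script must exist exactly once, at the top of the folder.
    $register = @($results | Where-Object { $_.File -eq 'RegisterXRMPackageDeployment.ps1' })
    if ($register.Count -ne 1) {
        throw "Expected exactly one RegisterXRMPackageDeployment.ps1 directly under $Path"
    }
    if ($register[0].Status -ne 'Valid') {
        throw "RegisterXRMPackageDeployment.ps1 signature status is $($register[0].Status); do not run it."
    }

    # A signed file whose content no longer matches its signature was modified after signing.
    $tampered = @($results | Where-Object { $_.Status -eq 'HashMismatch' })
    if ($tampered.Count -gt 0) {
        throw "Modified after signing: $(($tampered | ForEach-Object { $_.File }) -join ', ')"
    }

    # Package assemblies you built yourself and copied into this folder will
    # normally show NotSigned; they are listed so you can review them separately.
    foreach ($item in @($results | Where-Object { $_.Status -ne 'Valid' })) {
        Write-Warning "$($item.File): $($item.Status)"
    }

    return $results
}

# Assumption: $ToolsPath is the [ExtractedLocation]\tools folder; replace the placeholder.
$ToolsPath = '[ExtractedLocation]\tools'
$report = Assert-RegistrationScriptTrusted -Path $ToolsPath

# Summarize who signed what, so an unexpected signer stands out.
$report | Group-Object Signer | Select-Object Count, Name | Format-Table -AutoSize
```

Run it before copying your own package into the folder if you want a report that covers only the downloaded files.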

Use the cmdlet to retrieve packages


Before you can use the cmdlet, ensure that you have copied your package to the PackageDeployer folder (in this
case, [ExtractedLocation]\tools ). A package is a collection of files and folders that is created in your Visual Studio
project folder (<Project>\Bin\Debug) when you build your project in Visual Studio. Copy the entire contents of your
project debug folder to the PackageDeployer folder. For detailed information about building a package using
Visual Studio, see Create packages for the CRM Package Deployer.
1. In the PowerShell window, use the following cmdlet to return a list of packages available for import in the
specified folder (in this case, c:\CRM\SDK\Tools\PackageDeployer):

Get-CrmPackages -PackageDirectory [ExtractedLocation]\tools

2. If you want information about a package in a folder, you can use the Get-CrmPackages cmdlet along with
the -PackageName parameter to specify the name of the assembly in the folder that contains the package
definition.

Get-CrmPackages -PackageDirectory [ExtractedLocation]\tools -PackageName SampleCRMPackage.dll

3. The package assembly location can be stored in a variable by using the Get-CrmPackages cmdlet. Then it
may be reused in the Import-CrmPackage cmdlet to specify a value for the PackageDirectory parameter. For
example, you can store the information of one or more packages returned from the Get-CrmPackages
cmdlet in a variable called $MyPackages.

$MyPackages = Get-CrmPackages -PackageDirectory [ExtractedLocation]\tools

To display all the packages.


$MyPackages

To display only the third package.

$MyPackages[2].PackageAssemblyLocation

Then, you can reference each package in the array from 0 through n. For example, this cmdlet imports the
first package found in $MyPackages.

Import-CrmPackage -CrmConnection $CRMConn -PackageDirectory $MyPackages[0].PackageAssemblyLocation

Use the cmdlet to connect to your Dynamics 365 for Customer Engagement instance
1. Provide your credentials to connect to your Dynamics 365 apps or Dynamics 365 for Customer Engagement
apps (on-premises) instance. Running the following command will prompt you to type your user name and
password to connect to the Dynamics 365 instance, and we will store it in the $Cred variable, and use it later
for connecting to your Dynamics 365 Server.

$Cred = Get-Credential

2. Use the following command to get a connection to your Dynamics 365 apps or Dynamics 365 for Customer
Engagement apps (on-premises) instance. We will store the connection information in the $CRMConn
variable:
If you are connecting to the Dynamics 365 for Customer Engagement apps (on-premises) instance:

$CRMConn = Get-CrmConnection -ServerUrl https://<your_CRM_Server> -OrganizationName <your_Org_Name> -Credential $Cred

If you are connecting to the Dynamics 365 server:

$CRMConn = Get-CrmConnection -DeploymentRegion NorthAmerica -OnlineType Office365 -OrganizationName <your_Org_Name> -Credential $Cred

NOTE
For the DeploymentRegion parameter, valid values are NorthAmerica, EMEA, APAC, SouthAmerica,
Oceania, JPN, and NorthAmerica2. For the OnlineType parameter, valid values are Office365 and
LiveID.

3. Your supplied credentials are validated when you run the command in step 2.
Use the cmdlet to deploy packages
Next, use the Dynamics 365 apps connection information stored in the $CRMConn variable to deploy packages to
the Dynamics 365 instance. The following command deploys a package, disassembles the package in the
c:\UnpackedFiles folder, and records information to a log file in the c:\MyLogFiles folder.

Import-CrmPackage -CrmConnection $CRMConn -PackageDirectory c:\CRM\SDK\Tools\PackageDeployer -PackageName SampleCRMPackage.dll -UnpackFilesDirectory c:\UnpackedFiles -LogWriteDirectory C:\MyLogFiles -Verbose

NOTE
CrmConnection, PackageDirectory, and PackageName parameters are mandatory.
Instead of manually specifying the package folder, you can use a variable with the PackageDirectory parameter. More
information: Use the cmdlet to retrieve packages
For the PackageName parameter, you have to specify the name of the assembly that contains the package definition.
You do not need to specify the UnpackFilesDirectory parameter if your package does not unpack files during
package deployment. While defining a package in Visual Studio, you specify whether to unpack files using the
agentdesktopzipfile parameter in the ImportConfig.xml file. More information: Create packages for the CRM
Package Deployer
The Verbose parameter is optional, and is used to display a detailed log of the activities performed during the
package deployment process.
The optional RuntimePackageSettings parameter can be used together with the following parameters:
The LCID=localeID parameter specifies the locale ID, such as 1033 for English-United States or 1036 for French-
France, from the available locale IDs in the package. If not specified, the default language will be used.
The SkipChecks=true/false parameter should only be used when the target environment does not contain any
other solutions or customizations. When set to true, solution import will bypass some safety checks, which can
improve import performance.
The folder that you specify when you use the LogWriteDirectory parameter must already exist, and the user who is
running the Import-CrmPackage cmdlet must have write permission to the folder. Additionally, the -Verbose
parameter is required when you use the LogWriteDirectory parameter.
The LogWriteDirectory parameter was first introduced with Dynamics 365 (online), version 9.0. More information:
Dynamics 365 for Customer Engagement apps Developer Guide

The following example command imports a package named SampleCRMPackage and specifies English-United
States (1033) as the language to import the package.

Import-CrmPackage -CrmConnection $CRMConn -PackageDirectory c:\CRM\SDK\Tools\PackageDeployer -PackageName SampleCRMPackage.dll -UnpackFilesDirectory c:\UnpackedFiles -RuntimePackageSettings LCID=1033

Get detailed help on cmdlets


In the PowerShell window, use the Get-Help cmdlet with a cmdlet name to view detailed help for that cmdlet. For
example, to get detailed help for the Import-CrmPackage cmdlet:

Get-Help Import-CrmPackage -full

To view the online help for the cmdlets, see Dynamics 365 for Customer Engagement apps PowerShell Reference.

Troubleshoot package deployment issues by using log files


The Package Deployer tool provides logging support to get detailed information about errors that can occur when
someone signs in to the Microsoft Dynamics 365 for Customer Engagement instance using the tool and deploys
packages. By default, the tool generates three log files that are available at the following location on the computer
where you run the tool: c:\Users\<UserName>\AppData\Roaming\Microsoft\Microsoft Dynamics CRM Package
Deployer\<Version>. To specify a different folder, use the -LogWriteDirectory PowerShell cmdlet parameter. More
information: Use the cmdlet to retrieve packages
Login_ErrorLog.log: Provides information about the issues that occurred when you use the tool to sign in to
the Dynamics 365 instance. If there are any issues during sign in, a message appears on the tool’s login
screen with a link to this log file. The message states that an error occurred while processing the login
request and the user can view the error log. You can click the link in the message to view this log file. The log
file is created the first time you encounter any sign-in issues in the tool. Thereafter, the log file is used to log
information about a sign-in issue, whenever it occurs.
PackageDeployer.log: Provides detailed information about each task performed in the tool during the
deployment of the packages. You can view the log file from the tool by clicking the View Log File link at the
bottom of the screen.
ComplexImportDetail.log: Provides detailed information about the data imported in the last deployment by
using the tool. Each time you deploy a package using this tool, the existing details from the log file are
moved to a file called ComplexImportDetail._old.log in the same directory, and the ComplexImportDetail.log
file displays information about the latest import done using the tool.

Best practices for deploying packages


While deploying packages, Dynamics 365 administrators must:
Insist on a signed package assembly so that they can track an assembly back to its source.
Test the package on a pre-production instance (preferably a mirror image of the Production instance) before
running it on a production server.
Back up the Production instance before deploying a package.
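
A pre-flight wrapper for the signed-assembly practice and the LogWriteDirectory requirements described above, as an added example that is not part of the original documentation. It assumes "signed" is checked as an Authenticode signature; the function name, the -ExpectedThumbprint parameter and the package-provenance.json file name are hypothetical.

```powershell
# Added example, not code from the Package Deployer documentation.
# Assumption: the package assembly carries an Authenticode signature.
# Invoke-VerifiedCrmPackageImport, -ExpectedThumbprint and
# package-provenance.json are hypothetical names chosen for this sketch.
function Invoke-VerifiedCrmPackageImport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $CrmConnection,
        [Parameter(Mandatory)] [string] $PackageDirectory,
        [Parameter(Mandatory)] [string] $PackageName,
        [Parameter(Mandatory)] [string] $LogWriteDirectory,
        # Optional: thumbprint of the publisher certificate you expect.
        [string] $ExpectedThumbprint
    )

    # 1. The assembly named by -PackageName must exist in -PackageDirectory.
    $assembly = Join-Path -Path $PackageDirectory -ChildPath $PackageName
    if (-not (Test-Path -LiteralPath $assembly -PathType Leaf)) {
        throw "Package assembly not found: $assembly"
    }

    # 2. Refuse unsigned, tampered or untrusted assemblies.
    $sig = Get-AuthenticodeSignature -LiteralPath $assembly
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $assembly (status: $($sig.Status))"
    }
    if ($ExpectedThumbprint -and
        $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 3. The log folder must already exist and be writable by the current user.
    if (-not (Test-Path -LiteralPath $LogWriteDirectory -PathType Container)) {
        throw "Log folder does not exist: $LogWriteDirectory"
    }
    $logDir = (Resolve-Path -LiteralPath $LogWriteDirectory).ProviderPath
    $probe  = Join-Path $logDir ("write-test-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe
    } catch {
        throw "No write permission on log folder: $logDir"
    }

    # 4. Record what was deployed so the assembly can be traced to its source.
    $record = [pscustomobject]@{
        Assembly   = $assembly
        Sha256     = (Get-FileHash -LiteralPath $assembly -Algorithm SHA256).Hash
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        CheckedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
    $record | ConvertTo-Json |
        Set-Content -LiteralPath (Join-Path $logDir 'package-provenance.json')

    # 5. Deploy. -Verbose is required whenever -LogWriteDirectory is used.
    Import-CrmPackage -CrmConnection $CrmConnection `
        -PackageDirectory $PackageDirectory `
        -PackageName $PackageName `
        -LogWriteDirectory $logDir -Verbose

    $record
}

# Usage with the values from this topic ($CRMConn comes from Get-CrmConnection):
# Invoke-VerifiedCrmPackageImport -CrmConnection $CRMConn `
#     -PackageDirectory c:\CRM\SDK\Tools\PackageDeployer `
#     -PackageName SampleCRMPackage.dll -LogWriteDirectory C:\MyLogFiles
```

Run it against the pre-production instance first; the provenance record written in step 4 then gives you the hash to compare when the same assembly is promoted to production.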
See also
Create packages for the CRM Package Deployer
Create templates for articles
10/16/2020 • 2 minutes to read

Article templates help you create new articles for your organization's knowledge base library. You can also create
templates with boilerplate text to help article writers use consistent language and messaging.

NOTE
This experience is applicable only to legacy Articles entity and not the new Knowledge Article entity.

1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Service Management.
3. Select Article Templates.
4. To create a new article template, select New.
5. In the Article Template Properties dialog box, type the new article title, select the language, and then
select OK.
6. To add a section, in the Common Tasks area, select Add a Section, and specify the following:
a. In the Title box, type a title.
b. In the Instructions box, type a description of the information that users should provide in this
section when they use this template.
When a user creates a new article with this template, these instructions appear in the body text for
this section, and disappear when the user starts typing.
7. To reposition a section in the template, select the section you want to reposition, and in the Common
Tasks area, select the green arrows to move the section to the position you want.
When you select a section, its border turns green and the border lines become solid.
8. To remove the section, select the section you want to remove, and in the Common Tasks area, select
Remove a Section.
9. To edit a section, select the section you want to edit, and in the Common Tasks area, select Section
Properties. Edit the title and description.
10. To format the text, font, and color of the article title, headings, and body text of each section, use the tools on
the Modify toolbar.
11. When you're done, select Save or Save and close.
After you save the template, it is immediately available for use. If the template is not complete and you want
to finish it later, you can save the template, deactivate it (make it read-only), and then complete it later.
When the template is complete, you can reactivate it.

NOTE
If you need to back up your templates, or export them for use in a different implementation, you can export them as part of
exporting customizations. More information: Export your customizations as a solution.

See also
eBook: Use KB articles to help your customers
Create templates for email
10/16/2020 • 3 minutes to read

Save time when creating multiple email messages by making email templates. Email templates contain prefilled
data that you specify, so you don't have to re-enter the same information for each article.
An email template is attached to an email activity after the activity is created. Typically, each type of email activity
has its own email template type; for example, an email activity created from a case record would use a case email
template. You can also create global templates that are available for any record type, or personal templates
available only to you, or organizational templates available to anyone in your organization.
1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Templates > Email templates.
4. On the Actions toolbar, select New.
5. In the Email Template Type dialog box, in the Template Type list, select the type, and then select OK.

IMPORTANT
If you select a specific record type, such as lead or opportunity, the template is available only for that record type.
This cannot be changed. To use the same content for another record type, create a new template.

6. On the Email Templates form, enter a Title and a Subject.


7. You can type a description of the template. This is not displayed to the recipient.
8. Type the text you want to send in this message. Use the Formatting toolbar to edit the text.
TIP
Although you cannot insert images or HTML directly into email messages or email templates, you can use the
copy feature in Internet Explorer to copy an image from a website and paste it into the email message or
email template. The image is available as long as the website is accessible.
To include a hyperlink in an email template, type the URL including the http://, for example,
http://contoso.com. Do not include a period or comma or a space after the URL or the link will break. Select
the link text and select Make this a Hyperlink.
A link is automatically added to the URL and the text is underlined and changed to blue.
To include data fields in a hyperlink:
a. Select the link text and data fields. For example: http://contoso.com/q?{!User : City;}

b. Select Make this a Hyperlink.


The text and data fields will be converted to a hyperlink. For example: <a
href="https://contoso.com/q?{!User : City;}">http://contoso.com/q?{!User : City;}</a>.
The hyperlink text will appear as a link when the template is used in an email.
There is no spell check built into customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation). There might be third-party solutions available. For more information, visit Microsoft Dynamics
Solution Finder.
The Formatting toolbar has limited fonts and font sizes. However, you can copy and paste content from Office
Word. This allows you to take advantage of features such as spell checking and some advanced text
formatting. To single-space a line of text, at the end of the line press Shift+Enter.

9. To insert data fields to display information such as a customer's name or data from a quote, from a
customer engagement apps record, select Insert/Update, and then in the Data Field Values dialog box,
select Add.
10. In the Add Data Value dialog box, select the Record type and Field, and then select OK.
11. Select OK again to insert the data.
12. To enter customers' first and last names, you'll need to repeat these three data-insertion steps; first and last
names are separate data values.

TIP
Use the Default Text box to define what text is displayed if the record does not have data for the field.

13. Select Save or Save and Close.

NOTE
To change a shared template to a personal one or a personal template to a shared one, on the template form, on the
Actions menu, select Revert to Personal Template, or select Make Template Available to Organization.
If you use an email template as a signature in another template, insert the signature template first. Otherwise, the Subject
line will be overwritten.
If you need to back up your templates, or export them for use in a different implementation, you can export them as part
of exporting customizations. More information: Export your customizations as a solution.
See also
Work with mail merge templates
10/16/2020 • 2 minutes to read

You can use mail merge templates with Office Word to create customer-ready letters, faxes, e-mail messages, and
quotes.
Word templates are created and edited in Word, but can be uploaded to customer engagement apps (Dynamics
365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics
365 Project Service Automation), to use with mail merge and share with other users. Only Word .xml documents
can be used as templates. To learn more about how to create mail merge templates, see the online Help in Word.
1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the Power Platform admin center, select an environment.
3. Select Settings > Templates > Mail merge templates.
4. To create a new mail merge template, select New.
5. In the Mail Merge Templates form, enter a Name and an Associated Entity (record type).
6. You can enter a description of the template. This is not displayed to the recipient.
7. Select Save.
8. Select Data Fields, select the columns to add as fields in your email, and then select OK.
9. Select Save, and then select Create Template in Word.
10. Select Add-ins, and then select CRM.
11. Proceed through the Mail Merge process and save the template.
12. Return to the Mail Merge Template page, and then select Choose File.
13. Select the newly created mail merge document, select Open, and then select Attach.
14. Select Save and Close.

NOTE
To change a personal template to a shared one, after you save the record on the template form, on the More Actions
menu, select Make Available to Organization. To revert the template to a personal one, select Make Personal.

Use a mail merge template


After creating a mail merge template, follow these steps to use it.
1. In the Power Platform admin center, select an environment and open it.
2. Select Advanced Find and select the customers to send an email.
3. Select Mail Merge, choose the Personal mail merge template, and then select Download.
4. Open the downloaded file in Microsoft Word and go through the steps.
Analyze and share your data with Excel templates
10/16/2020 • 10 minutes to read

Excel provides powerful ways to analyze and present your data. With Excel templates, you can easily create and
share your customized analysis with others in your organization.
Use Excel templates for:
Sales Forecasting
Pipeline Management
Leads Scoring
Territory Planning
And much more…
You can try out the Excel templates included with customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation), to get a quick view of what kind of analysis is possible.

TIP
Check out the following video: Create documents directly from Dynamics CRM by using Word and Excel templates (2:38)

Create a new Excel template


Following are the steps for creating an Excel template.
Step 1: Create a new template from existing data
There are two places where you can create an Excel template:
From the Settings page. Go to Settings > Templates > Document Templates > New. You must
have sufficient permissions to access the Settings page, such as System Administrator or System
Customizer.
From a list of records. For example, go to Sales > Opportunities > My Open Opportunities. On the
menu bar, click Excel Templates > Create Excel Template.

The Create template page appears.

Select the data to include in the template


1. Click Excel Template.
2. Select an entity (record type) to include that entity's data. The views you can select in the next field depend
on the entity you select.
3. Select a view.
4. Click Edit Columns to add, remove, and adjust properties for the columns to include in the template.
5. Click Download File to create the template file.

WARNING
You can also download a template containing no data except for the columns associated with the record type (entity) using
Settings > Data Management > Templates for Data Import. For more information, see: Download a template for data
import.

IMPORTANT
A document template downloaded from one environment can only be used within that environment. Environment-to-
environment migration for Word or Excel templates isn't currently supported.
During the creation of an Excel template, a maximum of 50 records are exported in the template file.

Step 2: Customize the data in Excel


Open the newly-created template in Excel to customize the data.

Let's walk through a simple example of customizing an Excel template using sample data.
Example customization of Opportunities data
1. Click Enable Editing to allow customization of the Excel spreadsheet.
2. Add a new column and name it "Expected Revenue".

3. Create a formula for expected revenue. Don't refer to cells using their addresses; define and use names
instead.
4. Create a pivot table and chart. These and other demo steps will be explained in a future update to this topic.
Place user-added content above or to the right of the existing data table. This prevents the content from
being overwritten if you add new data later and you create a new Excel template. For more information, see:
Best practices and considerations for using Excel templates.

5. Save the spreadsheet.


You're now ready to upload the Excel template.
Step 3: Upload the template and share with others
When you have your Excel template customized the way you want, you can upload it. Where you upload the
template determines its availability.
Administrators can use the Settings page to upload the Excel template. A template uploaded in Settings is available
to all users.
For admins: Upload the Excel template
1. Go to Settings > Templates > Document Templates.
2. Click Upload Template.
3. Drag the Excel file into the dialog box or browse to find and upload the file.
4. Click Upload.
Non-admin users can upload a template for their own use from a list of records.
For non-admins or admins wanting to create a personal template: Upload the Excel template
1. Open a page with a list of records, for example, the list of Sales Opportunities. Go to Sales >
Opportunities > My Open Opportunities.
2. On the menu bar, click Excel Templates > Create Excel Template.
3. Click Excel Template > Upload.

4. Drag the file into the dialog box or browse to find and upload the file.
5. Click Upload.
Step 4: Choose who can use the new template
Access to the newly-created Excel template depends on how you uploaded it, and on the access granted to the
security role. Be sure to check out Use security roles to control access to templates.
If you uploaded the template from the Settings page
The Information page for the uploaded Excel template will look like this.
Templates uploaded from the Settings page are available to all users. You don't need to take any further action.
If you uploaded the template from a list of records
The Information page for the uploaded Excel template will look like this.

Templates uploaded from a list of records are available to the user who uploaded the template. To share the
template with others, follow these steps:
1. From the template Information page, click Share.
2. Use the Share personal document template page to share the Excel template with others and to set
permissions.
Export and analyze data using the new template
The process for using an Excel template looks like this.

Step 1: Select an entity to analyze


Select an entity (record type) to analyze with the Excel template you created. For example, go to Sales >
Opportunities > My Open Opportunities. Two new opportunities were added since the template was created.
Step 2: Export data using your new Excel template
Choose the Excel template you created.

This template was created from the Settings page so it will appear on the menu under Excel Templates. If it had
been created from a records list, it would appear under Personal Excel Templates.
If you have Microsoft Excel Online, you can see the data in place in an Excel window in customer engagement apps
(such as Dynamics 365 Sales and Customer Service). If not, or if you'd rather create the Excel file, click Download
<template name>.
Step 3: Analyze your data in Excel
What you see in the Excel spreadsheet is based on two things:
Records. The view you choose to export from determines what records you see in the exported Excel file.
For example, if you selected Closed Opportunities, you'll see those records even if you used the template
created with My Open Opportunities.
Columns. The template you used determines what columns appear in the table in the exported Excel file.
For example, the Closed Opportunities view has these columns: Potential Customer, Status, Actual Revenue,
and Actual Close Date. But if the template you used was based on My Open Opportunities, you'd see
columns associated with that view and any column filtering done when you created the template.
Step 4: Share the results with others
If you're using Excel, save a copy either online or to your computer. Send the file to others for their review and
input.

Try out the sample Excel templates


There are four Excel templates included with customer engagement apps.

The sample Excel templates were created with a specific record type (entity). You'll only be able to apply the
template to records of the same record type.
NAME                   ENTITY
Pipeline Management    Opportunity (Sales area)
Campaign Overview      Campaign (Marketing area)
Cases SLA Status       Case (Service area)
Case Summary           Case (Service area)

To apply a sample Excel template


1. Open a list of records with information with the entity type that matches the sample template. For example,
open a list of sales opportunities to apply the Pipeline Management template.
2. Click > Excel Templates, and then under Excel Templates, select the sample template.
3. Download the template or open it in place in Excel.

TIP
You can export the templates that are included in customer engagement apps, modify them, and then reimport them as new
templates. This can give you a running start on creating your own custom Excel templates.

Best practices and considerations for using Excel templates


Here are some things you need to be aware of to create and make best use of Excel templates.
Test your Excel templates
Excel has lots of features. It's a good idea to test your customizations to see that all Excel features work as expected
in your templates.
Privacy and pivot charts
By default pivot chart data is not updated when a spreadsheet is opened. This can create a security issue if certain
pivot chart data should not be seen by users with insufficient permissions.
Consider the following scenario:
An administrator creates a template with sensitive data in pivot charts and uploads the template.
A salesperson who should not have access to the sensitive data in the pivot charts uses the template to
create an Excel file to do some data analysis.
The outcome. The salesperson might be able to see the pivot chart data as uploaded by the administrator
including access to views the salesperson does not have permissions for.
In addition. iOS does not support updating pivot data and pivot charts when using the Excel app on iOS
devices.
Recommendation. Sensitive data should not be included in pivot tables and pivot charts.
Set pivot chart data to automatically refresh
By default, pivot chart data does not automatically refresh when you open the spreadsheet. Regular charts
automatically update.
In Excel, right-click the pivot chart, and then click PivotChart Options > Refresh data when opening the file.
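
A pre-upload check for the pivot cache concern raised under "Privacy and pivot charts" and for the refresh setting above, as an added example that is not part of the original documentation. It assumes Excel's default part naming inside the .xlsx package (xl/pivotCache/pivotCacheDefinitionN.xml); the function names are hypothetical and the sample file is constructed inline, holding only the two parts the check reads.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical.
# Assumes Excel's default part names: xl/pivotCache/pivotCacheDefinitionN.xml
# with its relationships in xl/pivotCache/_rels/pivotCacheDefinitionN.xml.rels.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Read-ZipEntryXml {
    param($Entry)
    $reader = New-Object System.IO.StreamReader($Entry.Open())
    try { return [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
}

# Lists every pivot cache in a template, whether it embeds a snapshot of the
# source rows, and whether "Refresh data when opening the file" is set.
function Get-TemplatePivotCacheReport {
    param([Parameter(Mandatory)] [string] $Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $zip  = [System.IO.Compression.ZipFile]::OpenRead($full)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notmatch '^xl/pivotCache/(pivotCacheDefinition\d+\.xml)$') {
                continue
            }
            $partName = $Matches[1]
            $def      = (Read-ZipEntryXml $entry).DocumentElement

            # Cached rows exist when the definition has a pivotCacheRecords relationship.
            $hasRecords = $false
            $relsEntry  = $zip.GetEntry("xl/pivotCache/_rels/$partName.rels")
            if ($relsEntry) {
                foreach ($rel in (Read-ZipEntryXml $relsEntry).DocumentElement.ChildNodes) {
                    if ($rel.LocalName -eq 'Relationship' -and
                        $rel.GetAttribute('Type') -like '*/pivotCacheRecords') {
                        $hasRecords = $true
                    }
                }
            }

            [pscustomobject]@{
                CacheDefinition     = $entry.FullName
                EmbedsCachedRecords = $hasRecords
                RefreshOnLoad       = $def.GetAttribute('refreshOnLoad') -in '1', 'true'
                RecordCount         = $def.GetAttribute('recordCount')
                RefreshedBy         = $def.GetAttribute('refreshedBy')
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Builds a constructed sample package (not a complete workbook).
function New-ConstructedTemplate {
    param([Parameter(Mandatory)] [string] $Path)

    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path }
    $main = 'http://schemas.openxmlformats.org/spreadsheetml/2006/main'
    $pkg  = 'http://schemas.openxmlformats.org/package/2006/relationships'
    $type = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/pivotCacheRecords'
    $parts = [ordered]@{
        'xl/pivotCache/pivotCacheDefinition1.xml' =
            '<pivotCacheDefinition xmlns="' + $main + '" refreshedBy="admin" recordCount="2"/>'
        'xl/pivotCache/_rels/pivotCacheDefinition1.xml.rels' =
            '<Relationships xmlns="' + $pkg + '"><Relationship Id="rId1" Type="' + $type +
            '" Target="pivotCacheRecords1.xml"/></Relationships>'
    }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($name in $parts.Keys) {
            $writer = New-Object System.IO.StreamWriter($zip.CreateEntry($name).Open())
            try { $writer.Write($parts[$name]) } finally { $writer.Dispose() }
        }
    } finally {
        $zip.Dispose()
    }
}

# Demo on the constructed sample: report caches that would ship cached rows.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-template.xlsx'
New-ConstructedTemplate -Path $demo
Get-TemplatePivotCacheReport -Path $demo |
    Where-Object EmbedsCachedRecords |
    Format-Table -AutoSize
```

A cache that embeds records and does not refresh on load is the case described in the scenario above: whoever opens the generated file sees the rows the template author saw.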
Placing new data
If you want to add content to the Excel template, place your data above or to the right of the existing data. A second
option is to place your new content on a second sheet.
Excel templates with images may cause an error
If you try to analyze data with an Excel template that has an image saved in it, you may see the following error: "An
error occurred while attempting to save your workbook. As a result, the workbook was not saved." Try removing
the image from the template and reloading it.
Excel templates and Office Mobile app in Windows 8.1
Excel templates will not open in Windows 8.1 devices with Office Mobile app. You'll get the following error
message: "We've recovered as much of your document as we could, but you can't edit it. Try to open and repair the
document on your PC to fix the problem."
This is a known issue.
Use table column names and range names in formulas
When you create Excel formulas, don't use column titles or cell numbers. Instead, use the table column names, and
define names for cells or cell ranges.

Use security roles to control access to templates


Administrators can control access to Excel templates with some granularity. For example, you can give salespeople
Read but not Write access to an Excel template.
1. Click Settings > Security > Security Roles.
2. Select a role, and then click the Business Management tab.
3. Select Document Template to set access for templates available to the entire organization. Select
Personal Document Template for templates shared to individual users.
4. Click the circles to adjust the level of access.
To view and delete personal document templates
Follow these steps to delete personal document templates:
1. Click Advanced Find.
2. For Look for, select Personal Document Templates.
3. Click Results (!).
4. Select the personal document template to delete, and then click Delete.
Excel template does not upload in Microsoft Edge
If your Excel template does not upload when using Microsoft Edge as your browser, update Microsoft Edge and try
again.

Privacy notice
If you use Microsoft Dynamics 365 (online), exporting data to a static worksheet creates a local copy of the
exported data and stores it on your computer. The data is transferred from Dynamics 365 (online) to your
computer by using a secure connection, and no connection is maintained between this local copy and Dynamics
365 (online).
When you export to a dynamic worksheet or PivotTable, a link is maintained between the Excel worksheet and
Dynamics 365 (online). Every time a dynamic worksheet or PivotTable is refreshed, you’ll be authenticated with
Dynamics 365 (online) using your credentials. You’ll be able to see the data that you have permissions to view.
An administrator determines whether or not an organization’s users are permitted to export data to Excel by using
security roles.
See also
Download a template for data import
Using Word templates
Use Word templates to create standardized documents
10/16/2020 • 9 minutes to read

After you create and import Office Word templates into customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation), with one click users can generate standardized documents automatically populated with data.
This feature has some special considerations you should know about to successfully create Word templates.

TIP
Check out the following video: Create documents directly from Dynamics CRM by using Word and Excel templates (2:38)

WARNING
There is a known issue when creating templates in Word. This topic contains information on how to prevent interactions that
could potentially destabilize Word. See: Important! A known issue and how to avoid it

The following are the supported versions of Word.

AREA                                                           WORD VERSION
Creating a Word template                                       2013, 2016
Using a Word document generated in customer engagement apps    2010, 2013, 2016

NOTE
Macro-enabled Word documents (.docm) are not supported.

Follow the steps in this topic to successfully create and use Word templates in customer engagement apps.

Step 1: Create a Word template


Where you can create a template
There are three places in customer engagement apps where you can create a Word template:
From the Settings page. Go to Settings > Templates > Document Templates > New. You'll need
sufficient permissions to access the Settings page, such as System Administrator or System Customizer.
From a record. Open a record such as an account in Sales. Go to Sales > Client_Accounts > My Active
Accounts. Click an account to open it, and then click More (…) > Word Templates > Create Word
Template. Templates created here are personal and available only to the user creating the template.
From a list of records. For example, go to Sales > Client_Accounts > My Active Accounts. Select a
single account, and then click More (…) > Word Templates > Create Word Template.
TIP
To delete personal document templates, do the following:
1. Click Advanced Find.
2. For Look for, select Personal Document Templates.
3. Click Results (!).
4. Select the personal document template to delete and then click Delete.

After clicking Create Word Template, select an entity to filter with, and then click Word Template > Select
Entity.

The relationship selection page appears.


What are 1:N, N:1, and N:N relationships?
This screen requires an understanding of your customer engagement apps data structure. Your administrator or
customizer can provide information about entity relationships. For admin content, see: Entity relationships
overview.
Here are some example relationships for the Account entity.

RELATIONSHIP    DESCRIPTION

An account can have multiple contacts.

A lead, account, or contact can have multiple accounts.

An account can have multiple marketing lists.

A marketing list can have multiple accounts.

The relationships you select on this screen determine what entities and fields are available later when you define
the Word template. Only select relationships you need to add data to the Word template.

NOTE
To ensure documents download in a timely manner, there is an upper limit of 100 for the number of related records returned
for each relationship. For example, if you're exporting a template for an account, and you want to include a list of its contacts,
the document will return at most 100 of the account's contacts.

Download the template


Click Download Template on the Select Entity page to create a Word file on your local computer with the
exported entity included as XML data.
IMPORTANT
A document template downloaded from one environment can only be used within that environment. Environment-to-
environment migration for Word or Excel templates isn't currently supported.

Step 2: Enable the Developer tab


Open the Word template file. At this point, the document appears to be blank.

To see and add customer engagement apps XML data, you need to enable the Word Developer tab.
1. Go to File > Options > Customize Ribbon, and then enable Developer.

2. Click OK.
Developer now appears in the Word ribbon.
Important! A known issue and how to avoid it
There's a known issue with customer engagement apps-generated Word templates and Office Word. In the
next section, you'll be adding XML content control fields to the Word template.

WARNING
A few things can cause Word to freeze, requiring you to use Task Manager to stop Word:
You insert a content control other than Picture or Plain Text .
You make a textual change, such as changing the capitalization or adding text, to a content control. These changes can
occur through AutoCorrect as well as user edits. By default, Microsoft Word AutoCorrect capitalizes sentences. When you
add a content control field, Word sees it as a new sentence and will capitalize it when focus shifts away from the field.

To prevent issues with control fields, do the following:


Only add fields as Plain Text or Picture
1. You use the XML Mapping Pane to add entity fields to your Word template. Be sure to only add fields as
Plain Text or Picture .

Do not make any textual changes to the added content control


1. You can make formatting changes to content control fields, such as bolding the text, but no other textual
changes, including capitalization changes.
If you experience Word freezing or performance degradation, try turning off AutoCorrect.
Turn off AutoCorrect
1. With the template file open in Word, go to File > Options > Proofing > AutoCorrect Options .

2. Deselect Capitalize first letter of sentences and Automatically use suggestions from the spelling
checker .

3. Deselect Hyphens (--) with dash (-) on the AutoFormat and AutoFormat as You Type tabs.
4. Click OK .
If you followed the above recommendations, you're ready to define the Word template.

Step 3: Define the Word template


Use the XML Mapping Pane to define the Word template with entity fields.
1. In your Word template, click Developer > XML Mapping Pane .
The default XML schema is selected.

2. Select the XML schema. It will begin with "urn:microsoft-crm/document-template/".

IMPORTANT
If you have frequent accidental edits that cause Word to freeze or have performance degradation, be sure to turn off
the AutoCorrect options according to the section: "A known issue and how to avoid it".

3. Expand the entity, right-click the entity field, and then click Insert Content Control > Plain Text .
The entity field is added to the Word template.

Add additional entity fields, add descriptive labels and text, and format the document.
A completed template might look like this:
Some content control fields you entered likely have multiple lines of data. For example, accounts have more
than one contact. To include all the data in your Word template, set the content control field to repeat.
Set content control fields to repeat
1. Put fields with repeating data in a table row.
2. Select the entire table row in the template.

3. In the XML Mapping Pane, right-click the relationship containing the content control fields, and then click
Repeating .
When you use the Word template in customer engagement apps to create a document, the table will
populate with multiple rows of data.
When the template has the fields and formatting you want, save it and upload it into customer engagement
apps.
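An added example, not part of the original documentation: a Python check that a saved template uses only the content control types the guidance above permits before it is uploaded. It reads word/document.xml from the .docx, finds controls bound to the "urn:microsoft-crm/document-template/" schema, and flags any that are not Plain Text, Picture, or Repeating; the sample document, its schema suffix, and its XPaths are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W15 = "http://schemas.microsoft.com/office/word/2012/wordml"
CRM_SCHEMA_PREFIX = "urn:microsoft-crm/document-template/"  # prefix named on the page

# sdtPr child elements that record the control type. Word writes no type
# element at all for a rich text control.
KINDS = {"text": "plain-text", "picture": "picture", "richText": "rich-text",
         "repeatingSection": "repeating", "repeatingSectionItem": "repeating-item"}
OTHER_KINDS = {"comboBox", "dropDownList", "date", "docPartObj", "docPartList",
               "equation", "citation", "group", "bibliography", "checkbox"}
# Plain Text and Picture are the only field types the page allows; Repeating
# is what the page applies to a relationship's table row.
ALLOWED = {"plain-text", "picture", "repeating", "repeating-item"}


def control_kind(sdt_pr):
    """Name the content control type recorded in a w:sdtPr element."""
    for child in sdt_pr:
        local = child.tag.rsplit("}", 1)[-1]
        if local in KINDS:
            return KINDS[local]
        if local in OTHER_KINDS:
            return local
    return "rich-text"


def audit_template(docx_bytes):
    """Return (xpath, kind, allowed) for each CRM-bound control in the body.

    Only word/document.xml is inspected; headers and footers are not.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        data = z.read("word/document.xml")
    # OOXML parts never need a DTD; refuse one instead of expanding entities.
    if b"<!DOCTYPE" in data:
        raise ValueError("DTD found in word/document.xml; refusing to parse")
    root = ET.fromstring(data)
    results = []
    for sdt in root.iter(f"{{{W}}}sdt"):
        pr = sdt.find(f"{{{W}}}sdtPr")
        if pr is None:
            continue
        binding = pr.find(f"{{{W}}}dataBinding")
        if binding is None:  # repeating sections use the w15 binding element
            binding = pr.find(f"{{{W15}}}dataBinding")
        if binding is None:
            continue  # control is not mapped to any XML part
        if CRM_SCHEMA_PREFIX not in binding.get(f"{{{W}}}prefixMappings", ""):
            continue  # mapped to some other schema
        kind = control_kind(pr)
        results.append((binding.get(f"{{{W}}}xpath"), kind, kind in ALLOWED))
    return results


def build_sample_template():
    """Constructed sample: a minimal .docx with four bound controls, one unbound."""
    pm = f"xmlns:ns0='{CRM_SCHEMA_PREFIX}account/1/'"  # suffix is made up
    base = "/ns0:DocumentTemplate[1]/account[1]"       # constructed XPath

    def sdt(kind_xml, xpath, tag="w:dataBinding", inner=""):
        return (f'<w:sdt><w:sdtPr><{tag} w:prefixMappings="{pm}" w:xpath="{xpath}"/>'
                f'{kind_xml}</w:sdtPr><w:sdtContent>{inner}</w:sdtContent></w:sdt>')

    rel = base + "/contact_customer_accounts"
    body = (
        sdt("<w:text/>", base + "/name[1]")            # Plain Text: allowed
        + sdt("", base + "/description[1]")            # no type element: rich text
        + sdt("<w15:repeatingSection/>", rel, "w15:dataBinding",
              sdt("<w:text/>", rel + "/fullname[1]"))  # repeating row with a field
        + "<w:sdt><w:sdtPr><w:date/></w:sdtPr><w:sdtContent/></w:sdt>"  # unbound
    )
    doc = (f'<w:document xmlns:w="{W}" xmlns:w15="{W15}">'
           f'<w:body>{body}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    for xpath, kind, ok in audit_template(build_sample_template()):
        print("OK  " if ok else "FLAG", kind, xpath)
```

To check a real template, pass the bytes of the saved .docx file to audit_template.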

Step 4: Upload the Word template back into customer engagement apps

When you have your Word template built the way you want, save it so you can upload it into customer
engagement apps.
Access to the newly created Word template depends on how you uploaded it and on the access granted to the
security role. Be sure to check out Use Security Roles to control access to templates.
Administrators can use the Settings page to upload the Word template into customer engagement apps. A
template uploaded in Settings is available to all users in your organization.
For admins: Upload the Word template into customer engagement apps
1. Go to Settings > Templates > Document Templates .
2. Click Upload Template .
3. Drag the Word file in the dialog box or browse to the file.

4. Click Upload .
Non-admin users can upload a template for their own use from a list of records.
For non-admins or admins wanting to create a personal template: Upload the Word template into customer
engagement apps
1. Open a page with a list of records, for example, the list of customer accounts in Sales.
2. Select a single item such as an account, click More (… ) > Word Templates > Create Word Template .
3. Click Word Template > Upload .

4. Drag the Word file in the dialog box or browse to the file.
5. Click Upload .

Step 5: Generate a document from the Word template


To use the Word template you've created, do the following:
1. Open a record with the information you want to use to create a document. For example, open a customer account
record in Sales.
2. Click More (… ) > Word Templates , and then under Word Templates select the template you created.
If the template you created is not visible, there are two possibilities:
a. Only templates built for the selected record type (entity) will be displayed. For example, if you open
an opportunity record, you will not see a template you created with the Account entity.
b. You need to refresh customer engagement apps to see the template. Either refresh your browser or
close and reopen customer engagement apps.
After you select your Word template, customer engagement apps create a Word document from the record
you selected.
Try out the sample Word templates
There are five Word templates included with customer engagement apps.
The sample Word templates were created with a particular record type (entity). You'll only be able to apply the
template to records of the same record type.

NAME | ENTITY
Opportunity Summary | Opportunity (Sales area)
Campaign Summary | Campaign (Marketing area)
Case Summary | Case (Service area)
Invoice | Invoice (Sales area)
Account Summary | Client_Account (Sales, Service, and Marketing areas)

To apply a sample Word template


1. Open a record whose entity type matches the sample template. For example, open a
customer account record in Sales to apply the Account Summary template.
2. Click More (… ) > Word Templates , and then under Word Templates select the sample template.
Open the newly-created Word template and give it a look.

NOTE
You can review but not edit templates that are included in customer engagement apps.

Additional considerations
Use Security Roles to control access to templates
Administrators can control access to Word templates with some granularity. For example, you can give salespeople
Read but not Write access to a Word template.
1. Click Settings > Security > Security Roles .
2. Select a role, and then click the Business Management tab.
3. Select Document Template to set access for templates available to the entire organization. Select
Personal Document Template for templates shared to individual users.
4. Click the circles to adjust the level of access.
Lists in created documents are not in the same order as records
Lists of records created from a custom template may not appear in the same order in Word documents as the
order in customer engagement apps. Records are listed in the order of the time and date they were created.
See also
Analyze your data with Excel templates
Troubleshooting Word templates
Troubleshooting Word templates
10/16/2020 • 2 minutes to read

This article helps you troubleshoot and resolve issues related to Word templates.

I'm unable to see an entity image in a Word template for certain out-of-
the-box and custom entities
Reason
By default, only a few out-of-the-box entities—such as Account, Contact, Opportunity, Order, Invoice, Product, Lead,
Goal, and Territory—include an EntityImage value for the Primary Image field, which you can use to upload the
image to a Word template. However, for other out-of-the-box entities (such as Quote, Business Unit, Appointment, and
Email) and custom entities, EntityImage isn't available.
Resolution
To show an image for entities that don't have an EntityImage by default, you create an image field for the entity,
upload the entity image to a record, and then add the entity image to the Word template. In the following example,
we add an EntityImage for a Discuss contract renewal appointment.
To create an image field for the entity
1. Go to Settings > Customizations > Customize the System .
2. In the solution explorer, under Components , expand Entities , and then select the entity. In this example,
we're selecting the Appointment entity.

3. In the Appointment entity, select Fields , and then select New .


4. In the new field form, enter Entity Image for the Display Name , enter EntityImage for the Name , and for
Data Type , select Image .

5. Save and close the form.


6. Verify that the new field has been added by selecting the entity name. In this example, we've added Entity
Image as a value for the Primary Image field for the Appointment entity.
7. Publish the customizations.
To upload the entity image to the record
1. Open the entity record. In this example, we're opening a Discuss contract renewal appointment.

2. Select the image, and in the Choose Image dialog box, select Upload Image .
3. Select the image, and then select Change .

The image appears beside the entity.

To add the entity image to the Word template


1. Download and open the Word template.
The downloaded template is saved in the following format:
recordType organizationDateFormat time localDateFormat time.docx
For example, the downloaded template name for the appointment is: Appointment 2020-7-15 15-39-27
17-7-2020 12-28-00 PM.docx .
2. Open the XML Mapping pane, right-click to select new_entityimage , and then select Insert Content
Control > Picture .
The entity image field with the image is added to the Word template.
3. Save and upload the Word template to your Dynamics 365 Sales Hub app.
Now, when you download and open a document based on this template, it will contain the image you added.

NOTE
Similarly, if you add an image to an entity form, follow this process to upload the image to the Word template.

See also
Use Word templates to create standardized documents
Integrate (synchronize) your email system
10/16/2020 • 3 minutes to read

One of the main reasons people use customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) is
to store all customer communications in one place, so anyone with the appropriate permissions can see all
relevant customer records. For example, they can view all email associated with a particular contact, account,
opportunity, or case.
To store email and other messaging records, you need to synchronize your email system with customer
engagement apps. You can do this with server-side synchronization.

IMPORTANT
In previous versions of Dynamics CRM, you could also use the Email Router to synchronize records. The Email Router has
been deprecated as of the Dynamics 365 (online), version 9.0. We strongly recommend that you migrate all email
routing functionality to use server-side synchronization.
Internet Message Access Protocol (IMAP) email servers are not currently supported by server-side synchronization or
the Email Router.
Effective March 2020, the legacy Dynamics 365 for Outlook (also referred to as Outlook COM add-in) is deprecated.
Customers must transition to the modern Dynamics 365 App for Outlook before October 1, 2020. Microsoft will
continue to provide support, security and other critical updates to the Outlook COM Add-in until October 1, 2020.
For further information and steps to make a smooth transition, download Dynamics 365 for Outlook (COM add-in)
Playbook.

Using server-side synchronization


Server-side synchronization has these benefits:
Enables Dynamics 365 App for Outlook . With Dynamics 365 App for Outlook, customer engagement
apps information appears next to a user's Outlook email messages or appointments. They can view
information about contacts and leads stored in customer engagement apps and add contacts directly from
an email message. They can also link email, appointment, and contact records to new or existing records,
such as opportunity, account, or case records. Dynamics 365 App for Outlook is very simple to deploy and
it works with Outlook on the web (included in Microsoft 365), the Outlook desktop client, and Outlook
mobile. Learn more about Dynamics 365 App for Outlook.
Enables Exchange folder tracking . With folder tracking, users can simply drag email to an Exchange
folder to track it automatically in customer engagement apps. Folder tracking works on any mobile device
that supports Microsoft Exchange, which means users can track email from just about any device. Learn
more about folder tracking.
Automatic synchronization . When you synchronize records with server-side synchronization, the
synchronization happens automatically at the server level.
Enables multiple scenarios, including hybrid scenarios . You can use server-side synchronization to
connect:
Customer engagement apps to Exchange Online
Customer engagement apps to Exchange Server (on-premises)
Synchronize appointments, contacts, and tasks . In addition to email, you can synchronize Outlook
appointments, contacts, and tasks.
Synchronize with POP3 email servers . You can use server-side synchronization to synchronize
customer engagement apps with Gmail, Outlook.com, Yahoo, and other POP3 email servers. Note,
however, that you can't synchronize appointments, contacts, and tasks with POP3 email servers.
Integrated mailbox management and resource utilization . You can use the server-side
synchronization performance dashboard to quickly monitor mailbox performance across the organization.
You can also troubleshoot errors through error logging and reporting.
More information: Integrate your email system using server-side synchronization

NOTE
If you use server-side sync, you won't be able to view S/MIME encrypted messages. Encrypting emails with S/MIME
requires an application to use an S/MIME control which server-side sync does not support. For more information on
S/MIME encryption, see Encrypt messages by using S/MIME in Outlook Web App.

See also
Microsoft Dynamics CRM: How it works documentation
Integrate your email system using server-side synchronization
Troubleshooting and monitoring server-side synchronization issues
Deploy Dynamics 365 App for Outlook
Enable accessible email flow
10/16/2020 • 2 minutes to read

To improve accessibility when reading and editing email in customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation), we're introducing an app that provides an accessible email flow. This topic explains how
admins can enable this flow and how end users can access it.

For admins: Install the app


Follow these steps to deploy the solution and enable users to use the accessible flow.
Install the app
1. Browse to the Microsoft 365 admin center and sign in using Microsoft 365 Global administrator credentials.
You can also sign in with system administrator or delegated admin security roles.
2. Select Admin centers > Dynamics 365 .
3. Select the environments tab, select the environment to add the app to, and then select Manage your
solutions .
4. Select the Email in Unified Interface app, and then select Install .
You can now see the app in the list of published apps. Go to Settings > My Apps to see it.

Provide users with permissions for the accessible email access flow
For users who want to have accessible email access, follow these steps.
1. Go to Settings > Security > Users .
2. In the list, select the user or users that you want to assign a security role to.
3. Select Manage Roles .
Only the security roles available for a user's business unit are displayed.
4. In the Manage User Roles dialog box, select the Email app access role security role, and then select OK .
Notify users
Once the app is installed, notify users that they need to reload the web application to see and use the accessible
email flow.

For end users: Use the accessible email flow


Users with the Email app access role can go to Sales , Service , or Marketing and select Email Messages to open
emails.

NOTE
If you don't see Sales , Service , or Marketing , your customer engagement app has been customized. Talk to your
administrator or customizer.
Email Messages will not appear if Activities has been customized to not be included in the sitemap.

Here, you can read and manage your emails in the Email in Unified Interface app.

See also
Accessibility for people with disabilities
Server-side synchronization
10/16/2020 • 4 minutes to read

Server-side synchronization is the preferred option for organizations with users who run customer engagement
apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365
Marketing, and Dynamics 365 Project Service Automation), in a web browser or on a mobile device, such as a
tablet or smartphone. Server-side synchronization provides direct apps-to-email server synchronization. When
you use Exchange, this includes bi-directional synchronization of email, contacts, tasks, and appointments. The data
synchronized for each user can be controlled by using synchronization filters that are available from the
Synchronization tab in the user options dialog.
If you use a POP3 email server, the data that is synchronized includes email only.
Using server-side synchronization makes messaging data available to a web browser, tablet, or smartphone that is
running customer engagement apps.
For more information about server-side synchronization, see Server-side synchronization of email, appointments,
contacts, and tasks.

NOTE
A user can only map to a single Exchange or POP3 mailbox. Similarly, an Exchange or POP3 mailbox can only be mapped to
a single user. When customer engagement apps detect that an Exchange or POP3 mailbox has already been mapped to a
user, a dialog box is displayed to present a choice to the user whether to map the user to the Exchange mailbox. When the
user selects yes, it breaks the previous user to Exchange mailbox mapping and subsequently the synchronization that would
occur between the user and the Exchange mailbox.

Server-side synchronization frequency


When synchronization by using server-side synchronization occurs, the process is dynamic and unique for each
user’s mailbox. The synchronization algorithm ensures that mailboxes are synced according to dynamic
parameters such as the number of email messages and the activity within the mailbox. Normally, email
synchronization occurs every 5 minutes. When a mailbox has many email messages, the interval can be reduced
dynamically to 2 minutes. If the mailbox is less active, the interval can be increased up to 12 minutes. Generally
speaking, you can assume that a mailbox will be synced at least once every 12 minutes. Note that you can’t
manually synchronize records through server-side synchronization. When you track email (Track button), tracking
occurs immediately.

Features available with server-side synchronization


Some features offered by server-side synchronization include the following:
Sent Items folder : If your server version is 9.1.0000.16819 or greater, email messages sent from
Dynamics 365 apps using a server-side synchronization enabled Exchange mailbox will be visible in the
Sent Items folder in the Exchange sender mailbox. To determine your version, sign in and in the upper-
right corner of the screen, select the Settings button ( ) > About .
Email folder tracking : You can simply drag email to a folder to track it. Folder tracking works on any
mobile device that supports Microsoft Exchange, which means you can track email from just about any
device.
Doesn’t require Outlook : You don’t have to have the Dynamics 365 for Outlook add-in open to
synchronize records. You can still use Dynamics 365 for Outlook to track records manually even if you do
the synchronization through server-side sync. This also helps to boost the performance of the Outlook add-
in.
Support for Dynamics 365 App for Outlook : You can track incoming email with the new Dynamics
365 App for Outlook. Dynamics 365 App for Outlook works with Outlook on the web. So all you need is a
browser to track incoming email.

Features available with server-side synchronization in both customer engagement apps and Customer Engagement (on-premises)

Some features offered by server-side synchronization include the following:
Efficient resource utilization. Server-side synchronization provides integrated mailbox management.
You can disable inactive mailboxes that have permanent errors. It prevents resource hogging by applying an
upper limit on the allocated capacity and time-out requests.
Connection throttling. Server-side synchronization provides a way to control the number of parallel
connections opened against an email server to prevent overloading the mail server.
Data migration. Server-side synchronization supports migrating configuration data from Email Router to
server-side synchronization by using the migration wizard.
Service isolation. Server-side synchronization has separate queue-management and configuration
settings for asynchronous operations, outgoing activities, and mailboxes. It is based on the asynchronous
service architecture and may share the same process. In all cases, it manages server resources while
maintaining isolation with the asynchronous service.
Error reporting for users and administrators. Server-side synchronization supports logging and
reporting of errors specific to an email or one or more mailboxes. More information: Error Logging for
Server-Side Synchronization.

NOTE
In customer engagement apps, you can synchronize emails using Dynamics 365 for Outlook or server-side synchronization.
If server-side synchronization is selected, the synchronization does not require running Dynamics 365 for Outlook. You will,
however, still need Dynamics 365 for Outlook to promote an item from Outlook.
See also
Set up server-side synchronization of email, appointments, contacts, and tasks
Synchronizing data with Outlook or Exchange FAQ
Supported email service configurations for server-side synchronization
10/16/2020 • 2 minutes to read

Depending on your customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics
365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), installation, you may
be deciding whether to use server-side synchronization or the Email Router/Outlook synchronization. The
following table lists what is supported by server-side synchronization for each type of installation. Later in this
topic, you can read about the scenarios that aren't supported by server-side synchronization.

IMPORTANT
The information here includes the POP3/SMTP and IMAP/SMTP systems supported by Microsoft. Although other
POP3/SMTP and IMAP/SMTP systems might work with Customer Engagement (on-premises), those systems were not
tested by Microsoft and are not supported.
Outlook on the web is not supported in a hybrid deployment: Customer Engagement (on-premises) with Exchange
Online.
You can create two different email server profiles: one for online mailboxes, and another for on-premises mailboxes.
Associate the mailboxes with the correct email server profile.
Manual tracking in Dynamics 365 for Outlook is not supported when a user's mailbox is configured to use server-side
synchronization with the POP/SMTP protocol.
For Dynamics CRM Online 2016 Update 1 and December 2016 Update for Dynamics 365 (online), we support service
encryption in Exchange Online with server-side sync.

CUSTOMER ENGAGEMENT APPS DEPLOYMENT | EMAIL SYSTEM | EMAIL SYNCHRONIZATION | APPOINTMENTS, CONTACTS, AND TASKS SYNCHRONIZATION | PROTOCOL
Customer engagement apps | Exchange Online; Exchange Server 2013 SP1; Exchange Server 2016; Exchange Server 2019 | Yes | Yes | Exchange Web Services
Customer engagement apps | Gmail; Yahoo! Mail | Yes | No | POP3/SMTP, IMAP/SMTP

Using Exchange Online with customer engagement apps


If your company is using Exchange Online with customer engagement apps, note the following:
Customer engagement apps support server-side synchronization with Exchange Online in the same tenant in
Microsoft 365 with Server to Server Authentication. Other authentication methods or settings are not
recommended or supported, including:
Using credentials specified by a user or queue
Using credentials specified in an email server profile
Using Impersonation
Setting Auto Discover Server Location to No
Using an email server profile other than Exchange Online

Unsupported email service configurations


Server-side synchronization doesn't support the following scenarios:
Mix of Exchange/SMTP and POP3/Exchange
Exchange Online profile mailbox with Exchange on-premises user. Use the Exchange Server (Hybrid) profile,
associate the mailbox to it, then test and enable.
Exchange Online profile mailbox with an Exchange mailbox that points to an external email server. Use the
POP3/SMTP Server profile, associate the mailbox to it, then test and enable.
Creation of mass email marketing campaigns
Extensibility scenarios like extending EWS/POP3/SMTP protocols and creating custom email providers
Exchange Server 2010 SP3
Exchange Server 2003 and Exchange Server 2007
Server-side synchronization in customer engagement apps requires a POP3/SMTP email server that is also
FIPS 140-2 compliant. Some email servers are not FIPS 140-2 compliant, such as MSN, Outlook.com, or
Windows Live Mail.
Multi-factor authentication isn't supported for customer engagement apps to Exchange Server (on-premises),
and Customer Engagement (on-premises) to Exchange Online.
Currently, connecting customer engagement apps with Exchange Online in a different tenant is not supported.
For most situations not supported by server-side synchronization, you can use the Microsoft Dynamics CRM Email
Router. More information: Integrate your email system

NOTE
We recommend that you don't use a mixed configuration of Outlook synchronization and server-side synchronization for
appointments, contacts, and tasks in the same organization, because it may result in updated data not synchronizing to all
attendees.

See also
Server-side synchronization
Set up server-side synchronization of email, appointments, contacts, and tasks
Set up server-side synchronization of email,
appointments, contacts, and tasks
10/16/2020 • 2 minutes to read

You can use server-side synchronization to synchronize your email system with Dynamics 365 (online) apps at
the server level. For example, you can synchronize customer engagement apps (Dynamics 365 Sales, Dynamics
365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation), with Microsoft Exchange Online (hosted email server) or Microsoft Exchange Server (on-
premises). If you synchronize customer engagement apps with Exchange Online or Exchange Server, in addition
to Outlook email, you can synchronize Outlook appointments, contacts, and tasks.
You can also use server-side synchronization to synchronize customer engagement apps with a POP3 email
server for web-hosted email like Gmail or Outlook.com. If you synchronize email with a POP3 email server, you
can’t synchronize appointments, contacts, and tasks, however.

NOTE
Using encryption software (such as Vaultive) together with server-side synchronization is not supported.
If you use server-side sync, you won't be able to view S/MIME encrypted messages. Encrypting emails with S/MIME
requires an application to use an S/MIME control which server-side sync does not support. For more information on
S/MIME encryption, see Encrypt messages by using S/MIME in Outlook Web App.

Synchronization scenarios
Choose one of the following scenarios to configure server-side synchronization for your organization:
Connect to Exchange Online
Connect to Exchange Server on-premises
Connect to a POP3 or SMTP server
See also
Server-side synchronization
Troubleshooting server-side synchronization
Connect to Exchange Online
10/16/2020 • 7 minutes to read

With both customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), and Microsoft Exchange Online
hosted as online services, connecting the two is a simpler, more straightforward configuration.

TIP
Check out the following video: Connect to Exchange Online using server-side sync.

IMPORTANT
This feature requires that you have a Microsoft 365 subscription or a subscription to an online service such as SharePoint
Online or Exchange Online. For more information, see What is Microsoft 365 and how does it relate to Dynamics 365
(online)?

Get Exchange ready


To use Exchange Online with customer engagement apps, you must have an Exchange Online subscription that
comes as part of a Microsoft 365 subscription or that can be subscribed to separately. For information on
Exchange Online, see:
Exchange Online
Exchange Online Service Description
Microsoft 365 and Office 365 service descriptions

TIP
To make sure you've got a good connection to Exchange Online, run the Microsoft Remote Connectivity Analyzer. For
information on what tests to run, see Test mail flow with the Remote Connectivity Analyzer.

Verify you have the profile: Microsoft Exchange Online


If you have an Exchange Online subscription in the same tenant as your subscription, customer engagement apps
create a default profile for the email connection: Microsoft Exchange Online . To verify this profile:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles .
3. Select Active Email Server Profiles and check that the Microsoft Exchange Online profile is in the list.
If the Microsoft Exchange Online profile is missing, verify you have an Exchange Online subscription and that
it exists in the same tenant as your subscription.
4. If there are multiple profiles, select the Microsoft Exchange Online profile and set it as default.

Configure default email processing and synchronization


Set server-side synchronization to be the default configuration method for newly created users.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email settings .
3. Set the processing and synchronization fields as follows:
Server Profile : Microsoft Exchange Online
Incoming Email : Server-Side Synchronization or Email Router
Outgoing Email : Server-Side Synchronization or Email Router
Appointments, Contacts, and Tasks : Server-Side Synchronization
4. Select Save .
All new users will have these settings applied to their mailbox.

Configure mailboxes
New users will have their mailboxes configured automatically with the settings you made in the prior section. For
existing users added prior to the above settings, you must set the Server Profile and the delivery method for email,
appointments, contacts, and tasks.
In addition to administrator permissions, you must have Read and Write privileges on the Mailbox entity to set the
delivery method for the mailbox.
Choose one of the following methods:
Set mailboxes to the default profile
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Choose Active Mailboxes .
3. Select all the mailboxes that you want to associate with the Microsoft Exchange Online profile, select Apply
Default Email Settings , verify the settings, and then select OK .

By default, the mailbox configuration is tested and the mailboxes are enabled when you select OK .
Edit mailboxes to set the profile and delivery methods
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes that you want to configure, and then select Edit .
4. In the Change Multiple Records form, under Synchronization Method, set Server Profile to
Microsoft Exchange Online.
5. Set Incoming and Outgoing Email to Server-Side Synchronization or Email Router.
6. Set Appointments, Contacts, and Tasks to Server-Side Synchronization.
7. Select Change .

Approve email
To approve emails for customer engagement apps, a user requires:
1. The Approve Email Addresses for Users or Queues privilege.
2. The permissions as described in the table below.
Require admin approval?
Decide which approach you want your organization to follow for mailbox approval.

Permission model
The following table describes the permissions required to approve emails.
Terminology
Yes : can approve email
No : cannot approve email
n/a : not applicable

NOTE
This permission model is being gradually rolled out and will be available once it is deployed to your region. Check the version
number provided below for when the change will be provided.

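Permissions by applications in use and security role. The two "Both roles required" entries apply to a user who
holds both named roles. A digit in parentheses refers to the numbered notes below.

Customer engagement apps with Exchange Online
Both roles required, Global admin AND System admin: Yes (2)
Both roles required, Exchange admin AND System admin: Yes (2)
System admin: No
Service admin: No
Exchange admin: No
Global admin: No

Customer engagement apps with Exchange On-premises
Both roles required, Global admin AND System admin: Yes (3)
Both roles required, Exchange admin AND System admin: Yes (3)
System admin: No (3)
Service admin: No
Exchange admin: n/a
Global admin: n/a

Customer Engagement (on-premises) with Exchange Online
Both roles required, Global admin AND System admin: n/a
Both roles required, Exchange admin AND System admin: n/a
System admin: Yes (1)
Service admin: n/a
Exchange admin: n/a
Global admin: n/a

Customer Engagement (on-premises) with Exchange On-premises
Both roles required, Global admin AND System admin: n/a
Both roles required, Exchange admin AND System admin: n/a
System admin: Yes (1)
Service admin: n/a
Exchange admin: n/a
Global admin: n/a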

1 We recommend you include your Exchange admin in custom business processes your organization follows for
this configuration.
2 We are updating for customer engagement apps/Exchange Online, for version 9.1.0.5805 or later.
3 We will be updating for customer engagement apps/Exchange On-premises. Check back for version information.

To determine your version, sign in and in the upper-right corner of the screen, select the Settings button >
About.
Require and configure mailbox approval
Follow these steps to approve email addresses for users and queues. By default, admins, as described in the
Permission model table, are required to approve emails.
Add Approve Email Addresses for Users or Queues privilege
To approve emails, a Dynamics user requires the Approve Email Addresses for Users or Queues privilege. A
system admin can assign the Approve Email Addresses for Users or Queues privilege to any security role and
assign the security role to any user.
To manually assign the Approve Email Addresses for Users or Queues privilege to a security role:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Security roles .
3. Select a security role, and then select the Business Management tab.
4. Under Miscellaneous Privileges , set the privilege level for Approve Email Addresses for Users or
Queues .
Approve mailboxes
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes that you want to approve, and then select More Commands (… ) > Approve Email .
4. Select OK .
Remove requirement to approve mailboxes
Admins, as described in the Permission model table, can change the settings so mailbox approval is not required.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email settings .
3. Under Security and permissions, set Process emails only for approved users and Process emails only
for approved queues to Off. These settings are enabled by default.
4. Select Save .

Test configuration of mailboxes


1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes you want to test, and then select Test & Enable Mailbox .

This tests the incoming and outgoing email configuration of the selected mailboxes and enables them for
email processing. If an error occurs in a mailbox, an alert is shown on the Alerts wall of the mailbox and the
profile owner. Depending on the nature of the error, customer engagement apps try to process the email
again after some time or disable the mailbox for email processing.
To see alerts for an individual mailbox, open the mailbox and then under Common, select Alerts.
The result of the email configuration test is displayed in the Incoming Email Status , Outgoing Email
Status , and Appointments, Contacts, and Tasks Status fields of a mailbox record. An alert is also
generated when the configuration is successfully completed for a mailbox. This alert is shown to the mailbox
owner.
You can find information on recurring issues and other troubleshooting information in Blog: Test and Enable
Mailboxes in Microsoft Dynamics CRM 2015 and Troubleshooting and monitoring server-side
synchronization.
Make sure you've got a good connection to Exchange Online by running the Microsoft Remote Connectivity
Analyzer. For information on what tests to run, see Test mail flow with the Remote Connectivity Analyzer.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items with
Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more about
this check box.

Test email configuration for all mailboxes associated with an email server profile
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Select the Microsoft Exchange Online profile, and then select Test & Enable Mailboxes .
When you test the email configuration, an asynchronous job runs in the background. It may take a few
minutes for the test to be completed. Customer engagement apps test the email configuration of all the
mailboxes associated with the Microsoft Exchange Online profile. For the mailboxes configured with server-
side synchronization for synchronizing appointments, tasks, and contacts, it also checks to make sure they're
configured properly.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items with
Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more about
this check box.

See also
Troubleshooting and monitoring server-side synchronization
Test mail flow by validating your connectors
Connect to Exchange Server (on-premises)
10/16/2020 • 7 minutes to read

With version 9.0, you can connect your customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), with Microsoft Exchange Server (on-premises).
Check out the following white paper: Setup Guide: Server-side synchronization for CRM Online and Exchange
Server

Prerequisites
1. Exchange Server. The following versions are supported: Exchange Server 2013 SP1, Exchange Server
2016, or Exchange Server 2019.
2. Authentication. During installation, Exchange configures Internet Information Services (IIS). To connect
customer engagement apps with Exchange Server, Windows (NTLM) or Basic authentication must be
enabled in Exchange Server. When configuring Windows (NTLM) authentication, make sure Basic
authentication is disabled on Exchange server.
For more information on authentication, see:
Exchange Server 2013: Authentication and EWS in Exchange
Exchange Server 2013: Default settings for Exchange virtual directories
Exchange Server 2016: Default settings for Exchange virtual directories
Exchange Server 2019: Default settings for Exchange virtual directories
3. ApplicationImpersonation role. You need to create and configure a service account with the
ApplicationImpersonation role in Microsoft Exchange. More information: Impersonation and EWS in
Exchange.
4. Secured connection. The connection between customer engagement apps and Exchange must be
encrypted via TLS/SSL and current cipher suites.
5. Exchange Web Services (EWS). Connections to EWS must be allowed through the firewall. Often a
reverse proxy is used for the exterior-facing connection.

TIP
To make sure you've got a good connection to Exchange on-premises, run the Microsoft Remote Connectivity Analyzer. For
information on what tests to run, see Test mail flow with the Remote Connectivity Analyzer.
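
Prerequisites 2 and 3 are set up in the Exchange Management Shell. The following is an added example, not taken from the original page or from Microsoft's setup guide: it limits the ApplicationImpersonation role to the mailboxes that will be synchronized instead of granting it organization-wide, then reports the role's assignments and the authentication methods on the EWS virtual directories. The account, group, scope and assignment names are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell of the on-premises organization.
# Assumed names (not from the page): svc-d365sync, D365-SyncedMailboxes,
# D365-SSS-Scope, D365-SSS-Impersonation.
$ServiceAccount = 'svc-d365sync'
$GroupName      = 'D365-SyncedMailboxes'
$ScopeName      = 'D365-SSS-Scope'
$AssignmentName = 'D365-SSS-Impersonation'

# 1. Build a recipient scope that covers only members of one mail-enabled group.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
if (-not (Get-ManagementScope | Where-Object { $_.Name -eq $ScopeName })) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"
}

# 2. Grant ApplicationImpersonation to the service account, limited to that scope.
if (-not (Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
          Where-Object { $_.Name -eq $AssignmentName })) {
    New-ManagementRoleAssignment -Name $AssignmentName `
        -Role 'ApplicationImpersonation' `
        -User $ServiceAccount `
        -CustomRecipientWriteScope $ScopeName
}

# 3. Review every assignment of the role. A RecipientWriteScope of 'Organization'
#    means the assignee can impersonate any mailbox in the organization.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Select-Object Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 4. Report the EWS authentication methods. The prerequisite is Windows (NTLM) or
#    Basic, with Basic disabled when Windows (NTLM) is the configured method.
Get-WebServicesVirtualDirectory |
    Select-Object Server, Name, WindowsAuthentication, BasicAuthentication, ExternalUrl |
    Format-Table -AutoSize

# To apply NTLM-only to one directory after reviewing the report
# (the identity below is a placeholder, not a value from the page):
# Set-WebServicesVirtualDirectory -Identity '<server>\EWS (Default Web Site)' `
#     -WindowsAuthentication $true -BasicAuthentication $false
```

Other EWS clients that still rely on Basic authentication stop working once it is disabled, so check what else uses the directory before applying step 4's change.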

Create an email server profile


1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Select New > Exchange Server (Hybrid).
4. For an Exchange email server profile, specify the following details:
Field: Description

General
Name: Specify a meaningful name for the profile.
Description: Type a short description about the objective of the email server profile.
Auto Discover Server Location: Select Yes (recommended) if you want to use the Autodiscover service to
determine the server location. If you set this to No, you must specify the email server location manually.
Incoming Server Location and Outgoing Server Location: If you select No in Auto Discover Server Location,
enter a URL for Incoming Server Location and Outgoing Server Location.

Credentials
Authenticate Using Impersonation: Enter the credentials for the Exchange service account granted the
ApplicationImpersonation role.
User Name: Type the user name for the Exchange service account.
Password: Type the password for the Exchange service account.

Advanced

Additional Settings
Process Email From: Select a date and time. Email received after the date and time will be processed by
server-side synchronization for all mailboxes associated with this profile. If you set a value less than the
current date, the change will be applied to all newly associated mailboxes and their earlier processed emails
will be pulled.
Minimum Polling Intervals in Minutes: Type the minimum polling interval, in minutes, for mailboxes that are
associated with this email server profile. The polling interval determines how often server-side
synchronization polls your mailboxes for new email messages.
Maximum Concurrent Connections: Type the maximum number of simultaneous connections that can be made by
customer engagement apps to the corresponding email server per mailbox. Increase the value to allow more
parallel calls to Exchange to improve performance or reduce the value if there are errors on Exchange due to
a large number of calls from customer engagement apps. The default value of this field is 10. The maximum
number is considered per mailbox or per email server profile depending on whether the credentials are
specified in a mailbox or email server profile.
Move Failed Emails to Undeliverable Folder: To move the undelivered email to the Undeliverable folder, select
Yes. If there's an error in tracking email messages in Dynamics 365 apps as email activities, and if this
option is set to Yes, the email message will be moved to the Undeliverable folder.

Email Notifications
Send an alert email to the owner of the email server profile reporting on major events: If you want the email
server profile owner to be notified when more than 50% of the mailboxes fail, select Yes.

5. Select Save .
6. Select Test Connection and review the results. To diagnose issues, see the following section.
Troubleshooting the Exchange Server (Hybrid) profile connection
If you've run Test Connection and have issues with the Exchange Server (Hybrid) profile connection, use the
information in the Test Connection dialog box to diagnose and fix the connection.

In this case, there's a problem with Auto Discover. The admin should review the user name and password used for
Authentication Using Impersonation for the Exchange Server (Hybrid) profile.
You can find information on recurring issues and other troubleshooting information in Blog: Test and Enable
Mailboxes in Microsoft Dynamics CRM 2015 and Troubleshooting and monitoring server-side synchronization.

Configure default email processing and synchronization


Set server-side synchronization to be the default configuration method.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email settings .
3. Under Synchronization methods , set the processing and synchronization fields as follows:
Server Profile: The profile you created in the above section.
Incoming Email : Server-Side Synchronization or Email Router
Outgoing Email : Server-Side Synchronization or Email Router
Appointments, Contacts, and Tasks : Server-Side Synchronization or Email Router
If you leave the Email processing form unapproved user and queues at the default values
(checked), you will need to approve emails and queues for user mailboxes as directed below in
Approve Email .
4. Select Save .

Configure mailboxes
To set mailboxes to use the default profile, you must first set the Server Profile and the delivery method for email,
appointments, contacts, and tasks.
In addition to administrator permissions, you must have Read and Write privileges on the Mailbox entity to set the
delivery method for the mailbox.
Select one of the following methods:
Set mailboxes to the default profile
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select all the mailboxes that you want to associate with the Exchange Server profile you created, select
Apply Default Email Settings , verify the settings, and then select OK .

By default, the mailbox configuration is tested and the mailboxes are enabled when you select OK .
Edit mailboxes to set the profile and delivery methods
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes that you want to configure, and then select Edit .
4. In the Change Multiple Records form, under Synchronization Method, set Server Profile to the
Exchange Server profile you created earlier.
5. Set Incoming and Outgoing Email to Server-Side Synchronization or Email Router.
6. Set Appointments, Contacts, and Tasks to Server-Side Synchronization.
7. Select Change .

Approve email
You need to approve each user mailbox or queue before that mailbox can process email.
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes that you want to approve, and then select More Commands (… ) > Approve Email .
4. Select OK .

Test configuration of mailboxes


1. Go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes you want to test, and then select Test & Enable Mailboxes .
This tests the incoming and outgoing email configuration of the selected mailboxes and enables them for
email processing. If an error occurs in a mailbox, an alert is shown on the Alerts wall of the mailbox and the
profile owner. Depending on the nature of the error, customer engagement apps try to process the email
again after some time or disable the mailbox for email processing.
The result of the email configuration test is displayed in the Incoming Email Status , Outgoing Email
Status , and Appointments, Contacts, and Tasks Status fields of a mailbox record. An alert is also
generated when the configuration is successfully completed for a mailbox. This alert is shown to the
mailbox owner.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items
with Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more
about this check box.

Test email configuration for all mailboxes associated with an email server profile
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Select the profile you created, and then select Test & Enable Mailboxes .
When you test the email configuration, an asynchronous job runs in the background. It may take a few
minutes for the test to be completed. Customer engagement apps test the email configuration of all the
mailboxes associated with the Exchange Server profile. For the mailboxes configured with server-side
synchronization for synchronizing appointments, tasks, and contacts, it also checks to make sure they're
configured properly.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items
with Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more
about this check box.

See also
Troubleshooting and monitoring server-side synchronization
Test mail flow with the Remote Connectivity Analyzer
Server-side synchronization
Autodiscover service
Managing the Autodiscover Service
Connect to POP3 or SMTP servers
10/16/2020 • 8 minutes to read

Follow these steps to connect customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) with POP3
and SMTP email servers such as those used for Gmail and Yahoo! Mail.

NOTE
For POP3/SMTP systems supported by Microsoft, check out the following topic: Supported email service configurations for
server-side synchronization.

Create an email server profile


1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Choose New > POP3/SMTP Server.
4. For an Exchange email server profile, specify the following details:

Field: Description

General
Name: Specify a meaningful name for the profile.
Description: Type a short description about the objective of the email server profile.
Incoming Server Location and Outgoing Server Location: Enter the Incoming Server Location and Outgoing
Server Location. For example, Incoming: pop3.live.com and Outgoing: smtp.live.com

Credentials
Authenticate Using: Select a method to authenticate while connecting to the specified email server.
- Credentials Specified by a User or Queue. If you select this option, the credentials specified in the
mailbox record of a user or queue are used for sending or receiving email for the respective user or queue.
Note: To ensure the credentials are secured, SQL encryption is used to encrypt the credentials stored in the
mailbox.
- Credentials Specified in Email Server Profile. If you select this option, the credentials specified in the
email server profile are used for sending or receiving email for the mailboxes of all users and queues
associated with this profile. The credentials must have impersonation or delegation permissions on the
mailboxes associated with the profile. This option requires some configuration on the email server, for
example, configuring impersonation rights on Exchange for the mailboxes associated with the profile. Note: To
ensure the credentials are secured, SQL encryption is used to encrypt the credentials stored in the email
server profile if you're processing email by using server-side synchronization.
- Windows Integrated Authentication. This option applies only to Exchange and SMTP email server types. If
you select this option, the credentials with which the Asynchronous Service has been configured will be used.
- Without Credentials (Anonymous). Not a valid setting.
User Name: Type the user name used to connect to the email server for sending or receiving email for the
mailboxes of all users and queues associated with this profile. This field is enabled and valid only if
Authenticate Using is set to Credentials Specified in Email Server Profile. The user name that you specify
must have permission to send and receive email from the mailboxes of users and queues associated with this
profile. Note: If you're using HTTP for customer engagement apps, the User Name and Password fields will be
disabled. To enable the option, change the value of the deployment property
AllowCredentialsEntryViaNonSecureChannels to 1.
Password: Specify the password of the user that will be used together with the user name to connect to the
email server for sending or receiving email for the mailboxes of users and queues associated with this
profile. The password is stored securely. Note: If you're using HTTP for customer engagement apps, the User
Name and Password fields will be disabled. To enable the option, change the value of the deployment property
AllowCredentialsEntryViaNonSecureChannels to 1.
Use same settings for Outgoing: If you want to use the same credential settings for the incoming and
outgoing connections, choose Yes.

Advanced
Incoming Port: This field shows the port on the email server for accessing the incoming email. This field is
automatically populated when you save the record.
Outgoing Port: This field shows the port on the email server for accessing the outgoing email. This field is
automatically populated when you save the record.
Use SSL for Incoming Connection: Choose Yes if the email channel is on a secure channel and TLS/SSL must be
used for receiving email.
Use SSL for Outgoing Connection: Choose Yes if the email channel is on a secure channel and TLS/SSL must be
used for sending email.
Incoming Authentication Protocol and Outgoing Authentication Protocol: Select a protocol that will be used
for authentication for incoming and outgoing email.

Additional Settings
Process Email From: Select a date and time. Email received after the date and time will be processed by
server-side synchronization for all mailboxes associated with this profile. If you set a value less than the
current date, the change will be applied to all newly associated mailboxes and their earlier processed emails
will be pulled.
Minimum Polling Intervals in Minutes: Type the minimum polling interval, in minutes, for mailboxes that are
associated with this email server profile. The polling interval determines how often server-side
synchronization polls your mailboxes for new email messages.
Maximum Concurrent Connections: Type the maximum number of simultaneous connections that can be made by
customer engagement apps to the corresponding email server per mailbox. Increase the value to allow more
parallel calls to Exchange to improve performance or reduce the value if there are errors on Exchange due to
a large number of calls from customer engagement apps. The default value of this field is 10. The maximum
number is considered per mailbox or per email server profile depending on whether the credentials are
specified in a mailbox or email server profile.

5. Choose Save .

Configure default email processing and synchronization


Set server-side synchronization to be the default configuration method.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email settings .
3. Under Synchronization methods , set the processing and synchronization fields as follows:
Server Profile: The profile you created in the above section.
Incoming Email : Server-Side Synchronization or Email Router
Outgoing Email : Server-Side Synchronization or Email Router
Appointments, Contacts, and Tasks : Server-Side Synchronization or Email Router

NOTE
Server-Side Synchronization or Email Router for Appointments, Contacts, and Tasks is not supported for the
POP3-SMTP profile.

If you leave the Email processing form unapproved user and queues at the default values
(checked), you will need to approve emails and queues for user mailboxes as directed below in
Approve Email .

4. Select Save .

Configure mailboxes
To set mailboxes to use the default profile, you must first set the Server Profile and the delivery method for email,
appointments, contacts, and tasks.
In addition to administrator permissions, you must have Read and Write privileges on the Mailbox entity to set the
delivery method for the mailbox.
Select one of the following methods:
Set mailboxes to the default profile
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Choose Active Mailboxes .
3. Select all the mailboxes that you want to associate with the POP3-SMTP profile you created, select Apply
Default Email Settings , verify the settings, and then select OK .
By default, the mailbox configuration is tested and the mailboxes are enabled when you select OK .
Edit mailboxes to set the profile and delivery methods
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes that you want to configure, and then select Edit .
4. In the Change Multiple Records form, under Synchronization Method, set Server Profile to the
POP3-SMTP profile you created earlier.
5. Set Incoming and Outgoing Email to Server-Side Synchronization or Email Router.
6. Set Appointments, Contacts, and Tasks to None .
7. Select Change .

Approve email
You need to approve each user mailbox or queue before that mailbox can process email.
1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes that you want to approve, and then select More Commands (… ) > Approve Email .
4. Select OK .

Test configuration of mailboxes


1. In the web app, go to Settings > Email Configuration > Mailboxes .
2. Select Active Mailboxes .
3. Select the mailboxes you want to test, and then select Test & Enable Mailboxes .
This tests the incoming and outgoing email configuration of the selected mailboxes and enables them for
email processing. If an error occurs in a mailbox, an alert is shown on the Alerts wall of the mailbox and the
profile owner. Depending on the nature of the error, customer engagement apps try to process the email
again after some time or disable the mailbox for email processing.
The result of the email configuration test is displayed in the Incoming Email Status , Outgoing Email
Status , and Appointments, Contacts, and Tasks Status fields of a mailbox record. An alert is also
generated when the configuration is successfully completed for a mailbox. This alert is shown to the mailbox
owner.
You can find information on recurring issues and other troubleshooting information in Blog: Test and Enable
Mailboxes in Microsoft Dynamics CRM 2015 and Troubleshooting and monitoring server-side
synchronization.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items
with Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more
about this check box.

Test email configuration for all mailboxes associated with an email server profile
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Select the profile you created, and then select Test & Enable Mailboxes .
When you test the email configuration, an asynchronous job runs in the background. It may take a few
minutes for the test to be completed. Customer engagement apps test the email configuration of all the
mailboxes associated with the POP3-SMTP profile. For the mailboxes configured with server-side
synchronization for synchronizing appointments, tasks, and contacts, it also checks to make sure they're
configured properly.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items
with Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more
about this check box.

Network ports for Power Apps US Government


The following ports are open for outbound connections between Power Apps US Government and internet
services.
80 HTTP
443 HTTPS
465 Secure SMTP
995 Secure POP3
Customizations or email configurations in Power Apps US Government can only use these ports.
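
A pre-deployment check for the restriction above, as an added example that is not part of the original page: it reviews email server profile settings against the four open outbound ports and against the TLS/SSL and Authenticate Using fields described in the profile table. The profile objects are constructed sample data, and their property names are hypothetical, chosen to mirror the form's field labels.

```powershell
# Added example. Ports this page lists as open outbound for Power Apps US Government.
$AllowedUsGovPorts = 80, 443, 465, 995

function Test-EmailServerProfile {
    param(
        [Parameter(Mandatory)] [psobject] $ServerProfile
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    foreach ($direction in 'Incoming', 'Outgoing') {
        # Hypothetical property names: IncomingPort / OutgoingPort.
        $port = $ServerProfile."${direction}Port"
        if ($AllowedUsGovPorts -notcontains $port) {
            $findings.Add("$direction port $port is not open outbound in Power Apps US Government")
        }
        # Hypothetical property names: UseSslForIncomingConnection / UseSslForOutgoingConnection.
        if (-not $ServerProfile."UseSslFor${direction}Connection") {
            $findings.Add("$direction connection does not use TLS/SSL")
        }
    }

    # The profile table marks this Authenticate Using option as not valid.
    if ($ServerProfile.AuthenticateUsing -eq 'Without Credentials (Anonymous)') {
        $findings.Add('Authenticate Using is set to Without Credentials (Anonymous)')
    }

    [pscustomobject]@{
        Name     = $ServerProfile.Name
        Passed   = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

# Constructed sample profiles (not exported from a real environment).
$sampleProfiles = @(
    [pscustomobject]@{
        Name = 'POP3-SMTP on 995/465'; IncomingPort = 995; OutgoingPort = 465
        UseSslForIncomingConnection = $true; UseSslForOutgoingConnection = $true
        AuthenticateUsing = 'Credentials Specified in Email Server Profile'
    }
    [pscustomobject]@{
        # Port 587 (mail submission) is common for SMTP but is not in the list above.
        Name = 'POP3-SMTP on 995/587'; IncomingPort = 995; OutgoingPort = 587
        UseSslForIncomingConnection = $true; UseSslForOutgoingConnection = $true
        AuthenticateUsing = 'Credentials Specified by a User or Queue'
    }
    [pscustomobject]@{
        Name = 'Cleartext on 110/25'; IncomingPort = 110; OutgoingPort = 25
        UseSslForIncomingConnection = $false; UseSslForOutgoingConnection = $false
        AuthenticateUsing = 'Without Credentials (Anonymous)'
    }
)

# Only the first sample passes; the second fails on the outgoing port alone.
$sampleProfiles |
    ForEach-Object { Test-EmailServerProfile -ServerProfile $_ } |
    Format-List
```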
See also
Troubleshooting and monitoring server-side synchronization
Test mail flow with the Remote Connectivity Analyzer
Microsoft Power Apps US Government
Connect to IMAP or SMTP servers
10/16/2020 • 8 minutes to read

Follow these steps to connect customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) with IMAP
email servers such as those used for Gmail and Yahoo! Mail.

NOTE
Only emails in the Inbox folder are synchronized.
Existing POP3 email profiles will not be automatically converted to IMAP. There is no support for migrating from POP3 to
IMAP.
For IMAP/SMTP systems supported by Microsoft, check out the following topic: Supported email service configurations
for server-side synchronization.

Create an email server profile


1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Choose New > IMAP/SMTP Server.
4. For an Exchange email server profile, specify the following details:

F IEL DS DESC RIP T IO N

General

Name Specify a meaningful name


for the profile.

Description Type a short description


about the objective of the
email server profile.

Incoming Server Location Enter the Incoming


and Outgoing Server Ser ver Location and
Location Outgoing Ser ver
Location

For example, Incoming:


outlook.office365.com and
Outgoing:
smtp.office365.com

Credentials

Authenticate Using Select a method to


authenticate while
connecting to the specified
email server.
Credentials
F IEL DS DESC RIP T IO N
Specified by a
User or Queue . If
you select this
option, the
credentials
specified in the
mailbox record of a
user or queue are
used for sending or
receiving email for
the respective user
or queue. Note: To
ensure the
credentials are
secured, SQL
encryption is used
to encrypt the
credentials stored
in the mailbox.

Credentials
Specified in
Email Ser ver
Profile . If you
select this option,
the credentials
specified in the
email server profile
are used for
sending or
receiving email for
the mailboxes of all
users and queues
associated with this
profile. The
credentials must
have
impersonation or
delegation
permissions on the
mailboxes
associated with
profile. This option
requires some
configuration on
the email server,
for example,
configuring
impersonation
rights on Exchange
for the mailboxes
associated with the
profile. Note: To
ensure the
credentials are
secured, SQL
encryption is used
to encrypt the
credentials stored
in the email server
profile if you're
processing email by
using server-side
synchronization.
F IEL DS DESC RIP T IO N
Windows
Integrated
Authentication .
This option applies
only to Exchange
and SMTP email
server types. If you
select this option,
the credentials with
which the
Asynchronous
Service has been
configured will be
used.

Without
Credentials
(Anonymous) .
Not a valid setting.

User Name: Type the user name used to connect to the email server for sending or receiving email for the
mailboxes of all users and queues associated with this profile. This field is enabled and valid only if
Authenticate Using is set to Credentials Specified in Email Server Profile. The user name that you
specify must have permission to send and receive email from the mailboxes of users and queues associated
with this profile. Note: If you're using HTTP for customer engagement apps, the User Name and Password
fields will be disabled. To enable the option, change the value of the deployment property
AllowCredentialsEntryViaNonSecureChannels to 1.

Password: Specify the password of the user that will be used together with the user name to connect to
the email server for sending or receiving email for the mailboxes of users and queues associated with
this profile. The password is stored securely. Note: If you're using HTTP for customer engagement apps,
the User Name and Password fields will be disabled. To enable the option, change the value of the
deployment property AllowCredentialsEntryViaNonSecureChannels to 1.

Use same settings for Outgoing: If you want to use the same credential settings for the incoming and
outgoing connections, choose Yes.

Advanced

Incoming Port: This field shows the port on the email server for accessing the incoming email. This field
is automatically populated when you save the record.

Outgoing Port: This field shows the port on the email server for accessing the outgoing email. This field
is automatically populated when you save the record.

Use SSL for Incoming Connection: Choose Yes if the email channel is on a secure channel and TLS/SSL must
be used for receiving email.

Use SSL for Outgoing Connection: Choose Yes if the email channel is on a secure channel and TLS/SSL must
be used for sending email.

Incoming Authentication Protocol and Outgoing Authentication Protocol: Select a protocol that will be
used for authentication for incoming and outgoing email.

Additional Settings
Process Email From: Select a date and time. Email received after the date and time will be processed by
server-side synchronization for all mailboxes associated with this profile. If you set a value less than
the current date, the change will be applied to all newly associated mailboxes and their earlier
processed emails will be pulled.

Minimum Polling Intervals in Minutes: Type the minimum polling interval, in minutes, for mailboxes that
are associated with this email server profile. The polling interval determines how often server-side
synchronization polls your mailboxes for new email messages.

Maximum Concurrent Connections: Type the maximum number of simultaneous connections that can be made to
the corresponding email server per mailbox. Increase the value to allow more parallel calls to Exchange
to improve performance or reduce the value if there are errors on Exchange due to a large number of calls
from customer engagement apps. The default value of this field is 10. The maximum number is considered
per mailbox or per email server profile depending on whether the credentials are specified in a mailbox
or email server profile.

5. Choose Save.

Configure default email processing and synchronization


Set server-side synchronization to be the default configuration method.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email settings.
3. Set the processing and synchronization fields as follows:
Server Profile: The profile you created in the above section.
Incoming Email: Server-Side Synchronization or Email Router
Outgoing Email: Server-Side Synchronization or Email Router
Appointments, Contacts, and Tasks: Server-Side Synchronization or Email Router

NOTE
Server-Side Synchronization or Email Router for Appointments, Contacts, and Tasks is not supported for the
IMAP profile.

If you leave the Email processing form unapproved user and queues at the default values
(checked), you will need to approve emails and queues for user mailboxes as directed below in
Approve Email.

4. Select OK.

Configure mailboxes
To set mailboxes to use the default profile, you must first set the Server Profile and the delivery method for email,
appointments, contacts, and tasks.
In addition to administrator permissions, you must have Read and Write privileges on the Mailbox entity to set the
delivery method for the mailbox.
Select one of the following methods:
Set mailboxes to the default profile
1. In the web app, go to Settings > Email Configuration > Mailboxes.
2. Choose Active Mailboxes.
3. Select all the mailboxes that you want to associate with the IMAP profile you created, select Apply Default
Email Settings, verify the settings, and then select OK.
By default, the mailbox configuration is tested and the mailboxes are enabled when you select OK.
Edit mailboxes to set the profile and delivery methods
1. In the web app, go to Settings > Email Configuration > Mailboxes.
2. Select Active Mailboxes.
3. Select the mailboxes that you want to configure, and then select Edit.
4. In the Change Multiple Records form, under Synchronization Method, set Server Profile to the IMAP
profile you created earlier.
5. Set Incoming and Outgoing Email to Server-Side Synchronization or Email Router.
6. Set Appointments, Contacts, and Tasks to None.
7. Select Change.

Approve email
You need to approve each user mailbox or queue before that mailbox can process email.
1. In the web app, go to Settings > Email Configuration > Mailboxes.
2. Select Active Mailboxes.
3. Select the mailboxes that you want to approve, and then select More Commands (…) > Approve Email.
4. Select OK.

Test configuration of mailboxes


1. In the web app, go to Settings > Email Configuration > Mailboxes.
2. Select Active Mailboxes.
3. Select the mailboxes you want to test, and then select Test & Enable Mailboxes.
This tests the incoming and outgoing email configuration of the selected mailboxes and enables them for
email processing. If an error occurs in a mailbox, an alert is shown on the Alerts wall of the mailbox and the
profile owner. Depending on the nature of the error, customer engagement apps try to process the email
again after some time or disable the mailbox for email processing.
The result of the email configuration test is displayed in the Incoming Email Status, Outgoing Email
Status, and Appointments, Contacts, and Tasks Status fields of a mailbox record. An alert is also
generated when the configuration is successfully completed for a mailbox. This alert is shown to the mailbox
owner.
You can find information on recurring issues and other troubleshooting information in Blog: Test and Enable
Mailboxes in Microsoft Dynamics CRM 2015 and Troubleshooting and monitoring server-side
synchronization.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items
with Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more
about this check box.

Test email configuration for all mailboxes associated with an email server profile
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Select the profile you created, and then select Test & Enable Mailboxes.
When you test the email configuration, an asynchronous job runs in the background. It may take a few
minutes for the test to be completed. Customer engagement apps test the email configuration of all the
mailboxes associated with the IMAP profile. For the mailboxes configured with server-side synchronization
for synchronizing appointments, tasks, and contacts, it also checks to make sure they're configured properly.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items
with Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more
about this check box.

Network ports for Power Apps US Government


The following ports are open for outbound connections between Power Apps US Government and internet
services.
80 HTTP
443 HTTPS
465 Secure SMTP
587 Secure SMTP
993 Secure IMAP
Customizations or email configurations in Power Apps US Government can only use these ports.
See also
Troubleshooting and monitoring server-side synchronization
Test mail flow with the Remote Connectivity Analyzer
Set up server-side synchronization
Connect Gmail accounts using OAuth 2.0
10/16/2020

Follow the steps in this article to set up server-side synchronization to send and receive email in customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation) from Gmail accounts using OAuth 2.0 as the
authorization mechanism.

NOTE
The Gmail OAuth email server profile works for up to 100 users. Create multiple OAuth profiles (steps 1-4) if you want to
associate the same profile with multiple users.

Availability
We're in the process of rolling out this feature. To determine if your environment can connect Gmail accounts using
OAuth 2.0, do the following:
1. In the web app, select Settings > Email configuration > Mailboxes. To open settings for apps that use
Unified Interface, look in the upper-right corner and select the Gear icon. Then select Advanced
settings.
2. Select a mailbox and check the top menu bar for the Signin To Gmail icon. If present, the feature is enabled
for this environment.

Step 1: Enable IMAP or POP in Gmail


NOTE
These steps should be done by the system administrator.

For IMAP, follow the steps in: Check Gmail through other email platforms
For POP, follow the steps in: Read Gmail messages on other email clients using POP

Step 2: Create a project


NOTE
These steps should be done by the system administrator.
Using a Google account (could be the same one you’ll use to send and retrieve email or a different one), go to the
Google Developers Console and create a new project.
Follow the steps for Create a project in: Create, shut down, and restore projects

Step 3: Configure OAuth consent


NOTE
These steps should be done by the system administrator.

1. Select OAuth consent screen and then select the user type. Select Internal if you're using a GSuite admin
tenant and will be creating the app exclusively for your organization. Select External if you’re testing with a
stand-alone Gmail account.
2. Select Create.
3. Enter an application name and your environment's fully qualified domain name (for example:
contoso.crm.dynamics.com). Then, select Save.
4. Select Credentials > Create credentials.
5. Select OAuth client ID.
6. Select Configure consent screen.
7. Enter the following settings:

SETTING: USE
Application type: Web application
Name: The name of your web client
Authorized JavaScript origins: Your environment's URL (for example, https://contoso.crm.dynamics.com)
Authorized redirect URIs: Your environment's URL with "/_grid/cmds/dlg_gmailoauth.aspx" appended to it
(for example, https://contoso.crm.dynamics.com/_grid/cmds/dlg_gmailoauth.aspx)

8. Select Create. In the screen that appears, make note of the client ID and client secret. You'll use this data in
the next step.
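
Google compares the redirect URI of a sign-in request against the registered values, so the entries from step 3 are worth checking for scheme, host, and path mistakes, and for extra entries that widen where authorization responses can be delivered. The Python below is an added example, not part of the original article or of any Microsoft or Google tooling; the function names and sample entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Path the article's example redirect URI appends to the environment URL.
GMAIL_OAUTH_PATH = "/_grid/cmds/dlg_gmailoauth.aspx"


def expected_oauth_values(environment_url):
    """Return (javascript_origin, redirect_uri) for an environment URL.

    Raises ValueError when the URL is not a bare https origin.
    """
    parts = urlsplit(environment_url.strip())
    if parts.scheme != "https":
        raise ValueError("environment URL must use https")
    if not parts.hostname:
        raise ValueError("environment URL has no host")
    if parts.username or parts.password:
        raise ValueError("environment URL must not embed credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("environment URL must be the bare origin, without path or query")
    origin = "https://" + parts.hostname  # hostname is already lower-cased
    if parts.port and parts.port != 443:
        origin += f":{parts.port}"
    return origin, origin + GMAIL_OAUTH_PATH


def check_oauth_client(environment_url, js_origins, redirect_uris):
    """Compare the values entered in the OAuth client with the expected ones.

    Returns a list of findings; an empty list means the entries match exactly.
    """
    origin, redirect = expected_oauth_values(environment_url)
    findings = []
    if origin not in js_origins:
        findings.append(f"missing JavaScript origin {origin}")
    if redirect not in redirect_uris:
        findings.append(f"missing redirect URI {redirect}")
    # Anything beyond the single expected value is unnecessary exposure.
    findings += [f"unexpected JavaScript origin {v}" for v in js_origins if v != origin]
    findings += [f"unexpected redirect URI {v}" for v in redirect_uris if v != redirect]
    return findings


if __name__ == "__main__":
    # Constructed sample: trailing slash on the origin, http on the redirect URI.
    for finding in check_oauth_client(
        "https://contoso.crm.dynamics.com",
        ["https://contoso.crm.dynamics.com/"],
        ["http://contoso.crm.dynamics.com/_grid/cmds/dlg_gmailoauth.aspx"],
    ):
        print(finding)
```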

Step 4: Create an email server profile


NOTE
These steps should be done by the system administrator.

Create a new IMAP or POP3 email server profile.


To create an IMAP email server profile, follow the steps in: Connect to IMAP or SMTP servers
To create a POP3 email server profile, follow the steps in: Connect to POP3 or SMTP servers
Use the following settings:

SETTING: USE
IMAP incoming server location: imap.gmail.com
POP3 incoming server location: pop.gmail.com
IMAP and POP3 outgoing server location: smtp.gmail.com
Authenticate using: Gmail OAuth
Client ID: From the previous step
Client secret: From the previous step

Step 5: Configure the mailbox


NOTE
These steps should be done by the mailbox user.
1. In the web app, select Settings > Email configuration > Mailboxes.
2. Select the mailbox for the user configured in previous steps.
3. Use the following settings:

SETTING: USE
Server profile: The profile created in step 4
Incoming email: Server-Side Synchronization or Email Router
Outgoing email: Server-Side Synchronization or Email Router

4. Select Save.
5. Select Signin to Gmail.
6. Proceed through the Gmail sign-in and authorization pages.

Step 6: Test and enable


NOTE
These steps should be done by the mailbox user.

In the web app, select Test & Enable Mailbox to test the mailbox configured in step 5.
Troubleshooting and monitoring server-side synchronization
10/16/2020

This page is your source for issues and resolutions for troubleshooting server-side synchronization. Check back
for updated information as issues are discovered and resolutions recorded.

The Server-Side Synchronization Failures dashboard


Follow the steps in this KB article to enable and use a dashboard to get information on synchronization errors.

The Server-Side Synchronization Monitoring dashboard


You can use the Server-Side Synchronization Monitoring dashboard to get a quick look at the health of
mailboxes using server-side sync.
Go to any dashboard, click Select next to the dashboard title, and then click Server-Side Synchronization
Monitoring.

This dashboard is made up of multiple charts, each providing insights into your organization's server-side sync
performance.
Click on a number in the list of mailboxes configured for server-side sync to get a specific mailbox status.
Click on the grid icon in each chart to view the records that are used to generate the chart.

Common alerts and recommended resolutions


Mailbox disabled for synchronization
Alert: The mailbox has been disabled for synchronizing appointments, contacts, and tasks for the mailbox
because an error occurred while establishing a secure connection to the Exchange server. The owner of the
email server profile has been notified.
Solution: https://support.microsoft.com/kb/2993502
Error while establishing a secure connection
Alert: Email cannot be received for the mailbox because an error occurred while establishing a secure
connection to the email server. The mailbox has been disabled for receiving email and the owner of the email
server profile has been notified.
Solution: https://support.microsoft.com/kb/2993502
Email message has "Pending Send" status
If you create an email message in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation),
and click the Send button, the message will not be sent unless email integration has been correctly configured
and enabled for sending email from customer engagement apps.
Verify that the user who sent the email is enabled for sending email.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Mailboxes.
3. Change the view to Active Mailboxes.
4. Select the mailbox record for the user who sent the email, and then click the Edit button.
5. Verify the user is correctly configured and enabled for sending email:
If the user's mailbox record is configured to use server-side synchronization for outgoing email, verify
the user's email address is approved and is also tested and enabled. For more information about
configuring server-side synchronization, see Set up server-side synchronization of email,
appointments, contacts, and tasks.
Email address requires approval by Microsoft 365 administrator
Alert: Email cannot be sent/received because the email address of the mailbox <User Name> requires an
approval by an Microsoft 365 administrator. The mailbox has been disabled for sending/receiving email and the
owner of the email server profile Exchange Online has been notified.
Cause:
This error will occur if a user is configured to use the Microsoft Exchange Online email server profile but their
email address has not been approved by a Microsoft 365 administrator. A user with the global administrator
role in Microsoft 365 needs to approve the email address for each user that uses the Microsoft Exchange Online
email server profile. The Microsoft Exchange Online profile uses server-to-server authentication between
customer engagement apps and Exchange Online. This authentication is dependent on a trust between
customer engagement apps and Exchange Online. By verifying the email address in customer engagement apps
as a Microsoft 365 global administrator, customer engagement apps will be able to send and receive email for
that user without the need to provide any email credentials within customer engagement apps.
Solution:
To approve one or more mailboxes:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Mailboxes.
3. Select Active Mailboxes or perform an Advanced Find query to identify a list of mailboxes to update.
4. Select the list of mailboxes you want to approve and then click Approve Email.
5. Click OK to approve the email addresses.
6. Click Test & Enable Mailboxes to retest email processing for the enabled mailboxes.
Email addresses must be approved
Alert: "One or more mailboxes have been disabled for sending/receiving email because their email addresses
have not been approved. Approve the email addresses, and then enable the mailboxes for sending/receiving
email." or "Email cannot be received for the mailbox <Mailbox Name> because the email address of the mailbox
<Mailbox Name> is not approved and the mailbox has been disabled. The owner of the associated email server
profile <Email Server Profile name> has been notified."
Solution:
Mailboxes must be approved before the email will be processed. To approve mailboxes:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Mailboxes.
3. Select Active Mailboxes or perform an Advanced Find query to identify a list of mailboxes to update.
4. Select the list of mailboxes you want to approve and then click Approve Email.
5. Click OK to approve the email addresses.
6. Click Test & Enable Mailboxes to retest email processing for the enabled mailboxes.
NOTE
You can remove the requirement for approving mailboxes using: Settings > Administration > System Settings >
Email tab. Uncheck Process emails only for approved users and Process emails only for approved queues,
then click OK. If you are using the Microsoft Exchange Online profile, email addresses must still be approved by a
Microsoft 365 global administrator.

Mailbox location could not be determined


Alert: The mailbox location could not be determined while sending/receiving the email message <Message
Subject>. The mailbox <Mailbox Name> has been disabled for sending/receiving email and the owner of the
associated email server profile <Email Server Profile name> has been notified.
Solution: You will see this alert if your email server profile (Settings > Email Configuration > Email
Server Profiles) is configured to use the Auto Discover Server Location option but auto discover cannot
detect the location of your mailbox. If this issue occurs, check with your Exchange administrator to verify your
network is configured for auto discover. You can update the email server profile and click No for Auto
Discover Server Location. Then provide the Exchange web services URL for your Exchange deployment. For
example: https://ExchangeServerName/EWS/Exchange.asmx.
Credentials are incorrect or have insufficient permissions
Alert: Email cannot be sent/received because the credentials specified in the associated email server profile are
incorrect or have insufficient permissions for sending/receiving email. The mailbox <Mailbox Name> has been
disabled for sending/receiving email and the owner of the email server profile <Email Server Profile name> has
been notified.
Solution:
This error can appear if incorrect credentials are provided or if the user account specified to access the mailbox
does not have sufficient permissions to the mailbox. Check credentials and permissions for the mailbox. If you
are providing credentials within an email server profile, make sure the user has impersonation permissions and
mailbox access to each associated mailbox.
For more information on configuring Exchange impersonation and granting mailbox access, see:
Configuring Exchange Impersonation
Allow Mailbox Access
Appointments can't be synchronized
Alert: Appointments can't be synchronized because the Organizer field is not present.
Cause: The Organizer field is required for appointment records to synchronize. By default, this field isn't
included on the appointment form.
Solution:
To add the Organizer field to the appointment form:
1. In the web app, go to Settings > Customizations > Customize the System.
2. Under Components, expand Entities > Appointment, and then click Forms.
3. Click Appointment, and then drag the Organizer field onto the form.
4. Click Save > Publish.
Appointments, contacts, and tasks can't be synchronized
Alert: Appointments, contacts, and tasks can't be synchronized because the email address of the mailbox
<Mailbox Name> is configured with another organization. The best practice is to overwrite the configuration
when you test and enable the mailbox in your primary organization. Also, change the synchronization method
for your mailbox in non-primary organizations to None.
Solution:
To change the primary synchronization organization and overwrite the setting stored in Exchange, click:
Settings > Email Configuration > Mailbox > open a mailbox > Test & Enable Mailbox > select Sync
items with Exchange from this Organization only, even if Exchange was set to sync with a
different Organization. This will allow server-side synchronization to work for this environment but the other
environment would no longer work for syncing that mailbox through server-side synchronization. To change
the synchronization method for Appointments, Contacts, and Tasks, click: Settings > Email Configuration >
Mailbox > open a mailbox > select None for Appointments, Contacts, and Tasks.
For more information, see: When would I want to use this check box?

Potential issues and resolutions


Email fails to be sent or received when server-side synchronization is configured with Gmail
If customer engagement apps are configured to use Server-Side Synchronization with Gmail, you may encounter
one of the following errors:
Email cannot be received for the mailbox <Mailbox Name>. Make sure that the credentials specified in
the mailbox are correct and have sufficient permissions for receiving email. Then, enable the mailbox for
email processing.
An unknown error occurred while sending the email message "Test Message". Mailbox <Mailbox Name>
didn't synchronize. The owner of the associated email server profile <Email Server Profile Name> has
been notified.
For more information, see this KB article.
Using Dynamics 365 apps with Exchange Online
If your company is using Exchange Online with customer engagement apps, note the following:
Customer engagement apps support server-side synchronization with Exchange Online in the same tenant with
Server to Server Authentication. Other authentication methods or settings are not recommended or supported,
including:
Using Credentials Specified by a User or Queue
Using Credentials Specified in Email Server Profile
Using Impersonation
Setting Auto Discover Server Location to No
Using an email server profile other than Exchange Online
Using model-driven apps with Exchange Online in a different tenant is currently not supported.
Mailbox deliveries regularly disabled
Mailbox delivery errors are classified as follows:
1. A permanent error (for example, 401 Unauthorized) or a transient error (for example, a network issue).
2. A server error (for example, invalid profile credentials) or a mailbox error (for example, invalid mailbox
credentials).
Customer engagement apps respond to the error as follows:
For server or mailbox permanent errors, the mailbox is disabled as soon as the error is detected.
For server or mailbox transient errors, delivery is retried up to 10 times with a 5 minute gap between
attempts. If delivery fails after 10 attempts, the error is considered permanent and the mailbox is
disabled.
Review the troubleshooting steps in this topic and if the issue is successfully resolved, enable the mailbox.
Unsupported email service configurations
Server-side synchronization doesn't support the following scenarios:
Mix of Exchange/SMTP and POP3/Exchange.
Creation of mass email marketing campaigns.
Extensibility scenarios like extending EWS/POP3/SMTP protocols and creating custom email providers.
Exchange Server 2003 and Exchange Server 2007.
Server-side synchronization in customer engagement apps requires a POP3/SMTP email server that is
also FIPS 140-2 compliant. Some email servers are not FIPS 140-2 compliant, such as MSN,
Outlook.com, or Windows Live Mail.
For most situations not supported by server-side synchronization, you can use the Microsoft Dynamics CRM
Email Router. More information: Integrate your email system

NOTE
We recommend that you don't use a mixed configuration of Outlook synchronization and server-side synchronization for
appointments, contacts, and tasks in the same organization, because it may result in updated Dynamics 365 apps data
not synchronizing to all attendees.

Appointment record is not created when tracked by invitee


Consider the following scenario regarding tracking an event:
1. An event organizer uses Outlook for the synchronization method.
2. An event invitee uses server-side synchronization for the synchronization method.
3. In Dynamics 365 for Outlook, the organizer creates an appointment and sends an invite to the invitee.
4. In Dynamics 365 for Outlook, the invitee tracks the appointment.
5. The invitee logs in to customer engagement apps and navigates to Marketing > Activities >
Appointment > My Appointments.
Result: the appointment is not created for the invitee.
This is a known issue and is not supported. If the organizer is someone outside of the organization, a user who
is an invitee can still track the appointment and have the record created.
Service Appointments and Activities don't synchronize from Outlook to customer engagement apps
Changes made to Service Appointments and Activities will update in Dynamics 365 for Outlook when you
synchronize but the reverse is not true. When you make changes to Service Appointments or Activities in
Dynamics 365 for Outlook, the changes are not synchronized to customer engagement apps. Service
appointments are scheduled by an agent and need free/busy information for resources available only in
customer engagement apps.
Be aware of Exchange Online receiving and sending limits
For enterprise customers with a large mail flow, make sure you're not running up against Exchange Online
receiving and sending limits. See Exchange Online Limits.
See also
Server-side synchronization
Best practices and things to know about server-side synchronization
{Hidden Gem}Understanding Server Side sync Performance Dashboard
When would I want to use this check box?
10/16/2020

A user can be a member of more than one Dynamics 365 organization, but an Exchange mailbox (email address)
can only synchronize emails, appointments, contacts, and tasks with one organization, and a user that belongs to
that organization can only synchronize emails, appointments, contacts, and tasks with one Exchange mailbox. The
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) store the organization ID (OrgID) for
the synchronizing organization and the last time the user synced in Exchange.
You can use the Sync items with Exchange from this Dynamics 365 org only, even if Exchange was set
to sync with a different org check box to overwrite the setting stored in Exchange if you want to change the
primary synchronizing organization. Why would you want to do this? In most cases, you won't need to. Most
users are members of just one organization. When an admin starts the synchronization for the user's Exchange
mailbox by testing and enabling the mailbox through server-side synchronization, the user's mailbox is
automatically set to synchronize appointments, contacts, and tasks with that organization.
However, you may want to select the check box in the following situations:
The OrgID setting in Exchange can inadvertently be overwritten in certain circumstances. For example,
let's say a user is a member of two organizations: one in North America and one in Japan. The admin for
the North American organization sets up the user's mailbox through server-side synchronization. Then
the admin for the organization in Japan sets up the same user's mailbox through server-side
synchronization, overwriting the OrgID setting stored in Exchange. The user will only be able to
synchronize appointments, contacts, and tasks with the organization in Japan. To reset the user's mailbox,
select the Sync items with Exchange from this Dynamics 365 org only, even if Exchange was
set to sync with a different org check box.
In some cases, you may not know the state of the configuration stored in Exchange, but the user's
Exchange mailbox is not able to synchronize for some reason. In this case, select the check box to start
synchronizing the mailbox with the appropriate organization.
If an admin has migrated users from one organization to another, a user's mailbox might still be set to
synchronize with the old organization. In this case, select the check box to start synchronizing the mailbox
with the appropriate organization.
To make sure an administrator doesn't inadvertently set a non-primary organization as the synchronizing
organization, it's a best practice to set the synchronization method for the non-primary organization to
None.

Set the synchronization method to "None" for the non-primary organization
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Mailboxes.
3. Choose the mailbox record to open it.
4. In the Mailbox dialog box, under Synchronization Method, select None in the Appointments,
Contacts, and Tasks list.
See also
Set up server-side synchronization of email, appointments, contacts, and tasks
Error logging for server-side synchronization
10/16/2020

In this topic, you will learn about the error logging tasks performed by server-side synchronization. Server-side
synchronization generates alerts if an error occurs while processing email. An error is classified based on the
nature of the error and on the object the error was encountered for.
The following table shows classification of errors based on the nature of the errors.

TRANSIENT ERRORS
- Errors are temporary in nature and may get fixed automatically after certain attempts. If the error persists after
reaching the configured retry count, a new error (without changing the error code) is logged as a permanent error.
- These errors do not require a direct corrective action by a user, but an administrator should look for any
reliability or throttling issues.
- All errors appear in the Warning section of the administrator’s and user’s alert wall.

PERMANENT ERRORS
- These are permanent in nature and mostly occur when the transient errors remain unresolved even after certain
attempts. Permanent errors can also be triggered directly without any transient errors (for example: password expired).
- Email processing for the affected mailboxes is stopped as a result of these errors. These require a corrective
action by the mailbox owner or an administrator.
- All permanent errors appear in Error section of the administrator’s and user’s alert wall.

The errors are also classified based on the object on which the error is encountered:
Email-level errors. Errors that are specific to an email and prevent processing of an individual email
without impacting processing of other emails. Error alerts are displayed in the Alerts section of the email
form.
Mailbox-level errors. Errors that are specific to a mailbox and prevent processing of all emails in a
mailbox and require corrective action from the respective mailbox owner. Error alerts are displayed in the
alerts section of the email form, mailbox owner’s alert wall, and on the Mailbox form.
Profile-level errors. Errors which prevent processing of all emails in one or more mailboxes and require
corrective action from the associated email server profile owner. Error alerts are displayed on the alerts
section of the email server profile form, alerts wall of the owner of the email server profile, and on the alert
walls of the impacted mailbox owners - but no action is required from them.
To know how to view the alerts and the actions you can take on these alerts, see Monitor email processing errors.
See also
Troubleshooting and monitoring server-side synchronization
Supported scenarios for server-side synchronization
Best practices for server-side synchronization
10/16/2020 • 2 minutes to read

Consider the following when planning and deploying server-side synchronization.

Best practices for configuring server-side synchronization


If you use customer engagement apps and Exchange Online
By default, the Microsoft Exchange Online email server profile is created for customer engagement apps (Dynamics
365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics
365 Project Service Automation), and should be your first choice. If you want to use your own profile, and
customer engagement apps and Exchange Online are both on the same tenant, use the following
settings in your email server profile (Settings > Email Configuration > Email Server Profiles).

SETTINGS | RECOMMENDATION
Auto Discover Server Location | Yes
Incoming Connection
Authenticate Using | Server to Server Authentication
Use Impersonation | No
Use same settings for Outgoing | Yes

If you want to use one set of credentials to process emails with Outlook or Exchange
Using one account to process email to all mailboxes is easier to maintain but requires using an account that has
access to all mailboxes in Outlook or Exchange. The account must have impersonation rights on Exchange. If that
single account is compromised, all mailboxes using that account are compromised. Use the following settings in
your email server profile (Settings > Email Configuration > Email Server Profiles) to use a single account for
email processing.

SETTINGS | RECOMMENDATION
Incoming Connection
Authenticate Using | Credentials Specified in Email Server Profile
User Name | The administrator's user name
Password | The administrator's password
Use Impersonation | Yes
Use same settings for Outgoing | Yes

Delegation (Use Impersonation = No) is not supported for syncing Appointments, Contacts, and Tasks.
If you want to use individual credentials to process emails with Outlook or Exchange
An alternative to a single account to process emails is using individual accounts. This method requires more
maintenance effort but does not focus security on a single account. If you want each user account to synchronize
with Outlook or Exchange and you're not using the Microsoft Exchange Online email server profile, use the
following settings (Settings > Email Configuration > Email Server Profiles).

SETTINGS | RECOMMENDATION
Incoming Connection
Authenticate Using | Credentials Specified by a User or Queue
Use Impersonation | No
Use same settings for Outgoing | Yes

Set the following in each user mailbox.

SETTINGS | RECOMMENDATION
Credentials
Allow to Use Credentials for Email Processing | Yes
User Name | The user name for the mailbox
Password | The password for the mailbox
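
The trade-off between the single-account and individual-credential setups described above, as an added example (not Microsoft's code): it audits an inventory of email server profiles and mailboxes, reports how many mailboxes each stored credential exposes, and flags settings this page describes as unsupported or incomplete. The flat record layout, the sample data, and the names audit_profiles and blast_radius are assumptions; the keys reuse the setting labels from the tables above rather than Dataverse schema names.

```python
from collections import defaultdict

# "Authenticate Using" values, as listed in the settings tables above.
S2S = "Server to Server Authentication"
PROFILE_CREDS = "Credentials Specified in Email Server Profile"
USER_CREDS = "Credentials Specified by a User or Queue"
SSS = "Server-Side Synchronization"

# Constructed sample inventory. Keys reuse the setting labels from this page;
# the flat dict layout is an assumption, not a Dataverse export format.
PROFILES = [
    {"Name": "Exchange Online default", "Authenticate Using": S2S,
     "Use Impersonation": "No"},
    {"Name": "Shared service account", "Authenticate Using": PROFILE_CREDS,
     "Use Impersonation": "Yes", "User Name": "svc-sync@contoso.example"},
    {"Name": "Delegated account", "Authenticate Using": PROFILE_CREDS,
     "Use Impersonation": "No", "User Name": "svc-delegate@contoso.example"},
    {"Name": "Per-user credentials", "Authenticate Using": USER_CREDS,
     "Use Impersonation": "No"},
]


def mailbox(name, profile, allow="No", user="", act="None"):
    """Build one constructed mailbox record."""
    return {"Name": name, "Server Profile": profile,
            "Allow to Use Credentials for Email Processing": allow,
            "User Name": user, "Appointments, Contacts, and Tasks": act}


MAILBOXES = [
    mailbox("alice", "Exchange Online default", act=SSS),
    mailbox("bob", "Shared service account", act=SSS),
    mailbox("carol", "Shared service account"),
    mailbox("support-queue", "Shared service account"),
    mailbox("dave", "Delegated account", act=SSS),
    mailbox("erin", "Per-user credentials", allow="Yes",
            user="erin@contoso.example"),
    mailbox("frank", "Per-user credentials"),  # no credentials entered
]


def audit_profiles(profiles, mailboxes):
    """Return one finding per profile, largest credential exposure first.

    blast_radius = mailboxes reachable with a single stored credential.
    """
    members_of = defaultdict(list)
    for mb in mailboxes:
        members_of[mb["Server Profile"]].append(mb)

    findings = []
    for prof in profiles:
        members = members_of[prof["Name"]]
        auth = prof["Authenticate Using"]
        impersonation = prof.get("Use Impersonation", "No") == "Yes"
        finding = {"profile": prof["Name"], "auth": auth,
                   "mailboxes": len(members), "blast_radius": 0, "issues": []}

        if auth == PROFILE_CREDS:
            # One account in the profile processes every attached mailbox.
            finding["blast_radius"] = len(members)
            if len(members) > 1:
                finding["issues"].append(
                    f"single account {prof.get('User Name', '?')} covers "
                    f"{len(members)} mailboxes")
            if not impersonation:
                # Delegation (Use Impersonation = No) cannot sync
                # Appointments, Contacts, and Tasks.
                for mb in members:
                    if mb["Appointments, Contacts, and Tasks"] == SSS:
                        finding["issues"].append(
                            f"{mb['Name']}: ACT sync unsupported with delegation")
        elif auth == USER_CREDS:
            # Each mailbox holds its own credential: exposure is one mailbox.
            finding["blast_radius"] = 1 if members else 0
            for mb in members:
                allowed = mb["Allow to Use Credentials for Email Processing"]
                if allowed != "Yes" or not mb["User Name"]:
                    finding["issues"].append(
                        f"{mb['Name']}: mailbox credentials not configured")
        # S2S: the table above lists no user name or password to store.

        findings.append(finding)
    return sorted(findings, key=lambda f: f["blast_radius"], reverse=True)


if __name__ == "__main__":
    for f in audit_profiles(PROFILES, MAILBOXES):
        print(f"{f['profile']}: auth={f['auth']!r} "
              f"blast_radius={f['blast_radius']}")
        for issue in f["issues"]:
            print(f"  - {issue}")
```
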

See also
Server-side synchronization
Troubleshooting server-side synchronization
Edit mailboxes
10/16/2020 • 5 minutes to read

By default, when users and queues are created in customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), their respective mailbox records are also created. These mailbox records contain information that is
specific to an individual mailbox on the email server, like email address, mailbox credentials, and email
synchronization method. To process email messages using server-side synchronization for users and queues, their
respective mailbox records should be associated to an email server profile record in customer engagement apps.
If your organization wants to configure server-side synchronization using a forward mailbox, you can create a new
forward mailbox record.

IMPORTANT
Forward mailboxes are not recommended and you should use individual mailboxes instead. Please review: Forward mailbox
vs. individual mailboxes.

A forward mailbox is used as a collection box for email messages that are transferred from each user’s mailbox on
the email system by a server-side rule. The forward mailbox must be dedicated to server-side synchronization, and
must not be used as a working mailbox by an individual user. This can be used to process email messages for
users and queues whose mailboxes have Incoming Email Synchronization Method set to Forward Mailbox.
You must associate the forward mailbox record to an email server profile record to process email using server-
side synchronization.

TIP
You can use a Microsoft 365 shared mailbox when you create a queue in customer engagement apps and not consume a
Microsoft 365 license for a forwarding email account.

These settings can be found in the Power Platform admin center by going to Environments > [select an
environment] > Settings > Email > Mailboxes.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions.
Check your security role:
- Follow the steps in View your user profile.
- Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Email > Mailboxes.
2. To edit an existing mailbox record, open the mailbox record.
3. In the mailbox record, specify the following details.

FIELDS | DESCRIPTION

General
Name | Type a meaningful name for the mailbox.
Owner | Shows the owner of the mailbox. For a user mailbox that is automatically populated, the owner of the mailbox is the user itself. For a queue mailbox that is automatically populated, the owner of the mailbox is the owner of the queue record.
Email address | Type the email address for the forward mailbox, such as forwardmailbox@contoso.com. For a user or a queue mailbox, the email address is the same as that specified in the corresponding user or queue record form. If you edit the email address here, the email address in the user or queue record is updated automatically.
Delete Emails After Processing | Specify if you want to delete email from the mailbox after processing. This field is available and can be set to Yes only for a forward mailbox and a queue mailbox.
Regarding | Select the user or queue that the mailbox is associated with. This field is empty and cannot be set for a forward mailbox.
Is Forward Mailbox | This field indicates whether the mailbox record is a forward mailbox. When set to No, it indicates that the mailbox record is associated to an individual user or queue in customer engagement apps.

Credentials
Allow to Use Credentials for Email Processing | Select Yes if the email server profile associated to this mailbox has Authenticate Using set to Credentials Specified by a User or Queue. You must provide the username and password when this field is set to Yes. These credentials will be used to send and receive email from the mailbox on the email server. Note: To ensure the credentials are secured in customer engagement apps, SQL encryption is used to encrypt the credentials stored in the mailbox if you’re processing email by using server-side synchronization.

Synchronization Method
Server Profile | Select the email server profile that is used for email processing for this mailbox. For information on choosing a synchronization method, see: Integrate your email system
Incoming Email | Select the delivery method for incoming email. This will determine how incoming email will be accessed for this mailbox.
  - None. Email won’t be received.
  - Forward Mailbox. Email will be received using a forward mailbox.
  - Microsoft Dynamics 365 for Outlook. Email is received by using Dynamics 365 for Outlook.
  - Server-Side Synchronization or Email Router. Email is received by using server-side synchronization or the Email Router.
Outgoing Email | Select the delivery method for outgoing email. This determines how outgoing email will be sent for this mailbox.
  - None. Email won’t be sent.
  - Microsoft Dynamics 365 for Outlook. Email is received by using Dynamics 365 for Outlook.
  - Server-Side Synchronization or Email Router. Email is sent by using server-side synchronization or Email Router.
  Note: For a forward mailbox, only None is allowed.
Appointments, Contacts, and Tasks | Select whether you want to use Dynamics 365 for Outlook or server-side synchronization to synchronize appointments, contacts, and tasks. If you select None, appointments, contacts, and tasks won’t be synchronized.

Configuration Test Results
Incoming Email Status | Shows the result of the email configuration test for incoming email. The various statuses can be:
  - Not Run. The email configuration test has not been run for this mailbox.
  - Success. The incoming email has been configured and email can be received for this mailbox.
  - Failure. The incoming email has been configured but it is not possible to pull email from the corresponding configured mailbox.
Outgoing Email Status | Shows the result of the email configuration test for outgoing email. The various statuses can be:
  - Not Run. The email configuration test hasn’t been run for this mailbox.
  - Success. The outgoing email has been configured and email can be sent from this mailbox.
  - Failure. The outgoing email has been configured but it’s not possible to send email from the corresponding configured mailbox.
Appointments, Contacts, and Tasks Status | Shows the result of the synchronization of appointments, contacts, and tasks. The various statuses can be:
  - Not Run. The synchronization has not been tested for this mailbox.
  - Success. Appointments, contacts, and tasks can be synchronized for this mailbox.
  - Failure. Appointments, contacts, and tasks can’t be synchronized for this mailbox.
Mailbox Test Completed On | This field shows the date and time when the email configuration was tested for this mailbox record.

4. Select Save or Save & Close.


Configure Outlook or Exchange folder-level tracking
10/16/2020 • 2 minutes to read

You can enable folder-level tracking for Microsoft Exchange folders to map an Exchange inbox folder to a customer
engagement apps record so that all the emails in the Exchange folder get automatically tracked against the mapped
record in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation). Consider an example where you
have an account called Adventure Works. You can create a folder in your Outlook called Adventure Works under
your Inbox folder, and create some Exchange rules to automatically route the emails to the Adventure Works folder
based on the subject or the body of an email. Next, you can map your Exchange folder (Adventure Works) with the
account record (Adventure Works) to automatically track all the emails that land in the Adventure Works Exchange
folder, and set the regarding object as the Adventure Works account record.

TIP
Check out the following video: Folder Level Tracking in CRM Online 2015 Update 1

Enable folder-level tracking


1. Click Settings > Email Configuration.
2. Click Email Configuration Settings.
3. Confirm that Process Email Using is set to Server-Side Synchronization.
4. Enable Use folder-level tracking from Exchange folders (server-side synchronization must be
enabled).
5. Configure other tracking options on this page, and then click OK.
Once you've enabled folder-level tracking, users will need to configure folder-tracking rules with Settings >
Options > Email > Configure Folder Tracking Rules.

Some important points about folder-level tracking


- Folder-level tracking of emails will work only if your organization is configured to use server-side
  synchronization for emails. Server-side synchronization must be configured for Exchange (and not POP3)
  mailboxes. For more information, see Set up server-side synchronization of email, appointments, contacts,
  and tasks.
- You can track emails only in folders under your Inbox folder in Exchange. Other folder emails cannot be
  tracked.
- You can track up to a maximum of 25 folders per user account.
- Any manual changes done to the regarding object in the tracked activity records will be overridden the next
  time server-side synchronization kicks in. For example, if you have set up a mapping between the Adventure
  Works folder and the Adventure Works account, all the emails in the Adventure Works Exchange folder will
  be tracked as activities with the regarding set to the Adventure Works account record. If you change the
  regarding to some other record, it will automatically be overridden the next time server-side
  synchronization occurs. To change the regarding for any email, move the email to a different folder such as
  the Inbox.
- Folder-level tracking for queue mailboxes is not supported.
See also
System Settings dialog box - Email tab
Use Outlook category to track appointments and emails
10/16/2020 • 5 minutes to read

Server-side synchronization now allows tracking of emails, appointments and tasks in Outlook with a special
category Tracked to Dynamics 365. Assigning this category to an email, appointment or a task in Outlook syncs
the item to customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation). Similarly, removing the
category from a tracked email, appointment or task untracks it from customer engagement apps.
You can also select multiple items and assign the Tracked to Dynamics 365 Outlook category to them thereby
tracking all of them to customer engagement apps. Quickly identify tracked items by observing the presence of this
category in your Inbox and other folders.

Configure category-based tracking through an OrgDBOrgSetting


As of version 9.1.0.4039 or higher, category tracking is on by default.

TIP
To determine your version, sign in to customer engagement apps, and in the upper-right side of the screen, select the
Settings button > About.

Use category to track Outlook items


Once the Tracked to Dynamics 365 category is available in Outlook, you can use it to track the following
Outlook items.

Email
Track an email by assigning it the Tracked to Dynamics 365 category. The category assignment can be seen
immediately in Outlook. At this time, the email is marked for tracking. Server-side synchronization will sync the
email to customer engagement apps within 15 minutes, based on the email synchronization setting.
If an email is tracked and is categorized as Tracked to Dynamics, removing the category will untrack the email.
However, the corresponding email activity record is not deleted.

NOTE
You can set up a rule in Outlook to assign or remove a category. See Manage email messages by using rules.

Appointment
You can track an appointment by assigning it the Tracked to Dynamics 365 category. The appointment will be
tracked and synced to customer engagement apps based on server-side synchronization rules.
If an appointment is tracked and is categorized as Tracked to Dynamics, removing the category will untrack the
appointment. However, the corresponding Dynamics 365 apps appointment activity record is not deleted.
Task
NOTE
Assignment of tasks to people that is captured in Outlook will not be synced to customer engagement apps.

Use category-based tracking with App for Outlook


If you have Dynamics 365 App for Outlook, you can use category-based tracking with App for Outlook.
The following table lists different scenarios of tracking.

ACTION | RESULT
Assign the Tracked to Dynamics 365 category to an email/appointment | Server-side synchronization will sync email/appointment within 15 minutes. Loading App for Outlook on that item will display the tracked status.
Track an email/appointment using App for Outlook | Email/Appointment is tracked. The Tracked to Dynamics 365 category is assigned immediately.
Removal of the Tracked to Dynamics 365 category on an email/appointment | Server-side synchronization will untrack the item in about 15 minutes. Loading App for Outlook on that email will display the tracked status. The activity record is not deleted from customer engagement apps.
Untrack an email/appointment using App for Outlook | Email/Appointment is untracked and Tracked to Dynamics 365 category is removed.

Delegate users
If you allow someone else to manage your email and calendar by providing them delegate access, the delegate can
access your categories in Outlook, if the delegate has Editor permissions.
If your mailbox has the Tracked to Dynamics 365 category, the delegate can track your emails and appointments
by assigning the Tracked to Dynamics 365 category.

Category-based tracking with Dynamics 365 for Outlook


Category-based tracking is not supported with Dynamics 365 for Outlook. We recommend that you do not enable
OrgDBOrgSetting TrackCategorizedItems on an organization set up to use Dynamics 365 for Outlook.

Disable category-based tracking


You can disable category-based tracking for the Dynamics 365 apps organization by disabling OrgDBOrgSetting
TrackCategorizedItems.

NOTE
If you disable OrgDBOrgSetting TrackCategorizedItems, the Tracked to Dynamics 365 category is soft-deleted, with
the category assignment retained in Outlook. If you delete the category from the master list, it will be deleted permanently.

FAQ
Can I track my Outlook contacts by assigning the Tracked to Dynamics 365 category?
No, category-based tracking is not supported for Outlook contacts.
What happens if I rename the Tracked to Dynamics 365 category?
If you rename the category, server-side synchronization will continue to identify the category by its ID and it will be
used to track and untrack Outlook items.
What happens if I delete the Tracked to Dynamics 365 category?
If you delete the category, server-side synchronization will recreate it on the Exchange server in about 15 minutes.
When I turn on OrgDBOrgSetting TrackCategorizedItems for the first time, will my previously tracked
items be assigned the Tracked to Dynamics 365 category?
No, server-side synchronization will not go back in time to assign the category to already tracked items.
If I assign the Tracked to Dynamics 365 category to an Outlook conversation thread, what happens?
If you categorize a conversation thread as Tracked to Dynamics 365, all the emails in that thread are assigned
the category and hence will be tracked.
Can I assign Tracked to Dynamics 365 category to recurring appointments?
If you categorize a recurring appointment as Tracked to Dynamics 365, all the individual instances of the
appointment are assigned the category and will be tracked.
What happens when tracking of an email fails?
By default, failed auto tracked emails will be retried in a new synchronization cycle – approximately every 15
minutes. Retries will be done up to 5 times. If the retries fail after 5 attempts, the email will be assigned the
category Tracked to Dynamics 365 (Undeliverable) and no further retries will occur. Auto tracked emails which
fail with the following errors will be retried:
- Promotion of emails fails due to a plugin configured in the customer environment
- Promotion of emails fails because of timeouts from either customer engagement apps or Microsoft Exchange
- An email is rejected with InvalidSender or because of some unknown decisions
After 5 retries, if the failure to promote the email was due to a plugin error, try fixing the plugin. Then, assign the
Tracked to Dynamics 365 category to manually track the undelivered emails to get them tracked in customer
engagement apps.
How do I remove category-based tracking through OrgDBOrgSetting?
To disable the special Tracked to Dynamics 365 Outlook category, you need to enable the OrgDBOrgSetting in
your organization. Customer engagement apps provides the OrgDBOrgSettings tool that gives administrators the
ability to implement specific updates that were previously reserved for registry implementations.
1. Follow the instructions in this article for steps to extract the tool.
2. After extracting the tool, disable the OrgDBOrgSetting TrackCategorizedItems.
3. Disabling the OrgDBOrgSetting will remove the category Tracked to Dynamics 365 on all Exchange
mailboxes of the organization which have server-side synchronization enabled in about 15 minutes.
You can also use this tool to edit the OrgDBOrgSetting TrackCategorizedItems.
Track Outlook email by moving it to a tracked Exchange folder
10/16/2020 • 7 minutes to read

Track customer interactions wherever you are, and from virtually any device by using folder tracking. After you
set up a tracked folder, you can drag or move email to that folder to track it automatically in customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation). Additionally, if you set a regarding record (such
as a specific account or opportunity record) for the folder, customer engagement apps automatically link all email
in that folder to that specific record. Tracked folders work in Exchange Online, Outlook on the web, or any other
mobile app that supports Exchange.

TIP
Tracked folders work with Exchange Inbox rules. This makes it easy to automatically route email messages to a particular
folder. For example, set up an Exchange rule that automatically routes email from a Contoso contact to a tracked Contoso
folder, which is linked to a specific Contoso opportunity. Tell me more about setting up rules.

To see folder tracking in action, see the video Folder Level Tracking in CRM Online.

Requirements for using tracked folders


- The tracking folders feature must also be enabled by your administrator. For more information, contact
  your administrator. For admin information on enabling tracked folders, see Configure folder-level tracking.
- Your organization must use server-side synchronization as your email synchronization method. If you don't
  know which synchronization method your organization uses, contact your administrator. For admin
  information about setting up server-side synchronization, see Set up server-side synchronization.

Set up a tracked folder


1. In the web app, on the nav bar, click Options.
2. In the Set Personal Options dialog box, click the Email tab, and then under Select the email
messages to track in Dynamics 365, click Configure Folder Tracking Rules.
3. In the Folder-Level Tracking dialog box, under Exchange Folder, click + New Folder Mapping, click
the down arrow in the box that appears, and then select the folder you want to track.

NOTE
You can only track folders or subfolders inside your Exchange Inbox. Only the folder you select will be tracked. For
example, if you select a folder that includes subfolders, the subfolders aren't tracked unless you specifically select
them in this dialog box. The maximum number of folders you can track is 25.

4. If you want to link the folder to a specific record—for example, an account or opportunity—under
Regarding Record in Dynamics 365 apps, click the Lookup button, and then search for the record.
5. Repeat steps 3 and 4 for any additional folders you want to track and (optionally) link to regarding records.
6. When you're done adding and linking folders, click Save.

Best practices for folder tracking


- Make sure to take advantage of folder tracking on your mobile devices. If your device supports Exchange
  email, folder tracking will work automatically. You don't need to install anything. Just drag or move email to
  a tracked folder to automatically track that email.
- Whether you set a regarding record for a folder or not depends on how you plan to use the folder:
  - If you receive a small volume of email from many different customers, you may want to create a
    single folder called "Track in Dynamics 365" (or similar name) that isn't linked to a particular record.
    That way, you can drag messages to that folder to track them automatically. If you later want to link
    an email message in that folder to a specific record, open that activity record, and then fill in the
    Regarding field.
  - If you receive large volumes of email from a particular customer, create a folder (or use an existing
    folder) just for that customer and link it to a specific record. For example, create a Contoso folder
    and set the regarding record to a Contoso account record or opportunity record.
- Any email in response to email that has been tracked will only be auto tracked if the response email is in
  the Inbox folder. If it has been moved manually or via Outlook rules into a sub-folder within Inbox, it will
  not be tracked automatically. Workaround: (1) do not use rule-based folder routing or (2) do not manually
  move email from a folder to the Inbox for any email response that you think needs to be tracked.
- You can set up multiple folders that link to the same regarding record. For example, you could link a
  Contoso Sales Proposal folder and a Contoso Legal Matters folder to the same Contoso account record.
- It's best not to use the same folder for different records over a period of time. For example, let's say you're
  tracking email communications for an opportunity with Customer 1, but you've won the opportunity, and
  now you don't need to track further communications with that customer. You may be tempted to simply
  change the regarding record for that folder to a new customer (Customer 2) you're working with. If you do
  that, however, all email in that folder, including the email pertaining to Customer 1, will be associated with
  Customer 2. So it's best in this case to create a new folder associated with Customer 2, and then set the
  regarding record for that new folder to Customer 2. Then you can delete the regarding record for the
  Customer 1 folder.
- You can include an untracked folder inside a tracked folder. For example, let's say you want to store
  personal email from a Contoso contact. You can create a Personal subfolder under the Contoso folder and
  leave it untracked.
- If you no longer need to track a folder, it's a good idea to untrack it for performance reasons. To untrack a
  folder, remove it from the Folder-Level Tracking dialog box.

What happens when you untrack, move, delete, or rename folders, or change the regarding record?

The following table shows what happens when you untrack, move, or delete folders, or change the regarding record
linked to a tracked folder.

ACTION | RESULT
Untrack a folder by deleting it from the Folder-Level Tracking dialog box | All email messages previously included in that folder will still be tracked, and the regarding record will still be linked to those email messages. New email messages you add to that folder won't be tracked.
Delete a folder from Outlook or Exchange | All email messages included in that folder will be deleted from Outlook or Exchange Online. Email messages already tracked through that folder will not be deleted from customer engagement apps, however.
Move a folder in Outlook or Exchange | The folder and all its contents will continue to be tracked. If you move a folder outside your Inbox, folder-level tracking rules will be disabled.
Rename a folder in Outlook or Exchange | The folder and all its contents will continue to be tracked. Tip: When you rename folders, the software uses the Exchange folder ID for tracking purposes – it's not dependent on the actual name of the folder. This is important to know if you delete a folder, and then rename a new folder with the same name as the deleted folder. For example, let's say you delete Folder 1, create Folder 2, and then rename Folder 2 to be Folder 1. The tracking information for the original Folder 1 won't be retained in this case.
Remove the link between a tracked folder and a specific record by deleting the link in the Folder-Level Tracking dialog box | All messages in that folder that were previously linked will continue to be linked. New messages added to that folder won't be linked.
Move an email message in a tracked folder that's linked to a specific record to a different folder | If the new folder doesn't have a regarding record, the email message will continue to be linked to the original record. If the new folder has a regarding record, the email message will be linked to that regarding record.
Manually change the regarding record for an email message that's linked to a different regarding record through a tracked folder | The tracked folder rule takes precedence. When the folder is synchronized, the email message will be re-linked to the record specified in the folder tracking rule, even if you change the regarding record manually. To change the regarding record in this case, do one of the following:
  - Move the message to a tracked folder linked to the record you want.
  - Remove the link to the regarding record in the Folder-Level Tracking dialog box before you manually change the regarding record.
  - Move the specific email message outside the tracked folder, and then manually change the regarding record for that email message.
Two users move the same email message to separate folders that have different regarding records | You can only set one regarding record for an email message. In this case, the record that's processed first is linked to the regarding record.

See also
Frequently asked questions about synchronizing records between customer engagement apps and Microsoft
Outlook
Configure folder-level tracking
Set incoming and outgoing email synchronization
10/16/2020 • 2 minutes to read

You have several options for synchronizing email messages with customer engagement apps (Dynamics 365 Sales,
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation). Use the following information to deploy the best option for your company.

Set the synchronization method


You can set the default synchronization method applied to all newly created user mailboxes:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email settings.
You can set the synchronization method for individual mailboxes:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Mailboxes, and then select a mailbox.
For information on picking a synchronization method, see Integrate your email system.

Incoming email messaging options


The available incoming email configurations that you can use when a user or a queue receives email messages are
as follows:
- None. Use this option for users or queues that do not use customer engagement apps to track received
  email messages.
- Dynamics 365 for Outlook. This option is available for users and requires that Office Outlook be installed
  on the user's computer. This option does not require the Email Router component and is not available for
  queues.
- Server-Side Synchronization or Email Router. When you select this option, the server-side
  synchronization or Email Router will process email messages directly from the user's or queue's inbox,
  without using a forward or a sink mailbox. Although this option does not require a sink mailbox, it does
  make troubleshooting server-side synchronization or Email Router issues more complex for larger user
  bases (10 or more users) because each incoming email message is processed by the server-side
  synchronization or Email Router in every user's mailbox instead of in a single dedicated mailbox.
- Forward Mailbox. To use this option, you must install the Email Router. This option requires a sink mailbox,
  which is a dedicated mailbox that collects email messages transferred from each user's mailbox by a server-
  side rule. Although this option does not require users to run Outlook, it does require that the rule be
  deployed for each user. You use the Rule Deployment Wizard to deploy rules to each user mailbox.

Outgoing email messaging options


The available outgoing email configurations that you can use when users or queues send email messages are as
follows:
None. Use this option for users or queues that do not use customer engagement apps to send email
messages.
Dynamics 365 for Outlook. This option is available for users and requires that Office Outlook be installed
on the user's computer. This option does not require the Email Router component and is not available for
queues.
Server-Side Synchronization or Email Router. This option delivers email messages by using the
server-side synchronization or Email Router component. The email system must be SMTP-compliant. The
server-side synchronization or Email Router can be installed on the SMTP server or on a different computer that has
a connection to the SMTP server.
See also
Forward mailbox vs. individual mailboxes

Choose the records to synchronize between customer engagement apps and Exchange
10/16/2020 • 2 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) use online synchronization
filters to determine which records to synchronize between customer engagement apps and Exchange (using
server-side synchronization). You can modify the existing online synchronization filters or create new filters to
synchronize certain types of records. You can also delete, deactivate, or activate filters.
Email is not included in the synchronization filters because email is controlled by when the email is created in
customer engagement apps, whether the user is on the recipient list or not.

Create or modify online synchronization filters


1. In the web app, in the upper-right corner of the screen, click the Settings button > Options.
2. In the Set Personal Options dialog box, click the Synchronization tab.
3. Under Synchronize customer engagement apps items with Outlook or Exchange, click the filters
link.
Customer engagement apps displays the Synchronization Settings for Outlook or Exchange dialog box with
the User Filters tab selected. You can use this tab to create or edit a filter, or to delete, activate, or deactivate a
filter.

NOTE
If you're a system administrator, you can create or modify organization-wide filters (system filters) through the SDK. More
information: Tell me more about system filters

4. Do one of the following:


To open an existing filter, click the filter.
To create a new filter, click New.

Create or modify filter criteria


You use a criteria row to create or modify criteria in an offline synchronization filter. Each criteria row contains
three values: the field to use in the filter (for example, City), an operator (for example, Equals or Contains), and
the value to filter on (for example, WA).

Add a criteria row


1. In the Look for list, select a record type.
2. Point to Select in the criteria grid, and then select the field to filter on from the list.
3. Select an operator from the list.
4. Enter a value to filter on.

Group rows of criteria
1. For each row you want to group, click the down arrow to the left of the field name, and then click Select
Row.
To remove a row from a group, click the down arrow to the left of the field name, and then click Delete. To
clear all rows from the criteria grid, click Clear.
2. Click Group AND or Group OR.
After creating a group, you can click the down arrow next to the And or Or to select from different options.
You can select a group, ungroup the group, change a Group AND to a Group OR or vice versa, add a clause,
or delete a group.

See also
Frequently asked questions about synchronizing records between customer engagement apps and Microsoft
Outlook

Control field synchronization with Outlook
10/16/2020 • 2 minutes to read

With field synchronization, admins can set the sync direction between customer engagement apps (Dynamics 365
Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation) and Microsoft Dynamics 365 for Outlook fields. You can control synchronization
when using either Outlook synchronization or server-side synchronization (Exchange).
For example, a salesperson may want to take personal notes about a contact and not want the notes to
synchronize with data available to all users. An admin can set the Personal Notes field for contacts in Outlook so
that it does not synchronize between Dynamics 365 for Outlook and customer engagement apps, and the
salesperson's notes remain private.

TIP
Check out the following video: Configurability in Synchronizing Data with Outlook or Exchange in Microsoft Dynamics
CRM 2015

Set field synchronization between customer engagement apps and Outlook
1. Sign in as an admin.
2. In the web app, select Settings > Administration > System Settings > Synchronization tab.
For Unified Interface, select Settings in the upper-right corner > Advanced Settings > Settings >
Administration > System Settings > Synchronization tab.
3. Under Synchronize items with Outlook or Exchange, select synchronized fields.
4. For the fields whose synchronization you want to change, choose the arrows in the Sync Direction column. Each
choice changes the direction.

TIP
Hover over a field name to see the fields mapped to it.

5. Select OK > OK to close the open dialog boxes.


Let your users know they can view (not change) the synchronization settings. More information: What
fields can be synchronized between customer engagement apps and Outlook?

Performance and synchronization


Configuring synchronization might have an impact on the time it takes to sync between Dynamics 365 for
Outlook and customer engagement apps. You should test your configuration before deploying to ensure
satisfactory sync times.

Permissions and synchronization


Role-based security controls access to a specific entity type, record-based security controls access to individual
records, and field-level security controls access to specific fields. All these can impact what is synchronized
between customer engagement apps and Dynamics 365 for Outlook or Exchange.
Best practice is to review the settings for these security methods to ensure field synchronization is
processed as desired. For more information, see:
Securing roles: Create or edit a security role
Securing fields: Add or remove security from a field
More information: How field security affects synchronization between customer engagement apps and Outlook
and Security concepts
See also

How field security affects synchronization with Outlook
10/16/2020 • 2 minutes to read

Securing a field with field-level security can impact synchronization between customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation) and Microsoft Dynamics 365 for Outlook. Consider the following
scenario.

NOTE
We do not recommend securing a field when the field is set to sync. Best practice is to NOT secure any sync fields. If you do
decide to secure sync fields, you'll need to do the following:
1. Secure the field using field-level security. More information: see "Set field-level security" below.
2. Change the sync direction so that sync does not attempt to update or write the field during synchronization. More
information: Control field synchronization between customer engagement apps and Outlook or Exchange

Scenario: Restrict users from changing Job Title


The Contoso company wants to promote consistent data entry. While sales personnel are out in the field, it's easy
for them to create different data entries to describe the same thing. For example, the same job title could be
entered as "Construction Manager", "Foreman", or "Site Manager". To prevent this, the Job Title field is secured. This
has consequences for synchronization.
Set field-level security
John, the admin for Contoso, sets security on several fields.

He did the following steps:


1. In the web app, go to Settings > Customizations.
2. Choose Customize the System.
3. Expand Entities > Contact.
4. Choose Fields and select jobtitle. There are a lot of Contact fields so you'll need to advance several pages.
5. Choose Edit.
6. For Field Security, choose Enable > Save and Close.
7. Choose Publish All Customizations.
John also secured the following Contact fields so they won't appear in customer engagement apps:
ftpsiteurl, governmentid

Create and configure a field security profile
John creates a field security profile and assigns sales team members to the profile.

He did the following to create the field security profile:


1. In the web app, go to Settings > Security.
2. Choose Field Security Profiles.
3. Create a profile. Choose New and enter a Name.
4. Choose Save and Close.
5. Choose the new profile > Users > Add.
6. Select users and then choose Select > Add.

Set field permissions
With a field security profile created and users added to the profile, John can now set permissions on the fields to
match his organization's requirements.

1. In the web app, go to Settings > Security .


2. Choose Field Security Profiles > your profile.
3. Choose Field Permissions > the field to secure > Edit.
4. Change the security settings to match your company's requirements and then choose OK > Save and
Close.

What the user sees
Nancy, a salesperson at Contoso, uses Dynamics 365 for Outlook and creates a new contact and tracks it in
Dynamics 365 apps.

When Nancy synchronizes with customer engagement apps, she notices that the Job Title field is gone from the
contact. This is because Nancy doesn't have update rights for the Job Title field.

Nancy's manager, with update rights to the Job Title field, fills in the field with the correct job title: Construction
Manager.
Nancy synchronizes again with customer engagement apps and now the Job Title field is in the contact with the
correct title.
See also
Field-level security

What fields can be synchronized with Outlook?
10/16/2020 • 10 minutes to read

Administrators can set whether a sync occurs and the sync direction for customer engagement apps (Dynamics
365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics
365 Project Service Automation) and Microsoft Dynamics 365 for Outlook fields.

You can set synchronization for the entities listed in the following tables. For information on how to set field
synchronization, see Control field synchronization between customer engagement apps and Outlook or Exchange.

Entity: Appointment
Outlook fields | Default sync | Settable sync | Customer engagement apps field | Notes
Appointment Time |  |  | Appointment Time | Aggregation of Start Time, End Time, Duration, All Day Event, etc.
Attachments | Computed |  | Attachments | Changes to based on System Settings.
Body |  | , , , | Description | Outlook and Exchange can contain things like images and links. Customer engagement apps can only contain multiple lines of text.
Importance |  |  | Priority | Outlook has High Importance, Low Importance.
Location |  | , , , | Location |
Optional Attendees |  |  | Optional Attendees |
Organizer |  |  | Organizer | See below.
Regarding |  |  | Regarding | See below.
Required Attendees |  |  | Required Attendees |
Show Time As |  |  | Appointment Status |
Subject |  | , , , | Subject |

Notes
1. Organizer: In Outlook sync, an appointment created in customer engagement apps will not result in filling
in the Outlook Organizer field until it is further modified in Outlook. This applies to Appointment, Recurring
Appointment, and Service Activity. In server-side sync, a service activity created in Dynamics 365 apps will
result in filling in the Exchange Organizer field with the person who synchronizes this appointment.
2. Regarding: When you do a Set Regarding, the Regarding field in Outlook is replaced by the name of the
regarding object from customer engagement apps. Until you sync, the Set Regarding action in Dynamics
365 for Outlook and in customer engagement apps should not change the Regarding field in Outlook.

Entity: Contact
Outlook fields | Default sync | Settable sync | Customer engagement apps field | Notes
Anniversary |  | , , , | Anniversary |
Assistant’s Name |  | , , , | Assistant |
Assistant’s Phone |  | , , , | Assistant Phone |
Birthday |  | , , , | Birthday |
Business Fax |  | , , , | Fax |
Business Phone |  | , , , | Business Phone |
Business Phone 2 |  | , , , | Business Phone 2 |
Callback |  | , , , | Callback Number |
Children |  | , , , | Children’s Names |
Company Main Phone |  | , , , | Company Phone |
Department |  | , , , | Department |
E-mail |  | , , , | Email |
E-mail 2 |  | , , , | Email Address 2 |
E-mail 3 |  | , , , | Email Address 3 |
FTP Site |  | , , , | FTP Site |
Full Name |  |  | Full Name |
Government ID Number |  | , , , | Government |
Home Address |  | , , , | Address 2 | Changes to based on System Settings.
Home Phone |  | , , , | Home Phone |
Home Phone 2 |  | , , , | Home Phone 2 |
Job Title |  | , , , | Job Title |
Mailing Address/Business Address |  | , , , | Address 1 | Mailing Address changes to Business Address based on System Settings.
Manager’s Name |  | , , , | Manager |
Mobile |  | , , , | Mobile Phone |
Nickname |  | , , , | Nickname |
Notes |  | , , , | Description | Outlook and Exchange can contain things like images and links. Customer engagement apps can only contain multiple lines of text.
Other Address |  | , , , | Address 3 | Changes to based on System Settings.
Other Phone |  | , , , | Telephone 3 |
Pager |  | , , , | Pager |
Parent (Regarding) |  |  | Company Name (Regarding) | See Notes below.
Spouse/Partner |  | , , , | Spouse/Partner Name |
Web Page |  | , , , | Website |
Yomi First Name |  | , , , | Yomi First Name |
Yomi Last Name |  | , , , | Yomi Last Name |

Notes
1. Parent (Regarding): When you do a Set Regarding, the Company field in Outlook is replaced by the
name of the regarding object from customer engagement apps. If not syncing, the set regarding action in
Dynamics 365 for Outlook and in customer engagement apps should not change the Company field in
Outlook. Users can control updating the Company field for Outlook contacts in Dynamics 365 for Outlook.
More information: Set personal options that affect tracking and synchronization between customer
engagement apps and Outlook or Exchange
2. When the Contact entity is deactivated (Status Reason: Inactive), the Outlook field in Outlook will have
Category [Dynamics 365] Inactive. This is to help differentiate the inactive vs. active status from a pool
of tracked Outlook contacts.

Entity: Fax
Outlook fields | Default sync | Settable sync | Customer engagement apps field | Notes
Date Completed |  | , , , | Actual End |
Due Date |  | , , , | Due Date | See Notes below.
Importance |  |  | Priority | Outlook has High Importance, Low Importance.
Notes |  | , , , | Description | Outlook and Exchange can contain things like images and links. Customer engagement apps can only contain multiple lines of text.
Regarding |  |  | Regarding | See Notes below.
Start Date |  | , , , | Start Date |
Status |  |  | Status | Computed from Activity Status and Status Reason.
Subject |  | , , , | Subject |

Notes
1. Due Date: Includes Date and Time. When a task is created in Outlook, the system assigns the task a
reminder time. Reminder information is not synced from Outlook to customer engagement apps. However,
when a task has Due Time set, it will be synchronized to reminder time in Outlook.
If there is a Start Date value but no Due Date value in Outlook/Exchange, Outlook/Exchange will auto fill the
Due Date value with the Start Date whenever you change the Start Date directly in Outlook; if there is Start
Date value but no Due Date value in customer engagement apps, customer engagement apps will auto fill
the Due Date value with the Start Date. These are controlled by Outlook/Exchange and customer
engagement apps independently, not controlled by sync directions here.
2. Regarding: When you do a Set Regarding, the Regarding field in Outlook is replaced by the name of the
regarding object from customer engagement apps. Until you sync, the Set Regarding action in Dynamics
365 for Outlook and in customer engagement apps should not change the Regarding field in Outlook.

Entity: Letter
Outlook fields | Default sync | Settable sync | Customer engagement apps field | Notes
Date Completed |  | , , , | Actual End |
Due Date |  | , , , | Due Date | See Notes below.
Importance |  |  | Priority | Outlook has High Importance, Low Importance.
Notes |  | , , , | Description | Outlook and Exchange can contain things like images and links. Customer engagement apps can only contain multiple lines of text.
Regarding |  |  | Regarding | See Notes below.
Start Date |  | , , , | Start Date |
Status |  |  | Status | Computed from Activity Status and Status Reason.
Subject |  | , , , | Subject |

Notes
1. Due Date: Includes Date and Time. When a task is created in Outlook, the system assigns the task a
reminder time. Reminder information is not synced from Outlook to customer engagement apps. However,
when a task has Due Time set, it will be synchronized to reminder time in Outlook.
If there is a Start Date value but no Due Date value in Outlook/Exchange, Outlook/Exchange will auto fill the
Due Date value with the Start Date whenever you change the Start Date directly in Outlook; if there is Start
Date value but no Due Date value in customer engagement apps, customer engagement apps will auto fill
the Due Date value with the Start Date. These are controlled by Outlook/Exchange and Dynamics 365 apps
independently, not controlled by sync directions here.
2. Regarding: When you do a Set Regarding, the Regarding field in Outlook is replaced by the name of the
regarding object from customer engagement apps. Until you sync, the Set Regarding action in Dynamics
365 for Outlook and in customer engagement apps should not change the Regarding field in Outlook.

Entity: Phone Call


Outlook fields | Default sync | Settable sync | Customer engagement apps field | Notes
Date Completed |  | , , , | Actual End |
Due Date |  | , , , | Due Date | See below.
Importance |  |  | Priority | Outlook has High Importance, Low Importance.
Notes |  | , , , | Description | Outlook and Exchange can contain things like images and links. Customer engagement apps can only contain multiple lines of text.
Regarding |  |  | Regarding | See Notes below.
Start Date |  | , , , | Start Date |
Status |  |  | Status | Computed from Activity Status and Status Reason.
Subject |  | , , , | Subject |

Notes
1. Due Date: Includes Date and Time. When a task is created in Outlook, the system assigns the task a
reminder time. Reminder information is not synced from Outlook to customer engagement apps. However,
when a task has Due Time set in customer engagement apps, it will be synchronized to reminder time in
Outlook.
If there is a Start Date value but no Due Date value in Outlook/Exchange, Outlook/Exchange will auto fill the
Due Date value with the Start Date whenever you change the Start Date directly in Outlook; if there is Start
Date value but no Due Date value in customer engagement apps, customer engagement apps will auto fill
the Due Date value with the Start Date. These are controlled by Outlook/Exchange and customer
engagement apps independently, not controlled by sync directions here.
2. Regarding: When you do a Set Regarding, the Regarding field in Outlook is replaced by the name of the
regarding object from customer engagement apps. Until you sync, the Set Regarding action in Dynamics
365 for Outlook and in customer engagement apps should not change the Regarding field in Outlook.

Entity: Recurring Appointment


Outlook fields | Default sync | Settable sync | Customer engagement apps field | Notes
Body |  | , , , | Description | Outlook and Exchange can contain things like images and links. Customer engagement apps can only contain multiple lines of text.
Importance |  |  | Priority | Outlook has High Importance, Low Importance.
Location |  | , , , | Location |
Optional Attendees |  |  | Optional Attendees |
Organizer |  |  | Organizer | See Notes below.
Recurrence Pattern |  |  | Recurrence Pattern |
Regarding |  |  | Regarding | See Notes below.
Required Attendees |  |  | Required Attendees |
Show Time As |  |  | Appointment Status | Computed by Activity Status and Status Reason.
Subject |  | , , , | Subject |

Notes
1. Organizer: In Outlook sync, an appointment created in customer engagement apps will not result in filling
in the Outlook Organizer field until it is further modified in Outlook. This applies to Appointment, Recurring
Appointment, and Service Activity. In server-side sync, a service activity created in customer engagement
apps will result in filling in the Exchange Organizer field with the person who synchronizes this
appointment.
2. Regarding: When you do a Set Regarding, the Regarding field in Outlook is replaced by the name of the
regarding object from customer engagement apps. Until you sync, the Set Regarding action in Dynamics
365 for Outlook and in customer engagement apps should not change the Regarding field in Outlook.

Entity: Service Activity


Outlook fields | Default sync | Settable sync | Customer engagement apps field | Notes
Appointment Time |  |  | Appointment Time | Aggregation of Start Time, End Time, Duration, All Day Event, etc.
Importance |  |  | Priority | Outlook has High Importance, Low Importance.
Location |  |  | Location |
Notes |  |  | Description | Outlook and Exchange can contain things like images and links. Customer engagement apps can only contain multiple lines of text.
Optional Attendees |  |  | Optional Attendees |
Organizer |  |  | Organizer | See Notes below.
Regarding |  |  | Regarding | See Notes below.
Required Attendees |  |  | Required Attendees |
Show Time As |  |  | Appointment Status | Computed by Activity Status and Status Reason.
Subject |  |  | Subject |

Notes
1. Organizer: In Outlook sync, an appointment created in customer engagement apps will not result in filling
in the Outlook Organizer field until it is further modified in Outlook. This applies to Appointment, Recurring
Appointment, and Service Activity; in server-side sync, a service activity created in customer engagement
apps will result in filling in the Exchange Organizer field with the person who synchronizes this
appointment.
2. Regarding: When you do a Set Regarding, the Regarding field in Outlook is replaced by the name of the
regarding object from customer engagement apps. Until you sync, the Set Regarding action in Dynamics
365 for Outlook and in customer engagement apps should not change the Regarding field in Outlook.

Entity: Task
Outlook fields | Default sync | Settable sync | Customer engagement apps field | Notes
% Complete |  | , , , | Percent Complete |
Date Completed |  | , , , | Actual End |
Due Date |  | , , , | Due Date | See Notes below.
Importance |  |  | Priority | Outlook has High Importance, Low Importance.
Notes |  | , , , | Description | Outlook and Exchange can contain things like images and links. Customer engagement apps can only contain multiple lines of text.
Regarding |  |  | Regarding | See Notes below.
Start Date |  | , , , | Start Date | See Notes below.
Status |  |  | Status | Computed from Activity Status and Status Reason.
Subject |  | , , , | Subject |

Notes
1. Due Date: Includes Date and Time. When a task is created in Outlook, the system assigns the task a
reminder time. Reminder information is not synced from Outlook to customer engagement apps. However,
when a task has Due Time set, it will be synchronized to reminder time in Outlook.
If there is a Start Date value but no Due Date value in Outlook/Exchange, Outlook/Exchange will auto fill the
Due Date value with the Start Date whenever you change the Start Date directly in Outlook; if there is Start
Date value but no Due Date value in customer engagement apps, customer engagement apps will auto fill
the Due Date value with the Start Date. These are controlled by Outlook/Exchange and customer
engagement apps independently, not controlled by sync directions here.
2. Regarding: When you do a Set Regarding, the Regarding field in Outlook is replaced by the name of the
regarding object from customer engagement apps. Until you sync, the Set Regarding action in Dynamics
365 for Outlook and in customer engagement apps should not change the Regarding field in Outlook.
3. Start Date: When a task is created and tracked in Outlook, the system assigns the task a reminder time.
Reminder information is not synced from Outlook to customer engagement apps. However, when a task has
Due Time set, it will be synchronized to Reminder Time in Outlook.
See also

View the fields that are synchronized between customer engagement apps and Outlook
10/16/2020 • 2 minutes to read

In Microsoft Dynamics CRM 2015 for Outlook or later, you can view the appointment, contact, and task fields
that are synchronized between customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) and
Outlook so you can see where the data is coming from. You can also determine whether the fields:
Are synchronized one way (from Outlook to customer engagement apps or from customer engagement
apps to Outlook)
Are synchronized two way (from Outlook to customer engagement apps and from customer engagement
apps to Outlook)
Aren't synchronized
For example, if the fields are synchronized one way, from customer engagement apps to Outlook, you can
update the field in Outlook and save the change, but your changes won't be synced with customer
engagement apps, and will be overwritten if the same field value is changed in customer engagement apps.
So if fields are synced one way, there's no need to change the value in the synchronized field.

View the synchronized fields


1. In the web app, in the upper-right corner of the screen, click the Settings button > Options.
2. In the Set Personal Options dialog box, choose the Synchronization tab.
3. Choose synchronized fields.
4. In the Synchronization Settings for Outlook or Exchange dialog box, click the Synchronization
Fields tab.

5. In the Entity Type list, select the record type you want to view.
Outlook fields are displayed on the left and the corresponding customer engagement apps fields are
displayed on the right. The blue arrows show the sync direction:

This indicator | Shows that the fields
 | Are synced one way from Outlook to customer engagement apps
 | Are synced one way from customer engagement apps to Outlook
 | Are synced two way
 | Aren't synced

NOTE
Field synchronization direction can be impacted by security settings configured by your system administrator. For
example, if you don't have read privileges for a field, it won't be synchronized in Outlook even if the field is configured
for two-way synchronization. To determine whether you have read privileges for a field, click the View in Dynamics
365 apps button to open the record. If you see the Lock icon, you can't access the field.
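
The note above (no read privilege means no sync, whatever the configured direction) and the earlier Job Title scenario (no update privilege means the value entered in Outlook is not kept) can be checked together before a rollout. The following is an added example, not Microsoft's code: the data structures, function names, sample users, and configured directions are constructed, and the permission model (read is needed for the apps-to-Outlook flow, update for the Outlook-to-apps flow) is a simplifying assumption drawn from those two statements.

```python
from dataclasses import dataclass

# Sync directions named after the four states the page describes.
TWO_WAY = "two_way"
TO_APPS = "outlook_to_apps"      # one way, Outlook -> customer engagement apps
TO_OUTLOOK = "apps_to_outlook"   # one way, customer engagement apps -> Outlook
NONE = "none"


@dataclass(frozen=True)
class FieldPermission:
    """A user's effective permission on one secured field (hypothetical shape)."""
    read: bool = False
    update: bool = False


# Constructed sample: the three Contact fields secured in the page's scenario
# plus one unsecured field. Directions are illustrative, not exported from an org.
SYNC_DIRECTION = {
    "jobtitle": TWO_WAY,
    "ftpsiteurl": TWO_WAY,
    "governmentid": TO_OUTLOOK,
    "nickname": TWO_WAY,
}
SECURED_FIELDS = {"jobtitle", "ftpsiteurl", "governmentid"}

# Constructed sample: Nancy can read Job Title but not update it; her manager
# has read and update on every secured field.
PERMISSIONS = {
    "nancy": {"jobtitle": FieldPermission(read=True, update=False)},
    "manager": {
        "jobtitle": FieldPermission(read=True, update=True),
        "ftpsiteurl": FieldPermission(read=True, update=True),
        "governmentid": FieldPermission(read=True, update=True),
    },
}


def effective_direction(field, user):
    """Return the direction a field can actually sync in for this user.

    Assumed model: unsecured fields sync as configured; for secured fields the
    apps -> Outlook flow needs read and the Outlook -> apps flow needs update.
    """
    configured = SYNC_DIRECTION.get(field, NONE)
    if field not in SECURED_FIELDS or configured == NONE:
        return configured
    perm = PERMISSIONS.get(user, {}).get(field, FieldPermission())
    to_outlook = configured in (TWO_WAY, TO_OUTLOOK) and perm.read
    to_apps = configured in (TWO_WAY, TO_APPS) and perm.update
    if to_outlook and to_apps:
        return TWO_WAY
    if to_outlook:
        return TO_OUTLOOK
    if to_apps:
        return TO_APPS
    return NONE


def audit_secured_sync_fields():
    """List secured fields whose configured direction still writes into the apps.

    This is one reading of the best-practice note: a secured field should not be
    left in a direction where sync attempts to update it.
    """
    return sorted(
        f for f in SECURED_FIELDS
        if SYNC_DIRECTION.get(f, NONE) in (TWO_WAY, TO_APPS)
    )


def degraded_fields(user):
    """Map each field to (configured, effective) where security narrows the sync."""
    out = {}
    for field, configured in SYNC_DIRECTION.items():
        effective = effective_direction(field, user)
        if effective != configured:
            out[field] = (configured, effective)
    return out


if __name__ == "__main__":
    print("Secured fields still written by sync:", audit_secured_sync_fields())
    for user in PERMISSIONS:
        print(user, degraded_fields(user))
```

Fields returned by audit_secured_sync_fields are the candidates for either removing field security or changing the sync direction; degraded_fields shows which users would see a field behave differently from its configured direction.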

See also
Frequently asked questions about synchronizing records between customer engagement apps and Microsoft
Outlook
What fields can be synchronized between customer engagement apps and Outlook or Exchange?
Control field synchronization between customer engagement apps and Outlook or Exchange (admins)
How security affects synchronization between customer engagement apps and Outlook or Exchange

Frequently asked questions about synchronizing records between customer engagement apps and Microsoft Outlook
10/16/2020 • 4 minutes to read

What's the best way to use Outlook and customer engagement apps together?
There are three ways to use model-driven apps in customer engagement apps (Dynamics 365 Sales, Dynamics
365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation) and Outlook together:
Dynamics 365 App for Outlook
Dynamics 365 for Outlook
Microsoft Exchange folder tracking
Use Dynamics 365 App for Outlook paired with server-side synchronization to view customer
engagement apps data in Outlook and track Outlook records in customer engagement apps. You can use
Dynamics 365 App for Outlook together with Microsoft Outlook on the web, the Outlook desktop
application, or with Outlook mobile. With Dynamics 365 App for Outlook, customer engagement apps
information appears next to a user’s Outlook email messages or appointments. For example, people can
preview information about contacts and leads stored in customer engagement apps and add contacts
directly from an email message. They can also link email, appointment, and contact records to new or
existing records, such as opportunity, account, or case records. To use Dynamics 365 App for Outlook, you
must synchronize email with server-side synchronization. More information: Integrate your email system

How often are records synchronized through server-side sync?


If you synchronize records with server-side synchronization, the process is dynamic and unique for each user’s
mailbox. The synchronization algorithm ensures that mailboxes are synced according to dynamic parameters
such as the number of email messages and the activity within the mailbox. Normally, email synchronization
occurs every 5 minutes. When a mailbox has many email messages, the interval can be reduced dynamically to 2
minutes. If the mailbox is less active, the interval can be increased up to 12 minutes. Generally speaking, you can
assume that a mailbox will be synced at least once every 12 minutes.
However, when you use Dynamics 365 App for Outlook to track or set the regarding record for an email or
appointment, synchronization happens immediately in most scenarios for received emails and sent
appointments. If the immediate synchronization in Dynamics 365 App for Outlook fails, we leverage server-side
synchronization to create or update the activity record.

Where can I find information on troubleshooting server-side synchronization issues?
You can find information on troubleshooting and known issues here: Troubleshooting and things to know about
server-side synchronization.
Do security permissions affect synchronization?
Yes. If a system administrator has implemented security for particular fields or records, it can affect the data
that’s synchronized.

Privacy notices
If you use Dynamics 365, when you use server-side sync, Dynamics 365 contacts and activities (including emails,
appointments, contacts, and tasks) are synchronized to your specified email system (such as Exchange).
An administrator can configure server-side sync functionality to specify which users have the ability to send
emails or appointments from Dynamics 365 or synchronize activities and contacts between Dynamics 365 and
the user’s mailbox. Both the administrator and end users can further customize filter criteria, and administrators
can even define which entity fields synchronize.
If you use Dynamics 365 (online), when you use the Sync to Outlook feature, the Dynamics 365 data you are
syncing is “exported” to Outlook. A link is maintained between the information in Outlook and the information in
Dynamics 365 (online) to ensure that the information remains current between the two. Outlook Sync
downloads only the relevant Dynamics 365 record IDs to use when a user attempts to track and set regarding an
Outlook item. The company data is not stored on the device.
An administrator determines whether your organization’s users are permitted to sync Dynamics 365 data to
Outlook by using security roles.
To use Microsoft Dynamics 365 for Outlook, you are required to sign in by using your credentials (an email
address and password). You may choose to save this information locally so that you are not prompted for your
credentials each time you open Outlook. If you do choose to save this information locally, Dynamics 365 for
Outlook will automatically connect to Microsoft Dynamics 365 (online) every time you open Outlook.
After the first time you sign in and use Dynamics 365 for Outlook, the connection between your computer and
Dynamics 365 (online) will always be open when you have access to the Internet. You may choose to turn off the
connection between your computer and Dynamics 365 only by using a configuration setting, but if you do turn
off the connection, Dynamics 365 for Outlook may exhibit decreased performance.
If you use Dynamics 365 for Outlook to track email, the email thread will be visible to users in your organization
who have permission to view it.
For every email you receive, Dynamics 365 for Outlook will send Dynamics 365 (online) the sender’s email
address, the recipient’s email address, and the subject line of the message. This allows Dynamics 365 (online) to
validate whether or not a particular mail should be stored by the Dynamics 365 (online) service. When you track
an item, a copy of that item will be maintained by the Dynamics 365 service and will be visible to other users in
your organization who have the appropriate permissions. When you untrack an item, that copy is automatically
deleted from Dynamics 365 (online) only if you own the item.
See also
Integrate your email system
Track Outlook email by moving it to a tracked Exchange folder
Set personal options that affect tracking and synchronization between customer engagement apps and Outlook
or Exchange
Set personal options that affect tracking and
synchronization between customer engagement apps
and Outlook or Exchange
10/16/2020 • 5 minutes to read

You can use the Set Personal Options dialog box in customer engagement apps (Dynamics 365 Sales, Dynamics
365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), to set many options that affect tracking and synchronization.
To open the Set Personal Options dialog box:
Select the Settings button in the upper-right corner of the screen, and then select Options.
The following table summarizes the tracking and synchronization options available in the Set Personal
Options dialog box. The Available column indicates whether the option is available in customer
engagement apps. This column also indicates if the option is available for Outlook synchronization, server-
side synchronization (also known as "Exchange synchronization"), or both. More information: Frequently
asked questions about synchronizing records between customer engagement apps and Microsoft Outlook

| TO | ON THIS TAB | IN THIS SECTION | SEE THIS OPTION | AVAILABLE |
|---|---|---|---|---|
| View or modify the online synchronization filters used to determine the records copied to your local hard drive | Synchronization | Synchronize items with Outlook or Exchange | View or manage the filters that determine the records that are synchronized to your Outlook or Exchange folders. More information: Choose the records to synchronize between customer engagement apps and Outlook or Exchange | From customer engagement apps; For Outlook sync or server-side sync |
| View or modify the offline synchronization filters used to determine the records copied to your local hard drive when you go offline | Synchronization | Manage your offline filters and take your information offline in Dynamics 365 for Outlook | Manage your offline filters to determine what data you need with you when you go offline. | From customer engagement apps; For Outlook sync or server-side sync |
| View the fields that are synchronized between Outlook and customer engagement apps | Synchronization | | View or manage the synchronized fields of Outlook or Exchange items, including appointments, contacts, and tasks. | From customer engagement apps; For Outlook sync or server-side sync |
| Overwrite the names in the Outlook contacts Company field with the parent account from contacts | Synchronization | Update the company field for Outlook contacts | Update Company fields with parent account names | For Outlook sync or server-side sync |
| Set the synchronization client that synchronizes records between Outlook and customer engagement apps | Synchronization | Set synchronization client | Set this computer to be the client to perform synchronization between Outlook and your primary organization | For Outlook sync only. Note: This option only appears when you have multiple Outlook clients that are connected to the same organization. |
| Set the synchronization interval for synchronizing items | Synchronization | Schedule automatic synchronization with Outlook | Synchronize the items in my Outlook folders every | For Outlook sync only |
| Enable customer engagement apps to send email using Dynamics 365 for Outlook | Email | Select how Microsoft Dynamics 365 for Outlook should integrate email with customer engagement apps | Allow customer engagement apps to send email using Microsoft Dynamics 365 for Outlook | From Dynamics 365 for Outlook only |
| Track incoming email automatically | Email | Select how Microsoft Dynamics 365 for Outlook should integrate email with customer engagement apps | Check incoming email in Outlook and determine whether an email should be linked and saved as a record. | From Dynamics 365 for Outlook only |
| Track incoming email automatically | Email | Select the email messages to track | Track | From customer engagement apps |
| Track incoming email automatically | Email | Select the email messages to track | Configure Folder Tracking Rules. More information: Track Outlook email by moving it to a tracked Exchange folder | From customer engagement apps; For server-side sync only |
| Automatically create contact or lead records if the sender of the email message or meeting invitation doesn't already have a record in customer engagement apps | Email | Automatically create records in Dynamics 365 apps | Create | From customer engagement apps |
| Select how email recipients are matched to records | Address Book | Select how email recipients are reconciled with records | All options | From Dynamics 365 for Outlook only |
| Set the synchronization interval for updating your local data when you go offline | Local Data | Set how often to update local data | Update local data every. Note: You may not be able to change the interval if your administrator has restricted changes. | From Dynamics 365 for Outlook only |
| Select how duplicate records should be handled when going from offline to online | Local Data | Select how duplicate records should be handled during synchronization | Enable duplicate detection during offline to online synchronization | From Dynamics 365 for Outlook only |

Privacy notices
To use Microsoft Dynamics 365 for Outlook, you are required to sign in by using your credentials (an email
address and password). You may choose to save this information locally so that you are not prompted for your
credentials each time you open Outlook. If you do choose to save this information locally, Dynamics 365 for
Outlook will automatically connect to Microsoft Dynamics 365 (online) every time you open Outlook.
After the first time you sign in and use Dynamics 365 for Outlook, the connection between your computer and
Dynamics 365 (online) will always be open when you have access to the Internet. You may choose to turn off the
connection between your computer and Dynamics 365 only by using a configuration setting, but if you do turn off
the connection, Dynamics 365 for Outlook may exhibit decreased performance.
If you use Dynamics 365 for Outlook to track email, the email thread will be visible to users in your organization
who have permission to view it.
For every email you receive, Dynamics 365 for Outlook will send Dynamics 365 (online) the sender’s email
address, the recipient’s email address, and the subject line of the message. This allows Dynamics 365 (online) to
validate whether or not a particular mail should be stored by the Dynamics 365 (online) service. When you track
an item, a copy of that item will be maintained by the Dynamics 365 service and will be visible to other users in
your organization who have the appropriate permissions. When you untrack an item, that copy is automatically
deleted from Dynamics 365 (online) only if you own the item.
If you use Dynamics 365 (online), when you use the Sync to Outlook feature, the Dynamics 365 data you are
syncing is “exported” to Outlook. A link is maintained between the information in Outlook and the information in
Dynamics 365 (online) to ensure that the information remains current between the two. Outlook Sync downloads
only the relevant Dynamics 365 record IDs to use when a user attempts to track and set regarding an Outlook
item. The company data is not stored on the device.
An administrator determines whether your organization’s users are permitted to sync Dynamics 365 data to
Outlook by using security roles.
See also
Track Outlook email by moving it to a tracked Exchange folder
Frequently asked questions about synchronizing records between customer engagement apps and Microsoft
Outlook
Monitor email processing errors
10/16/2020 • 3 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), generate alerts if errors occur
while email is being processed. An error can be classified based on the nature of the error and on whether the error
is for an email, a mailbox, or an email server profile.
The following table lists the distinction between permanent and transient errors.

| PERMANENT ERRORS | TRANSIENT ERRORS |
|---|---|
| These are of permanent nature and can occur when the transient errors aren't fixed after a few attempts. | These are of temporary nature and may get fixed automatically after a few attempts. |
| When these errors occur, email processing for the affected mailboxes is stopped. These require a corrective action by the mailbox owner or an administrator. | These errors don't necessarily require a corrective action by a user, but we recommend that you look at these. |
| The administrators and users are alerted on their alert walls to take action and start email processing. | The administrators and users are notified on the alerts wall about these errors but no action is required for these errors. |

The following table will help you distinguish between email-level, mailbox-level, and email server profile-level
errors and whether a corrective action is needed.

| EMAIL-LEVEL ERRORS | MAILBOX-LEVEL ERRORS | EMAIL SERVER PROFILE-LEVEL ERRORS |
|---|---|---|
| These are errors specific to an email message. | These are errors specific to a mailbox. | These errors may occur for one or more mailboxes. |
| These don't have impact on the processing of other email. | The owner of the mailbox is notified on the alerts wall and the owner is required to take a corrective action. | The owner of the associated email server profile is notified on the alerts wall and the owner is required to take a corrective action. |
| The alerts for these are displayed in the alerts section of the email form. | The alert is also displayed in the respective mailbox form. | The owners of the mailbox that are affected are also notified on the alerts wall but no action is required by them. |

View alerts
The alerts are shown on the Alerts wall or the Alerts section in the mailbox or email server profile records. The
following table shows how to view the alerts and the actions you can take on these alerts.

TO: View all alerts
DO THIS:
In the web app, go to Sales > Alerts.
- To delete all alerts at once, click or tap the Delete all alerts icon on the alerts wall.
- To view just errors, warnings, or information, click or tap Errors, Warnings, or Information respectively.
If you are also synchronizing appointments, contacts, and tasks through server-side synchronization, you'll see alerts for the following:
- When one or more duplicate records are found in customer engagement apps when saving a record from Exchange to customer engagement apps.
- When a scheduling conflict is found when saving an appointment from Exchange to customer engagement apps because a mailbox is unavailable at the time.
- When previously linked items are found for a specific mailbox.
You'll be prompted to take actions on the errors about the appointment, contacts, and tasks synchronization.

TO: View alerts specific to mailbox
DO THIS:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Mailboxes.
3. Open a mailbox record, and on the left navigation bar, under Common, click or tap Alerts.

TO: View alerts specific to an email server profile
DO THIS:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Open an email server profile record, and on the left navigation bar, under Common, click or tap Alerts.

NOTE
If you don't wish to get alerts, you can disable them from the System Settings dialog box – Email tab by clearing the check
boxes for alerts.

Why does the email message I sent have a "Pending
Send" status?
10/16/2020 • 2 minutes to read

If you create an email message in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), and
click the Send button, the message will not be sent unless email integration has been correctly configured and
enabled for sending email from customer engagement apps. If the status of the email appears as "Pending Send"
and is not sent, contact your administrator. More information: Find your administrator or support person
If you are the administrator, verify that the user who sent the email is enabled for sending email. To do this:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Mailboxes.
3. Change the view to Active Mailboxes.
4. Select the mailbox record for the user who sent the email, and then click the Edit button.
5. Verify the user is correctly configured and enabled for sending email:
If the user's mailbox record is configured to use server-side synchronization for outgoing email, verify the
user's email address is approved and is also tested and enabled. For more information about configuring
server-side synchronization, see set up server-side synchronization of email, appointments, contacts, and
tasks.
See also
Integrate your email system
Use Email message filtering and correlation to
specify which emails are tracked
10/16/2020 • 5 minutes to read

Server-side synchronization, Microsoft Dynamics 365 for Outlook, or the Email Router can automatically create
email activities in customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics
365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), which are based on
received email messages. This type of automation is known as email message tracking. Users can select a filtering
option that determines what email messages will be tracked. Filtering is set on the Email tab of the Set Personal
Options dialog box in the client applications. Users can set the following options:
- All email messages. All email messages received by the user are tracked (will have activities created).
- Email messages in response to email. Only replies to email messages that have already been tracked
will be saved as email activities. This option uses smart matching, a correlation method that uses the
existing properties contained in the email to relate email messages to activities.
- Email messages from Leads, Contacts, and Accounts. Only email messages sent from leads,
contacts, and accounts in the database are saved as activities.
- Email messages from records that are email enabled. Email messages are tracked from any record
type that contains an email address, including customized record types (entities).
By default, the Email messages in response to email option is enabled. Correlation occurs after an email
message is filtered. System administrators can turn off all message tracking for a particular user by setting
Incoming Email under Synchronization Method to None on the Mailbox form.
Email correlation is set on the Email tab of the System Settings page and can be enabled or disabled for the
entire organization. Customer engagement apps uses two kinds of correlation, tracking tokens and smart
matching. By default, both correlation types are enabled.

IMPORTANT
Tracking tokens are the only supported correlation method that can be used when you use Dynamics 365 for Outlook
connected to an SMTP server and send email to a non-Exchange recipient. In this situation, if tracking tokens are not
enabled, then correlation events, such as automatically creating records based on the regarding object, may not work.

How customer engagement apps uses conversations to track emails


Use Exchange conversations to increase the probability for email identification and matching. Exchange groups
together related email and assigns them an id (conversation id), to identify emails that are part of one
conversation.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email tracking.
3. In the Configure folder-level tracking and email correlation area, turn on Use correlation.
If enabled, this option uses the conversation id to identify all the emails that replied to a tracked email.
How customer engagement apps associates email addresses with
records
When customer engagement apps tracks an email, it associates the email address to a record within customer
engagement apps. The contents of the email From field can only be associated with one record. If there are
duplicate records within customer engagement apps with the same email address, the contents of the email
From field will resolve to the first active record in the following order:
1. SystemUser
2. Contact
3. Account
4. Lead
5. Equipment
6. Team
7. Business unit
8. Email-enabled entities (for example: Queues, custom, etc.)
In the email To field, all of the records of email-enabled entities with the email address will be listed.

How customer engagement apps use tracking tokens


Tracking tokens increase the probability for email identification and matching. You can use the tracking token
feature to improve email message tracking. A tracking token is an alphanumeric string generated by customer
engagement apps and appended to the end of an email subject line. It matches email activities with email
messages.
Tracking tokens add an additional correlation component to smart matching. When customer engagement apps
generates an outgoing email activity, a resulting email response arriving in the Dynamics 365 apps system is then
correlated to the originating activity.
By default, the tracking token feature is turned on.
Tracking token structure
By default, customer engagement apps uses the following token structure, which consists of a 4-character prefix
and a 7-digit identifier.

The following table lists tracking token parts and descriptions.

| PART | DESCRIPTION |
|---|---|
| Prefix | Configurable from 1-20 characters. The default value is Dynamics 365 apps:. The prefix can be unique for each organization or environment. For example, in a multi-tenant deployment of customer engagement apps, we recommend that each organization configure and use a unique prefix. |
| Deployment base tracking number | Configurable from 0-2,147,483,647. Default value is 0. Can be used as an identifier for a specific environment. |
| User number digit range | Configurable from 1-9. The default range is three (3) digits. This value determines how many digits to use when customer engagement apps generates the numeric identifier for the user who generated the email activity. |
| Incremental message counter digit range | Configurable from 1-9. Default range is three (3) digits. This value determines how many digits to use when customer engagement apps generates the numeric identifier for the email activity (not the individual messages that the activity contains). If you use the default value to generate a token with a three-digit number, it will increment the number through 999, and then restart the number at 000. You can use a larger order of digits to reduce the possibility of assigning duplicate tokens to active email threads. |

Although we don't recommend it because it can significantly reduce the probability for accurate email activity to
email message correlation, you can turn tracking tokens off. To enable, disable, or configure tracking tokens, do the
following:
1. Go to Settings > Administration > System Settings.
2. Click the Email tab.
3. In the Configure email correlation area you can disable, enable, or change the default tracking token
structure.

What is smart matching?


When an incoming email message is processed by the Email Router, the system extracts information associated
with the email message subject, sender address, and recipients' addresses that link the email activity to other
records. This correlation process, also known as smart matching, uses the following criteria to match received
email message information to email activities:
- Subject matching. Prefixes, such as RE: or Re:, and letter case are ignored. For example, email message
subjects with Re: hello and Hello would be considered a match.
- Sender and recipient matching. The system calculates the number of exact sender and recipient email
addresses in common.
When the matching process is complete, the system selects the owner and the object of the incoming email
message.
By default, smart matching is turned on.

NOTE
You can disable, enable, and tune smart-matching settings in the System Settings dialog box – Email tab.
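
The tracking token structure and the smart-matching criteria described above, modelled in Python as an added example (not Microsoft's code and not the product's actual algorithm). The `ORG:` prefix, the sample activities, the `min_common` threshold, the `FW:` prefix handling and the choice to report duplicate tokens as ambiguous are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenConfig:
    prefix: str = "ORG:"       # constructed 4-character prefix (assumption)
    base_number: int = 0       # deployment base tracking number
    user_digits: int = 3       # user number digit range
    counter_digits: int = 3    # incremental message counter digit range

    def __post_init__(self):
        # Ranges taken from the tracking token table above.
        if not 1 <= len(self.prefix) <= 20:
            raise ValueError("prefix must be 1-20 characters")
        if not 0 <= self.base_number <= 2_147_483_647:
            raise ValueError("base tracking number out of range")
        if not (1 <= self.user_digits <= 9 and 1 <= self.counter_digits <= 9):
            raise ValueError("digit ranges must be 1-9")


def build_token(cfg, user_number, counter):
    """Token appended to a subject line; the counter wraps at 10**counter_digits."""
    if not 0 <= user_number < 10 ** cfg.user_digits:
        raise ValueError("user number does not fit the configured digit range")
    wrapped = counter % (10 ** cfg.counter_digits)
    return (f"{cfg.prefix}{cfg.base_number}"
            f"{user_number:0{cfg.user_digits}d}{wrapped:0{cfg.counter_digits}d}")


def extract_token(cfg, subject):
    """Return (user_number, counter) if the subject ends with a token for this config."""
    pattern = (re.escape(cfg.prefix) + str(cfg.base_number)
               + rf"(\d{{{cfg.user_digits}}})(\d{{{cfg.counter_digits}}})\s*$")
    m = re.search(pattern, subject)
    return (int(m.group(1)), int(m.group(2))) if m else None


# RE: comes from the page; FW: is an assumption of this example.
_REPLY_PREFIX = re.compile(r"^\s*((re|fw)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(cfg, subject):
    """Drop a trailing token and reply prefixes, and ignore letter case."""
    subject = re.sub(re.escape(cfg.prefix) + r"\d+\s*$", "", subject)
    return _REPLY_PREFIX.sub("", subject).strip().casefold()


def addresses(msg):
    return {msg["from"], *msg["to"]}


def smart_match(incoming, activity, cfg, min_common=1):
    """Score = number of exact addresses in common, only if the subjects match."""
    if normalize_subject(cfg, incoming["subject"]) != normalize_subject(cfg, activity["subject"]):
        return 0
    common = addresses(incoming) & addresses(activity)
    return len(common) if len(common) >= min_common else 0


def correlate(incoming, activities, cfg):
    """Try the tracking token first, then smart matching. Returns (activity id, method)."""
    parsed = extract_token(cfg, incoming["subject"])
    if parsed:
        hits = [a for a in activities if extract_token(cfg, a["subject"]) == parsed]
        if len(hits) == 1:
            return hits[0]["id"], "token"
        if len(hits) > 1:
            # Counter wrapped while an older thread was still active.
            return None, "ambiguous-token"
    scored = [(smart_match(incoming, a, cfg), a["id"]) for a in activities]
    best = max(scored, default=(0, None))
    return (best[1], "smart") if best[0] > 0 else (None, None)


# Constructed sample data.
CFG = TokenConfig()
ACTIVITIES = [
    {"id": "A1", "subject": "Quote for order " + build_token(CFG, 7, 1),
     "from": "rep@example.com", "to": ["buyer@example.net"]},
    {"id": "A2", "subject": "Site visit",
     "from": "rep@example.com", "to": ["ops@example.org"]},
]

if __name__ == "__main__":
    reply = {"subject": "RE: Quote for order ORG:0007001",
             "from": "buyer@example.net", "to": ["rep@example.com"]}
    print(correlate(reply, ACTIVITIES, CFG))
    # With three counter digits, message 1001 reuses the token of message 1.
    print(build_token(CFG, 7, 1001) == build_token(CFG, 7, 1))
```

Widening `counter_digits` to 4 in this model gives messages 1 and 1001 distinct tokens, which is the effect the table describes for a larger digit range.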

See also
Forward mailbox vs. individual mailboxes
Forward mailbox vs. individual mailboxes
10/16/2020 • 3 minutes to read

Although individual mailboxes are recommended on new setup, you can still use a forward mailbox to poll one or
more mailboxes for incoming email messages, and then determine what actions customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation), will take based on the email message, such as create or update
records in the system. You can configure server-side synchronization or the Email Router to monitor either of the
following:
A mailbox for each user or queue (recommended).
A forward mailbox. This is a single, central mailbox.

Important considerations
Forward mailbox functionality in Server-Side Synchronization was initially made available in previous versions of
Dynamics 365 to ease customer migration from the E-mail Router to Server-Side Synchronization if the
pre-existing environment was previously set up to use forward mailbox functionality.
However, using forward mailboxes as a long term solution is no longer recommended due to the following
reasons:
Performance: Forward Mailboxes are designed to process all e-mails for multiple mailboxes in your
organization. When Server Side Sync processes a forward mailbox, all of the received emails that have
arrived in the forward mailbox since the last synchronization cycle are processed by a single backend
server node. As a result, each synchronization cycle may take longer to complete, which can delay the rate
at which emails are delivered into the system. When using individual mailboxes, each mailbox is evenly
distributed across multiple backend servers and threads, which achieves much higher scalability and
ensures that each mailbox can be processed in a more timely fashion.
Throttling limits: Email service throttling limits, such as those imposed by Exchange or POP services, are
more likely to be hit. Throttling limits are defined at the mailbox level. Since a forward mailbox handles
email for multiple mailboxes, this requires a higher load of traffic on the email service to synchronize
emails from all forwarding parties, which may subject the forward mailbox to throttling. When using
individual mailboxes, throttling limits are much less likely to be encountered as throttling limits are
enforced on a per mailbox basis.
Fault tolerance: Since forward mailboxes were designed to synchronize emails for multiple users or
queues, this can potentially introduce a single point of failure should the mailbox experience connectivity or
runtime errors. As a result, these errors may potentially block or significantly delay incoming email
message synchronization for multiple users or queues. Business critical support queues or other high
priority Dynamics 365 mailboxes should not be configured for Forward Mailbox for this reason. When
using individual mailboxes, each mailbox is processed independently. As a result, any connectivity or
runtime errors will only affect the specific mailbox.
For the above reasons, forward mailboxes are supported, but not recommended, and should be avoided for new
setup. Customers that have an existing Forward Mailbox configuration are encouraged to migrate to individual
mailboxes to have the best and most reliable email synchronization experience.
IMPORTANT
To use a forward mailbox with a deployment that interfaces with a POP3-compliant email system, the email system must
be able to forward email messages as attachments.
For POP3 e-mail servers and Exchange Online, you cannot use the Rule Deployment Wizard. Instead, you must create
the rules manually.

You can configure users and queues in different ways within the same deployment. For example, you may want to
configure some user or queue mailboxes to be monitored directly on one email server, and configure others to use
a forward mailbox on a different email server.

Monitor a forward mailbox


When you use forward mailbox monitoring, incoming email messages are processed by Microsoft Exchange
Server or the POP3 server and customer engagement apps in the following sequence:
1. An email message is received by a user or queue mailbox, on either the Exchange Server or the POP3
server.
2. A rule in the user's mailbox sends a copy of the message, as an attachment, to the forward mailbox.
3. Customer engagement apps (by using server-side synchronization or Email Router) retrieve the message
from the forward mailbox and create the appropriate records.
Recover from Exchange Server failure
10/16/2020 • 2 minutes to read

The process to restore a Microsoft Exchange Server computer that is used by customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation), depends on how that environment of Exchange Server is being used.
The only time apps-related data exists on Exchange Server occurs when you use a forward mailbox with the
Microsoft Dynamics CRM Email Router or server-side synchronization. Customer engagement apps don’t directly
use Exchange Server mailboxes.

NOTE
This topic applies to Email Router which has been deprecated and was removed in version 9.0. We strongly recommend that
you migrate all email routing functionality to use the server-side synchronization feature.

Restore Exchange Server in a Common Data Service environment


1. Restore Exchange Server.
2. If the Email Router was installed on the computer that is running Exchange Server (not recommended),
reinstall the Email Router.
3. Restore the Microsoft.Crm.Tools.EmailAgent.xml file. By default, this file is located in the C:\Program
Files\Microsoft Customer Engagement Email\Service folder on the computer where the Email Router is
installed. If this file isn’t available, you must reconfigure the profiles, settings, users, queue, and forward-
mailbox information by running the Email Router Configuration Manager.
For more information about Exchange Server 2016 backup and recovery, see Backup, restore, and disaster
recovery.
For more information about Exchange Server 2013 backup and recovery, see Backup, restore, and disaster
recovery.
For more information about Exchange Server 2010 backup and recovery, see Understanding Backup, Restore and
Disaster Recovery.
Manage Bing Maps for your organization
10/16/2020 • 2 minutes to read

Learn how you can manage Bing Maps for your entire organization. When Bing Maps is turned on, people see a
map of a customer's location when they view contacts, leads, or accounts.

IMPORTANT
Customer Engagement (on-premises) organizations may need to enter a Bing Maps Enterprise Key to use the maps feature.
Go to the Bing Maps licensing page for details on how to get a key.

Turn Bing Maps on or off for your organization


1. Browse to the Power Platform admin center and sign in using administrator credentials.
2. Go to Environments > [select an environment] > Settings > Product > Features.
3. Under Embedded content, turn on Bing Maps.
4. Select Save.

Languages supported for viewing Bing Maps


The following table contains a list of all languages supported for viewing Bing maps. If the language is listed, the
Bing map is shown on the form, such as account, contact or lead, in your language. If the language is not listed, the
map is not shown on the form. Instead, the link Click here to view the map is provided on the form. When you
choose this link, you are taken directly to Bing Maps. Bing Maps are not available in all countries, regions, or
languages. You may not be able to see the map in your language, if it is not supported by Bing Maps. For a list of
supported languages, countries and regions, see Bing Maps documentation.

| LANGUAGE | CULTURE CODE |
|---|---|
| Czech | cs-CZ |
| Danish | da-DK |
| Dutch (Netherlands) | nl-BE |
| Dutch (Netherlands) | nl-NL |
| English (Australia) | en-AU |
| Canada (English) | en-CA |
| English (India) | en-IN |
| English (United Kingdom) | en-GB |
| English (United States) | en-US |
| Finnish | fi-FI |
| French (France) | fr-FR |
| French (Canada) | fr-CA |
| German (Germany) | de-DE |
| Italian (Italy) | it-IT |
| Japanese | ja-JP |
| Norwegian (Bokmål) | nb-NO |
| Portuguese (Brazil) | pt-BR |
| Portuguese (Portugal) | pt-PT |
| Spanish (Spain) | es-ES |
| Spanish (United States) | es-US |
| Spanish (Mexico) | es-MX |
| Swedish (Sweden) | sv-SE |

Privacy notice
If you use Microsoft Dynamics 365, the Bing Maps feature automatically sends the address over the Internet to the
Bing Maps service to display an online map of the address within Dynamics 365. If you click on the Bing Maps
within Dynamics 365, you will be redirected to www.bing.com/maps. Your use of Bing Maps is also governed by the
Bing Maps End User Terms of Use.
Your administrator can turn the Bing Maps feature on or off in the Settings > Product > Features area. Turning
the Bing Maps app off disables the feature within Dynamics 365.
Information sent to Bing Maps is subject to Microsoft Privacy and Cookies.
Enable Power Automate integration to automate
processes
10/16/2020 • 2 minutes to read

Microsoft Power Automate lets you create automated processes between your favorite apps and services. The
ability to run flows from within customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation),
such as Dynamics 365 Sales and Customer Service, makes it simple for users to combine a broad spectrum of
services that can be initiated from within Dynamics 365 apps, such as messaging, social engagement, and
document routing services.

Environments use the same environment in which the environment resides. For more information about Power
Automate environments, see Using environments within Power Automate
The Power Automate integration feature is not available in the following service or geographic regions.
Microsoft Power Apps US Government
Germany
Once the Power Automate integration feature is enabled, the following privileges are added in the Miscellaneous
section of the Customization tab for security roles.
Name: prvFlow
Name: prvFlow

Prerequisites
A Power Automate connection for customer engagement apps (recommended). More information:
Connectors
One or more flows created in the Power Automate environment to use with customer engagement apps.
More information: Create a flow by using customer engagement apps

Enable or disable Power Automate in your organization


By default, all security roles allow users to run flows on the records that they have access to.
To enable or disable Power Automate integration in your organization, follow these steps.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Product > Behavior.
3. Under Display behavior, select Show Power Automate on forms and in the site map to enable or
disable Power Automate.
4. Select Save.

TIP
The Power Automate menu only lists flows that begin with the When a record is selected Common Data Service trigger and
contain at least one trigger or action that references that entity.

See also
Create and edit web resources
Use Power BI
10/16/2020

Power BI works with model-driven apps in Common Data Service to provide a self-service analytics solution. The
Power BI service automatically refreshes the data displayed. With Power BI Desktop or Office Excel Power Query for
authoring reports, and Power BI for sharing dashboards and refreshing data from model-driven apps or Dynamics
365 apps such as Dynamics 365 Sales and Dynamics 365 Customer Service, integrating Power BI with Common
Data Service provides the personnel in your organization a powerful way to work with data.

Enable Power BI visualization embedding


Before users can embed Power BI visualizations on personal dashboards, the organization-wide setting must be
enabled.

NOTE
This feature was first introduced in CRM Online 2016 Update 1.
By default, Power BI visualization embedding is disabled and must be enabled before users can embed them in personal
dashboards.

Enable Power BI visualizations in an environment


1. In the Power Platform admin center, select an environment.
2. Select Settings > Product > Features.
3. Under Embedded content, set Power BI visualization embedding to On to enable or Off to disable.
4. Select Save.

Add Power BI tiles and dashboards in a model-driven app


To learn more about how to add Power BI tiles to personal dashboards, see Embed Power BI tiles on your personal
dashboard.
To learn more about how to add Power BI dashboards to personal dashboards, see Add a Power BI dashboard on
your personal dashboard.
See also
Use Power BI with Common Data Service data
Install, update, or remove a preferred solution
10/16/2020

You can now manage your solutions in the Power Platform admin center. See Environment-level view of apps.
Add Microsoft 365 Online services
10/16/2020

Integrating Microsoft 365 with customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) is a great
way to enhance your customer relationship management with the power of cloud services: easier maintenance,
broader availability, and better coordination across multiple devices.

The following topics provide information on how to integrate Exchange Online, SharePoint Online, and Skype into
customer engagement apps.

NOTE
For full Microsoft 365 feature integration with Dynamics 365 and Customer Engagement (on-premises), you'll need Microsoft
365 Enterprise E3 or later. Skype for Business PSTN calling and conferencing requires Microsoft 365 Enterprise E5. Other
Microsoft 365 plans are not supported. For more information on licensing and pricing, see:
Dynamics 365 pricing
Dynamics 365 Licensing Guide
Connect to Exchange Online
10/16/2020

With both customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), and Microsoft Exchange Online
hosted as online services, connecting the two is a simpler, more straightforward configuration.

TIP
Check out the following video: Connect to Exchange Online using server-side sync.

IMPORTANT
This feature requires that you have a Microsoft 365 subscription or a subscription to an online service such as SharePoint
Online or Exchange Online. For more information, see What is Microsoft 365 and how does it relate to Dynamics 365
(online)?

Get Exchange ready


To use Exchange Online with customer engagement apps, you must have an Exchange Online subscription that
comes as part of a Microsoft 365 subscription or that can be subscribed to separately. For information on
Exchange Online, see:
Exchange Online
Exchange Online Service Description
Microsoft 365 and Office 365 service descriptions

TIP
To make sure you've got a good connection to Exchange Online, run the Microsoft Remote Connectivity Analyzer. For
information on what tests to run, see Test mail flow with the Remote Connectivity Analyzer.

Verify you have the profile: Microsoft Exchange Online


If you have an Exchange Online subscription in the same tenant as your subscription, customer engagement apps
create a default profile for the email connection: Microsoft Exchange Online. To verify this profile:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Select Active Email Server Profiles and check that the Microsoft Exchange Online profile is in the list.
If the Microsoft Exchange Online profile is missing, verify you have an Exchange Online subscription and
that it exists in the same tenant as your subscription.
4. If there are multiple profiles, select the Microsoft Exchange Online profile and set it as default.

Configure default email processing and synchronization


Set server-side synchronization to be the default configuration method for newly created users.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email settings.
3. Set the processing and synchronization fields as follows:
Server Profile: Microsoft Exchange Online
Incoming Email: Server-Side Synchronization or Email Router
Outgoing Email: Server-Side Synchronization or Email Router
Appointments, Contacts, and Tasks: Server-Side Synchronization
4. Select Save.
All new users will have these settings applied to their mailbox.

Configure mailboxes
New users will have their mailboxes configured automatically with the settings you made in the prior section. For
existing users added prior to the above settings, you must set the Server Profile and the delivery method for email,
appointments, contacts, and tasks.
In addition to administrator permissions, you must have Read and Write privileges on the Mailbox entity to set the
delivery method for the mailbox.
Choose one of the following methods:
Set mailboxes to the default profile
1. In the web app, go to Settings > Email Configuration > Mailboxes.
2. Choose Active Mailboxes.
3. Select all the mailboxes that you want to associate with the Microsoft Exchange Online profile, select Apply
Default Email Settings, verify the settings, and then select OK.

By default, the mailbox configuration is tested and the mailboxes are enabled when you select OK.
Edit mailboxes to set the profile and delivery methods
1. In the web app, go to Settings > Email Configuration > Mailboxes.
2. Select Active Mailboxes.
3. Select the mailboxes that you want to configure, and then select Edit.
4. In the Change Multiple Records form, under Synchronization Method, set Server Profile to
Microsoft Exchange Online.
5. Set Incoming and Outgoing Email to Server-Side Synchronization or Email Router.
6. Set Appointments, Contacts, and Tasks to Server-Side Synchronization.
7. Select Change.

Approve email
To approve emails for customer engagement apps, a user requires:
1. The Approve Email Addresses for Users or Queues privilege.
2. The permissions as described in the table below.
Require admin approval?
Decide which approach you want your organization to follow for mailbox approval.

Permission model
The following table describes the permissions required to approve emails.
Terminology
Yes: can approve email
No: cannot approve email
n/a: not applicable

NOTE
This permission model is being gradually rolled out and will be available once it is deployed to your region. Check the version
number provided below for when the change will be provided.

| Security roles / Applications in use | | Both roles required: Global admin and System admin | Both roles required: Exchange admin and System admin | System admin | Service admin | Exchange admin | Global admin |
|---|---|---|---|---|---|---|---|
| Customer engagement apps | Exchange Online | Yes (2) | Yes (2) | No | No | No | No |
| | Exchange On-premises | Yes (3) | Yes (3) | No (3) | No | n/a | n/a |
| Customer Engagement (on-premises) | Exchange Online | n/a | n/a | Yes (1) | n/a | n/a | n/a |
| | Exchange On-premises | n/a | n/a | Yes (1) | n/a | n/a | n/a |

(1) We recommend you include your Exchange admin in custom business processes your organization follows for
this configuration.
(2) We are updating for customer engagement apps/Exchange Online, for version 9.1.0.5805 or later.
(3) We will be updating for customer engagement apps/Exchange On-premises. Check back for version information.

To determine your version, sign in and in the upper-right corner of the screen, select the Settings button >
About.
Require and configure mailbox approval
Follow these steps to approve email addresses for users and queues. By default, admins, as described in the
Permission model table, are required to approve emails.
Add Approve Email Addresses for Users or Queues privilege
To approve emails, a Dynamics user requires the Approve Email Addresses for Users or Queues privilege. A
system admin can assign the Approve Email Addresses for Users or Queues privilege to any security role
and assign the security role to any user.
To manually assign the Approve Email Addresses for Users or Queues privilege to a security role:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Security roles.
3. Select a security role, and then select the Business Management tab.
4. Under Miscellaneous Privileges, set the privilege level for Approve Email Addresses for Users or
Queues.
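The Permission model table and the privilege requirement above can be applied as an access review of who is actually able to approve mailboxes. The following is an added example, not part of the Microsoft documentation: the role and privilege names are copied from this page, while the user records, the settings dictionary and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Role and privilege names exactly as the page writes them.
SYSTEM_ADMIN, GLOBAL_ADMIN = "System admin", "Global admin"
EXCHANGE_ADMIN, SERVICE_ADMIN = "Exchange admin", "Service admin"
APPROVE_PRIVILEGE = "Approve Email Addresses for Users or Queues"

# Rows of the Permission model table: (application, Exchange deployment).
ONLINE_APPS = "Customer engagement apps"
ONPREM_APPS = "Customer Engagement (on-premises)"
EXCHANGE_ONLINE, EXCHANGE_ONPREM = "Exchange Online", "Exchange On-premises"

# Role combinations the table marks "Yes". Holding every role in any one set
# qualifies; every single-role column for the online apps is "No", so a
# Global admin or Exchange admin who is not also System admin does not qualify.
_PAIRED = (frozenset({GLOBAL_ADMIN, SYSTEM_ADMIN}),
           frozenset({EXCHANGE_ADMIN, SYSTEM_ADMIN}))
_SYSTEM_ONLY = (frozenset({SYSTEM_ADMIN}),)
QUALIFYING_ROLE_SETS = {
    (ONLINE_APPS, EXCHANGE_ONLINE): _PAIRED,   # footnote 2: version 9.1.0.5805 or later
    (ONLINE_APPS, EXCHANGE_ONPREM): _PAIRED,   # footnote 3: update still pending
    (ONPREM_APPS, EXCHANGE_ONLINE): _SYSTEM_ONLY,
    (ONPREM_APPS, EXCHANGE_ONPREM): _SYSTEM_ONLY,
}

# The two settings under "Security and permissions"; the page says both are
# enabled by default, so a missing key is treated as On.
APPROVAL_SETTINGS = ("Process emails only for approved users",
                     "Process emails only for approved queues")


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    privileges: frozenset = frozenset()


def has_qualifying_roles(user, apps, exchange):
    """True if the user holds all roles of at least one qualifying set."""
    return any(needed <= user.roles
               for needed in QUALIFYING_ROLE_SETS[(apps, exchange)])


def classify(user, apps, exchange):
    """Place one user in exactly one review bucket."""
    has_privilege = APPROVE_PRIVILEGE in user.privileges
    has_roles = has_qualifying_roles(user, apps, exchange)
    if has_privilege and has_roles:
        return "approver"
    if has_privilege:
        return "privilege-without-roles"   # grant has no effect under the model
    if has_roles:
        return "roles-without-privilege"   # one privilege grant away from approving
    return "cannot-approve"


def review(users, apps, exchange, email_settings):
    """Bucket every user and list approval settings that are switched Off."""
    buckets = {"approver": [], "privilege-without-roles": [],
               "roles-without-privilege": [], "cannot-approve": []}
    for user in users:
        buckets[classify(user, apps, exchange)].append(user.name)
    buckets["approval-not-required"] = [
        s for s in APPROVAL_SETTINGS if email_settings.get(s, True) is False]
    return buckets


# Constructed sample data: no real tenant, user or export format is implied.
_P = frozenset({APPROVE_PRIVILEGE})
SAMPLE_USERS = [
    User("alice", frozenset({GLOBAL_ADMIN, SYSTEM_ADMIN}), _P),
    User("bob", frozenset({GLOBAL_ADMIN}), _P),
    User("carol", frozenset({EXCHANGE_ADMIN, SYSTEM_ADMIN})),
    User("dave", frozenset({SYSTEM_ADMIN}), _P),
    User("erin", frozenset({SERVICE_ADMIN})),
]
SAMPLE_SETTINGS = {"Process emails only for approved users": True,
                   "Process emails only for approved queues": False}

if __name__ == "__main__":
    for row in QUALIFYING_ROLE_SETS:
        print(row, review(SAMPLE_USERS, *row, SAMPLE_SETTINGS))
```

With the sample data, the same user list yields different approvers for the online and on-premises rows, and the queue setting switched Off is reported separately because approval is then not required for queues at all.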
Approve mailboxes
1. In the web app, go to Settings > Email Configuration > Mailboxes.
2. Select Active Mailboxes.
3. Select the mailboxes that you want to approve, and then select More Commands (…) > Approve Email.
4. Select OK.
Remove requirement to approve mailboxes
Admins, as described in the Permission model table, can change the settings so mailbox approval is not required.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Email settings.
3. Under Security and permissions, set Process emails only for approved users and Process emails
only for approved queues to Off. These settings are enabled by default.
4. Select Save.

Test configuration of mailboxes


1. In the web app, go to Settings > Email Configuration > Mailboxes.
2. Select Active Mailboxes.
3. Select the mailboxes you want to test, and then select Test & Enable Mailbox.

This tests the incoming and outgoing email configuration of the selected mailboxes and enables them for
email processing. If an error occurs in a mailbox, an alert is shown on the Alerts wall of the mailbox and the
profile owner. Depending on the nature of the error, customer engagement apps try to process the email
again after some time or disable the mailbox for email processing.
To see alerts for an individual mailbox, open the mailbox and then under Common, select Alerts.
The result of the email configuration test is displayed in the Incoming Email Status, Outgoing Email
Status, and Appointments, Contacts, and Tasks Status fields of a mailbox record. An alert is also
generated when the configuration is successfully completed for a mailbox. This alert is shown to the
mailbox owner.
You can find information on recurring issues and other troubleshooting information in Blog: Test and Enable
Mailboxes in Microsoft Dynamics CRM 2015 and Troubleshooting and monitoring server-side
synchronization.
Make sure you've got a good connection to Exchange Online by running the Microsoft Remote Connectivity
Analyzer. For information on what tests to run, see Test mail flow with the Remote Connectivity Analyzer.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items
with Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more
about this check box.

Test email configuration for all mailboxes associated with an email server profile
1. In the Power Platform admin center, select an environment.
2. Select Settings > Email > Server profiles.
3. Select the Microsoft Exchange Online profile, and then select Test & Enable Mailboxes.
When you test the email configuration, an asynchronous job runs in the background. It may take a few
minutes for the test to be completed. Customer engagement apps test the email configuration of all the
mailboxes associated with the Microsoft Exchange Online profile. For the mailboxes configured with server-
side synchronization for synchronizing appointments, tasks, and contacts, it also checks to make sure
they're configured properly.

TIP
If you're unable to synchronize contacts, appointments, and tasks for a mailbox, you may want to select the Sync items
with Exchange from this org only, even if Exchange was set to sync with a different org check box. Read more
about this check box.

See also
Troubleshooting and monitoring server-side synchronization
Test mail flow by validating your connectors
Set up customer engagement apps to use SharePoint Online
10/16/2020

When you use SharePoint Online with customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation),
you can:
Create, upload, view, and delete documents stored in SharePoint from within customer engagement apps.
Use the SharePoint document management abilities within customer engagement apps, such as checking
the document in and out and changing document properties.
Enable non-customer engagement apps users, such as customers who want to review a bid, to directly
access the SharePoint documents, provided they have the appropriate permissions.

IMPORTANT
This topic is for organizations who wish to deploy for the first time or upgrade to server-based SharePoint integration. After
you enable server-based SharePoint integration, you can't revert to the previous client-based authentication method.

TIP
Check out the following video: Connect to SharePoint Online

To set up customer engagement apps to use SharePoint Online, complete the following steps.

Assign user permissions to the Team SharePoint site


Your customer engagement apps and Microsoft 365 users are not automatically allowed access to your SharePoint
sites. You must work within the SharePoint site to assign specific permission levels to individual users or groups.
Assign users to the Team site
1. Browse to the Microsoft 365 admin center and sign in using Microsoft 365 Global administrator credentials.
2. Open the Microsoft 365 app launcher, and then select SharePoint.
3. On the left-side menu, select Team Site.
4. On the Home page, select SHARE (upper-right corner).

5. To view the default permissions for your team site, select lots of people.
6. By default, all users in your Microsoft 365 organization are able to add and edit documents on the Team
SharePoint site. To invite others, choose Invite people and add people external to your organization to
share documents.
For more information about SharePoint permissions, see Introduction: Control user access with permissions

Configure customer engagement apps for SharePoint document management
If you are a new organization and have not yet deployed document management, see Configure a new
organization.
If your organization is already using document management with Microsoft Dynamics CRM List Component, you
must switch to server-based SharePoint integration. More information: Switching from the list component or
changing the deployment

IMPORTANT
Server-based SharePoint integration uses the entity display name to build the SharePoint library. When you upgrade to
server-based SharePoint integration, be sure to check that the display names in your document library on SharePoint match
the entity display names. More information: "Validation Error" when you try to configure server-based SharePoint
integration for Microsoft Dynamics CRM Online and SharePoint Online.
These names should match.
Configure a new organization
If your organization has not deployed document management, when a System Administrator logs in an alert
message will be displayed to enable server-based SharePoint integration.

NOTE
If you don't see the alert and have not previously enabled server-based SharePoint integration, clear your browser cache or
open customer engagement apps using Internet Explorer with InPrivate browsing to have the alert display again. Once you
configure server-based integration, the alert will no longer appear.

1. In the Power Platform admin center, select an environment.


2. Select Settings > Integration > Document management settings, and then select Enable server-based SharePoint integration.
3. In the Enable Server-based SharePoint Integration alert, select Next.
4. Choose Online for where your SharePoint sites are located, and then choose Next.

5. If your customer engagement apps are not connected to a SharePoint online site, enter the URL (for
example https://contoso.sharepoint.com) of your SharePoint site that you will use for auto folder creation,
and then choose Next.

TIP
To see your SharePoint site collections, in the Microsoft 365 admin center, select Admin centers > SharePoint,
and then select site collections.
6. The URL will be checked for being a valid SharePoint online site and for existing in the same Microsoft 365
tenant as your organization. After enabling server-based SharePoint integration you can't go back to the
previous client-side integration. Choose Enable.
Next steps
Once server-based SharePoint integration is enabled you will need to enable the entities you want available for
document management integration. More information: Enable document management on entities
Once server-based SharePoint integration is enabled you can also enable integration with OneNote and OneDrive.
More information: Set up OneNote integration and Enable OneDrive for Business (online)

Using Document Management


You are now ready to add document storage locations to the entities you enabled above and start managing
documents. Begin by opening a document management-enabled record (for example, Contact).
1. Browse to your web application.
2. Choose an account, such as the Adventure Works sample account.
3. On the nav bar, select the down arrow next to the account name, and then select Documents.

4. Select Upload, and then browse to a document to upload to the new folder in your Microsoft
365 SharePoint Online Team site.
5. Select a folder location, and then select Ok.
6. To see the document in your Microsoft 365 SharePoint Online Team site, select to the left of the document
name (you'll see a check mark), and then select Open Location.

7. Select Site Contents to see all the document libraries created for the managed entities you selected.
The entities you selected to be managed by Document Management appear as document libraries (for
example: Account, Article, Case, Lead, Opportunity, Product, Quote, and Sales Literature).

Known issue
SharePoint Online has introduced a new feature that enables a SharePoint or global administrator in Microsoft
365 to block or limit access to SharePoint and OneDrive content from unmanaged devices. For more information,
see Control access from unmanaged devices.
You can set access at three levels:
1. Allow full access from desktop apps, mobile apps and the web
2. Allow limited, web-only access
3. Block access
For "Block Access" level, only devices that satisfy the AD trust policy defined by the SharePoint or global admin can
open SharePoint site and perform operations.
Impact on customer engagement apps and SharePoint Online integration
When SharePoint Online is configured for "Block Access", customer engagement apps receive a 401
Unauthorized response from SharePoint Online for all operations triggered using server-to-server integration.
This is because SharePoint Online rejects the AppAssertedUser token (the claims-based token which is used for
server-to-server authentication between customer engagement apps and SharePoint Online).
Workaround
As a workaround, you can set the unmanaged devices policy to "Allow full access from desktop apps, mobile apps,
and the web" on SharePoint Online.
1. Sign in to https://admin.microsoft.com as a global or SharePoint admin. If you see a message that you don't
have permission to access the page, you don't have Microsoft 365 administrator permissions in your
organization.
2. In the left pane, select Admin centers > SharePoint.
3. In the SharePoint admin center, select access control in the left pane.

4. Under Unmanaged devices, select Allow full access from desktop apps, mobile apps, and the
web.
5. Select Ok.

Information transmitted between customer engagement apps and SharePoint when you use server-based SharePoint integration
When you use the document management feature in customer engagement apps by using server-based
SharePoint integration, the following information is transmitted between customer engagement apps and
SharePoint:
Entity name for the entity that is used to create folders in SharePoint, such as Account, Article, or Lead. To
configure the entities that are integrated, go to Settings > Document Management > Document
Management Settings.
See also
Manage your documents using SharePoint
Skype for Business and Skype integration
10/16/2020

If your organization uses Skype for Business (formerly known as Lync) or Skype, you can take advantage of
connectivity features like click-to-call or checking user availability from within model-driven apps in Dynamics 365,
such as Dynamics 365 Sales and Customer Service, or Microsoft Dynamics 365 for Outlook.

Using Skype for Business with model-driven apps in Dynamics 365


When you use Skype for Business and Dynamics 365 apps together, you can use Skype for Business presence and
click-to-call from within Dynamics 365 apps.
Your organization must have a Skype for Business Online license.
Client requirements and configuration
To use click-to-call, Skype for Business must be selected as the telephony provider. You can set this by
selecting an environment in the Power Platform admin center, and then select Settings > Product >
Features. Under Communications, review the Skype settings.
By default, Skype for Business presence is enabled in model-driven apps in Dynamics 365. System
administrators can enable or disable presence in model-driven apps in Dynamics 365. To do this, set Skype
presence to On or Off.
Each user must have the Skype for Business client installed and running on their PC.
For Skype for Business presence, users must have https://*.dynamics.com added to their web browser's
trusted sites list in Internet options in Internet Explorer.
Supported devices and web browsers when you use Skype for Business with model-driven apps in Dynamics 365
| Mobile app or web browser | Skype for Business click-to-call | Skype for Business presence |
|---|---|---|
| Dynamics 365 for iPad | Yes | No |
| Dynamics 365 for Android | Yes | No |
| Windows-based tablets | Yes | No |
| Internet Explorer | Yes | Yes |
| Google Chrome | Yes | No |
| Mozilla Firefox | Yes | No |
| Apple Safari | Yes | No |

Using Skype with model-driven apps in Dynamics 365


When you use Skype and model-driven apps in Dynamics 365 together, you can use Skype click-to-call from within
model-driven apps in Dynamics 365.
Client requirements and configuration
Each user must have the Skype for Windows desktop client or the Skype for Windows 8 app installed and
running on their PC or Windows 8 device.
Skype must be selected as the telephony provider. Select an environment in the Power Platform admin
center, and then select Settings > Product > Features. Under Communications, set Set the telephony
provider to Use Skype for Business.
Supported devices and web browsers when you use Skype with model-driven apps in Dynamics 365
| Mobile app or web browser | Skype click-to-call |
|---|---|
| Dynamics 365 for iPad | Yes |
| Dynamics 365 for Android on Android tablets | Yes |
| Windows-based tablets | Yes |
| Internet Explorer | Yes |
| Google Chrome | Yes* |
| Mozilla Firefox | Yes** |
| Apple Safari | Yes |

* The Skype Click-to-call plugin must be installed on the Chrome browser and enabled. More information: How do I
enable Skype Click to Call in Chrome?
Additionally, Skype click-to-call is supported with Dynamics 365 for Windows 8, Dynamics 365 for Windows 8.1,
and Windows 10.
See also
Set up model-driven apps in Dynamics 365 to use Skype or Skype for Business
Requirements
Set up customer engagement apps to use Skype or Skype for Business
10/16/2020

When you use Skype for Business and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation),
your organization can benefit from these capabilities:
Real-time communications with customers, colleagues, and team members without leaving customer
engagement apps. Click or tap a person's phone number to call them.
Track meetings as Activities.
Get Presence information for members of the same email domain you are signed in with in Skype for
Business.

Set up Skype in customer engagement apps


1. In the Power Platform admin center, select an environment.
2. Select Settings > Product > Features.
3. Under Communications, verify that Skype presence is set to On and Set the telephony provider is set
to Use Skype for Business.
4. Browse to the Microsoft 365 admin center and sign in using Microsoft 365 Global administrator credentials.
5. On the Microsoft 365 admin center page, click or tap Admin > Skype for Business > organization.
6. Choose the general tab. Review and set the presence privacy mode.
NOTE
Presence information is shown for members of the same email domain you are signed in to with Skype for Business.
For example, if you are signed in with someone@contoso.com, you will see presence for other @contoso.com users.
Instruct users to add the following as trusted sites in their browser:
https://*.dynamics.com
https://*.lync.com
https://*.sharepoint.com
https://login.microsoftonline.com

7. Choose the external communications tab. Review and set the external access and public IM
connectivity settings.

Tracking Skype
Now that Skype is set up, your Skype calls are tracked as activities.

See also
Skype for Business and Skype integration
Skype for Business help
Deploy Microsoft 365 groups Dynamics 365 (online)
10/16/2020

Microsoft 365 Groups, available with Dynamics 365 apps, provides a new environment for collaboration with
Microsoft 365 users who don't use customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation).
For example, use Microsoft 365 Groups when a sales team has
a major opportunity requiring input from several people who don't have access to customer engagement apps.
Microsoft 365 Groups provides a single location to share documents, conversations, meetings, and notes. You can
enable Microsoft 365 Groups for any entity.

TIP
Check out the following for a quick introduction to Microsoft 365 Groups:
Video: Introducing Groups in Microsoft 365.
Learn more about groups

Requirements
The following are required to use Microsoft 365 Groups with customer engagement apps:
Customer engagement apps
This feature requires that you have a Microsoft 365 subscription or a subscription to an online service such
as SharePoint Online or Exchange Online.
To use document storage with Microsoft 365 Groups, you will need SharePoint Online and access to the
group OneNote notebook.
Exchange Online

Provision Microsoft 365 groups


Microsoft 365 Groups is a solution you provision from your Microsoft 365 admin center.

NOTE
Users must have an Exchange Online mailbox set up to use Microsoft 365 Groups. Exchange Online is already properly
configured for organizations as a part of Microsoft 365. You also need to enable server-based SharePoint integration to see
documents in a Microsoft 365 Group; you don't have to use SharePoint integration, only set up the connection to
SharePoint Online. Server-based SharePoint integration is also required to enable the group OneNote notebook.
More information: Set up customer engagement apps to use SharePoint Online

1. Sign in to the Power Platform admin center.


2. Select Resources > Dynamics 365 apps.
3. Select Office365Groups and then select Install.
Once installation of the solution has completed, you can configure Microsoft 365 Groups.

NOTE
When you install a solution, your site is taken offline in maintenance mode for a short time. We recommend you install the
solution when it's least disruptive to users.

Check required privileges


The security privilege, ISV Extensions, is required to use Microsoft 365 Groups. You can add or remove this
privilege from custom or default security roles to meet your business needs. If a user doesn't have this privilege,
they won't be able to see the Microsoft 365 Groups item in a record's navigation menu.
1. Sign in to the Power Platform admin center as an admin (Service admin, Global admin, or Delegated admin).
2. From the left-side menu, select Environments, and then select an environment.
3. Select Settings > Users + permissions > Security roles.
4. Choose the security role to check and then select the Customization tab.
5. In the Miscellaneous Privileges section, review the ISV Extensions privilege setting. If the security role
doesn't have the ISV Extensions privilege, select it to set it to Organization.
6. Select Save and Close.

Configure Microsoft 365 groups


Once you provision Microsoft 365 Groups, you can enable them for any entity. Security group membership is
associated with the entity. You configure Microsoft 365 Groups in customer engagement apps.
1. In the web app, go to Settings > Microsoft 365 groups. You may need to first select the Gear icon >
Advanced settings.
2. On the Microsoft 365 Groups Integration Settings page, select Add entity and choose an entity
from the drop-down list. Repeat this step for each entity you want to enable, including custom entities.
3. Optionally, you can select Auto-create for an entity to have a new group automatically created when a new
record for that entity is created. However, we recommend you choose this option only for entities that
typically require large groups to collaborate.
4. When you have added all the entities you want to enable for Microsoft 365 Groups, select Publish All.
All of your pending system customizations will be published, including those you may have saved but not
published in another area.
You're now ready to use Microsoft 365 Groups. See Collaborate with your colleagues using Microsoft 365 groups.

Use the Microsoft 365 Connectors for Groups


Use the Microsoft 365 Connectors for Groups to connect new or existing Microsoft 365 Groups with customer
engagement apps so the group is notified when new activities are posted. To set it up, follow these steps:
TIP
Check out the following Blog: Dynamics CRM Online connector for Microsoft 365 groups

1. Sign in to your Microsoft 365 Outlook.
2. Create or choose a Microsoft 365 Group.
3. Select Connect your apps.
4. Scroll down to Dynamics 365, and then select Add.
5. If you have access to more than one environment, choose which environment to connect to this Microsoft
365 Group. If you only have access to one environment, this step will be skipped and you will advance to the
next step.
6. Choose the record you want to connect this Microsoft 365 Group to, and then select Save.
Once connected, the connector shows up at the top of the connection list with a summary of connected
records.

To delete a connected record, select View, and then select Remove.


NOTE
Note the following about the Microsoft 365 Connectors for Groups:
Only account, lead, and opportunity records are supported.
You can connect up to five records.
Only task type activities are sent to the group as connector cards.
The activity appears as a new conversation in a card format in the Group.
The fields in the card shown in the Group conversation are not customizable.
Nothing is required in customer engagement apps to make the connector work.
For sensitive information, you should connect your record to a private group where only approved members can view
contents. For public groups, everyone in the org has access to view contents. See "Public and private Microsoft 365
groups" in Learn more about groups.

Privacy notice
When a user leverages the Microsoft 365 groups feature to connect an Office Group to customer engagement
apps, data (including new conversations and documents) will be stored on the Exchange and/or SharePoint system
and shared with the members of that Office Group, even if they are not licensed or authorized users. Users will only
be able to share the data that they have access to, and Administrators can limit the data that is shared by limiting
the access privileges of their users.
See also
Collaborate with your colleagues using Microsoft 365 groups
CRM Blog: Dynamics CRM Online connector for Microsoft 365 groups
Set up customer engagement apps to use Exchange Online
Enable viewing profile cards
10/16/2020 • 2 minutes to read

Microsoft's people experience is centered around profile cards that have been around in Microsoft Outlook and
other Office apps and services on the web. When you select someone's name or picture in Outlook or other Office
apps, you can find information related to them on their profile card. The profile card is also sometimes referred to
as contact card or people card. Profile cards are available on contacts and users in any Unified Interface app.

NOTE
If multi-factor authentication has been enabled for Microsoft 365 services and not enabled for customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics
365 Project Service Automation), profile cards will not be rendered for users in Unified Interface.
The profile card feature involves a network call to the Microsoft 365 service to display the card. Make sure that the
following endpoints are reachable by configuring and updating network perimeter devices such as firewalls and proxy
servers.
*.loki.delve.office.com
loki.delve.office.com
loki.delve-gcc.office.com
lpcres.delve.office.com
Port: TCP:443
To view the complete endpoint requirements for connectivity from a user's machine to Microsoft 365 for profile cards to be
displayed in Unified Interface, see Microsoft 365 URLs and IP address ranges ID 130.

Prerequisites
The following settings/environment are required for profile cards to be enabled in customer engagement apps.
1. Microsoft 365 (Exchange Online)
2. Unified Interface Build 9.1.0.4626 or higher
3. Enable Admin setting
a. In the web app, navigate to Settings > Administration > System Settings.
b. Select the General tab.
c. For Enable users to view contact cards, select Yes, and then OK.
For information on how to use profile cards, see View the profile card for a contact or user.
Set up OneNote integration
10/16/2020 • 2 minutes to read

Gather your thoughts, ideas, plans and research in one single place with OneNote in customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation).
When you turn on OneNote integration in customer engagement apps, you have the benefits of using OneNote to
take or review customer notes from within your records.
You can configure OneNote in customer engagement apps when you're also using SharePoint Online. You must
have a subscription to Microsoft 365 to use OneNote in customer engagement apps.

Step 1: Turn on server-based SharePoint integration


Before you can enable OneNote integration, you need to turn on server-based SharePoint integration.
Make sure you have the System Administrator security role or equivalent permissions in Microsoft Dynamics 365.
Or, make sure that you have Read and Write privileges on all record types that are customizable.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Step 2: Turn on OneNote integration


When server-based SharePoint integration is turned on, OneNote integration is listed in Document
Management.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Integration > Document management settings.
3. Select OneNote Integration.
4. Follow the instructions in the wizard to turn on OneNote integration for selected entities. Choose entities
that need a full notebook per record. Only entities that are already enabled for document management are
listed. Select Finish.

5. You can also enable OneNote integration for an entity from the customization form, as long as document
management has been enabled for that entity.

6. A OneNote notebook is automatically created for a record the first time you select the OneNote tab in the
activities area in customer engagement apps. After the dedicated OneNote notebook is created for that
record, you can view and navigate to that notebook from any Dynamics 365 apps client.
More information: Use OneNote
To turn off OneNote integration
1. In the Power Platform admin center, select an environment.
2. Select Settings > Integration > Document management settings.
3. Select OneNote Integration.
4. In the OneNote Integration Setting dialog box, clear the check boxes for all entities, and then select
Finish.
See also
Use OneNote
OneNote FAQs
Turn on server-based SharePoint integration
Enable OneDrive for Business (online)
10/16/2020 • 2 minutes to read

This feature was introduced in CRM Online 2016 Update.


Users can create and manage private documents with OneDrive for Business. Those documents can be accessed in
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), after the system administrator has
enabled OneDrive for Business.

Requirements
NOTE
This topic applies to organizations deploying online versions of OneDrive for Business and customer engagement apps. For
information on integrating OneDrive for Business on-premises with Dynamics 365 apps, or an online/on-premises mix of
these products, see: Enable OneDrive for Business (on-premises).

The following are required to use OneDrive for Business with customer engagement apps:
Set up customer engagement apps to use SharePoint Online.
A OneDrive for Business license for each user. More information: What is OneDrive for Business?
A SharePoint license for each user. Users with a SharePoint license can use OneDrive for Business. For
SharePoint Online, Microsoft 365 subscriptions come with SharePoint Online licenses.
For full Microsoft 365 feature integration with Dynamics 365 and Customer Engagement (on-premises),
you'll need Microsoft 365 Enterprise E3 or later. Skype for Business PSTN calling and conferencing requires
Microsoft 365 Enterprise E5. Other Microsoft 365 plans are not supported. For more information on
licensing and pricing, see:
Dynamics 365 pricing
Dynamics 365 Licensing Guide
Before using OneDrive for Business in customer engagement apps, the administrator and end users should
access OneDrive for Business through the web interface. For example, if you're using SharePoint Online, go
to https://admin.microsoft.com > app launcher > OneDrive. The site and other information
required by customer engagement apps to enable OneDrive for Business integration gets created only
when the site is accessed.

Enable OneDrive for Business


You can enable OneDrive for Business as follows.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Integration > Document management settings.
3. Select Enable OneDrive for Business to enable it, and then select OK.

Controlling access to OneDrive for Business


You can toggle availability of OneDrive in customer engagement apps for end users through the OneDrive for
Business privilege.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Security roles.
3. Select a security role, and then select the Core Records tab.
4. Under Miscellaneous Privileges, toggle the OneDrive for Business privilege to the desired availability.

See also
Enable OneDrive for Business (on-premises)
What is OneDrive for Business?
Enable OneDrive for Business (on-premises)
10/16/2020 • 2 minutes to read

Users can create and manage private documents with OneDrive for Business. Those documents can be accessed
within after the system administrator has enabled OneDrive for Business.

Requirements
The following are required to use OneDrive for Business with Dynamics 365 Server.

NOTE
This topic applies to organizations deploying on-premises versions of OneDrive for Business and customer engagement
apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation), or an online/on-premises mix of these products. For information on integrating
OneDrive for Business online with customer engagement apps, see: Enable OneDrive for Business.

Set up SharePoint integration and have at least one team site.


Set up permission on the root SharePoint team site for all users who will use OneDrive for Business in
customer engagement apps. More information: Plan sites and manage users
For SharePoint on-premises, enable the Search service to access shared documents from other users. It is
enabled by default on SharePoint Online but not on SharePoint on-premises. More information: Create and
configure a Search service application in SharePoint Server 2013

Enable OneDrive for Business


You enable OneDrive for Business as follows:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Integration > Document management settings.
3. Select Enable OneDrive for Business to enable it, and then select OK.
If you're running SharePoint Server on-premises, on the Windows Server where SharePoint Server is
running, open the SharePoint Management Shell and run the following commands to set up permissions
between SharePoint and Dynamics 365 Server.

NOTE
You might have already set up permissions and can skip the following if you completed the steps in Configure server-based
authentication with customer engagement apps and SharePoint on-premises.

# Load the installed PowerShell snap-ins, including the SharePoint one
Add-Pssnapin *

# Access WellKnown App principal
[Microsoft.SharePoint.Administration.SPWebService]::ContentService.WellKnownAppPrincipals

# Create WellKnown App principal
$ClientId = "00000007-0000-0000-c000-000000000000"
$PermissionXml = "<AppPermissionRequests AllowAppOnlyPolicy=""true""><AppPermissionRequest Scope=""http://sharepoint/content/tenant"" Right=""FullControl"" /><AppPermissionRequest Scope=""http://sharepoint/social/tenant"" Right=""Read"" /><AppPermissionRequest Scope=""http://sharepoint/search"" Right=""QueryAsUserIgnoreAppPrincipal"" /></AppPermissionRequests>"

$wellKnownApp = New-Object -TypeName "Microsoft.SharePoint.Administration.SPWellKnownAppPrincipal" -ArgumentList ($ClientId, $PermissionXml)

# Save the registration
$wellKnownApp.Update()
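
The permission request above grants tenant-wide rights with the app-only policy enabled, so it is worth reviewing what a given XML string asks for before calling Update(). The following is an added example, not part of the original documentation: Get-AppPermissionReview and Compare-AppPermissionRequest are hypothetical helper names, the "candidate" XML is constructed, and only .NET XML parsing is used (no SharePoint cmdlets).

```powershell
# Added example. Helper names are hypothetical; no SharePoint cmdlets are called.
function Get-AppPermissionReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$PermissionXml
    )

    # Parse as XML so attribute order, quoting and line breaks do not matter.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($PermissionXml)
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'AppPermissionRequests') {
        throw "Unexpected root element '$($root.LocalName)'."
    }

    # With the app-only policy the principal acts without a signed-in user's context.
    $appOnly = $root.GetAttribute('AllowAppOnlyPolicy') -eq 'true'

    foreach ($request in $root.SelectNodes('*[local-name()="AppPermissionRequest"]')) {
        $scope = $request.GetAttribute('Scope')
        $right = $request.GetAttribute('Right')
        $tenantWide = $scope -like '*/tenant'

        # Review priority: FullControl across the whole tenant comes first.
        if ($right -eq 'FullControl' -and $tenantWide) {
            $priority = 'High'
        } elseif (@('FullControl', 'Manage', 'Write') -contains $right) {
            $priority = 'Medium'
        } else {
            $priority = 'Low'
        }

        [pscustomobject]@{
            Scope      = $scope
            Right      = $right
            TenantWide = $tenantWide
            AppOnly    = $appOnly
            Priority   = $priority
        }
    }
}

function Compare-AppPermissionRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$BaselineXml,
        [Parameter(Mandatory = $true)][string]$CandidateXml
    )

    $baseline = @(Get-AppPermissionReview -PermissionXml $BaselineXml |
        ForEach-Object { '{0}|{1}|AppOnly={2}' -f $_.Scope, $_.Right, $_.AppOnly })

    # Anything the candidate requests that the reviewed baseline does not needs sign-off.
    Get-AppPermissionReview -PermissionXml $CandidateXml |
        Where-Object { $baseline -notcontains ('{0}|{1}|AppOnly={2}' -f $_.Scope, $_.Right, $_.AppOnly) }
}

# The request exactly as documented on this page (reviewed baseline).
$documentedXml = @'
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Read" />
  <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal" />
</AppPermissionRequests>
'@

# Constructed variant, standing in for a locally edited copy of the script.
$candidateXml = @'
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Write" />
  <AppPermissionRequest Scope="http://sharepoint/search" Right="QueryAsUserIgnoreAppPrincipal" />
</AppPermissionRequests>
'@

# What the documented request grants, highest review priority first.
Get-AppPermissionReview -PermissionXml $documentedXml |
    Sort-Object @{ Expression = { @('High', 'Medium', 'Low').IndexOf($_.Priority) } } |
    Format-Table -AutoSize

# Grants in the candidate that go beyond the documented request.
Compare-AppPermissionRequest -BaselineXml $documentedXml -CandidateXml $candidateXml |
    Format-Table Scope, Right, AppOnly, Priority -AutoSize
```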

Controlling access to OneDrive for Business


You can toggle availability of OneDrive for end users through the OneDrive for Business privilege.
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Security roles.
3. Choose a security role, and then select the Core Records tab.
4. Under Miscellaneous Privileges, toggle the OneDrive for Business privilege to the desired availability.

NOTE
This privilege is visible in the Security Roles dialog only after OneDrive for Business is enabled.

See also
Set up SharePoint integration
Use OneDrive for Business to manage your private documents
What is OneDrive for Business?
SharePoint Online and OneDrive for Business: software boundaries and limits
Connect to Yammer
10/16/2020 • 3 minutes to read

Yammer gives colleagues at your organization a central place to have conversations, create and edit documents,
and share information without sending a single email or attending any meetings.
After you set up your organization to work with Yammer, employees will see posts in a newsfeed on their customer
engagement apps dashboard whenever people update customer info, and they'll be able to join in the conversation
with their own posts.

Connect your organization to Yammer


Prerequisites
Before your organization can use Yammer in customer engagement apps (Dynamics 365 Sales, Dynamics
365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project
Service Automation), your organization needs to buy Yammer enterprise licenses.
Yammer integration is only available for customer engagement apps.
Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
You'll also need to have verified system administrator privileges for your organization's Yammer account.
Install the most recent product updates for customer engagement apps.
Meet browser and system requirements.
Connect to Yammer
1. Sign up for a Yammer Enterprise account, and note the name of the network you receive. More information:
Visit the Yammer website
2. Go to Settings > System.
3. In the Power Platform admin center, select an environment.
4. Select Settings > Integration > Yammer.
5. Read the disclaimer, and then choose Continue.
6. Choose Authorize Microsoft Dynamics 365 Online to connect to Yammer.
7. Sign in to your enterprise Yammer account using your administrator credentials.
8. Follow the on-screen instructions to accept the Yammer terms of service, note which Yammer network has
been set up for you, and connect your organization to it. After your organization is connected, you'll see a
confirmation message at the bottom of the screen.

NOTE
Customer engagement apps only support connecting to the primary Yammer network. Connecting to External
Networks in Yammer is not supported.

9. If desired, stay signed in to your Yammer account and set your organization's preferences for Yammer posts.
Set your organization's preferences for Yammer posts (optional)
1. Make sure you're signed in to your enterprise Yammer account using your administrator credentials.
2. If desired, select whether Yammer posts are public (everyone sees customer engagement apps posts in the
newsfeed) or private (people must "follow" a record to see posts about that record in the newsfeed).
3. If desired, select the default group where you would like posts to appear.
4. If desired, select which record types trigger automatic posts to the Yammer newsfeed.

Enable entities for Yammer


Once you've connected customer engagement apps to Yammer, you need to specify which entities are enabled for
use with Yammer. Enabled entities can be followed by users.
1. Go to Settings > System.
2. Choose Activity Feeds Configuration > Post Configurations.
3. Choose the entity, and then choose Activate.
4. Confirm the activation, and then choose More Commands (…) > Publish All Customizations.

What triggers automatic posts to the Yammer newsfeed?


IMPORTANT
As of June 26, 2018, Yammer deprecated the Activity stream and its related APIs so auto-posts can no longer be enabled.
For more information, see Open Graph Actions & Activity stories.

Additional considerations
When connecting with a federated Yammer
If you have configured Yammer to use single sign-on, you'll need to generate and use a temporary password to
connect to Yammer.
1. Sign in to Yammer with the single sign-on credentials.
2. Choose More commands (…) > Apps.
3. Scroll to the bottom of the page to the All Apps section.
4. Choose the Yammer tab, and then choose an app like Windows Phone. The app must support generating a
temporary password.
5. Complete the process to obtain a temporary user name and password.
6. Use the temporary user name and password to complete the customer engagement apps to Yammer
connection configuration.
Add Yammer sites to the browser as trusted
Add your Yammer sites to your browser as trusted. For example, for customer engagement apps, add the following:
https://*.crm.dynamics.com
https://*.yammer.com
https://*.assets-yammer.com
Privacy notice
By enabling Yammer, you consent to share your data with an external system. Data that is imported from external
systems into Microsoft Dynamics 365 (online) is subject to Microsoft Privacy and Cookies.
See also
Visit the Yammer website
Performance tuning and optimization
10/16/2020 • 2 minutes to read

Use this information to help you plan and optimize application performance with customer engagement apps
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation).
We recommend that you not run operations that require intensive database transactions concurrently. Similarly,
don’t run operations that require intensive database transactions during normal business hours when users are
most likely to access the system.
Examples of operations that require intensive database transactions:
Enabling one or more language packs
Solution import, upgrade, delete, or export
Install or upgrade apps from Microsoft AppSource or the Dynamics 365 admin center
Publishing customizations
Large bulk record operations, such as a business unit change when the business unit has a very large number of
records associated
See also
Verify network capacity and throughput for clients
Verify network capacity and throughput for clients
10/16/2020 • 2 minutes to read

The primary characteristics of a network that affect the performance of customer engagement apps (Dynamics 365
Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365
Project Service Automation), or Dynamics 365 for Outlook, are bandwidth and latency.
Bandwidth is the width or capacity of a specific communications channel.
Latency is the time required for a signal to travel from one point on a network to another, and is a fixed cost
between two points.
One of the main causes of poor performance of customer engagement apps is the latency of the network over
which the clients connect to the organization. Lower latencies (measured in milliseconds) generally provide better
levels of performance.
Notice that, even if the latency of a network connection is low, bandwidth can become a performance degradation
factor if there are many resources sharing the network connection, for example, to download large files or send
and receive email.
Networks with high bandwidth don't guarantee low latency. For example, a network path traversing a satellite link
often has high latency, even though throughput is very high. It's common for a network round trip traversing a
satellite link to have five or more seconds of latency. An application designed to send a request, wait for a reply,
send another request, wait for another reply, and so on, will wait at least five seconds for each packet exchange,
regardless of the speed of the server.

How to check latency


Customer engagement apps include a basic diagnostic tool that analyzes the client-to-organization connectivity
and produces a report. To run the Diagnostics tool, follow these steps.
1. On the user's computer or device, start a web browser, and sign in to an organization.
2. Enter the following URL, https://myorg.crm.dynamics.com/tools/diagnostics/diag.aspx, where
myorg.crm.dynamics.com is the URL of your organization.
3. Click Run.
The report displays a table with test and benchmark information. Of particular importance is the Latency Test
row value. This value is an average of twenty individual test runs. Generally, the lower the number, the better the
performance of the client. Although users may receive a satisfactory experience by using connections with more
latency, for best application performance we recommend that the value be 150 ms (milliseconds) or less.

Best practices for improving application performance


Maximize how quickly your forms load. More information: Optimize form performance
Make sure you aren't using legacy form rendering, which can make forms take significantly longer to load.
More information: System Settings dialog box - General tab
See also
Performance tuning and optimization
Data query performance
10/16/2020 • 2 minutes to read

To improve query performance, index management is executed automatically using Azure SQL Database automatic
tuning. Consequently, there’s no need to manually configure recommendations to create or drop indexes in
customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), or Azure SQL Database. More
information: Automatic tuning in Azure SQL Database
See also
Performance tuning and optimization
Compliance and data privacy
10/16/2020 • 5 minutes to read

Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory
compliance. Microsoft’s broad suite of cloud products and services are all built from the ground up to address the
most rigorous security and privacy demands of our customers.
To help your organization comply with national, regional, and industry-specific requirements governing the
collection and use of individuals’ data, Microsoft provides the most comprehensive set of compliance offerings
(including certifications and attestations) of any cloud service provider. There are also tools for administrators to
support your organization’s efforts. In this part of the document we will cover in more detail the resources
available to help you determine and achieve your own organization requirements.

Trust Center
The Microsoft Trust Center (https://www.microsoft.com/trustcenter) is a centralized resource for obtaining
information on Microsoft’s portfolio of products. This includes information on security, privacy, compliance, and
transparency. While this content may contain some subset of this information for Power Apps, it is important to
always refer to the Microsoft Trust Center for the most up to date authoritative information.
For quick reference, you can find the Trust Center information for the Microsoft Power Platform here:
https://www.microsoft.com/TrustCenter/CloudServices/business-application-platform/default.aspx. This will include
information on Power Apps, Microsoft Power Automate and Power BI.

Data Location
Microsoft operates multiple data centers world-wide that support the Microsoft Power platform applications. When
your organization establishes a tenant, it establishes the default geographical (geo) location. In addition, when
creating environments to support applications and contain Common Data Service data the environments can be
targeted for a specific geo. A current list of the geos for the Microsoft Power Platform can be found here:
https://www.microsoft.com/TrustCenter/CloudServices/business-application-platform/data-location
To support continuity of operations, Microsoft may replicate data to other regions within a geo, but the data will not
move outside the geo to support data resiliency. This supports the ability to fail over or recover more rapidly in the
event of a severe outage. There are some reasonable exceptions to keeping data in the specific geo that are listed
on the above site, primarily focused on legal and support. It’s also important to note that you or your users can take
actions that expose data outside of the geo. Other services can also be configured to access the data and expose it
outside of the geo. By default, authorized users can access the platform and your applications and data from
anywhere in the world where there is connectivity.

Data Protection
Data in transit between user devices and the Microsoft datacenters is secured. Connections established
between customers and Microsoft datacenters are encrypted, and all public endpoints are secured using industry-
standard TLS. TLS effectively establishes a security-enhanced browser to server connection to help ensure data
confidentiality and integrity between desktops and datacenters. API access from the customer endpoint to the
server is also similarly protected. Currently, TLS 1.2 (or higher) is required for accessing the server endpoints.
Data transferred through the on-premises data gateway is also encrypted. Data that users upload is typically sent to
Azure Blob storage, and all metadata and artifacts for the system itself are stored in an Azure SQL database and
Azure Table storage.
All environments of the Common Data Service database use SQL Server Transparent Data Encryption (TDE) to
perform real-time encryption of data when written to disk, also known as encryption at rest.
By default, Microsoft stores and manages the database encryption keys for your environments so you don’t have
to. The manage keys feature in the Power Platform admin center gives administrators the ability to self-manage the
database encryption keys that are associated with environments of Dynamics 365 (online). You can read more
about managing your own keys here, but generally it is recommended to have Microsoft manage the keys unless you
have a specific business need to maintain your own.

Resources to manage GDPR Compliance


The European Union General Data Protection Regulation (GDPR) is one of the newest privacy regulations enacted
that gives rights to people to manage their personal data. In this section we will look at some of the tools and
resources available for the Microsoft Power Platform to assist administrators in their efforts to comply with GDPR.
Some of these resources and tools may also be helpful to assist you in other data privacy related tasks not directly
related to GDPR. A complete discussion of GDPR is beyond the scope of this content, however in this section we will
focus on the tools and resources to support your efforts. Additionally, Microsoft has a section on the trust center
dedicated to GDPR resources and information that can be helpful. You can find that here:
https://www.microsoft.com/TrustCenter/Privacy/gdpr/default.aspx
First, let’s review some of GDPR’s terminology that matters in this context:

| Term | Relevance |
| --- | --- |
| Data Subject | GDPR identifies people as data subjects. It is their personal data that might have been collected by your organization either in the employment of the person or some interaction collecting their personal data |
| Data Controller | Organizations that collect and process data for their own purposes |
| Data Processor | Organizations that process data on behalf of others |
| Personal Data | Any information relating to an identified or identifiable natural person. |

As an administrator one of the key activities in support of GDPR will be related to Data Subject Rights (DSR)
requests. These are formal requests from a Data Subject to a Data Controller (likely your organization) to act on
their personal data in your systems. GDPR gives rights to Data Subjects to obtain copies, request corrections,
restrict processing of the data, delete the data and to receive copies in an electronic format so it could be moved to
another Data Controller.
The following links point to detailed information to help you respond to DSR requests depending on the features
your organization is using.

| Platform feature area | Link to detailed response steps |
| --- | --- |
| Power Apps | Responding to Data Subject Rights (DSR) requests to export Power Apps customer data |
| Common Data Service | Responding to Data Subject Rights (DSR) requests for Common Data Service customer data |
| Power Automate | https://docs.microsoft.com/flow/gdpr-dsr-summary |
| Microsoft Accounts (MSAs) | https://docs.microsoft.com/flow/gdpr-dsr-summary-msa |
| Customer engagement apps | https://docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-dynamics365 |

Microsoft 365 Security and Compliance Center


You may also find Microsoft Compliance Manager helpful to manage your compliance efforts across Microsoft
cloud services in a single place. More details about Compliance Manager can be found here:
https://aka.ms/compliancemanager

Power Automate Audit Log Events


In the compliance center Audit Log Search, administrators can now search and view Power Automate events. Events
include Created flow, Edited flow, Deleted flow, Edited Permissions, Deleted Permissions, Started a paid trial, and
Renewed a paid trial. Using the portal, you can choose what you want to search for and a time window.

When you drill down into an item in the query results, you get a details page. The most useful information comes from
selecting More Information and drilling down into the full detail page.

Audit data is retained for 90 days. You can do CSV exports of the data, allowing you to move it into Excel or
Power BI for further analysis. You can find a complete walkthrough of using the audit information here:
https://flow.microsoft.com/blog/security-and-compliance-center/
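
Because the audit data ages out after 90 days, an exported file is often the only lasting record of who changed or removed a flow. The following added example (not from the original documentation) triages exported rows for the permission and deletion events listed above and shows which records are close to the retention limit; the sample rows are constructed, the column names CreationDate, UserIds and Operations are an assumed export layout, and Get-FlowAuditTriage and the 14-day warning window are hypothetical.

```powershell
# Added example. Sample rows are constructed; column names are an assumed export layout.
$sampleExport = @'
CreationDate,UserIds,Operations
2020-07-20T09:12:00Z,alex@contoso.example,Created flow
2020-07-22T16:40:00Z,alex@contoso.example,Edited Permissions
2020-09-30T14:03:00Z,alex@contoso.example,Edited Permissions
2020-10-01T07:45:00Z,sam@contoso.example,Deleted flow
2020-10-01T07:46:00Z,sam@contoso.example,Deleted Permissions
2020-10-10T11:30:00Z,jordan@contoso.example,Edited flow
'@

function Get-FlowAuditTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][object[]]$Record,
        [Parameter(Mandatory = $true)][datetimeoffset]$AsOf,
        [int]$RetentionDays = 90,   # retention period stated in the text above
        [int]$WarnDays = 14         # assumed lead time for archiving an export
    )

    # Events that change who can use a flow, or that remove it entirely.
    $accessChanging = @('Edited Permissions', 'Deleted Permissions', 'Deleted flow')

    foreach ($row in $Record) {
        # Parse with an explicit offset so the result does not depend on the local time zone.
        $when = [datetimeoffset]::Parse($row.CreationDate, [cultureinfo]::InvariantCulture)
        $daysLeft = [int][math]::Floor(($when.AddDays($RetentionDays) - $AsOf).TotalDays)

        [pscustomobject]@{
            When         = $when
            User         = $row.UserIds
            Operation    = $row.Operations
            AccessChange = $accessChanging -contains $row.Operations
            DaysLeft     = $daysLeft
            ArchiveSoon  = $daysLeft -le $WarnDays
        }
    }
}

$rows   = @($sampleExport | ConvertFrom-Csv)
$asOf   = [datetimeoffset]::Parse('2020-10-16T00:00:00Z', [cultureinfo]::InvariantCulture)
$triage = Get-FlowAuditTriage -Record $rows -AsOf $asOf

# Access-changing events per user, most active first.
$triage | Where-Object { $_.AccessChange } |
    Group-Object User |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Records that will leave the audit log within the warning window.
$triage | Where-Object { $_.ArchiveSoon } |
    Sort-Object DaysLeft |
    Format-Table When, User, Operation, DaysLeft -AutoSize
```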
Responding to DSR requests for system-generated logs in Power Apps, Power Automate, and Common Data Service
10/16/2020 • 6 minutes to read

Microsoft gives you the ability to access, export, and delete system-generated logs that may be deemed personal
under the European Union (EU) General Data Protection Regulation (GDPR) broad definition of personal data.
Examples of system-generated logs that may be deemed personal under GDPR include:
Product and service usage data, such as user activity logs
User search requests and query data
Data generated by product and services as a product of system functionality and interaction by users or other
systems
Note that the ability to restrict or rectify data in system-generated logs is not supported. Data in system-generated
logs constitutes factual actions conducted within the Microsoft cloud, and diagnostic data—including modifications
to such data—would compromise the historical record of actions and increase fraud and security risks.

Prerequisites
This article focuses on responding to DSR requests for system-generated logs in managed and unmanaged
tenants. To determine whether or not you belong to a managed or unmanaged tenant, please see the Determining
Tenant Type section below.

Accessing and exporting system-generated logs for Managed Tenants


Administrators can access system-generated logs associated with a user's use of Power Apps, Power Automate, and
Common Data Service services and applications.
To access and export system-generated logs, do the following:
1. Go to the Microsoft Service Trust Portal and sign in using Global admin credentials.
2. From the Privacy drop-down list at the top of the page, select Data Subject Request.
3. On the Data Subject Request page, under System Generated Logs, select Data Log Export. The Data
Log Export page displays and shows a list of export data requests submitted by your organization.
4. To create a new request for a user, click Create Export Data Request.
After you create a new request, the request is listed on the Data Log Export page, where you can track its
status. After a request is complete, you can click a link to access the system-generated logs, which will be
exported to your organization's Azure storage location within 30 days of creating the request. The data will
be saved in common, machine-readable file formats such as XML, CSV, or JSON. If you don't have an Azure
account and Azure storage location, you'll need to create an Azure account and/or Azure storage location for
your organization so that the Data Log Export tool can export the system-generated logs. For more
information, see Introduction to Azure Storage.
The following table summarizes accessing and exporting system-generated logs for managed tenants:
| Question | Answer |
| --- | --- |
| How long does the Microsoft Data Log Export tool take to complete a request? | This depends on several factors. In most cases it should complete in one or two days, but it can take up to 30 days. |
| What format will the output be in? | The output will be in the form of structured, machine-readable files such as XML, CSV, or JSON. |
| Who has access to the Data Log Export tool to submit access requests for system-generated logs? | Global admin will have access to the GDPR Log Manager tool. |
| What data does the Data Log Export tool return? | The Data Log Export tool returns system-generated logs that Microsoft stores. Exported data spans across various Microsoft services including Microsoft 365, Azure, Dynamics, Power Apps, Power Automate, and Common Data Service. |
| How is data returned to the user? | Data will be exported to your organization's Azure storage location; it will be up to administrators in your organization to determine how they will show/return this data to users. |
| What will data in system-generated logs look like? | Example of a system-generated log record in JSON format: |

[{
"DateTime": "2017-04-28T12:09:29-07:00",
"AppName": "SharePoint",
"Action": "OpenFile",
"IP": "154.192.13.131",
"DevicePlatform": "Windows 1.0.1607"
}]

NOTE
For security and audit purposes, some features do not allow you to export or delete system-generated logs in order to
maintain the integrity of personal information.

Deleting system-generated logs for Managed Tenants


To delete system-generated logs retrieved through an access request, you must remove the user from the service
and permanently delete his or her Azure Active Directory account. For instructions on how to permanently delete a
user, see the Deleting a user section in the Azure Data Subject Request GDPR documentation that can be found
on the Microsoft 365 Service Trust Portal. It's important to note that permanently deleting a user account is
irreversible once initiated.
Permanently deleting a user account removes the user's data from system-generated logs for Power Apps, Power
Automate, and Common Data Service services within 30 days.

Accessing and exporting system-generated logs for Unmanaged Tenants

Users can access system-generated logs associated with their use of Power Apps, Power Automate, and Common
Data Service services and applications.
To access and export system-generated logs, do the following:
1. Go to the Work and School Privacy portal.
2. On the My data requests page, a user can request a data export by clicking the New export request
button.
3. Upon clicking this button, you will be asked to confirm your request. Click Yes to continue.
4. New export requests may take up to 1 month to complete. During this time, you will see a status of Running.
5. Once complete, the Date Completed column will be populated and a link to your system-generated logs will
be provided.
6. Click on this link to download your data. You can use a text editor to view this data.
7. Also note that the expiry date for this content is shown in the Expiry Date column. You have up until
this time to retrieve your system-generated logs.
The following table summarizes accessing and exporting system-generated logs for unmanaged tenants:

| Question | Answer |
| --- | --- |
| How long does the Microsoft Data Log Export tool take to complete a request? | This depends on several factors. In most cases it should complete in one or two days, but it can take up to 30 days. |
| What format will the output be in? | The output will be in the form of structured, machine-readable files such as XML, CSV, or JSON. |
| Who has access to the Data Log Export tool to submit access requests for system-generated logs? | Users who are a member of an unmanaged tenant have access to submit requests. |
| What data does the Data Export tool return? | The Data Export tool returns system-generated logs that Microsoft stores. Exported data spans across various Microsoft services including Microsoft 365, Azure, Dynamics, Power Apps, Power Automate, and Common Data Service. |
| How is data returned to the user? | Data will be exported to a Microsoft website where a link will be securely provided to the user who made the DSR request. |
| What will data in system-generated logs look like? | Example of a system-generated log record in JSON format: |

[{
"DateTime": "2017-04-28T12:09:29-07:00",
"AppName": "SharePoint",
"Action": "OpenFile",
"IP": "154.192.13.131",
"DevicePlatform": "Windows 1.0.1607"
}]

NOTE
For security and audit purposes, some features do not allow you to export or delete system-generated logs in order to
maintain the integrity of personal information.

Deleting system-generated logs for Unmanaged Tenants


To delete system-generated logs retrieved through an access request, you must close your account, which will
delete your system-generated logs and remove your data in Power Apps, Power Automate, and Common Data
Service services within 30 days.
To delete system-generated logs, do the following:
1. Go to the Work and School Privacy portal.
2. On the My data requests page, a user can request the deletion of their data by clicking on the Close account
button.
3. Upon clicking this button, you will be asked to confirm your request. Click Yes to continue.
4. Once the account has been closed, you will not have access to Power Apps, Power Automate, and Common Data
Service.

Determining Tenant Type


To determine whether or not you are a user of a managed or unmanaged tenant, perform the following actions:
1. Open the following URL in a browser, making sure to replace the email address in the URL with your own:
https://login.microsoftonline.com/common/userrealm/name@contoso.com?api-version=2.1
2. If you are a member of an unmanaged tenant, you will see "IsViral": true in the response.

{
...
"Login": "name@unmanagedcontoso.com",
"DomainName": "unmanagedcontoso.com",
"IsViral": true,
...
}

3. Otherwise, you belong to a managed tenant.
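
The same check can be scripted. The following is an added example, not part of the original article: it applies the "IsViral" rule above to a userrealm response, and the function names Resolve-TenantType and Get-TenantType and the sample responses are assumptions made for illustration.

```powershell
# Added example: applies the page's rule ("IsViral": true means unmanaged) to a userrealm response.
function Resolve-TenantType {              # hypothetical helper name
    param([Parameter(Mandatory)] $Realm)   # parsed JSON object from the userrealm endpoint
    # A managed tenant's response may omit IsViral entirely, so test for the property first.
    $isViral = $Realm.PSObject.Properties['IsViral']
    if ($null -ne $isViral -and $isViral.Value -eq $true) { 'Unmanaged' } else { 'Managed' }
}

function Get-TenantType {                  # hypothetical helper name; performs the live lookup
    param([Parameter(Mandatory)] [string] $EmailAddress)
    # Reject anything that could alter the URL path or query before it is interpolated.
    if ($EmailAddress -notmatch '^[^@\s/?#&]+@[^@\s/?#&]+$') {
        throw "Not a plain user@domain address: $EmailAddress"
    }
    $uri   = "https://login.microsoftonline.com/common/userrealm/${EmailAddress}?api-version=2.1"
    $realm = Invoke-RestMethod -Uri $uri -Method Get
    New-Object psobject -Property ([ordered]@{
        Login      = $EmailAddress
        DomainName = $realm.DomainName
        TenantType = Resolve-TenantType -Realm $realm
    })
}

# Constructed sample responses (not captured from the service), so the rule can be checked offline.
$unmanaged = '{"Login":"name@unmanagedcontoso.com","DomainName":"unmanagedcontoso.com","IsViral":true}' |
    ConvertFrom-Json
$managed   = '{"Login":"name@contoso.com","DomainName":"contoso.com"}' | ConvertFrom-Json

Resolve-TenantType -Realm $unmanaged
Resolve-TenantType -Realm $managed
```

Get-TenantType makes the network request shown in step 1; the two calls at the end run entirely on the constructed samples.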


Responding to Data Subject Rights (DSR) requests for Data Integration for Common Data Service customer data
10/16/2020 • 2 minutes to read

Introduction to DSR requests


The European Union (EU) General Data Protection Regulation (GDPR) gives rights to people (known in the
regulation as data subjects) to manage the personal data that's been collected by an employer or other type of
agency or organization (known as the data controller or just controller). Personal data is defined very broadly under
the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects the
right to do the following, as it pertains to their personal data:
Obtain copies
Request corrections
Restrict processing
Delete it
Receive it in electronic format so it can be moved to another controller
A formal request by a data subject to a controller to take an action on his or her personal data is called a Data
Subject Rights (DSR) request.
This article describes how Microsoft is preparing for the GDPR, and also provides examples of steps you can take to
support GDPR compliance when using Data Integration for Admins via the administrator portal in Common Data
Service. You'll learn how to use Microsoft products, services, and administrative tools to help controller customers
find, access, and act on personal data in the Microsoft cloud in response to DSR requests.
Searching for and identifying personal data
Data Integration for Admins in Common Data Service allows any user of the integrator application to view their
data by using the data integration tab at:
https://admin.powerapps.com/dataintegration
The data stored for the user is shown in the portal. All projects are visible on the projects tab:
All connection sets are visible on the connection sets tab:

All Templates are visible on the Templates tab:


Securing and controlling access to personal information
In the Data Integration for Admins in Common Data Service, data stored by the data integration application can
only be accessed through the administrator portal.

Deleting personal data


In Data Integration for Admins in Common Data Service user-authored data, projects, and connection sets can be
deleted by the user the data is associated with. To delete their personal data, users can log on to the administrator
portal: https://admin.powerapps.com
Users can delete projects by navigating to the projects tab and clicking on the ellipses next to the project, and then
selecting the delete option:

Users can delete templates by navigating to the templates tab and clicking the ellipses next to the template, and
then selecting the delete option:
Users can delete connection sets by navigating to the connection sets tab and clicking on the ellipses next to the
connection set, and then selecting the delete option:

Exporting personal data


In Data Integration for Admins in Common Data Service, user-authored data can be exported by the user the data is
associated with. To export their personal data, users can log on to the administrator portal:
https://admin.powerapps.com
To export projects or projects with execution history, users can navigate to the projects tab and click the ellipses
next to the project, and then select the desired export option:
To export templates, users can navigate to the templates tab and click on the ellipses next to the template, and then
select the export option:

To export connection sets, users can navigate to the connection set tab and click on the ellipses next to the
connection set, and then select the export option:
Responding to Data Subject Rights (DSR) requests for Power Apps customer data
10/16/2020 • 7 minutes to read

Introduction to DSR Requests


The European Union (EU) General Data Protection Regulation (GDPR) gives rights to people (known in the
regulation as data subjects) to manage the personal data that's been collected by an employer or other type of
agency or organization (known as the data controller or just controller). Personal data is defined very broadly under
the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects the
right to do the following, as it pertains to their personal data:
Obtain copies
Request corrections
Restrict processing
Delete it
Receive it in electronic format so it can be moved to another controller
A formal request by a data subject to a controller to take an action on his or her personal data is called a Data
Subject Rights (DSR) request.
This article describes how Microsoft is preparing for the GDPR, and also provides examples of steps you can take to
support GDPR compliance when using Power Apps, Power Automate, and Common Data Service. You'll learn how
to use Microsoft products, services, and administrative tools to help controller customers find, access, and act on
personal data in the Microsoft cloud in response to DSR requests.
The following actions are covered in this article:
Discover — Use search and discovery tools to more easily find customer data that may be the subject of a
DSR request. Once potentially responsive documents are collected, you can perform one or more of the
following DSR actions to respond to the request. Alternatively, you may determine that the request doesn't
meet your organization's guidelines for responding to DSR requests.
Access — Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of that
data available to the data subject.
Rectify — Make changes or implement other requested actions on the personal data, where applicable.
Restrict — Restrict the processing of personal data, either by removing licenses for various online services
or turning off the desired services where possible. You can also remove data from the Microsoft cloud and
retain it on-premises or at another location.
Delete — Permanently remove personal data that resides in the Microsoft cloud.
Export — Provide an electronic copy (in a machine-readable format) of personal data to the data subject.

Discover
The first step in responding to a DSR request is to find the personal data that is the subject of the request. This first
step—finding and reviewing the personal data at issue—will help you determine whether a DSR request meets
your organization's requirements for honoring or declining a DSR request. For example, after finding and reviewing
the personal data at issue, you may determine the request doesn't meet your organization's requirements because
doing so may adversely affect the rights and freedoms of others.
Step 1: Find personal data for the user in Power Apps
Below is a summary of the types of Power Apps resources that contain personal data for a specific user.

| Resources containing personal data | Purpose |
| --- | --- |
| Environment | An environment is a space to store, manage, and share your organization's business data, apps, and flows. |
| Environment permissions | Users are assigned environment roles to grant them maker and administrative privileges within an environment. |
| Canvas app | Cross-platform business apps that can be built from the power of a blank canvas and connected to over 200 data sources. |
| Canvas-app permissions | Canvas apps can be shared with users within an organization. |
| Connection | Used by connectors to allow for connectivity to APIs, systems, databases, etc. |
| Connection permissions | Certain types of connections can be shared with users within an organization. |
| Custom connector | Custom connectors that a user has created to provide access to a data source not offered through one of the Power Apps standard connectors. |
| Custom-connector permissions | Custom connectors can be shared with users within an organization. |
| Power Apps user and user-app settings | Power Apps stores several user preferences and settings that are used to deliver the Power Apps runtime and portal experiences. |
| Power Apps notifications | Power Apps sends several types of notifications to users, including when an app is shared with them and when a Common Data Service export operation has completed. |
| Gateway | Gateways are on-premises data gateways that can be installed by a user to transfer data quickly and securely between Power Apps and a data source that isn't in the cloud. |
| Gateway permissions | Gateways can be shared with users within an organization. |
| Model-driven apps and model-driven app permissions | Model-driven app design is a component-focused approach to app development. Model-driven apps and their user access permissions are stored as data within the Common Data Service database. |

Power Apps offers the following experiences to find personal data for a specific user:
Website access: Power Apps site and Microsoft 365 Service Trust Portal
PowerShell access: Power Apps cmdlets (for app creators and administrators) and On-premises gateway
cmdlets
For detailed steps on how you can use these experiences to find personal data for a specific user for each of these
types of resources, see Responding to Data Subject Rights (DSR) requests to export Power Apps customer data.
After you find the data, you can then perform the specific action to satisfy the request by the data subject.
Step 2: Find personal data for the user in Power Automate
Power Apps licenses always include Power Automate capabilities. In addition to being included in Power Apps
licenses, Power Automate is also available as a standalone service.
For guidance on how to discover personal data stored by the Power Automate service, see Responding to GDPR
Data Subject Requests for Power Automate.

IMPORTANT
It is recommended that admins complete this step for a Power Apps user.

Step 3: Find personal data for the user in environments of Common Data Service
Certain Power Apps licenses, including the Power Apps Community Plan, give the ability for users within your
organization to create environments of Common Data Service and to create and build apps on Common Data
Service. The Power Apps Community Plan is a free license that allows users to try out Common Data Service in an
individual environment. See the Power Apps Pricing page for which capabilities are included in each Power Apps
license.
For guidance on how to discover personal data stored by Common Data Service, see Responding to Data Subject
Rights (DSR) requests for customer data in Common Data Service.

IMPORTANT
It is recommended that admins complete this step for a Power Apps user.

Rectify
If a data subject asks you to rectify the personal data that resides in your organization's data, you and your
organization must determine whether it's appropriate to honor the request. Rectifying data may include editing,
redacting, or removing personal data from a document or other type of item.
You can use Azure Active Directory to manage the identities (personal data) of your users within Power Apps.
Enterprise customers can manage DSR rectify requests by using the limited editing features within a given
Microsoft service. As a data processor, Microsoft does not offer the ability to correct system-generated logs,
because they reflect factual activities and constitute a historical record of events within Microsoft services. See
GDPR: Data Subject Requests (DSRs) for details.

Restrict
Data subjects may request that you restrict processing of their personal data. We provide both pre-existing
application programming interfaces (APIs) and user interfaces (UIs). These experiences provide the enterprise
customer's Power Platform admin the capability to manage such DSRs through a combination of data export and
data deletion. A customer may request:
Export an electronic copy of the personal data of the user, including:
account(s)
system-generated logs
associated logs
Delete the account and associated data residing within Microsoft systems.

Export
The "right of data portability" allows a data subject to request a copy of his or her personal data in an electronic
format (that's a "structured, commonly used, machine-readable and interoperable format") that may be
transmitted to another data controller.
See Responding to Data Subject Rights (DSR) requests to export Power Apps customer data for details.

Delete
The "right to erasure" by the removal of personal data from an organization's customer data is a key protection in
the GDPR. Removing personal data includes system-generated logs but not audit-log information.
Power Apps allows users to build line-of-business applications that are a critical part of your organization's day-to-
day operations. When a user leaves your organization, you will need to manually review and determine whether to
delete certain data and resources that they have created. Other customer data will be automatically deleted
whenever the user's account is deleted from Azure Active Directory.
See Responding to Data Subject Rights (DSR) requests to delete Power Apps customer data for details.
Responding to Data Subject Rights (DSR) requests to export Power Apps customer data
10/16/2020 • 11 minutes to read

The "right of data portability" allows a data subject to request a copy of his or her personal data in an electronic
format (that is, a structured, commonly used, machine readable and interoperable format) that may be transmitted
to another data controller:
Website access: Power Apps portal, Power Apps Admin center, and Microsoft 365 Service Trust Portal
PowerShell access: Power Apps App creator cmdlets, Admin cmdlets and On-premises gateway cmdlets
Below is a summary of the types of personal data that Power Apps can store for a specific user and which
experiences you can use to find and export it.

| Resources containing personal data | Website access | PowerShell access |
| --- | --- | --- |
| Environment | Power Apps Admin center | Power Apps cmdlets |
| Environment permissions** | Power Apps Admin center | Power Apps cmdlets |
| Canvas App | Power Apps Admin center, Power Apps Portal | Power Apps cmdlets |
| Canvas App permissions | Power Apps Admin center, Power Apps Portal | Power Apps cmdlets |
| Gateway | Power Apps Portal*** | On-premises gateway cmdlets |
| Gateway permissions | Power Apps Portal*** | |
| Custom connector | | App creator: Available; Admin: Available |
| Custom connector permissions | | App creator: Available; Admin: Available |
| Connection | | App creator: Available; Admin: Available |
| Connection permissions | | App creator: Available; Admin: Available |
| Power Apps user settings, user-app settings, and notifications | | App creator: Available; Admin: Available |

** With the introduction of Common Data Service, if a database is created within the environment,
environment permissions and model-driven app permissions are stored as records within the Common Data
Service database environment. For guidance on how to respond to DSR requests for users that use Common
Data Service, see Responding to Data Subject Rights (DSR) requests for Common Data Service customer data.
*** An administrator can access these resources from the Power Apps portal only if the owner of the resource
has explicitly granted him or her access. If the administrator has not been granted access, he or she will need
to use the Power Apps Admin PowerShell cmdlets.

Prerequisites
For users
Any user with a valid Power Apps license can perform the user operations outlined in this document using the
Power Apps portal or App creator cmdlets.
For admins
To perform the administration operations outlined in this document using the Power Apps Admin center, Power
Automate Admin Center, or Power Apps Admin PowerShell cmdlets, you'll need the following:
A paid Power Apps plan or a Power Apps trial. You can sign up for a 30-day trial at
https://make.powerapps.com/trial. Trial licenses can be renewed if they've expired.
Microsoft 365 Global admin or Azure Active Directory Global Administrator permissions if you need to
search through another user's resources. (Note that Environment Admins only have access to those
environments and environment resources for which they have permissions.)

Step 1: Export personal data contained within environments created by the user

Power Apps Admin center
Administrators can export all environments created by a specific user from the Power Apps Admin center by
following these steps:
1. From the Power Apps Admin center, select each environment in your organization.

2. If the environment was created by the user from the DSR request, go to the Details page, copy the details,
and then paste them into a document editor, such as Microsoft Word.
PowerShell cmdlets for app creators
Users can export the environments they have access to in Power Apps by using the
Get-PowerAppsEnvironment function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-PowerAppsEnvironment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all of the environments that have been created by a user by using the
Get-AdminEnvironment function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "7557f390-5f70-4c93-8bc4-8c2faabd2ca0"
Get-AdminEnvironment -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 2: Export the user's environment permissions


Users can be assigned permissions (such as Environment Admin, Environment Maker, etc.) in an environment,
which are stored in Power Apps as a role assignment. With the introduction of Common Data Service, if a database
is created within the environment, the role assignments are stored as records within the Common Data Service
database environment. For more information, see Administer environments within Power Apps.
For environments without a Common Data Service database
Power Apps Admin center
Administrators can export a user's environment permissions from the Power Apps Admin center by following
these steps:
1. From the Power Apps Admin center, select each environment in your organization. You must be a
Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to review all
environments created within your organization.
2. Select Security.
If your environment does not have a Common Data Service database, you'll see a section for Environment
Roles.
3. Select both Environment Admin and Environment Maker separately, and then using the search bar,
search for the user's name.

4. If the user has access to either role, go to the Users page, copy the details, and then paste them into a
document editor, such as Microsoft Word.
PowerShell cmdlets for admins
Administrators can export all environment role assignments for a user across all environments without a Common
Data Service database by using the Get-AdminEnvironmentRoleAssignment function in the Power Apps
Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminEnvironmentRoleAssignment -UserId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

IMPORTANT
This function only works for environments that do not have a Common Data Service database environment.

For environments with a Common Data Service database


With the introduction of the Common Data Service, if a database is created within the environment, role
assignments are stored as records within the Common Data Service database environment. For information on
how to remove personal data from a Common Data Service database environment, see Common Data Service
User personal data removal.  

Step 3: Export personal data contained within canvas apps created by the user

Power Apps portal
A user can export an app from the Power Apps portal. For step-by-step instructions on how to export a canvas
app, see Exporting a canvas app.
Power Apps Admin center
An administrator can export apps created by a user starting from the Power Apps Admin center by following these
steps:
1. From the Power Apps Admin center, select each environment in your organization. You must be a
Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to review all
environments created within your organization.

2. Select Resources, and then select Apps.


3. Using the search bar, search for the user's name, which brings up any apps that user created within this
environment:
4. Select Share for each of the apps created by that user and give yourself Can edit access to the app:
5. Once you have access to each of the user's apps you can export a canvas app from the Power Apps portal.
For step-by-step instructions on how to export an app, see Exporting a canvas app.
PowerShell cmdlets for admins
Administrators can export apps created by a user by using the Get-AdminApp function in the Power Apps Admin
PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminApp -Owner $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 4: Export the user's permissions to canvas apps


Whenever an app is shared with a user, Power Apps stores a record called a role assignment that describes the
user's permissions (CanEdit or CanUser) to the application. For more information, see Share an app.
PowerShell cmdlets for app creators
Users can export the app role assignments for all apps that they have access to by using the
Get-AppRoleAssignment function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-AppRoleAssignment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Power Apps Admin center


Administrators can export app role assignments for a user from the Power Apps Admin center by following these
steps:
1. From the Power Apps Admin center, select each environment in your organization. You must be a
Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to review all
environments created within your organization.
2. For each environment, select Resources, and then select Apps.
3. Select Share for each of the apps in the environment.

4. If the user has access to the app, go to the app's Share page, copy the details, and then paste them into a
document editor, such as Microsoft Word.
PowerShell cmdlets for admins
Administrators can export all app role assignments for a user across all apps in their tenant by using the
Get-AdminAppRoleAssignment function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminAppRoleAssignment -UserId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 5: Export personal data contained within connections created by the user

Connections are used in conjunction with connectors when establishing connectivity with other APIs and SaaS
systems. Connections include references to the user who created them and, as a result, can be deleted to remove
any references to the user.
PowerShell cmdlets for app creators
Users can export all of the connections they have access to by using the Get-Connection function in the Power
Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-Connection | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all connections created by the user using the Get-AdminConnection function in the
Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnection -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"


Step 6: Export the user's permissions to shared connections
PowerShell cmdlets for app creators
Users can export the connection role assignments for all connections that they have access to by using the
Get-ConnectionRoleAssignment function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-ConnectionRoleAssignment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all connection role assignments for a user using the
Get-AdminConnectionRoleAssignment function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnectionRoleAssignment -PrincipalObjectId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 7: Export personal data contained within custom connectors created by the user
Custom Connectors supplement the existing out-of-box connectors and allow for connectivity to other APIs, SaaS,
and custom-developed systems.
Power Apps App creator PowerShell cmdlets
Users can export all custom connectors they've created by using the Get-Connector function in the Power Apps
App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-Connector -FilterNonCustomConnectors | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all custom connectors created by a user using the Get-AdminConnector function in
the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnector -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 8: Export the user's permissions to custom connectors


PowerShell cmdlets for app creators
Users can export all connector role assignments for the custom connectors to which they have access by using the
Get-ConnectorRoleAssignment function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-ConnectorRoleAssignment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all custom connector role assignments for a user using the
Get-AdminConnectorRoleAssignment function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnectorRoleAssignment -PrincipalObjectId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 9: Export Power Apps Notifications, User Settings, and User-App Settings
Power Apps sends several types of notifications to users, including when an app is shared with them and when a
Common Data Service export operation has completed. A user's notification history is visible to them within the
Power Apps portal.
Power Apps also stores several different user preferences and settings that are used to deliver the Power Apps
runtime and portal experiences, including when a user last opened an application, pinned an app, etc.
PowerShell cmdlets for app creators
Users can export their own Power Apps notifications, user settings, and user-app settings using the
Get-AdminPowerAppsUserDetails function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-AdminPowerAppsUserDetails -WriteToFile -OutputFilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export the Power Apps notifications, user settings, and user-app settings for a user using the
Get-AdminPowerAppsUserDetails function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminPowerAppsUserDetails -WriteToFile -OutputFilePath "UserDetails.json" -UserPrincipalName name@microsoft.com
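
Every snippet in Steps 4 through 9 writes to the same UserDetails.json, so running them one after another overwrites the earlier exports. The following added example (not part of the original article) runs the admin exports from those steps into one file per resource type and records a SHA-256 hash for each; the function name, file names, and output folder are assumptions, and it expects Add-PowerAppsAccount to have been run already.

```powershell
# Added example, not from the original article. Assumes the Power Apps Admin
# PowerShell module is installed and the caller has tenant admin permissions.
function Export-PowerAppsDsrData {
    [CmdletBinding()]
    param(
        # Azure AD object ID of the data subject
        [Parameter(Mandatory)] [string] $UserId,
        # Sign-in name of the same user, required by Get-AdminPowerAppsUserDetails
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Hypothetical default; choose a folder that only DSR handlers can read
        [string] $OutputDirectory = (Join-Path $PWD.Path "dsr-export-$UserId")
    )

    New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null

    # One entry per admin export in Steps 4-8, using the cmdlets and
    # parameters exactly as the article shows them.
    $collectors = [ordered]@{
        'app-role-assignments'        = { Get-AdminAppRoleAssignment -UserId $UserId }
        'connections'                 = { Get-AdminConnection -CreatedBy $UserId }
        'connection-role-assignments' = { Get-AdminConnectionRoleAssignment -PrincipalObjectId $UserId }
        'custom-connectors'           = { Get-AdminConnector -CreatedBy $UserId }
        'connector-role-assignments'  = { Get-AdminConnectorRoleAssignment -PrincipalObjectId $UserId }
    }

    $manifest = foreach ($name in $collectors.Keys) {
        $path = Join-Path $OutputDirectory "$name.json"
        try {
            $items = @(& $collectors[$name])
            # ConvertTo-Json serializes only 2 levels by default and turns deeper
            # objects into type-name strings, silently dropping nested properties.
            ConvertTo-Json -InputObject $items -Depth 20 |
                Out-File -FilePath $path -Encoding utf8
            [pscustomobject]@{
                Export = $name
                Items  = $items.Count
                File   = $path
                Sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
                Error  = $null
            }
        }
        catch {
            [pscustomobject]@{
                Export = $name; Items = 0; File = $null; Sha256 = $null
                Error  = $_.Exception.Message
            }
        }
    }
    $manifest = @($manifest)

    # Step 9 writes its own file, so it gets a distinct path as well.
    $detailsPath = Join-Path $OutputDirectory 'user-details.json'
    try {
        $null = Get-AdminPowerAppsUserDetails -WriteToFile -OutputFilePath $detailsPath `
            -UserPrincipalName $UserPrincipalName
        if (Test-Path -Path $detailsPath) {
            $manifest += [pscustomobject]@{
                Export = 'user-details'; Items = $null; File = $detailsPath
                Sha256 = (Get-FileHash -Path $detailsPath -Algorithm SHA256).Hash
                Error  = $null
            }
        }
    }
    catch {
        $manifest += [pscustomobject]@{
            Export = 'user-details'; Items = 0; File = $null; Sha256 = $null
            Error  = $_.Exception.Message
        }
    }

    # The manifest shows which exports succeeded and lets the recipient verify
    # that the files were not altered after collection.
    $manifest | Export-Csv -Path (Join-Path $OutputDirectory 'manifest.csv') -NoTypeInformation
    $manifest
}

# Usage, with the sample values used elsewhere in this article:
#   Add-PowerAppsAccount
#   Export-PowerAppsDsrData -UserId "0ecb1fcc-6782-4e46-a4c4-738c1d3accea" `
#       -UserPrincipalName "name@microsoft.com"
```

The exported files contain personal data, so treat the output folder with the same access restrictions as the DSR case file.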

Step 10: Export personal data contained for a user-stored gateway or in the user's gateway permissions
Power Apps Portal
Users can export the personal data stored within the gateway service from the Power Apps portal by following
these steps:
1. From the Power Apps portal, within the default environment for your tenant, select Gateways , and then
select Details for each gateway to which you have access.
2. On the Details page, if the gateway details contain any personal data, copy the details, and then paste them
into a document editor, such as Microsoft Word.

3. Select Share , copy the contents of the page, and then paste it into a document editor, such as Microsoft
Word.
Gateway PowerShell cmdlets
There are also PowerShell cmdlets that allow you to retrieve, manage, and delete your personal gateways. For
more information, see On-premises gateway cmdlets.
Administrators
See What is an on-premises data gateway? for guidance around managing gateways for your organization.

Step 11: Export the user's personal data in Power Automate


Power Apps licenses always include Power Automate capabilities. In addition to being included in Power Apps
licenses, Power Automate is also available as a standalone service. For guidance on how to respond to DSR
requests for users that use the Power Automate service, see Responding to GDPR Data Subject Requests for Power
Automate.

IMPORTANT
We recommend that administrators complete this step for Power Apps users.

Step 12: Export the user's personal data in Common Data Service environments
Anyone with a Power Apps license, provided there is 1GB available database capacity, can create Common Data
Service environments and create and build apps on Common Data Service; this includes the Power Apps
Community Plan, which is a free license that allows users to try out Common Data Service in an individual
environment. To see which Common Data Service capabilities are included in each Power Apps license, see the
Power Apps Pricing page.
For guidance on how to respond to DSR requests for users that use Common Data Service, see Responding to
Data Subject Rights (DSR) requests for Common Data Service customer data.

IMPORTANT
We recommend that administrators complete this step for Power Apps users.
Responding to Data Subject Rights (DSR) requests to delete Power Apps customer data
10/16/2020 • 14 minutes to read

The "right to erasure" by the removal of personal data from an organization's customer data is a key protection in
the European Union (EU) General Data Protection Regulation (GDPR). Removing personal data includes removing
system-generated logs but not audit log information.
Power Apps allows users to build line-of-business applications that are a critical part of your organization's day-to-
day operations. When a user leaves your organization, you'll need to manually review and determine whether to
delete certain data and resources that the user created. Other personal data will be automatically deleted whenever
the user's account is deleted from Azure Active Directory.
Here is the breakdown between which personal data will be automatically deleted and which data will require your
manual review and deletion:

| Requires manual review and deletion | Automatically deleted when the user is deleted from Azure Active Directory |
|---|---|
| Environment** | Gateway |
| Environment permissions*** | Gateway permissions |
| Canvas app** | Power Apps notifications |
| Canvas-app permissions | Power Apps user settings |
| Connection** | Power Apps user-app settings |
| Connection permissions | |
| Custom connector** | |
| Custom-connector permissions | |

** Each of these resources contains "Created By" and "Modified By" records that include personal data. For security
reasons, these records will be retained until the resource is deleted.
*** For environments that include a Common Data Service database, environment permissions (that is, which users
are assigned to the Environment Maker and Admin roles) are stored as records in that database. For guidance on
how to respond to DSRs for users of Common Data Service, see Responding to Data Subject Rights (DSR) requests
for Common Data Service customer data.
For the data and resources that require manual review, Power Apps offers the following experiences to reassign (if
necessary) or delete personal data for a specific user:
Website access: Power Apps site, Power Apps Admin center, and Microsoft 365 Service Trust Portal
PowerShell access: Power Apps cmdlets for app creators and administrators and cmdlets for on-premises
gateways.
Here is the breakdown of which experiences are available to delete each type of resource that can contain personal
data:

| Resources containing personal data | Website access | PowerShell access |
|---|---|---|
| Environment | Power Apps Admin center | Power Apps cmdlets |
| Environment permissions** | Power Apps Admin center | Power Apps cmdlets |
| Canvas app | Power Apps Admin center; Power Apps | Power Apps cmdlets |
| Canvas-app permissions | Power Apps Admin center | Power Apps cmdlets |
| Connection | | App creator: Available; Admin: Available |
| Connection permissions | | App creator: Available; Admin: Available |
| Custom connector | | App creator: Available; Admin: Available |
| Custom-connector permissions | | App creator: Available; Admin: Available |

** With the introduction of Common Data Service, if a database is created within the environment, environment
permissions and model-driven app permissions are stored as records within the environment of that database. For
guidance on how to respond to DSRs for users of Common Data Service, see Responding to Data Subject Rights
(DSR) requests for Common Data Service customer data.

Prerequisites
For users
Any user with a valid Power Apps license can perform the user operations outlined in this document using the
Power Apps or PowerShell cmdlets for app creators.
Unmanaged tenant
If you are a member of an unmanaged tenant, meaning that your Azure AD tenant does not have a global
administrator, you can still follow the steps outlined in this article to remove your own personal data.
However, because there is no global administrator for your tenant, you will need to follow the instructions outlined in
Step 11: Delete the user from Azure Active Directory below to delete your own account from the tenant.
In order to determine if you are a member of an unmanaged tenant please follow these steps:
1. Open the following URL in a browser, making sure to replace your email address in the URL:
https://login.microsoftonline.com/common/userrealm/name@contoso.com?api-version=2.1
2. If you are a member of an unmanaged tenant then you will see an "IsViral": true in the response.
{
...
"Login": "name@unmanagedcontoso.com",
"DomainName": "unmanagedcontoso.com",
"IsViral": true,
...
}

3. Otherwise, you belong to a managed tenant.
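
The same check can be scripted. This added example (not part of the original article) queries the endpoint from step 1 for your own address and reads the "IsViral" field, treating a missing field as a managed tenant; the function name and the optional -RealmResponse parameter are assumptions, and the sample response is constructed from the one shown above.

```powershell
# Added example, not from the original article.
function Test-UnmanagedTenant {
    [CmdletBinding()]
    param(
        # Your own sign-in address
        [Parameter(Mandatory)] [string] $EmailAddress,
        # Optional already-parsed response, so the logic can be exercised offline
        [psobject] $RealmResponse
    )

    if ($null -eq $RealmResponse) {
        # Same URL as in step 1. The format operator is used because "?" is a
        # valid variable-name character in newer PowerShell versions, so
        # "$address?api-version" inside a string would not expand as intended.
        $address = [uri]::EscapeDataString($EmailAddress)
        $uri = 'https://login.microsoftonline.com/common/userrealm/{0}?api-version=2.1' -f $address
        $RealmResponse = Invoke-RestMethod -Uri $uri -Method Get
    }

    # "IsViral" may be absent from the response; only an explicit true value
    # marks the tenant as unmanaged (step 2), anything else is managed (step 3).
    $property  = $RealmResponse.PSObject.Properties['IsViral']
    $unmanaged = ($null -ne $property) -and ($property.Value -eq $true)

    [pscustomobject]@{
        Login      = $RealmResponse.Login
        DomainName = $RealmResponse.DomainName
        Unmanaged  = $unmanaged
    }
}

# Constructed sample input mirroring the response shown in step 2
$sample = @'
{ "Login": "name@unmanagedcontoso.com", "DomainName": "unmanagedcontoso.com", "IsViral": true }
'@ | ConvertFrom-Json

Test-UnmanagedTenant -EmailAddress 'name@unmanagedcontoso.com' -RealmResponse $sample
```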


For administrators
To perform the administrative operations outlined in this document using the Power Apps Admin center, Power
Automate admin center, or PowerShell cmdlets for Power Apps administrators, you'll need the following:
A paid Power Apps plan or a Power Apps plan trial. You can sign up for a 30-day trial at
https://make.powerapps.com/trial. Trial licenses can be renewed if they've expired.
Microsoft 365 Global admin or Azure Active Directory Global Administrator permissions if you need to
search through another user's resources. (Note that Environment Admins only have access to those
environments and environment resources for which they have permissions.)

Step 1: Delete or reassign all environments created by the user


As an administrator, you have two decisions to make when processing a DSR delete request for each environment
that the user created:
1. If you determine that the environment is not being used by anyone else in your organization, you can
choose to delete the environment.
2. If you determine that the environment is still required, you can choose not to delete the environment and
add yourself (or another user in your organization) as an Environment Admin.

IMPORTANT
Deleting an environment will permanently delete all resources within the environment, including all apps, flows, connections,
etc. So please review the contents of an environment before deletion.

Give access to a user's environments from the Power Apps Admin center
An admin can grant administrative access to an environment created by a specific user from the Power Apps
Admin center by following these steps:
1. From the Power Apps Admin center, select each environment in your organization.
2. If the environment was created by the user from the DSR request, select Security , and proceed with the
steps outlined in Administer environments to give admin privileges to yourself or another user in your
organization.

Delete environments created by a user from the Power Apps Admin center
An admin can review and delete environments created by a specific user from the Power Apps Admin center by
following these steps:
1. From the Power Apps Admin center, select each environment in your organization.
2. If the environment was created by the user from the DSR request, select Delete and then proceed with the
steps to delete the environment:

Give access to a user's environments using PowerShell


An administrator can assign themselves (or another user within their organization) access to all environments
created by a user by using the Set-AdminEnvironmentRoleAssignment function in the PowerShell cmdlets for
Power Apps administrators:
Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
$myUserId = $global:currentSession.UserId

#Assign yourself as an admin to each environment created by the user
Get-AdminEnvironment -CreatedBy $deleteDsrUserId | Set-AdminEnvironmentRoleAssignment -RoleName EnvironmentAdmin -PrincipalType User -PrincipalObjectId $myUserId

#Retrieve the environment role assignments to confirm


Get-AdminEnvironment -CreatedBy $deleteDsrUserId | Get-AdminEnvironmentRoleAssignment

IMPORTANT
This function works only in environments that do not have a Common Data Service database.

Delete environments created by a user using PowerShell


An administrator can delete all environments created by a user by using the Remove-AdminEnvironment
function in the PowerShell cmdlets for Power Apps administrators:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

# Retrieve all environments created by the user and then delete them
Get-AdminEnvironment -CreatedBy $deleteDsrUserId | Remove-AdminEnvironment
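
The pipeline above deletes every environment the user created, together with everything inside each one, in a single pass. One way to review first, as an added example that is not part of the original article: list each environment with how many of its apps and connections belong to other people, then delete only the environments you have approved. The function names are hypothetical, and the example assumes the -EnvironmentName parameter of Get-AdminApp and Get-AdminConnection and the EnvironmentName and DisplayName output properties.

```powershell
# Added example, not from the original article. Run Add-PowerAppsAccount first.
function Get-DsrEnvironmentInventory {
    [CmdletBinding()]
    param(
        # Azure AD object ID of the user named in the DSR request
        [Parameter(Mandatory)] [string] $UserId
    )

    # Resources that belong to the user, fetched once with the article's own calls
    $userApps        = @(Get-AdminApp -Owner $UserId)
    $userConnections = @(Get-AdminConnection -CreatedBy $UserId)

    foreach ($environment in @(Get-AdminEnvironment -CreatedBy $UserId)) {
        $name = $environment.EnvironmentName   # assumed property name

        # Everything in the environment, regardless of who owns it
        $allApps        = @(Get-AdminApp -EnvironmentName $name)
        $allConnections = @(Get-AdminConnection -EnvironmentName $name)

        $ownApps        = @($userApps        | Where-Object { $_.EnvironmentName -eq $name })
        $ownConnections = @($userConnections | Where-Object { $_.EnvironmentName -eq $name })

        [pscustomobject]@{
            EnvironmentName     = $name
            DisplayName         = $environment.DisplayName
            Apps                = $allApps.Count
            AppsOfOtherUsers    = $allApps.Count - $ownApps.Count
            Connections         = $allConnections.Count
            ConnectionsOfOthers = $allConnections.Count - $ownConnections.Count
        }
    }
}

function Remove-DsrApprovedEnvironment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserId,
        # EnvironmentName values a reviewer has explicitly approved for deletion
        [Parameter(Mandatory)] [string[]] $ApprovedEnvironmentName
    )

    # Same pipeline as the article, restricted to environments that were both
    # created by the user and approved by the reviewer.
    Get-AdminEnvironment -CreatedBy $UserId |
        Where-Object { $ApprovedEnvironmentName -contains $_.EnvironmentName } |
        Remove-AdminEnvironment
}

# Usage:
#   Add-PowerAppsAccount
#   $userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
#   Get-DsrEnvironmentInventory -UserId $userId |
#       Export-Csv -Path "environment-review.csv" -NoTypeInformation
#   # After review, pass only the approved names (placeholder shown):
#   Remove-DsrApprovedEnvironment -UserId $userId -ApprovedEnvironmentName "<approved-environment-name>"
```

An environment with a non-zero AppsOfOtherUsers or ConnectionsOfOthers count is a candidate for reassignment to a new Environment Admin rather than deletion.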

Step 2: Delete the user's permissions to all other environments


Users can be assigned permissions (such as Environment Admin and Environment Maker) in an environment,
which are stored in the Power Apps service as a "role assignment." With the introduction of Common Data Service,
if a database is created within the environment, these "role assignments" are stored as records within the
environment of that database. For more information, see Administer environments.
For environments without a Common Data Service database
Power Apps Admin center
An administrator can delete a user's environment permissions starting from the Power Apps Admin center by
following these steps:
1. From the Power Apps Admin center, select each environment in your organization.
You must be a Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to
review all environments that have been created within your organization.
2. Select Security .
If your environment does not have a Common Data Service database, you will see a section for
Environment Roles.
3. Within Environment Roles , select both Environment Admin and Environment Maker separately and,
using the search bar, search for the user's name.

4. If the user has access to either role, from within the Users screen, remove their permission, and select Save .
PowerShell
An administrator can delete all environment role assignments for a user across all environments without a
Common Data Service database by using the Remove-AdminEnvironmentRoleAssignment function in the
PowerShell cmdlets for Power Apps administrators:
Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#find all environment role assignments for the user in environments without a Common Data Service database and delete them
Get-AdminEnvironmentRoleAssignment -UserId $deleteDsrUserId | Remove-AdminEnvironmentRoleAssignment

IMPORTANT
This function works only for environments that do not have a Common Data Service database.

For environments WITH a Common Data Service database


With the introduction of the Common Data Service, if a database is created within the environment, these "role
assignments" are stored as records within the environment of that database. Please refer to the following
documentation on how to remove personal data from an environment that has a Common Data Service database:
Common Data Service User personal data removal

Step 3: Delete or reassign all canvas apps owned by a user


Reassign a user's canvas apps using the Power Apps Admin PowerShell cmdlets
If an admin decides not to delete a user's canvas apps, they can reassign the apps owned by a user by using the
Set-AdminAppOwner function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
$newAppOwnerUserId = "72c272b8-14c3-4f7a-95f7-a76f65c9ccd8"

#find all apps owned by the DSR user and assigns them a new owner
Get-AdminApp -Owner $deleteDsrUserId | Set-AdminAppOwner -AppOwner $newAppOwnerUserId

Delete a user's canvas app using the Power Apps site


A user can delete an app from the Power Apps site. For the full steps on how to delete an app, please see deleting
an app.
Delete a user's canvas app using the Power Apps Admin center
An admin can delete apps created by a user starting from the Power Apps Admin center by following these steps:
1. From the Power Apps Admin center, select each environment in your organization.
You must be a Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to
review all environments that have been created within your organization.
2. Select Resources > Apps .
3. Using the search bar, search for the user's name, which will bring up any apps that have been created by that
user within this environment:

4. Select Details for each of the apps owned by the user:


5. Select Delete to delete each app:
Delete a user's canvas app using the Power Apps Admin PowerShell cmdlets
If an admin decides to delete all canvas apps owned by a user, they can do so using the Remove-AdminApp
function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#find all apps owned by the DSR user and deletes them
Get-AdminApp -Owner $deleteDsrUserId | Remove-AdminApp

Step 4: Delete the user's permissions to canvas apps


Whenever an app is shared with a user, Power Apps stores a record called a "role assignment" that describes the
user's permissions (CanEdit or CanUse) to the application. For more information, see the Share an app article.

NOTE
An app's role assignments will be deleted when the app is deleted.

NOTE
The app owner's role assignment can only be deleted by assigning a new owner for the app.

Power Apps Admin center


An admin can delete app-role assignments for a user starting from the Power Apps Admin center by following
these steps:
1. From the Power Apps Admin center, select each environment in your organization.
You must be a Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to
review all environments that have been created within your organization.
2. For each environment select Resources > Apps .
3. Select Share for each of the apps in the environment:

4. If the user has access to the app, from within the app's Share screen, remove their permission and select
Save .
PowerShell cmdlets for admins
An admin can delete all of a user's canvas-app role assignments by using the
Remove-AdminAppRoleAssignment function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#find all app role assignments for the DSR user and deletes them
Get-AdminAppRoleAssignment -UserId $deleteDsrUserId | Remove-AdminAppRoleAssignment

Step 5: Delete connections created by a user


Connections are used in conjunction with connectors when establishing connectivity with other APIs and SaaS
systems. Connections do include references to the user who created them and, as a result, can be deleted to
remove any references to the user.
PowerShell cmdlets for app creators
A user can delete all of their connections by using the Remove-Connection function in the PowerShell cmdlets for
app creators:

Add-PowerAppsAccount

#Retrieves all connections for the calling user and deletes them
Get-Connection | Remove-Connection

PowerShell cmdlets for Power Apps administrators


An admin can delete all of a user's connections by using the Remove-AdminConnection function in the Power
Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Retrieves all connections for the DSR user and deletes them
Get-AdminConnection -CreatedBy $deleteDsrUserId | Remove-AdminConnection
Step 6: Delete the user's permissions to shared connections
PowerShell cmdlets for app creators
A user can delete all of their connection role assignments for shared connections by using the
Remove-ConnectionRoleAssignment function in the PowerShell cmdlets for app creators:

Add-PowerAppsAccount

#Retrieves all connection role assignments for the calling users and deletes them
Get-ConnectionRoleAssignment | Remove-ConnectionRoleAssignment

NOTE
Owner role assignments cannot be deleted without deleting the connection resource.

PowerShell cmdlets for admins


An admin can delete all of a user's connection role assignments by using the
Remove-AdminConnectionRoleAssignment function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Retrieves all connection role assignments for the DSR user and deletes them
Get-AdminConnectionRoleAssignment -PrincipalObjectId $deleteDsrUserId | Remove-AdminConnectionRoleAssignment

Step 7: Delete custom connectors created by the user


Custom Connectors supplement the existing out of box connectors and allow for connectivity to other APIs, SaaS
and custom-developed systems. You may want to transfer Custom Connector ownership to other users in the
organization or delete the Custom Connector.
PowerShell cmdlets for app creators
A user can delete all of their custom connectors by using the Remove-Connector function in the PowerShell
cmdlets for app creators:

Add-PowerAppsAccount

#Retrieves all custom connectors for the calling user and deletes them
Get-Connector -FilterNonCustomConnectors | Remove-Connector

PowerShell cmdlets for admins


An admin can delete all custom connectors created by a user using the Remove-AdminConnector function in the
Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Retrieves all custom connectors created by the DSR user and deletes them
Get-AdminConnector -CreatedBy $deleteDsrUserId | Remove-AdminConnector

Step 8: Delete the user's permissions to shared custom connectors


PowerShell cmdlets for app creators
A user can delete all of their connector role assignments for shared custom connectors with the
Remove-ConnectorRoleAssignment function in the PowerShell cmdlets for app creators:

Add-PowerAppsAccount

#Retrieves all connector role assignments for the calling users and deletes them
Get-ConnectorRoleAssignment | Remove-ConnectorRoleAssignment

NOTE
Owner role assignments cannot be deleted without deleting the connection resource.

PowerShell cmdlets for admins


An admin can delete all custom connector role assignments for a user using the
Remove-AdminConnectorRoleAssignment function in the Power Apps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Retrieves all custom connector role assignments for the DSR user and deletes them
Get-AdminConnectorRoleAssignment -PrincipalObjectId $deleteDsrUserId | Remove-AdminConnectorRoleAssignment

Step 9: Delete the user's personal data in Power Automate


Power Apps licenses always include Power Automate capabilities. In addition to being included in Power Apps
licenses, Power Automate is also available as a standalone service. For guidance on how to respond to DSRs for
users who use the Power Automate service, see Responding to GDPR Data Subject Requests for Power Automate.

IMPORTANT
It is recommended that admins complete this step for a Power Apps user.

Step 10: Delete the user's personal data in environments of Common Data Service
Certain Power Apps licenses, including the Power Apps Community Plan, give the ability for users within your
organization to create environments of Common Data Service and to create and build apps on Common Data
Service. The Power Apps Community Plan is a free license that allows users to try out Common Data Service in an
individual environment. See the Power Apps pricing page for which capabilities are included in each Power Apps
license.
For guidance on how to respond to DSRs for users who use Common Data Service, see Responding to Data
Subject Rights (DSR) requests for Common Data Service customer data.

IMPORTANT
It is recommended that admins complete this step for a Power Apps user.

Step 11: Delete the user from Azure Active Directory


Once the above steps have been completed, the final step is to delete the user's account from Azure Active Directory.
Managed tenant
As an admin of a managed Azure AD tenant you can delete the user's account by following the steps outlined in the
Azure Data Subject Request GDPR documentation that can be found on the Microsoft 365 Service Trust Portal.
Unmanaged tenant
If you are a member of an unmanaged tenant then you will need to follow these steps in order to delete your
account from your Azure AD tenant:

NOTE
Please see the Unmanaged tenant section above to see how to detect if you are a member of an unmanaged or managed
tenant.

1. Sign in with your Azure AD account.


2. Select Close account and follow the instructions to delete your account from your Azure AD tenant.
Responding to Data Subject Rights (DSR) requests for Common Data Service customer data
10/16/2020 • 16 minutes to read

Introduction to DSR requests


The European Union (EU) General Data Protection Regulation (GDPR) gives rights to people (known in the
regulation as data subjects) to manage the personal data that's been collected by an employer or other type of
agency or organization (known as the data controller or just controller). Personal data is defined very broadly
under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data
subjects the right to do the following, as it pertains to their personal data:
Obtain copies
Request corrections
Restrict processing
Delete it
Receive it in electronic format so it can be moved to another controller
A formal request by a data subject to a controller to take an action on his or her personal data is called a Data
Subject Rights (DSR) request.
This article describes how Microsoft is preparing for the GDPR, and also provides examples of steps you can take
to support GDPR compliance when using Power Apps, Power Automate, and Common Data Service. You'll learn
how to use Microsoft products, services, and administrative tools to help controller customers find, access, and
act on personal data in the Microsoft cloud in response to DSR requests.
The following actions are covered in this article:
Discover — Use search and discovery tools to more easily find customer data that may be the subject of a
DSR request. Once potentially responsive documents are collected, you can perform one or more of the
following DSR actions to respond to the request. Alternatively, you may determine that the request doesn't
meet your organization's guidelines for responding to DSR requests.
Access — Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of that
data available to the data subject.
Rectify — Make changes or implement other requested actions on the personal data, where applicable.
Restrict — Restrict the processing of personal data, either by removing licenses for various online
services or turning off the desired services where possible. You can also remove data from the Microsoft
cloud and retain it on-premises or at another location.
Delete — Permanently remove personal data that resides in the Microsoft cloud.
Export — Provide an electronic copy (in a machine-readable format) of personal data to the data subject.

Common Data Service customer data


IMPORTANT
Applies to both Common Data Service and the previous version of Common Data Service.
Common Data Service and the previous version of Common Data Service have separate processes for interacting
with personal data.
You can identify which type of Common Data Service environment you have by logging into Power Apps and
following these steps:
1. In the Environment drop-down list, select your environment.
2. In the navigation pane, select Data , and then select Entities .
Your environment is Common Data Service if you see the following entities listed:

Your environment is the previous version of Common Data Service if you see the following entities listed:

After you determine which type of Common Data Service environment you have, follow the steps in the following
sections to identify personal data.

NOTE
You may have some environments in Common Data Service and others in the previous version of Common Data Service,
so you'll need to repeat the processes outlined below for each environment in your organization.
User personal data in Common Data Service
Prerequisites
You must create users in the Microsoft 365 admin center and assign them an appropriate user license and
security role before they can access and use Common Data Service.
Standard user personal data (for example, UserName, UserID, Phone, Email, and Address) is kept and maintained
in the Microsoft 365 admin center. System administrators can update this personal data only in the Microsoft 365
admin center, and the data is then automatically synced to the Common Data Service system User entity in all
environments. System administrators can also create custom attributes to capture additional user personal data
within the Common Data Service system User entity, and then manually maintain and manage these attributes.
To avoid interruption to business applications that may be critical to your organization's operations, a user's
records are not automatically removed from the Common Data Service system User entity when that user is
deleted from within the Microsoft 365 admin center. The user's status is set to Disabled in Common Data Service,
but a Common Data Service System Administrator must locate and remove the user's personal data from
Common Data Service within the application.
Only Global admin and Common Data Service System Administrators can perform the discover, rectify, export,
and delete actions listed below.
Discover
System Administrators can create multiple Common Data Service environments. These environments can be
used for trial, development, or production purposes. Each of these environments has a copy of the system User
entity with any custom attributes that may have been added by the system administrator, as well as the user
personal data synced from the Microsoft 365 admin center.
System administrators can find a list of all the Common Data Service environments by navigating to the Power
Platform admin center.
You can find personal data from Common Data Service users within the following resources:

| Resource | Purpose | Website access | Programmatic access |
|---|---|---|---|
| Entity record | Known as the system User entity, it stores a user's personal data. | Power Platform admin center | Through the Web API |
| Audit history | Allows customers to identify resources that users created, accessed, changed, or deleted at an entity level. | Power Platform admin center | Through the Web API |

User
User personal data is stored in the Azure Active Directory and is automatically synced to all Common Data
Service environments. System administrators cannot update this personal data directly in Common Data Service
while the user is active—they must update the data from within the Microsoft 365 admin center. System
administrators can add personal data (for example, custom attributes) directly to Common Data Service, but they
must manually manage this data.
To find a user and his or her personal data, go to the Power Platform admin center and do the following:
1. Select Environments, and then select an environment from the list.
2. Select Open environment.
3. Go to Settings > Security > Users.
4. Enter the name of the user in the Search box, and then select Search.
5. To view the user's personal data, double-click or double-tap the user's name.

Audit history
When audit tracking is enabled for an entity in Common Data Service, a user's personal data is logged in the
audit history along with the actions that the user performs.
Rectify
If a data subject asks you to rectify the personal data that resides in your organization's data, you and your
organization must determine whether it's appropriate to honor the request. Rectifying data may include editing,
redacting, or removing personal data from a document or other type of item.
You can use Azure Active Directory to manage the identities (personal data) of your users within Common Data
Service. Enterprise customers can manage DSR rectify requests by using the limited editing features within a
given Microsoft service. As a data processor, Microsoft does not offer the ability to correct system-generated logs,
because they reflect factual activities and constitute a historical record of events within Microsoft services. See
GDPR: Data Subject Requests (DSRs) for details.
Once a user record is deleted from Azure Active Directory, System Administrators can then remove any
remaining personal data related to that user (such as custom attributes) from all the environments.
Export
System user
You can export a user's personal data stored in the system User entity to Excel from the user list within the
administration center.
From the Power Platform admin center, do the following:
1. Select Environments, and then select an environment from the list.
2. Select Open environment.
3. Go to Settings > Security, and then select Enabled Users View.
4. Select Export to Excel.
Audit history
You can take screenshots of the audit history from within the administration center.
From the Power Platform admin center, do the following:
1. Select Environments, and then select an environment from the list.
2. Select Open environment.
3. Go to Settings > Audit and logs, and then select Audit Summary View.
4. Locate the user audit record, and then press Alt+PrtScn to take the screenshot.
5. Save the screenshot to a file, which you can then send to the DSR requestor.
Delete
User
To avoid interruption to business applications that may be critical to your organization's operations, a user's
records are not automatically removed from the Common Data Service system User entity when that user is
deleted from within the Microsoft 365 admin center. The user's status is set to Disabled in Common Data Service,
but a Common Data Service System Administrator must locate and remove the user's personal data from
Common Data Service within the application.
Remove a user's personal data from the user's Summary page
When a user record is deleted from the Azure Active Directory, the following message is displayed on the user's
Summary page:
This user's information is no longer managed by Office 365. You can update this record to respond to DSR
requests by removing or replacing all personal data associated with this user.
From the Power Platform admin center, do the following:
1. Select Environments, and then select an environment from the list.
2. Select Open environment.
3. Go to Settings > Security > Users, and then select Disabled Users View.
4. Enter the name of the user in the Search box, and then select Search.
5. Double-click the user's name in the search results list.
6. On the user's Summary page, remove all personal data, and then select Save.
Remove a user's personal data by using Excel
From the Power Platform admin center, do the following:
1. Select Environments, and then select an environment from the list.
2. Select Open environment.
3. Go to Settings > Security > Users, and then select Disabled Users View.
4. Create and download an Excel template file from the user's personal data. For step-by-step instructions,
see Create a new Excel template.
5. Open the downloaded Excel template file, remove the user's personal data, and then save the file.
6. Return to the Disabled Users View page and select Import Data.
7. Select the Excel template file in the Upload data file dialog box and make all the necessary changes in
the Map Fields window.
8. Select Next, and then select Submit.
Remove audit history from the Audit Summary View page
From the Power Platform admin center, do the following:
1. Select Environments, and then select an environment from the list.
2. Select Open environment.
3. Go to Settings > Audit and logs, and then select Audit Summary View.
4. Locate the user's change history, select the check box next to the row(s), and then select Delete Change
History.

Personal data stored in databases of Common Data Service


Prerequisites
You may be storing personal data from individuals (such as your own customers) within your Common Data
Service entities.
Common Data Service System Administrators are responsible for maintaining an inventory of where personal
data is being stored within various entities for each individual so that they can locate that data in response to
any DSR requests.
Personal data can then be exported, rectified, or deleted in an entity using the in-product functionality.
Discover
When Common Data Service System Administrators receive a DSR request from an individual, they must identify
which environments/Common Data Service environments contain personal data for that individual. Personal data
is typically stored in key entities (for example, Account, Contact, Lead, Opportunity, etc.), but it's your
responsibility to develop policies and procedures for maintaining an inventory of where you store each
individual's personal data so you're prepared to respond to DSR requests.
Using an inventory, Common Data Service System Administrators can configure the search entities and fields and
then access the Common Data Service environment to discover personal data. For more information, see
Configure Relevance Search.
From the Power Platform admin center, do the following:
1. Select Environments, and then select an environment from the list.
2. Select Open environment.
3. Select Relevance Search.
4. Enter the individual's personal data in the search box, and then select Search.

Rectify
Common Data Service System Administrators can update an individual's personal data by using the list of results
from the Relevance Search. However, an individual's personal data may also be stored in other custom entities.
Common Data Service System Administrators are responsible for maintaining an inventory of these other
custom entities and making the appropriate updates to an individual's personal data.
From the Relevance Search results, do the following:
1. Select an item that contains the individual's personal data.
2. Update the individual's personal data where appropriate, and then select Save.

Export
You can take a screenshot of the data and share it with your DSR requestor.
From the Power Platform admin center, do the following:
1. Select Environments, and then select an environment from the list.
2. Select Open environment.
3. Select Relevance Search.
4. Enter the individual's personal data in the search box, and then select Search.
5. Double-click the item in the search results list.
6. Press Alt+PrtScn to take the screenshot.
7. Save the screenshot to a file, which you can then send to the DSR requestor.
Delete
Common Data Service System Administrators can delete an individual's personal data from records where that
data is stored. The Common Data Service System Administrator can choose to either delete the record where the
personal data is stored, or remove the contents of the personal data from the record.

NOTE
Common Data Service administrators can customize an environment to prevent a record from being deleted from an
entity. If configured in this way, you'll have to remove the contents of the personal data from the record rather than delete
the record itself.

From the Relevance Search results, do the following:
1. Select an item that contains the individual's personal data.
2. In the ribbon, select Delete. (Note that Delete is disabled if the record cannot be deleted.)
Personal data stored in databases of the previous version of Common Data Service
Prerequisites
You may be storing personal data from individuals (such as your own customers) within your Common Data
Service entities.
Common Data Service System Administrators are responsible for maintaining an inventory of where personal
data is being stored within various entities for each individual so that they can locate that data in response to
any DSR requests.
Personal data can then be exported, rectified, or deleted in an entity using the in-product functionality.
Discover
When Common Data Service System Administrators receive a DSR request from an individual, they must
identify which environments/Common Data Service environments contain personal data from that individual.
Personal data is typically stored in key entities (for example, Account, Contact, Lead, Opportunity, etc.), but it's
your responsibility to develop policies and procedures for maintaining an inventory of where you store each
individual's personal data so you're prepared to respond to DSR requests.
You can find personal data from users of the previous version of Common Data Service within the following
resources:

RESOURCE | PURPOSE | WEBSITE ACCESS | PROGRAMMATIC ACCESS
Entity records | Captures business transactions in the respective business entity. | Power Apps | No

Entity records
An individual's personal data can be stored in any business entity.
This version of the Common Data Service contains its own database schema and infrastructure. It has its own
entities, and you manage these entities in Power Apps.
To see a list of your entities, do the following:
1. In the Environment drop-down list, select your environment.
2. In the navigation pane, select Data, and then select Entities.
3. From the list of entities, select an entity (for example, the Account entity), as shown below.
4. Select the Data tab. A list of records for the entity displays.
5. Select Export data.
6. When the export is complete, select Open in Excel, and then select Enable editing.
7. Select the search button, enter the individual's personal data in the search box, and then select Search.
8. Using your inventory list, repeat the above steps for each of the business entities to discover all of the
individual's personal data.
Rectify
If a data subject asks you to rectify the personal data that resides in your organization's data, you and your
organization must determine whether it's appropriate to honor the request. Rectifying data may include editing,
redacting, or removing personal data from a document or other type of item.
You can use Azure Active Directory to manage the identities (personal data) of your users within the previous
version of Common Data Service. Enterprise customers can manage DSR rectify requests by using the limited
editing features within a given Microsoft service. As a data processor, Microsoft does not offer the ability to
correct system-generated logs, because they reflect factual activities and constitute a historical record of events
within Microsoft services. See GDPR: Data Subject Requests (DSRs) for details.
To rectify personal data that resides in the Common Data Service environment, you can export the entity data into
an Excel spreadsheet, update it, and then import the updates back to the database.
Common Data Service System Administrators are responsible for identifying all entities that contain personal
data for an individual and repeating the following steps for each of those entities.
From Power Apps, do the following:
1. In the navigation pane, select Data, and then select Entities.
2. From the list of entities, select an entity (for example, the Account entity), as shown below.
3. Select the Data tab. A list of records for the entity displays.
4. Select Export data.
5. When the export is complete, select Open in Excel, and then select Enable editing.
6. In the menu bar, select File, select Save As, and then select a location in which to save the file.
7. Make the necessary personal data updates and save the spreadsheet.
8. In Power Apps, go back to the Data tab of the entity, and then select Import data.
9. Select Search, and then select and open the Excel spreadsheet that you just updated.
10. Select Import.
Export
You can export personal data from each entity into an Excel spreadsheet and view it.
From Power Apps, do the following:
1. In the navigation pane, select Data, and then select Entities.
2. From the list of entities, select the entity that you want to export and view (for example, the Account entity),
as shown below.
3. Select the Data tab. A list of records for the entity displays.
4. Select Export data.
The export operation runs in the background and you'll be notified when it's complete.
5. To view the exported data, select Open in Excel.
Delete
You can delete personal data that's stored in entities by using the Export/Import data feature.
Common Data Service System Administrators are responsible for identifying all entities that contain personal
data for an individual and repeating the following steps for each of those entities.
From Power Apps, do the following:
1. In the navigation pane, select Data, and then select Entities.
2. From the list of entities, select the entity from which you want to remove personal data (for example, the
Account entity), as shown below.
3. Select the Data tab. A list of records for the entity displays.
4. Select Export data.
5. When the export is complete, select Open in Excel, and then select Enable editing.
6. In the menu bar, select File, select Save As, and then select a location in which to save the file.
7. Delete the rows containing the personal data that you want to remove from the entity and save the
spreadsheet.
8. In Power Apps, go back to the Data tab of the entity, and then select Import data.
9. Select Search, and then select and open the Excel spreadsheet that you just updated.
10. Select Import.
Microsoft Power Apps US Government
10/16/2020

In response to the unique and evolving requirements of the United States public sector, Microsoft has created
Power Apps US Government, which consists of several plans for US government organizations. This section
provides an overview of features that are specific to Power Apps US Government. It is recommended that you read
this supplementary section alongside the Power Apps documentation, which covers information about the general
Power Apps service description. For brevity, this service is commonly referred to as Power Apps Government
Community Cloud (GCC) or Power Apps Government Community Cloud – High (GCC High).
The Power Apps US Government service description is designed to serve as an overlay to the general Power Apps
service description. It defines the unique commitments of this service and the differences from Power Apps
offerings that have been available to our customers since October 2016.

About Power Apps US Government environments and plans


Power Apps US Government plans are monthly subscriptions and can be licensed to an unlimited number of users.
The Power Apps GCC environment provides compliance with federal requirements for cloud services, including
FedRAMP High, DoD DISA IL2, and requirements for criminal justice systems (CJI data types).
In addition to the features and capabilities of Power Apps, organizations that use Power Apps US Government
benefit from the following features unique to Power Apps US Government:
- Your organization's customer content is physically segregated from customer content in Microsoft's commercial
  Power Apps services.
- Your organization's customer content is stored within the United States.
- Access to your organization's customer content is restricted to screened Microsoft personnel.
- Power Apps US Government complies with certifications and accreditations that are required for US public
  sector customers.
Beginning September 2019, eligible customers may choose to deploy Power Apps US Government to the
"GCC High" environment, which enables single sign-on and seamless integration with Microsoft 365 GCC High
deployments. Microsoft has designed the platform and our operational procedures to meet the requirements
aligning with the DISA SRG IL4 compliance framework. We anticipate our US Department of Defense contractor
customer base and other Federal agencies currently leveraging Microsoft 365 GCC High to use the Power Apps US
Government GCC High deployment option, which enables and requires the customer to leverage Azure AD
Government for customer identities, in contrast to GCC which leverages Public Azure AD. For our US Department
of Defense contractor customer base, Microsoft operates the service in a manner that enables these customers to
meet ITAR commitment and DFARS acquisition regulations, as documented and required by their contracts with the
US Department of Defense.

Customer eligibility
Power Apps US Government is available to (1) US federal, state, local, tribal, and territorial government entities and
(2) other entities that handle data that is subject to government regulations and requirements and where use of
Power Apps US Government is appropriate to meet these requirements, subject to validation of eligibility.
Validation of eligibility by Microsoft will include confirmation of handling data subject to International Traffic in
Arms Regulations (ITAR), law enforcement data subject to the FBI's Criminal Justice Information Services (CJIS)
policy, or other government-regulated or controlled data. Validation might require sponsorship by a government
entity with specific requirements for the handling of data.
Entities with questions about eligibility for Power Apps US Government should consult their account team. Upon
renewal of a customer's contract for Power Apps US Government, revalidation of eligibility is required.

Power Apps US Government plans


Access to Power Apps US Government plans is restricted to the following offerings; each plan is offered as a
monthly subscription and can be licensed to an unlimited number of users:
Power Apps per app plan for Government
Power Apps per user plan for Government
In addition to the standalone plans, Power Apps and Power Automate capabilities are also included in certain
Microsoft 365 US Government and Dynamics 365 US Government plans, allowing customers to extend and
customize Microsoft 365 and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, and Dynamics 365 Project Service Automation).
Additional information about the differences in functionality between these groups of licenses is described in more
detail on the Power Apps licensing information page. Power Apps US Government is available through the Volume
Licensing and Cloud Solution Provider purchasing channels. The Cloud Solution Provider program is not currently
available for GCC High customers.

What is customer data and customer content?


Customer data, as defined in the Online Services Terms, means all data, including all text, sound, video, or image
files, and software, that are provided to Microsoft by, or on behalf of, customers through the use of the Online
Service. Customer content refers to a specific subset of customer data that has been directly created by users, such
as content stored in databases through entries in the Common Data Service entities (for example, contact
information). Content is generally considered confidential information and in normal service operation is not sent
over the internet without encryption.
For more information on Power Apps protection of customer data, see the Microsoft Online Services Trust Center.

Data segregation for Government Community Cloud


When provisioned as part of Power Apps US Government, the Power Apps service is offered in accordance with the
National Institute of Standards and Technology (NIST) Special Publication 800-145.
In addition to the logical separation of customer content at the application layer, the Power Apps US Government
service provides your organization with a secondary layer of physical segregation for customer content by using
infrastructure that is separate from the infrastructure used for commercial Power Apps customers. This includes
using Azure services in the Azure Government cloud. To learn more, see Azure Government.

Customer content located within the United States


Power Apps US Government services are provided from datacenters physically located in the United States. Power
Apps US Government customer content is stored at rest in datacenters physically located only in the United States.

Restricted data access by administrators


Access to Power Apps US Government customer content by Microsoft administrators is restricted to personnel who
are US citizens. These personnel undergo background investigations in accordance with relevant government
standards.
Power Apps support and service engineering staff do not have standing access to customer content hosted in
Power Apps US Government. Any staff who request temporary permission elevation which would grant access to
customer content must first have passed the following background checks.

MICROSOFT PERSONNEL SCREENING AND BACKGROUND CHECKS 1 | DESCRIPTION
U.S. Citizenship | Verification of U.S. citizenship
Employment History Check | Verification of seven (7) year employment history
Education Verification | Verification of highest degree attained
Social Security Number (SSN) Search | Verification that the provided SSN is valid
Criminal History Check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions
Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
Fingerprinting Check | Fingerprint background check against FBI databases
CJIS Background Screening | State-adjudicated review of federal and state criminal history by state CSA appointed authority within each state that has signed up for the Microsoft CJIS IA program

1 Applies only to personnel with temporary or standing access to customer content hosted in Power Apps US
Government (GCC).

Certifications and accreditations


Power Apps US Government is designed to support the Federal Risk and Authorization Management Program
(FedRAMP) accreditation at a High Impact level. This implies alignment to DoD DISA IL2. FedRAMP artifacts are
available for review by federal customers who are required to comply with FedRAMP. Federal agencies can review
these artifacts in support of their review to grant an Authority to Operate (ATO).

NOTE
Power Apps has been authorized as a service within the Azure Government FedRAMP ATO. More information, including how
to access the FedRAMP documents, can be found in the FedRAMP Marketplace:
https://marketplace.fedramp.gov/#!/product/azure-government-includes-dynamics-365?sort=productName&productNameSearch=azure%20government

Power Apps US Government has features designed to support customers' CJIS Policy requirements for law
enforcement agencies. Please visit the Power Apps US Government products page in Trust Center for more detailed
information related to certifications and accreditations.
Microsoft has designed the platform and our operational procedures to meet the requirements aligning with the
DISA SRG IL4 compliance framework. We anticipate our US Department of Defense contractor customer base and
other Federal agencies currently leveraging Microsoft 365 GCC High to use the Power Apps US Government GCC
High deployment option, which enables and requires the customer to leverage Azure AD Government for customer
identities, in contrast to GCC which leverages Public Azure AD. For our US Department of Defense contractor
customer base, Microsoft operates the service in a manner that enables these customers to meet ITAR commitment
and DFARS acquisition regulations.

Power Apps US Government and other Microsoft services


Power Apps US Government includes several features that allow users to connect to and integrate with other
Microsoft enterprise service offerings such as Microsoft 365 US Government, Dynamics 365 US Government, and
Microsoft Power Automate US Government. Power Apps US Government is deployed within Microsoft datacenters
in a manner consistent with a multi-tenant, public cloud deployment model; however, client applications (including
but not limited to the web-user client, Power Apps mobile applications, and any third-party client application that
connects to Power Apps US Government) are not part of Power Apps US Government's accreditation boundary, and
government customers are responsible for managing them.
Power Apps US Government leverages the Microsoft 365 customer administrator UI for customer administration
and billing—Power Apps US Government maintains the actual resources, information flow, and data management,
while relying on Microsoft 365 to provide the visual styles that are presented to the customer administrator
through their management console. For purposes of FedRAMP ATO inheritance, Power Apps US Government
leverages Azure (including Azure Government) ATOs for infrastructure and platform services, respectively.
If you adopt the use of Active Directory Federation Services (AD FS) 2.0 and set up policies to help ensure your
users connect to the services through single sign-on, any customer content that is temporarily cached will be
located in the United States.

Power Apps US Government and third-party services


Power Apps US Government provides the ability to integrate third-party applications into the service through
connectors. These third-party applications and services might involve storing, transmitting, and processing your
organization's customer data on third-party systems that are outside of the Power Apps US Government
infrastructure and therefore are not covered by the Power Apps US Government compliance and data protection
commitments.
We recommend that you review the privacy and compliance statements provided by the third parties when
assessing the appropriate use of these services for your organization.

Power Apps US Government and Azure services


The Power Apps US Government services are deployed to Microsoft Azure Government. Azure Active Directory
(Azure AD) is not part of the Power Apps US Government accreditation boundary, but the service relies on a
customer's Azure AD tenant for customer tenant and identity functions, including authentication, federated
authentication, and licensing.
When a user of an organization employing AD FS attempts to access Power Apps US Government, the user is
redirected to a login page hosted on the organization's AD FS server. The user provides his or her credentials to
their organization's AD FS server. The organization's AD FS server attempts to authenticate the credentials using the
organization's Active Directory infrastructure.
If authentication is successful, the organization's AD FS server issues a SAML (Security Assertion Markup
Language) ticket that contains information about the user's identity and group membership.
The customer's AD FS server signs this ticket using one half of an asymmetric key pair and then it sends the ticket
to Azure AD via encrypted Transport Layer Security (TLS). Azure AD validates the signature using the other half of
the asymmetric key pair and then grants access based on the ticket.
The user's identity and group membership information remain encrypted in Azure AD. In other words, only limited
user-identifiable information is stored in Azure AD.
You can find full details of the Azure AD security architecture and control implementation in the Azure SSP. End-
users do not interact directly with Azure AD.

Power Apps US Government service URLs


You use a different set of URLs to access Power Apps US Government environments, as shown in the following
table (the commercial URLs are also shown for contextual reference, in case they are more readily familiar to you).

COMMERCIAL VERSION URL | US GOVERNMENT VERSION URL
https://make.powerapps.com | https://make.gov.powerapps.us (GCC); https://make.high.powerapps.us (GCC High)
https://create.powerapps.com | https://make.gov.powerapps.us (GCC); https://make.high.powerapps.us (GCC High)
https://flow.microsoft.com/connectors | https://gov.flow.microsoft.us/connectors; https://high.flow.microsoft.us/connectors (GCC High)
https://admin.powerplatform.microsoft.com | https://gcc.admin.powerplatform.microsoft.us; https://high.admin.powerplatform.microsoft.us (GCC High)

For those customers that implement network restrictions, please ensure that access to the following domains is made
available to your end-users' access points:
GCC Customers:
*.microsoft.us
*.powerapps.us
*.azure-apihub.us
*.azure.us
*.usgovcloudapi.net
*.microsoftonline.com
*.microsoft.com
*.windows.net
*.azureedge.net
*.azure.net
*.crm9.dynamics.com
*.dynamics365portals.us
Please also refer to the Required IP Ranges to enable access to Common Data Service environments that users and
administrators may create within your tenant:
https://www.microsoft.com/download/confirmation.aspx?id=57063 (Focus on AzureCloud.usgovtexas and
AzureCloud.usgovvirginia)
GCC High Customers:
*.microsoft.us
*.powerapps.us
*.azure-apihub.us
*.azure.us
*.usgovcloudapi.net
*.microsoftonline.us
*.azureedge.net
*.azure.net
*.crm.microsoftdynamics.us
*.high.dynamics365portals.us
Please also refer to the Required IP Ranges to enable access to Common Data Service environments that users and
administrators may create within your tenant:
https://www.microsoft.com/download/confirmation.aspx?id=57063 (Focus on AzureCloud.usgovtexas and
AzureCloud.usgovvirginia)
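The following added example (not Microsoft code) audits a proxy or firewall allow-list against the GCC and GCC High domain lists above, reporting required wildcards that are not covered and entries broader than or outside the list for that cloud. The function names and the sample allow-list are constructed for illustration; wildcard matching is assumed to be label-boundary suffix matching, so `*.powerapps.us` does not match the bare apex or a look-alike such as `evilpowerapps.us`.

```python
# Added example: audit an egress allow-list against the wildcard domains
# this page lists for GCC and GCC High customers.
REQUIRED = {
    "GCC": [
        "*.microsoft.us", "*.powerapps.us", "*.azure-apihub.us", "*.azure.us",
        "*.usgovcloudapi.net", "*.microsoftonline.com", "*.microsoft.com",
        "*.windows.net", "*.azureedge.net", "*.azure.net",
        "*.crm9.dynamics.com", "*.dynamics365portals.us",
    ],
    "GCC High": [
        "*.microsoft.us", "*.powerapps.us", "*.azure-apihub.us", "*.azure.us",
        "*.usgovcloudapi.net", "*.microsoftonline.us", "*.azureedge.net",
        "*.azure.net", "*.crm.microsoftdynamics.us",
        "*.high.dynamics365portals.us",
    ],
}

# Constructed sample: an allow-list someone built for a GCC High tenant.
SAMPLE_GCC_HIGH_ALLOWLIST = [
    "*.microsoft.us", "*.powerapps.us", "*.azure-apihub.us", "*.azure.us",
    "*. usgovcloudapi.net",     # stray space, as copy/paste from a PDF produces
    "*.microsoftonline.com",    # on the GCC list, not the GCC High list
    "*.azureedge.net", "*.azure.net",
    "*.dynamics365portals.us",  # broader than *.high.dynamics365portals.us
]


def normalize(pattern):
    """Remove all whitespace, lower-case, and drop a trailing root dot."""
    return "".join(pattern.split()).lower().rstrip(".")


def covers(rule, target):
    """True if allow-list entry `rule` permits everything `target` names.

    Either argument may be an exact host or a '*.suffix' wildcard. A wildcard
    matches one or more labels in front of the suffix, never the bare suffix.
    """
    rule, target = normalize(rule), normalize(target)
    if not rule.startswith("*."):
        return rule == target              # exact entries match only themselves
    suffix = rule[1:]                      # ".powerapps.us", leading dot kept
    if target.startswith("*."):
        return target[1:].endswith(suffix)
    return target.endswith(suffix) and not target.startswith(".")


def audit(allowlist, cloud):
    """Compare an allow-list with the required domains for 'GCC' or 'GCC High'."""
    required = REQUIRED[cloud]
    entries = [normalize(e) for e in allowlist if e.strip()]
    missing = [r for r in required if not any(covers(e, r) for e in entries)]
    extra = [e for e in entries if not any(covers(r, e) for r in required)]
    return {"missing": missing, "extra": extra}


def host_allowed(host, allowlist):
    """True if some allow-list entry permits this exact host name."""
    return any(covers(entry, host) for entry in allowlist)


if __name__ == "__main__":
    print(audit(SAMPLE_GCC_HIGH_ALLOWLIST, "GCC High"))
```

Entries reported as `extra` are not necessarily wrong, but each one is egress the page does not require for that cloud and is worth a review.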

Regional Discovery Service is deprecated


Effective March 2, 2020, the regional Discovery Service will be deprecated. More information: Regional Discovery
Service is deprecated

Connectivity between Power Apps US Government and public Azure Cloud Services
Azure is distributed among multiple clouds. By default, tenants are allowed to open firewall rules to a cloud-specific
environment, but cross-cloud networking is different and requires opening specific firewall rules to communicate
between services. If you are a Power Apps customer, and you have existing SQL environments in the Azure public
cloud that you need to access, you must open specific firewall rules in SQL to the Azure Government cloud IP
space, for the following datacenters:
USGov Virginia
USGov Texas
Please refer to the Azure IP Ranges and Service Tags – US Government Cloud document, focusing attention on
AzureCloud.usgovtexas and AzureCloud.usgovvirginia. Also note that these are the IP ranges required in order for
your end users to have access to the service URLs.
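As an added example (not part of the original documentation), the script below pulls the prefixes for AzureCloud.usgovtexas and AzureCloud.usgovvirginia out of a service tags file and collapses them into start/end ranges suitable for range-based firewall rules. It assumes the download is JSON with `values[].name` and `values[].properties.addressPrefixes`; the sample document, its prefixes (documentation address space) and the function names are constructed.

```python
import ipaddress
import json

# Constructed sample in the assumed layout of the service tags download.
# Prefixes are documentation ranges, not real Azure Government address space.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "cloud": "AzureGovernment",
  "values": [
    {"name": "AzureCloud.usgovtexas",
     "properties": {"addressPrefixes":
        ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"]}},
    {"name": "AzureCloud.usgovvirginia",
     "properties": {"addressPrefixes":
        ["198.51.100.0/24", "198.51.100.64/26"]}},
    {"name": "AzureCloud.constructed-other-region",
     "properties": {"addressPrefixes": ["203.0.113.0/24"]}}
  ]
}
""")

# The two service tags this page tells you to focus on.
WANTED_TAGS = ("AzureCloud.usgovtexas", "AzureCloud.usgovvirginia")


def prefixes_for(tags_doc, wanted=WANTED_TAGS):
    """Return the networks listed under the wanted service tags.

    strict=True makes a malformed prefix (host bits set) raise instead of
    silently widening or shifting a firewall rule.
    """
    nets = []
    for entry in tags_doc.get("values", []):
        if entry.get("name") in wanted:
            for prefix in entry.get("properties", {}).get("addressPrefixes", []):
                nets.append(ipaddress.ip_network(prefix, strict=True))
    return nets


def firewall_ranges(nets, version=4):
    """Merge adjacent and overlapping prefixes, return (start, end) pairs."""
    same_family = [n for n in nets if n.version == version]
    merged = ipaddress.collapse_addresses(same_family)
    return [(str(n[0]), str(n[-1])) for n in merged]


def in_gov_space(address, nets):
    """True if the address falls inside any of the selected prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets if n.version == ip.version)


if __name__ == "__main__":
    selected = prefixes_for(SAMPLE_SERVICE_TAGS)
    for start, end in firewall_ranges(selected):
        print(f"allow {start} - {end}")
```

Collapsing before writing rules keeps the rule count down and makes a later diff against a refreshed download easier to review.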

Configure mobile clients


Signing in with the Power Apps mobile client requires a few extra configuration steps.
1. On the sign-in page, select the gear icon in the lower-right corner.
2. Select Region settings.
3. Select one of the following:
GCC: US Government GCC
GCC High: US Government GCC High
4. Select OK.
5. On the sign-in page, select Sign in.
The mobile application will now use the US Government Cloud domain.

On-premises data gateway configuration


Install an on-premises data gateway to transfer data quickly and securely between a canvas app that's built in
Power Apps and a data source that isn't in the cloud, such as an on-premises SQL Server database or an on-
premises SharePoint site.
If your organization (tenant) has already configured and successfully connected the on-premises data gateway for
Power BI US Government, then the process and configuration your organization executed to enable that will also
enable on-premises connectivity for Power Apps. However, if you are unable to connect to your tenant, you might
need to go through a process to add your tenant to an approved list, which will enable this capability for your
tenant. Should this occur, please open a support ticket to address your needs. The support team will follow an
established process to address your request.

Power Apps US Government feature limitations


Some of the features available in the commercial version of Power Apps are not available to Power Apps US
Government customers. The Power Apps team is actively working on making the following features available to US
Government customers and will update this article when these features become available:
Embed in Power BI.
Ability to add apps to Teams using the Add to Teams button.
Connectors: The most popular connectors in use in our commercial service (based on usage telemetry) have
been published; if there is a connector available in the commercial offering that you do not see deployed,
please contact support, and we will review your request. Note that third-party connectors will not be added
to GCC High. Features are being investigated with the Digital Loss Prevention (DLP) administration
functionality that will enable Connectors to be added “blocked by default.” Until this is possible, third-party
connectors pose a measurable threat to organizations relying on the GCC High environment to maintain
requisite data exfiltration controls.
AI Builder.

Requesting support
Having a problem with your service? You can create a support request to get the issue resolved.
More information: Contact Technical Support
See also
Microsoft Power Automate US Government
UI Flows
Dynamics 365 US Government
Datacenter regions
10/16/2020 • 2 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), are being hosted in datacenters
in more and more regions. After customer engagement apps become available in a new region, the following
apply:
For new organizations, the datacenter will be aligned with the country/region you selected during sign-up.
For existing organizations, Microsoft will soon accommodate migrations to datacenters in the new region
when requested by the customer as long as the organization meets certain business requirements.
The following table lists the newest datacenter regions. Check out the interactive data map: Where is my data?

| Datacenter regions | Service area | Information |
|---|---|---|
| Canada | Canada | About Microsoft Cloud Canada |
| Germany | Germany | About Microsoft Cloud Germany |
| India | India | About Microsoft Cloud India |
| Japan | Japan | About Microsoft Cloud Japan |
| Oceania | Australia, New Zealand, Fiji | About Microsoft Cloud Australia |
| US GCC/United States | United States | Dynamics 365 US Government |
| US GCC High/United States | | |

Migration process
This is the overall process for migrating to a new datacenter.

Depending on the type of transition, you may be required to go through more steps.
See also
Geo to geo migrations
Products by region
About the Microsoft Cloud Australia datacenter
10/16/2020 • 13 minutes to read

If you’re an existing Power Apps customer with a billing address mapping to a new data center region, review the
information in this topic to understand the move process.

Australia GEO expansion announcement


What is Microsoft announcing?
The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), are currently available in 130
markets and 44 languages enabling us to sell side-by-side with Microsoft 365 in the majority of the markets
worldwide. With the inclusion of datacenters in Japan (recently announced) and Australia, both targeting Q1
CY2015, our global customers will be served by 17 datacenters covering 6 global regions around the world.
This marks an important step for customers and partners on our cloud journey to serve our customers in Australia,
New Zealand, and Oceania (Australia GEO). By bringing customer engagement apps to the local region, we’ll be
able to serve our customers more effectively and with better performance while also ensuring compliance with
local requirements.
What prompted Microsoft to undertake this geographic expansion?
In order to better serve customer needs for data residency and reduced latency, we continually evaluate where we
should expand availability around the world. We are committed to long-term investment in customer engagement
apps and expansion over time.
This global expansion will enable us to deliver on the promise of increasing sales productivity while allowing our
customers to sell effectively, market smarter, and provide care everywhere to offer amazing experiences to their
customers.
What are the future geographic expansion plans for customer engagement apps?
Geographic expansion of customer engagement apps is a high priority and we’re constantly evaluating market
needs. While we have no additional information or specifics on future plans to announce at this time, we will
update if and when we have something to share.

Datacenter overview
Where are the datacenters located in the Australia Geo?
The Australia Geo will consist of datacenters in the Australia East Region (New South Wales) and the Australia
Southeast Region (Victoria).
What does this announcement mean for customers in the Australia Geo?
Microsoft is committed to meeting the growing demand for reliable and connected devices and services for our
customers around the globe. We have heard loud and clear that our customers in the Australia Geo need locally
delivered services. The growth of customer engagement apps in the Australia Geo means we can better serve the
needs of these customers in three ways:
Most customer data will be kept within Australia, except for Azure Active Directory data*, helping customers
meet data residency requirements.
Customers who deploy applications to the new Australia datacenters enjoy improved performance within
the Australia Geo as network latency is reduced.
Our expansion in the Australia Geo also provides customers with the same level of high availability and
redundancy as with our datacenters in other countries/regions. Customers in Australia, New Zealand, and
Oceania will enjoy the benefit of a financially backed 99.9% service level agreement (SLA) and redundancy
both inside of the primary datacenter where they are deployed as well as to the secondary datacenter in the
Australia geography to help ensure ongoing uptime and protect against a major disaster in a single region.
*The Australia Geo will be considered a separate Geo subject to the same data location commitments we make for
other Geos. For the definition of customer data and details on our data flow maps in Geo, see the Dynamics Trust
Center.
What region will be used for replication of data for the Australia Geo?
Services deployed in the Australia East Region will replicate data to the Australia Southeast Region and vice-versa.
For the Australia East and Southeast Region datacenters, access to provisioning resources in these datacenters is
limited, as described here:
For Web Direct, access to the datacenters is based on the country/region set in your Common Data Service
account.
If the account country/region is Australia, New Zealand or Fiji, Common Data Service resources will
be provisioned in the Australia East and Southeast Region datacenters.
If the account country/region is not Australia, New Zealand, or Fiji, the customer will not be able to
provision services in the Australia East and Southeast Region datacenters. To do so, a customer needs
to try or purchase customer engagement apps (such as Dynamics 365 Sales and Customer Service)
for an organization located in Australia, New Zealand or Fiji. The customer can create another Web
direct account for organizations located in Australia, New Zealand and Fiji, with a billing address in
any of these regions, if they wish to select and deploy services in the Australia East and Southeast
Region datacenters.
For Volume Licensing (VL) customers, access to the datacenters is based on the country/region in which the
volume license agreement was signed.
If the VL agreement was signed in Australia, New Zealand, or Fiji, the customer will be able to use
services in the Australia East and Southeast region datacenters. Accounts added to the VL agreement
will be enabled to use customer engagement apps in the Australia East and Southeast Region
datacenters.
VL customers can also create a secondary deployment in Australia, New Zealand, or Fiji under an
existing VL agreement by either signing an enrollment in Australia, New Zealand, or Fiji or by
applying for a multi-tenant amendment through the local Licensing Specialist.
Web direct and VL customers in Australia will still have the ability to deploy environments in datacenters
outside of Australia – however, you must have a tenant already provisioned in Australia. Under this multi-
tenant/multi-geo scenario, AU GST will still be applied to environments deployed in other regions.
How do I find what country or region my account is under?
1. Sign in to https://admin.microsoft.com.
2. In the upper-right corner of Microsoft 365 admin center, choose your organization.

3. On the Company profile page, your account country/region is listed under Country or region.
Service overview
Will multi-geo environments be available to customers in Australia?
Multi-geo environments will be supported for Australian customers as long as the tenant is first provisioned
in Australia. For customers who aren’t located in Australia but want to provision an environment within the
Australia datacenter, they must first purchase a tenant for an organization located in Australia and then the
tenant will be able to get provisioned in Australia.
Availability of multi-geo environment support will be limited in the initial rollout to a fixed number of
eligible customers upon request, and we will continue to expand over time.
Will the standard SLA be offered at general availability launch?
Yes, on the date of general availability, the standard 99.9% financially backed service level agreement (SLA) will
apply, just as it does in our other regions around the world. Note: the SLA doesn’t cover Microsoft Social
Engagement.
What rules govern New Zealand or Oceania customers who want to license affiliates located in Australia?
A New Zealand and Oceania customer may not place orders under its existing agreement for any affiliate located in
Australia, nor grant any affiliate located in Australia administrative rights to manage subscriptions, if the customer
elects to access and use services delivered from datacenters located in Australia. An affiliate located in Australia
that wants to access and use Online Services delivered from our datacenters located in Australia must enter into its
own subscription under its separate Microsoft Online Services Agreement.
Will Microsoft Dynamics Marketing, Social Engagement, and Parature be available in the Australia datacenters?
These services will be available for purchase in the local market but will be delivered outside of the Australia
Datacenters at this time. Note: customer engagement apps leverage Azure Active Directory and Multi-Factor
Authentication, which don’t offer a region choice to customers.
Will customer engagement apps be available on Azure Infrastructure as a Service (IaaS) in Australia?
At this time, customer engagement apps are only available for Dev/Test scenarios and aren’t supported for
production use cases. Developers can leverage their MSDN subscription and Azure credits for dev/test scenarios.
Note: we recently announced intent to support customer engagement apps on Azure IaaS but we’re dependent on
Azure Premium Storage availability in each geography. Azure’s Limited Public Preview will only be available in the
U.S. and part of Europe.
Where can I find more about security, data privacy, and compliance?
The Microsoft Dynamics 365 Trust Center will be updated as needed when the Australia Datacenters launch into
general availability.
What app data will be in Australia datacenters at general availability?
We’ll store all customer data, including backups, within the Australia Datacenter. For any Microsoft 365 services
that are running in conjunction with customer engagement apps those services will follow the data storage rules
for Microsoft 365.
Will customer engagement apps be Information Security Registered Assessors Program (IRAP) certified when
the datacenters are live in Australia?
We’re actively investigating IRAP requirements and how they relate specifically to customer engagement apps and
we’ll share more information at a later date.
Where can I find out more about the physical infrastructure for customer engagement apps?
Microsoft Cloud Infrastructure and Operations (MCIO) powers the Microsoft cloud services. MCIO focuses on
smart growth, high reliability, operational excellence, cost-effectiveness, environmental sustainability, and a
trustworthy online experience for customers and partners worldwide.
MCIO delivers the core infrastructure and foundational technologies for Microsoft's 200+ online businesses
including Bing, Outlook.com, MSN, Microsoft 365, Xbox Live, and customer engagement apps. The infrastructure is
comprised of a large global portfolio of datacenters, servers, content distribution networks, edge computing nodes,
and fiber optic networks.

Migration
I have applications and data in an existing Microsoft datacenter. Will I be able to move those resources to the
Australia datacenters?
For Web direct customers, if the account country/region is Australia, New Zealand, or Fiji, the customer will be
eligible to have their environments moved to the Australia East and Southeast region datacenters.
The account country/region can be found in the Microsoft 365 admin center.
1. Sign in to https://admin.microsoft.com.
2. In the upper-right corner of Microsoft 365 admin center, choose your organization.

3. On the Company profile page, your account country/region is listed under Country or region.
If the account country/region is outside Australia, New Zealand, or Fiji, you’ll need to create another Web
direct account with a billing address in Australia, New Zealand, or Oceania. Once the new account and
tenant are created, you can then request the move of your environment and data from other regions into
the Australia region by contacting Support. For more information, see How do I request my environment to
be moved to the Australia datacenter? Microsoft reserves the right to make a unilateral decision to migrate
accounts based on multiple conditions.
If you’re a volume license customer and the volume license agreement was signed in Australia, New
Zealand, or Oceania, you’ll be eligible to move applications and data to the Australia East and Southeast
region datacenters and deploy services there.
Accounts added to the volume license agreement are eligible to move applications and data to the Australia
East and Southeast region datacenters and deploy services there.
To provision a tenant in the Australia datacenter, if you have a volume license enrollment outside the
Australia datacenter you will need to sign an enrollment in Australia, New Zealand, or Oceania and then
migrate existing environments to the Australia datacenter.
To move your tenants, environments, and data to the Australia regions, you should contact Support for
additional information regarding migrating your environments. For more information, see How do I request
my environment to be moved to the Australia datacenter? Microsoft reserves the right to make a unilateral
decision to migrate accounts based on multiple conditions.
For additional guidance regarding multiple tenants and multiple environments, see Multiple online
environments or tenants.
How do I request my environment to be moved to the Australia datacenter?
You can request a move to the new Australian datacenter by submitting a technical support incident through the
Microsoft 365 admin center.
1. Sign in to https://admin.microsoft.com.
2. Go to Support > Service Requests > +
3. Choose More > Dynamics 365 Online
4. For Feature, select Data Management. For Symptom, select Data Center migration request.
5. Fill in the rest of the information to submit a service request.
A support engineer will assist you in verifying required prerequisites and provide guidance throughout the
move process.
How will Microsoft engage with me on the migration?
Once you have been scheduled for migration, a member of the Microsoft Support team will work directly with you
to discuss scheduling and any other issues that may come up during the migration.
If I have both Microsoft 365 services and customer engagement apps, how will migration be handled?
The migration of each service will be handled separately. For customer engagement apps, you’ll be able to choose
your migration date and time. Microsoft will work with you to schedule the migration. For Microsoft 365
scheduling and migration, see Moving core data to new Microsoft 365 datacenter geos.
Can I move Microsoft 365 and customer engagement apps at the same time?
The move process for each service is handled separately but the move can be scheduled to coincide with the
Microsoft 365 admin center move if requested.

Pricing and licensing


Will all versions of customer engagement apps be available?
Customers will be able to purchase all licenses that are currently available in market today. Please see local
availability at Microsoft Dynamics CRM Solutions. Global pricing can be found at Microsoft Dynamics Pricing List.
How will a customer who has an existing volume license (VL) agreement outside of Australia be billed if they
add a new tenant to their agreement that resides in Australia?
The additional seats will be invoiced at the same rate on the customer’s invoice. The business desk will need to
provide a multi-tenant amendment to provide an additional tenant in Australia.
Will customers who purchase Dynamics CRM Online and an additional service such as Parature, Dynamics
Marketing, or Microsoft Social Engagement be taxed differently per service?
Microsoft has a datacenter footprint that varies according to each online service offered. The customer
engagement apps will be provisioned and available from datacenters located within Australia, which makes those
services subject to some taxes that do not necessarily apply to tenants located and provisioned outside Australia.
Microsoft Social Engagement has their own datacenter footprint; they’re offered to customers in Australia
from datacenters outside of Australia. Therefore, these online services are subject to a different tax treatment.

Tax and billing


Will there be any changes on my bill?
New Zealand and Fiji customers will see no changes on their invoices.
For Australia customers, from the general availability date when services become available from Microsoft
Australia datacenters, Microsoft will charge all Australian customers an additional amount equal to the Australian
GST for services and will issue tax invoices. This change will occur because Australian GST is payable on taxable
supplies of goods and services provided and offered in Australia.
My tenant has not moved to Australia datacenter, why am I being charged Australia Goods and Service Tax
(GST)?
There are various factors that must be considered to determine whether GST is payable on the supply. Australian
GST is payable on taxable supplies of goods and services provided and offered in Australia.

Trials
If I started a trial outside of Australia and before general availability, will I be moved to the Australia datacenter
after general availability?
No. Trials will remain in the geography where they were initiated. You may choose to start a new trial that would be
provisioned in the Australia datacenter.
If I choose to convert a trial to a paid subscription, where the trial was created in a geographic region outside of
Australia prior to general availability, will my subscription tenant and environment be moved to the Australia
datacenter?
No. If you choose to convert a trial that was created in a geographic region outside of Australia before general
availability, your trial will be converted and billed in the geography where it was initiated. Australia GST does not
apply.
If the trial was originally deployed in Australia and converted to a paid subscription, you’ll be charged Australia GST.
If you decide you want your environment to be in the Australia datacenter, you’ll need to follow the migration steps
outlined previously. Once you’re moved to Australia, the appropriate billing and tax will be applied.
If a customer creates a trial in the Australia datacenter after general availability, will they be taxed for the trial?
No. Trials are free for 30 days.
Can I create a trial in the Australia datacenter before general availability?
No. You can’t create a trial or move a production environment before general availability.
See also
Office 365 and Dynamics CRM Online now available from datacenters in Australia
New datacenter regions
About the Microsoft Cloud Canada datacenter
10/16/2020 • 6 minutes to read

New Microsoft Cloud Services in Canada


What is Microsoft announcing?
We’re announcing the general availability of customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), served from new datacenter regions in Toronto and Quebec City, joining Azure and Microsoft 365 in
providing the trusted Microsoft Cloud in Canada.
Built on foundational principles of security, privacy and control, compliance, and transparency, the Microsoft Cloud
delivers trusted cloud services to enable people and organizations to achieve more. Providing flexible platform and
productivity solutions - Azure, Microsoft 365, and now customer engagement apps - the local Microsoft Cloud is
designed to fuel innovation and accelerate Canada’s digital transformation.
What is the benefit to customers?
The new local Microsoft Cloud enables data residency for customers in Canada, bringing enterprise-grade
reliability and performance to regulated industries and other businesses. This includes data replication in multiple
regions within Canada for business continuity, reduced network distance, and the option of a private connection to
the cloud with Azure ExpressRoute. The Microsoft Cloud in Canada comes with the same deep commitment to high
availability as our other regions, including a financially backed service level agreement of 99.9%.
For customer engagement apps, data residency means that most customer data will be kept within Canada, except
for Azure Active Directory data. For the definition of customer data and details on our data flow maps in Geo, see
the Microsoft Trust Center.
Where are the Microsoft Cloud Canada regions?
The Canada Geo will consist of datacenters in Toronto and Quebec City.
How do I find what country or region my account is under?
1. Sign in to https://admin.microsoft.com.
2. In the upper-right corner of the Microsoft 365 admin center menu bar, click your organization.

3. On the Company profile page, your account country/region is listed under Country or region.

Common Data Service service overview


Will multi-geo environments be available to customers in Canada?
Yes, multi-geo environments will be supported for Canada. Multi-geo environments are designed for companies
with offices in multiple countries or regions who want to keep core customer data within those countries or
regions. Availability of multi-geo environment support will be limited in the initial rollout to a fixed number of
eligible customers. We'll continue to expand this capacity over time. Read more on how to create and edit multi-
geo environments.
Will the standard Common Data Service service level agreements be offered?
Yes, the standard service level agreements (SLAs) will apply to the Canada regions, just as they do in our other
regions around the world.

NOTE
The SLA for doesn't cover Microsoft Social Engagement.

Will Microsoft Dynamics Marketing, Social Engagement, and Parature be available in the Canada datacenters?
These services are available for purchase in Canada; however, they are provisioned regionally at this time.
What is the customer experience if I use both Dynamics CRM Online from the Canada regions while using
Microsoft Dynamics Marketing, Microsoft Social Engagement, and Parature from other regions?
The customer experience will be unchanged; the workloads for the other services will simply be provisioned from
other regions.
When will ExpressRoute be available in Canada for customer engagement apps customers, and through which
partners?
ExpressRoute is currently available in Canada. View a current list of ExpressRoute locations and partners. Microsoft
is currently working to enable customers to use ExpressRoute with customer engagement apps from the Canada
regions.
Where can I find more about security, data privacy, and compliance?
You can find more information at the Microsoft Trust Center.
Where can I find out more about the physical infrastructure?
These services are hosted in the Microsoft cloud infrastructure comprising more than 100 globally distributed
datacenters, edge computing nodes, and service operations centers. This infrastructure is supported by one of the
world’s largest multi-terabit global networks, with an extensive dark fiber footprint that connects them all.
Microsoft provides cloud services to customers 24x7x365, and the Microsoft Cloud Infrastructure and Operations
team designs, builds, operates and helps secure every facet of the infrastructure. Since opening our first datacenter
in 1989, we’ve invested more than $15 billion on our infrastructure and remain focused on delivering reliable,
scalable, and secure online services.

Migration
You may request migration to the Canada datacenter by submitting a technical support request. If you’re an
existing customer with a billing address mapping to Canada, review the information in this topic to understand the
move process.
How do I request my environment to be moved to Canada?
You can request a move to the new Canada datacenter by submitting a technical support request through the
Dynamics 365 admin center or by calling Microsoft Support. Please select the Data Management topic and Data
Center Migration Request sub-topic to ensure your request receives the best possible routing. A support engineer
will assist you in verifying required prerequisites and provide guidance throughout the move process.

*Customers will be required to go through more steps depending on the type of transition.
How will Microsoft engage with me on the migration?
Once you have been scheduled for migration, a member of the Microsoft Support team will work directly with you
to discuss scheduling and any other issues that may come up during the migration.
If I am scheduled for an update to CRM Online 2015 Update or CRM Online 2015 Update 1, will Microsoft apply
the update at the same time as my migration to the Canada datacenter?
You must be updated to Microsoft Dynamics CRM Online 2015 Update or later prior to migrating to the Canada
datacenter. Customers can schedule their update.
If I have both Microsoft 365 services and customer engagement apps, how will migration be handled?
The migration of each service will be handled separately. For Dynamics 365 (online), you’ll be able to choose your
migration date and time. Microsoft will work with you to schedule the migration. For Microsoft 365 scheduling and
migration, see Moving core data to new Microsoft 365 datacenter geos.
Can I move Microsoft 365 and customer engagement apps at the same time?
The move process for each service is handled separately. The move can be requested to coincide with the Microsoft
365 admin center move.
If my content is stored in the Canada datacenters, can I access my content for work from locations outside of
Canada?
Yes. If you're outside of Canada and sign in as an authenticated user, you'll be able to access the relevant data.

Licensing and pricing


Will all versions of customer engagement apps be available?
Customers will be able to purchase all licenses that are currently available in the market today. Please see local
availability at Microsoft Dynamics CRM Solutions. Global pricing can be found at Microsoft Dynamics Pricing List.
How will a customer who has an existing volume license agreement outside of Canada be billed if they add a
new tenant to their agreement that resides in Canada?
The additional seats will be invoiced at the same rate on the customer’s invoice. The business desk will need to
provide a multi-tenant amendment to provide an additional tenant in Canada.
If I started a trial outside of Canada and before general availability, will I be moved to the Canada datacenter
after general availability?
No. Trials will remain in the geography where they were initiated. You may choose to start a new trial that will
provision in the Canada datacenter.
If I choose to convert a trial to a paid subscription, where the trial was created in a geographic region outside of
Canada prior to general availability, will my subscription tenant and environment be moved to the Canada
datacenter?
No. If you choose to convert a trial that was created in a geographic region outside of Canada before general
availability, your trial will be converted and billed in the geography where it was initiated. If the trial was originally
deployed in Canada and converted to a paid subscription, it will continue to be deployed in Canada.
If a customer creates a trial in the Canada datacenter after general availability, will they be taxed for the trial?
No. Trials are free for 30 days.
See also
Office 365 datacenters now available in Canada
New datacenter regions
Customer engagement apps - operated by 21Vianet in China
10/16/2020 • 3 minutes to read

Common Data Service services operated by 21Vianet are designed to comply with regulatory requirements in
China. The services are a physically separated environment of cloud services operated and transacted currently by
a local operator, Shanghai Blue Cloud Technology Co., Ltd (“21Vianet”). This is a wholly owned subsidiary of Beijing
21Vianet Broadband Data Center Co., Ltd. located in mainland China.
Microsoft strives to maintain functional parity between our commercially available service and customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation) operated by 21Vianet in China. However, there
are notable exceptions to this affected by dependent service or partner-solution availability, market priorities, or
compliance regulations.

Provisioning
Customers in China have two options from which to select how they want to access customer engagement apps.
Services operated by 21Vianet in China - 21Vianet operates and offers Common Data Service services in
China. This option provides a consistent customer engagement apps experience that is the same as global
offerings. This option also meets the demands of customers who prefer to use online services provided by a
local company that stores their data within China. These services are subject to Chinese laws.
Services operated by Microsoft – This option is for customers that prefer to use services managed and
delivered by Microsoft. For all new customers and existing customers, if the customer purchases Microsoft
Azure, customer engagement apps, and Office using an Enterprise Agreement, Microsoft 365 and/or
customer engagement apps can co-exist on the tenant.
For information on provisioning environments, see Create and manage environments in the Power Platform admin
center.

Features not available


Due to certain technological dependencies, the following features will not be available at general availability
of Common Data Service services operated by 21Vianet. For information about future feature availability, see
Business applications and platform release notes.
Manage your documents using SharePoint isn’t supported with Common Data Service services operated by
21Vianet.
Search for records in an app or Categorized Search used for searching records across multiple entities
will be unavailable.
Microsoft 365 Groups feature used for shared workspace for emails, conversations, files, and events in
Common Data Service services will be unavailable.
Online Management API (Admin API) enables customers to create and manage the Common Data Service
environments using REST API will be unavailable.
Company News Timeline provides valuable insights from the latest news about tenant customers on the
phone or tablet. This feature will be unavailable.
Global Discovery Service API which programmatically enables customer applications to discover user
organization (also known as environment) and find environments across regions will not be available.
The service health Organization Insights feature will be unavailable.
Portals for the Common Data Service services will be unavailable.
Dynamics 365 for phones and tablets will be unavailable.
The following Microsoft AppSource hosted solutions for the Common Data Service services will not be
available:
Data Export Service
Connector for LinkedIn Lead Gen Forms
Gamification
DXC Health360 Care Coordination
Voice of the Customer solution used for sending surveys to customers and get their valuable feedback will
not be available.
Live Assist for Microsoft Dynamics 365 Powered by CaféX is an integrated omnichannel solution for
Common Data Service services that will not be available.
The following Customer Service features will be unavailable:
Knowledge Base Search
Similar Cases Search
The following Field Service features will be unavailable:
Dynamics 365 Remote Assist
Push Notifications
Geofencing
Resource Scheduling Optimization (RSO)
Connected Field Service (CFS) for Azure IoT Central
Connected Field Service (CFS) for Azure IoT Hub
Field Service Mobile App
The following Sales features will be unavailable:
LinkedIn’s Organization Chart feature
Integrate LinkedIn Sales Navigator solutions
Forecasting
Dynamics 365 Sales Insights
The following components of Dynamics 365 Plan are unavailable.
Project Service Automation
Marketing (for >10 users)
Microsoft Social Engagement

Additional resources
Apps Operated by 21Vianet Support
Finance and Operations operated by 21Vianet
Support site for 21Vianet (in Chinese)
Privacy statement (Dynamics 365 隐私声明)
Service Level agreement(世纪互联在线服务的服务级别协议)
Legal information (Dynamics 365 法律信息)
Service terms for Lifecycle services
OSPT (世纪互联在线服务的服务级别协议)
Azure Docs (in Chinese)
Azure China 21Vianet
Power Apps operated by 21Vianet and Power Automate operated by 21Vianet
10/16/2020 • 5 minutes to read

Overview
Microsoft Power BI, Microsoft Power BI Premium, Microsoft Power BI Embedded, Microsoft Dynamics 365
Customer Service, Microsoft Dynamics 365 Sales, Microsoft Dynamics 365 Field Service, Microsoft Dynamics 365
Finance, and Microsoft Dynamics 365 Supply Chain Management online services operated by 21Vianet are already
available in China. Microsoft Power Apps and Microsoft Power Automate are now available to serve customers in
regulated industries and commercial organizations that do business with entities in China and require local data
residency.
Microsoft Dynamics 365 (Dynamics 365 Customer Service, Dynamics 365 Sales, Dynamics 365 Field Service,
Dynamics 365 Finance, and Dynamics 365 Supply Chain Management) and Microsoft Power Platform (Microsoft
Power BI, Power BI Premium, Power BI Embedded, Power Apps, and Power Automate) online services collectively
known as “Business Applications” operated by 21Vianet are a physically separated instance of cloud services
operated and transacted by a local operator, Shanghai Blue Cloud Technology Co., Ltd (“21Vianet”). This is a wholly
owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd. located in mainland China.
The deployment of the Business applications family of online services operated by 21Vianet in China is built on the
foundational principles of security, privacy, compliance, transparency, and reliability, offering organizations a
complete cloud infrastructure and platform, as well as familiar productivity and business application tools. This
means that customer data is stored at rest within China except as noted in the Trust Center.
Microsoft strives to maintain functional parity between our commercially available service and online services
operated by 21Vianet in China. However, there are notable exceptions to this, which are affected by dependent
service or partner-solution availability, market priorities, or compliance regulations.
For more information about these exceptions or for questions about service availability in China, contact support.

Feature availability information


Due to certain technical dependencies, the following features will not be available at general availability of
Power Apps operated by 21Vianet and Power Automate operated by 21Vianet. For information about future feature
availability, see Business applications and platform release plans.
Power Apps operated by 21Vianet and Power Automate operated by 21Vianet plans
Access to Power Apps operated by 21Vianet and Power Automate operated by 21Vianet plans is restricted to the
offerings described in the following section; each plan is offered as a monthly subscription and can be licensed to
an unlimited number of users:
Power Apps per app plan
Power Apps plan
Power Apps and Flow capacity
Power Automate per business process plan
Power Automate plan
In addition to the standalone plans, Power Automate and Power Apps capabilities are also included in certain
Microsoft 365 and Dynamics 365 plans allowing customers to extend and customize Microsoft 365 and Dynamics
365 with Power Automate and Power Apps capabilities. This functionality will be enabled in a quarter following
general availability of standalone plans.
Power Apps and Power Automate include several features that allow users to connect to and work with other
Microsoft enterprise service offerings such as Microsoft 365, Dynamics 365, and Power Apps. Power Apps and
Power Automate within datacenters exist in a manner consistent with a multitenant, public cloud deployment
model. Power Automate operated by 21Vianet utilizes the Microsoft 365 customer administrator User Interface for
customer administration and billing.
Power Apps and Power Automate maintain the actual resources, information flow, and data management, while
relying on Microsoft 365 to provide the visual styles that are presented to the customer administrator through their
management console.
Power Apps and Power Automate will not have the ability to integrate third-party applications into the service
through Connectors.
Power Apps operated by 21Vianet and Power Automate operated by 21Vianet
When a user of an organization employing Active Directory Federation Services (AD FS) attempts to access Power
Automate, the user is redirected to a login page hosted on the organization’s AD FS server. The user provides
credentials to their organization's AD FS server. The organization's AD FS server attempts to authenticate the
credentials using the organization’s Azure Active Directory (Azure AD) infrastructure. If authentication is successful,
the organization’s AD FS server issues a SAML (Security Assertion Markup Language) ticket that contains
information about the user’s identity and group membership.
The customer’s AD FS server signs this ticket using one half of an asymmetric key pair and then it sends the ticket
to Azure AD via encrypted Transport Layer Security (TLS). Azure AD validates the signature using the other half of
the asymmetric key pair and then grants access based on the ticket. The user's identity and
group membership information remain encrypted in Azure AD. In other words, only limited user-identifiable
information is stored in Azure AD. You can find full details of the Azure AD security architecture and control
implementation in Azure self-service password (SSP).
The Azure AD account management services are hosted on physical servers managed by the Microsoft Global
Foundation Services (GFS). Network access to these servers is controlled by GFS-managed network devices using
rules set by Azure. Users do not interact directly with Azure AD.
Power Automate features not available
UI flows (Planned for end of calendar year.)
AI Builder, a separate add-on offering for Power Platform.
Power Automate mobile application
Submitting templates
Connectors: The most popular connectors in use in our commercial service (based on usage telemetry) have
been published; if there is a connector available in the commercial offering that you do not see deployed, please
contact support, and we will review your request.
Power Apps features not available
Embed in Microsoft Teams as Microsoft Teams is not yet available in China.
Power Apps solution checker (Planned for end of calendar year 2020.)
Power Query (Planned for end of calendar year 2020.)
Dataflows in Power Apps (Planned for end of calendar year 2020.)
Integrate data into Common Data Service
Export to Azure Data Lake (aka Athena)
Dual-write from Common Data Service to Dynamics 365 Finance and Operations apps
Common Data Service analytics (Planned for end of calendar year 2020.)
AI Builder, a separate add-on offering for Power Platform.
Connectors: The most popular connectors in use in our commercial service (based on usage telemetry) have
been published; if there is a connector available in the commercial offering that you do not see deployed, please
contact support, and we will review your request.

Additional resources
Legal terms landing page
Online Services Terms (世纪互联在线服务的服务级别协议)
Service Level Agreement
Privacy statement
Support for customer engagement apps - operated by 21Vianet in China
10/16/2020 • 2 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) provide many self-service
support options and support through 21Vianet in China.

Self-help resources
Dynamics 365 documentation
Model-driven apps operated by 21Vianet in China

Presales support
Presales support telephone number: +86 400-886-6134
Pre-sales support for model-driven apps provides assistance on subscription features and benefits, plan
comparisons, pricing and licensing, and helps to identify the right solution to meet your business needs. In
addition, pre-sales support can help you find a Partner, and purchase and sign up for a trial. You can call during
local business hours, Monday through Friday. Pre-sales support can be accessed using the same phone number for
technical support.

Billing and subscription management support through 21Vianet


Assistance for billing and subscription management issues is available online or by telephone Monday through
Friday during local business hours, 9:00 to 18:00 China Standard Time (CST). Billing and subscription management
support can be accessed using the same phone number and online service request process as with technical
support. The billing and subscription support telephone number is +86 400-089-0365 and the online portal is
Microsoft 365 admin center.
Here are some examples of billing and subscription management issues:
Signing up for a trial or purchasing a subscription.
Converting from a trial subscription to a paid subscription.
Understanding the bill.
Renewing a subscription.
Adding or removing licenses.
Canceling a paid subscription.

Assisted technical support through 21Vianet


If you experience a technical issue with your deployment, report it to 21Vianet through the Microsoft 365 Portal or
by calling the support hotline at +86 400-089-0365. Technical support hours of operations are Monday through
Friday during local business hours, 9:00 to 18:00 China Standard Time (CST).
A service request (SR) is handled within hours depending on the severity of its impact to your business:
Critical business impact - You will receive an initial response within 1 hour or less, and a support
representative will work continuously, all day, until the problem is resolved. You will be expected to allocate
appropriate resources to work on the request until the problem is resolved and provide accurate contact
information to the support personnel handling your case.
Non-critical business impact - You will receive an initial response within 8 hours or less. You will be expected
to provide accurate contact information to the support personnel handling your case.

Get Premier support


If you run mission-critical solutions, Premier support offers additional value:
Proven advisory services designed to maximize your Dynamics 365 investment.
A designated service delivery manager committed to improving your Dynamics 365 experience.
Top priority reactive support to help ensure service continuity.
For details about purchasing Premier support, contact your Microsoft Account team. If you have a Premier support
plan you can contact support via My Premier Online.

Additional resources
Model-driven apps operated by 21Vianet in China
Dynamics 365 Finance and Operations operated by 21Vianet
Dynamics 365 support site for 21Vianet (in Chinese)
Dynamics 365 Privacy statement (Dynamics 365 隐私声明)
Dynamics 365 Service Level agreement (世纪互联在线服务的服务级别协议)
Dynamics 365 Legal information (Dynamics 365 法律信息)
Service terms for Dynamics 365 Lifecycle services
OSPT of Dynamics 365 (世纪互联在线服务的服务级别协议)
Azure Docs (in Chinese)
Azure China 21Vianet
About Microsoft Cloud France
10/16/2020 • 2 minutes to read

As of July 2019, customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365
Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), Finance and Supply Chain
Management, Power Apps, and Power Automate are available in France’s datacenters. This new deployment option
serves customers in regulated industry and commercial organizations that do business with entities in France that
require local data residency. Power BI has been available since March 2019.
The deployment of the Common Data Service services in France is built upon the foundational principles of
security, privacy, compliance, transparency, and reliability, offering French organizations a complete cloud
infrastructure and platform, as well as familiar productivity and business application tools. All of this means that
customer data stays resident within France.
Microsoft strives to maintain functional parity between our commercially available service and customer
engagement apps offerings in France. However, there are few exceptions affected by dependent service or partner-
solution availability, market priorities, or compliance regulations. For more information about these exceptions or
for questions about services in France, contact Microsoft Dynamics Online support.
About the Microsoft Cloud Germany datacenter
10/16/2020 • 4 minutes to read

Microsoft Dynamics 365 Germany addresses the needs of the most regulated customers in Germany, the European
Union (EU), and the European Free Trade Association (EFTA). The German datacenter delivers services that bring
together the best of Microsoft in productivity, collaboration, intelligence and platform to grow, evolve and
transform your business.

NOTE
Due to the unique nature of Microsoft Dynamics 365 Germany, there are some features that have not yet been enabled. The
key sales, marketing, and service features for customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer
Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) will be the
same as in other regions. However, there may be external factors that are made available in other clouds, but will not be
available to German cloud customers at this time.
Please check back for the latest information.

German Data Residency


Customer Data will be stored at rest in two independent, geographically dispersed datacenter locations in
Germany. Replication of Customer Data across these German datacenters ensures data remains in Germany even
in backup, business continuity, and disaster recovery scenarios.
Customer Data means all data that are provided to Microsoft by, or on behalf of the customer through the use of
customer engagement apps (such as Dynamics 365 Sales and Customer Service).
Note the following:
Customer Data is stored at rest in Germany
Access control is through a German Data Trustee.
All security and compliance capabilities of customer engagement apps (such as Dynamics 365 Sales and
Customer Service), are included.

German Data Trustee


The German Data Trustee controls access to Customer Data by anyone except the customer or the customer’s end
users. This means that access to Customer Data or the infrastructure on which Customer Data resides for
performing operational tasks must be granted and supervised by the German Data Trustee, or else directly by the
customer.
The German Data Trustee may also perform non-data specific tasks related to day-to-day datacenter operations.

Germany Service Delivery


The following describes current and planned service availability. We will continue to add more services as they
become available.
Germany offers the following online services:
Microsoft Dynamics 365 for Sales
Dynamics 365 for Customer Service
Dynamics 365 Plan
Dynamics 365 Plan is a user subscription that includes Microsoft Dynamics 365 for Sales, Dynamics 365 for
Customer Service, Field Service, Project Service Automation, and Team Members. Please note that Dynamics 365
for Field Service and Dynamics 365 for Project Service Automation cause location data to be transmitted to Bing
Maps outside of Germany.
Coming soon:
Azure ExpressRoute
Some online services or add-ons are not yet offered, such as:
Online services:
Dynamics 365 for Finance and Operations
Dynamics for Financials
Microsoft Flow
Microsoft Social Engagement
Add-ons and Integration
Dynamics 365 - Gamification
Mobile offline synchronization
Relevance Search
Azure Machine Learning integration
Bing Maps integration
Microsoft 365 Groups integration
Power BI integration

Compliancy and certifications


Microsoft Dynamics 365 Germany is built in adherence to the cloud security and compliance standards and
commitments of customer engagement apps (such as Dynamics 365 Sales and Customer Service).
Microsoft Dynamics 365 Germany is planned to be covered under existing audits.
Uses the same security and controls
Includes ISO 27001, 27018, and SOC 1 and 2
Data centers undergo audits like any other expansion.
The additional Data Trustee controls in Microsoft Dynamics 365 Germany will be evaluated by independent
assessors as part of our annual ISO and SOC.
Microsoft Dynamics 365 Germany includes client software applications that are installed and run on an end user’s
device (“client software applications”), such as Dynamics 365 for Outlook, Dynamics 365 for phones and Dynamics
365 for tablets, and the Unified Service Desk for Dynamics 365. Client software applications do not operate
exclusively in German data centers and may enable an end user to access online services that are not German
Online Services. For purposes of your agreement with Microsoft, client software applications are not German
Online Services. German Data Residency commitments and access control by German Data Trustee apply only to
the German Online Services.
Apps available in a Microsoft app store are provided by either Microsoft or a third-party app publisher and these
are subject to a separate privacy statement and terms and conditions. Data provided through the use of a Microsoft
app store and any app may be accessible to Microsoft or the third-party app publisher, as applicable, and
transferred to, stored, and processed in the United States or any other country or region where Microsoft or the
app publisher and their affiliates or service providers maintain facilities. Please work with the app publisher to
make sure it meets requirements for your Microsoft Dynamics 365 Germany deployment.

Privacy notice
Mapping functions for Dynamics 365 Customer Engagement Plan
Field Service and Project Service Automation have key functions that rely on location. For example, the location of
Service Accounts (which define where services or tasks take place) or the starting/ending location of Resources
(people performing services or tasks). In order for the system to show these on a map - or to calculate distances
between points - it's necessary to use a mapping service (in this case Bing Maps).
Following is the workflow to and from the Bing Maps service:

| From Dynamics 365 | Bing Maps returns | Note |
|---|---|---|
| Address (account or resource) | Latitude and longitude of the address (location) | This is referred to as "geo-coding" of an address. |
| Set of locations (latitude/longitude) | Distance between locations | This can be used to find optimal routes for resources or to calculate travel times. |
| Set of locations (latitude/longitude) | Map view with the locations as pins on the map | This is used to view the accounts and resources in a map view. |

NOTE
Aside from the data referenced above, no other data is sent to the Bing Maps service.

See also
Microsoft Azure Germany
New datacenter regions
Migrate customer data to the new "Local" German regions
About the Microsoft Cloud India datacenter
10/16/2020 • 6 minutes to read

New Microsoft Cloud Services in India


What is Microsoft announcing?
We’re announcing the general availability of customer engagement apps (Dynamics 365 Sales, Dynamics 365
Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service
Automation), served from new datacenter regions in Pune and Chennai, joining Azure and Microsoft 365 in
providing the trusted Microsoft Cloud in India.
Built on foundational principles of security, privacy and control, compliance, and transparency, the Microsoft Cloud
delivers trusted cloud services to enable people and organizations to achieve more. Providing flexible platform and
productivity solutions Azure, Microsoft 365, and now customer engagement apps, the local Microsoft Cloud is
designed to fuel innovation and accelerate India’s digital transformation.
What is the benefit to customers?
The new local Microsoft Cloud enables data residency for customers in India, bringing enterprise-grade reliability
and performance to regulated industries and other businesses. This includes data replication in multiple regions
within India for business continuity, reduced network distance, and the option of a private connection to the cloud
with Azure ExpressRoute. The Microsoft Cloud in India comes with the same deep commitment to high availability
as our other regions, including a financially backed service level agreement of 99.9%.
For customer engagement apps, data residency means that most customer data will be kept within India, except for
Azure Active Directory data. For the definition of customer data and details on our data flow maps in Geo, see the
Microsoft Trust Center.
Where are the Microsoft Cloud India regions?
The India Geo will consist of datacenters in Central India (Pune) and South India (Chennai).
How do I find what country or region my account is under?
1. Sign in to https://admin.microsoft.com.
2. In the upper-right corner of the Microsoft 365 admin center menu bar, click your organization.

3. On the Company profile page, your account country/region is listed under Country or region.

Service overview
Will multi-geo environments be available to customers in India?
Yes, multi-geo environments will be supported for India as long as the tenant is provisioned in India. For customers
not located in India who want to provision an environment within the India datacenter, they must first purchase a
tenant for an organization located in India and then the tenant can be provisioned in India.
Availability of multi-geo environment support will be limited in the initial rollout to a fixed number of eligible
customers. We'll continue to expand this capacity over time. Read more on how to create and edit multi-geo
environments.
Will the standard service level agreements be offered?
Yes, the standard service level agreements (SLAs) will apply to the India regions, just as they do in our other
regions around the world.

NOTE
The SLA doesn't cover Microsoft Social Engagement.

Will Microsoft Dynamics Marketing, Social Engagement, and Parature be available in the India datacenters?
These services are available for purchase in India, however, these services are provisioned regionally at this time.
What is the customer experience if I use both Dynamics CRM Online from the India regions while using
Microsoft Dynamics Marketing, Microsoft Social Engagement, and Parature from other regions?
The customer experience will be unchanged, the workloads for the other services will simply be provisioned from
other regions.
When will ExpressRoute be available in India for customers, and through which partners?
ExpressRoute is currently available in India. View a current list of ExpressRoute locations and partners. Microsoft is
currently working to enable customers to use ExpressRoute with customer engagement apps from the India
regions.
Where can I find more about security, data privacy, and compliance?
You can find more information at the Microsoft Trust Center.
Where can I find out more about the physical infrastructure?
These services are hosted in the Microsoft cloud infrastructure comprising more than 100 globally distributed
datacenters, edge computing nodes, and service operations centers. This infrastructure is supported by one of the
world’s largest multi-terabit global networks, with an extensive dark fiber footprint that connects them all.
Microsoft provides cloud services to customers 24x7x365, and the Microsoft Cloud Infrastructure and Operations
team designs, builds, operates and helps secure every facet of the infrastructure. Since opening our first datacenter
in 1989, we’ve invested more than $15 billion on our infrastructure and remain focused on delivering reliable,
scalable, and secure online services.

Migration
You may request migration to the India datacenter by submitting a technical support request. If you’re an existing
customer with a billing address mapping to India, review the information in this topic to understand the move
process.
How do I request my environment to be moved to India?
You can request a move to the new India datacenter by submitting a technical support request through the
Dynamics 365 admin center or by calling Microsoft Support. Please select the Data Management topic and Data
Center Migration Request sub-topic to ensure your request receives the best possible routing. A support engineer
will assist you in verifying required prerequisites and provide guidance throughout the move process.
*Customers will be required to go through more steps depending on the type of transition.
How will Microsoft engage with me on the migration?
Once you have been scheduled for migration, a member of the Microsoft Support team will work directly with you
to discuss scheduling and any other issues that may come up during the migration.
If I am scheduled for an update to CRM Online 2015 Update or CRM Online 2015 Update 1, will Microsoft apply
the update at the same time as their migration to the India datacenter?
You must be updated to Microsoft Dynamics CRM Online 2015 Update or later prior to migrating to the India
datacenter. Customers can schedule their update.
If I have both Microsoft 365 services and customer engagement apps, how will migration be handled?
The migration of each service will be handled separately. For customer engagement apps, you’ll be able to choose
their migration date and time. Microsoft will work with you to schedule the migration. For Microsoft 365
scheduling and migration, see Moving core data to new Microsoft 365 datacenter geos.
Can I move Microsoft 365 and customer engagement apps at the same time?
The move process for each service is handled separately. The move can be requested to coincide with the Microsoft
365 admin center move.
If my content is stored in the India datacenters, can I access my content for work from locations outside of
India?
Yes. If you're outside of India and sign in as an authenticated user, you'll be able to access the relevant data.

Licensing and pricing


Will all versions of customer engagement apps be available?
Customers will be able to purchase all licenses that are currently available in the market today. Please see local
availability at Microsoft Dynamics CRM Solutions. Global pricing can be found at Microsoft Dynamics Pricing List.
How will a customer who has an existing volume license agreement outside of India be billed if they add a new
tenant to their agreement that resides in India?
The additional seats will be invoiced at the same rate on the customer’s invoice. The business desk will need to
provide a multi-tenant amendment to provide an additional tenant in India.
If I started a trial outside of India and before general availability, will I be moved to the India datacenter after
general availability?
No. Trials will remain in the geography where they were initiated. You may choose to start a new trial that will
provision in the India datacenter.
If I choose to convert a trial to a paid subscription, where the trial was created in a geographic region outside of
India prior to general availability, will my subscription tenant and environment be moved to the India
datacenter?
No. If you choose to convert a trial that was created in a geographic region outside of India before general
availability, your trial will be converted and billed in the geography where it was initiated. If the trial was originally
deployed in India and converted to a paid subscription, it will continue to be deployed in India.
If a customer creates a trial in the India datacenter after general availability, will they be taxed for the trial?
No. Trials are free for 30 days.
See also
Announcing the availability of Office 365 from local datacenters in India
New datacenter regions
About the Microsoft Cloud Japan datacenter
10/16/2020 • 6 minutes to read

If you’re an existing customer with a billing address mapping to a new data center region, review the information
in this topic to understand the move process:

Japan GEO expansion announcement


What is Microsoft announcing?
The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) are now available as a service
within the Japan datacenters.
In addition, customer engagement apps are currently available in 130 markets and 44 languages, enabling us to
sell side-by-side with Microsoft 365 in the majority of the markets worldwide. With the inclusion of Japan, our
global customers will now be served from datacenters in 5 global regions around the world.
This marks an important step on our cloud journey to serve our customers and partners in Japan (Japan GEO).
By bringing customer engagement apps to the local region we will be able to serve our customers more effectively
and with better performance while also ensuring compliance with local requirements.
What prompted Microsoft to undertake this geographic expansion?
In order to better serve customer needs for data residency and reduced latency, we continually evaluate where we
should expand availability around the world. We are committed to long-term investment in customer engagement
apps and expansion over time.
Customer engagement apps (such as Dynamics 365 Sales and Customer Service) are currently available in 130
markets and 44 languages, enabling us to sell side-by-side with Office 365 in the majority of the markets around
the globe.
This global expansion will enable us to deliver on the promise of increasing sales productivity while allowing our
customers to sell effectively, market smarter, and provide care everywhere to offer amazing experiences to their
customers.
What are the future geographic expansion plans?
Geographic expansion is a high priority and we’re constantly evaluating market needs. While we have no
additional information or specifics on future plans to announce at this time, we will update if and when we have
something to share.

Datacenter overview
Where are the datacenters located in the Japan Geo?
The Japan Geo will consist of datacenters in the Japan East and Japan West.
Will the standard SLA be offered at general availability launch?
Yes, on the date of general availability, the standard 99.9% financially backed SLA will apply, just as it does in our
other regions around the world. Note: the SLA does not cover Microsoft Social Engagement.
Do existing customers have the choice to keep their service from being moved to the Japan Datacenters?
Existing customers will remain in the datacenters where they are currently deployed unless they request to be
moved. Microsoft reserves the right to make a unilateral decision to migrate accounts based on multiple
conditions. All new customers purchasing customer engagement apps (such as Dynamics 365 Sales and Customer
Service) in Japan will be provisioned within the Japan datacenter.
How do I request my environment to be moved to the Japan datacenter?
You can request a move to the new Japan datacenter by submitting a technical support incident through the
Microsoft 365 admin center.
1. Sign in to https://admin.microsoft.com.
2. Go to Support > Service Requests > +
3. Choose More > Dynamics 365 Online
4. For Feature, select Data Management. For Symptom, select Data Center migration request.
5. Fill in the rest of the information to submit a service request.
A support engineer will assist you in verifying required prerequisites and provide guidance throughout the move
process.
How will Microsoft engage with me on the migration?
Once you have been scheduled for migration, a member of the Microsoft Support team will work directly with you
to discuss scheduling and any other issues that may come up during the migration.
If I am scheduled for an update to Microsoft Dynamics CRM Online 2015 Update or CRM Online 2015 Update 1,
will Microsoft apply the update at the same time as their migration to the Japan datacenter?
You must be updated to Microsoft Dynamics CRM Online 2015 Update or later before migrating to the Japan
datacenter. Customers can schedule their update.
If I have both Microsoft 365 services and customer engagement apps, how will migration be handled?
The move of each service will be handled separately and customers will be fully supported even if one service has
been moved and the other has not. Customers will be able to choose their move date and time. Microsoft will work
with the customer to schedule the move. For Microsoft 365, customers will be notified through the message center
about the move timeline, but the large number of existing customers means that individual scheduling is not
possible. For Microsoft 365 scheduling and migration, see Moving core data to new Microsoft 365 datacenter geos.
Can I move Microsoft 365 and customer engagement apps at the same time?
The move process for each service is handled separately, but the move can be scheduled to coincide with the
Microsoft 365 admin center move if requested.
Will multi-geo environments be available to customers in Japan?
Multi-geo environments will be supported for Japan. Availability of multi-geo environment support will be limited
in the initial rollout to a fixed number of eligible customers upon request, and we’ll continue to expand over time.
For additional guidance regarding multiple tenants and multiple environments, see Multiple online environments
or tenants. This link will be updated with the Microsoft Dynamics CRM Online 2015 Update launch.
How will this affect users or partners?
Regardless of where customer engagement apps are provisioned, you’ll have the ability to determine which of
your users will have access to those services based on how you configure customer engagement apps.
Will customer engagement apps be available on Azure Infrastructure as a Service (IaaS) in Japan?
At this time customer engagement apps are only available for dev/test scenarios and aren’t supported for
production use cases. Developers can leverage their MSDN subscription and Azure credits for dev/test scenarios.
Note: we recently announced intent to support customer engagement apps on Azure IaaS but we are dependent
on Azure Premium Storage being available in each geographic region. Azure’s Limited Public Preview
will only be available in the U.S. and part of Europe. We do not have any additional information regarding other
geos or general availability at this time.
Where can I find more about security, data privacy, and compliance?
The Trust Center will be updated as needed when the Japan datacenters launch into general availability. To see the
current version of the Trust Center, see: Microsoft Trust Center.
Will Microsoft Dynamics Marketing, Social Engagement, and Parature, from Microsoft be available in the Japan
datacenters?
These services will be available for purchase in the local market but will be delivered outside of the Japan
datacenters at this time. Note: customer engagement apps leverage Azure Active Directory and Multi-Factor
Authentication, which don’t offer a region choice to customers.

Pricing
How will billing be handled for customers whose environments are moved from an existing tenant located
outside of Japan to a new tenant in Japan?
Billing is related to the country/region where the customer signs up for the Common Data Service service, not
where the service is deployed.
Will all versions be available?
You’ll be able to purchase all licenses that are currently available in the market today. For more information, see:
Pricing List.
See also
Office 365 now available from datacenters in Japan
New datacenter regions
Dynamics 365 US Government
10/16/2020

In response to the unique and evolving requirements of the United States public sector, Microsoft has created
Microsoft Dynamics 365 US Government that is available to qualified government entities in the United States. On
October 11, 2016, Microsoft announced the next generation of intelligent business applications in the cloud under
the brand Microsoft Dynamics 365. To this end, Microsoft Dynamics 365 US Government entails a continuity of the
protected environment that was originally branded Microsoft CRM Online Government where the protections
afforded to the government community cloud under the new brand are now represented by four discrete
functions: Sales, Customer Service, Field Service, and Project Service Automation. This section provides an
overview of features that are specific to Microsoft Dynamics 365 US Government. It is important to note that the
following Microsoft Dynamics 365 apps do not provide the compliance commitments or acquisition regulations
documented in this Service Description:
Microsoft Dynamics 365 Business Central
Microsoft Dynamics 365 Marketing
Microsoft Dynamics 365 Finance and Operations
Microsoft Dynamics 365 Retail
Microsoft Dynamics 365 Talent
Microsoft Dynamics 365 Customer Service Insights
Microsoft Dynamics 365 Market Insights
Microsoft Dynamics 365 Sales

About Dynamics 365 US Government environments and plans


Dynamics 365 US Government has been Generally Available to customers through deployment into the
Government Community Cloud (GCC) since January, 2015. Among other compliance commitments and reviews as
documented in the Microsoft Trust Center, the service has received several agency Authority to Operate (ATOs)
since that time. It was the first Cloud Solution Provider (CSP) to achieve a FedRAMP Joint Application Board
Provisional Authority to Operate (JAB P-ATO) through the JAB Accelerated Process. In March, 2018, the service
impact level was granted a FedRAMP JAB High P-ATO.
Beginning April, 2019, eligible customers may now choose to deploy Dynamics 365 US Government to the “GCC
High” environment, which enables single sign-on and seamless integration with Microsoft 365 GCC High
deployments. Microsoft has designed the platform and our operational procedures to meet the requirements
aligning with the DISA SRG IL4 compliance framework. We anticipate our US Department of Defense contractor
customer base and other Federal agencies currently leveraging Microsoft 365 GCC High to use the Dynamics 365
US Government GCC High deployment option, which enables and requires the customer to leverage Azure AD
Government for customer identities, in contrast to GCC which leverages Public Azure AD. For our US Department
of Defense contractor customer base, Microsoft operates the service in a manner that enables these customers to
meet ITAR commitment and DFARS acquisition regulations, as documented and required by their contracts with
the US Department of Defense.
Dynamics 365 US Government plans are available to qualified government and private entities, limited to (i)
United States (US) federal, state, local, tribal, and territorial government entities; (ii) private entities using Dynamics
365 US Government to provide solutions to a government entity or a qualified member of the cloud community;
and (iii) private entities with customer data subject to government regulations for which the use of Dynamics 365
US Government is the appropriate service to meet the regulatory requirements. Access to Dynamics 365 US
Government plans is restricted to the offerings described below; each plan is offered as a monthly subscription and
can be licensed to an unlimited number of users:
Dynamics 365 US Government – GCC User Subscription Licenses
Dynamics 365 Customer Engagement Plan GCC (existing enrollments only)
Dynamics 365 Field Service GCC
Dynamics 365 Case Management GCC
Dynamics 365 Customer Service GCC
Dynamics 365 Customer Service Professional GCC
Dynamics 365 Sales GCC
Dynamics 365 Sales Professional GCC
Dynamics 365 Project Service GCC
Dynamics 365 Team Member GCC
Dynamics 365 ProDirect Support GCC
Dynamics 365 Enhanced Support GCC
Dynamics 365 Remote Assist GCC
Dynamics 365 US Government – GCC AddOns
Additional Portal for Government
Additional Portal Page Views for Government
Additional production Instance for Government
Additional Non-production Instance for Government
Additional Database Storage for Government
Dynamics 365 US Government – GCC High User Subscription Licenses
Dynamics 365 Customer Engagement Plan GCC High (existing enrollments only)
Dynamics 365 Field Service GCC High
Dynamics 365 Case Management GCC High
Dynamics 365 Customer Service GCC High
Dynamics 365 Customer Service Professional GCC High
Dynamics 365 Sales GCC High
Dynamics 365 Sales Professional GCC High
Dynamics 365 Project Service GCC High
Dynamics 365 Team Member GCC High
Dynamics 365 ProDirect Support GCC High
Dynamics 365 Enhanced Support GCC High
Dynamics 365 Remote Assist GCC High
Dynamics 365 US Government – GCC High AddOns
Additional Portal for Government – GCC High
Additional Portal Page Views for Government – GCC High
Additional production Instance for Government – GCC High
Additional Non-production Instance for Government – GCC High
Subscription Availability
Eligible customers can purchase the above SKUs through the following purchasing channels:
GCC: Volume Licensing (VL) and Cloud Solution Provider (CSP)
GCC High: Volume Licensing (VL)
GCC SKUs currently included in an Enterprise Agreement (EA) can also be obtained through Reservation either
through a qualified reseller or through the Volume Licensing Service Center (VLSC). When a reservation is placed,
the requested subscription is added to the established customer Tenant that same day, and the customer is billed a
prorated amount based on the currently established Enterprise Agreement from the first of the month following
activation of the reservation as part of the next anniversary or renewal payment cycle. Reservations are currently
not available for GCC High subscriptions. For GCC High, please follow the standard addon ordering process with
your reseller.
Orders placed for GCC High must be followed up with a request to the Microsoft GCC High order processing team
using the following online form: https://aka.ms/m365usgovtenantrequest. Please work with your reseller or
Microsoft account manager for more information and guidance.

What is “customer data” and “customer content?”


This section describes Dynamics 365 Government commitments that apply to customer content and to customer
data.
Customer data, as defined in the Online Service Terms, means all data, including all text, sound, video, or image
files, and software, that are provided to Microsoft by, or on behalf of, Customer through use of the Online Service.
Customer content refers to a specific subset of customer data that has been directly created by users, such as
content stored in databases through entries in Dynamics 365 entities (e.g. contact information). Content is
generally considered confidential information, and in normal service operation, is not sent over the Internet
without encryption.
For more information on the Dynamics 365 protection of customer data, see the Microsoft Online Services Trust
Center.

Data segregation for Government Community Cloud


When provisioned as part of Dynamics 365 Government, the Dynamics 365 service is offered in accordance with
the National Institute of Standards and Technology (NIST) Special Publication 800-145.
In addition to the logical separation of customer content at the application layer, the Dynamics 365 Government
service provides your organization with a secondary layer of physical segregation for customer content by using
infrastructure that is separate from the infrastructure used for commercial Dynamics 365 customers. This includes
using Azure services in Azure’s Government Cloud. To learn more, see Azure Government.

Customer content located within the United States


Dynamics 365 US Government services are provided from datacenters physically located in the United States.
Customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) customer content is stored at rest in
datacenters physically located only in the US.

Restricted data access by administrators


Access to Dynamics 365 US Government customer content by Microsoft administrators is restricted to personnel
who are US citizens. These personnel undergo background investigations in accordance with relevant government
standards.
Dynamics 365 support and service engineering staff do not have standing access to customer content hosted in
Dynamics 365 US Government. Any staff who request temporary permission elevation which would grant access
to customer content must first have passed the following background checks.
| Microsoft personnel screening and background checks (1) | Description |
|---|---|
| U.S. Citizenship | Verification of U.S. citizenship |
| Employment History Check | Verification of seven (7) year employment history |
| Education Verification | Verification of highest degree attained |
| Social Security Number (SSN) Search | Verification that the provided SSN is valid |
| Criminal History Check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level |
| Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions |
| Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities |
| Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry |
| Fingerprinting Check | Fingerprint background check against FBI databases |
| CJIS Background Screening (2) | State-adjudicated review of federal and state criminal history by state CSA appointed authority within each state that has signed up for the Microsoft CJIS IA program |

(1) Applies only to personnel with temporary or standing access to customer content hosted in Dynamics 365 US
Government (GCC & GCC High).
(2) Applies only to personnel with temporary or standing access to customer content hosted in Dynamics 365 US
Government (GCC).

Certifications and accreditations


Dynamics 365 US Government is designed to support the Federal Risk and Authorization Management Program
(FedRAMP) accreditation at a High Impact level. FedRAMP artifacts are available for review by federal customers
who are required to comply with FedRAMP. Federal agencies can review these artifacts in support of their review
to grant an Authority to Operate (ATO).

NOTE
Dynamics 365 has been authorized as a service within the Azure Government FedRAMP ATO. More information, including
how to access the FedRAMP documents, can be found in the FedRAMP Marketplace:
https://marketplace.fedramp.gov/#!/product/azure-government-includes-dynamics-365?sort=productName&productNameSearch=azure%20government

Dynamics 365 US Government has features designed to support customers’ CJIS Policy requirements for law
enforcement agencies. Please visit the Power Platform Trust Center for more detailed information related to
certifications and accreditations.
Microsoft has designed the platform and our operational procedures to meet the requirements aligning with the
DISA SRG IL4 compliance framework. We anticipate our US Department of Defense contractor customer base and
other Federal agencies currently leveraging Microsoft 365 GCC High to use the Dynamics 365 US Government
GCC High deployment option, which enables and requires the customer to leverage Azure AD Government for
customer identities, in contrast to GCC which leverages Public Azure AD. For our US Department of Defense
contractor customer base, Microsoft operates the service in a manner that enables these customers to meet ITAR
commitment and DFARS acquisition regulations

Dynamics 365 US Government and other Microsoft services


Dynamics 365 US Government includes several features that allow users to address customer calls through Skype
for Business, email editing for sales materials and, in general, integration with other Microsoft enterprise service
offerings such as Microsoft 365 for Government. Dynamics 365 US Government is deployed within Microsoft
datacenters in a manner consistent with a multi-tenant, public cloud deployment model; however, client
applications including but not limited to the web-user client, Dynamics 365 for tablets, Dynamics 365 for phones,
Dynamics 365 for Outlook, Unified Service Desk for Dynamics 365 and any third-party client application that
connects to Dynamics 365 US Government are not part of Dynamics 365 US Government's accreditation
boundary and government customers are responsible for managing them.
Dynamics 365 US Government leverages the Microsoft 365 customer administrator UI for customer
administration and billing. Dynamics 365 US Government maintains the actual resources, information flow, and
data management, while relying on Microsoft 365 to provide the visual styles that are presented to the customer
administrator through their management console. For purposes of FedRAMP ATO inheritance, Dynamics 365 US
Government leverages Azure (including Azure Government) ATOs for infrastructure and platform services,
respectively.

Dynamics 365 US Government and third-party services


Customer engagement apps provide the ability to integrate third-party applications into the service. These
third-party applications and services might involve storing, transmitting, and processing your organization’s customer
data on third-party systems that are outside of the customer engagement apps infrastructure and
therefore are not covered by the customer engagement apps compliance and data protection commitments. We
recommend that you review the privacy and compliance statements provided by the third parties when assessing
the appropriate use of these services for your organization.

Dynamics 365 US Government and Azure Services


Azure Active Directory (Azure AD) and Azure Active Directory Government (Azure AD Government) are not part of
the Dynamics 365 US Government accreditation boundary. Government customers are responsible for using ADFS
to uniquely identify and authenticate their organizational users. Notwithstanding, it is important to note that Azure
AD and Azure AD Government provide critical functionality to both Dynamics 365 US Government and ADFS,
whose dependencies are described in detail in the Dynamics 365 US Government SSP (Service Security Plan).
When a user of an organization employing ADFS attempts to access Dynamics 365 for Customer Engagement, the
user is redirected to a login page hosted on the organization’s ADFS server. The user provides his or her
credentials to their organization's ADFS server, which attempts to authenticate the credentials using the
organization’s existing Active Directory infrastructure. If the credentials are authenticated, the organization’s ADFS
server issues a SAML (Security Assertion Markup Language) ticket containing information about the user’s identity
and group membership. The customer ADFS server signs this ticket using one half of an asymmetric key pair and
it sends the ticket to Azure AD via encrypted TLS. Azure AD validates the signature using the other half of the
asymmetric key pair and grants access based on the ticket. The user's identity and group membership information
remain in an encrypted fashion in Azure AD; in other words, limited user-identifiable information is stored in Azure
AD. Full details of the Azure AD security architecture and control implementation can be found in the Azure SSP
and Azure Government SSP. Users do not interact directly with Azure AD.

Dynamics 365 US Government URLs


You use a different set of URLs to access Dynamics 365 US Government environments, as documented here:
Dynamics 365 Instance Administration (“Instance Picker”)
GCC: https://port.crm9.dynamics.com/G/Instances/InstancePicker.aspx
GCC High: https://port.crm.microsoftdynamics.us/G/Instances/InstancePicker.aspx
Instances
GCC: *.crm9.dynamics.com
GCC High: *.crm.microsoftdynamics.us
Discovery Service (Deprecated)
GCC: https://disco.crm9.dynamics.com/XRMServices/2011/Discovery.svc
GCC High: https://disco.crm.microsoftdynamics.us/XRMServices/2011/Discovery.svc
Discovery (OData V4) RESTful API
GCC:
(Deprecated) Discovery URL: https://disco.crm9.dynamics.com/api/discovery/v9.1/
Global discovery URL: https://globaldisco.crm9.dynamics.com/api/discovery/v2.0/
GCC High:
(Deprecated) Discovery URL: https://disco.crm.microsoftdynamics.us/api/discovery/v9.1/
Instance WebAPI
GCC: https://*.api.crm9.dynamics.com/api/data/v9.1/
GCC High: https://*.api.crm.microsoftdynamics.us/api/data/v9.1/
Organization Service
GCC: https://*.api.crm9.dynamics.com/XRMServices/2011/Organization.svc
GCC High: https://*.api.crm.microsoftdynamics.us/XRMServices/2011/Organization.svc
Microsoft Dynamics Portals
GCC: https://*.dynamics365portals.us
GCC High: https://*.high.dynamics365portals.us

Regional Discovery Service is deprecated


Effective March 2, 2020, the regional Discovery Service will be deprecated. More information: Regional Discovery
Service is deprecated.
See also
Dynamics 365 US Government - Feature availability
IP addresses and URLs
Power Apps US Government
Power Automate US Government
Dynamics 365 US Government - Feature availability
10/16/2020

Microsoft strives to maintain functional parity between our commercially available service and that which is
servicing Dynamics 365 U.S. Government - referred to as Dynamics 365 GCC and GCC High. Please refer to the
Global Geographic Availability tool to see where the Dynamics 365 Apps and Offers are available throughout the
world, including approximate timelines on when they will be available.
At this time, preview features in the commercial offering are not available to Dynamics 365 US Government
Community Cloud (GCC) and GCC High customers. This is intentional, as the GCC and GCC High deployment
enable a community leveraging our generally available services, further protected with heightened compliance
demands of the U.S. Government and Government community customers.
There are certain experiences that are currently not available with Dynamics 365 GCC and GCC High. We continue
to evaluate these for incorporation into future releases. The following generally available features are not currently
available:
Activity Logging (Available CY2020-Q4)
AppSource (that is, the ability to install Applications directly from AppSource)
CAFEx Integration
Connected Field Service
Data Export Service - replaced by CDS to Azure Data Lake. Available CY2020 – Q4.
Gamification
Home.Dynamics.com and the app switcher
Insights, powered by InsideView
PowerBI “embedded” user dashboard experience
Relevance Search (Available CY2020-Q4)
Versium Predict
Teams Integration
There are a number of other business application apps and services that are not currently available as a service
operating within the GCC or GCC High at this time. They include:
Microsoft Dynamics 365 Marketing
Microsoft Dynamics 365 Talent
Microsoft Business Central
Microsoft Dynamics 365 Customer Insights (Available in GCC)
Microsoft Dynamics 365 AI for Customer Service Insights
Microsoft Dynamics 365 AI for Market Insights
Microsoft Dynamics 365 AI for Sales
Microsoft Dynamics 365 for Finance and Operations - Please note that while this is not available in GCC, it is
available to purchase and associate to a customer’s tenant running GCC services. This option is not available for
GCC High customers.
Microsoft Dynamics 365 for Retail - Please note that while this is not available in GCC, it is available to purchase
and associate to a customer’s tenant running GCC services. This option is not available for GCC High customers.

Network ports for Dynamics 365 Government


The following ports are open for outbound connections between Dynamics 365 Government and internet services.
80 HTTP
443 HTTPS
465 Secure SMTP
587 Secure SMTP
995 Secure POP3
993 Secure IMAP
Customizations or email configurations in Dynamics 365 GCC and GCC High can only use these ports.
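The port restriction above can be checked before a configuration is deployed. The following is an added example, not part of the original documentation: it resolves the effective port of each configured endpoint, including the implicit default when only a scheme is given, and reports the ones that fall outside the listed ports. The endpoint names, the `contoso.example` hosts and the scheme-to-default-port table are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Outbound ports listed on this page for Dynamics 365 Government.
ALLOWED_OUTBOUND = {80: "HTTP", 443: "HTTPS", 465: "Secure SMTP",
                    587: "Secure SMTP", 995: "Secure POP3", 993: "Secure IMAP"}

# Well-known defaults, used when an endpoint names a scheme but no port
# (assumption: the configuration uses these conventional scheme names).
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443, "smtp": 25, "smtps": 465,
                       "imap": 143, "imaps": 993, "pop3": 110, "pop3s": 995}


def effective_port(endpoint):
    """Return (host, port) for 'scheme://host[:port]/...' or 'host[:port]'."""
    raw = endpoint.strip()
    # Prefix '//' so a bare 'host:port' is parsed as a network location
    # instead of being mistaken for 'scheme:path'.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return parts.hostname, None
    if port is None:
        port = SCHEME_DEFAULT_PORT.get(parts.scheme.lower())
    return parts.hostname, port


def audit_endpoints(endpoints):
    """Map each endpoint name to 'ok' or the reason it cannot be used."""
    report = {}
    for name, endpoint in endpoints.items():
        host, port = effective_port(endpoint)
        if host is None or port is None:
            report[name] = "cannot determine host/port"
        elif port in ALLOWED_OUTBOUND:
            report[name] = "ok"
        else:
            report[name] = f"port {port} is not open outbound"
    return report


# Constructed sample: endpoints as they might appear in email server
# profiles and customizations.
SAMPLE_ENDPOINTS = {
    "outgoing_submission": "smtp.contoso.example:587",
    "outgoing_legacy": "smtp://relay.contoso.example",       # implies 25
    "incoming_imap": "imap://mail.contoso.example",          # implies 143
    "incoming_imaps": "imaps://mail.contoso.example",        # implies 993
    "webhook": "https://hooks.contoso.example/notify",
    "webhook_alt": "https://hooks.contoso.example:8443/notify",
    "unknown": "mail.contoso.example",
}

if __name__ == "__main__":
    for name, verdict in audit_endpoints(SAMPLE_ENDPOINTS).items():
        print(f"{name:20} {verdict}")
```
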
See also
Microsoft Dynamics 365 US Government
Important changes coming
IP addresses and URLs
PowerBI for US Government Customers
Compliance Offerings
Geo to geo migrations
10/16/2020

We continue to open new datacenter regions for business services, and to add datacenters to existing regions.
The Geo Migration feature will allow customers to move their environments in a single tenant from one region to
another. There are no user-interface changes or version changes as part of this move. In the case of an environment
residing in a Microsoft 365 environment in a single tenant, moving the Common Data Service environment
doesn't move the Microsoft 365 environment; they are separate services. Your environment will still appear in your
tenant alongside the Microsoft 365 environment.

IMPORTANT
Support for geo migration is limited and generally not available.
To request a regional migration, please contact your account manager or see Technical Support.
Geo migrations are not supported into or out of US GCC, US GCC High, or China.
The Dynamics 365 Marketing app does not support geo migration, due to component dependencies. For more
information, see Manage your Dynamics 365 Marketing instances.
Geo migration is not supported for Project Oakdale environments.

Impact of migrating
Moving an environment to a different region changes your tenant to be multiregional - enabling regional features
in the Dynamics 365 admin center.
The other significant change is to your organization URL. Each of the regional datacenters has a unique identifier in
the URL. When your organization is moved from one regional datacenter to another this identifier will change. For
example:
South America (LATAM/SAM) = *.crm2.dynamics.com
Canada (CAN) = *.crm3.dynamics.com
Europe, Middle East, Africa (EMEA) = *.crm4.dynamics.com
Asia Pacific (APAC) = *.crm5.dynamics.com
Australia (OCE) = *.crm6.dynamics.com
Japan (JPN) = *.crm7.dynamics.com
India (IND) = *.crm8.dynamics.com
United Kingdom (UK) = *.crm11.dynamics.com
United Arab Emirates (UAE) = *.crm15.dynamics.com
More information: Direct sign in and Discover the URL for your organization using the Web API
For example, if your existing organization URL is https://myorg.crm5.dynamics.com and you request it to be moved
to Australia, the new organization URL will be https://myorg.crm6.dynamics.com.
You'll need to update any direct references to your organization URL.
NOTE
Organization URLs must be unique. If your organization name has already been reserved in the destination datacenter, it
won't be available. In the unlikely event this happens, we will work with you to decide how to proceed.
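The URL update described above, as an added example that is not part of the original documentation: it finds references to an organization host in configuration text and rewrites them from the source region identifier to the destination one, matching whole hostnames so that lookalike hosts are reported instead of rewritten. The function names, the sample settings, and the `.api.` host form for commercial regions (modeled on the Government Web API URLs listed on this page) are assumptions.

```python
import re

# Regional identifiers as listed on this page (region code -> URL identifier).
REGION_IDS = {"SAM": "crm2", "CAN": "crm3", "EMEA": "crm4", "APAC": "crm5",
              "OCE": "crm6", "JPN": "crm7", "IND": "crm8", "UK": "crm11",
              "UAE": "crm15"}
ID_TO_REGION = {rid: code for code, rid in REGION_IDS.items()}

# Suffixes from this page's US Government URL list. Geo migration is not
# supported into or out of these clouds, so such hosts are never rewritten.
NO_MIGRATION_SUFFIXES = {"GCC": "crm9.dynamics.com",
                         "GCC High": "crm.microsoftdynamics.us"}

# One whole hostname token; the lookarounds stop a match from starting or
# ending in the middle of a longer name.
HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?![A-Za-z0-9-])")


def parse_org_host(host):
    """Return (org, is_api, region) for <org>[.api].<crmN>.dynamics.com."""
    labels = host.lower().split(".")
    if len(labels) == 4:
        org, rid, is_api = labels[0], labels[1], False
    elif len(labels) == 5 and labels[1] == "api":  # assumed Web API form
        org, rid, is_api = labels[0], labels[2], True
    else:
        return None
    if labels[-2:] != ["dynamics", "com"] or rid not in ID_TO_REGION:
        return None
    return org, is_api, ID_TO_REGION[rid]


def plan_url_updates(text, org, src, dst):
    """Rewrite references to `org` from region `src` to region `dst`.

    Returns (new_text, findings); each finding is (line, host, action).
    """
    for region in (src, dst):
        if region not in REGION_IDS:
            raise ValueError(f"geo migration not supported for {region!r}")
    org = org.lower()
    old_host = f"{org}.{REGION_IDS[src]}.dynamics.com"
    findings = []

    def swap(match):
        host = match.group(0)
        low = host.lower()
        line = text.count("\n", 0, match.start()) + 1
        for cloud, suffix in NO_MIGRATION_SUFFIXES.items():
            if low.startswith(org + ".") and low.endswith("." + suffix):
                findings.append((line, host, f"left as is: {cloud} host"))
                return host
        parsed = parse_org_host(low)
        if parsed is None:
            if old_host in low:  # old host embedded in a longer name
                findings.append((line, host, "left as is: lookalike host"))
            return host
        host_org, is_api, region = parsed
        if host_org != org or region != src:
            return host  # another organization or region: not ours to change
        new = f"{org}{'.api' if is_api else ''}.{REGION_IDS[dst]}.dynamics.com"
        findings.append((line, host, f"rewrite to {new}"))
        return new

    return HOST_RE.sub(swap, text), findings


# Constructed sample settings file.
SAMPLE = """\
# constructed sample settings file
webapi = https://myorg.api.crm5.dynamics.com/api/data/v9.1/
return_url = https://MyOrg.crm5.dynamics.com/main.aspx
other_team = https://otherorg.crm5.dynamics.com
unverified = https://myorg.crm5.dynamics.com.example.net/login
gov = https://myorg.crm9.dynamics.com
"""

if __name__ == "__main__":
    updated, report = plan_url_updates(SAMPLE, "myorg", "APAC", "OCE")
    for line, host, action in report:
        print(f"line {line}: {host} -> {action}")
```

A plain string replace of `crm5` with `crm6` would also have rewritten the other organization's URL and the lookalike host; comparing parsed labels keeps the change scoped to the migrated organization.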

To see the datacenter regions, go to Where is my data? and then click Select Your Region.
The following topics have information that could be helpful to understand the move process:
New datacenter regions
About Microsoft Cloud Australia
About Microsoft Cloud Canada
About the Microsoft Cloud Germany datacenter
About Microsoft Cloud Japan
About Microsoft Cloud India

How the move works


You'll be provided with a list of prerequisites and post-requisites for your migration. The following table describes
what Microsoft does before, during, and after your move.

| | Before the move | During the move | After the move |
|---|---|---|---|
| What Microsoft does | Notification: Your support representative or Account Manager will work with you to request a move and scheduling. | Cut-over: Cut-over times for each service depend on the number of users and the amount of data. This step can take 1 to 6 hours for smaller organizations, but may take up to 48 hours for large organizations. The cut-over is done during the evening or over a weekend. There is a step that will require your involvement, which is to re-enter the encryption key. This can happen at a time that suits you but the migration process will be on hold until you complete this action. | Notification and support: You will be alerted by email or telephone when your environment is migrated to the new datacenter. After your geo has migrated you can perform the post requisite steps - primarily changing your new URLs with any associated plugins or services. |

We will adhere to the terms of the Microsoft Online Services Service Level Agreement for all moves.
See also
Add a Partner of Record (POR) to your subscription
10/16/2020 • 2 minutes to read

You can choose to work with a designated Microsoft partner who can provide the sales and technical expertise you
need to help set up, customize, deploy, and administer your Common Data Service environments. You can find a
designated Partner of Record (POR) on the Microsoft Partner Center site. Once you find a partner, request their
Microsoft Partner ID and designate them in the Microsoft 365 admin center.

Add a partner at time of purchase


NOTE
These steps assume you are using the new admin center user interface.

1. Browse to the Microsoft 365 admin center and sign in using Microsoft 365 Global administrator credentials.
2. Select Billing > Purchase services.
3. Scroll down and under Other categories that might interest you, select Dynamics 365.
4. Select a subscription.
5. Select Buy.
6. At the top of the page, select Find a solution provider.
7. Go through the steps to select a partner, and then return to the subscription purchase page to complete the
subscription purchase process.

Add a partner to an existing subscription


NOTE
These steps assume you are using the new admin center user interface.

1. Browse to the Microsoft 365 admin center and sign in using Microsoft 365 Global administrator credentials.
2. Go to Billing > Your products and select a subscription.
3. Under the subscription, select the Partner tab.
4. Enter the Partner Network ID, and then select Add.
See also
Add, change, or delete a subscription advisor partner
For partners: Get the credit when your customers
subscribe
10/16/2020 • 6 minutes to read

As a Dynamics 365 partner, you can help your customer sign up for a Microsoft Dynamics 365 subscription. You
can customize and set up their organization for them, and reduce their effort to get started. After signing up, you
can designate your company as the customer’s partner of record. As the partner of record, you can help to ensure
that your customer has a great trial experience and start them down the path toward success with Dynamics 365
apps.
This document describes in detail the tasks you must complete to sign up for Dynamics 365 apps on behalf of your
customer. It also describes the tasks a customer must do to remove your administrative privileges from the
customer's company to ensure that they won’t be charged for your access after the trial is complete.

Sign up for a free trial subscription


Using a Microsoft account, which can be your ID or your customer’s, sign up for a free trial of Dynamics 365 apps.
The free 30-day trial subscription includes 20 user licenses and 5 gigabytes (GB) of storage. You can activate your
customer’s trial subscription as a paying subscription at any time during the first 30 days. If you sign up for the trial
subscription using your customer's Microsoft account, you won't need to worry about transferring ownership of
the account later on.
For information on signing up for a trial, see Try Power Apps and Dynamics 365 apps.

IMPORTANT
When signing up for the free trial, note the following:
Make sure to select the correct country/region for your customer. The country/region is important for setting up your
customer's billing.
If the customer doesn’t have a billing address in the country/region you select, their account can’t be activated later.
When you accept the terms of service, you're accepting it on behalf of your customer and representing their
agreement to our terms.

Soon after you complete the sign up, you’ll be notified by email that the trial subscription is ready. You’ll also
receive email messages that provide help for new organizations during the first 30 days of their subscription.
Forward these email messages to your customer.

Designate yourself as the partner of record


After completing the trial sign up, designate your company as the partner of record who is responsible for the
customer. As the partner of record, you can help Microsoft provide our partners and customers with the best
service and support. After the trial subscription becomes a paid subscription, your partner company can also claim
the Software Advisor (CSA) fee for the subscription. For information about the CSA fee program, visit the Microsoft
Partner Network site.
If your customer has already signed up for a Microsoft Dynamics 365 subscription, or prefers to sign up for the trial
subscription themselves, they can still designate your company as the partner of record.
1. Go to the Partner of Record Designation page in CustomerSource.
2. Sign in with the same Microsoft account that you used to sign up for the trial subscription.
If this Microsoft account is associated with more than one Microsoft Dynamics 365 subscription, select your
customer’s organization.
3. Search for your partner company’s account, and then select Dynamics 365 as the product line from the
drop-down list.

TIP
You can search for your partner company by company name, phone number, or their 10-digit partner MBS
authorization number.

4. Select your company from the search results, and then click Associate.

Transfer ownership after completing the trial


After the trial period is complete and your customer is ready to start their subscription, there are a few steps you
need to complete in order to transfer ownership of the environment. If you signed up for the Microsoft Dynamics
365 subscription on behalf of the customer by using a Microsoft account other than your customer’s, call Customer
Service and support to request a transfer of ownership of the subscription to your customer and designate him or
her as the billing administrator of the customer’s organization. The billing administrator can take actions that have
financial implications to the Microsoft Dynamics 365 subscription, such as:
Upgrading to a different subscription
Upgrading to a different release
Purchasing additional licenses
Purchasing additional storage

TIP
If you used a Microsoft account that belongs to someone in your customer’s organization, or that can be transferred
to your customer, skip this task. Give the email address and its password to your customer.

To transfer the ownership of the trial subscription, you’ll need the following:
The email address of the person from your customer’s organization who will act as a system administrator
and the billing administrator for the subscription.

IMPORTANT
Each organization must have a billing administrator.

The Microsoft account that was used to sign up for the subscription.
The name of the company used to create the trial subscription.
You’ll need this name to identify your customer's company if there is more than one account registered at
the Microsoft Billing and Account Management site.
If the free trial subscription has already been activated to a paying subscription, you’ll also need the credit
card number used to pay for the subscription.
Add a system administrator
1. Sign in using the Microsoft account that you used to sign up for the trial.
2. Follow the steps in Create users and assign security roles to create a user and assign the system
administrator security role. This user will also function as the billing administrator.
3. Make sure the new billing administrator has successfully signed in to your organization before transferring
ownership.
Add an account delegate
1. Go to the Microsoft Billing and Account Management site.
2. Sign in with the same Microsoft account that you used to sign up your customer for the trial subscription.
3. Under Billing account overview, select the company account where you want to add a delegate.
4. Click View or add account delegates.
5. On the Manage account delegates page:
a. Click Add an account delegate.
b. Enter the Microsoft account of the new billing administrator.
c. Click Add delegate.
Request an ownership transfer
1. Contact Support.
2. Give the customer service representative the Microsoft account that was used to sign up for the subscription
and the account ID number.
3. Give the customer service representative the Microsoft account of the new billing administrator.
4. Ask the customer service representative to promote the new billing administrator to initial user, and primary
administrator.

IMPORTANT
Make sure that the new billing administrator has accepted the invitation to become a system administrator. The
Microsoft account that was used to sign up for the trial subscription will be demoted to an account delegate.

Remove the partner's administrative privileges


These tasks are optional. After you sign up your customer and register yourself as the partner of record, you will
have access to your customer's subscription and billing account for the subscription. The following tasks are
performed by the customer.

IMPORTANT
If you or your customer do not remove your privileges, the customer will be charged the standard monthly user fee for your
access.

If your customer wants to remove your access to the billing account for the subscription, they must complete the
following steps:
Remove partner access to the billing account
1. Go to the Microsoft Billing and Account Management site.
2. Sign in with the Microsoft account you use for the billing administrator at your company.
3. If the service name displayed under Billing account overview is not correct, select the account from the
menu that corresponds to the Microsoft Dynamics 365 subscription.
4. Click View or add account delegates.
5. Next to the names of account delegates you want to remove, click Remove.
6. In the next window, click Yes to confirm the removal.

IMPORTANT
We strongly recommend that at least two people in the organization have access to the Billing and Account
Management site. To add someone, click Add an account delegate, and then follow the online instructions.

TIP
To verify that the information on the personal information page is correct, click Go to Account Information.

If your customer wants to disable your access to the subscription, they must complete the following steps:
Disable partner access to the Microsoft Dynamics 365 subscription
1. Sign in to the Microsoft Dynamics 365 subscription with the Microsoft account you use for the billing
administrator at your company.
2. Follow the steps in Create users and assign security roles to disable the user from the partner company.
For partners: the Delegated Administrator
10/16/2020 • 2 minutes to read

Admins can use their Microsoft 365 global administrator role to create and edit users, reset user passwords,
manage user licenses, manage domains, and assign admin permissions to other users in their organization, among
other things. However, if admins want someone else to do these administrative tasks, they can delegate this role to
an authorized partner. When admins authorize a partner to take on this role, the partner is referred to as a
delegated admin. A delegated admin can perform routine tasks such as adding users and resetting passwords, or
more complex tasks such as adding a domain. A delegated admin can have access to multiple tenants, which can
simplify and consolidate tenant management.

NOTE
The Delegated Administrator role does not allow access to make.powerapps.com.

The Delegated Admin user won't appear in standard provided views. You must create a custom view to see it.
To create a simple custom view to see the delegated admin user:
1. In the web app, go to Settings > Security > Users.
2. Choose Select a view and then choose Create Personal View.
3. Verify Users is selected in Look for.
4. Choose User > Contains Data, and then choose Results.

Delegated Admin will appear in the list of users.


How to get authorized as a delegated admin
Partners can be authorized to be delegated admins for a company in several ways:
1. A partner can offer to become a delegated admin for the customer's account by sending the customer a link to
the delegated admin offer. The customer will need to accept and sign in with their Microsoft 365/customer
engagement apps (such as Dynamics 365 Sales and Customer Service) credentials.
2. A partner can send the customer a purchase offer link with delegated admin selected as part of the offer. The
customer will need to sign up for the offer and accept the delegated admin offer.
3. A partner can create a trial invitation link and invite the customer to the trial via a link in email or a link on
the partner's website. The trial invitation can include delegated admin if the prospect chooses to accept.
See also
Partners: Offer delegated administration
Partners: Add or delete a delegated admin
Administer Power Apps
10/16/2020 • 2 minutes to read

Features from the Power Apps Admin center have moved to the Power Platform admin center. Power Apps
administrators can use the Power Platform admin center to manage environments and settings for Power Apps.
See also
Working with the admin portals
Reference: Videos and PowerPoint presentations
What's the role of a Power Apps administrator?
Edit properties of an environment
10/16/2020 • 2 minutes to read

Administrators can edit properties of an environment, such as the friendly name, URL, and the purpose. However,
environments that are being provisioned cannot be edited, and disabled environments must be enabled before
they can be edited.

Edit an environment
1. Go to the Power Platform admin center and sign in using administrator credentials.
2. From the left-side menu, select Environments, and then select an environment.
3. Select Edit.

4. Select any of the following field values that you want to change.
Name. This is typically the name of your organization and is displayed in the customer engagement
apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation). After you save the change, it may
take up to 5 minutes for the friendly name to appear in the application.
URL. The URL is used to construct the URL for users to sign in to customer engagement apps. We
recommend that you limit the length of the URL name to reduce the overall length of the URL.

WARNING
There are important tasks that you must communicate to your users immediately following a URL name
change.
For users of the web application, send information that includes the new URL with instructions about
how to bookmark it.
For users of Dynamics 365 for Outlook, the following two tasks must be completed in the order
specified here:
a. Synchronize offline data. Dynamics 365 for Outlook users connected to this environment who
work offline must synchronize by using the previous URL. If you run the Configuration Wizard and
change the URL before completing this step, offline data may be lost.
b. Run the Configuration Wizard. After a URL name change is saved and any offline data is
synchronized, users of Dynamics 365 for Outlook must run the Configuration Wizard to update the
URL.
After a URL name change is saved, all users who access that environment must be notified of the
change. Users will be able to access the environment for up to 24 hours by using the previous URL.
After the 24-hour period has passed, the previous URL will not work.
Notice that interim URL names are discarded when there are multiple changes within 24 hours. For
example, consider the following situation:
The original URL of your environment is fourthcoffeesales.crm.dynamics.com.
Using the environment picker, you change the URL name from
fourthcoffeesales.crm.dynamics.com to fourthcoffeemktg.crm.dynamics.com.
Within 24 hours of the URL name change, you change the URL name again, this time from
fourthcoffeemktg.crm.dynamics.com to fourthcoffeesalesandmktg.crm.dynamics.com.
In this situation, the first URL name change to fourthcoffeemktg.crm.dynamics.com will be
immediately removed from the system. The new URL,
fourthcoffeesalesandmktg.crm.dynamics.com, will become active. Additionally, the original
URL, fourthcoffeesales.crm.dynamics.com, will be active for up to 24 hours.
Type. Change the environment type from production to sandbox or sandbox to production.
Purpose. Specify the purpose of the environment.
Edit Security group. This value is used to determine the security group that includes the users who
will have access to this environment. See Control user access to environments: security groups and
licenses.

IMPORTANT
If you do not specify a security group, all users who have a license will be added to this environment.

5. Select Save.
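The URL name-change rules from the warning above, modelled as an added example that is not part of the original documentation. It replays a constructed timeline built from the page's host names and reports which requests would still reach the environment. The class and function names are hypothetical, and the model assumes the original URL's 24-hour window is counted from the first change and is not extended by later ones, which the page does not specify.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)  # the page's "up to 24 hours"


class EnvironmentUrl:
    """Tracks which URL names reach one environment over time."""

    def __init__(self, name):
        self.current = name
        self.previous = None          # the one older name still honoured
        self.previous_expiry = None

    def rename(self, new_name, when):
        in_window = self.previous is not None and when < self.previous_expiry
        if not in_window:
            # First change (or first change after the window closed): the
            # name being replaced stays reachable for the grace period.
            self.previous, self.previous_expiry = self.current, when + GRACE
        # Otherwise this is a further change inside the window: the interim
        # name (self.current) is dropped at once and the original keeps its
        # slot. ASSUMPTION: the original's expiry is not extended.
        if new_name == self.previous:
            # Renamed back to the retained name: nothing older to honour.
            self.previous = self.previous_expiry = None
        self.current = new_name

    def active(self, when):
        """Set of host names that work at the given time."""
        names = {self.current}
        if self.previous is not None and when < self.previous_expiry:
            names.add(self.previous)
        return names


def replay(initial, events):
    """events: chronological ('rename', time, name) or ('request', time, host).

    Returns [(time, host, 'ok' or 'dead')] for every request event.
    """
    env, results = EnvironmentUrl(initial), []
    for kind, when, value in events:
        if kind == "rename":
            env.rename(value, when)
        else:
            status = "ok" if value in env.active(when) else "dead"
            results.append((when, value, status))
    return results


# Constructed timeline using the host names from the page's example.
T0 = datetime(2020, 10, 16, 9, 0)
SALES = "fourthcoffeesales.crm.dynamics.com"
MKTG = "fourthcoffeemktg.crm.dynamics.com"
BOTH = "fourthcoffeesalesandmktg.crm.dynamics.com"
SAMPLE_EVENTS = [
    ("rename", T0, MKTG),
    ("request", T0 + timedelta(hours=1), SALES),
    ("rename", T0 + timedelta(hours=2), BOTH),
    ("request", T0 + timedelta(hours=3), MKTG),
    ("request", T0 + timedelta(hours=3), SALES),
    ("request", T0 + timedelta(hours=3), BOTH),
    ("request", T0 + timedelta(hours=25), SALES),
    ("request", T0 + timedelta(hours=25), BOTH),
]

if __name__ == "__main__":
    for when, host, status in replay(SALES, SAMPLE_EVENTS):
        print(when.isoformat(), host, status)
```

Any bookmark or integration that picked up the interim name stops working as soon as the second change is saved, so only the final URL should be communicated to users.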
See also
Control user access to environments: security groups and licenses
Create and manage environments in the Power Apps
Admin center
10/16/2020 • 2 minutes to read

Creating and managing environments is now done in the Power Platform admin center.
Working with environments and Microsoft Power
Apps
10/16/2020 • 2 minutes to read

With Power Apps, you can work in different environments and easily switch among them. For an overview of
environments, see Environments overview, which explains in detail why you use environments and how you can
create and manage them. This article covers the following topics on environments:
How to switch the environment on powerapps.com
How to create an app in the right environment
How to view an app in the right environment

Switch the environment


When you sign up and first sign in to Power Apps, it opens in a default environment, which you can identify in the
upper-right corner of the page.

Everyone in your organization can access the default environment. You can create apps in this environment and
share your apps with other users. You may also have access to other environments, whether you create them or
others do. You can switch environments by opening the environment list in the upper-right corner and then
selecting a different environment. This example shows switching from Microsoft to MyOwnEnv.

After you switch environments, the new environment shows all the apps to which you have access in that
environment.

Create apps in the right environment


You can create apps in an environment that you create or for which you've been given access. Creating your own
environment, however, requires a specific plan. Before you create an app, always make sure you select the
environment you want the app to be in. Otherwise, you will have to deal with moving apps between
environments.
To create an app in the right environment:
1. Sign in to Power Apps.
2. As the previous section describes, select the environment in which you would like to create your app.
3. Select Apps near the left edge, and then select Create an app.

View apps in the right environment


Whether you are working in powerapps.com or Power Apps Studio, the list of apps, connections, etc. that you see is
always filtered based on the environment that's selected in the dropdown. If you don't see the apps you're looking
for, always confirm whether the right environment is selected.
For more information about environments, see this overview.
Manage environments in the Power Apps Admin
center
10/16/2020 • 2 minutes to read

Environment management is now done in the Power Platform admin center.


Troubleshooting: Unblock required URLs
10/16/2020 • 2 minutes to read

The model-driven apps and customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service,
Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) use several
Microsoft URLs to help provide security, services, and features. However, your computer or your organization's
computer network may block access to some of these URLs. Blocking any of the required URLs will cause model-
driven apps and customer engagement apps to operate incorrectly or not at all.
You may see a network or server error message if your computer or your organization's network blocks the URLs
you need. The error message might look like one of these:
"The specified Dynamics 365 Server address (URL) is not responding. Ask your administrator to verify that
the server is turned on, and then try again."
"There is a problem communicating with the Dynamics 365 Server. The server might be unavailable."
You can unblock these URLs on your computer by adding them to a list of approved sites in your browser.

IMPORTANT
If the following procedure doesn't unblock the URLs required for model-driven apps and customer engagement apps, ask
your system administrator to unblock the URLs on the organization's network.

Unblock apps URLs in Internet Explorer


1. On the Explorer bar, click or tap the Tools icon (the white gear shape), and then click or tap Internet
options.
2. Click or tap the Security tab > Trusted sites > Sites.
3. In Add this website to the zone, type the URL for your organization. For example,
https://contoso.crm.dynamics.com
4. Click or tap Add > Close > OK.
For a list of other URLs you may need to add to unblock, see Internet accessible URLs required for Microsoft
Dynamics CRM Online
Power Apps Preview Program
10/16/2020 • 4 minutes to read

Power Apps updates the platform and its capabilities every few days or weeks. The Power Apps Preview program is
a way to get early access to those upcoming functionalities and updates prior to availability in other regions (where
customer production apps are deployed).
With the Power Apps Preview program, you can:
Try out, learn, and dogfood upcoming functionalities: Many functionalities will be rolled out first in the
preview for a few days to get feedback. By participating in the Preview program, you can learn about new
functionalities sooner and provide feedback. Also, you will be ready to quickly take advantage of new
functionalities as soon as they reach regions where your production apps are created.
Enable business continuity by ensuring current apps will continue to work with the upcoming
updates (vNext) of Power Apps.

What in Power Apps is available for preview?


To access the preview functionalities across Power Apps, you need to be in a preview environment. More details on
the preview environment are given in the next section. Currently we will be rolling out preview for the following
scenarios across Power Apps:
1. Creating apps: You can create canvas-based apps using the next version of Power Apps. This can be done by
creating apps in a preview environment. Current limitations: model-driven apps can't be built in the
preview program. We're working on it.
2. Managing apps: You can manage and share apps using the Power Apps web portal. To access the preview
functionalities, all you need to do is to be in a preview environment; it will take you to the preview version of
the Power Apps web portal.
3. Playing apps: You need to play the apps in a preview environment using the web player. When you do that,
you will be automatically taken to the preview version of the web player. Apps will play with the vNext version of
the Power Apps web player. Current limitations: Power Apps Mobile for iOS, Android, and Windows are
currently not available for preview. Playing the apps created in the First Release environment might not work.
We're working on it.

How to get early access to the upcoming updates?


For Power Apps, all the apps and related resources are stored in an environment. Early access to all preview
functionalities is also available with an environment created in a region where the vNext (preview) is deployed.
For now, there is only one region, Preview (United States), as shown in the image below:
Select the region for the environment as Preview (United States) and accept the consent for joining the Preview
Program to create the environment to get access to the next version (vNext) of Power Apps. All the apps and other
resources created in this environment are on the vNext version of the platform (SAAS).

How to learn about the latest updates?


You can learn about the new functionalities that are available for preview at What’s new in Power Apps. The
functionalities that are available only in the preview have a ‘Preview’ tag.

Key scenarios to test with the preview program


1. Validate your production apps with the upcoming Power Apps updates (vNext)
You might want to verify that your production apps work correctly with the upcoming Power Apps
updates. You can copy the apps from a production environment to an environment in First Release and play the
apps to test out the scenarios. Note that all the other necessary resources, such as CustomAPI and Power
Automate, will also need to be moved along with them. This should just create another copy of these apps
and required resources. You can start testing out the newer updates not just for playing an app, but also
while editing and managing the apps.
2. Trying out the new functionalities available in preview
We will be launching many new functionalities initially in the Preview (United States) region. You can try
out the new functionalities before they become available in the rest of the regions (which might impact your
production environment).

How to provide feedback to the product team?


You can provide feedback on the Power Apps forum and/or contact support.

What are the known issues and limitations?


1. Power Apps portals and clients which are not available in preview
There are certain functionalities, services and portals which are available in preview:

2. Using apps created in preview environments in production environments


Power Apps does not support opening apps saved in preview-only versions of Power Apps in production
environments. Most versions of Power Apps will eventually move from preview into production, but how
and when this happens is influenced by many factors so it should not be relied on. We recommend you use
production environments to create or edit any app intended for use in a production environment.
3. Database cannot be created in Preview region
Currently, you cannot create a database with Common Data Service in an environment in the Preview (United
States) region - we're working on it.
Administer Microsoft Power Automate
10/16/2020 • 2 minutes to read

Microsoft Power Automate administrators can use the Power Platform admin center
(admin.powerplatform.microsoft.com) to manage an organization’s data policies and environments. Power
Automate admin content is available at Microsoft Power Automate documentation.
See also
Working with the admin portals
Administer Power BI
10/16/2020 • 2 minutes to read

Power BI administrators use the Power BI admin portal to manage a Power BI tenant, including the configuration of
governance policies, usage monitoring, and provisioning of licenses, capacities, and organizational resources.
Power BI admin content is available at What is Power BI administration?
See also
Working with the admin portals
Administer customer engagement apps in Dynamics
365
10/16/2020 • 2 minutes to read

Administrators can use the Power Platform admin center (https://admin.powerplatform.microsoft.com) to manage
certain settings for their environments (earlier called instances) that also have customer engagement apps installed
(Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and
Dynamics 365 Project Service Automation).
The content from the old admin guide is transitioning to the Power Platform admin guide as settings and features
migrate to the Power Platform admin center. Until the move to the Power Platform admin center is complete, you’ll
still be able to manage settings through your apps as usual.
For example, many of these admin settings in the legacy web client...

...are moving here.

Use links on this page to manage organization-wide settings. App-specific settings will remain in the respective
apps, and will be accessed through the respective app settings. More information about managing environment
settings in the Power Platform admin center: Manage environment settings
See also
Working with the admin portals
Set up sales territories to organize business markets
by geographical area
10/16/2020 • 3 minutes to read

Improve sales potential and revenues by creating territories for customer and market segments in customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics
365 Marketing, and Dynamics 365 Project Service Automation). Then assign appropriate sales people to handle
the sales and revenue opportunities for those territories.
Sales territories improve the sales potential because the members of a territory are focused on the services or
sales within that territory. You can associate the financials directly with a territory and its members, which simplifies
business analysis. Also, based on the sales territory type and size, you can define sales methodologies and the
training required for those locations.
Organizations can create a model and visualize their sales territories in a hierarchical format using the out-of-the-box
territory hierarchical relationship.

IMPORTANT
For a new organization that provisions Dynamics 365 Sales, the territory hierarchical relationship will be available and
enabled by default.
For existing customers upgrading to the latest release, if the organization doesn't already have a hierarchical relationship
created for the Territory entity, the hierarchical relationship will be available and enabled. If the organization has a
hierarchical relationship created for territory, the new out-of-the-box territory hierarchical relationship will be available but
not enabled.

Create a sales territory (Sales Hub app)


1. Make sure that you have the Manager, Vice President, CEO-Business Manager, System Administrator, or
System Customizer security role or equivalent permissions.
2. In the web app, select the Site map icon, then select the ellipsis, and
then select Sales Territories.
3. To create a new sales territory, on the command bar, select New.
4. In the sales territory form, fill in your information.
a. Name. Enter the geographical name for the territory such as the name of a city, country/region, or a state.
b. Manager. Enter the name of the user who is the manager for this territory. This person would typically
assign leads to salespeople.

IMPORTANT
You can't allocate the same user to multiple territories. If you need to assign a user to a larger area (more than one
existing territory), create a new territory that includes the existing territories, and then assign the user to that new
territory.

c. Parent. Select the Lookup icon to select a parent territory. The current territory will be added as a child
territory to the selected territory. For example, if you are creating the sales territories California and
Washington, you can add United States of America as a parent so that a parent-child relationship is
created between the sales territories and the parent territory.
d. Description. Enter any details that you'd like to include for this territory, for example, "Sales territory
created for education and training."
5. When you're done, on the command bar, select Save.
6. Select the Related tab, and then select Members.
7. On the Members tab, select Add members.
8. In the Lookup Records pane, select the search icon, select a user record, and then select Add.
9. To add sub territories to this territory, select the Sub-territories tab, and select Add New Territory.
Enter the necessary information and select Save. This territory will be added as a sub territory in the
Sub-territories grid.
10. Select Save.

Create a sales territory (Sales app)


1. Make sure you have the System Administrator security role or equivalent permissions in Microsoft
Dynamics 365.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
2. In the web app, go to Settings > Business Management.
3. Choose Sales Territories.
4. On the command bar, choose New.
5. Fill in your information.
Name. Enter the geographical name for the territory, such as the name of a city, country/region, or
state.
Manager. Enter the name of the user who is the manager for this territory. This person would
typically assign leads to salespeople.
IMPORTANT
You can't allocate the same user to multiple territories. If you need to assign a user to a larger area (more
than one existing territory), create a new territory that includes the existing territories, and then assign the
user to that new territory.

Description. Enter any details that you'd like to include for this territory, for example, "Sales territory
created for education and training."
6. When you're done, on the command bar, choose Save or Save and Close.
7. To assign members to a sales territory, open the territory, and then in the left pane, under Common, choose
Members.
8. On the Users tab, in the Records group, choose Add Members.
9. In the Look Up Records dialog box, select a user, and then choose Add.

TIP
To make your salesperson's job easier, you can also set a default price list for a territory. More information: Define product
pricing with price lists and price list items

See also
Administrator and sales manager guide
Nurture sales from lead to order (Sales)
Define subjects to categorize cases, products, and articles
10/16/2020 • 2 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) include a subject organizational
structure that lets you mark and categorize service cases, knowledge base articles, products, and sales literature. By
using the subject hierarchy, you can classify service cases to quickly provide service to your customer. You can also
provide the appropriate sales literature. You'll also be able to better understand gaps in your sales literature,
evaluate service quality by subject area, and improve reporting on the performance of your products.

NOTE
With the version 9.1 release, subjects in service management are available in the Customer Service Hub based on the Unified
Interface experience. We recommend that you manage subjects using the new experience.

Create or edit a subject (Customer Service Hub)


1. In the Customer Service Hub app, go to Service Management and select Case Settings > Subjects in
the sitemap to access subjects.
2. In the command bar:
Select Add subject to add a subject. A quick create dialog box is displayed. Enter Name and
Description for the subject.
You can choose the default subject as parent in the Parent Subject drop-down. If you don't choose a
parent subject, then your subject begins from the same node as the default subject.
Select a subject from the tree and select Edit subject to edit a subject.
Select a subject from the tree and select Remove subject to delete a subject.

Create or edit a subject (Customer Service app)


1. In the web app, go to Settings > Business Management. Select Subjects. You can also get there by going
to Settings > Service Management > Subjects.
2. To add a subject, under Common Tasks, select Add a Subject.
-OR-
To edit a subject, in the Subject Tree, select a subject, and then under Common Tasks select Edit Selected
Subject.
3. In the Subject dialog box, enter the required information:
Title: Type a name for the subject. This is a required field.
Parent Subject: To search for and select a parent subject for the new subject, select the Lookup
button.
-OR-
To make the new subject a parent subject, leave the Parent Subject box empty.
Description: Type a descriptive statement about the subject.
4. Select OK.
See also
Enhanced service level agreements
10/16/2020 • 2 minutes to read

Service level agreements (SLAs) are a formalized method to help organizations meet service levels when they
provide customer service and support. For example, an organization can have an SLA to complete the first
customer response within 48 business hours after a case is created. Another example is to escalate an unresolved
case after a specified duration, such as five business days. SLAs are used to define these different aspects of service.
The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) include two kinds of SLAs,
standard and enhanced. Enhanced SLAs include the following features not available in standard SLAs:
Case-on-hold support
Auto-pause and resume of time calculation
Support for success actions
Creation of dashboards or reports based on the SLA KPI environment entity

Case-on-hold support
One feature of SLA tracking is the ability to control the case-on-hold status. For example, this functionality lets you
pause a case for a time when the case is on hold waiting for a response from the customer. Once the response is
received, the case is resumed.
System administrators turn on SLAs and select case hold functionality in the web app using Settings > Service
Management > Service Configuration Settings. Afterwards, CSR Managers can create SLAs using the
enhanced SLA type that allows pause and resume functionality. SLAs are created in Settings > Service
Management.
More information: Define service level agreements (SLAs)

Considerations when you choose an SLA type


Because there are two types of SLAs that have different functionality, consider the following features before you
choose an SLA type. We recommend that you use only one type of SLA for an organization.
After you select an SLA type, either standard or enhanced, you cannot change the SLA type for any record
associated with the SLA.
Because standard and enhanced SLAs exist as separate entities with separate forms, views, and fields, the
following behaviors exist.
Case views cannot be sorted by enhanced SLA fields. To display enhanced SLA fields in Case views,
you can modify any of the Case views to display the fields from the enhanced SLA (which has the
entity name SLA KPI environment). Although you can sort on the fields that are part of the Case
entity, because the enhanced SLA fields are on a related entity, you cannot sort on columns that are
associated with the enhanced SLA fields.
Queue Item views do not display enhanced SLA fields. Although Queue Item views display the
standard SLA fields (First Response By and Resolve By), the enhanced SLA (SLA KPI
environment entity) is not directly related to the Queue Item entity, so the columns associated with
enhanced SLAs cannot be displayed.
TIP
To monitor enhanced SLA details, consider creating custom dashboards based on the SLA KPI environment entity or custom
views using the Regarding (Case) relationship.

See also
Video: SLA Enhancements in Microsoft Dynamics CRM 2015
Enable languages
Manage product catalog configuration
10/16/2020 • 5 minutes to read

The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field
Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) offer a rich, easy-to-configure
product catalog that will help your company sell products and services with greater efficiency. A sales operations
manager will be able to create the product catalog with fewer SKUs, bundle products and services as an attractive
and cost-effective offering, and define up-sell and cross-sell of products. In addition, the product catalog
configuration data can be migrated across systems. For example, after the product catalog configuration is fully
tested on the test server, you can move the configuration data to the production environment, without having to
recreate it. To migrate, you'll be using the Configuration Migration Tool: Manage configuration data. As an
administrator, you will be responsible for configuring and migrating the product catalog configuration data.

Configure product catalog


To configure the product catalog:
1. In the web app, go to Settings > Administration.
2. Choose System Settings, then choose the Sales tab.
In the Sales tab, set the appropriate values for the following settings and save the changes:

SETTING: Create products in active state
DESCRIPTION: Select whether product records without a parent product family record are created in an active or
draft state.
In the current release, by default, all the product records (product family, product, and bundle) are created in the
draft state. This setting ensures compatibility for your applications working with the previous version where the
product records were created in an active state.
By default, it's set to No in the new installations, and set to Yes for the upgrading systems.

SETTING: Allow selection of default price list for opportunity via inbuilt rule
DESCRIPTION: Select whether the default price list for an opportunity is automatically selected based on the
territory relationship for the price list and the current user who is creating the opportunity.
By default, it's set to Yes.

SETTING: Maximum number of products in a bundle
DESCRIPTION: Specify the maximum number of products that can be added in a bundle.

SETTING: Use system pricing calculation
DESCRIPTION: Select whether to use the system pricing engine to calculate prices in opportunities, quotes, orders,
and invoices or to use custom pricing.
You can choose to use custom pricing logic instead of the system pricing to calculate prices when you add products
in opportunities, quotes, orders, and invoices. To use custom pricing, select No for this option. Additionally, you
must register a plug-in on the CalculatePrice message, provided in the Web services, that contains your custom
pricing code. Every time you create or change the product information in an opportunity, quote, order, or invoice,
the custom code is invoked instead of the system pricing engine to calculate the prices. For more information, see
Use custom pricing for products.

SETTING: Discount calculation method
DESCRIPTION: Select whether you want to calculate discounts at the line-item level or at the per-unit level in each
line item in an opportunity, quote, order, or invoice.
By default, it's set to Line item.

SETTING: Maximum number of properties that are allowed for a product or bundle
DESCRIPTION: Specify the maximum number of properties that can be associated with a product or bundle.
Product properties are added to a product family record, and all the child products and bundles under the product
family inherit the properties added to the parent product family. The number specified in this setting comes into
effect only when you publish a product or a bundle with the associated properties, and not at the time when you add
the properties to a draft product family record.

Migrate product catalog configuration data


To migrate the product catalog configuration data, use the Configuration Migration Tool. For more information on
how to use the tool, see: Manage configuration data.
You must select the following entities for migrating the product catalog configuration data:
Product
Product Relationship (not a mandatory entity, needed only for relationships)
Property
Property Association
Property Option Set Item
Notes (needed, if there are any notes for the product)
Currency
Price List
Price List Item
Unit
Unit Group
Territory (needed if there is a default price list configuration)
Connection (needed, if there is a default price list configuration)
Competitor (needed, if there are any competitors for product)
Sales Literature and Sales Literature Item (needed, if there is any sales literature for product)
Discount (not a mandatory entity, needed only for discounts when added to price lists)
Discount List (not a mandatory entity, needed only for discounts)

NOTE
During product catalog configuration data transfer, you may see a schema validation warning, saying that the data transfer
may be inconsistent. This is because you didn't include the Entitlement entity and the Entitlement Template entity in the
transfer. However, these entities are not required and you can disregard the warning. The product catalog configuration data
will be migrated correctly.

Certain conditions and restrictions apply during migration:


Only active and retired products can be exported or imported.

NOTE
Transferring bundle products isn't currently supported.

If importing of a product record fails because of a missing dependency, the related property records are not
imported. When importing the product hierarchy, if creation of a record fails because of a missing
dependency, the record's child hierarchy will not be imported.
If, for exporting, you select the product entity without selecting the other entities required for export, the
product records are exported without the associated properties.
If, for exporting, you select only the property entities (Property, Property Associations and Property Option
Sets) without selecting the product entity, no data is exported.
For a product record, any new property created in the source system will also be created in the target
system after the import.
For a product record, the source data will override any changes in a property that also exists in the target
data after the import.
For a product record, if a property exists in both the source and target systems and the property is removed
from the source system, it is not removed from the target system after the import.
See also
Manage configuration data
Product catalog entities
Rich text experience for appointment activities
10/16/2020 • 2 minutes to read

When you enable the rich text experience, server-side synchronization and appointment activities support rich text.
With the rich text editor, appointment descriptions can contain rich text.

With rich text enabled you get the following benefits:


Create and synchronize appointments with rich text content in the description for an improved experience in
both web and the Unified Interface.
Include content from an HTML web page right into the description field or create your own custom markup
using the appointment editor. Appointments tracked from Outlook will also render rich text content in customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service,
Dynamics 365 Marketing, and Dynamics 365 Project Service Automation).
Server-side synchronization synchronizes the rich-text HTML content of appointment descriptions into customer
engagement apps.

IMPORTANT
To enable rich text, your version must be version 9.0, or a later version.
After enabling, if you choose to disable the setting, the appointment editor description field will reset to the plain-text field.
Previously synchronized appointments’ description will still contain rich-text HTML markup.
Although the rich text editor can be used with appointment activities, it can’t be used with recurring appointments. When an
appointment that contains rich text is converted to a recurring appointment, the description field for the activity is converted
to a plain-text field containing rich text content.

Enable the rich text editor for appointments


To enable the rich text editor on appointments, you need to configure the AppointmentRichEditorExperience
organization setting for your environment by running the PowerShell sample below.
The PowerShell cmdlets require the Microsoft.Xrm.Data.PowerShell module. The sample below includes the cmdlet
to install the module.

# Install the module
Install-Module Microsoft.Xrm.Data.PowerShell -Scope CurrentUser

# Connect to the organization
Connect-CrmOnPremDiscovery -InteractiveMode #(or Connect-CrmOnlineDiscovery -InteractiveMode)

# Retrieve the organization entity
$entities = $organizationEntity = Get-CrmRecords -conn $conn -EntityLogicalName organization -Fields appointmentricheditorexperience -TopCount 1
$organizationEntity = $entities.CrmRecords[0]

Write-Host "Appointment RTE existing value: " $organizationEntity.appointmentricheditorexperience

# Set the appointmentricheditorexperience field
$organizationEntity.appointmentricheditorexperience = $true #(or $false)

# Update the record
Set-CrmRecord -conn $conn -CrmRecord $organizationEntity

# Retrieve the organization entity again to confirm the change
$entities = $organizationEntity = Get-CrmRecords -conn $conn -EntityLogicalName organization -Fields appointmentricheditorexperience -TopCount 1
$organizationEntity = $entities.CrmRecords[0]

Write-Host "Appointment RTE updated value: " $organizationEntity.appointmentricheditorexperience

See also
Create or edit an appointment
Videos and PowerPoint presentations
10/16/2020 • 2 minutes to read

TOPIC    VIDEO    POWERPOINT

Top 10 tips to securely roll out Microsoft Power Apps and Microsoft Power Automate    Video    Deck
What's new for Power Apps and Microsoft Dynamics 365 admins    Video    Deck
Best practices for managing and automating (ALM)    Video    Deck
Modernizing the way we update Dynamics 365, Power Apps, and Common Data Service    Video    Deck
Monitoring and supporting Power Apps at scale    Video    Deck
How to get the best support for Power Apps, Power Automate, and Dynamics 365    Video    Deck
Planning your enterprise deployment - Capacity Management    Video    Deck
Best practices for setting up security and environments in the Power Platform admin center    Video    Deck
Important changes (deprecations) coming in Power Apps, Power Automate, and customer engagement apps
10/16/2020 • 20 minutes to read

The announcements and deprecations described in this topic apply to Power Apps, Power Automate, and customer
engagement apps (Dynamics 365 Sales, Dynamics 365 Marketing, Dynamics 365 Field Service, and Dynamics 365
Project Service Automation).
Administrators and IT professionals should use this information to prepare for future releases. This article was first
published on June 27, 2017.

IMPORTANT
"Deprecated" means we intend to remove the feature or capability from a future major release. The feature or capability will
continue to work and is fully supported until it is officially removed. This deprecation notification can span a few years. After
removal, the feature or capability will no longer work. We are notifying you now so you have sufficient time to plan and
update your code before the feature or capability is removed.

Automatic record creation rules and SLA items in web client are deprecated
Effective from October 01, 2020, the automatic record creation and update rules and service-level agreements
(SLAs) have been deprecated in the web client. For more information, see Deprecations in Customer Service.

TimeZoneRule entity and some attributes of TimeZoneDefinition entity are deprecated
Effective September 24, 2020, the TimeZoneRule entity and the Bias and RetiredOrder attributes of the
TimeZoneDefinition entity are deprecated and will be removed in a future release. For all client-side time zone
calculations, use the LocalTimeFromUtcTime and UtcTimeFromLocalTime functions in Web API or the TimeZoneInfo
class in the .NET framework. More information: Blog: Deprecation of time zone entities in Common Data Service

Online management API PowerShell module is deprecated


Effective August 26, 2020, the online management API PowerShell module is deprecated. The online management
API PowerShell module will be updated in October, 2020 to point to newer underlying APIs and won’t receive
further updates. We recommend that you use the Power Apps administration module. More information: Get
started using the Power Apps admin module

Company News Timeline solution is deprecated


Effective July 10, 2020, the Company News Timeline solution, which delivers relevant news from Bing News about
customers and categorizes it inline when you're looking at customer accounts, will be deprecated. Until
September 10, 2020, Microsoft will continue to provide support for the feature, but won't release any additional
functionality beyond what is already present. Starting September 10, 2020, you will need to uninstall the solution,
which will remove the news widget from the Account record pages.
1. To remove the solution, go to Advanced settings and select Solutions.
2. Select CompanyNewsTimeline and then select Delete.
As an alternative, you can install the news Power Apps component framework control. For more information, see Set up
and use the news control.

Dynamics 365 Sales bot is deprecated


Effective June 2, 2020, the Dynamics 365 Sales bot, a feature that enables users to retrieve sales information
through a bot within Dynamics 365 Sales app for Teams will be deprecated. Until July 31, 2020, Microsoft will
continue to provide support for the feature, but won't release any additional functionality beyond what is already
present. After July 31, 2020, you will no longer be able to receive responses to conversations. The bot won’t be
available for new customers; existing customers may still be able to access the bot from the Chat, however the bot
will not respond to questions.
It is our goal to deliver a powerful bot experience that allows users to retrieve and manage information. Based on
usage data and feedback from our customers, we will be working on a powerful, extensible set of capabilities and
features that will allow you to intuitively access and interact with sales information—among other entities—
through a bot interface. We will keep you updated on timing for when this will be available.

Dynamics 365 Connector is deprecated


Effective May 5, 2020 the Dynamics 365 connector used for Flows, Logic Apps and Canvas Apps is officially
deprecated. We recommend that you do not create new connections using this connector.
Rather than use the Dynamics 365 connector, the Common Data Service (Current Environment) connector should
be your first choice if you can use it. You may not be able to use the Common Data Service (Current Environment)
connector in every situation today because of the following limitations:
It is not available in Logic Apps.
It does not enable cross-tenant or cross environment connections.
It cannot be used for canvas apps that use the Power Apps for Windows client.
If you cannot use the Common Data Service (Current Environment) connector, you should use the Common Data
Service connector. This connector has all the capabilities of the Dynamics 365 connector, and includes several
improvements that increase reliability.
The Common Data Service (Current Environment) connector represents the future for connections using Common
Data Service. This includes Dynamics 365 apps using Common Data Service. Work is underway to make this
connector the only connector you will need. But at the current time, the previously mentioned limitations mean that
you can't use it in all places where the Dynamics 365 connector or Common Data Service Connector can be used
today.
At this time, there is no requirement to convert canvas apps, flows, or logic apps to stop using the Dynamics 365
connector because of the known blocking limitations. But you should stop creating new connections with the
Dynamics 365 connector and convert them if you can.

TYPE: Flows
GUIDANCE: If you can convert existing Flows to use the Common Data Service (Current Environment) connector, we
recommend you do so.

TYPE: Logic Apps
GUIDANCE: We recommend you stop creating new connections using the Dynamics 365 connector and use the Common
Data Service Connector instead.

TYPE: Canvas Apps
GUIDANCE: Canvas apps created after November 2019 should not have used the connector infrastructure by default.
These apps should automatically connect to the Common Data Service instance within the same environment.
If you have a canvas app that used the Dynamics 365 connector, find information about how to convert it here:
Converting canvas apps with the Dynamics 365 connector.

Forward looking guidance


When the Common Data Service (Current Environment) connector represents a viable replacement for all
situations where the Dynamics 365 and Common Data Service connectors are used today, we intend to remove
both the current Dynamics 365 and Common Data Service connectors so that a single connector based on the
Common Data Service (Current Environment) connector will remain. At that time it will be required to convert any
Flows, Logic Apps and Canvas Apps still using the Dynamics 365 and Common Data Service connectors.
We will announce timelines as they are determined.

AI Builder text classification models are deprecated


Effective April 24, 2020, any text classification models created using AI Builder before this date will be deprecated.
Until May 15, 2020, these models will continue to function, and Microsoft will continue to provide support,
however some functionality may be disabled. After May 15, 2020, these models will no longer work.
Beginning April 24, 2020, customers will need to recreate their existing text classification models with the new
model versions. Any models created after this date will automatically use the new model versions and require no
further action.
After April 24, 2020, customers are encouraged to transition to the new model versions as soon as possible.

Dynamics 365 for Outlook is deprecated


Effective March 2020, the legacy Dynamics 365 for Outlook (also referred to as Outlook COM add-in) is
deprecated. Customers must transition to the modern Dynamics 365 App for Outlook before October 1, 2020.
Microsoft will continue to provide support, security and other critical updates to the Outlook COM Add-in until
October 1, 2020.
For further information and steps to make a smooth transition, download Dynamics 365 for Outlook (COM add-in)
Playbook

Dynamics 365 Home is deprecated


Effective March 2020, the home page for Dynamics 365 applications (https://home.dynamics.com) is deprecated
and won't be available after October 31, 2020. The Microsoft 365 apps page (https://www.office.com/apps) will
replace it and provide users with a single page for productivity and business applications.
Dynamics 365 Home users will see notification about the new location and recommendation to change browser
bookmarks starting October 1, 2020. After October 31, 2020, users navigating to https://home.dynamics.com will
automatically be redirected to https://www.office.com/apps with a business application filter applied.
More information: https://aka.ms/business-apps-discovery-docs

Form processing and object detection preview models in AI Builder are deprecated
Effective March 5, 2020, any form processing and object detection models created using AI Builder before this date
will be deprecated. Until June 8, 2020, these models will continue to function, and Microsoft will continue to
provide support, however some functionality may be disabled. After June 8, 2020, these models will no longer
work.
Beginning March 5, 2020, customers will need to recreate their existing form processing and object detection
models with the new model versions. Any models created after this date will automatically use the new model
versions and require no further action.
After March 5, 2020, customers are encouraged to transition to the new model versions as soon as possible.
More information:
Transition to use a new form processing model version
Transition to use a new object detection model version

Old Common Data Service environment URL redirector service is deprecated
When you access your Common Data Service environment for the first time or every time after you have signed
out from a prior session, you are directed to Azure AD for signing in. The sign-in page URL contains a set of
internal values/codes that include a link to the URL redirector service. Upon successful login, the URL redirector
service directs you to your Common Data Service environment.
The old URL redirector service, cloudredirector.crm.dynamics.com, was replaced in September 2019 with the new
one, bn1--namcrlivesg614.crm.dynamics.com (just an example; the URL will differ based on your environment
region). The old URL redirector service is deprecated, and will be removed on March 31, 2020.
This change will impact you if you created a bookmark of the sign-in page before September 2019 that
contained the link to the old URL redirector service. The users impacted by this change will see a notification
starting February 17, 2020 with instructions to resolve the issue. For detailed information about this issue and how
to resolve it, see https://support.microsoft.com/help/4541747.

Deprecation of Office365 authentication type and OrganizationServiceProxy class for connecting to Common Data Service
Effective Feb 4, 2020, the WS-Trust authentication type that is used by custom clients to connect to Common Data
Service is deprecated. This change affects applications that utilize
Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy and Microsoft.Xrm.Tooling.Connector.CrmServiceClient classes
for the authentication type of "Office365".
We are making this change to remove a security protocol (WS-Trust) that is inherently insecure by current
encryption standards. While Microsoft has worked extremely hard to protect users who choose to use this
authentication type for the convenience of login process, it has become an increasing source of concern for
Microsoft security and identity protection systems. The WS-Trust security protocol, when used in conjunction with a
user account and password, implements an authentication flow that presents both the user Id and password to the
authenticating resource in 'clear text' form, relying solely on the transport encryption to provide security for the
initial leg of the authentication, until such point as the token service returns an authentication token to use.
Additionally, the WS-Trust protocol does not support modern forms of Multi-Factor Authentication and conditional
access controls to customer data.
With this change, the intent is to guide developers away from this authentication flow and help application
developers to utilize the capabilities of Azure Active Directory to secure and protect access to their applications and
customers in Common Data Service.
To allow for transition of customers and partner applications:
Effective October 2020, the authentication protocol will be retired for all new tenants.
Effective October 2020, the authentication protocol will not be available in all new regions.
Effective April 2021, the authentication protocol will be retired for all new environments within a tenant.
Effective April 2022, the authentication protocol will be retired for all new and existing environments within a
tenant.
More information: Use of Office365 authentication with the WS-Trust security protocol
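To find the custom clients this retirement affects, you can inventory source and configuration files for the identifiers named above. The following is an added example, not code from Microsoft's documentation; the function names Find-WsTrustUsage and Hide-Secret, the file globs, and the constructed sample files are assumptions made for illustration.

```powershell
# Added example: inventory WS-Trust ("Office365") authentication usage.
# The patterns come from the identifiers named in the deprecation notice.
$WsTrustPatterns = [ordered]@{
    'Connection string AuthType=Office365' = '\bAuthType\s*=\s*Office365\b'
    'AuthenticationType.Office365 enum'    = '\bAuthenticationType\.Office365\b'
    'OrganizationServiceProxy usage'       = '\bOrganizationServiceProxy\b'
}

function Hide-Secret {
    # Hypothetical helper: mask Password=<value> so the report never
    # carries the credentials it finds.
    param([string]$Text)
    return ($Text -replace '(Password\s*=\s*)[^;"'']*', '${1}***')
}

function Find-WsTrustUsage {
    # Hypothetical helper: returns one object per matching line.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.config', '*.json', '*.xml', '*.cs', '*.ps1')
    )
    $files = Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        foreach ($name in $WsTrustPatterns.Keys) {
            # Select-String matches case-insensitively by default.
            $hits = Select-String -LiteralPath $file.FullName -Pattern $WsTrustPatterns[$name]
            foreach ($hit in $hits) {
                [pscustomobject]@{
                    File    = $file.Name
                    Line    = $hit.LineNumber
                    Finding = $name
                    Text    = Hide-Secret $hit.Line.Trim()
                }
            }
        }
    }
}

# Constructed sample files (not taken from any real project).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("wstrust-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

Set-Content -Path (Join-Path $demo 'app.config') -Value @'
<connectionStrings>
  <add name="Legacy" connectionString="AuthType=Office365;Username=svc@contoso.example;Password=NotARealPassword;Url=https://contoso.example" />
  <add name="Modern" connectionString="AuthType=OAuth;Url=https://contoso.example" />
</connectionStrings>
'@

Set-Content -Path (Join-Path $demo 'Program.cs') -Value @'
// Constructed sample: legacy client class named in the notice.
var proxy = new OrganizationServiceProxy(serviceUri, null, credentials, null);
'@

# Expect one finding in app.config (the Legacy entry, password masked)
# and one in Program.cs; the OAuth entry is not reported.
Find-WsTrustUsage -Path $demo | Format-Table -AutoSize -Wrap

Remove-Item -LiteralPath $demo -Recurse -Force
```

Point -Path at a source tree or deployment folder to build the list of applications to migrate; an OrganizationServiceProxy hit marks a class named in the notice and still needs review to confirm which authentication type that client uses.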

Regional Discovery Service is deprecated


Effective March 2, 2020, the regional Discovery Service will be deprecated. Until March 1, 2021, Microsoft will
continue to provide support, security, and other critical updates for the regional Discovery Service, but won't
release any additional functionality beyond what has already been announced. After March 1, 2021, the regional
Discovery Service won't be available.
Customers must transition to using the global OData V4 Discovery Service before March 1, 2021. More
information: Modify your code to use global Discovery Service.

Rules feature in canvas apps is deprecated


Effective October 14, 2019, the rules feature in canvas apps in Power Apps is deprecated. Few people have made
use of rules in their canvas apps. From feedback collected through research and discussions with makers of Power
Apps, the rules feature was confusing, and expressions were easier to learn, use, and debug. For more information
about the rules feature deprecation, see Blog: Canvas Rules feature deprecation.

Legacy web client is deprecated


As of September 2019, the legacy web client is deprecated. Customers must transition to Unified Interface before
December 1, 2020. Microsoft will continue to provide support, security and other critical updates to the legacy web
client until December 1, 2020 but won't release any additional functionality beyond what has already been
announced.
On December 1, 2020, the legacy web client will no longer be available. Organizations should make the transition
to the Unified Interface as soon as possible to take advantage of Microsoft’s ongoing investments in reliability,
performance, and functionality.
In the coming months, for those that have not already made the transition, we will be sending reminders and
scheduling updates to transition customers to Unified Interface prior to December 1, 2020. For further information
and steps to make a smooth transition, view our helpful resources and community site:
Unified Interface Community Group including a Blog and Forum
Getting Started Unified Interface Playbook
User Experience and Unified Interface transition whitepaper
Quick Start Guide – add Unified Interface App to existing environment
Quick Start Guide – set an environment to Unified Interface as default

Task flows are deprecated

Task flows are used to create a step-by-step data entry form for common tasks, such as after-meeting follow-ups.
Task flows are deprecated and will be removed by October 1, 2020. They will be replaced by the immersive
experience for business process flows that is planned for release. More information: Business process flow
immersive experiences

Process Dialogs are deprecated


You can use a process dialog to create an interactive step-by-step data entry form that requires user input to start
and run to completion. When you start the dialog process, a wizard-like interface is presented; users make
selections or enter data as they progress through each page of the wizard.
Process dialogs are deprecated and will be removed by December 1, 2020. Suggested replacement options include
Business Process Flows or Canvas Apps. More information: Replace dialogs with business process flows or canvas
apps

Legacy process-related attributes in entities are deprecated


The legacy process-related attributes (such as StageId and TraversedPath) on entities enabled for business
process flows are now deprecated. The SetProcess action for business process flows is also deprecated.
Manipulating these legacy process-related attributes for target entity records does not guarantee consistency of
the business process flow state, and is not a supported scenario. The recommended way is to use the attributes of
the business process flow entity. More information: Create, retrieve, update, and delete business process flow entity
records

Some client APIs are deprecated


The following client APIs are deprecated to reorganize the Xrm client API object model to better align with the need
of using the same client scripts without having to change them based on the context or the client (web client or the
new Unified Interface) where they run. You should plan to use the new client APIs mentioned in the Replacement
Client API column instead of the deprecated ones. The deprecated client APIs will continue to be available and
supported until they are officially removed from a future major release. A public announcement here in the
documentation, on the Dynamics 365 blog, and in many other places will be made at least six months before
removal.

| Deprecated client API | Replacement client API | Comments |
| --- | --- | --- |
| Xrm.Page | Forms: ExecutionContext.getFormContext. Commands: Send it as the PrimaryControl parameter. | Use of the Xrm.Page object as a static access to the primary form context is still supported to maintain backward compatibility with the existing scripts. Based on the feedback, we understand that the usage of Xrm.Page is high, and it won't be removed as soon as some other client API methods listed in this section. We encourage you to use the new way of getting form content where possible. More information: Client API form context. Although Xrm.Page is deprecated, parent.Xrm.Page will continue to work in case of HTML web resources embedded in forms as this is the only way to access the form context from the HTML web resource. |
| Xrm.Page.context | Xrm.Utility.getGlobalContext | Allows access to the global context without going through the form context. |
| Xrm.Page.context.getQueryStringParameters | formContext.data.attributes | The formContext.data.attributes API will make retrieval of non-entity bound data consistent across entity forms, metadata-driven dialogs, and task-based flows. The data will be a combination of custom values sent using the query string and what was specified in the parameters in the openForm method. |
| Xrm.Page.context.getTimeZoneOffsetMinutes | globalContext.userSettings.getTimeZoneOffsetMinutes | Moved to globalContext.userSettings |
| Xrm.Page.context.getUserId | globalContext.userSettings.userId | Moved to globalContext.userSettings |
| Xrm.Page.context.getUserLcid | globalContext.userSettings.languageId | Moved to globalContext.userSettings |
| Xrm.Page.context.getUserName | globalContext.userSettings.userName | Moved to globalContext.userSettings |
| Xrm.Page.context.getUserRoles | globalContext.userSettings.securityRoles | Moved to globalContext.userSettings |
| Xrm.Page.context.getIsAutoSaveEnabled | globalContext.organizationSettings.isAutoSaveEnabled | Moved to globalContext.organizationSettings |
| Xrm.Page.context.getOrgLcid | globalContext.organizationSettings.languageId | Moved to globalContext.organizationSettings |
| Xrm.Page.context.getOrgUniqueName | globalContext.organizationSettings.uniqueName | Moved to globalContext.organizationSettings |
| Xrm.Page.data.entity.getDataXml | | No change in the method, but use "typename" instead of type for lookup attributes. |
| GridRow.getData | GridRow.data | GridRow is essentially a form context. This change unifies the interface of GridRow with formContext. |
| GridRowData.getEntity | GridRowData.entity | GridRowData is form data. This change unifies the interface of GridRowData with formContextData. |
| Xrm.Mobile.offline | Xrm.WebApi.offline | Moved the offline-related methods under Xrm.WebApi.offline |
| parent.Xrm | Use one of the following: a) Use a custom control created using Power Apps component framework instead of HTML web resources. b) On forms, use the getContentWindow method of the web resource control. c) If the getContentWindow method doesn't work, you can use parent.Xrm to get to the Xrm object inside an HTML web resource. If the HTML web resource is opened in a new window then you should use opener.Xrm instead. | Earlier: An HTML web resource may interact with the Xrm.Page or Xrm.Utility objects within the form by using parent.Xrm.Page or parent.Xrm.Utility. Now: parent.Xrm.* will work if the HTML web resource is loaded in a form container. It won't work for HTML web resources that are stand alone, or referenced from the site map or any other places. NOTE: parent.Xrm will be removed after the removal of the ClientGlobalContext.js.aspx page; dates yet to be announced. |
| addOnKeyPress | Use a custom control created using Power Apps component framework | |
| fireOnKeyPress | Use a custom control created using Power Apps component framework | |
| removeOnKeyPress | Use a custom control created using Power Apps component framework | |
| showAutoComplete | Use a custom control created using Power Apps component framework | |
| hideAutoComplete | Use a custom control created using Power Apps component framework | |
| Xrm.Utility.alertDialog | Xrm.Navigation.openAlertDialog | The new signature is consistent with other APIs (openForm) and takes a new set of parameters for flexibility. |
| Xrm.Utility.confirmDialog | Xrm.Navigation.openConfirmDialog | The new signature is consistent with other APIs (openForm) and takes a new set of parameters for flexibility. |
| Xrm.Utility.getBarcodeValue | Xrm.Device.getBarcodeValue | Moving device-related actions to Xrm.Device |
| Xrm.Utility.getCurrentPosition | Xrm.Device.getCurrentPosition | Moving device-related actions to Xrm.Device |
| Xrm.Utility.isActivityType | Xrm.Utility.getEntityMetadata | The isActivityType method is synchronous so it was suitable for ribbon rules. However, the replacement method, getEntityMetadata, is asynchronous, and is not suitable for ribbon rules. |
| Xrm.Utility.openEntityForm | Xrm.Navigation.openForm | Moving navigation actions to Xrm.Navigation |
| Xrm.Utility.openQuickCreate | Xrm.Navigation.openForm | Moving navigation actions to Xrm.Navigation |
| Xrm.Utility.openWebResource | Xrm.Navigation.openWebResource | Moving navigation actions to Xrm.Navigation. Note: This API returns VOID in Unified Interface. |
| globalContext.organizationSettings.baseCurrencyId | globalContext.organizationSettings.baseCurrency | The replacement method lets you access the display name along with the ID of transaction currency. |
| globalContext.userSettings.securityRoles | globalContext.userSettings.Roles | The replacement method lets you access the display name along with the ID of the security roles. |
| globalContext.userSettings.transactionCurrencyId | globalContext.userSettings.transactionCurrency | The replacement method lets you access the display name along with the ID of transaction currency. |
| getData and setData for Silverlight web resources | None | Silverlight is no longer supported. These methods won't be available after October, 2020. |
| formContext.data.entity.save | formContext.data.save | |
| ClientGlobalContext.js.aspx | None | The ClientGlobalContext.js.aspx page is deprecated and scheduled to be unavailable after October 1, 2021. Alternative methods to access global context information will be available before April 1, 2021. |
| getObject | getContentWindow | |

For information about the new client APIs, see Apply business logic using client scripting in model-driven apps
using JavaScript
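
One way to audit existing web resources against the table above, as an added example that is not Microsoft's code: the scanner below reports each deprecated call with its line number and the replacement named in the table. The mapping is a subset of the table; the function name findDeprecatedApis, the viaParent flag and the sample script are assumptions made for illustration.

```javascript
// Deprecated client API -> replacement, copied from the table above (subset).
const DEPRECATED = new Map([
  ["Xrm.Page.context.getUserId", "globalContext.userSettings.userId"],
  ["Xrm.Page.context.getUserRoles", "globalContext.userSettings.securityRoles"],
  ["Xrm.Page.context.getOrgUniqueName", "globalContext.organizationSettings.uniqueName"],
  ["Xrm.Page.context", "Xrm.Utility.getGlobalContext"],
  ["Xrm.Page", "ExecutionContext.getFormContext (forms) or PrimaryControl parameter (commands)"],
  ["Xrm.Utility.alertDialog", "Xrm.Navigation.openAlertDialog"],
  ["Xrm.Utility.confirmDialog", "Xrm.Navigation.openConfirmDialog"],
  ["Xrm.Utility.openEntityForm", "Xrm.Navigation.openForm"],
  ["Xrm.Utility.openWebResource", "Xrm.Navigation.openWebResource"],
  ["Xrm.Mobile.offline", "Xrm.WebApi.offline"],
  ["formContext.data.entity.save", "formContext.data.save"],
]);

// Constructed sample web resource source (not from the original page).
const SAMPLE = [
  "function onLoad() {",
  "  // Xrm.Page.getAttribute is used below",
  "  var id = Xrm.Page.context.getUserId();",
  "  Xrm.Utility.alertDialog('hi');",
  "  var ctx = parent.Xrm.Page;",
  "  var url = 'https://example.invalid/Xrm.PageHelper';",
  "}",
].join("\n");

// Matches string literals (group 1) or comments. Only comments are blanked, so a
// "//" inside a URL string is not mistaken for a comment. Heuristic, not a parser.
const COMMENT_OR_STRING =
  /("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`)|\/\/[^\n]*|\/\*[\s\S]*?\*\//g;

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
// Longest names first so Xrm.Page.context.getUserId is not reported as Xrm.Page.
const names = [...DEPRECATED.keys()].sort((a, b) => b.length - a.length);
// Group 1 captures any object prefix (parent., window.parent., this.); the
// lookahead rejects longer identifiers such as Xrm.PageHelper.
const PATTERN = new RegExp(
  `(?<![\\w$.])((?:[\\w$]+\\.)*?)(${names.map(escapeRe).join("|")})(?![\\w$])`, "g");

function findDeprecatedApis(source) {
  // Blank out comments but keep newlines so reported line numbers stay correct.
  const code = source.replace(COMMENT_OR_STRING,
    (m, str) => (str !== undefined ? m : m.replace(/[^\n]/g, " ")));
  const findings = [];
  for (const m of code.matchAll(PATTERN)) {
    findings.push({
      line: code.slice(0, m.index).split("\n").length,
      api: m[2],
      replacement: DEPRECATED.get(m[2]),
      // parent.Xrm.* still works only for HTML web resources embedded in a form.
      viaParent: /(?:^|\.)parent\.$/.test(m[1]),
    });
  }
  return findings;
}
```

Calling findDeprecatedApis(SAMPLE) returns three findings; string literals are scanned on purpose, so API names held in strings are reported as well.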

EntityMetadata.IsInteractionCentricEnabled property is deprecated


All entities supported in the Unified Interface are now enabled for the interactive experience in the new Customer
Service Hub app. This implies that the EntityMetadata.IsInteractionCentricEnabled property, which indicates
whether an entity can be enabled for interactive experience, is no longer relevant. The corresponding setting for
this property in the Customization tool, Enable for interactive experience, is removed, and the
EntityMetadata.IsInteractionCentricEnabled property will be removed in a future version.

Voice of the Customer is deprecated


The Voice of the Customer solution is used to create and send surveys for collecting feedback.
As of July 1, 2019, the Voice of the Customer solution is deprecated. Users can create and distribute new surveys
and collect responses from live surveys till July 1, 2020.
A new solution, Dynamics 365 Customer Voice, is generally available to capture customer feedback using surveys.
Customers can learn more about Customer Voice here.

Dynamics 365 for Blackberry is deprecated

As of December 3, 2018, Microsoft Dynamics 365 for Blackberry App is deprecated and will be removed from the
iOS App Store on October 31, 2019. The mobile app is currently available on the iOS App Store and is designed for
Dynamics 365 customers that utilize Blackberry Mobile Application Management. See more details about the
Dynamics 365 for Blackberry app here: Secure your mobile data with Microsoft Dynamics 365 for Good. After
October 31, 2019, Microsoft Intune will be the only supported mobile application management solution for the
Dynamics 365 for phones application.
Microsoft will continue to provide security and other critical updates to the Dynamics 365 for Blackberry App until
October 31, 2019, but will not release any additional features or functionalities within the app. After October 31,
2019, the Dynamics 365 for Blackberry App will be removed from the App Store, and support will end.
What should you do?
If you are currently using the Dynamics 365 for Blackberry App together with Mobile Application Management for
Blackberry, plan to migrate to Dynamics 365 for phones by October 31, 2019. We encourage you to migrate as
soon as possible to take advantage of Microsoft's ongoing investments in the reliability, performance, and
functionality of the Dynamics 365 mobile app.

Usage of Parature knowledgebase as the knowledge management solution is deprecated

Usage of Parature knowledgebase as the knowledge management solution is deprecated. This feature is replaced
by Knowledge Management features in Dynamics 365 Customer Service.
The Knowledge Solution setting in the Knowledge Base Management Settings dialog box, which provides a
connection to Parature, will be removed in a future major release.

Project Service Finder app is deprecated


The Project Service Finder App, available for use with Dynamics 365 Project Service Automation, is deprecated. The
legacy application will be supported for associated legacy Project Service Automation releases in accordance with
Microsoft's Modern Lifecycle Policy. The functionality available through this app will be available in a future release
of Dynamics 365 Project Service Automation application.

Relationship Roles are deprecated


Relationship Roles (Settings > Business Management > Relationship Roles) are deprecated and will be
removed in a future major release. This feature is replaced by Connection Roles. More information: Create
connections to view relationships between records.

Mail Merge is deprecated


In Dynamics CRM 2016 (version 8.0), we introduced server-side document generation using Word and Excel
templates. You can use these templates to provide standardized documents or customized data analysis for your
organization.
Mail merge from previous versions is deprecated. This includes the mail-merge Word add-in as well as mail-merge
templates (Settings > Templates > Mail Merge Templates).
More information: Create Word and Excel templates

Announcements are deprecated


Announcements (Settings > Administration > Announcements) are deprecated and will be removed in a
future major release.

Ready-to-use business processes available through Add Ready to Use Business Processes setting are deprecated

Ready-to-use business processes available through the Add Ready-to-Use Business Processes setting (Settings >
Data Management > Add Ready-to-Use Business Processes) are deprecated and will be removed in a future
major release. You can find ready-to-use business processes on Microsoft AppSource.

Silverlight (XAP) web resource is deprecated


The Silverlight (XAP) web resource is deprecated on the web client, and is not supported on the Unified Interface.
Instead of Silverlight web resources, you must use custom controls created using the HTML web resources with
HTML5 to create UI components to visualize and interact with data.

Past deprecations

For information on past deprecations, see:
Important changes coming in future releases of Dynamics 365
Important changes coming in future releases of Dynamics 365 (Developers)

International availability of Power Platform
4/15/2020 • 2 minutes to read

We are very excited to share the downloadable Infrastructure and availability PDF with you.
The purpose of this document is to provide comprehensive information about product availability and customer
data locations for the Power Platform family of applications. This document has information about the following:
Product availability
Data location
Language
Localization
The information will be updated periodically. Microsoft provides no license, express or implied, in this document.
Please review and respect the full disclaimer included in all printed and electronically distributed versions of this
document.