Adding a new user to Dynamics 365 CE is a ritual of looking up the user in the Office 365 admin center, adding the proper license, adding membership to the Azure AD security group(s) that gives access to the right instance(s). Then switching over to Dynamics 365 CE, opening the view ‘Users with no assigned security role’ via Settings > Security > Users. And then waiting and refreshing and repeating this until the new user pops up, which give me time to waste looking at the list of users.
But I’m surprised to see enabled users that are unknown to me as licensed for Dynamics 365. How can that be?
Looking up the unknown users showed me no license for Dynamics 365 CE but one for Microsoft Flow Free.
Whilst searching the internet for a clue I stumbled upon a blog post comment by Steve Platz who asked Microsoft about this issue. It seems that users are being synced into Dynamics 365 CE due to PowerApps / Flow / Common Data Services viral licenses in Office 365. OK, that figures.
This user was still member of the Azure AD security group that gives access to the instance of Dynamics 365 CE and was stripped of the license for Dynamics 365 CE some time ago. I removed the membership and the user got -finally- disabled in Dynamics 365 CE.
So how come these users show up? Well, I’ve noticed that some PowerApps Plan 2 Trials were activated in our tenant, so I guess that Microsoft has upgraded our environment to have the plumbing ready for the Common Data Service for Apps (CDS 2.0). Even when we are not yet upgraded to V9.0 of Dynamics 365 CE.
I believe I’ve read somewhere that the Office 365 users will be available in the User entity in the Common Data Service for Apps. At least at this moment when they have a relevant license like for Flow.
So to exclude these users from Dynamics 365 CE, you could/should use a Azure AD security group to secure the access to the instance and make sure those users are not a member of that group.
Learn more: Control user access to instances: security groups and licenses