Dynamics 365 is one of the few Microsoft products where the license follows the function a user performs, not the seat they hold. A base license plus attach licenses, full users versus Team Members, device versus named user, and the strict definition of what a Team Member is allowed to touch all combine into a model that is easy to deploy beyond entitlement and almost impossible to track by intuition. Microsoft reads the actual usage from the tenant, maps it to the role each license grants, and presents the difference as overuse. A Team Member who edits a record outside the permitted scenarios and a user assigned a base license they never needed both surface as findings. The buyer-side defense reconstructs real usage against the entitlement each license grants before the auditor frames the gap; across the practice, that work supports the 79% average audit exposure reduction.
Dynamics 365 licensing is built around use rights tied to what a user actually does inside the application. A full user license such as Sales Enterprise or Customer Service Enterprise grants broad create, read, update, and delete rights across that application. A Team Members license is a far cheaper light-use license restricted to a specific, defined set of read-mostly scenarios. Base and attach pricing lets a user hold one full application at base price and additional applications at a reduced attach price. Get any of these mappings wrong and the estate runs users at a license level below what their actual activity requires, which is precisely what overuse means here.
Dynamics exposure starts with understanding the license tiers, because each grants a different scope of use and the audit maps every user to the tier their activity demands.
The Team Members license is the single largest source of Dynamics overuse because its permitted scenarios are far narrower than most estates assume. It allows limited record reading, a defined set of self-service scenarios, and specific light tasks, but it does not allow operating the core sales, service, or finance processes. A Team Member who creates or edits records outside the permitted list is, in licensing terms, using a full user application on a light-use license. The tenant records the activity, and the audit maps it to the full license the function actually required.
Microsoft prices Team Members at a fraction of a full user license, which is exactly why estates over-assign and overuse it. The temptation to put occasional users on the cheap license is strong, the restrictions are documented in dense use-rights language few administrators read, and the platform does not block a Team Member from doing more than the license allows. Microsoft pushes here because the misuse is common, the value per reclassified user is high, and the activity is fully recorded in the application telemetry it can read.
Team Members are limited in how they interact with custom entities and custom applications built on the platform. Organizations that built custom Dynamics applications and licensed the users as Team Members frequently exceed the permitted custom entity scenarios. The audit examines custom application usage by Team Members and flags users whose activity in those custom builds requires a full user license rather than the light-use tier.
Base and attach pricing requires that a user holds a qualifying base license before any attach license applies. Estates that assigned attach-priced applications to users who never held the qualifying base, or that mismatched base and attach across applications, carry exposure on the misapplied discount. The audit reconstructs the base and attach assignment per user and recalculates any application licensed at attach price without the required base.
Dynamics non-production and sandbox environments are not automatically free of licensing. Users who access sandbox or test environments to perform real work, rather than pure development, can require the same licensing as production. Estates that treated all non-production access as unlicensed carry exposure where that access amounted to operational use, and the audit examines environment access patterns to find it.
Multiplexing is the largest hidden mechanic in Dynamics. When a custom portal, an integration, a middleware layer, or a pooled service account sits between human users and Dynamics, the licensing requirement still flows to the humans whose actions the intermediary carries out. A web form that writes leads into Dynamics through a single service account does not reduce the requirement to one license; every external or internal person whose data the intermediary processes may need coverage. Estates that built integrations assuming the service account was the licensed identity discover at audit that the human population behind it was the real count, which connects directly to the indirect access questions in the broader audit defense review.
Dynamics 365 runs on Dataverse, the same data layer that underpins Power Platform, so a Dynamics finding often arrives alongside a capacity finding. Database, file, and log storage in Dataverse draw on a tenant pool seeded by the license mix, and a mature Dynamics deployment with years of records can run well past the included capacity. The overlap with Power Platform overage means the same Dataverse capacity can appear in two places, and the reconstruction has to attribute it correctly so the customer is not counted twice for the same storage.
The defense posture is to reconstruct what each user actually does in Dynamics and map that activity to the lowest license tier that genuinely covers it. Team Members usage is tested against the permitted scenarios, base and attach assignments are reconciled, and multiplexed populations are quantified. Establishing the correct tier per user on the buyer's evidence is what prevents the auditor from reclassifying the whole Team Members population to full users by assertion.
The reconstruction pulls the Dynamics audit logs and usage telemetry and builds a per-user activity profile: which entities each user touched, whether they created or edited records, which applications and custom entities they used, and which environments they accessed. That profile is tested against the permitted scenarios for each license tier.
The output documents, for every user, the lowest license that genuinely covers their activity, so a Team Members assignment that holds is defended with evidence and one that does not is corrected before the auditor reclassifies it.
With usage mapped, the remediation moves genuine light users to Team Members and confirmed full users to the right application, fixes base and attach mismatches, and covers any multiplexed population explicitly. Sandbox access is classified as development or operational use.
The renewal is the moment to set the Dynamics license mix to the reconstructed reality and to negotiate the base and attach structure deliberately. The EA renewal framework structures the Dynamics position so the tier mapping holds through the term.
The practice runs a Dynamics 365 usage engagement that rebuilds per-user activity and maps it to the correct license tier, producing a defensible position across the estate.
The engagement produces a documented Dynamics position covering each user, their actual activity, the license tier that activity requires, the base and attach structure, and any multiplexed population. The position is the basis for any compliance review and the foundation for the Dynamics commercial structure at the next renewal.
Three questions that recur once the usage mapping begins.
Far less than most estates assume. Team Members permits reading most data, a defined set of self-service scenarios, and specific light tasks, but it does not permit operating the core sales, service, or finance processes or freely using custom applications. Any create or edit activity outside the permitted list requires a full user license. Because the platform does not block the activity, the only reliable test is to reconstruct what each Team Members user actually did and compare it to the permitted scenarios.
No. Under the multiplexing rules the license requirement flows to the humans whose actions an intermediary carries out, not to the service account itself. A portal, integration, or middleware layer that writes to Dynamics through a single account does not collapse the count to one. Every person whose data that intermediary processes may need coverage, and the audit reconstructs the human population behind the account rather than accepting the account as the licensed identity.
By assigning an attach-priced application to a user who never held the qualifying base license. Attach pricing is a discount that only applies on top of a base license for that user. Estates that mixed and matched applications, or that licensed someone at attach price with no base, lose the discount on audit and pay the difference. The reconstruction confirms a qualifying base exists for every attach license before the structure is accepted.
The worksheet the practice uses to map per-user Dynamics activity to the correct license tier, with the Team Members scenarios, base and attach rules, and multiplexing tests built in.
Two analyst calls. We rebuild per-user activity across the Dynamics estate, map every user to the right license tier, and close the gaps while they are still cheap. Full audit defense practice.