🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MB-800 Domain 1
Domain 1 — Module 4 of 8 50%
4 of 28 overall

MB-800 Study Guide

Domain 1: Set Up Business Central

  • Welcome to Business Central Free
  • Creating & Configuring Companies Free
  • Data Migration & Opening Balances Free
  • Users, Profiles & Security Free
  • Core Setup Essentials Free
  • Dimensions Deep Dive Free
  • Approval Workflows Free
  • M365 & Power Platform Integrations Free

Domain 2: Configure Financials

  • General Ledger Setup
  • Currencies, Deferrals & Exchange Rates
  • Chart of Accounts & Financial Reporting
  • Posting Groups Demystified
  • Journals & Bank Accounts
  • Accounts Payable
  • Accounts Receivable
  • Fixed Assets & Depreciation

Domain 3: Configure Sales and Purchasing

  • Inventory Foundations
  • Inventory Costing & Ledger Flow
  • Sales & Purchase Master Data
  • Pricing & Discounts

Domain 4: Perform Business Central Operations

  • Navigating & Customising Pages
  • Working with Data: Excel, OneDrive & Analysis
  • Purchase Processing
  • Sales Processing
  • Financial Documents
  • Payment Processing
  • Reconciliation, Allocations & FX Adjustments
  • Fixed Asset Transactions

MB-800 Study Guide

Domain 1: Set Up Business Central

  • Welcome to Business Central Free
  • Creating & Configuring Companies Free
  • Data Migration & Opening Balances Free
  • Users, Profiles & Security Free
  • Core Setup Essentials Free
  • Dimensions Deep Dive Free
  • Approval Workflows Free
  • M365 & Power Platform Integrations Free

Domain 2: Configure Financials

  • General Ledger Setup
  • Currencies, Deferrals & Exchange Rates
  • Chart of Accounts & Financial Reporting
  • Posting Groups Demystified
  • Journals & Bank Accounts
  • Accounts Payable
  • Accounts Receivable
  • Fixed Assets & Depreciation

Domain 3: Configure Sales and Purchasing

  • Inventory Foundations
  • Inventory Costing & Ledger Flow
  • Sales & Purchase Master Data
  • Pricing & Discounts

Domain 4: Perform Business Central Operations

  • Navigating & Customising Pages
  • Working with Data: Excel, OneDrive & Analysis
  • Purchase Processing
  • Sales Processing
  • Financial Documents
  • Payment Processing
  • Reconciliation, Allocations & FX Adjustments
  • Fixed Asset Transactions
Domain 1: Set Up Business Central Free ⏱ ~15 min read

Users, Profiles & Security

Business Central security is built on profiles, users, permission sets, and security groups. Learn how to control who sees what — from basic user setup to security filters and auditing.

How security works in Business Central

☕ Simple explanation

Security in Business Central works like a hotel.

Your profile is your room type (suite, standard, budget) — it determines what your room looks like when you walk in (your Role Centre). Your permissions are your key card — they control which doors you can open (which pages, tables, and actions you can access). A security group is like a VIP list — everyone on the list gets the same key card privileges.

Sam at Nordic Manufacturing doesn’t want the shop floor supervisors accessing financial journals. He gives them a profile with an operations Role Centre and permissions that only allow inventory and production pages.

Business Central security has four layers:

  1. Authentication — handled by Microsoft Entra ID (users must have an Entra account)
  2. Licensing — the licence type (Essentials, Premium, Team Member) sets the maximum access ceiling
  3. User profiles — determine the Role Centre (home page) and default experience
  4. Permissions — granular control over tables, pages, reports, and actions via permission sets

Additionally, security filters restrict access to specific records within a table (e.g., Olivia can see only her department’s journal entries), and security auditing logs who did what and when.

User profiles

A profile defines which Role Centre a user sees when they log in. It’s the “job template” that determines the default experience.

ProfileRole CentreTypical User
Business ManagerExecutive dashboard, KPIs, cash flowCEO, CFO, general manager
AccountantChart of accounts, journals, bank reconFinance team
Sales Order ProcessorSales orders, customers, shipmentsSales team
Purchasing AgentPurchase orders, vendors, receiptsProcurement team
Warehouse WorkerInventory picks, put-aways, movementsWarehouse staff

Creating and managing profiles

  1. Open Profiles (Roles) page (Tell Me > “Profiles”)
  2. Select New to create a custom profile
  3. Assign a Role Centre Page ID — this determines the home page
  4. Set as Default Profile if it should apply to all new users
  5. Enable/disable Show in Role Explorer to control visibility

Key concept: Profiles control the experience (what you see). Permission sets control the access (what you can do). A user can have the Accountant profile but limited permissions that prevent posting journals.

Setting up users

Users in Business Central are linked to Microsoft Entra ID accounts. You don’t create identities in BC — you assign BC access to existing Entra users.

Steps Sam follows to add a new user at Nordic Manufacturing:

  1. Open Users page (Tell Me > “Users”)
  2. Select Update Users from Microsoft 365 (syncs Entra accounts)
  3. Find the user and assign:
    • User Name — their Entra UPN (email address)
    • Licence Type — automatically detected from M365 licence assignment
    • Profile — which Role Centre they see
    • Permission Sets — what they’re allowed to do
  4. Optionally set Authentication Email and Contact Email
💡 Exam tip: User creation flow

The exam expects you to know:

  • Users are synced from Microsoft Entra ID — not created directly in BC
  • The licence must be assigned in the Microsoft 365 admin center FIRST
  • The user must sign in at least once for their BC user record to be fully initialised
  • You can also create users manually, but the recommended approach is the M365 sync

Permissions and permission sets

Permissions are the core of Business Central security. They control exactly what a user can read, insert, modify, or delete.

How permissions are structured

Permission Set (container)
├── Object Permission 1 (Table Data: Customer — Read, Insert)
├── Object Permission 2 (Table Data: Sales Header — Read, Insert, Modify)
├── Object Permission 3 (Page: Customer Card — Execute)
└── Object Permission 4 (Report: Customer List — Execute)

Each permission specifies:

  • Object Type — Table Data, Table, Page, Report, Codeunit, System, Query
  • Object ID — which specific object
  • Access — Read, Insert, Modify, Delete, Execute (RIMDE)

System vs user-created permission sets

System vs user permission sets
TypeWho CreatesCan Be EditedExamples
SystemMicrosoft (shipped with BC)No — but can be copiedD365 BUS FULL ACCESS, D365 READ, D365 TEAM MEMBER
User-createdYour admin (Sam)YesNORDIC-AP-CLERK, NORDIC-SALES-FULL
ExtensionApp/extension publisherNo — but can be copiedPermission sets from installed apps
ℹ️ Best practice: Copy, don't edit system permission sets

System permission sets get updated with every Business Central release. If you edit them directly, your changes may be overwritten.

Sam’s approach:

  1. Copy the system permission set that’s closest to what you need
  2. Rename with a company prefix (e.g., NORDIC-AP-CLERK)
  3. Adjust permissions as needed
  4. Assign the custom set instead of the system one

Security groups

Security groups simplify permission management by grouping users who need the same access. Instead of assigning 5 permission sets to each of 20 users individually, Sam creates a group.

Without Security GroupsWith Security Groups
Assign permissions to User ACreate “Finance Team” group
Assign same permissions to User BAdd permission sets to the group
Assign same permissions to User C…Add users A, B, C to the group
Change = update every userChange = update the group once

Security groups can be synced from Microsoft Entra ID security groups or created natively in Business Central.

💡 Exam tip: Security groups vs Entra groups

Business Central supports two types of security groups:

  • Entra ID security groups — managed in Entra, synced to BC. Changes in Entra propagate automatically.
  • BC-native security groups — created and managed entirely within Business Central.

The exam may ask which approach is better for organisations already using Entra for identity management. Answer: Entra ID security groups — single source of truth, automatic sync, consistent with M365 governance.

Security filters

Security filters restrict access to specific records within a table. While permissions control which tables you can access, security filters control which rows you can see.

Example: Olivia wants Marcus (her AP clerk) to see only vendors assigned to the “DOMESTIC” dimension value. She applies a security filter:

  • Permission set: Read access on Vendor table
  • Security filter on Vendor table: Department Code = DOMESTIC

Now Marcus can only see domestic vendors. International vendors are invisible to him.

When to use security filters

Use CaseFilter On
Department-specific accessDimension values
Location-based accessLocation code
Salesperson-specific customer listsSalesperson code
Company-branch restrictionsResponsibility centre
ℹ️ Security filter limitations

Security filters have important limitations:

  • They apply to direct table access only — some reports and pages may bypass them
  • They can impact performance if applied too broadly (filtering on large tables)
  • They work at the permission set level — so different permission sets can have different filters
  • They don’t replace row-level security in the database — they’re an application-level control

Security auditing

Business Central includes a Change Log that tracks modifications to data. Sam enables it to maintain an audit trail.

Setting up the Change Log

  1. Open Change Log Setup (Tell Me > “Change Log Setup”)
  2. Enable the change log
  3. Select which tables to track:
    • All Fields — track every change to every field (heavy, use sparingly)
    • Some Fields — track specific fields only (recommended)
  4. Choose what to log: Insertion, Modification, Deletion

What the Change Log captures

Logged InformationExample
Who made the changeUser ID
When the change was madeDate and time
What changedTable name, field name, old value, new value
What type of changeInsert, Modify, Delete

Sam enables auditing on sensitive tables: GL Entries, User Setup, Permission Sets, and Customer/Vendor master data. He doesn’t audit everything — that would fill the database and slow performance.

Question

What's the difference between a profile and a permission set?

Click or press Enter to reveal answer

Answer

A profile determines the Role Centre (what you see). A permission set determines the access (what you can do). A user can have an Accountant profile but restricted permissions that prevent posting.

Click to flip back

Question

What is a security filter in Business Central?

Click or press Enter to reveal answer

Answer

A filter on a permission set that restricts access to specific records within a table. For example, limiting a user to see only vendors with Department Code = DOMESTIC.

Click to flip back

Question

How are users created in Business Central?

Click or press Enter to reveal answer

Answer

Users are synced from Microsoft Entra ID — not created directly in BC. The licence must be assigned in the M365 admin center first. Use 'Update Users from Microsoft 365' to sync.

Click to flip back

Question

What does the Change Log track?

Click or press Enter to reveal answer

Answer

Who made a change, when, what table/field was changed, the old and new values, and the type of change (insert, modify, delete). Used for security auditing and compliance.

Click to flip back

Knowledge check

Knowledge Check

Sam needs to give 15 warehouse workers at Nordic Manufacturing the same set of permissions: read/write access to inventory, locations, and item journals, but no access to financial data. What's the most efficient approach?

Knowledge Check

The CFO at Coastal Traders wants to know who changed a vendor's bank account details last week. Where does Sam look?

🎬 Video coming soon


Next up: Users are set up and secured. Now let’s configure the essential settings every company needs — company information, number series, reports, email, and job queues.

← Previous

Data Migration & Opening Balances

Next →

Core Setup Essentials

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.