Unexpected security roles

Have you noticed that some security roles have been assigned to your Dynamics 365 users unexpectedly? During the last year, we’ve had a couple of incidents because of this. Some of the predefined security roles were assigned by the system and this was breaking our initial design. Now there is a solution for this.

We noticed the issue because the CTI telephony plugin based on CIF (Channel Integration Framework) disappeared for our users. The security model implemented in this deployment is based on teams. Users are not assigned security roles directly but via teams, Azure AD group teams specifically. If a security role is assigned directly to the user, CIF seems to give it priority, ignoring the roles provided by the corresponding teams that the user is part of.

As part of the new licensing model, the system has been adding or removing roles from users based on their licenses or solutions installed. This can be convenient if you don’t have any requirement (as we did); however, it can also “open a gap” in your model.

The two roles that we noticed were the “Basic User” and the “Customer Service App” role. Based on the auditing, we could confirm they were assigned by the system user “CDSUserManagement” (CDSUserManagement@onmicrosoft.com).

https://docs.microsoft.com/en-us/power-platform/admin/database-security#predefined-security-roles
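One way to check a team-only model for roles assigned directly to users, as an added example that is not from the original post. It assumes input shaped like a Dataverse Web API query on `systemusers` expanding `systemuserroles_association`; the sample users and the `exempt_users` parameter are constructed for illustration.

```python
import json

# The two roles the post saw being assigned automatically.
AUTO_ASSIGNED_ROLES = {"Basic User", "Customer Service App"}

# Constructed sample shaped like a Dataverse Web API response to:
#   systemusers?$select=domainname
#     &$expand=systemuserroles_association($select=name)
# The expanded collection holds only roles assigned directly to the user.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"domainname": "alice@example.com", "systemuserroles_association": []},
  {"domainname": "bob@example.com",
   "systemuserroles_association": [{"name": "Basic User"}]},
  {"domainname": "carol@example.com",
   "systemuserroles_association": [{"name": "Customer Service App"},
                                   {"name": "Sales Manager"}]},
  {"domainname": "svc-integration@example.com",
   "systemuserroles_association": [{"name": "System Administrator"}]}
]}
""")


def find_direct_role_assignments(response, exempt_users=()):
    """Return users that hold roles directly, violating a team-only model."""
    exempt = {u.lower() for u in exempt_users}  # hypothetical allow-list
    findings = []
    for user in response.get("value", []):
        upn = user.get("domainname", "")
        roles = sorted(r["name"]
                       for r in user.get("systemuserroles_association") or [])
        if not roles or upn.lower() in exempt:
            continue
        findings.append({
            "user": upn,
            "direct_roles": roles,
            # Subset matching the roles named in the post.
            "auto_assigned": sorted(AUTO_ASSIGNED_ROLES.intersection(roles)),
        })
    return findings


if __name__ == "__main__":
    for f in find_direct_role_assignments(
            SAMPLE_RESPONSE, exempt_users=["svc-integration@example.com"]):
        print(f"{f['user']}: direct={f['direct_roles']} auto={f['auto_assigned']}")
```

Any user reported here should then be cross-checked against the audit history to confirm who made the assignment.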

The good news is that Microsoft now provides a process to opt out of the automatic role assignment. Basically, you need to raise a Service Request using the Power Platform administration portal. You can turn off this feature at the environment or tenant level, whatever suits your requirements best.

https://docs.microsoft.com/en-us/power-platform/admin/opt-out-automatic-license

Feature image by Guido Jansen on Unsplash
