When a Dynamics CRM implementation goes live, the most important task is to get the users on board with their new Dynamics CRM system. CRM Admins ensure that proper CRM security role is assigned to every user so that they can log in without any issue. However, assignment of  security role to the users is still a manual task. And when you have hundreds of users, there is a possibility that some users may get missed.

Dynamics CRM has a very useful view on the User entity called Users with no assigned security roles. This does a pretty good job in quickly identifying those users who have a valid license but do not have any security role.

However, the situation becomes challenging when you have blanket security roles, e.g. ClickDimensions User or Xperido User assigned to every user. And on top of that, each user should have at least one CRM specific security role, e.g. SalesPerson, Marketing Professional, etc.

How do you make sure that every user has at least one CRM security role on top of the blanket (or addin) security roles?

I would like to share a solution I have used to achieve this using FetchXml left outer join. The prerequisite for this query is that you need to find out the GUIDs of the blanket security roles that you want to exclude from your search criteria.

E.g. the below query return all users who do not have any security role assigned to them excluding Xperido User and ClickDimensions User.

You can run this fetchXml in XrmToolbox or save it as view (SavedQuery).