Tip #652: Promote to admin explained

Chosen OneI’ve already seen some articles about “Promote To Admin” button, new in Microsoft Dynamics CRM 2016 Update 1, explaining in details how this button makes admin life easier by allowing quickly grant a user System Administrator role.

All of the articles miss one important function that this button allows you to do. The functionality we’ve been wanting for years.

PROMOTE TO ADMIN button allows authorized users to impersonate end-user roles

(What does “authorized” mean here? Keep reading)

If you have system administrator role, try the following:

  1. Ensure that there are other system administrators in the systems. In case something goes wrong and you remove all of your privileges, they will be able to bail you out.
  2. Grant yourself a self-sufficient role or combination of roles. By self-sufficient I mean a role that allows you to logon and operate Dynamics CRM as a user. For example, Customer Service Representative gives you access to the UI and CRM goodies while Survey User, part of the Voice of The Customer solution, is an additive role that is not self-sufficient and won’t let you to logon.
  3. Remove System Administrator role. You will get a warning about the world end, ignore. (You did ensure that there are other system administrators in the system, right?)
    System administrator warning
  4. Hit Ctrl-F5 to fully refresh the browser session. You are now Customer Service Representative or whatever role you have granted. Boom!
  5. Promote to admin buttonWhen done playing with the role, go to Settings > Security > Users, select yourself and press Promote To Admin. You’re back to system administration. Badaboom!

That’s how all new trials are tailored when you select a specific role during the trial provisioning.

Under the hood

There is a new privilege Promote User to Microsoft Dynamics CRM Administrator Role (prvPromoteToAdmin in nerd-speak).
Promote to admin privilege
Note that it’s not enabled for System Administrator role.

Support User roleSo how does this privilege stays with the original user? It’s granted via hidden role Support User which you can find using Advanced Find.

Warning: Use this massive knowledge at your own risk and don’t drink and administer the system.

9 thoughts on “Tip #652: Promote to admin explained

  1. David Mochrie says:

    Very interesting.

    So am I correct I saying that for CRM online, for you to be allocated the ‘Support User’ role, you need to have a specific role other than ‘User’ allocated in O365? If so, what are the Office 365 roles that will grant you the ‘Support User’ role in CRM?

    Also, what about on prem? How does a user get allocated the ‘Support user’ role in that set up?

    • The original purpose of the Support User was to allow for the customized trial experience where you’d come in into CRM as a “Salesperson” immediately following the provisioning. The person provisioning CRM would be assigned support role + CSR (or whatever else depending on the experience selection). So all I can say right now is that the administrator provisioning CRM would have this role assigned. Perhaps, CRM Service Administrator O365 role would give this ability as well. Also, we should be able to assign the hidden role using Powershell or code, however CRM may or may not allow that.

      I also got a word that the experience for sandbox organizations may differ – didn’t have a chance to try it. As far as on-premises is concerned, that would an easy one to test, wouldn’t it?

      • Matt Johnson says:

        I tried a few things to get this role assigned to another user other than the O365 global admin that set up the org.
        1) Create an add on role and enable the “Promote user to Microsoft Dynamics CRM administrator role”. It doesn’t let you turn this option of saying you don’t have the rights.
        2) Use XRMToolbox to assign the “Support User” role to a user. It appears to work but then doesn’t give the user the desired permission.

        So as far as I can tell the only person who can get this feature is an O365 global admin. I may well be proved wrong and I was trying this on a new trial.

        • Matt, couple points

          1. In addition to Support User role, user needs to have Sys Admin role otherwise it’d be elevation of privileges.
          2. I’m curious if CRM Service Administrator role in O365 will suffice to “enable” this privilege to work


          • Alan O says:

            I tested with a user who has the O365 ‘Dynamics 365 service administrator’ role and the CRM System Administrator security role. This still wouldn’t permit me to use the ‘Promote to Admin’ button. Looks like this is locked down to the global admin.

  2. […] I needed to do some solution installation here, the first thing I had to do was to promote myself to the Admin role. That’s something you’d never need to do outside of the trial experience, as being the […]

  3. Jordan Fulford says:

    There is a workaround to this issue. Find the hidden “Support User” role and make a copy. Assign the copied role to yourself. You’ll now be able to remove System Administrator role and then promote yourself back to Admin.

    Confirmed with current version (9.1) to be working.

  4. Martin says:

    I experience that for Users on the non-top Business Unit, clicking “Promote to Admin” errors with insufficient privileges.
    Works well for Users on the top BU.

  5. Jonas Wauters says:

    Anyone has found a workaround for when you are not part of the non-top business unit? That indeed gives you an error: “Cannot associate security role because the security role’s Business Unit is not the same as the user’s Business Unit”.

Leave a Reply

Your email address will not be published. Required fields are marked *