Microsoft Power Platform · Dataverse Security Roles
Support User
Read-only access across most Dataverse tables for support and troubleshooting scenarios. Cannot modify data or schema.
Scope: Single Dataverse environment - read-only across most data for support
Permissions
- Read - User-level read across most Dataverse tables
- Read system jobs and async operations
- No write/delete - Cannot modify records
- No schema - Cannot create or modify tables/columns
Common use cases
- Support engineers diagnosing user issues
- Tier 2/3 helpdesk reviewing system jobs and workflow runs
- Customer service representatives investigating record state without modifying it
Best practices
- Use for read-only support personnel instead of granting full System Administrator
- Pair with the relevant app-specific custom role if write actions are sometimes needed
Security considerations
- Read access spans most of Dataverse including potentially sensitive tables - review which tables exist before assigning
Common questions
When should I assign the Support User role?
Assign Support User when you need to: Support engineers diagnosing user issues; Tier 2/3 helpdesk reviewing system jobs and workflow runs; and Customer service representatives investigating record state without modifying it. It is part of Microsoft Power Platform and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Support User role do?
The Support User role grants permissions including: Read - User-level read across most Dataverse tables; Read system jobs and async operations; No write/delete - Cannot modify records; and No schema - Cannot create or modify tables/columns. See the Permissions section above for the full list.
What are the security risks of the Support User role?
Key considerations when assigning Support User: Read access spans most of Dataverse including potentially sensitive tables - review which tables exist before assigning. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.