Skip to content
PowerPlatformGirl
Back to articles
Xrm Toolbox Tricks

I Used XrmToolBox + AI to Clean Up Security Roles Without Losing My Mind

Security role cleanup always sounds simple until you export everything and realize you are now staring at a pile of roles that all look vaguely related and mildly threatening. This time, instead of manually comparing every privilege and access level, I used XrmToolBox to export the role details and AI to help me spot overlap, likely consolidation opportunities, and the places where a real human still needed to make the call.

June 2, 202610
Share
I Used XrmToolBox + AI to Clean Up Security Roles Without Losing My Mind

What This Tool Process Is For

This process is for reviewing Dynamics 365 security roles faster by combining XrmToolBox exports with AI analysis. It helps you identify roles that may be duplicates, near-duplicates, or candidates for consolidation without manually comparing every line yourself.

When to Use It

Use this when:

  • your environment has too many security roles
  • you suspect duplicate or overlapping roles
  • you need a cleaner way to start a security cleanup conversation
  • you want to find likely consolidation opportunities before bringing people into a review

Do not use it when:

  • you want AI to make final security decisions for you
  • you have not validated which roles are still assigned or still needed
  • you are planning to merge roles without testing the impact first

AI is excellent at helping you find patterns. It is not your security approval board.

Pre-Flight Checklist

Before you start:

  • export the security role details from the correct environment
  • make sure the export includes Role Name, Privilege Name, and Access Level
  • keep the exported files together in one folder
  • decide what “similar enough to review” means before you begin
  • be ready to validate the findings with a real business owner or system admin

Future You will thank you if the file names are clean before you feed anything into AI.

Step-by-Step

1. Export the roles from XrmToolBox

I used XrmToolBox to export the security roles into Excel files. The goal was not to manually compare them myself. The goal was to get the data out in a structured format so I could hand the repetitive comparison work to AI.

2. Feed the exports into AI

Once I had the files, I uploaded them and asked AI to compare the roles based on:

  • exact permission overlap
  • privilege overlap
  • access-level differences
  • likely consolidation opportunities

That saved me from manually reading through role after role trying to figure out whether two names that sounded similar were actually similar.

3. Ask for usable outputs, not just observations

This part matters more than people think. If you only ask AI, “Which roles look similar?” you will get noise. I asked it to organize the results into something reviewable, including:

  • strongest merge candidates
  • recommended consolidation reviews
  • roles that should stay separate
  • groups that needed manual decisions
  • a simplified role-by-role summary

That turned the output from “interesting” into “actually useful.”

4. Test small first

Start with the smallest and most obvious overlaps first. Add-on roles and app-specific roles are usually easier to review than broad base roles.

Do not be a hero and start by merging the biggest roles first. Ask me how I know.

5. Turn the findings into a team-friendly deliverable

The final step was turning the AI output into a workbook the team could actually review. That included:

  • a detailed analysis workbook
  • an executive summary workbook
  • a match overview workbook showing each role’s closest match and percentages

That part is important because people do not want a transcript of your AI session. They want something they can open, scan, and discuss.

Prompts That Helped

Here are the kinds of prompts that made this process better.

Prompt 1: Set the goal clearly

Inside this zip are multiple Excel files with different security roles. My goal is to consolidate this list of security roles. I want to find roles that are similar by 80% or more so I could combine them.

Prompt 2: Ask for a useful output format

Organize this in a way in an Excel where it gives us columns like Role A, Role B, Role C, and underneath show the percentage match and the closest ones.

Prompt 3: Push for decisions, not just matches

Can you add recommendations for what should merge, what should be reviewed, and what should stay separate?

Prompt 4: Simplify for leadership

I want this to all be very clear on what we should merge which groups into what.

Prompt 5: Create visibility for the full picture

Give me a separate Excel document that shows all of the percentage matches in the same structure as the role decisions tab so we have full visibility into what all the matches were.

What made the prompts work:

  • I gave AI the actual source files
  • I gave it a threshold, 80%+
  • I told it how I wanted the output organized
  • I kept refining the result until it was easier to review

That is the part people skip. Better prompts usually come from one good first pass and two or three cleanup passes.

Common Gotchas

Similar names do not mean similar access

Two roles can sound nearly identical and still differ in the exact permissions that matter.

High privilege overlap can hide access-level differences

A role may use mostly the same privileges but grant different access levels. That is a review item, not an automatic merge.

Small roles can look fully contained in larger roles

Sometimes that is a great merge candidate. Sometimes it means the smaller role exists for a very specific reason.

AI is there to speed up comparison, not replace judgment

This process helps surface likely opportunities. It does not remove the need for testing and validation.

Consultant law #12: if security cleanup feels too easy, you probably have not found the edge case yet.

Validation Checklist

Before acting on any suggestion:

  • confirm which users are assigned to each role
  • confirm whether the role is still actively used
  • review any access-level differences
  • validate the purpose of the role with the business or admin team
  • test changes in a non-production environment
  • confirm the target role actually covers the same need

If you cannot explain why a role exists today, do not merge it tomorrow.

Real Scenario

In this case, I exported multiple Dynamics 365 security roles using XrmToolBox and used AI to compare them for overlap. That helped me quickly identify strong merge candidates, highlight a few role pairs that clearly needed review, and leave the rest alone instead of dragging the team through a manual line-by-line comparison exercise.

That is the sweet spot for this kind of AI use case. It removes the tedious comparison work so you can spend your time on the decisions that actually need a consultant brain.

Why This Matters

Security role sprawl creates confusion fast:

  • harder user setup
  • harder troubleshooting
  • slower audits
  • more inconsistent role assignments
  • less confidence in the security model

Using XrmToolBox plus AI gave me a faster way to get visibility into the mess and turn it into something actionable.

Closing Thought

I would absolutely use this approach again. XrmToolBox gets the data out, AI helps organize and compare it, and the consultant still does the important part: validating what should actually change.

That is the part I like most. AI did not replace the work. It removed the most annoying part of the work.

Tags

#data#tips#xrmtoolbox#metadata#documentation#security#ai

Get new articles in your inbox

Subscribe on Substack

No spam. Unsubscribe anytime.

Related articles

You might also find these helpful

The Bulletproof Way to Bulk Fulfill Sales Orders via Dataverse Web API
Power Automate

The Bulletproof Way to Bulk Fulfill Sales Orders via Dataverse Web API

This article is a “surgical precision” Power Automate pattern for when the normal Dataverse connector isn’t reliable enough—especially on legacy records. It uses the HTTP action + raw Dataverse Web API authenticated via an Azure App Registration to run a bound action (like FulfillSalesOrder) only against a strictly controlled list of records from an Excel table. The key idea: Excel drives the scope, the flow includes a 1-to-1 match safety valve, and you validate via HTTP status codes and the Dynamics UI so you can bulk-clean records without collateral damage.

Mar 4, 202612
Customer Voice + D365: Automate Case Surveys, Score Responses, and Flag Negatives
Power Automate

Customer Voice + D365: Automate Case Surveys, Score Responses, and Flag Negatives

This guide is a reusable pattern for connecting Customer Voice + Dynamics 365 Customer Service so survey feedback becomes actionable work. It shows how to automatically send a survey when a Case is created, then parse the response JSON, score specific questions, and write a clear Positive/Negative “Survey Outcome” back onto the Case. The result: support teams can triage unhappy customers directly from Dynamics (no dashboard hopping), with guardrails for exclusions, ALM-friendly question mappings, and safe “no false negatives” scoring.

Mar 2, 202612
Why We Used a Console App to Update 1.3 Million Records (And When You Should Too)
Dataverse

Why We Used a Console App to Update 1.3 Million Records (And When You Should Too)

When your update count hits seven digits, the question stops being “can we do this?” and becomes “what’s the safest way to do this once?” This article explains why a console app using the Dataverse SDK is often the most controlled option for high-volume updates—especially when you need deterministic mapping logic, safe reruns, batching/throttling control, and the ability to update inactive records—plus a practical “test small first” pattern and validation steps to prove it worked.

Feb 24, 202610