In order to edit the content directly in a Portal on Dynamics 365, you need your user (specifically the contact record related to your User record) to have a Web Role with editing privileges.
This can be confusing, because this security setting is set on the Contact and not the User. Portals concern themselves with Contact logins first, and although the Employee Self-Service (ESS) Portal leverages Azure Active Directory, it still looks for the role on the Contact record.
There isn’t a nice easy way (that I was able to find) to manage web roles for users, and it is all done through Invitations. Again, this is confusing because Users for the ESS don’t need invitations. They just log in if they have a Dynamics 365 license. Nevertheless, we need to go through the motions in order to get the Web Role assigned.
First, create a normal Dynamics 365 User:
I now have a User but no Contact:
We can create our Contact by just letting John log in once:
And that will create their Contact record automatically (related directly to their User record):
Now go to the Contact record and click ‘Create Invitation’ at the top:
First, click ‘Save’ on the Invitation form to create an Invitation record for this Contact:
And then in the ‘Assign to Web Roles’ box just add them to ‘Administrators’:
Then go to the ‘…’ button and select ‘Other Activities’:
And then click ‘Invite Redemption’:
In the following Dialog Box, just enter the Contact record and any username and click ‘Save’:
Now go back to John Smith’s Portal session and refresh the browser. The toolbar will now appear:
All of this wasn’t very obvious from the documentation at all, and I would hope in future that Microsoft will add an option to manage Web Roles directly on the Contact record. It is possible I missed an easier way to do this, and if I find it then I will update this article accordingly.