Mar Pedroche

Manage Dataverse security using Microsoft 365 security groups

Teams in Dataverse can be linked to an Azure AD security group or to a Microsoft 365 group. Security roles are assigned to the team, and every user who is a member of the linked group receives the privileges defined in those roles. Group teams behave like owner teams: they can own records and they can hold security roles.


These teams are created from the Power Platform admin center.


How to create a Dataverse team and link it to a Microsoft 365 group?

In the admin center, select the environment and open the Teams section (Settings > Users + permissions > Teams).



Click Create team. A panel opens where the following must be chosen:

  1. Business unit: the business unit the team belongs to. If no child business units have been created, choose the root business unit (it carries the organization name).

  2. Team type: choose AAD Security Group or AAD Office Group (Microsoft 365 group).

  3. Group name: the Azure AD group, which must already exist. The admin center resolves the name to the group's object ID and stores it on the team.

  4. Membership type: Members and guests, Members, Owners, or Guests. This decides which part of the group's membership is mapped to the team.


Once the team exists, assign it the security roles it needs (Manage security roles). Until a role is assigned, membership of the group grants nothing in Dataverse.
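The same team can be created from PowerShell, which is useful when the set-up has to be repeatable across environments. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft.Xrm.Data.PowerShell module (Connect-CrmOnline, Get-CrmRecords, New-CrmRecord, Add-CrmSecurityRoleToTeam) and writes the same columns on the team table that the admin center panel fills in. All parameters are placeholders, not values from the post.

```powershell
# Added example (not from the original post): create an Azure AD group team in Dataverse
# and give it a security role, using the Microsoft.Xrm.Data.PowerShell module.
param(
    [Parameter(Mandatory)] [string] $OrgUrl,         # e.g. https://contoso.crm.dynamics.com (placeholder)
    [Parameter(Mandatory)] [string] $TeamName,       # display name of the Dataverse team
    [Parameter(Mandatory)] [guid]   $GroupObjectId,  # object ID of the existing Azure AD group
    [Parameter(Mandatory)] [string] $RoleName,       # security role to grant, e.g. 'Basic User'
    [string] $BusinessUnitName,                      # omit to use the root business unit
    [ValidateSet('SecurityGroup', 'Microsoft365Group')] [string] $GroupKind = 'SecurityGroup',
    [ValidateSet('MembersAndGuests', 'Members', 'Owners', 'Guests')] [string] $Membership = 'Members'
)

Import-Module Microsoft.Xrm.Data.PowerShell

# team.teamtype option values: 0 Owner, 1 Access, 2 AAD Security Group, 3 AAD Office Group
$teamType = @{ SecurityGroup = 2; Microsoft365Group = 3 }[$GroupKind]
# team.membershiptype option values: 0 Members and guests, 1 Members, 2 Owners, 3 Guests
$membershipType = @{ MembersAndGuests = 0; Members = 1; Owners = 2; Guests = 3 }[$Membership]

$conn = Connect-CrmOnline -ServerUrl $OrgUrl -ForceOAuth

# Resolve the business unit. The root business unit is the only one without a parent.
$allBu = (Get-CrmRecords -conn $conn -EntityLogicalName businessunit `
            -Fields businessunitid,name,parentbusinessunitid -AllRows).CrmRecords
$bu = if ($BusinessUnitName) {
    $allBu | Where-Object { $_.name -eq $BusinessUnitName }
} else {
    $allBu | Where-Object { -not $_.parentbusinessunitid }
}
if (-not $bu) { throw "Business unit '$BusinessUnitName' not found" }

# Create the group team. The admin center panel sets exactly these columns.
$teamId = New-CrmRecord -conn $conn -EntityLogicalName team -Fields @{
    name                         = $TeamName
    businessunitid               = New-CrmEntityReference -EntityLogicalName businessunit -Id ([guid]$bu.businessunitid)
    teamtype                     = New-CrmOptionSetValue -Value $teamType
    azureactivedirectoryobjectid = $GroupObjectId
    membershiptype               = New-CrmOptionSetValue -Value $membershipType
}

# Without a security role the group membership grants nothing, so assign one immediately.
Add-CrmSecurityRoleToTeam -conn $conn -TeamId $teamId -SecurityRoleName $RoleName

Write-Host "Created team '$TeamName' ($teamId) linked to group $GroupObjectId with role '$RoleName'"
```

The group's object ID, not its display name, is what ends up on the team (azureactivedirectoryobjectid); when the group is later renamed the link is unaffected, and if the group is deleted and re-created under the same name the team points at a group that no longer exists.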


Limitations

Membership of a group team is evaluated dynamically when a user accesses the environment. A user who has been added to the Azure AD group but has never accessed the environment has no record in the systemuser table, so they do not appear in the environment's user list or as a member of the Dataverse team.


Because such a user has no systemuser record, lookup fields that search users (owner, assign to, and similar) cannot find them, and the membership shown for the Dataverse team differs from the membership of the Azure AD group.


How to resolve this limitation?

The sync can be forced: the Power Platform for Admins connector in Power Automate has a Force Sync User action that takes the target environment and the user's Azure AD object ID and creates the systemuser record without waiting for the user to sign in.

To make the members of a Microsoft 365 group and the Dataverse team match without waiting for each user to sign in to the environment, build a flow that reads the group's members and runs that action for every one of them:
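The same reconciliation can be run from PowerShell. The script below is an added example, not code from the original post or from Microsoft: it reads the group's members with Microsoft Graph (Get-MgGroupMember), reads the users Dataverse already knows through the azureactivedirectoryobjectid column of systemuser (Microsoft.Xrm.Data.PowerShell), and force-syncs only the members that are missing with Add-AdminPowerAppsSyncUser from the Microsoft.PowerApps.Administration.PowerShell module, which is the cmdlet counterpart of the connector action. Parameters are placeholders, not values from the post.

```powershell
# Added example (not from the original post): reconcile an Azure AD / Microsoft 365 group with the
# systemuser table of a Dataverse environment and force-sync the members Dataverse has not seen yet.
param(
    [Parameter(Mandatory)] [string] $GroupId,        # object ID of the group linked to the team (placeholder)
    [Parameter(Mandatory)] [string] $EnvironmentId,  # Power Platform environment ID, the GUID shown in the admin center
    [Parameter(Mandatory)] [string] $OrgUrl,         # e.g. https://contoso.crm.dynamics.com (placeholder)
    [switch] $DryRun                                 # report the differences without syncing anyone
)

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Xrm.Data.PowerShell
Import-Module Microsoft.PowerApps.Administration.PowerShell

# Pure comparison step, kept separate from the service calls so it can be checked on sample data.
function Get-UnsyncedGroupMember {
    param(
        [object[]] $GroupMembers = @(),   # objects with .Id (AAD object ID) and .UserPrincipalName
        [string[]] $KnownObjectIds = @()  # azureactivedirectoryobjectid values already in systemuser
    )
    $known = @{}
    foreach ($id in $KnownObjectIds) { if ($id) { $known[$id.ToLowerInvariant()] = $true } }
    $GroupMembers | Where-Object { -not $known.ContainsKey($_.Id.ToLowerInvariant()) }
}

# 1. Group membership from Microsoft Graph. Only user objects count: nested groups, devices and
#    service principals never become Dataverse users.
Connect-MgGraph -Scopes 'GroupMember.Read.All' -NoWelcome
$groupUsers = @(Get-MgGroupMember -GroupId $GroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object {
        [pscustomobject]@{
            Id                = $_.Id
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
        }
    })

# 2. Users Dataverse already has a systemuser record for. azureactivedirectoryobjectid is only
#    populated once the user has accessed, or been synced into, the environment; built-in accounts
#    such as SYSTEM have no value and are skipped.
$conn = Connect-CrmOnline -ServerUrl $OrgUrl -ForceOAuth
$systemUsers = (Get-CrmRecords -conn $conn -EntityLogicalName systemuser `
                  -Fields azureactivedirectoryobjectid,domainname -AllRows).CrmRecords
$knownIds = @($systemUsers |
    Where-Object { $_.azureactivedirectoryobjectid } |
    ForEach-Object { [string]$_.azureactivedirectoryobjectid })

# 3. Force-sync the missing members: the same operation as the connector action in the flow.
$missing = @(Get-UnsyncedGroupMember -GroupMembers $groupUsers -KnownObjectIds $knownIds)
Write-Host "$($groupUsers.Count) group members, $($missing.Count) not yet present in Dataverse"

if (-not $DryRun -and $missing.Count -gt 0) { Add-PowerAppsAccount | Out-Null }
foreach ($user in $missing) {
    if ($DryRun) { Write-Host "Would sync $($user.UserPrincipalName)"; continue }
    Add-AdminPowerAppsSyncUser -EnvironmentName $EnvironmentId -PrincipalObjectId $user.Id | Out-Null
    Write-Host "Synced $($user.UserPrincipalName)"
}
```

Run it with -DryRun first: the count it prints is the gap between the Azure AD group and the Dataverse team described above. Forcing the sync does not bypass the usual preconditions; a member still needs a license that covers the environment and, where the environment is restricted to a security group, must also belong to that group, so members that fail to sync are worth checking for exactly those two things.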




