Our Supply Chain department is using a custom model-driven app in support of their process for framework agreement management. Their request is to grant the stakeholders (Office management, Facility management, project calculators, etc.) access to the app with read-only permissions and restricted view permission to the related document folders in SharePoint Online. Some of those people don’t have access to Dynamics 365 and are not available as users in Dynamics 365.
My goal is to offer some kind of self-service user management to the key user(s) of the Supply Chain department that should take care of the following:
The first deliverable, granting access to the system, can only be done in an indirect way. The idea is to let the key user add users to an Azure AD “group”, use the same group in a Team in Dynamics 365 and assign the custom “Readers” security role to it. There are different options for self-service group membership in Azure AD by making the key user owner of an:
I prefer to use the Mail-enabled Security Group (I don’t like the overhead of an Office 365 Group), which has the following advantages:
So I create My First Mail-enabled Security Group in Azure AD.
Then I create a Team in Dynamics 365 of the type ‘AAD Security Group’, use the Azure AD Object Id of the My First Mail-enabled Security Group, and assign it to the relevant Business Unit. Finally, I assign the custom “Readers” security role to this Team.
Now this will only work for (give access to) users that are enabled in Dynamics 365, so they should be licensed and be(come) a member of the Azure AD Security Group that gives access to the Dynamics 365 instance. So the users should be added to that Azure AD Security Group. Nested or multiple security groups are not supported, so please vote for this idea by Marc Gerner: Support for nested or multiple security groups.
Assigning licenses to users can be automated by group membership in Azure Active Directory but for the moment I’m not going to use this in our case; that’s something to implement in the near future. For now this is (still) an action for/by the IT department.
The next step is to add users to the Azure AD Security Group that gives access to the Dynamics 365 instance, with the help of a Power Automate flow. I’m going to use the Azure AD connector and 3 of its actions in this flow. I’ve added the account of the connection as owner of the Azure AD Security Group.
Here is the overview of the flow:
This flow is started by a scheduled trigger and gets all group members of the mail-enabled security group “Readers” that is managed by the key user.
For every group member, membership of the “grant access to instance” Azure AD security group “Users” is checked. The GUID of this security group is set in the Initialize variable action.
If the user is not a member, they are added to the security group “Users”.
This will make the user (re)enabled in Dynamics 365 and give them access to the app via the Team privileges. In SharePoint we have a document library for every supplier, and the folder Agreements has unique permissions to give the stakeholders read-only access to these folders only.
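The same sync logic as the flow above, written as an added Python example against the Microsoft Graph API (this is not code from the post; the group ids, token and sample member lists are assumed or constructed). It keeps the flow’s one-way behaviour (only additions, never removals, since the “Users” group also holds everyone else who needs the instance) and, because nested groups are not supported, only forwards objects typed as users:

```python
"""Add members of the key-user-managed "Readers" group to the "Users" group."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
USER_TYPE = "#microsoft.graph.user"


class GraphClient:
    """Minimal Graph client; obtaining the bearer token is out of scope here."""

    def __init__(self, access_token):
        self.headers = {"Authorization": f"Bearer {access_token}",
                        "Content-Type": "application/json"}

    def list_members(self, group_id):
        # GET /groups/{id}/members returns directoryObjects; a nested group
        # comes back typed as a group, not a user, so callers must filter.
        url = f"{GRAPH}/groups/{group_id}/members?$select=id"
        objs = []
        while url:  # follow paging until @odata.nextLink is absent
            req = urllib.request.Request(url, headers=self.headers)
            with urllib.request.urlopen(req) as resp:
                page = json.load(resp)
            objs.extend(page["value"])
            url = page.get("@odata.nextLink")
        return objs

    def add_member(self, group_id, user_id):
        # POST /groups/{id}/members/$ref with the user's directoryObject URL.
        body = json.dumps({"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}).encode()
        req = urllib.request.Request(f"{GRAPH}/groups/{group_id}/members/$ref",
                                     data=body, headers=self.headers, method="POST")
        urllib.request.urlopen(req).close()


def plan_additions(readers_members, users_members):
    """Ids of Readers *users* missing from Users; nested groups are skipped."""
    users_ids = {m["id"] for m in users_members}
    return sorted(m["id"] for m in readers_members
                  if m.get("@odata.type") == USER_TYPE and m["id"] not in users_ids)


def sync_readers_to_users(client, readers_group_id, users_group_id):
    """One scheduled run: add every missing Readers user to the Users group."""
    to_add = plan_additions(client.list_members(readers_group_id),
                            client.list_members(users_group_id))
    for user_id in to_add:
        client.add_member(users_group_id, user_id)
    return to_add  # what was added this run, useful for an audit log entry
```

Licensing is still a separate step, as the post notes, so a user added here only becomes enabled in Dynamics 365 once a licence is assigned as well.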
In part 2 I will show how to Power Automate the assignment to the relevant Business Unit once the user is (re)enabled in Dynamics 365, and to send an invite to the “enabled” user with the link to the model-driven app.
The post Self Service User Management (part 1) appeared first on There's Something About Dynamics 365.