Our Supply Chain department is using a custom model-driven app to support their process for framework agreement management. Their request is to grant the stakeholders (Office management, Facility management, project calculators, etc.) access to the app with read-only permissions and restricted view permissions on the related document folders in SharePoint Online. Some of those people don’t have access to Dynamics 365 and do not exist as users in Dynamics 365.
My goal is to offer some kind of self service user management to the key user(s) of the Supply Chain department that should take care of the following:
The first deliverable, granting access to the system, can only be done in an indirect way. The idea is to let the key user add users to an Azure AD “group”, use the same group in a Team in Dynamics 365, and assign the custom “Readers” security role to that Team. There are different options for self-service group membership in Azure AD by making the key user owner of an:
I prefer to use the Mail-enabled Security Group (I don’t like the overhead of an Office 365 Group), which has the following advantages:
So I create My First Mail-enabled Security Group in Azure AD.
Then I create a Team in Dynamics 365 of the type ‘AAD Security Group’, using the Azure AD Object Id of the My First Mail-enabled Security Group, and assign it to the relevant Business Unit. Finally I assign the custom “Readers” security role to this Team.
Now this will only work for (give access to) users that are enabled in Dynamics 365, so they must be licensed and be(come) a member of the Azure AD Security Group that gives access to the Dynamics 365 instance. So the users must be added to that Azure AD Security Group. Nested or multiple security groups are not supported, so please vote for this idea by Marc Gerner: Support for nested or multiple security groups.
Assigning licenses to users can be automated by group membership in Azure Active Directory but for the moment I’m not going to use this in our case; that’s something to implement in the near future. For now this is (still) an action for/by the IT department.
The next step is to add users to the Azure AD Security Group that gives access to the Dynamics 365 instance, with the help of a Power Automate flow. I’m going to use the Azure AD connector and 3 of its actions in this flow. I’ve added the account of the connection as owner of the Azure AD Security Group.
Here is the overview of the flow:
This flow is started by a scheduled trigger and gets all group members of the mail-enabled security group “Readers” that is managed by the key user.
For every group member, membership of the “grant access to instance” Azure AD security group “Users” is checked. The GUID of this security group is set in the Initialize variable action.
If the user is not a member, it is added to the security group “Users”.
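The same add-if-missing logic as plain Python, added here as an illustration and not part of the original post or of the Azure AD connector; the three connector actions are replaced by functions over constructed in-memory group data (object ids are placeholders), and the example goes slightly beyond the post by accepting several key-user-managed source groups, since nested groups cannot be used for instance access:

```python
# Constructed sample data standing in for the two Azure AD groups in the post:
# the key user's mail-enabled "Readers" group (source) and the instance-access
# security group "Users" (target). Object ids are placeholders, not real GUIDs.
SAMPLE_GROUPS = {
    "readers-objectid-placeholder": {"alice@contoso.example", "bob@contoso.example"},
    "users-objectid-placeholder": {"alice@contoso.example", "carol@contoso.example"},
}

def get_members(groups, group_id):
    """Stand-in for the connector's 'Get group members' action."""
    return set(groups[group_id])

def is_member(groups, group_id, upn):
    """Stand-in for the connector's 'Check group membership' action."""
    return upn in groups[group_id]

def add_member(groups, group_id, upn):
    """Stand-in for 'Add user to group'; in Azure AD the connection account
    must be an owner of the target group for this to succeed."""
    groups[group_id].add(upn)

def sync_to_instance_group(groups, source_ids, target_id):
    """Scheduled-flow logic: every member of each source (key-user managed)
    group that is not yet in the instance-access group is added to it.
    Idempotent: a second run adds nobody. The returned report is meant to be
    logged so that access grants made by the flow remain auditable."""
    added, already_member = [], []
    for source_id in source_ids:
        for upn in sorted(get_members(groups, source_id)):
            if is_member(groups, target_id, upn):
                already_member.append(upn)
            else:
                add_member(groups, target_id, upn)
                added.append(upn)
    return {"added": added, "already_member": already_member}

if __name__ == "__main__":
    groups = {k: set(v) for k, v in SAMPLE_GROUPS.items()}
    report = sync_to_instance_group(
        groups, ["readers-objectid-placeholder"], "users-objectid-placeholder")
    print(report)  # bob is added; alice was already a member
```

Note that, as in the post's flow, this only ever adds members: removing someone from “Readers” withdraws the Team's role but leaves the user enabled in the “Users” group until an administrator removes them.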
This will make the user (re)enabled in Dynamics 365 and give them access to the app via the Team privileges.
In SharePoint we have a document library for every supplier, and the folder Agreements has unique permissions to give the stakeholders read-only access to these folders only.
In part 2 I will show how to use Power Automate for the assignment to the relevant Business Unit once the user is (re)enabled in Dynamics 365, and for sending an invite to the “enabled” user with the link to the model-driven app.
The post Self Service User Management (part 1) appeared first on There's Something About Dynamics 365.