To automatically synchronize the status of Office 365 (O365) users with Dynamics 365 (D365), so that accounts disabled in O365 are also disabled in D365, you can implement a streamlined approach using Azure Active Directory (AAD) and Power Automate. Here's a step-by-step guide to automate this process:
Option 1: Use Power Automate to Synchronize User Status
1. Set Up the Power Automate Flow
Trigger: Use the When a user is updated trigger in the Azure AD connector to detect changes in user accounts.
Action:
Check if the accountEnabled attribute is false.
If so, update the corresponding user record in D365 to disable the user.
Steps:
1. Log in to Power Automate.
2. Create a new flow:
Trigger: Azure AD - When a user is updated.
Condition: Check if accountEnabled is set to false.
Action: Use the Dataverse connector to update the user record in D365, setting the IsDisabled attribute to true.
2. Example Flow Design
Trigger: Azure AD - When a user is updated.
Condition: accountEnabled equals false.
Action:
Find the corresponding user in D365 using the email address or username.
Update the SystemUser table:
Set isDisabled to true.
Option 2: Use Azure AD Dynamic Groups with D365
1. Create a Dynamic Group in Azure AD
Use Azure AD dynamic membership rules to group disabled accounts automatically.
Example Rule:
(accountEnabled -eq false)
This rule dynamically adds disabled O365 accounts to the group.
2. Sync the Group with D365
Integrate the Azure AD group with Dynamics 365 using Azure AD Connect.
Map the group’s disabled status to update the corresponding SystemUser records in D365.
Option 3: Custom Plugin in D365
1. Write a Plugin to Periodically Check User Status
Develop a plugin in D365 that queries Azure AD for the accountEnabled status of all application users.
Automatically disable users in D365 if their O365 accounts are disabled.
2. Steps:
Use Azure AD Graph API or Microsoft Graph API to fetch user account status.
Match user principal names (UPNs) between Azure AD and D365.
Update the IsDisabled property of the SystemUser entity in D365.
Option 4: Scheduled Job Using Microsoft Graph API
1. Create a Scheduled Script
Write a script (e.g., using PowerShell or C#) that:
Queries Microsoft Graph API for disabled users.
Updates their corresponding records in D365 via Dataverse API.
2. Steps:
Query Disabled Users in Azure AD:
Use the following Graph API endpoint:
GET https://graph.microsoft.com/v1.0/users?$filter=accountEnabled eq false
Update Users in D365:
Use the Dataverse Web API to update the SystemUser table:
PATCH [Organization URI]/api/data/v9.2/systemusers(systemuserid)
{
"isdisabled": true
}
3. Schedule the Script
Use Azure Automation or Task Scheduler to run the script periodically.
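The scheduled job from Option 4 as a worked PowerShell script. This is an added example, not code from the original answer; it assumes the Microsoft.Graph and Az.Accounts modules are installed, that the account running it holds User.Read.All on Graph plus an administrative role in the Dataverse environment, and that $OrgUrl (a placeholder here) is the environment URL. It reports only unless -Commit is passed, and writes a CSV log of every change for the audit step below.

```powershell
# Added example: scheduled sync of disabled Azure AD users into Dataverse.
# Assumes Microsoft.Graph + Az.Accounts modules; $OrgUrl is a placeholder.
param(
    [string]$OrgUrl = "https://contoso.crm.dynamics.com",  # placeholder org URI
    [switch]$Commit                                          # omit = report only
)
$ErrorActionPreference = "Stop"

# 1. Disabled users in Azure AD (same $filter as the Graph endpoint above).
Connect-MgGraph -Scopes "User.Read.All" | Out-Null
$disabled = Get-MgUser -Filter "accountEnabled eq false" -All `
                       -Property UserPrincipalName,AccountEnabled

# 2. Bearer token for the Dataverse Web API (resource = the org URL).
Connect-AzAccount | Out-Null
$token   = (Get-AzAccessToken -ResourceUrl $OrgUrl).Token
$headers = @{ Authorization = "Bearer $token"; Accept = "application/json";
              "Content-Type" = "application/json";
              "OData-MaxVersion" = "4.0"; "OData-Version" = "4.0" }
$api = "$OrgUrl/api/data/v9.2"

# 3. Match each UPN to a systemuser (the UPN lives in the domainname column)
#    and disable only records that are still enabled.
$log = foreach ($u in $disabled) {
    $upn = $u.UserPrincipalName.Replace("'", "''")   # escape the OData literal
    $q   = "$api/systemusers?`$select=systemuserid,domainname,isdisabled" +
           "&`$filter=domainname eq '$upn' and isdisabled eq false"
    $r = Invoke-RestMethod -Method Get -Headers $headers -Uri $q
    foreach ($su in $r.value) {
        if ($Commit) {
            # PATCH from the answer above. Dataverse online may refuse this for
            # users whose state it manages from Azure AD; errors stop the run.
            Invoke-RestMethod -Method Patch -Headers $headers `
                -Uri "$api/systemusers($($su.systemuserid))" `
                -Body '{"isdisabled": true}' | Out-Null
        }
        [pscustomobject]@{
            When         = (Get-Date).ToString("o")
            UPN          = $su.domainname
            SystemUserId = $su.systemuserid
            Action       = if ($Commit) { "disabled" } else { "would-disable" }
        }
    }
}

# 4. Audit trail: one CSV per run, plus console output for the scheduler log.
$csv = Join-Path (Get-Location) "disable-sync-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
$log | Export-Csv -Path $csv -NoTypeInformation
$log
```

Run it once without -Commit to review the would-disable list before scheduling it with -Commit in Azure Automation or Task Scheduler.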
Configuration Steps
1. Ensure Proper Permissions:
Grant appropriate API permissions in Azure AD for the application accessing the user data.
Permissions required:
User.Read.All (Graph API).
Directory.Read.All (Graph API).
2. Enable User Synchronization in Azure AD Connect:
Ensure Azure AD Connect is configured to synchronize user attributes to D365.
3. Monitor and Audit Changes:
Set up logging to track which users were disabled and when.
Use D365 system jobs to review automated updates.
Summary of Recommended Approach
For simplicity and scalability:
Best Option: Use Power Automate to synchronize user status in real time.
Alternative: Create a scheduled job using the Microsoft Graph API.