
Security group on environment level, but I want all employees as systemusers.


I have a Dataverse environment/app where I want to restrict access at the environment level using a security group. However, I still want all users in the organization to be synced as users (so that I can use lookups against the user table without needing a custom user table).

With a security group, users are only created as users once they log in for the first time. If I create the environment without a security group, all users are synced. I can add the security group afterward, but then new employees will not be added.

Is there a good solution to this problem?

  • Suggested answer
    Tom_Gioielli (2,762, Super User 2025 Season 2)
    I'm not sure on an approach for the User table, but have you considered using the AAD User table for your lookup references instead? This is a virtual table that should include all possible users in your org, and would prevent the need to try and brute force everyone into the System User table (which is a bit of a black box and, as you have discovered, difficult to force it to contain all users).
     
  • Verified answer
    Daivat Vartak (v-9davar) (7,835, Super User 2025 Season 2)
    Hello Sunilkumar,
     

    You've identified a classic challenge in Dataverse environment security: balancing tight access control with the need for comprehensive user data for lookups. Here's a breakdown of the problem and potential solutions:

    The Problem:

    • Security Groups: When you secure a Dataverse environment with a security group, only users within that group who attempt to access the environment are provisioned as users in Dataverse. This limits access but hinders the ability to use lookups against all organization users.

    • No Security Group: Without a security group, all users are synced, providing comprehensive user data but granting potential access to the environment to everyone.

    • Adding Security Group Later: Adding a security group after initial sync doesn't address the ongoing issue of new employees not being automatically provisioned.

     

    Solutions and Workarounds:

    Power Automate User Provisioning:

     

    • How it Works: Create a Power Automate flow that triggers when a new user is created in Azure Active Directory (Azure AD).

    • Flow Steps:

      • Trigger: "When a user is created (V3)" in Azure AD.

      • Action: "Add user to an environment" (Dataverse connector).

      • Configure the action to add the new user to your Dataverse environment.

      • Configure the action to assign a security role that has no access to data.

    • Advantages:

      • Automates user provisioning, ensuring all users are created in Dataverse.

      • Allows you to maintain environment-level security with a security group. 

    • Considerations:

      • Requires Power Automate skills.

      • You will need to assign a security role that has no access to data, to prevent unauthorized data access.

     

    Azure Logic Apps:

    • Azure Logic Apps can also be used to create a process similar to the Power Automate solution.

    • It is very similar to Power Automate, but runs directly in Azure.

     

    Recommendation:

    • The Power Automate user provisioning solution is generally the most practical and efficient. It allows you to automate user creation while maintaining environment-level security.

    • Make sure to create a security role that has absolutely no access to any data, and assign it to the users that are added by the Power Automate flow.
     
    If my answer was helpful, please click Like, and if it solved your problem, please mark it as verified to help other community members find more. If you have further questions, please feel free to contact me.
     
    My response was crafted with AI assistance and tailored to provide detailed and actionable guidance for your Microsoft Dynamics 365 query.
     
    Regards,
    Daivat Vartak
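
A reconciliation check for the setup described in the answer above, as an added example that is not part of the original thread: it compares a directory export with systemuser rows and reports users the provisioning flow missed, users synced without any role, and users outside the security group who hold more than the no-data role. The role name `No Data Access`, the record shapes and all sample values are assumptions constructed for illustration; `azureactivedirectoryobjectid` is the systemuser column holding the directory object id.

```python
# Added example: audit "everyone is a systemuser, only the group gets data access".
# All data below is constructed; the role name is an assumption, not from the thread.
NO_ACCESS_ROLE = "No Data Access"

DIRECTORY_USERS = [  # constructed directory export: object id + UPN
    {"id": "aaa-1", "upn": "ana@contoso.example"},
    {"id": "bbb-2", "upn": "ben@contoso.example"},
    {"id": "ccc-3", "upn": "cho@contoso.example"},
    {"id": "ddd-4", "upn": "dev@contoso.example"},
    {"id": "eee-5", "upn": "eli@contoso.example"},
    {"id": "fff-6", "upn": "fay@contoso.example"},
]

# constructed: object ids that are members of the environment's security group
GROUP_MEMBERS = {"aaa-1", "bbb-2"}

SYSTEM_USERS = [  # constructed rows shaped like systemuser plus assigned role names
    {"azureactivedirectoryobjectid": "aaa-1", "roles": ["Salesperson"]},
    {"azureactivedirectoryobjectid": "bbb-2", "roles": [NO_ACCESS_ROLE]},
    {"azureactivedirectoryobjectid": "ccc-3", "roles": [NO_ACCESS_ROLE]},
    {"azureactivedirectoryobjectid": "ddd-4", "roles": [NO_ACCESS_ROLE, "Salesperson"]},
    {"azureactivedirectoryobjectid": "fff-6", "roles": []},
]


def audit(directory_users, group_members, system_users):
    """Return UPNs grouped by the kind of drift found."""
    by_id = {u["azureactivedirectoryobjectid"]: u for u in system_users}
    findings = {"missing": [], "no_role": [], "over_privileged": []}
    for user in directory_users:
        row = by_id.get(user["id"])
        if row is None:
            # Never provisioned: lookups against the user table cannot find them.
            findings["missing"].append(user["upn"])
            continue
        roles = set(row["roles"])
        if not roles:
            # Synced, but the role-assignment step did not run.
            findings["no_role"].append(user["upn"])
        elif user["id"] not in group_members and roles - {NO_ACCESS_ROLE}:
            # Outside the security group yet holding a data-bearing role.
            findings["over_privileged"].append(user["upn"])
    return findings


if __name__ == "__main__":
    for kind, upns in audit(DIRECTORY_USERS, GROUP_MEMBERS, SYSTEM_USERS).items():
        print(f"{kind}: {upns}")
```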
