Skip to main content

Notifications

Announcements

No record found.

Microsoft Dynamics CRM forum
Unanswered

Force Sync users using PowerShell

Posted on by

Hello!

Based on the documentation on https://learn.microsoft.com/en-us/power-platform/admin/troubleshooting-user-needs-read-write-access-organization#adding-or-refreshing-users-on-demand we can force sync users on Demand. This might seem helpful on certain situations:

  • We have a large number of users that we need to sync and we can't wait for PPAC to trigger
  • A high number of users are being added to the security groups and we need provide access immediately, and we can't go on a one-by-one basis on PPAC

Without delays, this is a sample script that can be used for this purpose:

$EnvironmentName = 'EnvironmentID'
$groupName='display name of the group'

#Get environment
$Environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName
if($Environment)
{
  #AzureAD part. Connect to azure and retrieve enabled users
  Connect-AzureAD

  #Using SecurityGroups
  $Group = Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }
  $users = Get-AzureADGroupMember -ObjectId $group.ObjectId

  #Querying directly the AzureAD
  $users = Get-AzureADUser -all $true | where {$_.accountenabled -eq $true}
  $users
  
  #iterating through the array of users
  foreach ($user in $users)
  {
    #Force sync on each user
    Add-AdminPowerAppsSyncUser -EnvironmentName $Environment.EnvironmentName -PrincipalObjectId $user.ObjectId
  }
}

If we know the EnvironmentID, we can trigger the sync by running the add-adminpowerappsyncuser documented on https://learn.microsoft.com/en-us/powershell/module/microsoft.powerapps.administration.powershell/add-adminpowerappssyncuser?view=pa-ps-latest  the other part, would require to connect to AzureAD.  ON this scripts, I'm using 2 possibilities:

- Getting all users on the Domain that are active, through the command get-azureaduser.  By using the parameter -all $true, I'm ensuring I'm querying the whole directory and retrieving all elements (and not batches of 5000 for example).  I'm also using a where condition to specify to retrieve only enabled users.

- Getting all users on an AzureAD SecurityGroup.  For this scenario, First I need the security group name (original parameter).   After running the Get-azureadGroup (with a condition to retrieve the one with the exact same name), I can run a second command to get all members of this security group:  get-azureadGroupMember that receives as a parameter the ObjectID of the security group.

The beauty of this approach is that:

  1. I can build my own script to force sync users on demand
  2. I can add some custom logic for example, to write a log to indicate when was the user processed, or send email notification once it completes
  3. I can add some additional lines, to make validations (if user exists, if there are users that fulfill the condition, etc)
  4. If there's any error, I can capture it and investigate (or provide it to Microsoft on a Support case)

Regards,

Helpful resources

Quick Links

Replay now available! Dynamics 365 Community Call (CRM Edition)

Catch up on the first D365 Community Call held on 7/10

Community Spotlight of the Month

Kudos to Saurav Dhyani!

Congratulations to the June Top 10 community leaders!

These stars go above and beyond . . .

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 288,420 Super User

#2
Martin Dráb Profile Picture

Martin Dráb 225,672 Super User

#3
nmaenpaa Profile Picture

nmaenpaa 101,148

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans