Skip to main content



No record found.

Microsoft Dynamics CRM forum

Force Sync users using PowerShell

Posted on by


Based on the documentation on we can force sync users on Demand. This might seem helpful on certain situations:

  • We have a large number of users that we need to sync and we can't wait for PPAC to trigger
  • A high number of users are being added to the security groups and we need provide access immediately, and we can't go on a one-by-one basis on PPAC

Without delays, this is a sample script that can be used for this purpose:

$EnvironmentName = 'EnvironmentID'
$groupName='display name of the group'

#Get environment
$Environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName
  #AzureAD part. Connect to azure and retrieve enabled users

  #Using SecurityGroups
  $Group = Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }
  $users = Get-AzureADGroupMember -ObjectId $group.ObjectId

  #Querying directly the AzureAD
  $users = Get-AzureADUser -all $true | where {$_.accountenabled -eq $true}
  #iterating through the array of users
  foreach ($user in $users)
    #Force sync on each user
    Add-AdminPowerAppsSyncUser -EnvironmentName $Environment.EnvironmentName -PrincipalObjectId $user.ObjectId

If we know the EnvironmentID, we can trigger the sync by running the add-adminpowerappsyncuser documented on  the other part, would require to connect to AzureAD.  ON this scripts, I'm using 2 possibilities:

- Getting all users on the Domain that are active, through the command get-azureaduser.  By using the parameter -all $true, I'm ensuring I'm querying the whole directory and retrieving all elements (and not batches of 5000 for example).  I'm also using a where condition to specify to retrieve only enabled users.

- Getting all users on an AzureAD SecurityGroup.  For this scenario, First I need the security group name (original parameter).   After running the Get-azureadGroup (with a condition to retrieve the one with the exact same name), I can run a second command to get all members of this security group:  get-azureadGroupMember that receives as a parameter the ObjectID of the security group.

The beauty of this approach is that:

  1. I can build my own script to force sync users on demand
  2. I can add some custom logic for example, to write a log to indicate when was the user processed, or send email notification once it completes
  3. I can add some additional lines, to make validations (if user exists, if there are users that fulfill the condition, etc)
  4. If there's any error, I can capture it and investigate (or provide it to Microsoft on a Support case)


Helpful resources

Quick Links

Replay now available! Dynamics 365 Community Call (CRM Edition)

Catch up on the first D365 Community Call held on 7/10

Community Spotlight of the Month

Kudos to Saurav Dhyani!

Congratulations to the June Top 10 community leaders!

These stars go above and beyond . . .


André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 288,420 Super User

Martin Dráb Profile Picture

Martin Dráb 225,672 Super User

nmaenpaa Profile Picture

nmaenpaa 101,148


Featured topics

Product updates

Dynamics 365 release plans