Hello!
Based on the documentation at https://learn.microsoft.com/en-us/power-platform/admin/troubleshooting-user-needs-read-write-access-organization#adding-or-refreshing-users-on-demand we can force a user sync on demand. This can be helpful in certain situations:
- We have a large number of users to sync and we can't wait for PPAC to trigger the sync
- A high number of users are being added to the security groups and we need to provide access immediately, without going one by one in PPAC
Without further delay, this is a sample script that can be used for this purpose:
$EnvironmentName = 'EnvironmentID'
$groupName = 'display name of the group'

# Get environment
$Environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName

if ($Environment) {
    # AzureAD part. Connect to Azure AD and retrieve enabled users
    Connect-AzureAD

    # Option 1: using a security group. -All $true avoids the default page size,
    # so every member is returned and not only the first batch
    $Group = Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -eq $groupName }
    $users = Get-AzureADGroupMember -ObjectId $Group.ObjectId -All $true

    # Option 2: querying Azure AD directly for all enabled users
    # (uncomment this line to use it instead of option 1, otherwise it overwrites $users)
    # $users = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled -eq $true }

    # Show the users that are going to be processed
    $users

    # Iterate through the array of users
    foreach ($user in $users) {
        # Force sync on each user
        Add-AdminPowerAppsSyncUser -EnvironmentName $Environment.EnvironmentName -PrincipalObjectId $user.ObjectId
    }
}
If we know the EnvironmentID, we can trigger the sync by running Add-AdminPowerAppsSyncUser, documented at https://learn.microsoft.com/en-us/powershell/module/microsoft.powerapps.administration.powershell/add-adminpowerappssyncuser?view=pa-ps-latest. The other part requires connecting to AzureAD. In this script I'm using two possibilities:
- Getting all active users in the domain through Get-AzureADUser. By using the parameter -All $true, I ensure I'm querying the whole directory and retrieving all elements (and not batches of 5000, for example). I'm also using a Where-Object condition to retrieve only enabled users.
- Getting all users in an AzureAD security group. For this scenario, I first need the security group name (original parameter). After running Get-AzureADGroup (with a condition to retrieve the group with the exact same name), I can run a second command to get all members of this security group: Get-AzureADGroupMember, which receives the ObjectId of the security group as a parameter.
The beauty of this approach is that:
- I can build my own script to force sync users on demand
- I can add some custom logic, for example to write a log indicating when each user was processed, or to send an email notification once it completes
- I can add some additional lines to make validations (whether the user exists, whether there are users that fulfill the condition, etc.)
- If there's any error, I can capture it and investigate (or provide it to Microsoft in a support case)
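As an added example (not the author's script), here is one way to put the two user sources described above and the custom logic from this list together: a function that selects users either from a security group or from the whole directory, validates the environment and the group before touching anything, writes a timestamped log per user, and captures each sync error into an object that can be handed to a support case. It uses the same AzureAD and Microsoft.PowerApps.Administration.PowerShell cmdlets as the original script and assumes you are already signed in (Connect-AzureAD / Add-PowerAppsAccount). The function name, parameter names and $LogPath are this example's own choices.

```powershell
# Added example, not the original post's script. Assumes the AzureAD and
# Microsoft.PowerApps.Administration.PowerShell modules are installed and that
# Connect-AzureAD / Add-PowerAppsAccount have already been run.
# Function and parameter names, and the log path, are assumptions of this example.
function Sync-PowerPlatformUsers {
    [CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'Group')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$EnvironmentName,          # environment ID, as in the original script

        [Parameter(ParameterSetName = 'Group', Mandatory = $true)]
        [string]$GroupName,                # display name of an AzureAD security group

        [Parameter(ParameterSetName = 'AllEnabled', Mandatory = $true)]
        [switch]$AllEnabledUsers,          # every enabled user in the directory

        [string]$LogPath = (Join-Path $env:TEMP 'pp-user-sync.log')
    )

    function Write-Log {
        param([string]$Message)
        $line = '{0:u} {1}' -f (Get-Date), $Message
        Add-Content -Path $LogPath -Value $line
        Write-Verbose $line
    }

    # Validation 1: the environment must exist before any user is processed.
    $Environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName
    if (-not $Environment) {
        throw "Environment '$EnvironmentName' was not found."
    }

    # Pick the user source. -All $true avoids the default page size on both cmdlets.
    if ($PSCmdlet.ParameterSetName -eq 'Group') {
        $Group = Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -eq $GroupName }
        if (-not $Group) { throw "Security group '$GroupName' was not found." }
        if (@($Group).Count -gt 1) { throw "More than one group is named '$GroupName'; use the ObjectId instead." }

        # Group membership can include nested groups and service principals;
        # the sync cmdlet expects user principals, so keep only enabled users.
        $users = Get-AzureADGroupMember -ObjectId $Group.ObjectId -All $true |
                 Where-Object { $_.ObjectType -eq 'User' -and $_.AccountEnabled -eq $true }
    } else {
        $users = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled -eq $true }
    }

    # Validation 2: an empty selection is a result worth logging, not an error.
    if (-not $users -or @($users).Count -eq 0) {
        Write-Log "No users matched the selection; nothing to sync."
        return @()
    }

    Write-Log ("Starting sync of {0} user(s) into environment {1}" -f @($users).Count, $Environment.EnvironmentName)
    $failures = @()

    foreach ($user in $users) {
        if (-not $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Force user sync')) { continue }
        try {
            # -ErrorAction Stop turns non-terminating cmdlet errors into catchable ones.
            Add-AdminPowerAppsSyncUser -EnvironmentName $Environment.EnvironmentName `
                                       -PrincipalObjectId $user.ObjectId -ErrorAction Stop | Out-Null
            Write-Log ("OK   {0} ({1})" -f $user.UserPrincipalName, $user.ObjectId)
        }
        catch {
            # Keep the full record so it can be investigated or attached to a support case.
            $failures += [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                ObjectId          = $user.ObjectId
                Error             = $_.Exception.Message
            }
            Write-Log ("FAIL {0} ({1}): {2}" -f $user.UserPrincipalName, $user.ObjectId, $_.Exception.Message)
        }
    }

    Write-Log ("Finished: {0} succeeded, {1} failed" -f (@($users).Count - $failures.Count), $failures.Count)
    return $failures   # an empty array means every selected user was synced
}

# Usage (constructed placeholder values):
# Sync-PowerPlatformUsers -EnvironmentName 'EnvironmentID' -GroupName 'display name of the group' -Verbose
# Sync-PowerPlatformUsers -EnvironmentName 'EnvironmentID' -AllEnabledUsers -WhatIf
```

Running the function with -WhatIf lists the users that would be synced without calling Add-AdminPowerAppsSyncUser, which is a cheap way to check that the group filter selects what you expect before forcing a sync on a large directory. The returned array of failures is the same information the log holds, in a form that can be exported with Export-Csv for a support case.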
Regards,