Force Sync users using PowerShell

Posted on by Microsoft Employee

Hello!

Based on the documentation at https://learn.microsoft.com/en-us/power-platform/admin/troubleshooting-user-needs-read-write-access-organization#adding-or-refreshing-users-on-demand, we can force sync users on demand. This might seem helpful in certain situations:

  • We have a large number of users that we need to sync and we can't wait for PPAC to trigger
  • A high number of users are being added to the security groups and we need to provide access immediately, and we can't go on a one-by-one basis on PPAC

Without delays, this is a sample script that can be used for this purpose:

$EnvironmentName = 'EnvironmentID'
$groupName = 'display name of the group'

# Get the environment
$Environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName
if ($Environment)
{
  # AzureAD part. Connect to Azure AD and retrieve the users to sync
  Connect-AzureAD

  # Option 1: members of a security group
  # (-All $true so that results are not cut off at the default page size)
  $Group = Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -eq $groupName }
  $users = Get-AzureADGroupMember -ObjectId $Group.ObjectId -All $true

  # Option 2: every enabled user in the directory.
  # Use this INSTEAD of option 1; running both would overwrite $users,
  # and the group lookup above would have no effect.
  # $users = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled -eq $true }

  # Show the users that will be processed
  $users

  # Iterate through the array of users
  foreach ($user in $users)
  {
    # Force sync on each user
    Add-AdminPowerAppsSyncUser -EnvironmentName $Environment.EnvironmentName -PrincipalObjectId $user.ObjectId
  }
}

If we know the EnvironmentID, we can trigger the sync by running the Add-AdminPowerAppsSyncUser cmdlet documented at https://learn.microsoft.com/en-us/powershell/module/microsoft.powerapps.administration.powershell/add-adminpowerappssyncuser?view=pa-ps-latest. The other part requires connecting to AzureAD. In this script, I'm using 2 possibilities:

- Getting all users on the domain that are active, through the command Get-AzureADUser. By using the parameter -All $true, I'm ensuring I'm querying the whole directory and retrieving all elements (and not batches of 5000, for example). I'm also using a where condition to retrieve only enabled users.

- Getting all users in an AzureAD security group. For this scenario, first I need the security group name (original parameter). After running Get-AzureADGroup (with a condition to retrieve the one with the exact same name), I can run a second command to get all members of this security group: Get-AzureADGroupMember, which receives as a parameter the ObjectId of the security group.

The beauty of this approach is that:

  1. I can build my own script to force sync users on demand
  2. I can add some custom logic, for example, to write a log to indicate when the user was processed, or send an email notification once it completes
  3. I can add some additional lines to make validations (if the user exists, if there are users that fulfill the condition, etc.)
  4. If there's any error, I can capture it and investigate (or provide it to Microsoft on a Support case)

Regards,
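
The validations, per-user log and error capture listed in points 2 to 4, sketched as an added example (not part of the original post). It scopes the sync to one security group and to enabled user accounts only; the log path and the placeholder values are assumptions, and the cmdlet's return value is recorded as-is because its shape is not described on this page.

```powershell
# Added example: placeholder values and a hypothetical log path; replace before use.
$EnvironmentName = 'EnvironmentID'
$GroupName       = 'display name of the group'
$LogPath         = Join-Path $PWD 'force-sync-log.csv'
$ErrorActionPreference = 'Stop'

$Environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName
if (-not $Environment) { throw "Environment '$EnvironmentName' not found." }

Connect-AzureAD | Out-Null

# Validation 1: the display name must resolve to exactly one group.
# Display names are not unique, so refuse to guess between duplicates.
$escaped = $GroupName.Replace("'", "''")   # escape quotes for the OData filter
$groups  = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
}

# Validation 2: keep only enabled user objects (members can also be
# nested groups, devices or service principals).
$users = @(Get-AzureADGroupMember -ObjectId $groups[0].ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' -and $_.AccountEnabled })
if ($users.Count -eq 0) { throw "No enabled users found in '$GroupName'." }

# Sync each user; one failure is recorded and does not stop the run.
$results = foreach ($user in $users) {
    $row = [ordered]@{
        TimestampUtc      = (Get-Date).ToUniversalTime().ToString('o')
        UserPrincipalName = $user.UserPrincipalName
        ObjectId          = $user.ObjectId
        Status            = 'Submitted'
        Detail            = ''
    }
    try {
        $response = Add-AdminPowerAppsSyncUser -EnvironmentName $Environment.EnvironmentName `
            -PrincipalObjectId $user.ObjectId
        # Keep whatever the cmdlet returned so it can be reviewed later.
        $row.Detail = ($response | Out-String).Trim()
    }
    catch {
        $row.Status = 'Failed'
        $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$failed = @($results | Where-Object { $_.Status -eq 'Failed' })
Write-Host "Processed $($users.Count) users, $($failed.Count) failed. Log: $LogPath"
```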
