
Using AD or AAD to set Security and Business Unit


Interested in using AD groups to manage security roles for our users, but was wondering if there is a similar setup to also assign the BU value.

Currently, our security is set up role-based (i.e. Sales Person, Sales Manager, etc.) but we have to split it up into our various BUs, multiplying the number of roles. So now the "Sales Person" role becomes "Sales Person - NA", "Sales Person - LA", "Sales Person - EMEA" and so on.

Am I stuck having to duplicate this similar model if I want to migrate to AD groups to manage security roles?

  • Suggested answer
    Steven RH JIANG

    Please correct me in case of any misunderstanding.

    1. Inside Dynamics CRM, we can create an AAD Office Group team, and it maps to an Azure AD group

    2. Inside Dynamics CRM, for this newly created team, we can assign both security role and BU

    3. Any member of this team will inherit the security role and BU assigned to the team

    So if you create all the Azure AD groups, i.e. 'Sales Person - NA', 'Sales Person - LA', 'Sales Person - EMEA', inside Azure AD properly, and then create corresponding 'AAD Office Group' teams inside CRM, it shall achieve your goal, won't it?

    For example, if you add user A to both Azure AD groups, 'Sales Person - NA' and 'Sales Person - LA', user A will get the 'Sales Person' role in both NA and LA automatically.

  • gert-jan.terschure

    In our case we loaded all AD Groups required as "AAD Security Group Teams" and then assigned these to the owning business unit in Dynamics. If you use a naming convention in AAD, this can easily be automated as the "Teams" entity is exposed in the CDS odata entity.

    After the AD-Groups have been imported, you then assign the appropriate roles to the newly created teams. If you use the same naming convention, this again can easily be automated as roles are also exposed via the odata api.
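
The automation described in this reply could start from a plan like the following. This is an added example, not part of the original post or the poster's own code: the GUIDs, group list and base URL are constructed placeholders, and the field names are those of the Dataverse Web API team table as assumed here.

```python
import re

# Constructed sample data: every GUID, name and the base URL is a placeholder.
BASE = "https://example.crm.dynamics.com/api/data/v9.2"
BUSINESS_UNITS = {"NA": "00000000-0000-0000-0000-0000000000a1",
                  "LA": "00000000-0000-0000-0000-0000000000a2"}
# Dataverse keeps a copy of each role per business unit: key is (role, BU).
ROLES = {("Sales Person", "NA"): "00000000-0000-0000-0000-0000000000b1",
         ("Sales Person", "LA"): "00000000-0000-0000-0000-0000000000b2",
         ("Sales Manager", "NA"): "00000000-0000-0000-0000-0000000000b3"}
AAD_GROUPS = [  # (display name, Azure AD object id)
    ("Sales Person - NA", "00000000-0000-0000-0000-0000000000c1"),
    ("Sales Person - LA", "00000000-0000-0000-0000-0000000000c2"),
    ("Sales Manager - EMEA", "00000000-0000-0000-0000-0000000000c3"),
    ("All Staff", "00000000-0000-0000-0000-0000000000c4"),
]
NAME_RE = re.compile(r"^(?P<role>.+?) - (?P<bu>[A-Z]+)$")

def plan_teams(groups, business_units, roles):
    """Return (plan, rejected); groups that do not resolve are never defaulted."""
    plan, rejected = [], []
    for name, object_id in groups:
        m = NAME_RE.match(name)
        if not m:
            rejected.append((name, "name does not follow '<Role> - <BU>'"))
            continue
        role, bu = m["role"], m["bu"]
        if bu not in business_units:
            rejected.append((name, f"unknown business unit {bu!r}"))
            continue
        if (role, bu) not in roles:
            rejected.append((name, f"no {role!r} role in business unit {bu!r}"))
            continue
        plan.append({
            "team": {  # body for POST {BASE}/teams
                "name": name,
                "teamtype": 2,        # 2 = AAD security group team
                "membershiptype": 0,  # 0 = members and guests
                "azureactivedirectoryobjectid": object_id,
                "businessunitid@odata.bind": f"/businessunits({business_units[bu]})",
            },
            # body for POST {BASE}/teams(<teamid>)/teamroles_association/$ref
            "role_ref": {"@odata.id": f"{BASE}/roles({roles[(role, bu)]})"},
        })
    return plan, rejected

if __name__ == "__main__":
    plan, rejected = plan_teams(AAD_GROUPS, BUSINESS_UNITS, ROLES)
    print(len(plan), "teams planned;", "rejected:", rejected)
```

Reviewing the rejected list before sending any request keeps a misnamed group from silently becoming a team in the wrong business unit.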

  • Community Member

    Thanks for this information! Very helpful.

    Is there any way we could separate the BU assignment and security role assignment? I.e. one Azure AD group for "Sales Person" and another AAD group for "NA"? The reason for this would be to reduce duplication of role/BU assignments, as we would have dozens of different business unit assignments across the many different security roles we manage.

    We will be using an identity provider to automate the group assignment, and the logic to determine BU and security role would be simpler if we just assigned separate groups for the regional BU and then the security role.

  • gert-jan.terschure

    I wouldn't recommend it. It would mean losing granular control. Take this example:

    User X is a member of the role "Sales Managers".

    User X is a member of the role "Business Unit A".

    User X needs to have access to "Business Unit B". In the setup you propose, User X would immediately be "Sales Manager" in "Business Unit B".

    As Team and AAD group creation is automated, I wouldn't worry about having a long list of groups. In fact, it's more secure as it gives a more granular control over the security as users can suddenly be in different roles in different business units.
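
The over-grant this reply describes can be checked before choosing a group design. The following is an added example, not part of the original post: it compares one group per role and business unit with separate role and BU groups, and the users and intended grants are constructed.

```python
from itertools import product

# Constructed sample: the (role, business unit) pairs each user is meant to hold.
INTENDED = {
    "user_x": {("Sales Manager", "A"), ("Sales Person", "B")},
    "user_y": {("Sales Person", "A")},
    "user_z": {("Sales Manager", "A"), ("Sales Manager", "B")},
}

def combined_groups(intended):
    """One AAD group per pair, named '<Role> - <BU>': membership equals intent."""
    return sorted(f"{role} - {bu}" for role, bu in intended)

def split_groups(intended):
    """Separate role groups and BU groups: the smallest set covering the intent."""
    return {r for r, _ in intended}, {b for _, b in intended}

def effective_when_split(intended):
    """Every role group combines with every BU group the user is in."""
    roles, bus = split_groups(intended)
    return set(product(roles, bus))

def audit(intended_by_user):
    """Return {user: sorted unintended (role, BU) pairs} under the split design."""
    findings = {}
    for user, intended in intended_by_user.items():
        extra = effective_when_split(intended) - intended
        if extra:
            findings[user] = sorted(extra)
    return findings

if __name__ == "__main__":
    for user, extra in audit(INTENDED).items():
        print(user, "over-granted:", extra)
```

Only users whose intended role differs between business units show up in the audit, which is the case the reply warns about.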

  • R4isin

    Hello,

    Are you sure about your third point?

    ==> Any member of this team will inherit the security role and "BU assigned to the team"

    I am trying to assign security roles and BUs to users following their security groups from Azure. So I create an AAD Security Group Team in Dynamics 365 and link it with the security group from Azure (via the object ID).
    For now, it's a success for the security roles, but the users stay on the root BU even if the AAD Security Group has a different BU :/

    I guess that the only possibility is to handle this via Power Automate or code....

    I also see that there is a latency when a user is removed from the Azure security group (he is still present in the AAD Security Group Team in Dynamics 365), but I don't know exactly how much time this synchronization takes.

    Kr,

    Julien C.

  • DynamicsPO_ZH

    Hello,

    I am also trying to allocate users to different BUs using AAD Security Groups but have experienced the same as Julien.

    Despite the team being assigned to a specific BU, users added via this team get assigned to the root BU instead.

    Are there any means to overcome this without custom automation?

    Especially since I'm wondering: when I programmatically change the user's BU, he will also lose his security roles again, won't he?

    Thanks and best regards

    Sascha

  • AriaConsulting

    Sascha,

    Would you be able to connect to your instance using Power Query against the table/entity "role" using a query value of "= Source{[Name="roles",Signature="table"]}[Data]" and send me the file?  I have an idea but need better data than I have in my SBX to work with to see if there might be a way.
