How to disable D365 account once user has been disabled in Azure directory

In our environment, O365 users are imported as application users in D365 upon request.
However, once these users have left, their O365 account is disabled, but this does not synchronize into D365.
Currently, we do it manually, but it is very time-consuming.

Can anybody advise how to do it automatically, and what configuration needs to be taken?
  • Verified answer
    Amit Katariya007 Profile Picture
    Amit Katariya007 8,941 Super User 2024 Season 1 on at
    How to disable D365 account once user has been disabled in Azure directory
    To automatically synchronize the status of Office 365 (O365) users with Dynamics 365 (D365), ensuring that accounts disabled in O365 are also disabled in D365, you can implement a streamlined approach using Azure Active Directory (AAD) and Power Automate. Here's a step-by-step guide to automate this process:
     
    Option 1: Use Power Automate to Synchronize User Status
    1. Set Up the Power Automate Flow
    Trigger: Use the When a user is updated trigger in the Azure AD connector to detect changes in user accounts.
     
    Action:
    Check if the accountEnabled attribute is false.
    If so, update the corresponding user record in D365 to disable the user.
     
    Steps:
    1. Log in to Power Automate.
    2. Create a new flow:
    Trigger: Azure AD - When a user is updated.
    Condition: Check if accountEnabled is set to false.
     
    Action: Use the Dataverse connector to update the user record in D365, setting the IsDisabled attribute to true.
     
    2. Example Flow Design
    Trigger: Azure AD - When a user is updated.
    Condition: accountEnabled equals false.
     
    Action:
     
    Find the corresponding user in D365 using the email address or username.
    Update the SystemUser table:
    Set isDisabled to true.
     
    Option 2: Use Azure AD Dynamic Groups with D365
    1. Create a Dynamic Group in Azure AD
    Use Azure AD dynamic membership rules to group disabled accounts automatically.
     
    Example Rule:
    (user.accountEnabled -eq false)
    This rule dynamically adds disabled O365 accounts to the group.
     
    2. Sync the Group with D365
    Integrate the Azure AD group with Dynamics 365 using Azure AD Connect.
    Map the group’s disabled status to update the corresponding SystemUser records in D365.
     
    Option 3: Custom Plugin in D365
    1. Write a Plugin to Periodically Check User Status
    Develop a plugin in D365 that queries Azure AD for the accountEnabled status of all application users.
    Automatically disable users in D365 if their O365 accounts are disabled.
     
    2. Steps:
    Use Azure AD Graph API or Microsoft Graph API to fetch user account status.
    Match user principal names (UPNs) between Azure AD and D365.
    Update the IsDisabled property of the SystemUser entity in D365.
     
     
    Option 4: Scheduled Job Using Microsoft Graph API
     
    1. Create a Scheduled Script
    Write a script (e.g., using PowerShell or C#) that:
    Queries Microsoft Graph API for disabled users.
    Updates their corresponding records in D365 via Dataverse API.
     
    2. Steps:
    Query Disabled Users in Azure AD:
    Use the following Graph API endpoint:
    GET https://graph.microsoft.com/v1.0/users?$filter=accountEnabled eq false
     
    Update Users in D365:
    Use the Dataverse Web API to update the SystemUser table:
    PATCH [Organization URI]/api/data/v9.2/systemusers(systemuserid)
    {
        "isdisabled": true
    }
     
    3. Schedule the Script
    Use Azure Automation or Task Scheduler to run the script periodically.
     
     
    Configurations to Take
     
    1. Ensure Proper Permissions:
    Grant appropriate API permissions in Azure AD for the application accessing the user data.
     
    Permissions required:
    User.Read.All (Graph API).
    Directory.Read.All (Graph API).
     
    2. Enable User Synchronization in Azure AD Connect:
    Ensure Azure AD Connect is configured to synchronize user attributes to D365.
     
    3. Monitor and Audit Changes:
    Set up logging to track which users were disabled and when.
    Use D365 system jobs to review automated updates.
     
    Summary of Recommended Approach
    For simplicity and scalability:
    Best Option: Use Power Automate to synchronize user status in real time.
    Alternative: Create a scheduled job using the Microsoft Graph API.
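
The scheduled job from Option 4, written out as an added example (this is not code from the answer above or from Microsoft). It reads disabled accounts from Microsoft Graph, looks up the matching `systemuser` row in Dataverse by UPN, and sends the `isdisabled` PATCH the answer describes. Everything beyond the two endpoints shown in the answer is an assumption: the `$OrgUri`, `$GraphToken` and `$DataverseToken` parameters, that the tokens were already obtained elsewhere (for example by an Azure Automation managed identity or an app registration), and that `systemuser.domainname` holds the user's UPN.

```powershell
<#
  Added example for the scheduled-job approach (Option 4); not the poster's code.
  Assumptions not stated on the page:
    - $OrgUri is the Dataverse environment URL, e.g. https://contoso.crm.dynamics.com
    - $GraphToken / $DataverseToken are bearer tokens already acquired for
      https://graph.microsoft.com and for $OrgUri respectively
    - systemuser.domainname stores the user's UPN
#>
param(
    [Parameter(Mandatory)] [string] $OrgUri,
    [Parameter(Mandatory)] [string] $GraphToken,
    [Parameter(Mandatory)] [string] $DataverseToken,
    [switch] $WhatIf      # dry run: report what would change, send no PATCH
)

function Get-DisabledEntraUsers {
    param([string] $Token)
    # Request only the properties needed and follow @odata.nextLink paging;
    # one call returns at most 999 users.
    $uri = 'https://graph.microsoft.com/v1.0/users?$filter=accountEnabled eq false&$select=id,userPrincipalName&$top=999'
    $headers = @{ Authorization = "Bearer $Token" }
    $users = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $users += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $users
}

function Get-DataverseUserByUpn {
    param([string] $OrgUri, [string] $Token, [string] $Upn)
    # A single quote inside an OData string literal is escaped by doubling it,
    # so a UPN containing one cannot break out of the filter expression.
    $literal = $Upn.Replace("'", "''")
    $filter = [uri]::EscapeDataString("domainname eq '$literal'")
    $uri = "$OrgUri/api/data/v9.2/systemusers?`$select=systemuserid,domainname,isdisabled&`$filter=$filter"
    $headers = @{
        Authorization      = "Bearer $Token"
        'OData-MaxVersion' = '4.0'
        'OData-Version'    = '4.0'
        Accept             = 'application/json'
    }
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    return $result.value | Select-Object -First 1
}

function Disable-DataverseUser {
    param([string] $OrgUri, [string] $Token, [string] $SystemUserId)
    $uri = "$OrgUri/api/data/v9.2/systemusers($SystemUserId)"
    $headers = @{
        Authorization      = "Bearer $Token"
        'OData-MaxVersion' = '4.0'
        'OData-Version'    = '4.0'
        'Content-Type'     = 'application/json'
        'If-Match'         = '*'     # update only; a PATCH must never create a row
    }
    $body = @{ isdisabled = $true } | ConvertTo-Json
    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -Body $body | Out-Null
}

$disabled = Get-DisabledEntraUsers -Token $GraphToken
Write-Output "$(Get-Date -Format o) Graph reports $($disabled.Count) disabled account(s)"

foreach ($u in $disabled) {
    $row = Get-DataverseUserByUpn -OrgUri $OrgUri -Token $DataverseToken -Upn $u.userPrincipalName
    if (-not $row) {
        Write-Output "SKIP  $($u.userPrincipalName): no systemuser row"
        continue
    }
    if ($row.isdisabled) {
        Write-Output "OK    $($u.userPrincipalName): already disabled"
        continue
    }
    if ($WhatIf) {
        Write-Output "WOULD $($u.userPrincipalName): disable $($row.systemuserid)"
        continue
    }
    Disable-DataverseUser -OrgUri $OrgUri -Token $DataverseToken -SystemUserId $row.systemuserid
    # Audit line: which row was disabled, when, and the upstream reason.
    Write-Output "DONE  $($u.userPrincipalName): disabled $($row.systemuserid) because accountEnabled=false in Azure AD"
}
```

Run it once with `-WhatIf` and keep the output as the audit trail the answer's "Monitor and Audit Changes" step asks for; each line names the UPN, the `systemuserid` and the reason. On the Graph side, the application permission `User.Read.All` is enough to read `accountEnabled`, so the broader `Directory.Read.All` can be left off the app registration. On the Dataverse side the caller needs an application user with a security role that can update `systemuser`; check in a sandbox that your environment type accepts a direct `isdisabled` PATCH before scheduling the job, and schedule it under an identity that holds only those two grants.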