Multiple Users Losing Security Roles due to expiration AD Account

(0) Share

Report

Posted on by Community Member Microsoft Employee

Hello,

I am a Junior Profile in the CRM Domain, Thanks in advance or the directions and help

I am facing an issue with some users (8 users) that cannot access CRM as of 13 Jan because they lost their security Roles,

After checking we found that all these users had their accounts on AD expired.

I wanted to know if this is the cause or it's not related,

Also i it's the cause what is the Trigger in CRM, Is there like a Process that detects if the Users Account on AD is expired and removes the roles ?

Thank you,

Nabil

All responses (5)

Answers (1)

Community Member Microsoft Employee on at

Like (0)

Report

RE: Multiple Users Losing Security Roles due to expiration AD Account

Hello Philip,

Thank you for the clarification, i believe that's exactly what happend,

Well noted for the on premise, i thought i has Synch too

Regards,

Nabil
Verified answer

PhilipK 611 on at

Like (0)

Report

RE: Multiple Users Losing Security Roles due to expiration AD Account

Hi Nabil.

On-premise has no active(on schedule) "syncing" with Active directory, it does however query AD for a user when it's added to the organization, but after that it does not keep track of the state of the user in AD e.g. Disabled or change of other properties.
Security Roles in CRM is related to Business Unit(I assume that what you was referring to with "Divisions") and if a user changes business unit the enabled security roles are reset, hence needs to be set for those under that Business Unit.

In D365 Online however there is an active sync between AD and the users that would either be enabled(licensed and if used, a member of a specified AD/AAD security group) or disabled.

Best regards.

Philip
Suggested answer

Community Member Microsoft Employee on at

Like (1)

Report

RE: Multiple Users Losing Security Roles due to expiration AD Account

Thanks Steve and Kumar for the feedbacks,

Bipin Kumar We use On Premise Version, if i'm not mistaking the same behavior exist in CRM on Premise --> If the user's account is expired in AD that means that it's deactivated in CRM, in other words it loses roles too

For the Solution, we found Out that someone has hanged a Parent Division in PROD without telling anyone, which made the users attached to it lose their roles, now roles have to be re-assigned

Could a Mod mark this as answered, as I'm not able from my side, Thanks,

Regards,

Nabil
Suggested answer

Bipin D365 28,961 Moderator on at

Like (0)

Report

RE: Multiple Users Losing Security Roles due to expiration AD Account

Hello,

Are you using On-premise version of Dynamics CRM?

Have you tried checking Audit history of the user whose roles are remove to know which account has been used to remove roles?

I know a background job runs in CRM online which check for the user license in Azure AD and if licese is remove from the user then User status will be marked as disabled in dynamics crm but this is not applicable for CRM On-premise version.

Please mark my answer verified if this is helpful!

Regards,

Bipin Kumar

Follow my Blog: xrmdynamicscrm.wordpress.com/
Community Member Microsoft Employee on at

Like (0)

Report

RE: Multiple Users Losing Security Roles due to expiration AD Account

Hi Nabil Louardi,

A quick question: Are those Users' type Guest?

Community site session details

Multiple Users Losing Security Roles due to expiration AD Account

Helpful resources

Quick Links

Announcing Our 2025 Season 1 Super Users!

Vahid Ghafarpour – Community Spotlight

Tip: Become a User Group leader!

Leaderboard

Featured topics

Product updates

Community site session details

Multiple Users Losing Security Roles due to expiration AD Account

Helpful resources

Quick Links

Announcing Our 2025 Season 1 Super Users!

Vahid Ghafarpour – Community Spotlight

Tip: Become a User Group leader!

Subscribe to this forum!

Select categories

Leaderboard

Featured topics

Product updates