Microsoft Dynamics 365 | Integration, Dataverse...

How to dynamically update user's Business unit and Security Roles?

(0) Share

Report

Posted on by Dave Wi

Hello,

I have couple of Group Teams associated with Azure AD.

My requirement is as follows:

Whenever the user is added/removed from AD group, identify associated user's CDS team's "Security Role" and "Business Unit" and remove that security role from user and assign org level business unit to that user.

For example as indicated in following table:

Azure AD Group	Users	User's Security Role at Environment Level	User's CDS Group Teams	User's CDS BU	Demo Group Team 1's Security Role	Demo Group Team 1's Business Unit
Demo AD Group 1	Demo User 1	CDS User Role + Environment Maker Role	Demo Group Team 1 + Org Team	Org BU	Demo Security Role 1	Demo BU 1

When "Demo User 1" is added in "Demo AD Group 1" in AAD, then "Demo User 1" should be updated with Demo Group Team 1's Security Role and Demo Group Team 1's Business unit.
When "Demo User 1" is deleted in "Demo AD Group 1" in AAD, then "Demo User 1" should be removed with Demo Group Team 1's Security Role and assign org level Business unit.

How can I implement above two actions dynamically?

Thanks,

I have the same question (0)

All responses (6)

Answers (0)

Suggested answer

PerezAguiar Microsoft Employee on at

Like (0)

Report

Hey Dave.

There's a similar functionality using AAD Security Groups within a Dynamics instance. If you assign a security role to an AAD Security Group, members will receive the same role:

Unfortunately this is only available using the "Classic Interface" and not the UI and has several limitations (nested security groups are not supported for example).
The other option is to use Powershell (a job that runs every hour or every day for example). You have a Powershell AddOn on Sean's Github (https://github.com/seanmcne/Microsoft.Xrm.Data.PowerShell.Samples/tree/master/UserOperations) with similar scenarios:

Hope it helps!

Was this reply helpful? Yes No
Dave Wi on at

Like (0)

Report

Hi,

I think, we can not assign "Security Role" to "AAD group" but we can assign to "Team" in CDS.

and Team, does not reflect it's security role for its member for sure, at least that's how I have noticed and experienced.

Is there any specific configuration I need to set up for Team/Security role so that whenever new user is added, It would adopt team's security role?

Do you suggest to change the role/BU of user dynamically via PowerShell whenever new user is added into the team?

Thanks,

Was this reply helpful? Yes No
Dawidvh on at

Like (0)

Report

We should be able to allocate roles to a Dynamics team, that is linked though an Azure AD Object Id to a security or Office Group. This doesn't seem to be working though currently, although I am very sure this has worked before. Can anyone else confirm that this is working for them currently?

Was this reply helpful? Yes No
PerezAguiar Microsoft Employee on at

Like (0)

Report

HI.

- You can assign roles to Teams in Dynamics, where the team is related to an Azure AD Security Group. Team members won't show in dynamics until they login the next time and they receive security roles as long as the Security Roles are related to Teams and not User

- Of course, you can use a powershell to assign/remove users from Security groups in AD and at the same time, connect to Dynamics and remove/assign the appropriate security role. But this is a separated process that uses the API/POwershell and is not related to mapping Dynamics teams to Azure AD Groups.

Was this reply helpful? Yes No
Ronald Hulshof on at

Like (1)

Report

Were you able to find a solution on how to dynamically set the user's Business Unit based on its AAD Group memberships? I can probably do this with a Power Automate flow, but I cannot imagine that would be Microsoft's best practice? Any ideas?

Was this reply helpful? Yes No
Ragnar Hilmarsson 3,427 on at

Like (0)

Report

appsource.microsoft.com/.../arango.arangoum

Was this reply helpful? Yes No