Force Sync Users From Entra Security Group To Dataverse Team
An Entra security group linked to a Dataverse Team can be used to grant access to Power Platform environments, apps, and automations all at once. The catch is that a user will not appear in the Dataverse Team until they have logged into the environment at least once. We can solve this by building a flow that force syncs the user into the environment and then updates the Dataverse Team membership whenever a new member is added to the Entra security group.
Table of Contents
• Introduction: The Force Sync User Power Automate Flow
• Choose An Entra Security Group & Add A Member
• Create An Entra Security Group Based Dataverse Security Team
• Inspect The Dataverse Security Team Members
• Trigger A Flow When An Entra Security Group Member Is Added
• Force Sync User When Added To Entra Security Group
• Sync Entra Security Group Members To The Security Team
• Test The Flow By Adding A Security Group Member
• Completed Flow Code: Force Sync Users
Introduction: The Force Sync User Power Automate Flow
The Engineering Team uses an Entra Security Group to manage access to their Power Platform environment, Power Apps, and Power Automate flows.
When a new team member is added to the Entra Security Group, a flow runs in the background to add the user to the environment. The linked Security Team in the Power Platform environment then picks up the user automatically and grants them its security roles.
Choose An Entra Security Group & Add A Member
We want to add a user to the Power Platform environment when a new member is added to an Entra Security Group. Go to the Azure Portal and open the Groups service. Select an existing group or add a new group.
Then add a new member to the group.
Create An Entra Security Group Based Dataverse Security Team
A Dataverse Security Team can be linked to an Entra Security Group. When a new member is added to the Security Group they are also synced to the Security Team, but only if their user account already exists in the environment.
Go to the Power Platform Admin Center and open the Environments page. Select an environment and then browse to the Teams page. It shows a list of all Teams in the environment. Create a new Team.
Choose a Team Type of Microsoft Entra ID Security Group and select the group name matching your Entra Security Group.
Give members of the Security Team any security roles needed for using apps and automations in the environment. Press Save to create the Team.
Inspect The Dataverse Security Team Members
The new Security Team we created does not show any Team Members even though it is linked to the Entra Security Group we set up. Why doesn’t the user appear? It is because the user has not yet been added to the environment.
Go to the list of Users for the environment and look for the Team Member. As expected, they do not appear. We could add the user manually, but instead we should create an automated process that adds the user to the environment at the same time they are assigned to the Entra Security Group.
Trigger A Flow When An Entra Security Group Member Is Added
Go to Power Automate and create a new cloud flow. Choose the Office 365 Groups – When A Group Member Is Added Or Removed trigger. Surprisingly, this trigger works even though we created an Entra Security Group, not an Office 365 Group.
Select the Entra Security Group in the flow trigger.
Force Sync User When Added To Entra Security Group
The trigger starts the flow when a group member is added or removed. We only want to force sync users when a group member is added. The trigger output only carries the @removed value for removals, so that value is what tells the two cases apart.
Insert a Condition action into the flow. Set the left side of the condition to the @removed dynamic value from the trigger. Choose the comparison operator “is equal to” and leave the right side empty.
Then add a Power Platform For Admins – Force Sync User action to the If no block. Choose the Power Platform environment and fill in the ObjectId with the User Id from the flow trigger. After saving, check a run produced by removing a member and confirm the Force Sync User branch was skipped; the flow should only ever force sync on an add.
Sync Entra Security Group Members To The Security Team
After the Force Sync User action adds the user to the Power Platform environment we want to immediately sync them to the Security Team. Add a Dataverse – Perform A Bound Action and select the table name Teams. Pick the bound action named SyncGroupMembersToTeam.
The Row ID is the unique identifier of the Security Team. To obtain this value, open the Security Team in the Power Platform Admin Center and copy and paste the id parameter included in the web address.
Test The Flow By Adding A Security Group Member
The flow is now complete. Turn on the flow and then go to the Entra Security Group within the Azure Portal. Add a member to the Security Group.
A few minutes later the flow starts, the user is force synced into the environment, and the Dataverse Security Team is synced.
The newly added user now shows as a member of the Dataverse Security Team.
Completed Flow Code: Force Sync Users
For reference, here is a screenshot of the entire flow.
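The flow above handles one member at a time as they are added. The script below is an added example (it is not code from the original post or from Microsoft) that performs the same two operations from PowerShell so an existing group and Team that are already out of sync can be reconciled in bulk, and then reads the Team membership back to verify the result. It assumes the Microsoft.PowerApps.Administration.PowerShell, Microsoft.Graph.Groups and Az.Accounts modules are installed, that the caller is a Power Platform admin with access to the environment, and that $EnvironmentName, $GroupId, $TeamId and $OrgUrl are placeholder values you supply.

```powershell
<#
  Added example, not from the original post.
  1. Force Sync User for every user member of the Entra group
     (same as the "Power Platform for Admins - Force Sync User" flow action).
  2. Call the Team-bound SyncGroupMembersToTeam action
     (same as the "Perform a bound action" flow step).
  3. Read the Team's members back and report any group member still missing.
  All parameter values are placeholders you must supply.
#>
param(
    [Parameter(Mandatory)] [string] $EnvironmentName, # environment ID as returned by Get-AdminPowerAppEnvironment
    [Parameter(Mandatory)] [string] $GroupId,         # Entra security group object ID
    [Parameter(Mandatory)] [string] $TeamId,          # Dataverse Team GUID (the "id" in the admin center URL)
    [Parameter(Mandatory)] [string] $OrgUrl           # e.g. https://contoso.crm.dynamics.com (placeholder)
)

Import-Module Microsoft.PowerApps.Administration.PowerShell
Import-Module Microsoft.Graph.Groups
Import-Module Az.Accounts

Add-PowerAppsAccount | Out-Null
Connect-MgGraph -Scopes 'GroupMember.Read.All' | Out-Null
Connect-AzAccount | Out-Null

# Step 1: enumerate user members only. Force Sync User takes a user object ID,
# so nested groups and service principals are skipped (and reported).
$members = Get-MgGroupMember -GroupId $GroupId -All
$users   = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
$skipped = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user' })
foreach ($s in $skipped) {
    Write-Warning "Skipping non-user member $($s.Id) ($($s.AdditionalProperties['@odata.type']))"
}

foreach ($u in $users) {
    Write-Host "Force syncing $($u.AdditionalProperties['userPrincipalName']) ..."
    Add-AdminPowerAppsSyncUser -EnvironmentName $EnvironmentName -PrincipalObjectId $u.Id | Out-Null
}

# Step 2: call SyncGroupMembersToTeam through the Dataverse Web API.
$token = (Get-AzAccessToken -ResourceUrl $OrgUrl).Token
if ($token -is [System.Security.SecureString]) {
    # Newer Az.Accounts versions return the token as a SecureString.
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}
$headers = @{
    Authorization      = "Bearer $token"
    'OData-MaxVersion' = '4.0'
    'OData-Version'    = '4.0'
    Accept             = 'application/json'
}
$base = "$($OrgUrl.TrimEnd('/'))/api/data/v9.2"
Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' -Body '{}' `
    -Uri "$base/teams($TeamId)/Microsoft.Dynamics.CRM.SyncGroupMembersToTeam" | Out-Null

# Step 3: read the Team membership back and diff it against the group.
$teamUsers = @((Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$base/teams($TeamId)/teammembership_association?`$select=systemuserid,fullname,azureactivedirectoryobjectid,isdisabled").value)

$inTeam  = @($teamUsers | ForEach-Object { $_.azureactivedirectoryobjectid })
$missing = @($users | Where-Object { $inTeam -notcontains $_.Id })

"Team now has $($teamUsers.Count) member(s); group has $($users.Count) user member(s)."
foreach ($m in $missing) {
    Write-Warning "Still missing from Team: $($m.AdditionalProperties['userPrincipalName']) ($($m.Id))"
}
```

Run it once against a group and Team that drifted apart, then watch the warnings: a user still missing after step 2 usually means Force Sync User could not add them to the environment in the first place (no license, or not in the environment's access group), which the Team sync cannot fix on its own.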
Questions?
If you have any questions or feedback about Force Sync Users From Entra Security Group To Dataverse Team please leave a message in the comments section below. You can post using your email address and are not required to create an account to join the discussion.
Matt, was there a reason why you didn’t add logic for when a user was removed from the AD group? Does Force Sync User work when a user is removed?
Sanjeev,
Yes, it’s because we don’t need to force remove the user. When they are removed from the AD group they will become deactivated and lose permissions. It’s the initial add that requires force sync and nothing more.
You can check out the other piece of the strategy in this article:
https://www.matthewdevaney.com/share-a-model-driven-app-with-an-entra-security-group/
We had a use-case where a Team isn’t access-related (it’s used to filter a view on the Users table), so we do need to force the removal of the user.
I found the SyncGroupMembersToTeam bound action didn’t work for this, but RemoveMembersTeam did. This expects an array of systemuser objects as the Members parameter, so I obtain a single-item array with a List Rows action, (filtering on azureactivedirectoryobjectid), and select only systemuserid (this is the only column needed, and some others cause an error to be thrown).
If I already have a group and a team that are out of sync, what is the method to loop through the users of the group and force the sync?
Matt, you describe that the user only appears once they log in to the environment. I understand that that’s a pity, and someone checking the DV team might get confused because the user is added in the Entra ID SG.
My question is: besides this asymmetry of information, are there any technical issues that might occur? My assumption is yes, please see below.
I remember a case we had where the users of our app did not even have the “Basic” and “App Opener” roles assigned to them in an environment. We provided those roles using a DV Team. We experienced that some users, when initially launching the app, had some issues since our app used an instant flow that is triggered by the user in an app and should run in the context of the user (run-only permission). This flow did not work for some users when they initially opened the app. We concluded that the users, when they initially logged in, did not get the “Basic” and “App Opener” permissions.
We fixed it by giving the DV Team that has the same name as the environment, where all users are members, the stated permissions. The issues never occurred again. We did this because our sync flow for syncing the Entra ID SG and DV Team did not work…
Hi Matt, do you know of an alternative to the Power Platform For Admins – Force Sync User action? Perhaps another Dataverse unbound action or using the web API? We’re currently using this action in an automated workflow, but it occasionally fails to fetch a refresh token, forcing us to manually re-authenticate the connection.
Hey Matthew! Great post, and it comes at a great time as we are experiencing some Entra group sync issues because we have new environments where we are deploying solutions with custom connectors and the users need an SR in order to use the connector. Anyway, I have implemented this solution, but once I run it, everything appears to work, yet when I check the team it is still empty. We should expect to see the users in the team once the flow runs, correct? Any way to verify?