Force Sync Users From Entra Security Group To Dataverse Team

An Entra security group linked to a Dataverse Team can be used to grant access to Power Platform Environments, apps, and automations all at once. The challenge is User will not appear in the Dataverse Team unless they have logged into the environment at least once. We can solve this by building a flow to force sync users and also update the Dataverse Team members when new users are added to an Entra Security group.

Table of Contents
• Introduction: The Force Sync User Power Automate Flow
• Choose An Entra Security Group & Add A Member
• Create An Entra Security Group Based Dataverse Security Team
• Inspect The Dataverse Security Team Members
• Trigger A Flow When An Entra Security Group Member Is Added
• Force Sync User When Added To Entra Security Group
• Sync Entra Security Group Members To The Security Team
• Test The Flow By Adding A Security Group Member
• Completed Flow Code: Force Sync Users

Introduction: The Force Sync User Power Automate Flow

The Engineering Team uses an Entra Security Group to manage access to their Power Platform environment, Power Apps, and Power Automate flows.

When a new team member is added to the Entra Security group the linked Security Team in the Power Platform Environment automatically adds the user and assigns security roles. A flow is triggered in the background to add the user to the environment.

Choose An Entra Security Group & Add A Member

We want to add a user to the Power Platform environment when a new member is added to an Entra Security Group. Go to the Azure Portal and open the Groups service. Select an existing group or add a new group.

Then add a new member to the group.

Create An Entra Security Group Based Dataverse Security Team

A Dataverse Security Team can be linked to an Entra Security Group. When a new member is added to the Security Group they are also synced to the Security team if their user account was previously added to the environment.

Go to the Power Platform Admin Center and open the Environments page. Select an environment and then browse to the Teams page. It will show all a list of all Teams in the environment. Create a new Team.

Choose a Team Type of Microsoft Entra ID Security Group and select the group name matching your Entra Security Group.

Give members of the Security Team any security roles needed for using apps and automations in the environment. Press Save to create the Team.

Inspect The Dataverse Security Team Members

The new Security Team we created does not show any Team Members even though it is linked to the Entra Security Group we setup. Why doesn’t the User appear? It is because the User is not yet added to the environment.

Go to the List of Users for the environment and look for the Team Member. As expected they do not appear. We could add the User manually but instead we should create an automated process where the User is added at the same time they are assigned to the Entra Security Group.

Trigger A Flow When An Entra Security Group Member Is Added

Go to Power Automate and create a new Instant Flow. Choose the Office 365 Groups – When A Group Member Is Added Or Removed trigger. Surprisingly, this trigger will work even though we created an Entra Security Group, not an Office 365 Group.

Select the Entra Security Group in the flow trigger.

Force Sync User When Added To Entra Security Group

The trigger will start the flow when a group member is added or removed. We only want to force sync users when a group member is added.

Insert a Condition action into the flow. Set the left side of condition to the @removed dynamic value from the trigger. Choose the comparison operator “is equal to” and leave the right side empty.

Then add a Power Platform For Admins – Force Sync User action to the If no block. Choose the Power Platform environment and fill-in the ObjectId with the User Id from the flow trigger.

Sync Entra Security Group Members To The Security Team

After the Force Sync User action adds the User to the Power Platform environment we want to immediately sync them to the Security Team. Add a Dataverse – Perform A Bound Action and select the table name Teams. Pick the bound action named SyncGroupMembersToTeam.

The Row ID is the unique identifier of the Security Team. To obtain this value, open the Security Team in Power Platform Admin center and copy& paste the id parameter included in the web address.

Test The Flow By Adding A Security Group Member

The flow is now completed. Turn on the flow and then go to the Entra Security Group within the Azure Portal. Add a member to the Security Group.

A few minutes later, the flow will start, the user is force synced to the environment and the Dataverse security team.

The newly added User now shows as a member of the Dataverse security team.

Completed Flow Code: Force Sync Users

For reference, here is a screenshot of the entire flow.

Questions?

If you have any questions or feedback about Force Sync Users From Entra Security Group To Dataverse Team please leave a message in the comments section below. You can post using your email address and are not required to create an account to join the discussion.