Azure AD group team in Dataverse

Team-based security structures are quite common. I have often wondered whether role assignment in Dataverse can be automated when a user is added to a group in Azure AD. Here is the answer: automatic sync of access from an Azure AD group to Dataverse.

Traditionally, Dataverse has Access and Owner Teams. An Azure AD group team is much like an Owner Team: it can own records and can have security roles assigned to it. The main difference is that its membership is synced with the Azure AD group, i.e. you don’t need to manually assign the security role to users in Dataverse once they are part of the AD group. The sync between Azure AD and Dataverse happens when the user tries to log in, and the user then carries the roles assigned to that team in Dataverse.

Manage group teams – Power Platform | Microsoft Docs

Steps to create an Azure AD group team

Prerequisites:

  • An Azure Active Directory (Azure AD) group is required for each group team.
  • Obtain the Azure AD group’s ObjectID from https://portal.azure.com.

Steps:

  1. In the web app, go to Settings > Advanced Settings.
  2. Select Settings > Security. In Microsoft Dynamics 365 for Outlook, go to Settings > System > Security.
  3. Select Teams.
  4. On the Actions toolbar, select the New button.
  5. Enter a team name.
  6. Select a business unit.
  7. Enter an administrator.
  8. Select Team Type (a drop-down list is displayed).
  9. Select AAD Security or Office group (this must match the Azure AD group type).
  10. Enter the ObjectID of the Azure AD Security or Office group.
  11. Select Membership Type, and then one of the following:
    • Members and guests
    • Members
    • Owners
    • Guests
      The Azure AD group members of the selected membership type are mapped to the group team when the member accesses the system.
  12. Select Save.

If you don’t select the business unit to which the team will belong, the root business unit is selected by default. The root business unit is the first business unit created for an organization.
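The same team can be created through the Dataverse Web API instead of the UI. The following is an added example (not code from the original post): it builds the request body for the steps above and enforces the step 9 caveat that the team type must match the Azure AD group type. The column names and option values are assumed to follow the Dataverse `team` table schema (teamtype 2 = AAD Security Group, 3 = AAD Office Group; membershiptype 0 to 3 in the order of step 11), and the Graph group record is constructed sample data.

```python
"""Build a Dataverse group-team payload and validate it against the AAD group.

Assumed: Dataverse `team` table columns teamtype (2 = AAD Security Group,
3 = AAD Office Group), azureactivedirectoryobjectid and membershiptype
(0 Members and guests, 1 Members, 2 Owners, 3 Guests).
"""
import uuid

TEAM_TYPE = {"AAD Security": 2, "AAD Office group": 3}
MEMBERSHIP_TYPE = {"Members and guests": 0, "Members": 1, "Owners": 2, "Guests": 3}


def expected_team_type(graph_group: dict) -> str:
    """Derive the Dataverse team type from a Microsoft Graph group object.

    An M365 (Office) group carries "Unified" in groupTypes; a plain
    security group is securityEnabled without the "Unified" group type.
    """
    if "Unified" in graph_group.get("groupTypes", []):
        return "AAD Office group"
    if graph_group.get("securityEnabled"):
        return "AAD Security"
    raise ValueError("group is neither a security group nor an M365 group")


def build_group_team(name, graph_group, team_type, membership_type,
                     business_unit_id=None, administrator_id=None):
    """Return the JSON body for POST /api/data/v9.2/teams.

    Raises ValueError if the ObjectID is not a GUID or the chosen team type
    does not match the group (step 9). Leaving business_unit_id out omits the
    column, so Dataverse falls back to the root business unit (step 12 note).
    """
    object_id = str(uuid.UUID(graph_group["id"]))  # validates the ObjectID
    if team_type != expected_team_type(graph_group):
        raise ValueError(f"team type {team_type!r} does not match the AAD group")
    body = {
        "name": name,
        "teamtype": TEAM_TYPE[team_type],
        "azureactivedirectoryobjectid": object_id,
        "membershiptype": MEMBERSHIP_TYPE[membership_type],
    }
    if business_unit_id:
        body["businessunitid@odata.bind"] = f"/businessunits({business_unit_id})"
    if administrator_id:
        body["administratorid@odata.bind"] = f"/systemusers({administrator_id})"
    return body


# Constructed sample: a security group as returned by GET /groups/{id}
SAMPLE_GROUP = {"id": "11111111-2222-3333-4444-555555555555",
                "displayName": "Sales Reps", "securityEnabled": True, "groupTypes": []}
```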

5 thoughts on “Azure AD group team in Dataverse”

  1. Hi and thanks for the post.
    I am trying to continue from here and have a webhook registered to fire whenever an AAD user has been added to the AAD group team. Afaik this happens when the user connects to the environment just in time.
    I have tried to use the “Associate” and “AddMembersTeam” messages to trigger the webhook. Unfortunately it only works when I manually add a user, but not when it happens through the AAD group.

  3. Yes, if the AAD group is a dynamic group, i.e. based on a query of any sort, the association or add-member trigger won’t fire. This can be achieved using the Azure AD Monitor log. The log can be read for messages like add-member and remove-member; using that log message you can fire a flow or logic app to perform the desired action.

    1. Thank you for your reply, really helpful!

      Do you know if there is any workaround to having to use the Azure AD Monitor log?
      I.e. is there a following step within Dataverse that can be used to fire the logic, like an AddPrivileges?

      1. There aren’t any steps or connectors available to capture the trigger. If the AD group that you are using is a static group wherein you add users manually during your onboarding, then you can fire the triggers from the Azure AD side, not the Dynamics end, because AAD team membership is completely different compared to traditional teams. In AAD group teams, you only see the membership activated when the user first logs in. Even if you add the user to the relevant group in AD, it won’t happen immediately in Dynamics.
