Self Service User Management (part 1)

Our Supply Chain department is using a custom model-driven app in support of their process for framework agreements management. Their request is to grant the stakeholders (Office management, Facility management, project calculators, etc.) access to the app with read-only permissions and restricted view permission to the related document folders in SharePoint Online. Some of those people don’t have access to Dynamics 365 and are not available as users in Dynamics 365.

My goal is to offer some kind of self service user management to the key user(s) of the Supply Chain department that should take care of the following:

  1. Key user should be able to “grant users access to the system”
  2. Assignment of license if missing
  3. Adding user(s) to the Azure AD security group that grants access to the Dynamics 365 instance
  4. Assignment to the relevant Business Unit once the user is (re)enabled in Dynamics 365
  5. Invite the “enabled” user to the model-driven app

The first deliverable, granting access to the system, can only be achieved indirectly. The idea is to let the key user add users to an Azure AD “group”, use the same group in a Team in Dynamics 365, and assign the custom “Readers” security role to that Team.
There are different options for self-service group membership in Azure AD, each by making the key user owner of one of the following:

  • Office 365 Group
  • Azure AD Security Group
  • Azure AD Mail-enabled Security Group

I prefer to use the Mail-enabled Security Group (I don’t like the overhead of an Office 365 Group), which has the following advantages:

  1. Owner of the group can manage the members from Outlook
  2. The group has an e-mail address that can be used to send notifications to its members
  3. This type of group can be used in the action ‘Grant access to an item or a folder’ of the Power Automate SharePoint connector
  4. This type of group can be used for Group-based licensing

So I create My First Mail-enabled Security Group in Azure AD.

Then I create a Team in Dynamics 365 of the type ‘AAD Security Group’ and use the Azure AD Object Id of the My First Mail-enabled Security Group, and assign it to the relevant Business Unit. Last I assign the custom “Readers” security role to this Team.

This only gives access to users who are enabled in Dynamics 365, which means they must be licensed and be (or become) a member of the Azure AD Security Group that gives access to the Dynamics 365 instance. So the users also have to be added to that Azure AD Security Group.
Nested or multiple security groups are not supported for this, so please vote for this idea by Marc Gerner: Support for nested or multiple security groups.

Assigning licenses to users can be automated by group membership in Azure Active Directory (group-based licensing), but for the moment I’m not going to use this in our case; that’s something to implement in the near future.
For now this remains an action for the IT department.

The next step is to add users to the Azure AD Security Group that gives access to the Dynamics 365 instance, with the help of a Power Automate flow. I’m going to use the Azure AD connector and three of its actions in this flow. I’ve added the account used by the connection as owner of the Azure AD Security Group, since only an owner can manage its members.

Here is the overview of the flow:

This flow starts with a scheduled trigger and gets all group members of the mail-enabled security group “Readers” that is managed by the key user.

For every group member, the membership of the “grant access to instance” Azure AD security group “Users” is checked. The GUID (object id) of this security group is set in the Initialize variable action.

If the user is not a member, it is added to the security group “Users”.
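The reconciliation the flow performs (list members of “Readers”, check membership of “Users”, add when missing) is small enough to show as plain code. The block below is an added example, not the flow from this post: it uses a constructed in-memory stand-in for the two Microsoft Graph calls the Azure AD connector actions make (`GET /groups/{id}/members` and `POST /groups/{id}/members/$ref`), and the group object ids and user ids are placeholders. It goes a little beyond the flow in two ways: it skips members that are not user objects (a nested group would be ignored by the instance access group anyway) and reports them, and it is idempotent, so rerunning it on schedule does not try to add a member twice.

```python
"""
Reconcile the key-user-managed 'Readers' mail-enabled security group into the
'Users' security group that grants access to the Dynamics 365 instance.
Same logic as the scheduled flow: list Readers -> check Users -> add if missing.
"""
from dataclasses import dataclass


@dataclass
class DirectoryObject:
    """Minimal stand-in for a Microsoft Graph directoryObject (constructed)."""
    id: str
    odata_type: str          # "#microsoft.graph.user", "#microsoft.graph.group", ...
    display_name: str = ""


class FakeGraphClient:
    """
    In-memory stand-in for the two Graph calls behind the connector actions
    (constructed for this example, not a real SDK):
      GET  /groups/{id}/members        -> list_members()
      POST /groups/{id}/members/$ref   -> add_member()
    """
    def __init__(self, groups: dict[str, list[DirectoryObject]]):
        self.groups = groups
        self.calls: list[tuple[str, str]] = []   # audit trail of (group_id, object_id) adds

    def list_members(self, group_id: str) -> list[DirectoryObject]:
        return list(self.groups[group_id])

    def add_member(self, group_id: str, obj: DirectoryObject) -> None:
        # Graph rejects adding an existing member, so the caller must check first.
        if any(m.id == obj.id for m in self.groups[group_id]):
            raise ValueError(f"{obj.id} is already a member of {group_id}")
        self.groups[group_id].append(obj)
        self.calls.append((group_id, obj.id))


def reconcile(client, readers_group_id: str, users_group_id: str) -> dict[str, list[str]]:
    """
    Add every user member of Readers to Users when missing. Returns:
      added   - user ids added in this run
      present - user ids that were already members (no-op)
      skipped - non-user members (e.g. a nested group) reported instead of added
    """
    current = {m.id for m in client.list_members(users_group_id)}
    result: dict[str, list[str]] = {"added": [], "present": [], "skipped": []}
    for member in client.list_members(readers_group_id):
        if member.odata_type != "#microsoft.graph.user":
            result["skipped"].append(member.id)
            continue
        if member.id in current:
            result["present"].append(member.id)
            continue
        client.add_member(users_group_id, member)
        current.add(member.id)       # stays idempotent within a single run
        result["added"].append(member.id)
    return result


# Constructed sample directory; ids are placeholders, not real tenant values.
READERS_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"   # key user's mail-enabled group
USERS_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"     # group granting D365 instance access


def build_sample_client() -> FakeGraphClient:
    alice = DirectoryObject("u-alice", "#microsoft.graph.user", "Alice (Facility mgmt)")
    bob = DirectoryObject("u-bob", "#microsoft.graph.user", "Bob (Calculator)")
    carol = DirectoryObject("u-carol", "#microsoft.graph.user", "Carol (IT)")
    nested = DirectoryObject("g-nested", "#microsoft.graph.group", "Nested group")
    return FakeGraphClient({
        READERS_GROUP_ID: [alice, bob, nested],   # Alice is new, Bob already has access
        USERS_GROUP_ID: [bob, carol],             # Carol is managed by IT, not via Readers
    })


def run_once() -> dict[str, list[str]]:
    """One scheduled run against the sample directory, then a no-op rerun check."""
    client = build_sample_client()
    outcome = reconcile(client, READERS_GROUP_ID, USERS_GROUP_ID)
    second = reconcile(client, READERS_GROUP_ID, USERS_GROUP_ID)
    assert second["added"] == []             # rerun must not add anything again
    return outcome


if __name__ == "__main__":
    print(run_once())   # {'added': ['u-alice'], 'present': ['u-bob'], 'skipped': ['g-nested']}
```

Note that, like the flow, this is add-only: removing someone from “Readers” does not remove them from “Users”, because that group also carries members the key user does not manage (Carol in the sample). Revoking instance access therefore stays a separate, IT-owned step.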

This (re)enables the user in Dynamics 365, who then gets access to the app through the privileges of the Team.
In SharePoint we have a document library for every supplier; the folder Agreements has unique permissions that give the stakeholders read-only access to these folders only.

In part 2 I will show how to use Power Automate for the assignment to the relevant Business Unit once the user is (re)enabled in Dynamics 365, and to send the “enabled” user an invite with the link to the model-driven app.