The standard integration between CDS|Dynamics 365 and SharePoint doesn’t offer a way to keep user access in sync between both systems.
For some use cases there is a simple solution for that. In my previous blog post I’ve used an Azure AD mail-enabled security group to provide users access to Dynamics 365 and SharePoint.
This security group is used in a Team in Dynamics 365, and a security role is assigned to the Team. In this way members of the security group get access to Dynamics 365 if/once they are enabled as user in Dynamics 365.
In SharePoint the same mail-enabled security group is used to grant access for the same users. In the ‘Grant access to an item or a folder’ action a mail-enabled security group (or Office 365 group) can be added as recipients. For example to grant access to a Shared folder:
Before granting access:
After granting access:
I prefer to assign permissions/grant access to a SharePoint group and add the mail-enabled security group (or security group or Office 365 group) to that SharePoint group; it’s a best practice to assign permissions indirectly.
Grant access for a SharePoint group can be done with the following actions in a Power Automate flow:
First I declare variables for the MembershipGroupId of the SharePoint group and the RoleDefId of the permission level. Then I get the folder metadata, because I need the ItemId of the folder in the following actions.
The last 2 actions will break inheritance of the permissions and grant access to the folder for the “Readers” SharePoint group with the Restricted View permission level.
Reference REST API requests: Set custom permissions on a list by using the REST interface
Using a Azure AD “group” is a way to keep user access in sync between CDS|Dynamics365 and SharePoint.