carl1to
Helper II

Auto-Assign Business Units to Users

I'm struggling with the concept of Business Units in practice. I read a lot about the different mechanisms like Business Units, Group Teams, Security Roles, Hierarchy... and I have a more or less basic understanding about these things.

 

If you use AAD Group-Teams to distribute the roles to your users, you possibly have new users joining daily. They are all assigned to the root BU (because that is what the platform does).

How do you manage to assign them into the right BU? Manually? Power Automate? PS-Script?

Can you even practically use the concept of Business units in combination with AAD Group Teams?

ChrisPiasecki
Super User

Hi @carl1to,

 

You could use Power Automate to set the user's BU based on the AAD group team's BU. This is assuming that your users will only be assigned to one group team at a given point. Keep in mind when you change a user's BU they lose security roles, so you'll want to retrieve the assigned roles prior to moving the user and then reapply the security roles as needed.

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.

carl1to
Helper II

Hi @ChrisPiasecki 

 

Thank you for your suggestion. I tried some possibilities to automatically set the BU with Power Automate: have a table that links AAD group teams with their corresponding BU. This works, and as long as the users don't have security roles directly assigned to them, it looks doable.

But this is not really a good solution: you have to make sure that each user is only in 1 group team that defines the BU. What happens if this flow fails or a user is not in an AAD group team that defines the BU? --> The user stays in the root BU and potentially has access to records that he should not have!

Even if the user is initially in the root BU before your logic runs, why should they be given any security roles at that stage? If you add the security roles to the teams and users only gain them via membership in the correct team, then a failure of the flow couldn't leave them with too many permissions.

Well, if security roles are given through membership of AAD-Groups, they would have access to the records. For example, 1 person would be a member of the following AAD-Groups:

  • AAD-Members BU1 --> used to assign the user to the correct BU
  • Sales Manager --> has a security role assigned to its users that lets them see all sales records of the BU and child BUs

If the BU-assignment flow fails, the user in question would see all the sales records of the whole organization.
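
The failure mode discussed in this thread (the BU-assignment flow fails or is ambiguous while a group team already grants a BU-scoped role) can be caught by a periodic audit. The following is an added example, not code from any poster in the thread: it runs over constructed sample data rather than querying Dataverse, and the data layout, the group name "AAD-Members BU2", the user names and the finding codes are assumptions.

```python
# Added audit sketch over constructed data; nothing here calls a real API.
ROOT_BU = "root"

# Mapping table described in the thread: BU-defining group team -> target BU.
BU_GROUPS = {"AAD-Members BU1": "BU1", "AAD-Members BU2": "BU2"}

# Group teams whose security role reads records of the BU and its child BUs.
SCOPED_ROLE_GROUPS = {"Sales Manager"}

# Constructed users: current BU plus AAD group memberships.
USERS = [
    {"name": "alice", "bu": "BU1", "groups": ["AAD-Members BU1", "Sales Manager"]},
    {"name": "bob", "bu": "root", "groups": ["AAD-Members BU1", "Sales Manager"]},
    {"name": "carol", "bu": "root", "groups": ["Sales Manager"]},
    {"name": "dave", "bu": "BU1", "groups": ["AAD-Members BU1", "AAD-Members BU2"]},
    {"name": "erin", "bu": "root", "groups": ["AAD-Members BU2"]},
]


def audit_user(user):
    """Return the list of finding codes for one user (empty list = clean)."""
    findings = []
    targets = {BU_GROUPS[g] for g in user["groups"] if g in BU_GROUPS}
    if not targets:
        findings.append("NO_BU_GROUP")        # flow has nothing to act on
    elif len(targets) > 1:
        findings.append("AMBIGUOUS_BU")       # more than one BU-defining group
    elif user["bu"] not in targets:
        findings.append("BU_MISMATCH")        # flow failed or has not run yet
    # The case raised in the thread: still in the root BU, but a group team
    # already grants a role scoped to "BU and child BUs" (the whole org).
    if user["bu"] == ROOT_BU and SCOPED_ROLE_GROUPS & set(user["groups"]):
        findings.append("ROOT_BU_WITH_SCOPED_ROLE")
    return findings


def audit(users):
    """Map user name -> findings, listing only users with at least one."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(USERS).items():
        print(f"{name}: {', '.join(findings)}")
```
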
