cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Hailender
Frequent Visitor

Control user access to environments: security groups and licenses

Hi,

 

Can someone explain to me exactly what effect it has to secure an environment (with CDS) with a security group?

2020-04-20 11_15_54-Power Platform admin center.png

I do not understand the description on this page https://docs.microsoft.com/en-us/power-platform/admin/control-user-access.

After several tests I don't see any effect if the environment has a security group or not...

 

Thanks

Jens

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @Hailender,

So I did more digging. Another thing I forgot to mention was the Global Admins and Power Platform Admins will always get created in all environments regardless of the group assigned. Whenever changes are made to the roles, it may takes around 5 min to reflect in CDS.

2020-04-23_9-23-45.png

 

I also tested with a Trial environment type and it does not filter the users for the Trial. So I confirm security groups don't work and take affect for Trial environments! Weird!

Hope this helps...

View solution in original post

8 REPLIES 8
EricRegnier
Super User II
Super User II

Hi @Hailender,

In a tenant where there are several environments (env), especially for different purposes (e.g. Sales CDS and Manufacturing CDS) security groups helps to manage and segregate licensing and users. By default, all users that have a license gets automatically added to CDS. You might not want to pollute all your envs with a bunch of users (even though no security role is assigned) that have no relevance in that env (e.g. Manufacturing users in Sales env and vice-versa). Having a security group associated to an env enables to synchronizes/add only users that are part of that group and thus keeping your list of users clean.

Secondly, it helps to manage licensing. For instance, Manufacturing department pays for Manufacturing user licenses and same for Sales. Having groups helps to segregate and manage this.

Hope this clarifies a little!

Hello @EricRegnier,

 

Thank you for your quick response. In general, the purpose is already clear to me. But what exactly does "all users that have a license gets automatically added to CDS" mean? Where can I see which users are assigned to the CDS? According to the documentation, these users are not automatically assigned a security role.

 

I have tested the following in a Demo Tenat:

1. created a trial environment with CDS and a security group to restrict the environment

sg-group.png

2. The security group has the following three members

sg-group-members.png

3. If I now list the users of the environment there are all licensed users (without assigned security role) enabled

EnabledUser.png

 

Therefore again the question where I can see with which users the CDS is polluted?

 

Thanks

Jens

 

Hi @Hailender,

"all users that have a license gets automatically added to CDS" means that once these users have a license assigned in Office 365, a new user record is created in Common Data Service (CDS) just like in your screenshot for point #3. If the environment has no security group assigned then all the users get created, but if a group is assigned then only these user within the group. Non-members of the group will not have a user created. If the security group was assigned after creation of the environment, then non-members will automatically get deactivated in the environment. I just tried at it works as expected.

One important note, you cannot assign a security group to a default environment, the name with a suffix of "(default)", and therefore, all licensed users will exists there. Maybe this is your issue?

2020-04-22_17-50-52.png

So in your last screenshot, the "enabled users" view is select so either all these users are part of the group or it's your default environment. Do yo have any disabled users?

 

Hope this makes sense!

Hi @EricRegnier ,

 

That makes absolute sense and that's exactly how I imagined it to work.

 

But it doesn't work for me, my security group actually only has these three members (see screenshot 2). But as you can see, all users have been added (screenshot 3). This is not the default environment but it is a trial environment (in a Demo-Tenant), could this be the problem?

 

Bye and thanks

Jens

Hi @Hailender,

So I did more digging. Another thing I forgot to mention was the Global Admins and Power Platform Admins will always get created in all environments regardless of the group assigned. Whenever changes are made to the roles, it may takes around 5 min to reflect in CDS.

2020-04-23_9-23-45.png

 

I also tested with a Trial environment type and it does not filter the users for the Trial. So I confirm security groups don't work and take affect for Trial environments! Weird!

Hope this helps...

View solution in original post

Hello @EricRegnier,

 

Thank you for your research, it's been very helpful!

 

But unfortunately it is a pity that I cannot create a productive environment to test it. Because of this problem

https://powerusers.microsoft.com/t5/Common-Data-Service-for-Apps/I-can-t-create-a-productive-environ...

 

Thank you...

 

 

 

Hi @Hailender ,

 

Did you find a solution? Have exactly the same problem, not with a Trial environment though. It's on an additional production environment with an added security group and the group members are not added to the CDS.

 

Regards,

Stefan

Sorry I did not research further. And I assumed that it will work in a productive environment 🙂

Helpful resources

Announcements
PA_User Group Leader_768x460.jpg

Manage your user group events

Check out the News & Announcements to learn more.

Power Query PA Forum 768x460.png

Check it out!

Did you know that you can visit the Power Query Forum in Power BI and now Power Apps

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

PowerPlatform 768x460.png

Microsoft Learn

Check out our new Discover Your Career Path blog post series and get all the details.

Users online (2,405)