Solved: Re: Managing environment permissions with Security...

MarkPP · ‎01-29-2020

I have a scenario where i want to be able to manage some roles in an environment/s via a security/office group. I believe the way this is done is by creating a Team in the back-end of the environment and then configuring it to use the security / office group. Once you have created the team you can then assign the security role for that team. However, after setting this up it doesn’t seem to have done anything (I have waited days). It doesn't look to have synced the members as although users have been added to the AAD Group they aren’t appearing as members in the team inside the environment. If the users in the Security/Office group go to Power Apps they don't see the environment either.

I am pulling my hair out so assuming i have done something wrong.

v-siky-msft · ‎01-31-2020

@MarkPP

All your steps are on the right way, but they are special administrator's security roles, it can only be assigned to users directly.

The explanation for both security roles is in the article I shared.

As an alternative workaround, you can go to copy the 'System Administrator and Environment Maker' security roles, and try to set copies to Group.

View solution in original post

v-siky-msft · ‎01-30-2020

@MarkPP,

Could you please share the detailed steps about how did you do that?

Which security role did you assign to the Team?

If 'System Administrator and Environment Maker security roles' are assigned to Group teams, team members get the team privileges only and won't have any direct/inherited privileges. Team members won't be able to perform all the system administrator and environment maker functions. In addition they won't be able to see the list of all the environments in their tenant.

Reference: https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#edit-a-group-team

Sik

MarkPP · ‎01-31-2020

@v-siky-msft Thanks. Please see the steps below

Go to https://admin.powerplatform.microsoft.com/environments > Select the environment you want to use > Settings > Under Users and Permissions select 'Teams'

Select New and populate the following fields:

Team Name

Administrator

Team Type > AAD Office Group

Azure AD Object Id for a group > Object Id of group

Select Save

Once Saved select Manage Roles > I was choosing either System Administrator or Environment Maker

From your statement it seems to imply that you cannot assign Environment Maker or System Administrator using a security group. Does that mean the Microsoft - Establishing an environment strategy article refer to something else when referring to security groups? https://powerapps.microsoft.com/en-us/blog/establishing-an-environment-strategy-for-microsoft-power-...

The environment strategy article (Link above) suggests that the Project dev security group are environment makers. Is it a case that what they are referring to is environments which don't have a CDS database? That way you can assign a security group to that role? If that is the case it would be good to point it out so it is clear. The same article also states

Share resources with Azure AD Security Groups
Security Groups can be used to manage access to PowerApps, Flows, Common Data Service security roles

Are the Environment Maker and System Administrator roles not considered as Common Data Service security roles?

Thanks for your help.