cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Helper II
Helper II

Managing environment permissions with Security/Office Groups

I have a scenario where i want to be able to manage some roles in an environment/s via a security/office group. I believe the way this is done is by creating a Team in the back-end of the environment and then configuring it to use the security / office group. Once you have created the team you can then assign the security role for that team. However, after setting this up it doesn’t seem to have done anything (I have waited days). It doesn't look to have synced the members as although users have been added to the AAD Group they aren’t appearing as members in the team inside the environment. If the users in the Security/Office group go to Power Apps they don't see the environment either.

 

I am pulling my hair out so assuming i have done something wrong.

1 ACCEPTED SOLUTION

Accepted Solutions

@MarkPP   

All your steps are on the right way, but they are special administrator's security roles, it can only be assigned to users directly.

The explanation for both security roles is in the article I shared. 

As an alternative workaround, you can go to copy the 'System Administrator and Environment Maker' security roles, and try to set copies to Group.

 

Snipaste_2020-01-31_17-33-46.pngSnipaste_2020-01-31_17-55-04.png

 

View solution in original post

3 REPLIES 3
Community Support
Community Support

@MarkPP,

 

Could you please share the detailed steps about how did you do that?

Which security role did you assign to the Team?

If 'System Administrator and Environment Maker security roles' are assigned to Group teams, team members get the team privileges only and won't have any direct/inherited privileges. Team members won't be able to perform all the system administrator and environment maker functions. In addition they won't be able to see the list of all the environments in their tenant.

Reference: https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#edit-a-group-team 

Sik

@v-siky-msft Thanks. Please see the steps below

 

Go to https://admin.powerplatform.microsoft.com/environments > Select the environment you want to use > Settings > Under Users and Permissions select 'Teams'

 

Select New and populate the following fields:

Team Name

Administrator

Team Type > AAD Office Group

Azure AD Object Id for a group > Object Id of group

 

Select Save

 

Once Saved select Manage Roles > I was choosing either System Administrator or Environment Maker

 

From your statement it seems to imply that you cannot assign Environment Maker or System Administrator using a security group. Does that mean the Microsoft - Establishing an environment strategy article refer to something else when referring to security groups? https://powerapps.microsoft.com/en-us/blog/establishing-an-environment-strategy-for-microsoft-power-...

 

SecurityGroups.png

The environment strategy article (Link above) suggests that the Project dev security group are environment makers. Is it a case that what they are referring to is environments which don't have a CDS database? That way you can assign a security group to that role? If that is the case it would be good to point it out so it is clear. The same article also states

 

Share resources with Azure AD Security Groups
Security Groups can be used to manage access to PowerApps, Flows, Common Data Service security roles

 

Are the Environment Maker and System Administrator roles not considered as Common Data Service security roles?

 

Thanks for your help.

@MarkPP   

All your steps are on the right way, but they are special administrator's security roles, it can only be assigned to users directly.

The explanation for both security roles is in the article I shared. 

As an alternative workaround, you can go to copy the 'System Administrator and Environment Maker' security roles, and try to set copies to Group.

 

Snipaste_2020-01-31_17-33-46.pngSnipaste_2020-01-31_17-55-04.png

 

View solution in original post

Helpful resources

Announcements
New Badges

New Solution Badges!

Check out our new profile badges recognizing authored solutions!

New Power Super Users

Congratulations!

We are excited to announce the Power Apps Super Users!

Power Apps Community Call

Power Apps Community Call: February

Did you miss the call? Check out the Power Apps Community Call here.

Microsoft Ignite

Microsoft Ignite

Join digitally, March 2–4, 2021 to explore new tech that's ready to implement. Experience the keynote in mixed reality through AltspaceVR!

Users online (21,433)