Termigez1
Helper I

Security architecture

Hello,

 

I have a simple business case:

- 1 environment with security group to give access to the environment

- 3 groups of users with custom security roles

 

I want to create an architecture based on Azure AD that will allow an admin to: 1. add a user to the main security group (so he can access the environment), 2. add a user to a specific security group so he gets a security role automatically. I listed the following steps to achieve it:

 

1. Create main, access SG in Azure (Let's call it SG1)

2. Add SG1 as security group of the environment

3. Create Dynamics Team 1, type: AAD, connect it to SG1, then add it as a member of SG1 in Azure so it can synchronize. 

4. Create SG2, SG3, SG4 in Azure

5. Do step 3 for all SG in Azure. 

6. Create 3 custom security roles and add them to the appropriate Dynamics Teams.

 

Once I do all these steps I expect that, if I add User 1 to SG1 and SG2, he will be able to access the environment (due to SG1) and will be given the security role of SG2. Am I right?

 

I also wonder whether I need to:

1. Add a security role to Dynamics Team 1? If yes, can it be a very simple group without many permissions?

2. Add Azure SG2, SG3, SG4 as members of SG1 so it can all work?

 

If you think that I missed something or it can be done better, please feel free to provide better solution. Thank you in advance.

Accepted Solution
ChrisPiasecki
Dual Super User

Hi @Termigez1,

 

You're on the right track, just a few points:

  • If SG1 is just meant for associating users with the environment, you don't need to give it a Dataverse security role or create an AAD Group Team for it. Simply set the Security Group of the environment to SG1.
  • Create 3 AAD Group Teams for SG2, SG3, SG4.
  • Assign Dataverse security roles to the appropriate AAD Group Teams above as needed.
  • Add SG2, SG3, SG4 to SG1.
  • Add users to SG2, SG3 or SG4. Users get access to the environment through their nested membership of SG1, and access to Dataverse through the security roles assigned to the AAD Group Team whose SG they belong to.

 

So overall fewer steps are required than in your initial plan.

 

---
Please click Accept as Solution if my post answered your question. This will help others find solutions to similar questions. If you like my post and/or find it helpful, please consider giving it a Thumbs Up.
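The layout from the accepted answer (and the nesting the original question asked about in point 2), scripted end to end as an added example; this is not code from either poster. It uses the Microsoft.Graph PowerShell module for the groups and the Dataverse Web API for the AAD Security Group teams and their roles. The environment URL, the role names, the test user, and the use of Azure CLI to obtain a Dataverse token are all assumptions you replace for your tenant; setting SG1 as the environment's security group is done in the Power Platform admin center and is not automated here.

```powershell
# Added example, not from the original post. Builds SG1 (access) with SG2..SG4 nested
# under it, then one AAD Security Group team per role group in Dataverse with its role.
# Assumptions (placeholders, not from the page):
#   - $OrgUrl / $RoleNames / $TestUser are yours; the roles already exist in the root BU
#   - Azure CLI is installed and logged in (used only to get a Dataverse bearer token)
#   - the caller holds Group.ReadWrite.All in Graph and System Administrator in Dataverse
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users

$OrgUrl    = 'https://yourorg.crm.dynamics.com'                       # assumption
$RoleNames = @{ SG2 = 'Role A'; SG3 = 'Role B'; SG4 = 'Role C' }      # assumption
$TestUser  = 'user1@yourtenant.onmicrosoft.com'                       # assumption

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' | Out-Null

# 1. Create SG1 (environment access) and SG2..SG4 (role groups) as security groups.
$groups = @{}
foreach ($name in 'SG1', 'SG2', 'SG3', 'SG4') {
    $groups[$name] = New-MgGroup -DisplayName $name -MailEnabled:$false `
        -MailNickname $name.ToLower() -SecurityEnabled
}

# 2. Nest SG2..SG4 under SG1: membership of a role group then implies environment access.
#    Set SG1 as the environment's security group in the admin center (not automated here).
foreach ($name in 'SG2', 'SG3', 'SG4') {
    New-MgGroupMember -GroupId $groups['SG1'].Id -DirectoryObjectId $groups[$name].Id
}

# 3. Dataverse: one AAD Security Group team per role group, with its role attached.
$token   = az account get-access-token --resource $OrgUrl --query accessToken -o tsv
$headers = @{ Authorization = "Bearer $token"; 'OData-MaxVersion' = '4.0'
              'OData-Version' = '4.0'; Accept = 'application/json' }
$api     = "$OrgUrl/api/data/v9.2"

$me = Invoke-RestMethod -Uri "$api/WhoAmI" -Headers $headers    # caller's user id and root BU id

foreach ($name in 'SG2', 'SG3', 'SG4') {
    $body = @{
        name                         = "Team $name"
        teamtype                     = 2                        # 2 = AAD Security Group
        membershiptype               = 1                        # 1 = Members only (no guests/owners)
        azureactivedirectoryobjectid = $groups[$name].Id
        'businessunitid@odata.bind'  = "/businessunits($($me.BusinessUnitId))"
        'administratorid@odata.bind' = "/systemusers($($me.UserId))"
    } | ConvertTo-Json
    $team = Invoke-RestMethod -Method Post -Uri "$api/teams" -ContentType 'application/json' `
        -Headers ($headers + @{ Prefer = 'return=representation' }) -Body $body

    # Look the role up by name in the root business unit, then associate it with the team.
    $filter = "name eq '$($RoleNames[$name])' and _businessunitid_value eq $($me.BusinessUnitId)"
    $role = (Invoke-RestMethod -Uri "$api/roles?`$select=roleid&`$filter=$filter" -Headers $headers).value |
        Select-Object -First 1
    if (-not $role) { throw "Role '$($RoleNames[$name])' not found in the root business unit" }

    $ref = @{ '@odata.id' = "$api/roles($($role.roleid))" } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$api/teams($($team.teamid))/teamroles_association/`$ref" `
        -Headers $headers -ContentType 'application/json' -Body $ref
}

# 4. Check: a user added only to SG2 must resolve as a transitive member of SG1,
#    otherwise the environment's security group blocks them regardless of roles.
$user = Get-MgUser -UserId $TestUser
New-MgGroupMember -GroupId $groups['SG2'].Id -DirectoryObjectId $user.Id
$transitive = Get-MgUserTransitiveMemberOf -UserId $user.Id -All | Select-Object -ExpandProperty Id
if ($transitive -contains $groups['SG1'].Id) { "OK: $TestUser reaches SG1 through SG2" }
else { throw "$TestUser is not a transitive member of SG1; environment access will be denied" }
```

Two things worth checking once this is in place. First, the final step is the one that matters for the design: the environment only consults SG1, so if your tenant's group evaluation does not surface SG2 members as transitive members of SG1, the roles on the group teams never come into play. Second, because SG2, SG3 and SG4 are nested under SG1, whoever owns those three groups can grant environment access by adding members, so keep their ownership as tightly controlled as SG1's.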


