Monday, December 19, 2022

Configure Security Teams In Microsoft Dynamics 365

Teams in Dynamics 365 are a collection of users (of the same role) who can belong to the same or different business units. A team can have multiple users, and a user can be part of multiple teams.

You can assign security roles to teams, and the permissions apply to the members of the team.

There are four types of teams:
  1. Owner
  2. Access
  3. AAD (Azure Active Directory) Security Group
  4. AAD (Azure Active Directory) Office Group
Teams can be created and configured under Advanced Settings, Settings -> Security -> Teams.


Or open the Power Platform admin center (https://admin.powerplatform.microsoft.com/environments), select the required environment, click Settings, and click Teams under Users + permissions.


Owner Team:
Administrators can assign security roles to an owner team, and an owner team can own records (owner of records).

When a record is owned by an owner team, all the members of the team get access to the record.

A member can be part of more than one owner team.

Each member of the owner team inherits permissions defined by their security roles and “team member’s privilege inheritance” roles (which can be User privileges or Team privileges).

Administrators need to add members to the owner team manually.

Use owner teams when:
  1. The structure and definition of teams are known at the time of implementation. The structure is static.
  2. Records can be owned by the team.
  3. Security roles can be assigned to a group of members (i.e., team)
There are different views to find different types of teams.


Administrators can find Owner teams under the "All Owner Teams" view.

Select the team's name to open or click New to create a new owner team.


Here the Team Type must be Owner. Once a record is saved, the Team Type cannot be changed. It is possible to add users to the Owner team.

Click the + sign on the Team members sub-grid to add new members. It is possible to assign security roles to the owner team.


Access Teams:
You cannot assign security roles to an access team, and an access team cannot own records.

It is possible to add members to an access team, and each member in the access team has permissions assigned by their security roles.

Members can be added manually to the access team.

Use access teams when:
  1. The structure of the team is dynamic (changing – forming and dissolving).
  2. Record-level access is provided (owner of the record can define access to other users).
  3. Records can have varying levels of access (read to some users, write to another, and so on).
  4. Access can be removed anytime by the record owner.
Administrators can find Access teams under the "All User Access Teams" view. Select the team's name to open or click New to create a new access team.


Here the Team Type must be Access. Once a record is saved, the Team Type cannot be changed. It is possible to add users to the Access team.

Click the + sign on the Team members sub-grid to add new members. It is not possible to assign security roles to the access team.


Records can be shared with Access teams. Open the record you want to share and click Share.


Select an access team as required and click Add.


Select the permissions that the team members must have. Click Share to share the record, and users will access the record based on the permissions defined by the record owner.

The owner of the record will not change, and the owner can change/remove the record at any time.


AAD (Azure Active Directory) Security Group Team:
Administrators can manage and control Dynamics 365 application access using Azure Active Directory Security Groups.

In Dynamics 365, administrators need to select AAD Security Group as the team type and enter the Azure AD Object Id for a group that is created in Azure Active Directory Groups.

Each member has the permissions assigned to the AAD Security Group team (no need to assign security roles to individual members).

Administrators can find AAD Security Group teams under the "All AAD Security Group Teams" view. Select the team's name to open or click New to create a new AAD Security Group team.


Here the Team Type must be AAD Security Group. Once a record is saved, the Team Type cannot be changed.

It is not possible to add users manually to the AAD Security Group team.

It is possible to assign security roles to the AAD Security Group team.


The Azure AD Object Id for a group field (shown above) must be the group id from the Azure Active Directory Security Group Object Id (shown below). This field is mandatory when creating the AAD Security Group team in Dynamics 365, and once the record is saved, it cannot be changed.


Members are added automatically to the Dynamics 365 AAD Security Group team when they are added to the Azure Active Directory Security Group. The group type must be Security.


You can sign up for an Azure Free Trial to create new groups.

Important: Only Membership type – Assigned can be used to secure user-access rights. Dynamic User and Dynamic Device are not supported.

Users cannot be added manually to the Dynamics 365 AAD Security Group teams.

Make sure the Member’s privilege inheritance is set to Direct User (Basic) access level and Team privileges on the respective security role.


You may not see users added to the AAD Security Group team in Dynamics 365 if the users have never logged in to Dynamics 365 before. Make sure users sign in to Dynamics 365; only then will they appear in the team members sub-grid.


AAD (Azure Active Directory) Office Group Team:
AAD Office Group is like AAD Security Group with a few differences:
  1. Security: Used to manage members and computer access to shared resources for a group of users.
  2. Office 365: Provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more.
In Dynamics 365, administrators need to select AAD Office Group as the team type and enter the Azure AD Object Id for a group that is created in Azure Active Directory Groups.

Each member has the permissions assigned to the AAD Office Group team (no need to assign security roles to individual members).

Administrators can find AAD Office Group teams under the "All AAD Office Group Teams" view. Select the team's name to open or click New to create a new AAD Office Group team.


Here the Team Type must be AAD Office Group. Once a record is saved, the Team Type cannot be changed.

It is not possible to add users manually to the AAD Office Group team. 

It is possible to assign security roles to the AAD Office Group team.


The Azure AD Object Id for a group field (shown above) must be the group id from the Azure Active Directory Security Group Object Id (shown below). This field is mandatory when creating the AAD Office Group team in Dynamics 365, and once the record is saved, it cannot be changed.


Members are added automatically to the Dynamics 365 AAD Office Group team when they are added to the Azure Active Directory Security Group. The group type must be Office 365.


You can sign up for an Azure Free Trial to create new groups.

Important: Only Membership type – Assigned can be used to secure user-access rights. Dynamic User is not supported.

Users cannot be added manually to the Dynamics 365 AAD Office Group teams.

Make sure the Member’s privilege inheritance is set to Direct User (Basic) access level and Team privileges on the respective security role.


You may not see users added to the AAD Office Group team in Dynamics 365 if the users have never logged in to Dynamics 365 before. Make sure users sign in to Dynamics 365; only then will they appear in the team members sub-grid.
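
The rules above for access teams and the two AAD group team types can be checked against exported data. The following Python code is an added example, not part of the original post or any Microsoft tooling; it flags teams whose configuration contradicts those rules. It assumes team rows and group objects were exported beforehand, with teamtype codes as in the Dataverse team table, groupTypes and securityEnabled as in the Microsoft Graph group resource, a hypothetical flattened roles list, and constructed sample records.

```python
# Added example: audits exported team records against the rules in this post.
# teamtype codes follow the Dataverse team table; groupTypes / securityEnabled
# follow the Microsoft Graph group resource. The "roles" list is a hypothetical
# flattened export field. All sample records are constructed.
OWNER, ACCESS, AAD_SECURITY, AAD_OFFICE = 0, 1, 2, 3

def audit_teams(teams, groups):
    """Return (team name, finding) pairs for teams that break a rule."""
    findings = []
    for team in teams:
        name, ttype = team["name"], team["teamtype"]
        if ttype == ACCESS and team.get("roles"):
            findings.append((name, "access team has security roles"))
        if ttype not in (AAD_SECURITY, AAD_OFFICE):
            continue
        group = groups.get(team.get("azureactivedirectoryobjectid"))
        if group is None:
            findings.append((name, "object id matches no known group"))
            continue
        types = group.get("groupTypes", [])
        if "DynamicMembership" in types:
            findings.append((name, "membership type is not Assigned"))
        is_office = "Unified" in types  # Graph marks Office 365 groups "Unified"
        if ttype == AAD_SECURITY and (is_office or not group.get("securityEnabled")):
            findings.append((name, "group type is not Security"))
        if ttype == AAD_OFFICE and not is_office:
            findings.append((name, "group type is not Office 365"))
    return findings

# Constructed sample data with placeholder GUIDs (not from a real tenant).
G1, G2, G3, G9 = ("00000000-0000-0000-0000-00000000000%d" % n for n in (1, 2, 3, 9))
SAMPLE_GROUPS = {
    G1: {"securityEnabled": True, "groupTypes": []},
    G2: {"securityEnabled": True, "groupTypes": ["DynamicMembership"]},
    G3: {"securityEnabled": False, "groupTypes": ["Unified"]},
}
SAMPLE_TEAMS = [
    {"name": "Sales Owners", "teamtype": OWNER, "roles": ["Example Role"]},
    {"name": "Deal Room", "teamtype": ACCESS, "roles": ["Example Role"]},
    {"name": "Field Staff", "teamtype": AAD_SECURITY, "azureactivedirectoryobjectid": G1},
    {"name": "Contractors", "teamtype": AAD_SECURITY, "azureactivedirectoryobjectid": G2},
    {"name": "Marketing", "teamtype": AAD_OFFICE, "azureactivedirectoryobjectid": G1},
    {"name": "Project X", "teamtype": AAD_OFFICE, "azureactivedirectoryobjectid": G3},
    {"name": "Orphan", "teamtype": AAD_SECURITY, "azureactivedirectoryobjectid": G9},
]

if __name__ == "__main__":
    for name, finding in audit_teams(SAMPLE_TEAMS, SAMPLE_GROUPS):
        print(f"{name}: {finding}")
```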



