Force Sync Users to a Dataverse Environment

Force Sync Users to a Dataverse Environment

Unlike a default environment in your tenant, which includes all valid users in Entra, other Dataverse environments that use security groups to control access do not automatically sync those users. In order for a user to obtain access to an environment, they need the following:

  1. A valid Power Apps license
  2. Access to the environment’s security group
  3. A security role within the environment

If any of those three conditions aren’t met, then nope—no access.

Even then, however, the user still won’t automatically show up!

The reason is because Dataverse uses just-in-time (JIT) user provisioning, meaning qualified users are only added to the environment once they’ve met the aforementioned criteria. This poses a problem when you are trying to provision a user to a specific security role ahead of time such as for User Acceptance testing, or staging.

What’s the solution then? I’ll discuss two ways—using Power Automate and PowerShell—to perform these actions.

Table of Contents hide
1. Example: Finance Admin Team and Security Role
2. Using Power Automate to Force Sync
3. Using PowerShell to Force Sync Members
4. Conclusion

Example: Finance Admin Team and Security Role

I have a security group called “Financial Coordinators” within Entra, which consists of these group members.


In the Power Platform Admin Center, I have my environment and a team called “Financial Coordinator Team” associated with this security group.

Clicking on the 3 dots and going to “Manage Team Members”, you can clearly see that there are no members, despite the fact that my security group has them! The warning shows that the users won’t appear until they’ve accessed the environment. There’s the disconnect! Now, on to the syncing process.

Using Power Automate to Force Sync

The steps involve passing the object ID of the security group, retrieving the object IDs of the group members, and force syncing them using the handy “Force Sync User” action found under the Power Platform for Admins actions.

Copy the Object id of the Security Group to pass into the Power Automate

Next, use the “List Group Members” Office 365 Groups action to get the members’ object IDs and loop through them to sync.

If you’re not using a security group full of members, you can also just sync individual users to the environment by getting their object ID directly from Entra instead.

When I ran this flow, 3 of my 5 members synced successfully while the 2 error because they were lacking the PowerApps License. This error is very clearly spelled out:

User is missing a PowerApps License
Users synced into environment and showing as member of the Team

Using PowerShell to Force Sync Members

Using the MgGraph and PowerAppsAdministration module, we can effectively create a simple script that does the same thing as the Power Automate approach. In the end, you’ll get a status 200 message upon successful add.

<#

.SYNOPSIS

Use the MgGraph and PowerApps Administration Module Cmdlets to fetch members of a security group 
and sync members to the Dataverse Environment

#>

$groupid = "" # The Object Guid of the Group in Azure/Entra
$environmentName = "" # Environment Guid for the target environment

Connect-MgGraph -Scopes GroupMember.Read.All, User.Read.All, Group.Read.All, Directory.Read.All

Add-PowerAppsAccount

# Retrieve members of a specified group
$groupMembers = Get-MgGroupMember -GroupId $groupid

$groupMemberDetails = foreach ($groupMember in $groupMembers) {
    
    $MemberUserObj = Get-MgUser -UserId $groupMember.Id

    [PSCustomObject]@{
        Id                = $MemberUserObj.Id
        DisplayName       = $MemberUserObj.DisplayName
        UserPrincipalName = $MemberUserObj.Mail
    }
}

# Sync users and capture results
$SyncResults = foreach ($member in $groupMemberDetails) {

    Write-Host "Adding $($member.DisplayName) to environment $environmentName"

    $result = Add-AdminPowerAppsSyncUser `
        -EnvironmentName $environmentName `
        -PrincipalObjectId $member.Id

    [PSCustomObject]@{
        DisplayName = $member.DisplayName
        Id          = $member.Id
        Code        = $result.Code
        Description = $result.Description
        Error       = $result.Error
        Success     = [bool]!$result.Error
    }
}

# Optional: view results
$SyncResults | Format-Table -AutoSize

Conclusion

Whichever approach you take, this is a process you’ll likely encounter again and again. In my User Acceptance Testing example, success depends on a few key prerequisites. You must add users to the environment’s security group. Confirm they have a valid Power Apps license. Place them into the appropriate security groups tied to your security roles. Once those steps are complete, running the force sync process becomes straightforward. From there, it’s smooth sailing. 😁

Tags: , ,