What's happening?

Users removed from Microsoft Entra ID groups are not automatically removed from the corresponding Dataverse group teams in Dynamics 365. Even after forcing a synchronization, the user remains in the Dataverse team for several days.

Reason:

Team memberships from Microsoft Entra ID do not automatically synchronize in real-time to Dataverse group teams. The synchronization of user membership changes from Entra ID to Dataverse occurs only under specific conditions.

Resolution:

Team memberships from Microsoft Entra ID groups are synchronized to Dataverse group teams under the following conditions:

  • The user logs into the Dataverse environment after their membership has changed in Microsoft Entra ID.
  • The user is impersonated within the Dataverse environment.
  • An API call is executed on behalf of the user.

To manually force synchronization of team membership from Microsoft Entra ID to Dataverse, use the following API call:

POST https://orgurl/api/data/v9.2/teams(GUID_OF_TEAM_ID_IN_Dataverse)/Microsoft.Dynamics.CRM.SyncGroupMembersToTeam

Note the following important points:

  • The corresponding group team must be manually created in Dataverse; it does not automatically get created when a Microsoft Entra group is created.
  • When creating a group team in Dataverse, you must select the appropriate team membership type. Users will be synced from Microsoft Entra based on this membership type. For example, if a team is created with membership type "Owners," only owner users of the corresponding Entra group will be added to the Dataverse team.
  • Execution of any API on behalf of a user will update that user's Entra group membership in Dataverse.
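An added example (not Microsoft's code and not part of the original article) that builds the forced-sync call shown above plus an on-behalf-of call for each user removed from the Entra group, so stale team access can be cleared as part of offboarding. The org URL, token, GUIDs, the choice of WhoAmI with the CallerObjectId impersonation header, and the empty POST body are assumptions.

```python
import re
import urllib.request

API = "/api/data/v9.2"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def _guid(value):
    # Reject anything that is not a plain GUID before it reaches the URL or a header.
    if not GUID_RE.fullmatch(value):
        raise ValueError(f"not a GUID: {value!r}")
    return value.lower()


def _base(org_url, token):
    # Refuse plain HTTP so the bearer token is never sent in clear text.
    if not org_url.startswith("https://"):
        raise ValueError("org URL must use https")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json",
               "OData-Version": "4.0", "OData-MaxVersion": "4.0"}
    return org_url.rstrip("/") + API, headers


def sync_team_request(org_url, token, team_id):
    """POST that forces Entra group -> Dataverse group team membership sync."""
    base, headers = _base(org_url, token)
    headers["Content-Type"] = "application/json"
    url = f"{base}/teams({_guid(team_id)})/Microsoft.Dynamics.CRM.SyncGroupMembersToTeam"
    # Assumption: the action takes no parameters, so the body is empty.
    return urllib.request.Request(url, data=b"", method="POST", headers=headers)


def on_behalf_request(org_url, token, entra_object_id):
    """Cheap read-only call made on behalf of one user (assumed choice: WhoAmI)."""
    base, headers = _base(org_url, token)
    headers["CallerObjectId"] = _guid(entra_object_id)  # Web API impersonation header
    return urllib.request.Request(f"{base}/WhoAmI", method="GET", headers=headers)


def offboarding_requests(org_url, token, team_ids, removed_user_ids):
    """One forced sync per team, then one on-behalf call per removed user."""
    reqs = [sync_team_request(org_url, token, t) for t in team_ids]
    return reqs + [on_behalf_request(org_url, token, u) for u in removed_user_ids]


def send(req):
    # Network call; needs a real token and environment. Returns the HTTP status.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

Pass each request from `offboarding_requests` to `send`, then query the team's members to confirm the removed users are gone before closing the offboarding ticket.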

There is no specific timeline for automatic synchronization completion, as it depends on the number of users syncing into Dataverse from Microsoft Entra ID. The synchronization process can sometimes be quick and sometimes take several days.

For additional details, refer to the following documentation:

  • Sync Group Members to Team
  • Impersonate another user using the Web API

Resolution:

  • Ensure the user logs into the Dataverse environment after their membership has changed in Microsoft Entra ID, or impersonate the user within the Dataverse environment.
  • Alternatively, execute an API call on behalf of the user to immediately reflect the membership changes in Dataverse.