JIT Dataverse Entra ID Team Provisioning Not Functioning


I’m trying to validate whether what we’re seeing is expected behavior or a configuration / platform issue related to Microsoft Entra ID Group Teams and Just‑In‑Time (JIT) provisioning in Dataverse.

Scenario

We are using Microsoft Entra ID security groups as the source of truth for Power Platform access:

  • Environment access is restricted via an Environment Security Group

  • Microsoft Entra ID Group Teams are created in Dataverse and linked to Entra security groups

  • Security roles are assigned to those Entra Group Teams

  • Users are licensed and confirmed members of:

    • The environment security group

    • The Entra security groups backing the Dataverse team  

Per documentation, we expect users to be JIT‑provisioned into Dataverse on first access and automatically inherit team membership and security roles.

 

What We’re Seeing Instead

  • Users can authenticate to Power Apps / make.powerapps.com

  • Users are not provisioned into Dataverse

  • Users do not appear as members of the Entra Group Teams

  • Security roles assigned to those teams are not applied

  • Users receive authorization errors such as:

    The user with object id '<object-id>' does not have access to permission 'CanEdit' in environment '<environment-id>'.

Important note:

  • Entra Group Teams cannot be manually edited (expected)

  • Manually adding users to Dataverse resolves the issue, which suggests this is not a licensing or role definition problem
 

What We’ve Confirmed

  • AD / Cayosoft / Entra sync is healthy

  • Entra group membership is correct

  • Entra Group Teams exist and accept security role assignment

  • Security roles appear correctly in Dataverse

  • Waiting for sync windows (30 minutes → several hours) does not resolve it

  • Logout/login and browser refreshes do not resolve it

This feels like the Entra → Dataverse identity provisioning step is simply not triggering.

 

Questions

  1. What exactly triggers JIT provisioning for Dataverse users?

    • Environment access?

    • Opening a model‑driven app?

    • Having a base security role?

  2. Is Entra ID group membership alone sufficient to provision users into Dataverse, or is some form of manual “bootstrap” required?


  3. Are there known issues or limitations where Entra Group Teams do not resolve members even though group sync is healthy?


  4. Is this behavior by design, or indicative of a misconfiguration / platform issue?

 

Why This Matters

Without reliable JIT provisioning:


  • Entra ID cannot be used as the single source of truth

  • Least‑privilege access becomes manual

  • Entra Group Teams lose most of their value at enterprise scale

Any clarification, confirmation, or real‑world guidance would be greatly appreciated.

  • Suggested answer (11manish)
    You’re not imagining this—what you’re seeing is a well-known gray area in how JIT provisioning + Entra Group Teams behave in Microsoft Dataverse.
     
     
    Key Truth (most important)
    • Entra ID group membership alone does NOT guarantee JIT provisioning in Dataverse

    JIT provisioning is triggered by Dataverse access, not just:
    • Being in an Entra group
    • Having a license

    What actually triggers JIT provisioning?

    Real triggers (confirmed behavior)
    JIT happens when the user:
    • Opens a Model-driven app
    • Accesses Dataverse-backed resource directly
    • Calls Dataverse API

    In short:
    • User must hit Dataverse, not just Power Apps portal

    What does NOT trigger provisioning
    • Opening make.powerapps.com
    • Being in Entra group
    • Having license
    • Environment security group membership

    Why your scenario is failing
    You said:
    • Users can access Power Apps but are NOT provisioned
    That means:
    • They never actually hit Dataverse endpoint
    So:
    • No user record created
    • No team resolution
    • No role assignment

    Critical limitation (very important)
    Entra Group Teams membership resolution is NOT real-time

    Membership is evaluated:
    • Only after user exists in Dataverse
    • If user is not provisioned:
      • Team membership = X
      • Roles = X

    This is the exact gap you're hitting

    Why manual add fixes it
    When you manually add user:
    • User record created in Dataverse
    • Team membership evaluated
    • Roles applied
    Confirms:
    • Issue = provisioning trigger, NOT config
    Thanks
    Manish
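
A check an administrator could run for the gap discussed in this thread, as an added example (not code from either poster or from Microsoft): it reconciles the user members of the Entra group behind a team against the environment security group and the Dataverse `systemuser` table. It assumes the three inputs were exported beforehand in the JSON shapes of Microsoft Graph `transitiveMembers` and the Web API `systemusers` query; the sample data, the GUIDs and the function names are constructed.

```python
# Constructed sample data (all GUIDs made up), shaped like the "value" arrays of
# Microsoft Graph GET /groups/{id}/transitiveMembers and of the Dataverse Web API
# GET /api/data/v9.2/systemusers?$select=azureactivedirectoryobjectid,isdisabled
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"
GUID = "00000000-0000-0000-0000-0000000000"

def members(*pairs):
    """Build a Graph-style page from (odata type, GUID suffix) pairs."""
    return {"value": [{"@odata.type": t, "id": GUID + s} for t, s in pairs]}

TEAM_GROUP = members((USER, "0A"), (USER, "0b"), (USER, "0c"), (USER, "0d"), (GROUP, "ff"))
ENV_GROUP = members((USER, "0a"), (USER, "0b"), (USER, "0c"))
SYSTEMUSERS = {"value": [
    {"azureactivedirectoryobjectid": GUID + "0a", "isdisabled": False},
    {"azureactivedirectoryobjectid": GUID + "0B", "isdisabled": True},
    {"azureactivedirectoryobjectid": None, "isdisabled": False},  # row with no Entra object ID
]}

def user_ids(page):
    """Lower-cased object IDs of user members; nested groups etc. are skipped."""
    return {m["id"].lower() for m in page["value"] if m.get("@odata.type") == USER}

def classify(team_group, env_group, systemusers):
    """Map each user in the team's Entra group to its Dataverse provisioning state."""
    env = user_ids(env_group)
    # Index Dataverse rows by Entra object ID; GUID case differs between exports.
    rows = {(r.get("azureactivedirectoryobjectid") or "").lower(): r
            for r in systemusers["value"]}
    report = {}
    for oid in sorted(user_ids(team_group)):
        if oid not in env:
            report[oid] = "not in environment security group"
        elif oid not in rows:
            report[oid] = "no systemuser row"  # the gap described in this thread
        elif rows[oid].get("isdisabled"):
            report[oid] = "systemuser disabled"
        else:
            report[oid] = "provisioned"
    return report

if __name__ == "__main__":
    for oid, state in classify(TEAM_GROUP, ENV_GROUP, SYSTEMUSERS).items():
        print(oid, state)
```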
     
     
