Answered

Dynamic Synchronization of Azure AD Security Groups with Dataverse Teams

(1) Share

Report

Posted on by omkarsupreme

My requirement is to automatically synchronize the users from the Azure AD Security Group with the Dataverse Team. Specifically, whenever a user is added to or removed from the Azure AD Security Group, the same change should be reflected in the Dataverse Team membership.

I'm looking for the best and most reliable approach to achieve this synchronization dynamically

Categories:

AI Builder

Building Power Apps

GCC, GCCH, DoD - Federal App Makers (FAM)

Connector development

Error handling

Microsoft Dataverse with Power Apps

Experimental features

Governance & administering

Power Apps Pro Dev & ISV

Power Query

General topics

I have the same question (0)

All responses (2)

Answers (2)

Sort by

Verified answer

11manish 2,293 on at

Like (1)

Report
Copy link

Link copied!
The best and most reliable way to achieve this is to use AAD-Group-linked Teams (also known as AAD Security Group Teams) within Dataverse. Instead of building a manual synchronization logic with Power Automate or custom code, you leverage a native Dataverse feature designed specifically for this purpose.

Why this is the "Best" approach:

Automatic Sync: Dataverse automatically manages membership. When a user is added to the Azure AD group, they are added to the Team in Dataverse the next time they access the environment.

Automatic Cleanup: When a user is removed from the Azure AD group, they immediately lose the permissions associated with that Dataverse Team.

Zero Maintenance: No flows to fail, no API limits to worry about, and no "sync delay" issues.

Was this reply helpful? Yes No
Verified answer

MParikh 508 Super User 2026 Season 1 on at

Like (1)

Report
Copy link

Link copied!
HI @omkarsupreme,

Great point on using AAD Security Group Teams as the foundation. That is absolutely the right starting point. Worth adding one practical caveat though: the automatic sync only triggers when a user actively accesses the environment. If a user is added to the Azure AD group but has never logged into the environment before, they will not appear in the Dataverse team until that first access.
For most scenarios that is fine. But if you need guaranteed, near-real-time propagation regardless of user login activity, you can layer a lightweight Power Automate flow on top of the native behavior:

Trigger: Office 365 Groups "When a group member is added" fires immediately on Azure AD group membership changes.

Action: Power Platform for Admins "Force Sync User" provisions the user into the environment's system user table right away, without waiting for them to log in.

Action: Dataverse "SyncGroupMembersToTeam" bound action on your team GUID pushes the membership update immediately.

For removals, no flow is needed. The native behavior handles it. When a user is removed from the Azure AD group, they lose the team's permissions on their next access attempt.
This keeps zero-maintenance as your baseline, and only adds automation where the native sync has a timing gap.

Thank you!
Proud to be a Super User!
📩 Need more help?
✔️ Don’t forget to Accept as Solution if this guidance worked for you.
💛 Your Like motivates me to keep helping

Was this reply helpful? Yes No