web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Users are not coming i...
Power Apps
Unanswered

Users are not coming in the correct business unit

(3) ShareShare
ReportReport
Posted on by dennisb88 603
Hi all,
 
I've a question about how to automatically assign users to the correct business unit(s).
My problem is:
When an user, that is only a member of the entra group 1, I expect that the user after the first loging in, is automatically set to business Unit 1. But it's always added automatically to the default business unit. That is not what I want. I want that the user is added directly to the correct business unit. 
 
I've created an environment, let call it ProductionEnvironment. To have access to this environment, I set up an Entra ID group named: Environment group. I've also two extra groups created: 
  • Entra Group 1
  • Entra Group 2
Both groups are a member of the Environment group.
 
I've also created two extra business units in my environment:
  • Business Unit1
  • Business Unit2
Both business units has the default business Unit as parent.
 
To assign my Entra Group members the permissions they needed and assign them to the correct business unit, I've created two Teams:
  • Access Team 1
  • Access Team 2
Both Teams are from the type of: Microsoft Entra ID Security Group And I added the correct Entra ID groups to them.
I assign the correct Business units to these Teams.
 
So I'm expect that the users when they are signing in for the first time to the environment, automatically are added to the correct business unit, but that is not happens.
In my draw below I try to make a clear overview.
 
 
My setup is as follow:
 
Does anyone know what I'm missing or doing wrong?
 
Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • Suggested answer
    Jonathan Manrique Profile Picture
    Jonathan Manrique 2,687 on at
    Hi 
     
    You have an incorrect concept in the access groups you must use teams. Your diagram is correct except for the access teams. When you create business units, they create teams, then you can create more teams associated with that business unit. What you must do is later add your users to the team and they will reside in the business unit associated with the team
     
     
     
     
    Now this assignment must be manual, it is not automatic, there are tools in XRMToolBox that allow you to move users from business units and teams massively.
     
     
    If I have answered your question, please mark your post as Solved.
    If you like my response, please give it a Thumbs Up.
    You can accept more than one post as a solution
    Follow me on Linkedin, I talk about Power Platform
    www.linkedin.com/in/jonathan-manrique-rios
     
  • Michael Tokyo Profile Picture
    Michael Tokyo 2 on at
    I was looking at this same thing and noticed this important content here on the learn page: 

    https://learn.microsoft.com/en-us/power-platform/admin/wp-security-cds#associate-a-business-unit-with-a-microsoft-entra-security-group

    The user in the above diagram will be created in the root business unit when the user accesses the environment. It's fine to have the user and the Dataverse group teams to be in the root business unit. They only have access to data in the business unit where the security role is assigned.

    Posting here in case it helps
  • M-M Profile Picture
    M-M 58 on at
    @Michael Tokyo - that's confusing tho... because a Team can only be in 1 BU, and only Security Roles with that same BU can be assigned to the Team.
     
    So I don't know how it's true that the User AND Team can be in the Root BU but still have a Security Role from a specific non-root BU on the Team.
     
    As far as I can tell... and judging by the diagram on the MS Learn page (https://learn.microsoft.com/en-us/power-platform/admin/media/business-unit-with-aad-sec-group2.png) - indeed you have to have the Team in 1 particular BU and then Security Role applied in the same BU. That way, the User (synced from Azure AD Group Team) gets access to whatever BU the Team and its Role are in.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 717 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 329 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 268

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans