Issue (bug?) with inherited team privileges Azure AD Group Dataverse


Hi all,

I am trying to replace our current security set up and use Azure AD groups to provide access to a Model Driven App and data in Dataverse. I am seeing some very strange behaviour and need your help.

The current set up is as follows:

- Root BU with two sub business units
- Security roles which give access to the data at BU unit level
- Users are in one of the sub BUs and assigned a security role directly

This allows us to manage the access to the tables through the security role and access to the data through the BU.

What we would like to do is use Azure AD groups to assign the security role so that we don't need to assign a role to each person individually. This is the current test model:

- Root BU with two sub business units
- Azure AD group(s) which are in the root BU and each have a role attached. The role has Direct User/Basic access level and Team privileges
- User is in a sub BU and has no individual role attached to them

This is the strange behaviour I am seeing:

- When user access is given to a table, the user sees only records that they own - correct
- When organisation level is given the user sees all records - correct
- However, when BU level is given, the user doesn't see anything! (Why would they lose access to their own records when a higher access level has been given?!)

When the security role with BU level access is assigned directly to the user, we see the desired effect: the user has access to the table, but only the records for their BU.

Can anyone shed any light on what is going on? It would be hugely appreciated!

  • HFG

    A bit of further information: 

    When we assign records directly to the Azure AD Group Team, the users in the team are able to see them. 

  • Verified answer
    HFG

    OK I think I figured it out. I'm going to post my findings rather than just deleting the thread.

    When the user has basic level given, the role acts like the user directly so they are able to see any records that belong to them directly.

    When the user is given a higher level, the role looks at the team rather than the user. In this case, the team and user were in different divisions so when the division level access was given, the user only saw records that were owned by their team or anyone in the same division as the team.

  • v-yujincui-msft

    Hi @HFG,

    Thanks for sharing.

    Glad to see you solved the problem.
    You might consider marking your answer as a 'solution' so that it will be useful for others.

    Best Regards,
    Charlie Choi

  • Fubar

    A Security Role assigned to a Team: the Privileges inherited are relative to the BU for that Team

    A Security Role assigned to a User: the Privileges are relative to the BU for that User

    Traditionally a User/Basic level privilege inherited from a Team is not the same as a User/Basic assigned directly against the User - but there is now an inheritance variation, based on the setting on the Security Role itself "Member's privilege inheritance" dropdown.

    https://docs.microsoft.com/en-gb/power-platform/admin/security-roles-privileges#team-members-privilege-inheritance

    (and then there's hierarchy and position based models)
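
Added example (not part of the thread, and not Dataverse code): a simplified Python model of the scoping rule the replies above describe, where a role inherited from a team is evaluated against the team's business unit and a directly assigned role against the user's. All names and records are constructed, a record's business unit is assumed to be its owner's, and only the User, Business Unit and Organisation levels are modelled.

```python
from dataclasses import dataclass

# Simplified model of the behaviour described in this thread, not Dataverse code.
# All names are hypothetical; a record's business unit is assumed to be its owner's.
BASIC, BU, ORG = "basic", "business_unit", "organization"

@dataclass(frozen=True)
class Principal:
    name: str
    bu: str

@dataclass(frozen=True)
class Record:
    name: str
    owner: Principal

def can_read(user, record, depth, via_team=None, direct_user_inheritance=True):
    """One role, one read privilege. via_team=None: role assigned directly to the user."""
    if depth == ORG:
        return True
    if depth == BU:
        # The scope follows whoever holds the role: the team's BU, not the member's.
        scope = via_team.bu if via_team else user.bu
        return record.owner.bu == scope
    # Basic depth: team-owned records, plus the member's own records when the
    # role uses "Direct User (Basic) access level and Team privileges".
    owners = {user} if via_team is None or direct_user_inheritance else set()
    if via_team:
        owners.add(via_team)
    return record.owner in owners

def visible(user, records, depth, **kw):
    return sorted(r.name for r in records if can_read(user, r, depth, **kw))

# Constructed sample data mirroring the test model in the thread.
team = Principal("AAD group team", "root")
user = Principal("user", "sub_a")
colleague = Principal("colleague", "sub_a")
other = Principal("other", "sub_b")
RECORDS = [Record("own", user), Record("colleague's", colleague),
           Record("team's", team), Record("other BU", other)]

if __name__ == "__main__":
    for depth in (BASIC, BU, ORG):
        print("via team,", depth, "->", visible(user, RECORDS, depth, via_team=team))
    print("direct, BU ->", visible(user, RECORDS, BU))
```

When reviewing roles attached to group teams, the Business Unit row is the one to check: the business unit the team sits in, not the member's, decides which records every member can read.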
