web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Agent Academy Hackathon is happening now!
Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Control user access to...
Power Apps
Answered

Control user access to environments: security groups and licenses

(1) ShareShare
ReportReport
Posted on by Community Power Pla... Microsoft Employee

Hi,

 

Can someone explain to me exactly what effect it has to secure an environment (with CDS) with a security group?

2020-04-20 11_15_54-Power Platform admin center.png

I do not understand the description on this page https://docs.microsoft.com/en-us/power-platform/admin/control-user-access.

After several tests I don't see any effect if the environment has a security group or not...

 

Thanks

Jens

Categories:
Governance & administering
I have the same question (0)
  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @Anonymous,

    In a tenant where there are several environments (env), especially for different purposes (e.g. Sales CDS and Manufacturing CDS) security groups helps to manage and segregate licensing and users. By default, all users that have a license gets automatically added to CDS. You might not want to pollute all your envs with a bunch of users (even though no security role is assigned) that have no relevance in that env (e.g. Manufacturing users in Sales env and vice-versa). Having a security group associated to an env enables to synchronizes/add only users that are part of that group and thus keeping your list of users clean.

    Secondly, it helps to manage licensing. For instance, Manufacturing department pays for Manufacturing user licenses and same for Sales. Having groups helps to segregate and manage this.

    Hope this clarifies a little!

  • Community Power Platform Member Profile Picture
    Community Power Pla... Microsoft Employee on at

    Hello @EricRegnier,

     

    Thank you for your quick response. In general, the purpose is already clear to me. But what exactly does "all users that have a license gets automatically added to CDS" mean? Where can I see which users are assigned to the CDS? According to the documentation, these users are not automatically assigned a security role.

     

    I have tested the following in a Demo Tenat:

    1. created a trial environment with CDS and a security group to restrict the environment

    sg-group.png

    2. The security group has the following three members

    sg-group-members.png

    3. If I now list the users of the environment there are all licensed users (without assigned security role) enabled

    EnabledUser.png

     

    Therefore again the question where I can see with which users the CDS is polluted?

     

    Thanks

    Jens

     

  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @Anonymous,

    "all users that have a license gets automatically added to CDS" means that once these users have a license assigned in Office 365, a new user record is created in Common Data Service (CDS) just like in your screenshot for point #3. If the environment has no security group assigned then all the users get created, but if a group is assigned then only these user within the group. Non-members of the group will not have a user created. If the security group was assigned after creation of the environment, then non-members will automatically get deactivated in the environment. I just tried at it works as expected.

    One important note, you cannot assign a security group to a default environment, the name with a suffix of "(default)", and therefore, all licensed users will exists there. Maybe this is your issue?

    2020-04-22_17-50-52.png

    So in your last screenshot, the "enabled users" view is select so either all these users are part of the group or it's your default environment. Do yo have any disabled users?

     

    Hope this makes sense!

  • Community Power Platform Member Profile Picture
    Community Power Pla... Microsoft Employee on at

    Hi @EricRegnier ,

     

    That makes absolute sense and that's exactly how I imagined it to work.

     

    But it doesn't work for me, my security group actually only has these three members (see screenshot 2). But as you can see, all users have been added (screenshot 3). This is not the default environment but it is a trial environment (in a Demo-Tenant), could this be the problem?

     

    Bye and thanks

    Jens

  • Verified answer
    EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @Anonymous,

    So I did more digging. Another thing I forgot to mention was the Global Admins and Power Platform Admins will always get created in all environments regardless of the group assigned. Whenever changes are made to the roles, it may takes around 5 min to reflect in CDS.

    2020-04-23_9-23-45.png

     

    I also tested with a Trial environment type and it does not filter the users for the Trial. So I confirm security groups don't work and take affect for Trial environments! Weird!

    Hope this helps...

  • Community Power Platform Member Profile Picture
    Community Power Pla... Microsoft Employee on at

    Hello @EricRegnier,

     

    Thank you for your research, it's been very helpful!

     

    But unfortunately it is a pity that I cannot create a productive environment to test it. Because of this problem

    https://powerusers.microsoft.com/t5/Common-Data-Service-for-Apps/I-can-t-create-a-productive-environment-amp-quot-Creating-an/m-p/535301#M4865

     

    Thank you...

     

     

     

  • cgru3eejc2 Profile Picture
    cgru3eejc2 74 on at

    Hi @Anonymous ,

     

    Did you find a solution? Have exactly the same problem, not with a Trial environment though. It's on an additional production environment with an added security group and the group members are not added to the CDS.

     

    Regards,

    Stefan

  • Community Power Platform Member Profile Picture
    Community Power Pla... Microsoft Employee on at

    Sorry I did not research further. And I assumed that it will work in a productive environment 🙂

  • davetheteamsguy Profile Picture
    davetheteamsguy 44 on at

    If you are not a member of the environment security group, and a maker shares an app with you that resides in that environment, but does not have a dataverse connector, can you access the app?

  • EricRegnier Profile Picture
    EricRegnier 8,720 Most Valuable Professional on at

    Hi @davetheteamsguy, my understanding is no as you won't have access to the data behind the scenes 

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Agent Academy Hackathon is happening now!
Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the April Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
Vish WR Profile Picture

Vish WR 915

#2
Valantis Profile Picture

Valantis 571

#3
11manish Profile Picture

11manish 457

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans