You’re offline. This is a read only version of the page.
I have questions regarding Microsoft Power Platform Environment creation.
1. Is it best practice to create an Active Directory Security Group and assign one Power App Per User Plan license to the security group?
2. Or should I assign a Power App Per User Plan license for each individual user within the Active Directory Security Group?
Both @AlbertoCastro and @RedBeardDev are correct here, and I believe that is exactly the point of the question @MrJ is asking: Both work, so which is considered "best"?
I would advise a customer this way: Both paths get you to what you want: the real question is who is administering the users?
In a typical small organization (let's say a few hundred users or less) the group that administers Power Platform are the same folks creating AAD accounts and setting up other access as well. In a case like this, the question matters a lot less because it is one group of admins and those admins can pick whichever pattern works best for their workflow and the security granularity of the organization.
In a large enterprise, however (thousands, hundreds of thousands?) an approach like this is totally unworkable. There is a group somewhere that administers AAD accounts, different folks entirely that do PPlatform, and still others that do whatever other apps and services users need. When this happens, splitting licensing away from access away from identity is a recipe for disaster. This is the reason the association between Security Groups and Environments was created in the first place, and why earlier this year they made it a default choice. The assumption here is that BOTH license and access are controlled by Security Group membership so allocation can happen all the way up at the top - the Admins controlling AAD - so we get back to a pattern where only One group has to control it and it is harder for individual users to fall through the cracks.
So, to make a long answer much shorter, it depends on your specific environment and use case, but in general, administering user access and licensing up at AAD is the preferred approach (I'll stop short of calling it 'best practice' because small orgs can still find lots of value in the granularity of multi-level control).
Sorry, but it's possible assign licenses per user to Azure Security Groups:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups#to-assign-a-license-to-a-group
You cannot assign a PerUser license to a security group. PerUser license is per user.
We associate our PerUser license with an azure group, so those in the group have the license. Then you could align that azure group to the security role needed for your role, like System Customizer
Hello,
The security strategy of the environments and the assignment of licenses are different topics.
Regarding the environments:
It is a good practice to assign them a security group and then for each security role to create a Teams security associated with another security group.
Regarding licenses:
If we talk about Power Apps Per User, they can be assigned directly to the user or create a security group that assigns these licenses. The latter can facilitate the management of these licenses.
-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
Regards
Alberto
HI,
I am not sure whats the relationship between the question on Environment Creation and Single Security Group,
but security for Dataverse itself, is not a best practice thing, it's a "depends on your use cases and situation". Truly there is no wrong or right answer, unless you have talked internally and you know how many apps you might have, how many users, what the users need to do etc.
You will end up with lots of roles, lots of security groups, lots of people across different group, you will have groups in groups etc.
I would definitely talk to a License expert at Microsoft Sales though, as any license information you get on this forum should be considered wrong. (even if I post it lol).
Cheers
If you like my answer, please Mark it as Resolved, and give it a thumbs up, so it can help others
Thank You
Michael Gernaey MCT | MCSE | MCP | Self-Contractor| Ex-Microsoft
https://gernaeysoftware.com
LinkedIn: https://www.linkedin.com/in/michaelgernaey
#1
Michael E. Gernaey
9
Super User 2025 Season 1
#2
bscarlavai33
5
Super User 2025 Season 1
#3
getsplash
2
Share
Report
All responses (
Answers (
