I have an Azure AD group, and I have enabled the Azure AD identity provider for my PowerApps portals.
I want to provide access to the Azure AD group members to be able to access the portal. No other Azure AD member should be able to access my portal.
I know I can turn off the registrations for Azure AD, but then how will my Azure AD group members get access?
How can I automate this so that whenever a user gets added to Azure AD, he should automatically also get access to PowerApps portals?
Hi @Anonymous ,
I think you have to create a PowerShell script or whatever which runs from time to time to align the two user bases. You should not do it manually, I agree.
Maybe this can be achieved with Power Automate. I'm not an expert in that one, but if there is some kind of trigger when a user enters or leaves the group, then the alignment can be executed.
This could also be an Azure Function which does this job.
The contact and the external identities are only entities in the CDS, which can be created/deleted/updated via the services or with Power Automate (formerly known as Flow).
The only complicated thing for the automation, for me, is how to authorize the process to read users from the AD. Writing to the CRM can easily be achieved by an application user with client ID/client secret.
Really an interesting scenario and a common question from our customers, who usually do manual stuff afterwards. Maybe I should try out automating this 🙂
Have fun,
Christian
Hi Christine,
I don't want to do anything in the Contacts entity in CDS manually.
My Azure AD group is dynamic.
Importing the users from the Azure AD group to Contacts in CDS should be automatic.
Whenever a user gets added to the Azure AD group, he must be automatically added as a Contact in CDS.
So when a user logs in to the portal, the portal should authenticate that user.
How can we do this?
Hi @Anonymous ,
As I got it, every portal user is a contact in Dynamics CDS. So you have to create contacts and create an external authentication entry for them.
This could be automated. We tried to create this by hand by copying the object IDs from the AD into the external identities entity in the CRM, which basically contains a lookup to the contact and the ID from the external (in your case AD) system. This worked.
The issue is a little bit how to know, after selecting the users belonging to that group, whether the contact for that specific user already exists. I think using an email or something like that to identify the contact could be a working idea. A better idea could be to create a new text field on the contact and store the AD object ID (redundantly, I know) in it. So, even when the user changes his email in the AD (is this possible??), the right contact would be found.
Hope this helps,
Christian
PS: If this was too academic, I could make some screenshots about the idea 🙂
PPS: Of course, this is not supported in any way, as I did not read anything from Microsoft about the external identity entity. My colleagues and I just looked at it and made an educated guess 🙂
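
The alignment step discussed in this thread (match group members to contacts by AD object ID, fall back to email, and remove access for users who left the group), as an added example that is not part of the original posts and not Microsoft code. The `ad_object_id` key is the hypothetical custom contact field suggested above, the dictionaries stand in for rows already read from Azure AD and the CDS, and all sample data is constructed.

```python
# Constructed sample data; ad_object_id is the hypothetical custom text field on the contact.
MEMBERS = [  # members of the Azure AD group
    {"id": "AAA-1", "mail": "ann@example.com"},
    {"id": "BBB-2", "mail": "bob@example.com"},
    {"id": "CCC-3", "mail": "cy@example.com"},
    {"id": "DDD-4", "mail": "dee@example.com"},
]
CONTACTS = [  # contact rows in the CDS
    {"contactid": "c1", "email": "ann@example.com", "ad_object_id": "aaa-1"},
    {"contactid": "c2", "email": "bob@example.com", "ad_object_id": None},
    {"contactid": "c4", "email": "dee@example.com", "ad_object_id": "zzz-9"},
]
IDENTITIES = [  # external identity rows: AD object ID -> contact
    {"username": "aaa-1", "contactid": "c1"},
    {"username": "zzz-9", "contactid": "c4"},
]

def plan_sync(members, contacts, identities):
    """Return the changes needed so that exactly the group members can sign in."""
    plan = {"create": [], "link": [], "revoke": [], "conflict": []}
    member_ids = {m["id"].lower() for m in members}
    linked = {i["username"].lower() for i in identities}
    by_oid = {c["ad_object_id"].lower(): c for c in contacts if c.get("ad_object_id")}
    by_mail = {}
    for c in contacts:
        if c.get("email"):
            by_mail.setdefault(c["email"].lower(), []).append(c)
    for m in members:
        oid = m["id"].lower()
        if oid in linked:
            continue  # external identity already exists
        contact = by_oid.get(oid)
        if contact is None:
            # Email is only a fallback; never reuse a contact bound to another object ID.
            found = by_mail.get((m.get("mail") or "").lower(), [])
            free = [c for c in found if not c.get("ad_object_id")]
            if len(free) > 1 or (found and not free):
                plan["conflict"].append(oid)  # ambiguous or mismatched: review by hand
                continue
            contact = free[0] if free else None
        if contact:
            plan["link"].append((contact["contactid"], oid))
        else:
            plan["create"].append(oid)  # new contact plus external identity
    # Identities whose object ID is no longer in the group must lose portal access.
    plan["revoke"] = sorted(linked - member_ids)
    return plan
```

With open registration turned off, the `revoke` list is what keeps former group members out, and the `conflict` list keeps an email match from silently attaching a new sign-in to a contact that belongs to a different AD object ID.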