Previously, we looked into security roles and how we can use them to create a hierarchy of access privileges within our model-driven apps in this post. However, it is a bit of a pain allocating roles on a person-by-person basis – we can simplify this by using Teams.
Building on our previous post with our new Dojo Membership app, let’s assume we have created the following security roles:
- Miyagi-Do Admin – full read/write access to the Contact table.
- Miyagi-Do Readers – read access only to the Contact table.
Instead of allocating roles to individuals, we want to associate Entra groups with security roles, so that members of those groups automatically inherit the roles. Note that members of the groups must also have access to the environment the solution is in, and be licensed appropriately.

Conceptually, this means that granting or removing privileges for an application user is simply a matter of adding them to, or removing them from, the relevant Entra group.
If you do not have administrator access on your office tenant, ask your admin to create two AD-enabled security groups:
- Miyagi-Do Admin
- Miyagi-Do Readers
Within Power Platform Admin, navigate to the environment you have created the Dojo Membership solution in and select Teams.

From the navigation ribbon on the Teams screen, click + Create team and fill in the dialog that appears from the side before clicking Save.

- Team Name – Miyagi-Do Admin
- Business unit – select default business unit for environment
- Administrator – select administrator user
- Team type – Microsoft Entra ID Security Group
- Group name – Miyagi-Do Admin
- Membership type – Members and guests
On saving, the side navigation will prompt you to select a security role for your new team. Select the Miyagi-Do Admin role and click Save.
Repeat the above process to create another team for Miyagi-Do Readers.
- Team Name – Miyagi-Do Readers
- Business unit – select default business unit for environment
- Administrator – select administrator user
- Team type – Microsoft Entra ID Security Group
- Group name – Miyagi-Do Readers
- Membership type – Members and guests
On saving, the side navigation will prompt you to select a security role for your new team. Select the Miyagi-Do Readers role and click Save.
Navigate back to the solution view for our Dojo Membership solution and then click Apps from the side navigation. Select our Dojo Membership app and then click Share from the navigation ribbon.

From the dialog that is displayed, select the Miyagi-Do Admin team from the list of users, and select the Miyagi-Do Admin role before clicking the Share button (note, there may be a bug where you must unselect the default role and then reselect it to enable the Share button).
Repeat the process to share the app with the Miyagi-Do Readers team, assigning them the Miyagi-Do Readers security role by default.
In this way we can keep track of user permissions simply by checking membership of the relevant Entra groups!
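
Checking permissions by group membership, as described above, can be turned into a small review script. This is an added example, not code from the original post: the user names and group export are constructed, and it assumes you have exported each Entra group's members with their user type. It covers the Members and guests, Members, and Guests membership types only.

```python
# Added example: resolve the roles users inherit through group teams.
# All data below is constructed for illustration.

# Group teams as configured in the post.
TEAMS = [
    {"team": "Miyagi-Do Admin", "group": "Miyagi-Do Admin",
     "membership_type": "Members and guests", "role": "Miyagi-Do Admin"},
    {"team": "Miyagi-Do Readers", "group": "Miyagi-Do Readers",
     "membership_type": "Members and guests", "role": "Miyagi-Do Readers"},
]

# Constructed Entra group export: group -> list of (UPN, userType).
GROUP_MEMBERS = {
    "Miyagi-Do Admin": [("daniel@example.com", "Member"),
                        ("contractor@partner.example", "Guest")],
    "Miyagi-Do Readers": [("daniel@example.com", "Member"),
                          ("ali@example.com", "Member")],
}

# Entra userType values that each team membership type lets through.
ALLOWED = {
    "Members and guests": {"Member", "Guest"},
    "Members": {"Member"},
    "Guests": {"Guest"},
}

def effective_roles(teams, group_members):
    """Return {upn: set(roles)} inherited through group teams."""
    roles = {}
    for t in teams:
        allowed = ALLOWED[t["membership_type"]]
        for upn, user_type in group_members.get(t["group"], []):
            if user_type in allowed:
                roles.setdefault(upn, set()).add(t["role"])
    return roles

def findings(teams, group_members, privileged=("Miyagi-Do Admin",)):
    """Flag guests holding a privileged role and users in several role groups."""
    user_types = {u: ty for m in group_members.values() for u, ty in m}
    out = []
    for upn, held in sorted(effective_roles(teams, group_members).items()):
        if user_types[upn] == "Guest" and held & set(privileged):
            out.append((upn, "guest holds privileged role"))
        if len(held) > 1:
            out.append((upn, "member of multiple role groups"))
    return out

if __name__ == "__main__":
    for upn, issue in findings(TEAMS, GROUP_MEMBERS):
        print(f"{upn}: {issue}")
```

Because security roles are cumulative, a user who sits in both groups effectively has the Admin role, which is why overlapping membership is flagged.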
