Control user access to environments: security groups and licenses

If your company has multiple Common Data Service environments, you can use security groups to control which licensed users can be members of a particular environment.

Consider the following example scenario:

| Environment | Security group | Purpose |
| --- | --- | --- |
| Coho Winery Sales | Sales_SG | Provide access to the environment that creates sales opportunities, handles quotes, and closes deals. |
| Coho Winery Marketing | Marketing_SG | Provide access to the environment that drives marketing efforts through marketing campaigns and advertising. |
| Coho Winery Service | Service_SG | Provide access to the environment that processes customer cases. |
| Coho Winery Dev | Developer_SG | Provide access to the sandbox environment used for development and testing. |

In this example, each of the four security groups provides controlled access to a specific environment.

Note the following about security groups:

  • When users are added to the security group, they are added to the Common Data Service environment.
  • When users are removed from the group, they are disabled in the Common Data Service environment.
  • When a security group is associated with an existing environment with users, all users in the environment that are not members of the group will be disabled.
  • If a Common Data Service environment does not have an associated security group, all users with a Common Data Service license (model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service, Power Automate, Power Apps, etc.) will be created as users and enabled in the environment.
  • If a security group is associated with an environment, only users with Common Data Service licenses that are members of the environment security group will be created as users in the Common Data Service environment.
  • When you assign a security group to an environment, that environment will not show up in home.dynamics.com for users not in the group.
  • If you do not assign a security group to an environment, the environment will show up in home.dynamics.com even for those who have not been assigned a security role in that Common Data Service environment.
  • If you do not specify a security group, all users who have a Common Data Service license (model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service, Power Automate, Power Apps, etc.) will be added to the new environment.
  • New: Security groups cannot be assigned to default and developer environment types. If you've already assigned a security group to your default or developer environment, we recommend removing it since the default environment is intended to be shared with all users in the tenant and the developer environment is intended for use by only the owner of the environment.
  • Common Data Service environments support associating the following group types: Security and Microsoft 365. Associating other group types is not supported.
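
Because associating a group with an environment that already has users disables every non-member, it helps to work out the effect beforehand. The following dry run is an added example, not Microsoft code and not a call to any admin API; it models the rules in the list above, and the type labels, user names and function names are assumptions.

```python
from dataclasses import dataclass

# Group and environment types named on this page; the string labels are assumptions.
SUPPORTED_GROUP_TYPES = {"Security", "Microsoft 365"}
UNASSIGNABLE_ENV_TYPES = {"Default", "Developer"}


@dataclass
class Environment:
    name: str
    env_type: str       # hypothetical label, e.g. "Production", "Sandbox"
    enabled_users: set  # users currently enabled in the environment


@dataclass
class Group:
    name: str
    group_type: str
    members: set


def plan_association(env, group, licensed_users):
    """Dry run: what happens to users if `group` is associated with `env`."""
    if env.env_type in UNASSIGNABLE_ENV_TYPES:
        raise ValueError(f"{env.env_type} environments cannot take a security group")
    if group.group_type not in SUPPORTED_GROUP_TYPES:
        raise ValueError(f"group type {group.group_type!r} is not supported")
    return {
        # Existing users who are not group members are disabled on association.
        "disabled": sorted(env.enabled_users - group.members),
        "stay_enabled": sorted(env.enabled_users & group.members),
        # Only licensed group members are created as users in the environment.
        "newly_added": sorted((group.members & licensed_users) - env.enabled_users),
        "members_without_license": sorted(group.members - licensed_users),
    }


# Constructed sample data (user names are made up).
SAMPLE_ENV = Environment("Coho Winery Sales", "Production", {"alice", "bob", "carol"})
SAMPLE_GROUP = Group("Sales_SG", "Security", {"alice", "dave", "erin"})
SAMPLE_LICENSED = {"alice", "bob", "carol", "dave"}

if __name__ == "__main__":
    for outcome, users in plan_association(SAMPLE_ENV, SAMPLE_GROUP, SAMPLE_LICENSED).items():
        print(f"{outcome}: {users}")
```

Review the `disabled` list before saving the association, and add anyone who still needs access to the group first.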

Note

All licensed users, whether or not they are members of the security groups, must be assigned security roles to access environments. You assign the security roles in the web application. Users can't access environments until they are assigned at least one security role for that environment. For more information, see Configure environment security.

Create a security group and add members to the security group

  1. Sign in to the Microsoft 365 admin center.

  2. Select Groups > Groups.

  3. Select + Add a group.

  4. Change the type to Security group, add the group Name and Description. Select Add > Close.

  5. Select the group you created, and then next to Members, select Edit.

  6. Select + Add members. Select the users to add to the security group, and then select Save > Close several times to return to the Groups list.

  7. To remove a user from the security group, select the security group, next to Members, select Edit. Select - Remove members, and then select X for each member you want to remove.

Note

If the users you want to add to the security group have not been created, create the users and assign them Common Data Service licenses.

To add multiple users, see: bulk add users to Office365 groups.

Create a user and assign license

  1. In the Microsoft 365 admin center, select Users > Active users > + Add a user. Enter the user information, select licenses, and then select Add.

    More information: Add users individually to Office 365 - Admin Help

Associate a security group with a Common Data Service environment

  1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin (Dynamics 365 service admin, Global admin, or Power Platform service admin).

  2. In the navigation pane, select Environments, select an environment, and then select Edit.

  3. In the Settings page, select Edit.

  4. Select a security group, select Done, and then select Save.

The security group is associated with the environment.

Remove a security group's association with a Common Data Service environment

  1. Sign in to the Power Platform admin center at https://admin.powerplatform.microsoft.com as an admin (Dynamics 365 service admin, Microsoft 365 Global admin, or Power Platform service admin).

  2. In the navigation pane, select Environments, select an environment, and then select Edit.

  3. In the Settings page, select Delete.

  4. Confirm removal, select Remove, and then select Save.

The security group associated with the environment will be removed, and access to the environment will no longer be restricted to users who are members of that group.

See also

Create users and assign security roles