With the announcement of Microsoft Dataflex for Teams announced last week, and the ability to create Power App solutions with a relational database back-end within Microsoft Teams, it got me thinking about how organisational wide access to these solutions from within a Microsoft Team would work.
“If you add an Active Directory Security Group to a Microsoft Team, it’ll only add the users that are members of that group at that point in time.”
Typically, Microsoft Teams is used by small/medium groups of colleagues to collaborate with one another. e.g. Project sites or Department sites. Adding members or owners to the Team is a relatively easy job and doesn’t require IT involvement or complex provisioning processes.
What if the HR department creates an employee holiday request Power App solution and everyone in the organisation needs access to?
With a traditional Power App solution created in the native Power Apps ‘maker’ studio, with a Common Data Service (or Dataflex Pro) back-end, the App Maker could publish the app to anyone. But with a Power App solution created from inside Microsoft Teams, everyone will need to be a member of the Team to access it.
Unlike adding permission to a traditional Power App, adding users to a Microsoft Team is slightly different.
Firstly, we need to understand how Microsoft Team membership is managed. Obviously, adding every employee individually into a Team isn’t realistic, so Active Directory Group membership seems like a good idea, however, adding a Microsoft Active Directory Security Group only adds the members of that group at the point in time; it doesn’t keep the membership up to date.
“You can use Microsoft Dynamic Group membership to handle new members or members being removed for the Active Directory group.”
So how will this work in reality?
Microsoft Teams supports teams associated with Microsoft 365 groups by using dynamic membership. Dynamic membership enables the membership of a team to be defined by one or more rules that check for certain user attributes in Azure Active Directory (Azure AD). Users are automatically added or removed to the correct teams as user attributes change or users join and leave the Microsoft 365 tenant.
How to configure a Dynamic Group
1. Sign in to the Azure AD admin center with an account that is in either the Global administrator, Intune administrator, or User administrator role in the Azure AD organization.
2. Search for and select Groups.
3. Select All groups, and select the Group associated to your Microsoft Team.
4. From the left hand menu, click Properties.
5. Change the Membership type from ‘Assigned’ to ‘Dynamic User’
6. When the membership type has been selected, a new option will appear at the bottom of the page that will allow you to specify a dynamic membership rule.
7. Define your dynamic rule; in my example I’ve added all accounts that begin with ‘Aaron’.
8. After creating the rule, select Save.
9. Wait for your dynamic membership rule to process. Depending upon the complexity of the rule and the size of the Azure Active Directory, this may take a few minutes.
10. Membership to this group will now be reflected in your Microsoft Teams, Team!
- Until a user logs into Teams, they won’t appear in the ‘Members’ or ‘Owners’ group.
- Microsoft Teams may take anywhere from a few minutes to up to 24 hours to reflect dynamic membership changes once they take effect in the Microsoft 365 group for a team.
- Owners will not be able to add or remove users as members of the team, since members are defined by dynamic group rules.
- Members will not be able to leave teams backed by dynamic groups.
- A user can only be a member of up to 1000 Teams.
- There can only be 10,000 members in a Team (5,000 for Org Wide Teams).