In September last year, I wrote a blog about how to use Azure Active Directory for managing users and security in Dynamics 365 for Finance and Operations. One feature was not explained in that blog. Continue reading and you will learn about the Synchronize option available on the (Azure AD) Groups form.
The Synchronize button on the (Azure AD) Groups form does not create new records for groups that exist in your Azure Active Directory. To create new groups for granting access to users attached to Azure AD groups, you need to use the Import groups link as mentioned in the initial blog.
The synchronize feature performs two tasks. I will mention them briefly and explain both with an example below.
- Update the name of the AAD group in Dynamics 365 if it has been changed in Azure AD
- Deactivate groups if they have been deleted in Azure Active Directory.
Update the name
When you import Azure Active Directory groups to be used for security assignment, each group gets an internal ID and is displayed with the name as defined in Azure Active Directory.
You might notice that the names in Azure are not consistent. I would recommend using a naming convention for recognition and consistency. With a lot of groups, you may want to start either with the country or with the role name. In my test environment I decided to update both group names: the country is identified with the ISO-3 country code and the names start with the role.
Now that these security group names have been changed, they can be updated using the Synchronize feature. When you click this button, it connects to Azure AD and checks whether the name of each group has been changed.
Since only the names are visible in Azure AD and in the Dynamics 365 client, how is the application able to find out that a name has been changed? A look at the code shows that another unique field is maintained for this purpose.
A Security identifier field is maintained in the background which is the unique key for the Azure AD group.
When you delete a security group from Azure AD, you can also use the Synchronize option to deactivate the group in Dynamics 365.
To demonstrate this in the blog, I deleted the Accountant USA security group from Azure AD. After synchronizing, the group in Dynamics 365 is not deleted, but disabled.
I think this is a better approach than simply deleting the group when it is not found in Azure AD, for the following reasons:
- When there is a temporary issue connecting to Azure AD, you don't want the group to be deleted automatically.
- When it is disabled, you still have alerting and review options.
As mentioned above, the Security identifier field is the unique key for the Azure security group. When you create a new group in Azure AD with exactly the same name, you can import the new group, but with a restriction: the internal ID must be unique. As you can see below, I gave the ID another value. Before importing the new group, you can decide for yourself whether or not to remove the old group.
This also shows that you can't simply recreate the Azure security group and expect the existing Dynamics 365 record to keep working. The Security identifiers must match; otherwise the security role assignment does not work.
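To make the behaviour described in this post concrete, here is a small model of the Synchronize and Import groups logic. This is an added example written for this post, not Dynamics 365 code or the X++ from the form; the table layout, the `sid-*` Security identifier values, the group names and the `aad_reachable` flag are all constructed assumptions. It shows the two sync tasks (rename on a changed Azure AD name, disable on a missing Security identifier, never create or delete), why a directory outage must not be treated as "all groups deleted", and why a recreated Azure AD group with the same name but a new Security identifier does not satisfy the old role assignment.

```python
"""Model of the (Azure AD) Groups Synchronize and Import behaviour.

Constructed example for illustration; not Dynamics 365 code.
A local group record is keyed on its internal ID (chosen at import),
but the link to Azure AD is the Security identifier, which is the
unique key the post describes.
"""
from dataclasses import dataclass, field


@dataclass
class LocalGroup:
    group_id: str               # internal ID chosen at import; must be unique
    name: str                   # display name copied from Azure AD
    security_identifier: str    # unique key of the Azure AD group (constructed format)
    enabled: bool = True


@dataclass
class SyncResult:
    renamed: list = field(default_factory=list)
    disabled: list = field(default_factory=list)
    untouched: list = field(default_factory=list)


def synchronize(local_groups, aad_groups, aad_reachable=True):
    """Run the Synchronize step over the local records.

    aad_groups maps Security identifier -> current display name in Azure AD
    (a constructed stand-in for the directory lookup). Records are only ever
    renamed or disabled: nothing is created and nothing is deleted.
    """
    result = SyncResult()
    if not aad_reachable:
        # A transient connection problem must not be mistaken for
        # "every group was deleted"; leave all records as they are.
        return result
    for g in local_groups:
        current_name = aad_groups.get(g.security_identifier)
        if current_name is None:
            # Group no longer exists in Azure AD: disable, keep for review.
            if g.enabled:
                g.enabled = False
                result.disabled.append(g.group_id)
            else:
                result.untouched.append(g.group_id)
        elif current_name != g.name:
            # Same Security identifier, new display name: pick up the rename.
            g.name = current_name
            result.renamed.append(g.group_id)
        else:
            result.untouched.append(g.group_id)
    return result


def import_group(local_groups, group_id, name, security_identifier):
    """Model of the Import groups link: creates a record with a unique internal ID."""
    if any(g.group_id == group_id for g in local_groups):
        raise ValueError(f"internal ID {group_id!r} is already in use")
    g = LocalGroup(group_id, name, security_identifier)
    local_groups.append(g)
    return g


def role_assignment_applies(local_group, sign_in_group_sids):
    """Role assignment is resolved on the Security identifier, never on the name."""
    return local_group.enabled and local_group.security_identifier in sign_in_group_sids


def demo():
    """Walk through the scenarios from the post with constructed data."""
    groups = []
    import_group(groups, "ACC-NL", "Accountant Netherlands", "sid-nl-0001")
    import_group(groups, "ACC-US", "Accountant USA", "sid-us-0001")

    # Rename in Azure AD to the ISO-3 convention; the SID is unchanged.
    renamed = synchronize(groups, {"sid-nl-0001": "Accountant NLD",
                                   "sid-us-0001": "Accountant USA"})
    # Accountant USA deleted in Azure AD: disabled, not deleted.
    disabled = synchronize(groups, {"sid-nl-0001": "Accountant NLD"})
    # Recreated with the same name gets a new SID; old ID collides, new ID works,
    # and the old record's role assignment does not match the new SID.
    recreated = import_group(groups, "ACC-US2", "Accountant USA", "sid-us-0002")
    return renamed, disabled, groups, recreated


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces the post: the NLD record is renamed, the USA record is disabled rather than removed, the recreated Azure AD group can only be imported under a new internal ID, and a sign-in carrying the new Security identifier does not match the old, disabled record.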
I hope you liked this post and that it adds value to your daily work as a professional. If you have related questions or feedback, don't hesitate to use the Comment feature below.
That’s all for now. Till next time!