26. 03. 2025 Liviu Cruceriu Dynamics 365, Microsoft, Power Platform

On-demand Full Synchronization from ENTRA Security Group to Dynamics 365 (PPAC)

In the world of Dynamics 365 and Power Platform administration, ensuring users have timely access to environments is a common challenge. The standard synchronization process between Azure Entra security groups and Power Platform environments can sometimes leave administrators waiting longer than desired, especially when onboarding multiple users simultaneously.

The Challenge

We’ve all been there – you’ve added several users to your Azure Entra security group, but they’re still waiting for access to the Power Platform environment. The typical synchronization process through the Power Platform Admin Center (PPAC) works well for routine operations, but falls short in scenarios where:

  • You need to synchronize a large number of users without delay
  • Users require immediate access to critical business applications
  • You’re managing multiple environments with different security groups
  • Administrators need to configure user settings, roles, and security, but can’t do so while users are disabled in PPAC

On-demand sync also helps with a few other known issues, covered in the guidance on troubleshooting user access issues for different environments.

Implementation Guide

I’ve put together a small PowerShell script that forces the immediate synchronization of all enabled users from an Azure Entra security group to a Power Platform CRM environment.

Ready to implement this solution in your environment? Here’s how to get started:

Prerequisites

Before running the script, ensure you have:

  • PowerShell 5.1 or later installed
  • Sufficient permissions in both Azure Entra (User Administrator) and Power Platform (Environment Admin)
  • The GUID of your Power Platform environment

How It Works

The script works through several well-defined stages:

  1. Environment preparation: Checks for and installs the required PowerShell modules (AzureAD and Microsoft.PowerApps.Administration.PowerShell)
  2. Service connection: Establishes authenticated connections to Azure Entra and Power Platform services
  3. Security group retrieval: Identifies the security group associated with the specified Power Platform environment
  4. User enumeration: Gets all enabled users from the security group
  5. Synchronized updates: Forces synchronization of each user to the Power Platform environment
  6. Status reporting: Provides detailed feedback on the success or failure of each synchronization

The Code

Let’s explore some key sections of the script to understand how it works:

Module Installation and Connection

The script first ensures that all required modules are installed and that proper connections to Azure AD and Power Platform are established:

# Check if AzureAD module is installed
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Write-Host "AzureAD module not found. Installing..." -ForegroundColor Yellow
    Install-Module -Name AzureAD -Force -Scope CurrentUser
}

# Connect to Azure AD (if not already connected)
try {
    Get-AzureADTenantDetail | Out-Null
} catch {
    Connect-AzureAD
}

This approach makes the script more resilient by handling dependencies automatically.

Security Group Identification

The script retrieves the security group associated with the specified Power Platform environment:

# Retrieve the Security Group Object ID for the specified environment
$groupId = (Get-AdminPowerAppEnvironment -EnvironmentName $environmentName).SecurityGroupId

User Synchronization

The core functionality focuses on synchronizing only enabled users:

# Get members of the Azure AD group who are enabled
$groupMembers = Get-AzureADGroupMember -ObjectId $groupId -All $true | Where-Object AccountEnabled -eq $true

# Iterate over each group member to force sync
$groupMembers | ForEach-Object {
    # Display the UPN of the user being synced
    Write-Host "Force sync for: $($PSItem.UserPrincipalName)" -ForegroundColor Yellow
    
    try {
        # Attempt to sync the user in PowerPlatform
        Add-AdminPowerAppsSyncUser -EnvironmentName $environmentName -PrincipalObjectId $PSItem.ObjectId -ErrorAction Stop | Out-Null
        Write-Host "   Sync ok" -ForegroundColor Green
    } catch {
        # Output the error message if the sync fails (inside catch, $PSItem is the error record, not the user)
        Write-Host "   Sync failed: $($PSItem.Exception.Message)" -ForegroundColor Red
    }
}

Running the Script

  1. Save the script to your local machine as SyncUsersPPACFromADSG.ps1
  2. Open PowerShell (with administrative privileges required only if the modules are not already installed)
  3. Navigate to the directory containing the script
  4. Execute the script using .\SyncUsersPPACFromADSG.ps1
  5. When prompted, enter the GUID of your Power Platform environment

Understanding the Output

As the script runs, you’ll see detailed information about:

  • The number of enabled users found in the security group
  • Each user being synchronized (identified by UserPrincipalName)
  • The status of each synchronization attempt (success or failure)

Adding Custom Logic

The base script provides an excellent starting point, but the real power comes from adapting it to your specific needs. Here are some ways you can extend and customize the script for your environment:

1. Building a Custom Synchronization Solution

While the provided script works well for on-demand synchronization, you might want to build your own solution that integrates with your existing tooling. For example:

  • Create a reusable function, Sync-PowerPlatformUsers, that can be imported as a module
  • Return the sync results for further processing
  • Call it from other scripts or modules:

$syncResults = Sync-PowerPlatformUsers -EnvironmentId "your-environment-guid"

2. Adding Logging and Notifications

Enhance the script with comprehensive logging and with notifications or e-mails when a run completes or a sync fails.

3. Adding Validation and Error Handling

Implement robust validation and error handling:

# Validate environment exists before proceeding
try {
    $environment = Get-AdminPowerAppEnvironment -EnvironmentName $environmentName -ErrorAction Stop
    Write-Host "Found environment: $($environment.DisplayName)" -ForegroundColor Green
} catch {
    Write-Host "Environment not found or access denied. Error: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

# Validate that the security group has members before proceeding
if ($groupMembers.Count -eq 0) {
    Write-Host "No enabled users found in the security group. Nothing to synchronize." -ForegroundColor Yellow
    exit 0
}

# Additional diagnostics based on your needs
# Enhanced error collection for troubleshooting
# Export error details for troubleshooting or support cases

4. Implementation for Specific Business Requirements

You can also add custom business logic to filter or process users differently:

# Filter users based on department or other attributes
# Skip users with specific titles or departments if needed
# Skip users who were created very recently (might not be fully propagated)
# Process users in batches with progress tracking
# Process batch with parallel jobs for faster execution
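As an added example (not part of the original post or its script), here is a Sync-PowerPlatformUsers function that combines the ideas from sections 1, 3 and 4 above: it validates the environment, filters by department and account age, processes users in batches with progress reporting, supports -WhatIf, and returns one result object per user instead of only writing to the console. It assumes the same AzureAD and Microsoft.PowerApps.Administration.PowerShell cmdlets the post uses, already-authenticated sessions, and that the AzureAD module exposes the account creation time through ExtensionProperty['createdDateTime']; the parameter names are assumptions of this example.

```powershell
function Sync-PowerPlatformUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $EnvironmentId,
        [string[]] $ExcludeDepartment = @(),   # e.g. 'External', 'Contractors'
        [int] $MinAccountAgeHours = 0,         # skip freshly created accounts
        [int] $BatchSize = 25
    )

    # Fail early if the environment does not exist or the caller cannot read it
    $environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentId -ErrorAction Stop
    $groupId = $environment.SecurityGroupId
    if (-not $groupId) { throw "Environment '$($environment.DisplayName)' has no security group." }

    # Keep only enabled user objects; nested groups and service principals are skipped
    $cutoff  = (Get-Date).ToUniversalTime().AddHours(-$MinAccountAgeHours)
    $members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true |
        Where-Object { $_.ObjectType -eq 'User' -and $_.AccountEnabled } |
        Where-Object { $ExcludeDepartment -notcontains $_.Department } |
        Where-Object {
            # Assumption: the AzureAD module exposes createdDateTime via ExtensionProperty
            $created = $_.ExtensionProperty['createdDateTime']
            (-not $created) -or ([datetime]$created -le $cutoff)
        })

    $results = New-Object System.Collections.Generic.List[object]
    for ($i = 0; $i -lt $members.Count; $i += $BatchSize) {
        # Process one batch at a time and report progress per batch
        $batch = $members[$i..([math]::Min($i + $BatchSize, $members.Count) - 1)]
        Write-Progress -Activity 'Syncing users' -Status "$i of $($members.Count)" `
            -PercentComplete (100 * $i / $members.Count)
        foreach ($user in $batch) {
            $status = 'Skipped'; $errorText = $null
            if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Force sync')) {
                try {
                    Add-AdminPowerAppsSyncUser -EnvironmentName $EnvironmentId `
                        -PrincipalObjectId $user.ObjectId -ErrorAction Stop | Out-Null
                    $status = 'Synced'
                } catch { $status = 'Failed'; $errorText = $_.Exception.Message }
            }
            $results.Add([pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName; Department = $user.Department
                Status = $status; Error = $errorText; Timestamp = Get-Date
            })
        }
    }
    Write-Progress -Activity 'Syncing users' -Completed
    return $results
}
```

Calling Sync-PowerPlatformUsers -EnvironmentId '<environment-guid>' -ExcludeDepartment 'External' -WhatIf previews the affected accounts without invoking the sync cmdlet; without -WhatIf, piping the returned objects to Export-Csv gives the error export for support cases mentioned in section 3.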

These enhancements transform the basic script into a robust, enterprise-ready solution that can be integrated into your broader Power Platform management strategy.

Conclusion

The default behavior of Power Platform CRM, which disables users after an environment copy and only enables them upon individual login, creates a significant roadblock in development, testing, and training workflows. This seemingly small limitation can cause cascading delays and administrative headaches throughout your project lifecycle.

By leveraging the Power Platform Force User Synchronization script, you can overcome this limitation and take control of your environment management process. The script provides a simple yet powerful solution that proactively enables all eligible users from your Azure AD security group, making your newly copied environments immediately usable for configuration and testing.

This approach aligns with best practices in DevOps and CI/CD for Power Platform, where automation eliminates manual steps and reduces wait times between phases of your development cycle. Whether you’re creating a single testing environment or managing a complex multi-environment ecosystem, this script helps ensure your environments are ready when you need them, with all users properly enabled and configured.

Author

Liviu Cruceriu

Leave a Reply

Your email address will not be published. Required fields are marked *

Archive