Search code examples
power-platform

New environment has all users added by default and cannot remove users?

I have created a new environment where I only want a sub set of people to be able to create apps and flows. However it seems like everybody is added by default and cannot be removed?

enter image description here

Solution

  • This is the expected functionality. When you create a Dataverse database in an environment all licensed users will be added. Users do not have any access to the database unless you assign them a security role.

    Once a user is added to the Dataverse database that user record cannot be deleted. They can be inactivated, but not deleted.

    You can control this behavior by defining a security group at the time of database creation. If you define a security group only the members of the security group will be added as users to the database.

    When creating the database you can assign a security group:

    Assign Security Group to Database

    From https://learn.microsoft.com/en-us/power-platform/admin/control-user-access:

    • When users are added to the security group, they are added to the Dataverse environment.
    • When users are removed from the group, they are disabled in the Dataverse environment.
    • When a security group is associated with an existing environment with users, all users in the environment that are not members of the group will be disabled.
    • If a Dataverse environment does not have an associated security group, all users with a Dataverse license (customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), Power Automate, Power Apps, etc.) or per app plan will be created as users and enabled in the environment.
    • If a security group is associated with an environment, only users with Dataverse licenses or per app plan that are members of the environment security group will be created as users in the Dataverse environment.
    • When you assign a security group to an environment, that environment will not show up in home.dynamics.com for users not in the group.
    • If you do not assign a security group to an environment, the environment will show up in home.dynamics.com even for those who have not been assigned a security role in that Dataverse environment.
    • If you do not specify a security group, all users who have a Dataverse license (customer engagement apps (such as Dynamics 365 Sales and Customer Service)) or per app plan will be added to the new environment.
    • New: Security groups cannot be assigned to default and developer environment types. If you've already assigned a security group to your default or developer environment, we recommend removing it since the default environment is intended to be shared with all users in the tenant and the developer environment is intended for use by only the owner of the environment.
    • Dataverse environments support associating the following group types: Security and Microsoft 365. Associating other group types is not supported.