Security Roles – The 3 Phases

Security Roles the least fun part about Power Platform – Dataverse / Dynamics 365. I would rather use hours finding the right ICON for every single custom entity😂. Yet security roles happen to be the pilar of why our platform is so much more powerful than other technical platforms.

I find that my approach to security roles almost always ends up the same way when I deliver new solutions. Therefore I thought I would share a bit of what goes through my mind in the different stages:)

1. Creating the role

There are many blogs about creating roles, and recently we even received a new modern way of modifying security roles. I’m not going to cover the hows, but you can pick up a few tips from the following blogs:

Blogs about the new ways of creating roles:
https://learn.microsoft.com/en-us/power-platform/admin/security-roles-privileges
https://malindonosomartnes.com/2023/06/29/new-security-roles-admin/
https://nishantrana.me/2023/05/01/manage-security-roles-using-the-new-modern-ui-preview-power-platform-admin-center/

What I do want to share is my personal opinion on where to start. As you know I mostly work with Dynamics 365 and not pure Power Platform environments. If I am delivering a Sales solution I almost always start off by copying the Salesperson’s security role.

Don’t ever start a security role from scratch. It’s simply not worth the time.

So for Dynamics sales I would typically just copy the Salesperson as a start

And for Power Platform I might start with Basic User as a start.

A typical error I do is hoping that I can end up with a single security role to make things simple. Pushing all users into the same role because why not. I am one for more access to users, and depend on teaching people to handle data with respect. Within the first few weeks, you soon realize that you probably need an admin role for administrative tasks.

PS: One thing I always do is of course to limit any delete actions for ALL users the first few weeks so that they don’t blame the system for GHOST deleting items. Yes, that has happened! 🤷‍♂️

2. Assigning the role

After hours of banging your head on the wall, trying to figure out what security privileges you are missing for the application to work as expected, you arrive at the next task of assigning the security roles to the users.

The next error that I have done more than once is thinking that we can manage the security roles directly on the user. To begin with I use a tool like XrmToolBox to deploy roles to multiple users at the same time, but a few weeks/months down the line people hired/fired/re-org having to make these changes often is going to take way too much time. Having to bill for these changes is also going to be frowned upon because it’s “just a simple task”.

Traditionally this has been very straightforward for the sales and customer service users, but lately, this is becoming more and more of a challenge. With the release of new functions, you will soon understand that keeping up with security roles is almost impossible. With new solutions from Microsoft being installed automatically, you might also see a few security roles to follow along. Examples of this would be the Forecasting functionality to sales.

Normally one would think “Let’s just add these to the main security role for all users” BUT there are times when the actual security role ID/Name is the one opening up the functionality.

The Dynamics 365 app for Outlook User is one of these apps I believe. In order to actually qualify for the app deployment, you need this security role.

So my first initial thought that one user could have “Salesperson” as a single role with all of the functionality is now turning into a nightmare handling pr user. I now have to manage lots and lots of users/changes etc while trying to maintain the correct roles given.
The image below is just an example

3. Structuring the security roles with teams

This leads us to the final phase of security roles for me, where I realize that I should have done things right from the beginning. Using the extra time early on so that I save time when the project is live😤

Just like marketing people are oddly obsessed with personas, we have to think about what types of users do we expect to see in Dynamics / Power Platform. In a simple solution, you could easily have the following personas.

Sales User
Sales Admin
Marketing user

Dynamics users are well aware of teams being able to connect security roles, but Power Platform users are not always aware of this.

Create a team, add users, and then add the security roles. This is a much simpler way of managing changes in security roles because changes only need to happen in 1 place.

⛔Hold up⛔

The problem with this solution is that Dynamics / Power Platform consultant or someone familiar with Dynamics / Power Platform needs to make these changes. In a worst-case scenario, a company would have IT create a user and assign a license. THEN they would have to contact other consultants to add security roles or add someone to the team for correct access. This method is flawed and will at some time become a problem. Microsoft has fortunately given us a great solution for this.

✅Solution✅ – AAD Security Groups / Entra Identity Security Group

I am not going to cover how to create a security group in AD and later on, add it to Dynamics / Dataverse. Have a look at the following posts for these tasks:

https://learn.microsoft.com/en-us/power-platform/admin/manage-group-teams#create-a-group-team
https://forwardforever.com/how-groups-teams-work-in-power-apps-dataverse/

What I think is so important about the Security Group is that it removes the burden of access from the Dynamics / Power Platform consultant, and puts it in the hands of IT managing general access to all systems in AD. This just makes so much more sense, because these people normally do the on/off-boarding for all technical aspects. All you have to worry about is that security roles are given to the correct team.

Within Dynamics / Dataverse there is no difference in how to assign security roles BUT there is a major difference in having the members auto-populated based on AD security groups.

Moral of the story

Use Security Groups unless you have a very good reason not to 😘

Dynamics 365 – Adding products issue

This might be the dumbest blog in a while, but I am adding it in case others have problems with the same issue.

Recently I needed to add new products to the product table of Dynamics, and the buttons for adding the products/families were gone.

I of course had to look at the documentation in case there was something obvious I was missing. The documentation only wanted to ensure that I had a license + security role.

All of this was checking out on my side as I had a license and I was an administrator. Still, I was desperate trying to understand such a stupid issue that I made sure I had enough roles:

Eventually, I got some help from friends, and a huge thank you to Vivian Voss for pointing me in the right direction. First I was told to check the “obvious”.

Are you able to configure products via the old UI?
Vivian Voss

Well, turns out I was.

Solution?

Go to the Default Solution of configuration and make sure that “read only” was not on for the product table in the new UI😂😂🤷‍♂️🤷‍♀️🤷

The only thing that I can think of is an update from Microsoft changing this value for some odd reason. The fact that it is read-only in the Unified Client makes no sense, but hey. Not the first time something like that has happened.. hehe.

Just make sure this is OFF, Save changes, and then publish the table. You should be able to configure products again.

Dynamics 365 AI code with ChatGPT

By now I am sure most of you have heard about ChatGPT. The AI product is pouring out surprisingly intelligent responses to all sorts of questions that people all around the world have given it lately.

There have been examples of the tool writing papers for school, creating blog posts for people, and helping formulate fairly complex text for webpages and marketers. One thing that someone tipped me off about was the ability to write code, and I was a bit curious as to what that would mean.

So one of the many gaps in my knowledge is specifically regarding Plugins. A plugin is a piece of backend code that runs in real time when triggers occur in Dataverse. I tried doing a little plugin with some help a few years ago and wrote about it on the Company Blog – Plugin in 1 hour.

I was curious how ChatGPT would do with a similar issue, so I took it for a spin😊

Question

First off I started out with a question that you write the same way you would anything Google/Yahoo/AltaVista/Bing/AskJeeves/DuckDuckGo/etc etc etc

The response I get is fairly spot on. Certainly, some will comment about something not being 100% accurate here, but this is more than good enough and quite well-written!

This wasn’t exactly what I was hoping for, so I asked a follow-up question to my original question.

It thought for a few moments before it started spitting out CODE!! 🤯🤯🤯🤯 (above is just a snip of the total code. I put it all in a code box below).

using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;
using System;
using System.Linq;

namespace MyPlugins
{
    public class SumProductValues : IPlugin
    {
        public void Execute(IServiceProvider serviceProvider)
        {
            // Obtain the execution context from the service provider.
            IPluginExecutionContext context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));

            // Obtain the organization service reference which you will need for CRUD operations.
            IOrganizationServiceFactory serviceFactory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
            IOrganizationService service = serviceFactory.CreateOrganizationService(context.UserId);

            // Retrieve the Opportunity record that the plugin is running against.
            Entity opportunity = (Entity)context.InputParameters["Target"];

            // Create a query to retrieve the related products.
            QueryExpression query = new QueryExpression
            {
                EntityName = "product",
                ColumnSet = new ColumnSet("productid", "price"),
                Criteria = new FilterExpression
                {
                    Conditions =
                    {
                        new ConditionExpression
                        {
                            AttributeName = "parent_opportunity_id",
                            Operator = ConditionOperator.Equal,
                            Values = { opportunity.Id }
                        }
                    }
                }
            };

            // Retrieve the related products.
            EntityCollection products = service.RetrieveMultiple(query);

            // Sum up the value of the products.
            decimal totalPrice = products.Entities.Sum(product => product.GetAttributeValue<Money>("price").Value);

            // Update the Total Price field of the Opportunity record.
            opportunity["totalprice"] = new Money(totalPrice);
            service.Update(opportunity);
        }
    }
}

🤯🤯🤯🤯

At this point, I was extremely excited to see that the result is pretty darn good. Sure the trigger here is based on Opportunity, and not the opportunity product, but that is beside the point. It seems that I could have formulated my question in a way that I would have understood it correctly. This is actual usable code for a plugin that could run on Opportunity level to update the sum of all Opportunity products.

Not really sure what more to write about this ATM.. Still trying to wrap my head around it all for now.

Custom Page – Opportunity Close Solution Download

Initially, I was just going to explore some possibilities with Custom Pages, but decided to make a solution out of it instead. This way you can just download the solution and do the required modifications for your project (GIPHY API key), and you are good to go😁

I am really excited to hear your feedback after seeing/trying this out, and hopefully, I will be able to make it a lot better in next revisions of the Custom Page!

Go to my GitHub to get a hold of the solution. It’s a pretty “thin” solution that should be easy to configure and easy to delete if you no longer need it.

💾 DOWNLOAD 💾

I have also included a video displaying how you install and use the solution

Installation and setup

Because of ribbon changes, I was forced to create a managed solution for this. The only way it wouldn’t overwrite the current opportunity ribbon.

If you want to play around with the solution, download the unmanaged. Just make sure you don’t have any other ribbon customizations on Opportunity. If you do back it up first!!

For everyone else, you have to download the managed solution to be on the safe side.

On my Gihub page I have written what components get installed, so you can easily remove it all at a later point in time.

Custom Page – Teams Integration

Did you think my last post was the final stage of the “Custom Page – Win Notification“? Of course not!! We have one more important step to complete the whole solution.

I am all about salespeople being able to boast about their sales. If you meet a salesperson who doesn’t love to brag about closing, are they even in sales? 😉

Communication is key when you work in organizations of any size and location Onprem/Online/Hybrid. Doesn’t matter where you work, we can all agree that spreading the word around, and making sure everyone gets the latest news is hard. Microsoft is making it pretty obvious that Teams is a preferred channel, so that’s where I also wanted to focus my energy.

Notify the team

I decided to extend the solution a bit to reuse the GIF that we got from the last closing screen, and include it in the Teams integration that I wrote about earlier in the Adaptive Cards.

The first thing I did was to add a new group of fields for the Teams notification. I wanted to let the user choose if they wanted to post the sales to Teams or not. The obvious reason is that some opportunities might have to be reopened, and you don’t want the credit 2 times etc. It’s just a simple logo, text and boolean field.

The next step is adding the variable BoolPostTeams to the run statement of the Power Automate when I click “Confirm Win”.

On the Flow side of things, I will now receive 1 more variable that I can handle. Because I wanted to use the bool type, I have to convert the string “true/false” to a boolean

bool(triggerBody()['Initializevariable2_Value'])

What team are we updating?

Glad you asked 😉 A part of the solution is to include a Team ID and Channel ID. I added these fields to the Business Unit Table. When we store the Teams/Channel ID’s at this level, we can reuse the same solution for several teams in an organization without having to hard code anything.

These are simple text fields that will hold the unique values to the Team and the Channel you want to notify.

NB! A tip for getting the Teams ID and the Channel ID:
Add the Team and Channel via the drop-down selector (flow step below). Then open the “peek code” to see what the ID’s of the teams are. If you don’t understand this step, just have a look at my video in the final post of the series 🎥

Back to the flow!

We update the get Opportunity with extra linked tables. This way we don’t have to do multiple retrieves, and only get the fields we need from the linked tables.

parentaccountid($select=name), owninguser($select=fullname, internalemailaddress), owningbusinessunit($select=saleswin_teamschannelid,saleswin_teamsid)

After we update the opportunity as closed with our Custom Action “close opportunity”, we check if the close dialog wanted to notify the team.

Then we need to get the @mention tag for the given user that made the sales. Here I am using the email address from the SystemUser table we are getting from the Opportunity extended table.

Finally, we post the Adaptive Card to Teams and behold the wonder of the adaptive card!! 💘

{
    "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
    "type": "AdaptiveCard",
    "version": "1.2",
    "body": [
        {
            "speak": "Sales Morale Boost",
            "type": "ColumnSet",
            "columns": [
                {
                    "type": "Column",
                    "width": 8,
                    "items": [
                        {
                            "type": "TextBlock",
                            "text": "🚨WIN ALERT🚨",
                            "weight": "Bolder",
                            "size": "ExtraLarge",
                            "spacing": "None",
                            "wrap": true,
                            "horizontalAlignment": "Center",
                            "color": "Attention",
                            "fontType": "Default"
                        },
                        {
                            "type": "TextBlock",
                            "text": "@{outputs('GetOpptyInfomation')?['body/name']}",
                            "wrap": true,
                            "size": "Large",
                            "weight": "Bolder",
                            "horizontalAlignment": "Center"
                        },
                        {
                            "type": "ColumnSet",
                            "columns": [
                                {
                                    "type": "Column",
                                    "width": 25,
                                    "items": [
                                        {
                                            "type": "TextBlock",
                                            "text": "🏠 Kunde",
                                            "wrap": true,
                                            "size": "Large",
                                            "weight": "Bolder",
                                            "horizontalAlignment": "Right"
                                        },
                                        {
                                            "type": "TextBlock",
                                            "text": "💲 Verdi",
                                            "wrap": true,
                                            "size": "Large",
                                            "weight": "Bolder",
                                            "horizontalAlignment": "Right"
                                        },
                                        {
                                            "type": "TextBlock",
                                            "text": "👩‍🦲 Selger",
                                            "wrap": true,
                                            "size": "Large",
                                            "weight": "Bolder",
                                            "horizontalAlignment": "Right"
                                        }
                                    ]
                                },
                                {
                                    "type": "Column",
                                    "width": 50,
                                    "items": [
                                        {
                                            "type": "TextBlock",
                                            "text": "@{outputs('GetOpptyInfomation')?['body/parentaccountid/name']}",
                                            "size": "Large",
                                            "weight": "Bolder"
                                        },
                                        {
                                            "type": "TextBlock",
                                            "text": "@{outputs('GetOpptyInfomation')?['body/actualvalue']}",
                                            "weight": "Bolder",
                                            "size": "Large"
                                        },
                                        {
                                            "type": "TextBlock",
                                            "text": "@{outputs('Get_an_@mention_token_for_a_user')?['body/atMention']}",
                                            "weight": "Bolder",
                                            "size": "Large"
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            ]
        },
        {
            "type": "Image",
            "url": "@{body('Parse_JSON')?['data']?['images']?['original']?['url']}",
            "horizontalAlignment": "Center"
        }
    ]
}

Now, this is what an opportunity close dialog should look like!! 🙏🏆🌟🎉

Custom Page – Open Custom Page with Ribbon Button

I am using Dynamics 365 as an example, but the process will be the same for Power Apps – Model Driven. Only difference is that Dynamics 365 has the Opportunity table that we are wanting to use.

If you want to learn more about Custom pages I suggest you look at the following posts:
Scott Durrow
Lisa Crosby
MCJ
Microsoft Custom Pages

I have also added the simple button setup to Github, if you just want to give it a go.
👉DOWNLOAD SIMPLE BUTTON HERE👈

Creating an app and adding the button

Start off by adding an app to a solution and giving it a proper name. In my case, I am choosing Sales Win, because I am creating a simple app for everyone to see the functionality. You could of course just add this to your existing app if that is what you want to do.

For the tricky part, you need to open the Command Bar. This is essentially Ribbon Workbench jr😉 In time I would only imagine that most of the Ribbon Workbench would be available here, but we are probably still a few years away from a complete transition here.

Choose the main form for this exercise, and then create a new Command. Command is actually a button. Why it’s called Command I’m not sure as we all are used to add buttons to a ribbon🤷‍♂️

On the right side, you can add an image, and I usually find mine through SVG’s online.
SVG’s for download <- a blog post I wrote about the topic. Add this as a webresource.

Now, we are going to have to create some JavaScript. It’s actually the only way to open a Custom Page. The JavaScript is pretty “simple”, and I will provide you with the copy-paste version.

JavaScript

🛑BEFORE YOU STOP READING BECAUSE OF JAVASCRIPT🛑

I will provide the JavaScript you need. Unfortunately, you will still need to understand how to copy-paste some script for stuff like custom pages to work.

The only parameter you have to change here if you are creating everything from scratch is:
name: “saleswin_saleswin_c0947” <- replace with the name of your custom page.

function CloseWON(formContext) {
    //Get Opportunity GUID and remove {}
    var recordGUID = formContext.data.entity.getId().replace(/[{}]/g, "");
    // Centered Dialog
    var pageInput = {
        pageType: "custom",
        name: "saleswin_saleswin_c0947", //Unique name of Custom page
        entityName: "opportunity",
        recordId: recordGUID,
    };
    var navigationOptions = {
        target: 2,
        position: 1,
        width: {value: 450, unit: "px"},
        height:{value: 550, unit: "px"}
    };
    Xrm.Navigation.navigateTo(pageInput, navigationOptions)
        .then(
            function () {
                // Called when the dialog closes
                formContext.data.refresh();
            }
        ).catch(
            function (error) {
                // Handle error
                alert("CANCEL");
            }
        );
}

This JavaScript opens up a custom page and sends in a GUID parameter (look at PageInput) to use within the page. This is just how Custom Pages work, so don’t try to do any magic here!

Other examples of how to load a custom page:
Microsoft Docs Custom Page

Hide-Show button

It’s important to hide or show the button at the correct times, and that is why you have to add logic. With the following function, the button is only visible when the Opportunity is in edit mode. When creating a new Opportunity you will not see this button.

Self.Selected.State = FormMode.Edit

Add a new page to your solution

A custom page is a lot like a Canvas App, but it’s not exactly the same. Not all functionality is the same as a Canvas App, so you need to get familiar with it first.

The first thing I noticed was the lack of multiple screens.

It seems not impossible to add more screens, but Microsoft has hidden this feature. The reason seems to be related to isolating a Screen to be a specific application. Might make sense, but not for my use case. It does make somewhat sense because a Custom Page can be opened from everywhere within Model Driven Apps. It’s actually not tied to anything (entity) at all. If you need to turn it on: 👇

Please don’t judge this Canvas App ATM. It will only get better over time 😂

I added labels and text boxes without any logic to them yet and added a data source for Opportunities. This is all for the next step of our configuration of the Sales Win dialog.

Last step (maybe the most important one)

We now need to add the custom page to the APP.

Make sure you UNCHECK the “Show in navigation”. Otherwise, you will see this page as a navigation option on the left side like account, contact, oppty etc.

Finally, publish in the ribbon editor

What have we achieved so far?

Once the button is pushed, the Custom Page loads. 🙏👍🎉

Dynamics 365 App for Outlook button

Tiny blog for a tiny button 😂 This is only relevant if you have users that work in Outlook Web. Every now and then I do encounter a few Apple users that prefer the Outlook Web, even though it works well with Outlook for Mac.

Outlook client

If you use the Outlook client you know the button from the ribbon. Click the button do load the client.

Outlook Web.

OOTB the Dynamics client is hidden once it is deployed for the user. Only way to find it is to open the actual email and choose the ellipsis

Great thing is that we can change the order of the buttons:)

Solution

Open the Outlook Web settings and choose “View All Outlook Settings”.

Find the Dynamics 365 button in the Customize Actions and click save.

You now have the button easily accessible 🤗

Dynamics 365 Teams Document Locations – Where art thou?🤷‍♂️

Even though we all wish it wasn’t so, Document Locations still rule the integrations between Dynamics 365 and SharePoint. I’m not saying that I have a better idea what would be a smarter way of solving it, but it all seems a bit “2011” ish.

Last week I encountered a problem with the Document Locations for Teams, and I was surprised when I couldn’t find them in the Document Locations at first. The list only contained the SharePoint sites that the standard SharePoint connector uses.

In this list I was missing all of the Teams locations. Turns out that the view is only showing Active SHAREPOINT locations.. hehe

All you have to do is add the “MS TEAMS” to the search, and you should see all of the document locations for that also

Dynamics / Power Apps + Office App Launcher

Launching a new app or launching a new CRM system always leaves the users with the same question. Where do I find the application? At first I didn’t really understand the question, because I thought it was natural to bookmark the URL to your application ie https://www.company.crm4.dynamics.com/***** etc.

Eventually I realized that most users are actually using the waffle menu in office 365 when navigating to applications that they don’t use continuously.

They were expecting to see the application in the list when you clicked the waffle menu, because this would save them time.

Luckily this is not a problem 😊 Open the all apps, and locate the app you are looking for

And just like that you now have a quick navigation to your CRM or Power App application in the Microsoft 365 app launcher👊

Dynamics 365 form or advanced find images error

This post is almost not relevant any more due to the fact that we all will be pushed into the make.powerapps experience in “the fullness of time”, but I will still be using the classic viewer for the foreseeable future 🙂

From time to the images can get distorted due to unknown reasons. This is not a big deal as the buttons still work, but can be annoying for the users. You might have seen this in the 2 places:

Advanced find:

Form configuration:

Fix

There seem to be several ways to solve this issue, but not all seem to work the same. I have seen some options describing a cache clear in the console of the browser, but for some reason none of those worked for me. Lately I have had to open the developer tools and delete a bit more manual.

Click F12 in the browser where you see the error

Open the Application tab on the dev tools

Clear or delete anything within the storage related to dynamics.

Try to restart the browser, and hopefully that should do the trick:)