Sharing and revoking record access with Microsoft Power Automate
We recently had a requirement from a customer to remove access to supplier-based account records within Microsoft Dynamics 365 CRM. The aim was to stop the sales staff from accessing supplier account records and reviewing the communication in the timeline.
To achieve this, we came up with a solution that shares records based on the ‘account type’, a custom choice field that is required on the account form.
The setup
First of all, we created two Azure AD Security Groups called Sales Team (CRM) and Supplier Team (CRM). We could have just used standard CRM Owner teams, but as a business we try to follow Microsoft best practice and utilise the Microsoft stack where relevant.
The scenario here is that Kelly works in Sales, and Jason works with Suppliers but also needs to access Sales-based accounts.
Once the AD Security Groups were set up, we added two users, Jason and Kelly, to the Sales Team, and Jason to the Supplier Team.
These teams will now appear in Dynamics 365 CRM.
It is worth pointing out that the members of the group won't appear here until they log in to CRM.
Security
To make this work, we need to restrict the security role applied to both Kelly and Jason so they can only view user-owned accounts. Below is a screenshot of how this needs to look.
The next step is to use Power Automate to share the account records (based on account type).
The trigger for the flow is when an account is added or the account type field is modified.
We set a variable for the account (used later) and also set up a variable for the GUID of the supplier owner team we created previously.
The condition step works out if the account type value on the account record is equal to Supplier.
If it is, we share the record with the supplier owner team; if it is not, we revoke access.
Once this record is shared with the supplier owner team, Jason can see this account (as he is a member of the supplier owner team), but Kelly cannot.
Whilst not shown here, we also have another Power Automate flow that does the same thing, but instead shares (or revokes) the account record with the sales owner team if the account type equals Customer.
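The share-or-revoke decision made by the two flows described above, written out as an added example (not the flows from the original post). It assumes the sharing is done with the Dataverse Web API `GrantAccess` and `RevokeAccess` actions and a read-only access mask; the choice values, GUIDs and function names are constructed placeholders. It goes slightly beyond the post by handling both account types in one pass, so a change of account type always revokes the stale share.

```python
import json

# Constructed placeholder values (assumptions, not from the original post):
# the choice values of the custom 'account type' field and the team GUIDs.
ACCOUNT_TYPE_SUPPLIER = 100000000
ACCOUNT_TYPE_CUSTOMER = 100000001
TEAM_FOR_TYPE = {
    ACCOUNT_TYPE_SUPPLIER: "11111111-1111-1111-1111-111111111111",  # Supplier Team (CRM)
    ACCOUNT_TYPE_CUSTOMER: "22222222-2222-2222-2222-222222222222",  # Sales Team (CRM)
}


def _account(account_id):
    return {"@odata.type": "Microsoft.Dynamics.CRM.account", "accountid": account_id}


def _team(team_id):
    return {"@odata.type": "Microsoft.Dynamics.CRM.team", "teamid": team_id}


def plan_sharing(account_id, account_type):
    """Return [(action_name, body)] to run when an account is added or its type changes.

    The team mapped to the current account type is granted read access; every
    other mapped team is revoked. An unknown or empty type revokes all teams,
    so the record fails closed rather than staying shared.
    """
    plan = []
    for type_value, team_id in sorted(TEAM_FOR_TYPE.items()):
        if type_value == account_type:
            body = {
                "Target": _account(account_id),
                "PrincipalAccess": {
                    "Principal": _team(team_id),
                    "AccessMask": "ReadAccess",  # assumption: read-only share
                },
            }
            plan.append(("GrantAccess", body))
        else:
            body = {"Target": _account(account_id), "Revokee": _team(team_id)}
            plan.append(("RevokeAccess", body))
    return plan


if __name__ == "__main__":
    # Constructed account id for illustration.
    demo_id = "33333333-3333-3333-3333-333333333333"
    for action, body in plan_sharing(demo_id, ACCOUNT_TYPE_SUPPLIER):
        print(action, json.dumps(body, indent=2))
```

Each `(action, body)` pair corresponds to one unbound action call; the bodies can be compared against what the flow's run history shows when auditing who a record was shared with.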
The benefit of using Power Automate to share a record with a team is that staff within the business don’t need to remember to complete this process manually. Think about a scenario where Jason joins the sales team and no longer needs to see Supplier records: removing his access would be as easy as removing him from the Supplier Owner Team.
Using Power Automate to perform this action is a really handy way to ensure the right members of staff only get to see records that they own and that are shared with a team they are a member of.
If your business has a requirement for functionality similar to this, please reach out to us directly or talk to your account manager to set up that discussion.