Home > Dynamics 365 > Working with Azure Active Directory (AAD) Groups in Dynamics Customer Engagement

Working with Azure Active Directory (AAD) Groups in Dynamics Customer Engagement

In Dynamics 365 online, along with ‘Owner’ and ‘Access’ type, following types have been introduced in ‘Teams’.

  • AAD Security Group
  • AAD Office Group


With these new ‘Team Types’, records in Dynamics 365 can be owned by AAD Groups.

Lets understand what is Azure Active Directory (AAD) group and what’s the significance of making AAD group as owner of a Dynamics record.

  • The administrator can create Azure AD group teams that are associated to the Azure AD groups in each of the Customer Engagement and assign a security role to these group teams.
  • When members of these group teams access these environments, their access rights are automatically granted based on the group team’s security role.

Create AAD Group:

  • Make sure you have Office 365 account (Subscribe to 30 days trail here)
  • Connect to Microsoft 365 Admin Center using Office 365 credentials.
  • Create Users and assign ‘Dynamics 365 Customer Engagement Plan’ license.


  • Now connect to Azure Active Directory Portal
  • Create a new Group of type ‘Office’ and add the Users.
  • Copy the ‘Object ID’ which we need in next steps.


Create Team of type ‘AAD Office Group’:

  • Connect to Dynamics instance
  • Navigate to Settings -> Security -> Teams -> New
  • Select ‘Team Type’ as ‘AAD Office Group’ and paste the AAD Group ‘Object Id’ copied in above section.
  • Save and assign a role.


Access the Dynamics as ‘AAD Group’ Team Member:

As we created a AAD Group and a Team in Dynamics App with ‘Sales Manager’ security role, it’s time for ‘Test User 1’ to access the Dynamics Application.

  • Login to Dynamics Application as ‘Test User 1’
  • Post login, Dynamics App greeted me with ‘You need a Microsoft Dynamics 365 security role to continue’ message.


  • From the message, its clear that Dynamics App expecting ‘Test User 1’ to have a User level Security role and not honoring the Team level Security Role which he is member of.
  • We can resolve this issue by assigning ‘Sales Manager’ role to ‘Test User 1’ which means for every User of AAD group we have to on-board by assigning them an individual security role.
  • But we can make ‘Test User 1’ access Application with out assigning a Role, as we got a cool ‘Member’s privilege inheritance’ feature introduced in ‘Security Role’.

‘Member’s privilege inheritance’ in Security Role:

  • Navigate to ‘Settings -> Security -> Security Roles’
  • Open the ‘Sales Manager’ security role.
  • Change the ‘Member’s Privilege Inheritance’ to ‘Direct User (Basic) access level and Team privileges‘ and Save.


  • Refresh the Dynamics application, ‘Test User 1’ can access the records and application.


  • By setting ‘Member’s Privilege Inheritance’ to ‘Direct User (Basic) access level and Team privileges‘ makes the ‘Sales Manager’ role as both User role as well Team role.
  • This feature eliminates the need of AAD Admin to assign User level roles to individual group members.

Assign Records to ‘AAD Group’ Teams:

  • We can assign the record to ‘AAD Group’ Teams similar to ‘Owner’ Teams.






Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: