Currently, there is a bug in the Power Platform where, if a user loses access to the environment or their account gets disabled in Microsoft Entra ID, their Azure AD Groups are no longer synced with the "teammemberships" table in the Dataverse. In such cases, manual removal of teams from the user’s profile in the Admin Center is required.

The user must be manually removed from the teams at the environment level.

We have separate Microsoft Entra ID groups created for segregation of access roles. Group(s) are assigned to a user, which provides specific access rights to our model-driven app. Once the user is added to a specific Entra ID group, his "team memberships" update in the model-driven app. However, if the user's groups are removed from Entra ID or he leaves the organization (meaning his Azure account is disabled), the "team memberships" in the model-driven app are not updated/synced with Entra ID. The user must sign out and sign back in for the cache to be cleared. It goes without saying that the user is unable to sign out/sign in if his access rights are revoked; therefore his "team memberships" are never updated.

Please find Microsoft's documentation below. The part in bold is not correct or does not work as intended:

Due to the team member's privileges being derived dynamically at run-time, the team member's Microsoft Entra group memberships are cached upon the team member's log-in. This means that any Microsoft Entra group membership maintenance done on the team member in Microsoft Entra ID will not be reflected until the next time the team member logs in or when the system refreshes the cache (after 8 hours of continuous log-in).
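
As an added example, not code from the original post or from Microsoft: a small Python audit that lists the stale memberships described above, so the manual removal in the Admin Center can at least be driven from a report. It assumes the `systemusers` records were fetched from the Dataverse Web API with `$expand=teammembership_association` (the query is an assumption; `isdisabled`, `teamtype` and `azureactivedirectoryobjectid` are the documented Dataverse column names) and that each user's current Entra group ids come from Microsoft Graph; all sample data below is constructed.

```python
"""Flag Dataverse team memberships that Entra ID no longer justifies (added example)."""
from typing import Dict, Iterable, List, Set

# teamtype values of the Dataverse team table that are backed by an Entra ID group
ENTRA_BACKED_TEAM_TYPES = {2, 3}  # 2 = AAD Security Group, 3 = AAD Office Group


def find_stale_memberships(users: Iterable[dict], entra_groups: Dict[str, Set[str]]) -> List[dict]:
    """One finding per Entra-backed team a user still holds in Dataverse but should not.

    `users` is the assumed shape of systemusers expanded with teammembership_association;
    `entra_groups` maps a user's Entra object id to the group ids they are in today.
    """
    findings = []
    for user in users:
        current_groups = entra_groups.get(user.get("azureactivedirectoryobjectid"), set())
        for team in user.get("teammembership_association", []):
            if team.get("teamtype") not in ENTRA_BACKED_TEAM_TYPES:
                continue  # owner/access teams are managed inside Dataverse, not by Entra
            if user.get("isdisabled"):
                reason = "user disabled in Entra ID"
            elif team.get("azureactivedirectoryobjectid") not in current_groups:
                reason = "user no longer in the backing Entra group"
            else:
                continue  # Dataverse and Entra agree; nothing to do
            findings.append({"user": user["fullname"], "team": team["name"], "reason": reason})
    return findings


# Constructed sample data (not from a real tenant): group g-fin backs the "Finance Editors" team.
SAMPLE_USERS = [
    {"fullname": "Alice", "isdisabled": False, "azureactivedirectoryobjectid": "u-alice",
     "teammembership_association": [
         {"name": "Finance Editors", "teamtype": 2, "azureactivedirectoryobjectid": "g-fin"},
         {"name": "Org Default Team", "teamtype": 0, "azureactivedirectoryobjectid": None}]},
    {"fullname": "Bob", "isdisabled": False, "azureactivedirectoryobjectid": "u-bob",
     "teammembership_association": [
         {"name": "Finance Editors", "teamtype": 2, "azureactivedirectoryobjectid": "g-fin"}]},
    {"fullname": "Carol", "isdisabled": True, "azureactivedirectoryobjectid": "u-carol",
     "teammembership_association": [
         {"name": "Finance Editors", "teamtype": 2, "azureactivedirectoryobjectid": "g-fin"}]},
]
# Today's Entra memberships: Alice still in g-fin, Bob was removed, Carol is disabled but still listed.
SAMPLE_ENTRA_GROUPS = {"u-alice": {"g-fin"}, "u-bob": set(), "u-carol": {"g-fin"}}

if __name__ == "__main__":
    for f in find_stale_memberships(SAMPLE_USERS, SAMPLE_ENTRA_GROUPS):
        print(f"{f['user']}: remove from team '{f['team']}' ({f['reason']})")
```

Run against a real environment, the same function works on the `value` array of the expanded query once Graph's `memberOf` results are folded into the group map.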

Category: Dataverse
Status details: New