This article helps administrators diagnose and resolve common user access issues in Power Platform environments. You'll learn how to use the built-in diagnostics tool to identify problems with permissions, licenses, security roles, and group memberships that prevent users from accessing environments and resources.
To access an environment, a user must meet the following criteria:
- Be enabled for sign-in in Microsoft Entra ID.
- Have a valid license that has a Dynamics 365 or Microsoft Power Platform recognized service plan, or the environment must have active per-app plans.
- Be a member of the environment's Microsoft Entra group (if one is associated with the environment).
- Have at least one Dataverse security role assigned directly to them or to a group team they're a member of.
A user's level of access within the environment and to the resources (apps and data) in the environment is determined by the privileges defined in the security roles assigned to that user. The user's access mode (Administrative or Read-Write) also determines their level of access within an environment.
Run user diagnostics
Administrators can use the Run diagnostics feature in the Power Platform admin center to assess user access to an environment and get details and mitigation suggestions about why a user can or can't access the environment.
Follow these steps to run user access diagnostics:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Users.
3. Select a user.
4. Select Run diagnostics.
5. Review the details for the user, and take any needed corrective actions.
Note
The action of running or rerunning diagnostics forces the user information in Microsoft Entra ID to synchronize to the environment's Dataverse database to provide up-to-date status on the user's properties. If the diagnostic run doesn't eliminate the root cause of a user access issue and you need to create a support ticket, include the results of the diagnostic run in the support ticket. This information will help Microsoft Support engineers resolve your issue faster.
Assign security roles to users
When a user encounters an error screen stating they have no roles, a system administrator needs to assign roles to the user. Assign roles directly to the user or to a group team that the user is part of. For information on how to assign Dataverse security roles to a user, see Assign a security role to a user.
Troubleshoot record visibility issues
If a user has trouble accessing a record in Dataverse, check if they have the necessary privilege and access. For more information, see How access to a record is determined.
Troubleshoot license issues
Check if the user has a license. If the user doesn't have a license, assign one. For more information, see Add a license to a user account.
After assigning a license, wait for the license change to sync to the environment. To trigger a sync for this user, the system administrator for the environment can re-add the user to the environment. For more information, see Add users to an environment that has a Dataverse database.
Verify environment association and group membership
As a system administrator of the environment, verify that the environment is associated with a Microsoft Entra group. For more information, see Associate a security group with an environment.
Make sure the user with the access problem is a member of the group associated with the environment. For more information, see Create a security group and add members to the security group.
After updating user membership in the environment's group, wait for the change to sync to the environment. To trigger a sync for this user, the system administrator for the environment can re-add the user to the environment. For more information, see Add users to an environment that has a Dataverse database.
Troubleshoot permission issues
If the user doesn't have sufficient permissions to access customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), a system administrator should complete the following steps:
1. In the Power Platform admin center, select an environment.
2. Select Settings > Users + permissions > Users.
3. Open the user record.
4. Select More Commands > Manage Roles.
5. Make note of the role assigned to the user. If appropriate, select a different security role. Close the Manage Roles dialog box.
6. Select Security > Security Roles.
7. Select the security role from step 5.
8. Select Core Records.
9. Confirm that the Read permission for User Entity UI Settings is set to the User level (a yellow circle with a wedge-shaped segment).
   If the security role is missing this permission, the system administrator needs to change this setting by selecting it.

Troubleshoot unaccounted user issues
In some cases, users aren't automatically provisioned into environments.
If a user meets all access requirements but is still missing from an environment, the user might fall into one of the following cases:
- Users with only Office licenses (with Dataverse plan enabled) won't be pre-provisioned into environments.
- Owners of Microsoft Entra groups that are associated with environments won't be pre-provisioned.
- Members of Microsoft Entra groups that are part of a Group Team created for the Microsoft Entra group won't be pre-provisioned.
- Users won't be pre-provisioned into Microsoft Dataverse for Teams environments. For more information, see Users not added automatically in Dataverse.
Although these users aren't pre-provisioned, you can add them on demand. To add or refresh users on demand, see the following section.
On demand user management
As mentioned earlier, there are some scenarios where users aren't provisioned automatically. Also, environments might experience delays in showing the users' latest status. In these situations, adding or refreshing specific users on demand can help.
You can use several methods to do this:
- Just-in-time (JIT) user provisioning: When users access an environment URL, the system checks access requirements during sign-in and adds qualified users to the environment.
- User impersonation call: An impersonation call triggers a JIT sync for the user. For more information, see How to impersonate a user.
- Add users: Administrators can add or refresh users in the Power Platform admin center. For more information, see Add users to an environment.
- PowerShell cmdlets: See PowerShell support for Power Apps.
- Connectors: See Power Platform for Admins.
- Power Automate template: See Force Sync Microsoft Entra Group members to specified CDS instance.
Known issue
The system currently checks only for security roles assigned directly to a user. It doesn't check for roles inherited through group team memberships.
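The four access criteria at the top of this article, combined with the known issue above, can be evaluated offline against exported user data before opening the admin center. The following PowerShell is an added example, not Microsoft's code or the logic of the diagnostics tool; the function name, property names, and sample records are hypothetical and constructed for illustration.

```powershell
# Added example. Property names and sample records are constructed for
# illustration; they are not a Microsoft Entra or Dataverse schema.
function Test-EnvironmentAccess {
    param(
        [Parameter(Mandatory)] [pscustomobject] $User,
        [Parameter(Mandatory)] [pscustomobject] $Environment
    )
    $blockers = [System.Collections.Generic.List[string]]::new()
    $notes    = [System.Collections.Generic.List[string]]::new()

    if (-not $User.AccountEnabled) {
        $blockers.Add('Sign-in is disabled in Microsoft Entra ID.')
    }
    # Either a recognized service plan or active per-app plans is enough.
    if ((-not $User.HasRecognizedServicePlan) -and (-not $Environment.HasActivePerAppPlans)) {
        $blockers.Add('No recognized license and no active per-app plans.')
    }
    # Membership is required only when a group is associated with the environment.
    if ($Environment.SecurityGroupId -and ($User.GroupIds -notcontains $Environment.SecurityGroupId)) {
        $blockers.Add("Not a member of the environment's Microsoft Entra group.")
    }
    # Filter out nulls so a missing property counts as zero roles.
    $direct  = @($User.DirectRoles    | Where-Object { $_ })
    $viaTeam = @($User.GroupTeamRoles | Where-Object { $_ })
    if (($direct.Count -eq 0) -and ($viaTeam.Count -eq 0)) {
        $blockers.Add('No Dataverse security role, directly or through a group team.')
    }
    elseif ($direct.Count -eq 0) {
        # Known issue: only directly assigned roles are checked by the system.
        $notes.Add('Roles come only from a group team; the role check covers direct assignments only.')
    }
    [pscustomobject]@{
        User     = $User.Upn
        MeetsAll = ($blockers.Count -eq 0)
        Blockers = $blockers.ToArray()
        Notes    = $notes.ToArray()
    }
}

# Constructed sample input.
$envRecord = [pscustomobject]@{ SecurityGroupId = 'grp-sales'; HasActivePerAppPlans = $false }
$users = @(
    [pscustomobject]@{ Upn = 'alex@contoso.example'; AccountEnabled = $true; HasRecognizedServicePlan = $true
                       GroupIds = @('grp-sales'); DirectRoles = @(); GroupTeamRoles = @('Salesperson') }
    [pscustomobject]@{ Upn = 'sam@contoso.example'; AccountEnabled = $true; HasRecognizedServicePlan = $false
                       GroupIds = @('grp-hr'); DirectRoles = @('Basic User'); GroupTeamRoles = @() }
)
$users | ForEach-Object { Test-EnvironmentAccess -User $_ -Environment $envRecord } | Format-List
```

The first sample user meets every criterion but holds roles only through a group team, which is the case the known issue describes; the second fails on both the license and the group membership criteria.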