Most user-related operations in Dataverse depend on the Users table (logical name systemuser, entity set name systemusers), not directly on the list of users in Azure Active Directory. Some form of synchronization therefore has to bring a user from Azure AD into Dataverse before you can assign security roles, let the user participate in 1:N or N:N relationships, and so on.
There is an automated process that takes care of this synchronization, but the requirements and prerequisites for it to run aren't very clear. Microsoft has all of it documented across three articles:

Unfortunately, even when all of the requirements are fulfilled it can still take a long time before the automatic synchronization kicks in. Besides this "happy path", there are also a couple of scenarios in which there is no automatic synchronization at all. In those cases, users are added on demand: either when they first attempt to access the environment, or when an administrator adds them using the API or the Power Platform admin center.

Those restrictions weren't acceptable for our use cases: we couldn't wait for the sync to happen "eventually", and with "per app" passes we couldn't wait for the user to access the app first before they show up in the table. We came up with a method that uses Power Automate to trigger the synchronization on our terms.

Synchronize users with Power Automate

The preparation work

Our solution consists of two parts:

  1. A Microsoft 365 Group that contains the users that need to be synchronized. In our case, we use Dynamic Group Membership to get qualifying users in the group automatically.
  2. A Power Automate flow that triggers on membership change of the Group, and starts the synchronization action.

The Power Automate flow

You start the flow with the When a group member is added or removed trigger from the Office 365 Groups connector:

You configure it for the Microsoft 365 Group that you want to monitor, i.e. the group that contains the users you want to synchronize to Dataverse:

The trigger fires for both additions and removals. We only take action when a user is added to the group, not when one is removed, so we check for that in the flow:

And lastly, we use the Force Sync user action from the Power Platform for Admins connector to trigger the actual synchronization:

In that action, we select the appropriate Dataverse environment and pass in the Azure AD user id that we got from the trigger:

Additional use cases

Once a user exists in the systemusers table, you can take further actions on that record. We continue the flow, for example, with the following steps:

  • Assign users to the correct Business Unit
  • Update a custom field in Dataverse with the value of a custom field in Azure AD
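The same procedure (force-sync the members of a group, verify that the systemuser record actually exists, then set the Business Unit) can also be run as a script, which is handy for a one-off backfill of an existing group or for testing the prerequisites before you wire up the flow. The following PowerShell is an added example, not the flow from this article, and relies on the Microsoft.PowerApps.Administration.PowerShell and Microsoft.Graph.Groups modules. The group id, environment id, organization URL, business unit id and the Dataverse bearer token are all parameters you supply; how you obtain the token (MSAL, a service principal, etc.) is outside the example.

```powershell
# Added example (not the article's flow): force-sync group members into a
# Dataverse environment, verify the systemuser record, then set the business unit.
# Assumed inputs: $GroupId, $EnvironmentName, $OrgUrl, $DataverseToken, $BusinessUnitId.
param(
    [Parameter(Mandatory)] [string] $GroupId,          # Microsoft 365 group to mirror
    [Parameter(Mandatory)] [string] $EnvironmentName,  # environment GUID (see Get-AdminPowerAppEnvironment)
    [Parameter(Mandatory)] [string] $OrgUrl,           # e.g. https://contoso.crm4.dynamics.com (assumed)
    [Parameter(Mandatory)] [string] $DataverseToken,   # bearer token for the Dataverse Web API
    [string] $BusinessUnitId                           # optional target business unit GUID
)

Import-Module Microsoft.PowerApps.Administration.PowerShell
Import-Module Microsoft.Graph.Groups

Add-PowerAppsAccount                                   # admin sign-in for the Power Platform cmdlets
Connect-MgGraph -Scopes 'GroupMember.Read.All'         # read-only scope is enough to list members

$headers = @{
    Authorization      = "Bearer $DataverseToken"
    'OData-MaxVersion' = '4.0'
    'OData-Version'    = '4.0'
    Accept             = 'application/json'
}
$api = "$OrgUrl/api/data/v9.2"

# A group can also contain devices or service principals; only users can be synced.
$members = Get-MgGroupMember -GroupId $GroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

foreach ($member in $members) {
    $aadId = $member.Id

    # Match on the Azure AD object id, never on e-mail: UPNs get renamed, object ids don't.
    $query = "$api/systemusers?`$select=systemuserid,isdisabled&`$filter=azureactivedirectoryobjectid eq $aadId"
    $existing = (Invoke-RestMethod -Uri $query -Headers $headers -Method Get).value

    if (-not $existing) {
        # Same operation as the connector's "Force Sync user" action.
        Add-AdminPowerAppsSyncUser -EnvironmentName $EnvironmentName -PrincipalObjectId $aadId | Out-Null
        $existing = (Invoke-RestMethod -Uri $query -Headers $headers -Method Get).value
        if (-not $existing) {
            # Typical causes: no licence, or not a member of the environment's security group.
            Write-Warning "$aadId is still missing from systemuser after sync; check the prerequisites"
            continue
        }
    }

    $user = $existing[0]
    if ($user.isdisabled) {
        Write-Warning "$aadId exists in Dataverse but is disabled; skipping"
        continue
    }

    if ($BusinessUnitId) {
        # If-Match: * makes this a pure update; without it a PATCH to a missing id would upsert.
        $patchHeaders = $headers + @{ 'Content-Type' = 'application/json'; 'If-Match' = '*' }
        $body = @{ 'businessunitid@odata.bind' = "/businessunits($BusinessUnitId)" } | ConvertTo-Json
        Invoke-RestMethod -Uri "$api/systemusers($($user.systemuserid))" -Headers $patchHeaders -Method Patch -Body $body
        Write-Host "$aadId moved to business unit $BusinessUnitId"
    }
}
```

The second lookup after Add-AdminPowerAppsSyncUser is the check the flow does not give you for free: the sync call returning without error does not guarantee a systemuser row exists, so anything that follows (security roles, business unit, custom fields) should only run once the record is actually there. Changing the business unit also strips the user's security roles in Dataverse, so assign roles after that step rather than before it.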

All this automates some of the tasks I'd normally do manually when a new person joins our company. Now, when they get added to our corporate Teams team, the flow is triggered as well, so their configuration in our Dataverse applications is correct from the start. This saves time and reduces errors!