AAD Security Teams, & saving personal views

Previously I’ve touched on how it’s possible to use Azure Active Directory for Dynamics 365 security. This can be of great benefit to an organisation, especially when needing to invite in external users. The details that I go into around it can be found at Dynamics 365 Security & AAD. As I point out there, it’s a very helpful feature, and can also help with onboarding new users within an organisation.

What I’ve found out about it, however, is that there can be some very interesting little quirks with how security actually works. Originally I thought it was a bug, and raised it with Microsoft Support, but it turns out not to be. Let me take you through the journey that I experienced last week…

The scenario is as follows. We had security set up in place, which was working perfectly (or so we thought). We’d gone through all of the following steps:

  1. Create Dynamics 365 security role/s with appropriate permissions
  2. Create AAD security group
  3. Create Dynamics 365 AAD Security Team, and link it to the AAD security group
  4. Assign users to the AAD security group

This was working exceptionally well (except, of course, when the external users hadn’t followed the setup instructions correctly). Users were logging in, searching for information, creating/updating records, etc. All was good…or so we thought.

Now, the users who are actually using the application don’t have a Dynamics 365 background. It’s the first time that they’re using the specific system, and as such, are going through a learning curve. We’re not expecting them to understand the advanced functionality at this point, though some of them are indeed venturing further/deeper into the capabilities that it brings.


One of these, of course, is the Advanced Find. Now, those experienced with Dynamics 365 will know all about it. There are good points, and there are not so good points. Functionality in it has expanded over time, though to be honest it’s still easier to run a SQL query/extract for more advanced information retrieval.

Users seemed to be fine with the Advanced Find. We showed them how it works, how to filter, set up columns, etc. We even showed them how to export data to Excel, and keep a live data connection back to refresh it! Brilliant – they were most pleased.

Then I got an email in from a user needing support. They reported that they weren’t able to save custom searches. This is of course very helpful, in order to avoid having to set up the same search/layout every time. This seemed puzzling to me, and I started to take a look into it.

Always download the error log file – it can be SO useful!

I was able to replicate the problem immediately with a test user, having assigned it the same security role. Opening the log file (which can be extremely helpful at times with troubleshooting), I looked to see what the issues were. I was thinking it was a problem with security permissions – if I assigned the system administrator role to my user, everything worked just fine.

Incidentally, there’s a really good blog post at https://www.powerobjects.com/blog/2015/02/13/access-denied-identify-fix-security-role-issue/ which covers troubleshooting security role issues. I’ve used it on several occasions previously.

In my error log, there were repeated references to ‘"ObjectTypeCode":4230’. This is the View setting in the security role. I therefore went to the security role, and ensured that it was set to allow access to Saved View across all permissions:

It’s only possible to set User-level permissions for Saved Views

Right – permissions set, all should be good. Let’s go ahead & try to save an Advanced Find as a view…but no! It’s still not working, and showing the same error message!

What I then tried to do was apply the security role directly to the user, rather than through the AAD security team. To my surprise (well, not really, actually), it worked. I was able to save Advanced Find views. I changed back to the user getting permissions through the security group (i.e. not directly), and again I had the issue.

OK – so I thought I had discovered a bug. As far as I was aware, I couldn’t see any reason why the user wouldn’t be able to save the Advanced Find view. After all, they’re able to create & save records within the system. There surely shouldn’t be any difference between saving records, and saving an Advanced Find view?


My next step was to raise a support ticket with Microsoft, and then carry out the obligatory ‘show & tell’ to the support agent. Ivan (the agent assigned to my case) was very helpful, understood exactly what I was trying to accomplish, and what the issue seemed to be. I left him with the support case, and focused on trying to find a workaround for the situation.

After a few days, Ivan came back to me with a resolution. It wasn’t a bug in the system (which was a shame – I was looking forward to having it attributed to me!), but rather a specific case of permissions.

See, there’s something called ‘privilege inheritance’. In a nutshell, there are two ways of giving access through a security role:

  1. User privileges. This is when the user is given the permissions directly
  2. Team privileges. This is when the user is given the permissions as a member of the team. If they don’t have User privileges of their own, they can only create records with the team as the owner

There’s a good article on this at https://docs.microsoft.com/en-gb/power-platform/admin/security-roles-privileges#team-members-privilege-inheritance

So what was actually happening was as follows:

  • Users were able to read, create, update records without issues, as the team was the owner of these records
  • However as views need to be owned by a user (though they can be shared with a team), the user was unable to save them!

Thankfully it’s quite easy to fix – on the security role itself, you change it here:

With this then in place, everything then worked just fine. The user was still getting the role through the Security Team, but was now able to save these directly.
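The behaviour described above, as a simplified model added here (not code from the original post, and not how Dataverse itself is implemented). The class names, the `create:<table>` privilege strings and the sample user and team are hypothetical; the two inheritance labels are the options of the security role's member's privilege inheritance setting.

```python
from dataclasses import dataclass, field

# Labels of the role's privilege-inheritance setting.
TEAM_ONLY = "Team privileges only"
USER_AND_TEAM = "Direct User (Basic) access level and Team privileges"

@dataclass
class Role:
    name: str
    privileges: set                  # e.g. {"create:account"}; naming is hypothetical
    inheritance: str = TEAM_ONLY

@dataclass
class User:
    name: str
    direct_roles: list = field(default_factory=list)
    team_roles: dict = field(default_factory=dict)   # team name -> [Role, ...]

def allowed_owners(user, privilege):
    """Owners (user and/or teams) for which this user may exercise the privilege."""
    owners = set()
    if any(privilege in r.privileges for r in user.direct_roles):
        owners.add(user.name)
    for team, roles in user.team_roles.items():
        for role in roles:
            if privilege in role.privileges:
                owners.add(team)                      # the team can own the record
                if role.inheritance == USER_AND_TEAM:
                    owners.add(user.name)             # member also gets it personally
    return owners

def can_create(user, table, user_owned_only=False):
    owners = allowed_owners(user, f"create:{table}")
    # Saved views must be owned by a user, so a team-only grant is not enough.
    return user.name in owners if user_owned_only else bool(owners)

def demo():
    """Constructed scenario: one role reached only through an AAD security team."""
    role = Role("External user", {"create:account", "create:userquery"})
    user = User("test.user", team_roles={"AAD Security Team": [role]})
    before = (can_create(user, "account"), can_create(user, "userquery", True))
    role.inheritance = USER_AND_TEAM                  # the fix applied on the role
    after = (can_create(user, "account"), can_create(user, "userquery", True))
    return before, after

if __name__ == "__main__":
    print(demo())
```

Changing the inheritance setting gives every member of the team the role's user-level privileges personally, so review what else the role grants at that level before switching it.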

Quite an interesting little quirk, but one that is likely to come in useful when looking at other functionality within the system.

Have you come across this before? Have you found anything else that seems a little strange? Comment below – I’d love to hear!

Continual development in small steps

One of my resolutions for 2020 is to go out and get books to read, for self improvement – all in the name of getting better at stuff!

One of the books that I’ve read is The Phoenix Project (billed as a novel about IT, DevOps, and Helping Your Business Win). It’s been a real eye opener as to how we may currently go about projects, and what would be a much better approach. The thinking behind it is to look at how to best use DevOps.

Incidentally Tricia Sinclair has recently started talking about DevOps, and is REALLY knowledgeable on the subject. I’ve had many conversations with her, and her breadth of information and understanding is second to none. I’d really recommend that you go check out her blog at https://triciasinclair.com/.

There are several ideas/concepts that I’ve taken out of it. One of the main ones (as far as I’m concerned) is about continual improvement, and doing this in small steps.

It’s not about massive changes in life. It’s about identifying something (small) that can be changed/modified, and implementing a new regime around it, or a new way of doing it. This way you can train yourself into a new habit, which will take you forward. Once it’s settled in, pick something else, and then work on that.

The effect will be gradual, but it’ll be noticeable in being better at whatever it is that you’re addressing. It doesn’t just stop there though – improvement in ONE area has shown a noticeable marked improvement in OTHER areas as well across the board.

This concept doesn’t just apply to personal habits – it also applies to technology. Gone are the days (for most people!) when the next updates and/or items were released just in new product versions, or major updates.

Yes, it’s true that there are two major releases each year for Dynamics and Power Platform (Spring/Fall), but the Microsoft Development Teams don’t work on items and then queue them all up for the major release.

Instead there are items that are released as soon as they’re ready (take a look at https://thecrm.ninja/required-fields-on-forms-what-did-you-forget-to-fill-in/ for an example of this). This is why you’ll be using the system, and suddenly notice that you don’t have as many steps to carry out, or something looks better and works faster, etc.

Every member of the team should feel that their input is valued, and able to be used – this will reinforce the team status. In the Toyota Way (see https://en.wikipedia.org/wiki/The_Toyota_Way for more information) quality takes precedence. Anyone at all, even a ‘lowly’ factory worker, is empowered to stop a production line when they’ve identified a problem.

One of the items in the ‘Toyota Way’ is called the ‘Toyota Kata’. This is a skill-building process to shift our mindset and habits from a natural tendency to jump to conclusions, to a tendency to think and work more scientifically. It’s not difficult to pick up, and recommendations are to practise it for only 10 minutes a day!

Everyone knows that making small improvements every day is good, and everyone wants to do that. But the following questions arise:

  • What to improve?
  • How to improve?
  • How will I know I am improving?

The Toyota Kata comprises 4 steps:

  • Plan. Draw up a list of things to do over the next period of time (one or two weeks). Establish objectives and processes required to deliver the desired results.
  • Do. Carry out the planned items. Small changes are usually tested, and data is gathered to see how effective the change is.
  • Check. The data and results gathered from the Do phase are evaluated. Data is compared to the expected outcomes to see any similarities and differences. The testing process is also evaluated to see if there were any changes from the original test created during the planning phase.
  • Act. This is where a process is improved upon. Records from the “Do” and “Check” phases help identify issues with the process. These issues may include problems, opportunities for improvement, inefficiencies and other issues that result in outcomes that are not optimal. The root causes of such issues are investigated, found and eliminated by modifying the process (as part of Plan in the next cycle).

Work in the Do phase of the next cycle should not cause the identified issues to recur – if it does, then the previous action was not effective.

The most obvious manifestation of the Toyota Kata is the two-week improvement cycle at Toyota itself, in which every work centre supervisor must improve something (anything!) every two weeks. Mike Rother (who wrote the book for Toyota Kata) says “The practice of kata is the act of practising a pattern so it becomes second nature. In its day to day management, Toyota teaches a way of working—a kata—that has helped make it so successful over the last six decades.”

My resolve is to do this – not only on my personal items, not only in my work environment, but also with the clients that I work with.

Let’s go out there and use this to make things better for everyone. Let’s challenge our clients and see how this can enable and empower them. Sounds crazy, right – but it could actually bring a massive benefit to project/s. Sit down with the business team/s, and get them to identify one point (that’s not too big) that can be (quickly) worked on (try using the 80/20 rule). Do the work on it, release it, and then get them to do it again. See the results and benefit from it!

Note: Don’t get them to build too much of a backlog around this, as release items may cause one or more of the backlog items to be non-relevant anymore!

You could even get managers to give a reward for coming up with ideas around this concept that have a major noticeable effect on productivity etc.

By bringing these concepts together, our clients (along with ourselves) can better understand what’s happening, bring better suggestions to the table in order to build better systems, and a much higher working co-efficient will evolve, empowering everyone!