Implement Azure Active Directory (AAD) synchronisation

Azure Active Directory (Microsoft Entra ID) synchronisation enables organisations to manage user access to Altus using centralised identity and group management.

Altus leverages Microsoft 365 / Entra ID groups in combination with Dataverse Teams to assign security roles and control access at scale.

For detailed Altus-specific guidance on setting up group-based access, refer to:
https://docs.altus.pro/products/AltusPPM/Configuration/Security/index.html#setting-up-microsoft-365-group-sync


Important: Platform & Permissions

This configuration is not managed within Altus directly.

It involves:

  • Microsoft Entra ID (Azure AD)
  • Power Platform Admin Centre

These tasks typically require:

  • Global Admin / User Admin (Microsoft Entra ID)
  • System Administrator (Power Platform)

How AAD Synchronisation Works

  • Users and groups are created in Microsoft Entra ID
  • Groups are linked to Dataverse Teams in the Power Platform environment
  • Security roles are assigned to those teams
  • Users inherit access based on their group membership

This creates a centralised, identity-driven access model aligned with organisational structure.


Key Behaviour

The following behaviours are important when working with Microsoft 365 group sync:

  • Group membership is used to control access centrally
  • Users are added to the Dataverse Team when they access the environment
  • Access permissions are applied automatically based on assigned team roles
  • Adding or removing users from the group updates their access accordingly

This behaviour ensures scalable and automated access control based on identity. [learn.microsoft.com]


High-Level Steps

  1. Create or manage users and groups in Microsoft Entra ID
  2. Navigate to Power Platform Admin Centre
  3. Select the relevant environment
  4. Create a Dataverse Team linked to the Entra ID / M365 group
  5. Assign appropriate security roles to the team
  6. Users inherit access when they access the environment

👉 For detailed Microsoft step-by-step guidance, refer to:
https://learn.microsoft.com/en-us/power-platform/admin/manage-group-teams


How This Impacts Altus

AAD synchronisation controls:

  • Who can access Altus
  • What data users can see and interact with
  • How access scales across:
    • Projects
    • Programs
    • Portfolios

It also enables:

  • Centralised onboarding and offboarding
  • Consistent role-based access
  • Alignment with enterprise identity and governance models

Key Considerations

  • Users must exist in Entra ID before gaining access
  • Group membership is the source of truth for access
  • Users may not appear in the system until they access the environment for the first time
  • Security roles must be correctly assigned to the linked team

Tips

  • Use Entra ID / M365 groups as the primary access control mechanism
  • Align groups with organisational teams or functions
  • Regularly review group membership and assigned roles
  • Apply the least privilege principle
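
The review recommended in the tips above, sketched as an added example (not Altus or Microsoft code). It runs over constructed sample exports of Entra ID groups and group-linked Dataverse Teams; the record layout, the "Sample ..." role names and the high-privilege role list are assumptions to adapt to your own exports and policy.

```python
# Added example: offline access review for group-linked Dataverse Teams.
# All records are constructed sample data; the dictionary layout and the
# "Sample ..." role names are assumptions, not a Microsoft or Altus schema.

# Roles treated as high privilege in this review (assumption; adjust to policy).
HIGH_PRIVILEGE_ROLES = {"System Administrator", "System Customizer"}

# Constructed export: Entra ID / M365 group ID -> current member sign-in names.
ENTRA_GROUPS = {
    "grp-pmo": {"ana@contoso.example", "raj@contoso.example", "li@contoso.example"},
    "grp-execs": {"sam@contoso.example"},
    "grp-contractors": {"kim@contoso.example"},
}

# Constructed export: Dataverse Teams, the group each is linked to, its roles,
# and the users currently listed as team members.
DATAVERSE_TEAMS = [
    {"name": "PMO", "group_id": "grp-pmo", "roles": ["Sample PM Role"],
     "members": {"ana@contoso.example", "zoe@contoso.example"}},
    {"name": "Execs", "group_id": "grp-execs", "roles": ["System Administrator"],
     "members": {"sam@contoso.example"}},
    {"name": "Contractors", "group_id": "grp-contractors", "roles": [],
     "members": set()},
    {"name": "Legacy", "group_id": "grp-deleted", "roles": ["Sample Viewer Role"],
     "members": {"old@contoso.example"}},
]

def review_team(team, groups):
    """Return (finding, detail) tuples for one group-linked team."""
    group_members = groups.get(team["group_id"])
    if group_members is None:
        return [("orphaned-link", team["group_id"])]  # linked group not found
    findings = []
    if not team["roles"]:
        findings.append(("no-roles", None))  # members would inherit no access
    for role in sorted(HIGH_PRIVILEGE_ROLES.intersection(team["roles"])):
        findings.append(("high-privilege-role", role))  # least-privilege check
    for user in sorted(team["members"] - group_members):
        findings.append(("not-in-group", user))  # group is the source of truth
    return findings

def pending_first_access(team, groups):
    """Group members not yet on the team: expected until their first access."""
    return sorted(groups.get(team["group_id"], set()) - team["members"])

if __name__ == "__main__":
    for team in DATAVERSE_TEAMS:
        print(team["name"], review_team(team, ENTRA_GROUPS),
              "pending:", pending_first_access(team, ENTRA_GROUPS))
```

Group members who are missing from the team are reported separately as pending rather than as findings, because users are only added to the Dataverse Team when they first access the environment.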


Altus Help Centre