Manage user access via linked Microsoft 365 groups

Altus supports managing user access using Microsoft 365 (M365) or Microsoft Entra ID groups, enabling administrators to assign access at a group level rather than per individual user.

This approach allows organisations to centrally manage access, aligning with existing organisational structures and simplifying onboarding and offboarding.

For more information on Altus security configuration, refer to:
https://docs.altus.pro/products/AltusPPM/Configuration/Security/index.html


Important: Platform & Permissions

This configuration is not managed within Altus directly.

It requires access to:

  • Microsoft 365 Admin Centre / Microsoft Entra ID
  • Power Platform Admin Centre

These tasks typically require:

  • Global Admin or User Admin (Microsoft 365 / Entra ID)
  • System Administrator (Power Platform)

How It Works

  • A Microsoft 365 or Entra ID group is created and maintained externally
  • The group is linked to a Dataverse Team in Power Platform
  • A Security Role is assigned to that team
  • All group members inherit the assigned permissions automatically

This means:

  • Access is managed by group membership, not individual assignment
  • Changes to membership automatically update access rights

Key Behaviour

  • Users are granted access when they access the environment
  • Membership updates dynamically add or remove access
  • One role can be applied to multiple users simultaneously

This supports scalable and consistent access management across the organisation.


How This Impacts Altus

In Altus, Microsoft 365 group-based access controls the following:

Access to:

  • Projects, programs, and portfolios
  • Work entities (Issues, Risks, Tasks, Deliverables)
  • Reporting and financial data

Governance through:

  • Team-based ownership
  • Consistent permission application
  • Alignment with organisational structure

Additional Reference

For detailed Microsoft guidance on managing group-based access in Power Platform, refer to:
https://learn.microsoft.com/en-us/power-platform/admin/manage-group-teams


Key Considerations

  • Group membership is managed outside Altus (in Microsoft 365 / Entra ID)
  • Users may need to access the environment before appearing in some views
  • Ensure appropriate security roles are assigned to the group team
  • Align groups with teams, functions, or governance models

Tips

  • Use groups instead of individual access assignments wherever possible
  • Follow the least privilege principle
  • Maintain clean and consistent group naming conventions
  • Regularly review group membership and assigned roles
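
The group, team and role chain described under How It Works, and the periodic review recommended in the tips above, can be modelled offline as in this added example (it is not Altus or Microsoft code). The data shapes, group ids, users and the role names other than System Administrator are constructed assumptions, not an export format of Dataverse or Microsoft Graph.

```python
# Constructed sample data: the dict shapes below are assumptions for this
# example, not an Altus, Dataverse or Microsoft Graph export format.
GROUPS = {  # M365 / Entra ID group id -> member user principal names
    "grp-pmo": {"ana@example.com", "raj@example.com"},
    "grp-finance": {"raj@example.com", "li@example.com"},
    "grp-contractors": {"sam@example.com"},
}
TEAMS = [  # Dataverse group teams: linked group id and assigned security roles
    {"team": "PMO", "group_id": "grp-pmo", "roles": ["Project Manager"]},
    {"team": "Finance", "group_id": "grp-finance", "roles": ["Finance Reader"]},
    {"team": "Contractors", "group_id": "grp-contractors", "roles": []},
    {"team": "Platform Admins", "group_id": "grp-admins",
     "roles": ["System Administrator"]},
]
HIGH_PRIVILEGE = {"System Administrator"}  # roles that warrant extra scrutiny


def effective_roles(teams, groups):
    """Map each user to the roles inherited through group-team membership."""
    access = {}
    for team in teams:
        for user in groups.get(team["group_id"], ()):
            access.setdefault(user, set()).update(team["roles"])
    return access


def review_findings(teams, groups):
    """Return (team, issue) pairs that a periodic access review should check."""
    findings = []
    for team in teams:
        if team["group_id"] not in groups:
            findings.append((team["team"], "linked group not found"))
        if not team["roles"]:
            findings.append((team["team"], "no security role assigned"))
        if HIGH_PRIVILEGE & set(team["roles"]):
            findings.append((team["team"], "high-privilege role granted by group"))
    return findings


if __name__ == "__main__":
    for user, roles in sorted(effective_roles(TEAMS, GROUPS).items()):
        print(user, sorted(roles))
    for team, issue in review_findings(TEAMS, GROUPS):
        print("REVIEW:", team, "-", issue)
```

A user who belongs to several linked groups holds the union of the roles on those teams, so least privilege has to be judged per user as well as per group.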

