Dataverse Security Explained: Business Units, Teams, Roles & Ownership

1. Dataverse Table Ownership (Organization vs User/Team)

Organization-Owned Table:

  • Records do NOT have individual owners.
  • Only None or Organization permission levels are allowed.
  • Used for: Configuration tables, global reference data.

User/Team-Owned Table:

  • Records are owned by users OR teams.
  • Allows scopes: None, User, Business Unit, Parent:Child BU, Organization.
  • Used for: Operational data (Projects, Cases, Accounts).

2. Business Unit vs Team (They Are Not Same)

Business Unit:

  • Defines security boundary and data visibility.
  • Every user belongs to exactly one BU.
  • Cannot own records.

Team:

  • A group inside a Business Unit.
  • Can own records (Owner Team).
  • You can add/remove members.
  • Roles assigned to Teams apply only to Team members.

3. Default Business Unit Team (Auto-created Team)

This team is automatically created when a Business Unit is created.

  • Has the same name as the Business Unit.
  • You cannot add/remove members manually.
  • Members appear automatically = All users in that BU.
  • Used for BU-wide security inheritance.
  • Not meant for record ownership or sharing.

4. Normal Team (Owner Team)

This is the Team you create manually.

  • Must select a Business Unit while creating.
  • You can add/remove members normally.
  • Can own records.
  • Can have Security Roles assigned.

Roles assigned here apply ONLY to team members.

5. Why Team Must Be Linked to a Business Unit

  • Team's security scope depends on its BU.
  • Record ownership uses team's BU.
  • Permissions (User/BU/Parent-Child) must be calculated based on BU hierarchy.
  • Team roles must match Business Unit security context.

6. Role Assignment: Team vs Business Unit

When you assign a security role to a Team:

  • Only Team Members get the permissions.
  • Other BU users do NOT get the role.

When you assign a security role to the Business Unit's Default Team:

  • ALL users in the Business Unit get the role automatically.
  • Default Team acts as a security propagation layer.

7. Assigning a Record to Another Business Unit

  1. You cannot assign a record directly to a Business Unit.
  2. You must create an Owner Team inside that BU.
  3. The Team must have correct security roles: Read + Write + Assign.
  4. Record ownership changes to that Team, and BU updates automatically.

8. Assigning Security Roles to a Business Unit (How It Actually Works)

You cannot assign a security role directly to a Business Unit.

Instead, Dataverse creates a hidden mechanism called:

✔ Default Business Unit Team

  • This team has the same name as the Business Unit.
  • You cannot manually add or remove members from it.
  • All users belonging to the Business Unit appear automatically as members.
  • When you assign a role to this Default Team → all BU users get the role.

Summary:

  • Role assigned to Default BU Team → ALL BU users get the role.
  • Role assigned to a custom team → ONLY team members get the role.
  • Default team = BU-wide role propagation mechanism.

9. Does Adding a User to a Team in Another Business Unit Give Record Access?

Short Answer: NO - Not automatically.

The user can see records from another BU ONLY IF the team they joined has the required security role permissions.

Team membership ALONE does not grant access.

✔ When the user CAN see the record

  • The team they joined has Read permission for that table.
  • The team has Write/Assign permission (if needed).
  • The team is the owner of that record and the user is a team member.

When the user CANNOT see the record

  • The team has no roles or insufficient permissions.
  • User is added to the correct team but the table is organization-owned with no team rights.
  • The team is an Access Team with no privileges assigned.

✔ Final Rule

Team membership + Team's assigned roles = Final access

A user from any BU can access records in another BU through:

  • Team roles (Read/Write/Assign)
  • Team-based ownership of the record

Dataverse Security Scenario - Business Unit Mismatch & Read Privilege Failure

🟢 Scenario Setup

  • Security Role: "Security"
  • Table: User Owned (sun_userowned)
  • Team: Test Security (Owner Team)
  • Team Business Unit: BU2
  • User Business Unit: BU1
  • Role Privileges for Table:
    • Create = Organization
    • Read = Business Unit
    • Other permissions = Business Unit
  • BU1 doesn't have any permission or security role assigned..
    The user who belong to BU1 also is part of Test Security Team.

🔴 The Issue

The user in BU1 encounters the error:
“Missing prvReadsun_userowned privilege. Read Privilege Check For Owner failed.”

This happens because Read = Business Unit only gives access to records within the same Business Unit. Since the user is in BU1 and the record or team is in BU2, the user cannot read the record. Dataverse does not allow a role to grant privileges for multiple specific BUs.

🔎 Why the Error Occurs

  • The user is in BU1.
  • The team is in BU2.
  • Read privilege is scoped to Business Unit.
  • BU-level privileges only apply to the user’s own BU, not other BUs.
  • Therefore, the Read privilege check for records in BU2 fails.

🟡 Incorrect Assumption

Assigning the "Security" role to a user in BU1 does not allow them to read records from BU2. Adding Create privilege also does not fix Read privilege issues because Create and Read are independent privileges.

🟢 How to Resolve the Issue

  • Option 1 (Recommended): Change Read = Organization for the table in the Security role.
    This allows users to read records across all BUs.
  • Option 2: Move the user from BU1 to BU2.
    Now Read = Business Unit works correctly because the user and team/records belong to the same BU.
  • Option 3: Ensure records are owned by a BU1 team.
    If record owners are in BU1, BU1 users can read them with BU-level privileges.

Microsoft 365 Group Roles vs Dataverse Team Types

🟢 Microsoft 365 / Microsoft Entra ID Group Roles

When you create a Microsoft 365 Group or Microsoft Teams group, the group contains three types of members:

  • Owners – Manage the group, add/remove users, control settings.
  • Members – Regular internal users who can collaborate.
  • Guests – External users with limited permissions.

When this group is used in Dataverse, all three roles (Owners, Members, Guests) become team members inside the mapped Dataverse Team.

🔵 Dataverse Team Types

Dataverse supports different team types, each behaving differently:

  • Owner Team – Can own records and have security roles assigned. Members inherit the team's roles. Team belongs to a Business Unit.
  • Access Team – Cannot own records. Only used for sharing specific records. No security roles assigned.
  • Azure AD Group Team – Created by mapping a Microsoft 365 or Entra ID Group to Dataverse. Functions like an Owner Team but membership is automatically synced.

🟣 How Microsoft 365 Group Members Map to Dataverse Team Members

  • Owner (M365) → Member in Dataverse Team
  • Member (M365) → Member in Dataverse Team
  • Guest (M365) → Member in Dataverse Team (limited Dataverse access)

Dataverse does not differentiate between Owners, Members, and Guests. All become simply team members in the Dataverse Azure AD Group Team.

🟠 Business Unit and Privilege Behavior (Important)

Azure AD Group Teams behave exactly like Owner Teams:

  • Team belongs to a Business Unit (BU).
  • The security roles assigned to the team determine what members can do.
  • If the team has Read = Business Unit, members can access records:
    • Owned by the team, and
    • Inside that team's Business Unit

🟡 Example

Team: Test Security (Azure AD Group Team, Owner Type) – BU2
User: Belongs to BU1
Record Owner: BU2 Owner Team
Privileges: Read = Business Unit

  • BU1 user is added as Member to Microsoft 365 Group.
  • Group is mapped as an Azure AD Group Team in Dataverse.
  • Dataverse treats them as a team member of the BU2 team.
  • User inherits BU2 team's security roles.

Result: BU1 user can access BU2 team-owned records.

Limitation: BU1 user cannot access BU2 user-owned records unless Read privilege is at Organization level.

Comments

Post a Comment

Popular posts from this blog

Part 1: Creating Code Apps in Power Apps - A step-by-step guide (with real errors I faced & how I fixed them)

Image
Intro In this post I’ll walk you through how I set up a code-based app for Power Apps (React/Vite front-end + Power Platform CLI for packaging/deployment), the exact errors I ran into, and how I solved them. If you want a hands-on, copy-paste able guide that covers Node versions, pac auth, environment issues, and packaging tips, this is for you. Prerequisites Microsoft 365 account with access to a Power Platform environment Node.js ( 20.19+  recommended LTS) VS Code Install power platform tools extension in VS Code. Steps: Step 1 : Open Visual Studio Code and launch the integrated terminal. Step 2: In the terminal, run the following commands one by one.   mkdir D:\CodeApps - Force cd D:\CodeApps npm create vite @latest myfirstapp -- -- template react - ts cd D:\CodeApps\myfirstapp npm install Initially, I ran the command: npm create vite@latest MyFirstApp -- --template react-ts This gave the error: Invalid package.json name The issue was caused because package...
Read more

Calling Microsoft Graph API from Power Automate Using Azure App Services – Step-by-Step Guide

Image
Step 1: You should have an Azure subscription, or if you have access to the Microsoft Entra Admin Center, you can create an app from there. This app can then be used in Power Automate to connect to Microsoft Graph API. Step 2: Click on "New registration" , provide a name for your app, assign the required API permissions (such as Microsoft Graph permissions), and then click "Register" to complete the app registration process. Step 3: After registration, you'll be redirected to the app's overview page. From there, navigate to the API permissions tab and click "Add a permission" to assign the necessary Microsoft Graph API permissions. Step 4: Select Microsoft Graph as the API, and based on your requirements, choose the appropriate permissions. In my case, I selected Application permissions , which do not require user sign-in and are suitable for background services or automation. Step 5: Select the required Microsoft Graph API permissions. Yo...
Read more

Step-by-Step Guide: Power Automate Custom Connector Using Graph API from Azure App Service

Image
Step 1: Open Power Automate, navigate to the Custom Connectors tab, and select Create from blank as shown in the image below. custom connector(click image for better resolution) Step 2: In the General tab, upload an icon (less than 1MB), add a description, select the correct scheme (in my case, HTTPS ), and provide the host name. For example, if your API URL is https://graph.microsoft.com/v1.0/users/{email} , the host name will be the highlighted part — graph.microsoft.com . Step 3: Go to the Security tab. Here, you need to select the authentication method. Choose OAuth 2.0 as the authentication type, as shown in the image below. Step 4: Select the Identity Provider as Azure Active Directory . Check the box Enable Service Principal Support . This option allows you to create a connection using a Client ID and Client Secret instead of using the user's own authentication. Next, provide the Client ID , Client Secret , Tenant ID , and other required details as shown in t...
Read more