Copilot-Studio-with-Azure-AI-Search
[Feature] Accept Entra User or Security Groups as Input
Description
Right now, the solution requires a list input of individual Entra object IDs to specify which users to add to the Power Platform environment and the Power Platform connections, and it then uses the `powerplatform_user` resource to set up the user(s). This parameterized list approach is somewhat redundant given that Entra already provides a mechanism to define user groups in user and security groups. Power Platform exposes an Entra security group parameter for access control in the environment settings; we should consider using this mechanism to set up environment access rather than the user-by-user setup we're doing now. Not only does it reduce the redundancy; for minimum access, we wouldn't have to set up security roles, as users in the environment security group are automatically initialized as basic users when they first log in.
User Story
AS A user of this solution I WANT a way to use my existing Entra security groups to configure Power Platform access SO THAT I'm not burdened with maintaining two separate user lists in this solution as well as Entra itself.
Definition of Done
- A user of this architecture can specify EITHER individual users OR Entra security groups and achieve expected Power Platform environment access at the end of the deployment.
Values Provided
Reduces maintenance overhead for users by removing the requirement for redundant user group definitions.
Additional Information
No response
So you are saying that we should require the user to pass Entra groups? You would still need to assign roles. Just adding them to the environment security group does not give them the permissions that they need. But you could also grant those roles through Entra-linked "teams" in Dataverse.