Tip #1268: Restrict CDS instance creation

With P2 licensing, can you control who can spin up a CDS instance via Azure Active Directory since each license comes with 2 CDS instances? (we don’t want hundreds of CDS instances cluttering up our tenant)

The question from an enterprise business size UG member, generously relayed to us by Jerry “Forever Tipster” Weinstock

Via set-TenantSettings example towards end of the post

David F Yack


How to govern environment creation

Download and install the admin powershell cmdlets as described here. Read more about our cmdlets here.

$settings = @{ DisableEnvironmentCreationByNonAdminUsers = $true }
Set-TenantSettings $settings

Note for PowerApps/Flow customers – If you use the new flag to restrict the environment creation, only tenant admin will have the ability to create new environments.

Personally, I like the suggestion that the default should be Opt-in not Opt-out. Or, as one of the commentators put it succinctly:

How quickly can I change that setting to false

Cover photo by unsplash-logoAlice Achterhof

Tip #1267: Do PowerApps work with Dynamics 365 on premise?

The answer is “it depends.”

It depends on how you define “works with.”

There is no PowerApps connector for D365 on Premise. There is a SQL Server connector, and this connector can connect to on premises SQL databases. This includes the D365 on premise SQL database. So you can make an app that reads directly from your on premise CRM database, but this connector cannot update or create records in a supported manner. And as you long time tip of the day readers know, we don’t recommend doing unsupported stuffunless George says it’s ok.Another issue with this approach is it is likely to be slow–it’s very difficult to get good performance reading from on premises systems from the cloud, and you have to open up external access to your SQL server. Just don’t do this.

The second option is to integrate your on premise environment with the CDS–in effect setting up a hybrid environment where you have a copy of your configuration in the cloud as well as your on premise CRM, and create a bi-directional integration to synchronize data changes between the two environments. This is probably the best option as it would recognize your existing security and record ownership and provide full CRUD capabilities. But this option also carries some potential overhead–you will need to reflect configuration changes in both (at least for the entities that are included in your PowerApps), and there will be potential delay for record changes to synchronize between the two — If salesperson 1 updates a contact phone number in D365 on premise and contact 2 saves the contact on her PowerApp, this could lead to some interesting data conflicts. There will also be licensing implications — your users will need to have at least a P1 license in the cloud to be able to use PowerApps that use the Common Data Service

A third option is to synchronize your on premise CRM data with another type of cloud storage — could be an Azure data warehouse, SQL database, data lake, or any number of other places. These are viable connections for your PowerApp. The problem (like # 1) is with creates, edits, and deletes, as well as reads if security restrictions in D365 on premise need to be honored. If I want a Power BI dashboard or PowerApp that simply display any record from my CRM on premise system, I can replicate the on premise data to Azure and go to town. However, if users create or modify records from the PowerApp or need to be restricted in viewing records following the same logic that CRM on premise security roles dictate, this is not a great option, and you may inadvertently open the proverbial barn door.

My recommendation

Don’t do this. Go all the way to the cloud, not part way. Your Power Platform experience will always be more satisfying if you are using Common Data Service and Dynamics 365.

But wait, you say, we have a bunch of reports and system integrations that we can’t quickly upgrade, yet we want to give our users the value of the Power Platform now. I get that and totally understand that if you have been developing on CRM on premise for years, it takes a while to get some of those components cloud ready.

Maybe you should take option 2 and flip it on its head–instead of making the assumption that all of the users will keep using D365 on premise, what if all the users moved to the cloud, yet you kept D365 on Premise around short term for reporting purposes? That way the users could start benefiting from the cloud and directly connected PowerApps and Flows now, but keep on premise around as a read only replicated reporting environment (while you work to move those reports and integrations to a cloud ready approach (like PowerBI). This would minimize the overhead of the approach, as the majority of the users would simply access D365 online.


Avoid this if at all possible — go all the way to the cloud. If, for some reason, you need to do this short term, I recommend that you replicate your on premise data with the Common Data Service to enforce appropriate security and make your future cloud migration easier.

Cover photo by unsplash-logoElias Schupmann

Tip #1266: Sign out of Skype when forced to Teams

Anyone have any idea how to log out of Skype when your only option is to “Go to Teams”?

Daryl “Always Raising” LaBar

Why would you need to do that? This is my story. I had two Skype accounts: one from my company and another one from, uhm, a partner. I was signed into Skype as my own account and, after we got upgraded to Teams, I would face “Great news – go to Teams” message every time I start Skype. Didn’t give it a second thought. Until, one day, I received an invitation from the partner to join a Skype call and I had to do that using my partner login. So I needed to sign out of Skype which was not possible because it would kick me straight over to Teams. Which is exactly what Daryl was facing.

Oh man, I wish I could remember exactly the magic combo I used to accomplish that (Skype stuck on the team account and I needed the other one). I used the command line switches plus temporarily blocking sign in url (like disconnect your network adapter).

The Enabler

Go to airplane mode, and when it says trying to sign in, you can cancel


Moral of the story: when everything is going down the drain, pretend you are offline.

Cover photo by unsplash-logoPeter Pryharski

Tip #1265: Dynamics 365 for Marketing prevents solution imports

Some Dynamics 365 administrators have found that installing Dynamics 365 for Marketing in their dev environment prevents them from moving their configuration changes to production.

Trigger warning–licensing talk ahead (but trust me, it will be worth it)

To understand why this is, you first have to understand how the marketing solution is licensed. Unlike almost every other Microsoft solution, D365 for marketing is licensed by the environment, not by user.

D365 for marketing is priced based on the number of contacts included in marketing activities over a 12 month period in an environment. This makes the pricing scale based on the amount of marketing that you do (and is very similar to other marketing automation providers), and each environment needs to be licensed for Marketing.

The problem comes when trying to move solutions if the Marketing app is not provisioned in the target environment. Dynamics 365 for Marketing adds dependencies to the appointment and user entities, so you will not be able to move these entities in an unmanaged solution from an environment with D365 for Marketing to an environment without D365 for Marketing.

See the official documentation for how Marketing apps are added.

But wait–we have marketing included in our license

You may have received a free marketing app with your Dynamics 365 Customer Engagement license–congratulations. Just understand that this doesn’t mean you have a license for all instances. When you provision that instance, if you choose to put it in your dev environment, you will also need to license it for production.

See the FAQ about the “free instance.”


If  you receive the “free” marketing app but you aren’t 100% sure if you are going to use D365 for Marketing in production, don’t provision the free app against your primary development or UAT environments–you can now have as many CDS/D365 environments as you want, so if you just want to stick your toe in the marketing pool before you are fully committed to it, spin up a new environment and install your free app there. That will avoid creating unwanted dependencies.

By setting up a separate dev sandbox for marketing and not installing marketing in your core dev environments, you will avoid adding dependencies for Marketing to your core configuration.

Finally, if you find yourself with configuration dependencies because Marketing is installed in dev and not in downstream environments, you will need to manually remove the lookup fields and navigation links from the entities with dependencies before you can move your solutions. Alternatively, moving your configuration changes in a managed solution may work (but then you need to be prepared for the ramifications of managed solutions).

Cover photo by unsplash-logomarc liu

Tip #1264: Subscribe to AD changes using Flow

My flowbies! I want to trigger a Flow based on someone being added to an Azure AD Group. This doesn’t appear to be possible currently, as the Azure AD connector has no triggers. Am I correct?

Andrew Bibby

Hold my beer

Microsoft Graph API contains the subscription feature where you can create subscriptions where a listener application receives notifications when the changes occur in the specified resource.

The process involves the following steps:

  1. Create the notification endpoint Flow
  2. Create an app in Azure AD
  3. Create a subscription

Let’s dig in.

Notification endpoint Flow

Creating a subscription requires a notification endpoint that must satisfy certain validation requirements, namely return a validationToken passed as a query parameter.

  1. Use HTTP request as a trigger. When the flow is saved, the trigger will contain a unique URL that we will need later.
  2. validationToken expression is triggerOutputs()?[‘queries’]?[‘validationToken’]. queries gives us access to the query string and then straight to the validationToken.
  3. When the token is passed as a query parameter, we are in the validation stage, actual notifications won’t have the parameter. So here we split our execution.
  4. We are asked to validate. As per requirements, return the token value in the plain text body. Flow takes care of all the required decoding.
  5. We are receiving a notification. For now we simply quickly return 202 response (Accepted). (If Microsoft Graph does not receive a 2xx code, it will retry the notification).

App in Azure AD

Creating app in Azure AD is very straightforward – just follow the documentation. Since we are subscribing to the group, we need to add Group.ReadAll permission for Graph API.

Subscriber Flow

I wish I could claim the technique of creating a subscription using Flow but the formidable John “Flow Ninja” Liu described the technique over a year ago :O. Just follow the steps and you’ll be all set. For a change, I decided to use Postman.

The easiest way to deal with authentication is to create a collection and set all requests within the collection to inherit the authentication token.

You’ll find all of the parameters in the app properties in Azure AD. And yes, callback URL does not really matter here but it’s required.

Once Postman has a token, sending request to subscribe to groups changes is a breeze:

You need to use Flow URL from step 1 as a notificationUrl, and set expirationDateTime to something in the future but not too far (less than 3 days). Note that times are in UTC.


After adding a user to one of the groups in Azure AD, you’ll see two
(hopefully) successful runs for the notification Flow. First one is a validation run (you can drill into it and check the validation token that was passed in). Second one is the real McCoy containing the following data in HTTP request body:

    "changeType": "updated",
    "clientState": "MaSekreet",
    "resource": "Groups/deadbeef-dead-beef-dead-beef00000075",
    "resourceData": {
      "@odata.type": "#Microsoft.Graph.Group",
      "@odata.id": "Groups/deadbeef-dead-beef-dead-beef00000075",
      "id": "deadbeef-dead-beef-dead-beef00000076",
      "organizationId": "deadbeef-dead-beef-dead-beef00000077",
      "eventTime": "2019-05-07T11:08:15.4245258Z",
      "sequenceNumber": 636928240954245200,
      "members@delta": [
          "id": "deadbeef-dead-beef-dead-beef00000088"
    "subscriptionExpirationDateTime": "2019-05-07T15:37:48+00:00",
    "subscriptionId": "deadbeef-dead-beef-dead-beef00000069",
    "tenantId": "deadbeef-dead-beef-dead-beef00000096"
    "changeType": "updated",
    "clientState": "MaSekreet",
    "resource": "Groups/deadbeef-dead-beef-dead-beef00000075",
    "resourceData": {
      "@odata.type": "#Microsoft.Graph.Group",
      "@odata.id": "Groups/deadbeef-dead-beef-dead-beef00000075",
      "id": "deadbeef-dead-beef-dead-beef00000076",
      "organizationId": "deadbeef-dead-beef-dead-beef00000077",
      "eventTime": "2019-05-07T11:08:15.4245258Z",
      "sequenceNumber": 636928240954245200
    "subscriptionExpirationDateTime": "2019-05-07T15:37:48+00:00",
    "subscriptionId": "deadbeef-dead-beef-dead-beef00000069",
    "tenantId": "deadbeef-dead-beef-dead-beef00000096"

That’s a lot to digest but members@delta is the magic data that tells us that a user has been added to the group. I’ll save digesting this json for another day.

Here you go, Andy!

Cover photo by unsplash-logoLance Anderson

Tip #1263: Microsoft Flow and Azure outages

Most of you were probably impacted by a most recent Azure outage on May 2 (see https://azure.microsoft.com/en-au/status/history/).

Between 19:29 and 22:35 UTC on 02 May 2019, customers may have experienced connectivity issues with Microsoft cloud services including Azure, Microsoft 365, Dynamics 365 and Azure DevOps. Most services were recovered by 21:40 UTC with the remaining recovered by 22:35 UTC.

Azure status page writer

One of the questions that came up in the aftermath was what happens to the automated and recurrent flows that have either triggers or actions impacted by an outage? (thank you, Jerry, for asking).

I can’t think of a better person to answer this than Stephen Siciliano, a Principal PM Director for Microsoft Flow.

For flows we can divide the impact to triggers and actions. For triggers:

  • For automated flows that poll these flows would have failed to start new runs during the interruption. However, the way that polling triggers work is they check for new data every-so-often, this means they automatically “heal” when the system is healthy — they would simply process all of the events in the window since they last successfully ran, albeit significantly delayed. For webhook triggered automated flows, those events would have to be resent.
  • For instant flows triggers (e.g. flows manually started by users on-demand) they would have immediately received an error upon trying to trigger the flow. Each user will need to retry running the flow. Since the triggering itself failed, there is no way for an admin to ‘resubmit’ this failure.
  • For scheduled flow triggers, there may have been intervals that were skipped. These flows automatically resume upon the system healing.

For actions it would be possible for a flow to have failed in mid-execution if it had previously been triggered but the actions begin failing. Flow makers may want to Resubmit failed flow runs. A maker can see the failures across their flows by going to the Alerts icon at the top of the Flow portal and selecting the flows runs which failed (they don’t need to inspect each flow individually).

And for all nay-sayers out there I can’t think of a better way to express my attitude towards what happened in Azure:

Tip #1262: Dynamics 365 Mobile Offline: it’s baaaaack!

Remember me?

When Dynamics 365 v.8 was released, mobile offline was a big deal. But when we got to v9, the feature was turned off due to stability issues.

Well good news, it is now back. You can configure offline profiles from the classic/advanced settings area.

To use offline mobile, set the organization data download filters on the entity configuration

Then in settings, specify what records should be taken offline for the user–remember the way it works is the organization rules specify the pool of data to be available offline, and the user profiles determine what subset of that data the user gets.

One thing that is different from the original v8 release is the offline profiles are now tied to model driven apps. In the properties of the app (click on the app name in app designer) you can enable an app for mobile offline, then associate what profile should be associated with the model driven app. This way if users switch between multiple apps, they will have the data that they need for the selected app.

See the full documentation here:

Are you using the offline feature? Let us know how it is working.

Tip #1261: Get BAD & MAD in Hawaii

Is there a plan for new Masterclasses in 2019? These classes seem the way to go to be future proof and finetune our current methods.

From the email

Good news! We are opening BAD season straight after the Business Application Summit that takes place in Atlanta on June 10-11. At the summit you’ll hear about a lot of new things, but there won’t be any time to digest. That’s where Busines Application Developer (BAD) Masterclass picks up and breaks it all down for the developers and architects. And don’t just take our word for it.

Very much enjoyed. Two days full of knowledge, learning and excitement. Was a great experience to learn new things from such a great personalities.

– Anagha

Why Hawaii? It is literally half way between US & Australia, where we live. If you are coming to BAS all the way from Asia, Australia, or New Zealand, why wouldn’t you stop for couple days, recharge the batteries, and learn something new?

Wait, are you MAD?

We’ve been repeatedly asked not to let developers have all the fun. We listened. Introducing Managing Application Developers (MAD) Workshop.

Managing your business application developer team doesn’t have to be difficult. In this half-day workshop we’ll discuss communication strategy, common misunderstandings between business and technical teams and learn about leading your team with a good application lifecycle plan. Some of the planned discussion topics:

  • Can you fire all developers now?
  • What are your developers not telling you?
  • Make peace between developers and citizens

MAD Workshop runs in parallel with BAD Masterclass and is designed for team leaders, project managers, CTOs, CEOs, and all other people who are actually responsible for the teams, technology, and, ultimately, projects success.

While your developers are learning BAD, discover how to make the full use of that knowledge. Register your developers and get MAD for FREE!


Follow the links, read the agenda and register:

See you there!
Julie, David & George

Cover photo by unsplash-logoJohannes Hohls

Tip #1260: Use App Access Roles

If you use any of the new Microsoft solutions/apps for Field Service, Customer Service, PSA, or marketing, you will notice some new roles appear in your security role list that contain the works “app access.”

We’ve discussed all of the reasons that model-driven apps may not work correctly for users. The most common reason is that the user doesn’t have a security role with access to the model-driven app.

While you can grant any role to any app, this gets messy. If you give one of your primary roles access to an app, you are giving everybody with that role access to the app.

If you are going to deploy numerous apps, you will find yourself in situations where you want to grant access to the app to selected people, and not everyone.

The beauty of the app access role design is it lets you easily control access to the app without modifying your primary security roles. You can simply add the Field Service app access role to any user to make the Field Service app show up in their app list, and you can remove that security role to make their access to the Field Service model-driven app disappear..

You also may want to follow this design pattern for your custom model-driven apps. Say you are deploying a bank teller app–simply create a blank role called Bank Teller app access, then only assign this role to the app (other than System Administrator and Configurator, which don’t count).

Then for every user for which you want enable access of the Bank Teller model-driven app, simply add this role.

***Note–remember that this grants access to the app, but does not give them access to dashboards and data components in the app.

Summary: Separate app access and data security for maximum flexibility.

Tip #1259: Can non-developers really create PowerApps?

I’m seeing a common reaction in the Power Platform community when wizards like Scott Durow post really cool PowerApp examples.

This is really cool, but I don’t think an average non technical consultant or user can create PowerApps.

Average Citizen

I get this reaction–there are some very long, complicated expressions and near code operations that you can use to make some amazing things happen with PowerApps. But there are also many apps that don’t require these advanced formulas.

Two words: think Excel. PowerApps grew out of Microsoft Office, and by design the formulas in PowerApps mirror the formulas in Excel. Like PowerApps, Excel has some simple formulas, but you can also build some long and complicated formulas like: “=IF((OR(E13=0,ISBLANK(E13))),IF((OR(H13=0,ISBLANK(H13))),IF((OR(K13=0,ISBLANK(K13))),IF((OR(N13=0,ISBLANK(N13))),IF((OR(Q13=0,ISBLANK(Q13))),IF((OR(T13=0,ISBLANK(T13))),IF((OR(W13=0,ISBLANK(W13))),IF((OR(Z13=0,ISBLANK(Z13))),IF((OR(AC13=0,ISBLANK(AC13))),IF((OR(AF13=0,ISBLANK(AF13))),IF((OR(AI13=0,ISBLANK(AI13))),IF((OR(AL13=0,ISBLANK(AL13))),”99″,”12″),”11″),”10″),”09″),”08″),”07″),”06″),”05″),”04″),”03″),”02″),”01″).”

So if you don’t know how to use formulas like patch yet, that doesn’t mean you can’t build PowerApps. Imagine our quote at the beginning of the post, instead substituting Excel:

I think that VBA macro is cool and everything, but I don’t think an average non-technical consultant or user can create Excel spreadsheets.

Said Nobody

In other words:

Use common sense (UCS)

George Doubinski

The user who doesn’t know how to create VBA macros would never try to use that feature of Excel, but would still use Excel to create simple spreadhseets. Likewise the user or consultant who doesn’t know how to use advanced functions in PowerApps can create basic PowerApps, use galleries, use templates, and be productive with PowerApps.

My advice:

  • Don’t let the fact that you don’t know how to use advanced PowerApps formulas scare you from using the platform. You can do some amazing things without touching the more advanced formulas.
  • Build on your knowledge once you get comfortable with the basics–find one formula with which you may not be comfortable, learn how it works, and add to your bag of tricks. If you add one formula every week or two, before long you will go from a basic PowerApps maker to an advanced PowerApps maker.
  • Make friends with more advanced PowerApps makers and get their feedback if there is anything that more advanced formulas could add to make your app more performant. Get comfortable with delegation and how it may impact your app.
  • If you are an advanced PowerApps maker, don’t be a snob. Remember that none of us were experts 2 years ago, share your knowledge with others. Also, don’t feel you have to overcomplicate every app you build–even if you know advanced wizardry, sometimes something more simple can be better. Use the right tool for the job.

Cover photo by unsplash-logoDavid Armstrong