Deployment to sandbox and production Dataverse environments became available for Project for the web in early 2021. Prior to that it was only possible to install P4W in a tenant’s default environment. While the possibility to install P4W in a sandbox or a production environment is a great win for ALM, there are some caveats to keep in mind:
- When P4W is installed in a sandbox or a production environment, it’s not possible to create new projects in those environments from Project Home.
- Opening a project that resides in a sandbox or a production environment from Project Home opens the project in Project for the web’s model-driven app.
- Creating a new project from Project Home will create the project in the default environment. Consider turning P4W off in your default environment for your organization if P4W is used in a production Dataverse environment.
- Certain Office 365 licenses allow users to read data in P4W. When P4W is installed in a sandbox or a production environment, users with an Office 365 license can open the P4W model-driven app and access data. There is no technical enforcement in Office 365 licenses to prevent users from creating, updating or deleting records when using the P4W model-driven app. You have to tell them not to create, update or delete (CUD) data or come up with your own technical enforcement. For more information on what users can and can’t do, see the Microsoft Project service description.
- The Project for the web Teams app won’t allow adding projects that reside in non-default environments. A shout-out to Antonio Berra for pointing this out!
Installing P4W to a sandbox or a production environment
To install P4W to a sandbox or production environment, create a new environment without Dynamics 365 apps in PPAC. Project for the web can’t be installed in a Dynamics 365 environment. When the environment is ready, install the Microsoft Project Service Core solution. In my tenant the solution was displayed twice but installing one or the other yielded the same results.
Syncing users to a new Dataverse environment
When P4W is installed to a new environment, users need to be given security roles in Dataverse so that they can access P4W. While users who are assigned a Dynamics 365 license are automatically synced to a Dynamics 365 Dataverse environment (assuming security groups are not used), users with an Office 365 license or a Project Plan 1/3/5 license are not automatically synced. I waited overnight for a user with a P3 license to get synced but that never happened. There are two ways to get a user record created in the SystemUser table.
Add a user manually from PPAC
A user can be manually added to an environment from PPAC as long as the following criteria are met:
- User is enabled in Azure Active Directory.
- User has an active license.
- User is a member of the environment’s security group.
Adding several users manually is a fairly time-consuming process. This approach works when there are no more than a few users that need to be added to an environment.
Add users with Power Automate
Fellow MVP Yash Agarwal wrote about syncing users while I was working on this blog post so kudos to Yash as the original author of this approach. The idea is simple: Use a Power Platform for Admins connector to force the sync of users to an environment. But which users should be synced?
My thinking is that every Dataverse environment should have a security group. This simplifies administration and makes environments more secure. When a user is added to a security group, they can easily be synced to an environment. All of this can be achieved with a simple on-demand cloud flow.
The first step is to create a new security group in Azure AD. Users in this group are allowed access to the Dataverse environment that was created in the previous steps. This blog post doesn’t cover assigning licenses or security roles. There’s a lot that can be done around both of those topics with security and M365 groups.
The next step is to add the security group to the environment from PPAC.
A simple on-demand flow can be used to sync users to the environment. To fire off the flow, type in the Object ID of the AAD security group. The flow loops through all group members and forces sync to the environment. It doesn’t matter if a user already has a row in the SystemUser table. After the flow has run, synced users can immediately be seen in the Dataverse environment.
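The same group-driven sync as a PowerShell script, an added example that is not from this post or from Yash's flow. It assumes the Microsoft.Graph and Microsoft.PowerApps.Administration.PowerShell modules are installed, takes the group Object ID and the environment ID as parameters, and, as this example's own choice, applies the enabled-account and license criteria from the PPAC list above as a pre-check (treating any assigned license as "active").

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.PowerApps.Administration.PowerShell
param(
    [Parameter(Mandatory)] [string] $GroupObjectId,    # Object ID of the AAD security group
    [Parameter(Mandatory)] [string] $EnvironmentName   # environment ID (a GUID) of the target environment
)

# Sign in to Microsoft Graph with read-only scopes, then to the Power Platform admin API.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All' | Out-Null
Add-PowerAppsAccount | Out-Null

# Direct members only; keep user objects and skip nested groups, devices and service principals.
$members = Get-MgGroupMember -GroupId $GroupObjectId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($member in $members) {
    $user = Get-MgUser -UserId $member.Id -Property 'id,userPrincipalName,accountEnabled,assignedLicenses'

    # Assumption: mirror the PPAC criteria before syncing (enabled account, at least one license).
    if (-not $user.AccountEnabled) {
        $status = 'Skipped: account disabled'
    }
    elseif (@($user.AssignedLicenses).Count -eq 0) {
        $status = 'Skipped: no license assigned'
    }
    else {
        try {
            # Same operation the flow performs per member: force the user into SystemUser.
            Add-AdminPowerAppsSyncUser -EnvironmentName $EnvironmentName `
                -PrincipalObjectId $user.Id -ErrorAction Stop | Out-Null
            # The call returned without throwing; the response body is not inspected here.
            $status = 'Sync requested'
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{ User = $user.UserPrincipalName; ObjectId = $user.Id; Status = $status }
}

# One row per group member, so skipped and failed accounts are visible for follow-up.
$report | Sort-Object Status, User | Format-Table -AutoSize
```

Rows marked "Sync requested" still need a security role in Dataverse before the user can open P4W, and the resulting SystemUser rows are worth confirming in the environment.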