Overview

It is critical that this migration is completed before your system is upgraded to Version 25.3, as User Groups will be removed during the update.

As part of Microsoft Dynamics 365 Business Central’s 2024 Release Wave 2 (Version 25), Microsoft is deprecating User Groups in favor of Security Groups. This transition impacts Sparkrock 365 customers who currently use User Groups to manage permissions.

To ensure a seamless transition, Sparkrock has developed a migration tool to facilitate the migration from User Groups to Security Groups or Permission Sets. 

This article outlines the required steps to prepare for and complete this migration.

Key Takeaways

1. Microsoft is removing User Groups in Business Central Version 25.0. Therefore, action needs to be taken before Sparkrock 365 is updated to Version 25.3.
2. You have the option of migrating from User Groups to Security Groups or Permission Sets.

3. If you choose to migrate to Security Groups, Microsoft Administrators must create Entra Security Groups in the Microsoft Admin Center or Azure Portal before the migration tool can be used.

4. If you choose to migrate to Security Groups, Sparkrock 365 Administrators must create Security Groups in Sparkrock 365 and link them to the Entra Security Groups before the migration tool can be used.

5. Migration must be completed before the upgrade to Version 25.3, as User Groups will no longer exist post-upgrade. Users with un-migrated User Groups may not be able to log in and perform their work.

6. Only customers using User Groups with assigned Permission Sets are affected. If you assign permissions directly to users, no action is needed.

What Are Security Groups?

Security Groups offer the same ability to manage permission sets as User Groups, with the added advantage of working across all Microsoft 365 applications. This allows administrators to manage access across the entire Microsoft suite from a single location.

Read about Security Groups in Sparkrock 365 Help.

Security Groups vs. Permission Sets

As of Version 25.0 of Business Central, Microsoft is removing User Groups in favor of Security Groups, but you have the option of converting your User Groups to nested Permission Sets instead.

Which should you use: Security Groups or Permission Sets?

Security Groups

• There’s centralized user management. Security Groups are managed in Microsoft Entra, so IT admins can control user access centrally
• It’s more scalable, making it easier to manage a large number of users, even across multiple environments
• They’re consistent across Microsoft 365, so IT can control access across the whole suite.
• Permissions are automatic. When a user is added to a Security Group in Microsoft Entra, they’ll automatically have the correct permission sets in Sparkrock 365.
• Security Groups support Sparkrock 365 customizations such as Application Area Setups.

Some things to note about Security Groups:

• They a dependency on Microsoft Entra admins. Microsoft admins need to create Entra Security Groups, and need to assign users to them. 
• Security Groups aren’t as granular as User Groups. For example, you can’t create a company-specific Security Group like with User Groups and Permission sets.

Permission Sets

• Permission Sets are controlled completely within Business Central. There’s no need to have Microsoft admins create them or assign users, so changes may be able to be made more quickly.
• Users can be assigned Permission Sets for specific companies, just like User Groups.

Some things to note about Permission Sets:

• User management may be more complex. You need to assign Permission Sets to individual users, instead of managing them in groups.
• Not centralized, so permissions sets only impact Sparkrock 365, not other MS services.
• Permission Sets do not currently support Sparkrock 365 customizations such as Application Area Setups and report filters.

Choose Security Groups if you want centralized access control across multiple Microsoft 365 services and have an IT team managing user roles, and you need Sparkrock 365 customizations such as Application Area Setups.

Choose Permission Sets if you need fine-grained control within Sparkrock 365 and want Sparkrock 365 administrators to handle user permission management without relying on Microsoft Entra.

Migration Process

Step 1: If migrating to Security Groups: Create Security Groups in Microsoft Admin Center or Azure Portal

Before running the migration tool, a Microsoft Administrator must create Security Groups in the Microsoft Admin Center for each existing User Group that needs to be migrated.

Export Existing User Groups and Members

1. In Sparkrock 365, navigate to User Groups.

2. Export the list to Excel.

3. Export the members list separately.

4. Share the exported data with Microsoft Administrators to create corresponding Security Groups.

Set up Security Groups in Microsoft Admin Center

These instructions are for the Microsoft Admin Center. If you use the Azure or Entra portal, the steps will be similar.

1. Log in to Microsoft Admin Center.

2. Navigate to Teams & Groups > Active teams & groups

3. Create a new Security Group.

4. Assign users to the Security Group based on existing User Group memberships.

Step 2: If migrating to Security Groups: Set up Security Group in Sparkrock 365 and link it to the MS Entra Security Group

Once Security Groups are created on the Microsoft side, they need to be created in Sparkrock 365 and then linked to their corresponding Microsoft group.

Note: For the Sparkrock 365 migration tool to function optimally, the name of the new Security Group should match the name of the existing User Group.

1. Create new Security Group

   • In Sparkrock 365, navigate to Security Groups.

   • Select + New
     
     
     

2. Select the related MS Entra Security Group

   • Select the 3-dots button beside "Microsoft Entra security group"
     
     
     
     

   • Select the Security Group you'd like to create.

   • Select Create.

Step 3: Running the Sparkrock 365 Migration Tool

Use the Sparkrock 365 Migration Tool to transition from User Groups to Security Groups or Permission Sets.

1. Enable the Security Group Migration Feature:

• In Sparkrock 365, search for Feature Management.

• Locate Feature: Convert User Permissions.

• Set the feature to Enabled for All Users.
  
  
  

• Review the warning message and confirm your understanding.

2. Select Migration Option

• There will be two options:
  1. Convert User Group to Security Group
  2. Convert User Group to Permission Set
• Select the desired option
  

2a. Convert User Group to Security Group

• The migration tool will attempt to match existing User Groups with newly created Security Groups.
  
  
  

• If the system does not find an exact match, manually select the correct Security Group.

• Review the assignments, make necessary changes, and finalize the migration.

• Post-Migration Actions:
  
  
  

• User Group Permission Sets and Members will be migrated to the corresponding Security Groups.

• Sparkrock 365 custom enhancements (Application Area Setups, Report Filtering, etc.) will be carried over.

• User Groups will be permanently removed from Sparkrock 365.

• Users should retain their previous permissions through Security Groups.

2b. Convert User Group to Permission Set

• User Groups will be listed, and for each one, in the Action column there are two choices:
  
  

  Assign to user	Assign the permissions in user groups directly to the users who were assigned to the group, and remove their user group assignments.
  Convert to a permission set	Create a new permission for the permissions in each user group. The new permission set is assigned to all members of each user group.

  
  

• Convert to a permission set may be cleaner as you then have one permission set you can then assign to anyone going forward, instead of having to individually assign permissions.
• Select Next and then Finish.
  
  
• Post-Migration Actions:
  
  
  
• Existing User Group Permission Sets will be migrated either to nested or direct permission sets.
• User Groups will be removed from Sparkrock 365.
• Users will no longer have access to Sparkrock 365 customizations such as Application Area Setups and Report Filters, as those are currently only supported by Security Groups.

  
  

Action Items Recap

• If migrating to Security Groups: Microsoft Administrators  must create Security Groups in Microsoft Admin Center for each existing User Group.
• If migrating to Security Groups: Sparkrock 365 Administrators must create Security Groups in Sparkrock 365 and link them to the associated Entra security group.

• Run the Sparkrock 365 Migration Tool to transition User Groups to Security Groups or Permission Sets.

• Complete this process before upgrading to Version 25.3 to avoid losing permission assignments.

• Read the release notes for further details on this change.

• Contact Sparkrock Support or your Customer Success Manager if you need assistance.

Need Help?

If you need further guidance on this transition, contact Sparkrock 365 Support or consult your implementation consultant if you are in-project. Your Customer Success Manager can also provide additional support and consultation options.

Prepare ahead—ensure a smooth migration before the Version 25.3 upgrade!