One of the big guys emailed me not long ago with this plea, “Help me Paige Wan Kenobi, you're my only hope.” Well that wasn’t the exact message, I paraphrased. It was more “I need one of you CRM consultants to fix this”. The issue was that he could not enable a user he needed to use in one of our sandbox organizations. Every time he tried, he got “The user ID associated with the current record is not valid”. I had a little bit of time on my schedule so I moved the request onto my to do list.
The Troubleshooting Try
First, I tried what he had probably tried several times, clicking the Enable button. You know us troubleshooting types have to try it ourselves, after all, the user might not have been holding their mouth just right. Well, apparently blowing a raspberry at my computer wasn’t holding my mouth right either, clicking the Enable button just gave the error message. Next I verified the user was enabled and working in the production environment, worked fine there. Third thing I checked was verifying the user had a license, yes, user licensed. Then I remembered having an issue a while back where a user had been disabled in CRM, moved to a different domain in Active Directory and then could not be re-enabled in CRM. I knew we had had some domain changes in the recent past so I poked around a bit and saw the domain of the disabled user was the same every place I checked. Okay, to the great Google research library, and then let down, no helpful info! Well, it looked like I had no alternative but to call in the heavy hitter, Microsoft support.
The Contacting of Microsoft Support
Now do not misunderstand me, every time I have called Microsoft support I have gotten great service and in almost every case they have been able to help me solve my problem. But I, like most consultants, like to think I can figure it out with the right mix of search phrases and questions asked to fellow consultants. Well my new friend AR (not his real name) was able to help me within 30 minutes and was almost as happy as I was to have been able to help!
The Solution
Some Microsoft Dynamics CRM online organizations are lucky enough, under the right circumstances or with the right license, to have sandbox environments. These are managed in a pseudo-deployment manager area called the CRM Online Administration Center. Once these organizations are created, there are a few things that can be managed for each organization in the Edit section of the Center.
This includes Name, URL, Purpose, Type and… Security Group. These Security Groups are created and managed under Groups in the Office 365 Admin Center.
If you inadvertently, or without knowing what the heck you are doing, add one of these groups to one of the organizations, only users in THAT security group can be enabled in, and therefore get access to, that organization.
There are a few ways to remedy this situation.
- Remove the Security Group
- Add a different Security Group that is more inclusive or which has the users you need to have access to the organization in it
- Add the user to the Security Group that is currently being used
I do advise caution if you choose 3. Add user to the Security Group option. Odds are good that Security Group was created for other purposes and by an Office 365 admin. Adding that user account to a Security Group may give that user access to things in Office 365 other than a CRM organization to which that user should not have access. So please contact your Office 365 admin before modifying the group or for that matter removing or adding a different one. Actually maybe the Office 365 admin should be managing this. Just forward a link to this blog and she will handle it for you.
And this is where this story ends. After much consulting with one of the Office 365 admins, and the user who created the organization in the first place, the Security Group was removed from the sandbox organization, I was able to enable the user, the big guy was appreciative and I was the office hero. Cool.
For more information about this blog or C5 Insight, contact us here!