Managing Temporary User Access in Dataverse with Access Teams
Access Teams let you give people access to one specific record, not the whole table.
Access Teams in Microsoft Dataverse are a powerful way to provide temporary, record-level access to users without changing the ownership of the record or assigning full security roles. They are especially useful in scenarios where multiple users need to collaborate on a single record, such as cases, opportunities, or projects, for a limited period. Access Teams rely on Access Team Templates, which define specific permissions like read, write, append, append-to, assign, and share, applied only to the selected record. Internally, when a user is added to an Access Team, Dataverse creates entries in the PrincipalObjectAccess (POA) table, which tracks who can access which record and what level of access they have. This approach ensures precise, controlled access, reduces security risks, and allows dynamic collaboration without the complexity of assigning security roles or changing record ownership. Access Teams also support automation, enabling users to be added or removed based on record lifecycle events, making them ideal for approval workflows, case escalations, or temporary project collaboration. However, Access Teams should be used judiciously, as excessive use can cause POA table growth, impacting system performance, and they are not suitable for permanent access or ownership scenarios.
- Read
- Write
- Append
- Append To
- Delete
- Assign
- Share
- Create
- You create an Access Team Template
- Template defines:
- Entity (table)
- Permissions
- Access Team is automatically created per record
- Users added to the Access Team get row-level access
- Internally, Dataverse creates POA (PrincipalObjectAccess) entries
- Share a record they already have access to
- Grant access to other users or teams
- Control permissions like Read / Write / Append on that record
- Access Team Templates
- Predefined permission sets
- Automatic POA (PrincipalObjectAccess) entries
- Changing ownership
- Assigning roles
- If users decide → use Share permission
- If the system decides → use Access Teams
- Access Team Template is evaluated
- Dataverse creates POA entries
- Permissions are applied instantly
- Record ownership remains unchanged
- Related POA entries are deleted
- User immediately loses access
- No role or ownership change occurs
- Fast
- Secure
- Reversible
- Cannot own records
- No security roles
- No create or delete permissions
- Not suitable for long-term access
- POA table can grow if not cleaned up
- Not ideal for high-volume sharing
- Overusing Owner Teams can complicate ownership
- Overusing Access Teams can grow the POA table
- Choose based on business intent, not convenience
Published on:
Learn moreRelated posts
How to Record Snapshots for Teams Memberships
A lawyer asked if it is possible to take a snapshot of Teams memberships (people who were members at a certain point). This isn’t something th...
Microsoft 365 & Power Platform Community Call – July 2nd, 2026 – Screenshot Summary
Call Highlights SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...
Microsoft Copilot Studio – Get Microsoft 365 Copilot agent suggestions based on your work in Copilot Studio
We are announcing the ability to get Microsoft 365 Copilot agent suggestions based on your work in Copilot Studio. This feature will reach gen...
Remote Event Receivers in SharePoint Online will be retired
Remote Event Receivers in SharePoint Online will be retired by July 1, 2027. Azure ACS-registered RERs stopped working April 2, 2026. Organiza...
Microsoft 365 Copilot: Domain exclusion for web grounding
Microsoft 365 Copilot now offers Domain Exclusion, allowing admins to exclude up to 1,000 domains from web grounding to ensure responses align...
Viva Engage: New post creation experience
Viva Engage’s post creation experience will be updated by mid-August 2026 with a simpler, more intuitive layout, improved tool organization, a...
Viva Engage: Reducing reply notification volume on mobile
Viva Engage mobile app will reduce reply notification volume by only notifying users of direct involvement (starting conversations, direct rep...
The Misleading Remove External Chat from User View API in Teams
The Graph removeAllAccessForUser API is supposed to remove external chat messages from the view of a tenant user when the chat contains some o...
How to Set up a Dynamics 365 Integration with SharePoint
Quick Answer You can integrate Dynamics 365 with SharePoint using Microsoft’s native server-based integration in under 30 minutes. This integr...
OneDrive: Block screen capture for sensitivity-labeled PDFs in the OneDrive and SharePoint web viewer
The OneDrive and SharePoint web PDF viewer will block screenshots and screen capture in Microsoft Edge when users open PDFs whose sensitivity ...