POACleanupPlanner 1.2026.1.3

POA Cleanup Planner

POA Cleanup Planner is an XrmToolBox plugin for Microsoft Dataverse and Dynamics 365 administrators who need to understand principalobjectaccess (POA) growth before planning any cleanup activity.

The tool analyzes sampled or full POA data, highlights entity, principal, and record-level hotspot patterns, and produces advisory cleanup planning guidance. It is designed to help teams identify where access concentration exists, validate whether inherited access or direct sharing is expected, and prepare safer cleanup discussions before any remediation work is performed.

Cleanup guidance is advisory only. Always validate ownership, sharing model, access teams, business rules, and user access requirements before running any cleanup operation.

Features

• Analyze POA growth by entity and identify the largest contributors
• Review principal-level hotspots for users, teams, and unresolved principal references
• Review record-level hotspots where individual records have concentrated POA access
• Detect inherited access dominant, direct sharing dominant, and mixed access patterns
• Use configurable scan depth options:
  • Quick - 20,000 rows
  • Standard - 50,000 rows
  • Deep - 100,000 rows
  • Full - no row cap
  • Custom
• Apply deterministic POA paging order for more consistent capped scans
• Configure the number of top entities enriched with metadata
• Run analysis using the XrmToolBox asynchronous WorkAsync pattern for better host responsiveness
• Generate cleanup candidate groups based on inherited access concentration and mixed inherited/direct access patterns
• Estimate cleanup opportunity before any remediation work is performed
• Display summary notes, entity hotspots, principal hotspots, record hotspots, candidate analysis, impact estimates, baseline snapshot, export preview, and activity log
• Filter hotspot and planning grids by search text, risk, principal type, entity, candidate strength, candidate type, and confidence
• Open detail dialogs from grids by double-clicking rows or pressing Enter
• Copy selected row details, visible grid rows, text reports, and logs
• Export visible grid rows to CSV
• Export text reports for summary, baseline snapshot, export preview, and log content
• Include validation guidance and safety notes in detail views and exports

Key Benefits

• Helps administrators understand principalobjectaccess growth before cleanup work begins
• Highlights the entities, users, teams, and records contributing most to POA concentration
• Supports performance and storage review conversations for Dataverse and Dynamics 365 environments
• Provides evidence for inherited-access, direct-sharing, access-team, owner-team, and ownership-model reviews
• Helps identify where manual validation should happen before ResetInheritedAccess or other cleanup planning
• Provides baseline snapshots that can be saved before remediation work
• Supports stakeholder review through CSV and text exports

Main Sections

Summary

Shows high-level scan scope, enrichment quality, safety guidance, top entity hotspot, top principal hotspot, top record hotspot, top candidate group, safest starting scenario, and next review focus.

Entity Hotspots

Shows the entities contributing the highest POA row volume in the current scan scope.

This view includes POA row count, percent of scan, affected records, principal references, dominant principal type, access pattern, and risk.

Principal Hotspots

Shows users, teams, or unresolved principals with concentrated POA access across records and entities.

This view helps identify whether cleanup planning should begin with a user, team, owner team, access team, or security design review.

Record Hotspots

Shows individual records with the highest POA concentration.

This view helps administrators identify whether a small number of records are driving access growth or whether the issue is broader across an entity.

Candidate Analysis

Shows advisory cleanup candidate groups based on scan findings.

Candidates are grouped by entity and include the candidate scope, affected record count, estimated cleanup opportunity, candidate strength, reason, recommendation, safety note, and validation checklist.

Impact Estimate

Shows planning scenarios for estimated POA reduction.

The scenarios are advisory estimates only and should not be treated as direct cleanup instructions.

Baseline Snapshot

Shows a point-in-time summary of the scan, including connection name, scan scope, rows analyzed, entities represented, principal references counted, hotspot counts, candidate groups, estimated cleanup opportunity, retrieved pages, retrieval ordering, enrichment counts, and top observations.

Export Preview

Shows the full text export before saving output.

This helps validate what will be shared before generating a report.

Log

Shows the analysis timeline, selected scan depth, requested row cap, enrichment limit, retrieval counts, deterministic ordering status, enrichment status, and export actions.

Typical Use Cases

• Investigating large principalobjectaccess tables
• Reviewing inherited access growth
• Identifying high-volume direct sharing patterns
• Investigating users or teams with concentrated access grants
• Finding records with unusually high POA concentration
• Planning Dataverse security cleanup work
• Reviewing access-team, owner-team, and sharing-model design
• Supporting performance and storage optimization discussions
• Capturing baseline evidence before remediation
• Preparing controlled cleanup or ResetInheritedAccess planning

Requirements

• XrmToolBox
• Microsoft Dataverse or Dynamics 365 environment
• .NET Framework 4.8
• User access that can read principalobjectaccess data and related metadata needed for analysis

Safety Notes

POA Cleanup Planner does not perform cleanup operations. It analyzes and reports potential planning areas only.

Before running any cleanup outside this tool:

1. Confirm the entity is expected to use inherited access.
2. Validate whether access teams, owner teams, or direct sharing patterns are involved.
3. Confirm affected users still have required access through security roles, ownership, teams, or sharing design.
4. Test cleanup in a lower environment first.
5. Capture a before snapshot.
6. Run cleanup in controlled batches only after approval.
7. Capture an after snapshot and compare results.

Version History

Version 1.2026.1.3

• Added release-ready documentation and package metadata for the latest tested feature set
• Added configurable scan depth documentation for Quick, Standard, Deep, Full, and Custom scans
• Added deterministic POA paging and retrieval ordering details to documentation and release notes
• Documented entity, principal, and record-level hotspot analysis
• Documented detail dialogs, copy actions, visible-row CSV exports, text exports, baseline snapshots, and validation guidance
• Refined NuGet/XrmToolBox package metadata for Tool Library publishing

Version 1.2026.1.2

• Updated analysis execution to use the XrmToolBox WorkAsync pattern
• Improved host responsiveness during Dataverse retrieval and hotspot enrichment
• Preserved summary, hotspot, candidate, impact, baseline snapshot, export preview, and log workflows
• Refined package documentation for Tool Library resubmission

Version 1.2026.1.1

• Updated analysis execution to use the XrmToolBox asynchronous execution pattern
• Improved responsiveness during Dataverse retrieval and enrichment
• Preserved hotspot, candidate, impact, baseline snapshot, export preview, and log workflows
• Refined package metadata and Tool Library submission readiness

Version 1.2026.1.0

• Initial public release
• Added POA hotspot analysis
• Added cleanup candidate recommendations
• Added cleanup impact estimation
• Added CSV export support
• Added prioritization guidance for cleanup planning