If your PU group is pretty stable, you can assign profiles and resources en masse via the Power App...just select all the users you want to assign then use the Choose Action button to assign all selected users. I use the filters to find those who are NOT assigned a specific resource then select them all and assign the profile and resources all at once.

Unfortunately, the group has the potential to change frequently. I was hoping to avoid a situation where we are having to maintain the PU profile assignment manually bi-weekly or even weekly. 

How do you handle your user updates? CSV? data connection, etc.? Maybe you can do something there? I use the CSV import to add PU’s and assign them their role at the same time but not sure if this will allow access to a different domain without going into the PU profile to assign resources...it works great when the PU is in the branch they can manage...

We have a daily feed coming over from our HRIS. 

This got me thinking. Our field team would be in a different branch (and domain) than our partners. I actually went ahead and tested the configuration, and it seems like none of this is even possible. As a superadmin, I can impersonate users in different domains, but PUs cannot. PUs can impersonate users in the domains they are assigned to. Time to abandon this idea. Thanks for hearing me out @lrnlab! It seems like there is no efficient way to give our field team access to our partner domain.

What you just create a ‘sample’ account for each domain that the PU’s can share? If it’s just for demo purposes it should be safe…?? Too simple?

This would be ideal, however, our partners use single sign-on and multi-factor authentication, which makes it difficult to create and share demo accounts. Unless there is a way to bypass SSO, which sounds more like a security issue the more I think about it. 

Unless your SSO is configured at the root,, they should be able to login with that URL (not under their domain); You probably wont be able to enforce MFA though...