This is a follow-on from my previous post, Power Platform Environments Demystified. If you haven’t already done so, I recommend reading that article before this one.

In this post, I’ll cover the different ways an app can be shared with users. Apps can be shared individually with a user or shared collectively using a security group.

To share an app, security roles need to be assigned. This can be done at the time the app is shared, or the security roles can be pre-assigned to users or security groups. Pre-assigning security roles is useful because it removes the need to assign security roles at the time the app is shared.

Before we start, let’s quickly recap on security groups, as covered in the earlier article. A security group is simply a collection of users who require the same access to a resource. Security groups are created in the Entra Admin Center, can be used tenant-wide, and are not specific to a particular environment.

In the earlier article, the security groups I discussed were assigned to an environment. The purpose of applying a default security group to an environment is to restrict top-level access to the environment: all users have to be in the default environment security group to even access the environment. The security groups I’m covering in this article have a different purpose, which is to manage which users have access to individual Power Apps.

App Sharing

The first thing to say is that Admins can decide who is able to share apps. This may be the app maker. Alternatively, the app maker may be restricted to the development environment and not be given access to the test or production environments, in which case an environment or tenant Admin would perform this function.

There are good reasons why this may be beneficial. App Makers may assign inappropriate security roles to users or security groups, rather than creating a custom security role, either because it’s quicker/easier or because they don’t understand the individual security roles or how they work. This goes against the security principle of least privilege (PoLP).

I’ll explain later how security roles can be pre-assigned to a user or security group, removing the need for the sharer to specify security roles at all.

It’s also possible to give App Makers access to an environment to build apps but prevent them from sharing those apps, making sharing an Admin-only role too. I’ll cover how to do that in a future article.

1) Sharing an App with an Individual User

The easiest and probably the most common way to share an app is directly with a user and assign the required security roles during the sharing process.

The downside of this approach is that if an App Maker is responsible for sharing the app and assigning the security roles, then, as I mentioned earlier, nothing in Power Apps enforces the principle of least privilege.

The relationship is shown below. When the app is shared with a user, the user has one or more security roles assigned.

Relationship

2) Sharing an App with a Security Group

Sharing apps with a small number of individuals is fine, but once you get above a handful of users, it’s much better to share apps with a security group.

Sharing an app with a security group makes adding or removing user access straightforward, as it is as simple as adding or removing users from the security group. The capability to add or remove users from security groups is not usually given to App Makers; it is an Admin role performed in the Entra Admin Center.

This approach simplifies and streamlines the process and helps separate the role of building an app from the ongoing role of user management.

The same downside exists when sharing an app with a security group as when sharing with individual users: it is the app sharer’s responsibility to assign the security roles correctly.

The relationship is shown below. Similar to option 1, when the app is shared with a security group, the group has one or more security roles assigned. Note that the security group exists at the tenant level, not at the environment level, so it isn’t denoted as a table.

Security group and security role relationship

3) Assigning Security Roles to a Security Group Via a Dataverse Team

This is the approach I much prefer, as the security roles are pre-assigned by a tenant Power Platform Administrator, or by an Environment Maker/System Administrator of the environment, and not by the user who shares the app.

A team is created to connect with one or more security roles. A security group is also assigned to the team, and the members of the security group inherit the team’s security role privileges.

Think of a team as an intermediate table between the security group and the security roles – which is pretty much exactly what it is.

The other concept to get your head around is that there is no need to add users to the team. The users are only added to the security group. The team is simply the means to connect the security group to multiple security roles.

A final benefit is that with this method you get complete freedom to add any security role in the environment to the team. You can’t always do that when adding security roles while sharing an app, because Power Apps doesn’t always offer all the security roles: sometimes it only offers the roles it considers relevant based on its interpretation of the app’s data sources. When pre-assigning security roles with this approach, the app isn’t a consideration at all, so all the security roles in the environment are available for selection.

When a team is created, the team is positioned between the security group and the security roles.

structure between security group, team and security roles

Step by Step

If not done so already, create your security group in the Microsoft Entra Admin Center, and add members to the group.

In the Power Platform Admin Center, select the Environment > Settings > Teams.

screen shot of the environment settings screen

You will then see all the teams in the environment’s Dataverse Team table. This environment has only just been created, so there is just a single team.

screen print showing the list of existing teams

Clicking on ‘Create team’ at the top left of the screen allows us to create a new team. Complete the form, select ‘Microsoft Entra ID Security Group’ as the team type, and add your security group. Click on Next.

creating a new team

Add one or more security roles that you want assigned to the newly created team. Click Save.

screen shot assigning security roles

For this environment, all users who are members of the security group now have those security roles, for as long as they remain members of the group. If they are removed from the group, those security role privileges are rescinded.

An app can now be shared with the security group, without security roles needing to be assigned.

4) Assigning Security Roles to a User

It’s also possible to pre-assign security roles to users. This may be useful if the app only has one or two users.

Here the structure is the same as option 1. The only difference is that the user is pre-assigned security roles in the Power Platform Admin Center, and not when the app is shared.

Relationship between user and security roles

Step by Step

Ensure the user has been added to the default environment security group (if one is assigned) and that they have an appropriate license.

In the Power Platform Admin Center, select the Environment > Settings > Users.

screen shot showing how to access a user record

You will then see a list of all the users in the environment, with their enabled or disabled status.

Select ‘Manage security roles’ against a user.

Security roles can now be added or removed.

screen shot assigning security roles to a user

An app can now be shared with individual users, without further security roles needing to be assigned.

Additional Info

Some apps have different groups of users who need access to different functionality or data. Assigning security groups delivers this model: multiple security groups can be created, each with separate security roles assigned, and the app can then be shared with each group.

If security roles have been pre-assigned at the environment level, then when sharing an app with a user or security group these security roles are viewable but cannot be amended. However, bear in mind that it is still possible for the app sharer to assign additional security roles. It isn’t possible to grant the privilege to share an app without also granting the ability to assign security roles. Any security roles assigned to a user or security group when the app is shared can be removed afterwards in the Power Platform Admin Center.

Security role privileges are cumulative: an individual user has the union of all the roles directly assigned to them plus those assigned to the security groups of which they are members.
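The cumulative model above, together with the team-as-intermediate-table idea from option 3 and the point that a sharer can still add extra roles at share time, can be written down as a small resolver. The following is an added example, not code from the original post or from Microsoft; the users, groups, teams and role names are constructed, and the data structures are my own simplification of the relationships the post describes (Entra group membership, Dataverse teams linked to a group, direct role assignments). It computes each user’s effective roles and flags direct assignments that a pre-assigned team does not account for, which is the audit an Admin would run before removing share-time roles in the Power Platform Admin Center.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class EnvironmentModel:
    """Simplified model of one environment's access relationships (assumption:
    this mirrors the post's diagrams, not the real Dataverse schema)."""
    # Entra security group id -> member user ids (tenant-wide membership)
    group_members: Dict[str, Set[str]]
    # Dataverse team name -> (linked security group id, roles assigned to the team)
    teams: Dict[str, tuple]
    # roles directly on a user (pre-assigned in PPAC, or added at share time)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # roles given to a security group at share time (option 2)
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # app name -> principals it was shared with (user ids or group ids)
    app_shares: Dict[str, Set[str]] = field(default_factory=dict)
    # default environment security group, if one is applied (None = no gate)
    default_group: Optional[str] = None


def groups_of(env: EnvironmentModel, user: str) -> Set[str]:
    """Security groups the user belongs to. Users are never added to the team
    itself; membership flows from the group the team is linked to."""
    return {g for g, members in env.group_members.items() if user in members}


def team_roles_for(env: EnvironmentModel, user: str) -> Set[str]:
    """Roles inherited via Dataverse teams linked to the user's groups."""
    roles: Set[str] = set()
    mine = groups_of(env, user)
    for linked_group, team_roles in env.teams.values():
        if linked_group in mine:
            roles |= set(team_roles)
    return roles


def effective_roles(env: EnvironmentModel, user: str) -> Set[str]:
    """Cumulative roles: direct + share-time group roles + team-inherited."""
    roles = set(env.user_roles.get(user, set()))
    for g in groups_of(env, user):
        roles |= env.group_roles.get(g, set())
    return roles | team_roles_for(env, user)


def can_access_app(env: EnvironmentModel, app: str, user: str) -> bool:
    """Shared directly or via a group, and (if set) in the default env group."""
    if env.default_group and user not in env.group_members.get(env.default_group, set()):
        return False
    principals = env.app_shares.get(app, set())
    if user in principals:
        return True
    return bool(principals & groups_of(env, user))


def excess_direct_roles(env: EnvironmentModel, user: str) -> Set[str]:
    """Direct roles not explained by any team pre-assignment: candidates to
    review and remove in PPAC if a sharer added them at share time."""
    return set(env.user_roles.get(user, set())) - team_roles_for(env, user)


def build_sample() -> EnvironmentModel:
    """Constructed sample data: two groups, two teams, one app."""
    return EnvironmentModel(
        group_members={
            "grp-all-staff": {"alice", "bob", "carol"},
            "grp-sales": {"alice", "bob"},
            "grp-managers": {"bob"},
        },
        teams={
            "Sales Team": ("grp-sales", {"Sales User"}),
            "Manager Team": ("grp-managers", {"Sales Manager"}),
        },
        # bob was given System Administrator by the sharer; carol is pre-assigned
        user_roles={"bob": {"System Administrator"}, "carol": {"Basic User"}},
        app_shares={"Expense App": {"grp-sales", "carol"}},
        default_group="grp-all-staff",
    )


if __name__ == "__main__":
    env = build_sample()
    for u in ("alice", "bob", "carol", "dave"):
        print(u, can_access_app(env, "Expense App", u),
              sorted(effective_roles(env, u)), sorted(excess_direct_roles(env, u)))
```

Running it on the sample shows alice getting Sales User purely through the team, bob accumulating both team roles plus the System Administrator role a sharer added (flagged as excess), and dave being denied because he is outside the default environment group even though his group might be shared with later.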

As I mentioned earlier, it’s possible to prevent Makers from sharing apps altogether, and I’ll cover how to do this in the next post.
