Have you ever needed to give a super-user the ability to easily add or remove users of a Power App? Here’s how to do that from within an app without needing to directly access Azure Active Directory
Security Groups
Security groups are groups of users with specific access rights. They are created within Azure Active Directory (AAD) and exist at the tenant level. A tenant represents an organization
Security groups are an efficient way to grant users access to tenant resources such as Power Apps. For example, if you have 50 users needing access to 5 apps, rather than grant every user access to all 5 apps, if the 50 users are added to a security group and all 5 Power Apps are shared with that security group, they all have access. If a new user joins the organisation, or someone leaves, just add or remove them from the security group
Updating a Security Group from with a Canvas App
Security groups are usually updated using AAD and any changes are carried out by an Administrator. However, that can create delays making changes. Better to give a super-user the ability to make changes themselves. This could even be done within the same app on a screen that only the super-user has access to
In a Canvas App, a user can view all the security groups that they own in a tenant. For this reason, the super-user will need to be the owner of a security group to be able to make changes
Below I’ll explain how to create a simple one screen app to allow a super-user to add and remove members from all the security groups they own
Viewing Security Group Members
Create a Power App and add the Office365Groups connector
The Office365Groups connector returns a single record with a table of the Security Groups embedded in the ‘value’ column
Create a gallery with the Items property as below. This gallery will display all the security groups owned by the user. Name this gallery galSecurityGroup
Office365Groups.ListOwnedGroups().value
So that we can see which record has been selected, set the gallery’s TemplateFill property to:
If(ThisItem.IsSelected,LightGray,White)
Create a label in the gallery with the text value set to the following to display the name of the security group
ThisItem.displayName
A collection that contains the current members of the security group is required. This is because the gallery does not refresh automatically when a change is made and the Office365Group connector cannot be updated using the Refresh function. A collection that mirrors the security group members will get around this issue. Set the OnSelect property of the gallery to the following:
ClearCollect(colSecurityGroupMembers,
Office365Groups.ListGroupMembers(galSecurityGroup.Selected.id).value
)
To list the names of the members of a particular security group, create a second gallery called galGroupMembers with its Items property set to the collection we have just created:
colSecurityGroupMembers
Set the gallery’s TemplateFill property to:
If(ThisItem.IsSelected,LightGray,White)
Add a label within the gallery with the following Text property:
ThisItem.displayName
Now each time a security group is selected, the members are displayed in the second gallery
Add a Security Group Member
To add a security group member we need a list of current users. We have some options on how to do this
The simplest option is to add the Office365Users connector
Alternatively the Dataverse ‘AAD User’ table could be used. This table contains all the current users in AAD. Using Dataverse is useful if you want to reference existing information about the user not available from the connector or even add custom user columns to capture additional info
The separate Dataverse ‘Users’ table should not be used. This table contains all users who are currently licenced or who have held licences in the past. Additionally it contains a large number of system generated users
The Office365Users connector will be used here for simplicity
Add the Office365Users connector
Add another Gallery called galAADUsers with the following Items property:
Office365Users.SearchUser()
Add a label with the Text property of:
ThisItem.DisplayName
Set the gallery’s TemplateFill property to:
If(ThisItem.IsSelected,LightGray,White)
Add a button with the Text ‘Add’. Set the OnSelect property to:
Office365Groups.RemoveMemberFromGroup(galSecurityGroup.Selected.id,
galGroupMembers.Selected.userPrincipalName
);
ClearCollect(colSecurityGroupMembers,
Office365Groups.ListGroupMembers(galSecurityGroup.Selected.id).value
)
Selecting a security group together with a user and clicking the ‘Add’ button adds that user to the security group and the collection
The gallery galGroupMembers is updated accordingly
In a production app multi-select capability would be used so more than one user could be added
Remove a Security Group Member
Add a button with the Text ‘Remove’. Set the OnSelect property to:
Office365Groups.AddMemberToGroup(galSecurityGroup.Selected.id,
galAADUsers.Selected.'AAD user id'
);
ClearCollect(colSecurityGroupMembers,
Office365Groups.ListGroupMembers(galSecurityGroup.Selected.id).value
)
Selecting a Security Group together with a user and clicking the ‘Remove’ button removes that user from the group. Again, the gallery galGroupMembers is updated to show the change
The members of each security group can be viewed, added and removed as demonstrated below
Viewing Security Group Members
A user who is not a security group owner can still see the members of a security group
Each security group has a unique GUID which can be found within AAD or at https://account.activedirectory.windowsazure.com/r#/groups
To view the members of a security group, create a gallery with the Items property referencing the relevant GUID:
Office365Groups.ListGroupMembers("7b50a003-d28a-4eb0-9a52-15a59aee701f").value Add a label with the Text property of:
ThisItem.DisplayName
We could also find the records in the Dataverse ‘User’ table for the members of a particular security group by using the following formula:
Filter(
Users,
'Full Name' exactin Office365Groups.ListGroupMembers("7b50a003-d28a-4eb0-9a52-15a59aee701f").value.displayName
)
Summary
Users have to be created in AAD before they can be added to a security group. It’s not possible to create a user using a Power App
It’s only possible to add or remove members from security groups that the user owns. Security groups can have multiple owners. The security group owners don’t need to have any security roles assigned to them, ownership, or co-ownership of the security group is sufficient
Current users can be sourced from the Office365Users connector or from the ‘AAD User’ table in Dataverse
A user who is not a security group owner can still view the members of a security group, even if they are not in the group themselves
Updates to AAD can take a few second to action so an app that makes multiple rather than single changes would be preferable
Because security groups exist at the Tenant level, the Power App can reside on any of the environments in the tenant and will show the identical results
Finally, even if a user is added to a security group, they still need to have an appropriate licence to be able to use the Power App