Have you ever needed to give a super-user the ability to easily add or remove users of a Power App?  Here’s how to do that from within an app without needing to directly access Azure Active Directory

security groups

Security Groups

Security groups are groups of users with specific access rights.  They are created within Azure Active Directory (AAD) and exist at the tenant level.  A tenant represents an organization

Security groups are an efficient way to grant users access to tenant resources such as Power Apps.  For example, if you have 50 users needing access to 5 apps, rather than grant every user access to all 5 apps, if the 50 users are added to a security group and all 5 Power Apps are shared with that security group, they all have access.  If a new user joins the organisation, or someone leaves, just add or remove them from the security group

Updating a Security Group from with a Canvas App

Security groups are usually updated using AAD and any changes are carried out by an Administrator. However, that can create delays making changes.  Better to give a super-user the ability to make changes themselves.  This could even be done within the same app on a screen that only the super-user has access to

In a Canvas App, a user can view all the security groups that they own in a tenant.  For this reason, the super-user will need to be the owner of a security group to be able to make changes

Below I’ll explain how to create a simple one screen app to allow a super-user to add and remove members from all the security groups they own

Viewing Security Group Members

Create a Power App and add the Office365Groups connector

The Office365Groups connector returns a single record with a table of the Security Groups embedded in the ‘value’ column

Create a gallery with the Items property as below.  This gallery will display all the security groups owned by the user.  Name this gallery galSecurityGroup

Office365Groups.ListOwnedGroups().value

So that we can see which record has been selected, set the gallery’s TemplateFill property to:

If(ThisItem.IsSelected,LightGray,White)

Create a label in the gallery with the text value set to the following to display the name of the security group

ThisItem.displayName

A collection that contains the current members of the security group is required.  This is because the gallery does not refresh automatically when a change is made and the Office365Group connector cannot be updated using the Refresh function. A collection that mirrors the security group members will get around this issue.  Set the OnSelect property of the gallery to the following:

ClearCollect(colSecurityGroupMembers,
Office365Groups.ListGroupMembers(galSecurityGroup.Selected.id).value
)

To list the names of the members of a particular security group, create a second gallery called galGroupMembers with its Items property set to the collection we have just created:

colSecurityGroupMembers

Set the gallery’s TemplateFill property to:

If(ThisItem.IsSelected,LightGray,White)

Add a label within the gallery with the following Text property:

ThisItem.displayName

Now each time a security group is selected, the members are displayed in the second gallery

Add a Security Group Member

To add a security group member we need a list of current users.  We have some options on how to do this

The simplest option is to add the Office365Users connector

Alternatively the Dataverse ‘AAD User’ table could be used.  This table contains all the current users in AAD.  Using Dataverse is useful if you want to reference existing information about the user not available from the connector or even add custom user columns to capture additional info

The separate Dataverse ‘Users’ table should not be used.  This table contains all users who are currently licenced or who have held licences in the past.  Additionally it contains a large number of system generated users

The Office365Users connector will be used here for simplicity

Add the Office365Users connector

Add another Gallery called galAADUsers with the following Items property:

Office365Users.SearchUser()

Add a label with the Text property of:

ThisItem.DisplayName

Set the gallery’s TemplateFill property to:

If(ThisItem.IsSelected,LightGray,White)

Add a button with the Text ‘Add’.  Set the OnSelect property to:

Office365Groups.RemoveMemberFromGroup(galSecurityGroup.Selected.id,
galGroupMembers.Selected.userPrincipalName
);
ClearCollect(colSecurityGroupMembers,
Office365Groups.ListGroupMembers(galSecurityGroup.Selected.id).value
)

Selecting a security group together with a user and clicking the ‘Add’ button adds that user to the security group and the collection

The gallery galGroupMembers is updated accordingly

In a production app multi-select capability would be used so more than one user could be added

Remove a Security Group Member

Add a button with the Text ‘Remove’.  Set the OnSelect property to:

Office365Groups.AddMemberToGroup(galSecurityGroup.Selected.id,
galAADUsers.Selected.'AAD user id'
);
ClearCollect(colSecurityGroupMembers,
Office365Groups.ListGroupMembers(galSecurityGroup.Selected.id).value
)

Selecting a Security Group together with a user and clicking the ‘Remove’ button removes that user from the group.  Again, the gallery galGroupMembers is updated to show the change

The members of each security group can be viewed, added and removed as demonstrated below

security groups

Viewing Security Group Members

A user who is not a security group owner can still see the members of a security group

Each security group has a unique GUID which can be found within AAD or at https://account.activedirectory.windowsazure.com/r#/groups

To view the members of a security group, create a gallery with the Items property referencing the relevant GUID:

Office365Groups.ListGroupMembers("7b50a003-d28a-4eb0-9a52-15a59aee701f").value

Add a label with the Text property of:

ThisItem.DisplayName

We could also find the records in the Dataverse ‘User’ table for the members of a particular security group by using the following formula:

Filter(
Users,
'Full Name' exactin Office365Groups.ListGroupMembers("7b50a003-d28a-4eb0-9a52-15a59aee701f").value.displayName
)

Summary

Users have to be created in AAD before they can be added to a security group.   It’s not possible to create a user using a Power App

It’s only possible to add or remove members from security groups that the user owns.  Security groups can have multiple owners.  The security group owners don’t need to have any security roles assigned to them, ownership, or co-ownership of the security group is sufficient

Current users can be sourced from the Office365Users connector or from the ‘AAD User’ table in Dataverse

A user who is not a security group owner can still view the members of a security group, even if they are not in the group themselves

Updates to AAD can take a few second to action so an app that makes multiple rather than single changes would be preferable

Because security groups exist at the Tenant level, the Power App can reside on any of the environments in the tenant and will show the identical results

Finally, even if a user is added to a security group, they still need to have an appropriate licence to be able to use the Power App

Leave a Comment

Your email address will not be published.

Scroll to Top