Adding Security Group Members to a Managed Power App Using a Low-Code/No-Code Mindset
One of the coolest parts of working with the Power Platform is how seamlessly all of its components work together to solve problems. Gathering group members from a database and granting them certain permissions used to require a knowledgeable developer making multiple API calls. Power Automate has made it possible to do low-code/no-code operations in a visual way that is easier for new users to pick up and start building themselves.
For this use case, we want to figure out how to add group permissions to apps from managed solutions. Managed solutions are a way to package apps, tables, flows, and anything else necessary and move them from one Power Apps environment to another. The most common use case for a managed solution is using a development environment for developing and testing apps, then packaging them to send to a production environment. This is a great workflow, but one problem we've seen come up regularly is that users are unable to add bulk security group permissions through the Power App "Share" settings like they would be able to do with an unmanaged Power App. Like many other issues, there are scripts you can run in PowerShell to achieve this task. However, taking a low-code/no-code approach is preferable for a broader audience, so this is how you would accomplish this task in Power Automate step-by-step. In doing so, we'll be showing another example of just how intuitive this platform can be for everyone on your team.
The Problem
With an unmanaged Power App (one that you build outside of a Managed Solution), you can add an entire security group as a co-owner when sharing the app:
In a managed Power App, that option is greyed out:
This is a problem if your team needs all members of a specific security group to have permissions to the app. We know that we can add owners individually to a managed Power App, but adding each person separately would be tedious and scale poorly:
The Solution
We now know that we can add owners individually to a managed Power App, so let's leverage Power Automate to find all members of that security group and individually add them as owners to the app. You can pick whatever trigger you want for a flow; I chose for this to run every morning so we can find new members. The first step is getting all of the group members in a security group using the "Azure AD" connector and the "Get group members" action. This step will ask for the "Group ID" which can be found in the Overview tab for the group in Azure AD under "Object ID".
The next step will be to use the "Power Apps for Admins" connector and the "Edit App Role Assignment as Admin" action:
This requires the following information:
- Environment Name - the ID of the environment you're working in (can be found in the URL of your current Power Automate tab or in the Power Platform Admin Center for that Environment)
- PowerApp Name - the ID of the app you're trying to access (can be found in the Details for the app under "App ID")
- Role Name - you can choose between 'CanView', 'CanViewWithShare', or 'CanEdit'. 'CanEdit' will make the user a co-owner.
- Principal Email - the group member "Mail" from the "Get group members" action we added. An "Apply to each" loop will be opened automatically since we have multiple members.
- Principal Object ID - the group member "ID" from the "Get group members" action we added
- Principal Type - this should usually be "User"
- Tenant ID - the tenant ID of your entire Azure AD (can be found on the "Overview" tab in Azure AD)
The entire flow should look like this:
If you wanted to do this for every app in your environment, you can use the same "Power Apps for Admins" connector and the "Get Apps as Admin" action, then apply the environment IDs and app IDs from that connector in an "Apply to each" loop.
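The decisions the "Apply to each" loop makes for each member, written out in Python as an added example (it is not part of the original post and is not Microsoft's code). The function name, the dict shapes and the sample data are assumptions made for illustration; it also lists principals that already hold the role on the app but are no longer in the group, which a daily add-only flow would not surface.

```python
# Added illustration. Member fields ("id", "mail") mirror what the article maps
# from "Get group members"; the assignment dict shape is a hypothetical model.
VALID_ROLES = {"CanView", "CanViewWithShare", "CanEdit"}


def plan_assignments(members, existing, role_name, tenant_id):
    """Decide what the "Apply to each" loop should do for one app.

    members  -- list of dicts with "id" and "mail" (mail may be None)
    existing -- list of dicts with "objectId" and "roleName" already on the app
    Returns (to_add, skipped, not_in_group).
    """
    if role_name not in VALID_ROLES:
        raise ValueError(f"unknown role name: {role_name!r}")
    held = {e["objectId"].lower(): e["roleName"] for e in existing}
    to_add, skipped, seen = [], [], set()
    for m in members:
        oid = m["id"].lower()
        if oid in seen:                 # same member returned twice
            continue
        seen.add(oid)
        if not m.get("mail"):           # no "Mail" value to map to the email field
            skipped.append(oid)
        elif held.get(oid) != role_name:
            to_add.append({
                "roleName": role_name,
                "principalEmail": m["mail"],
                "principalObjectId": oid,
                "principalType": "User",
                "tenantId": tenant_id,
            })
    # Principals that hold this role on the app but are not in the group,
    # e.g. people removed from the group since an earlier run.
    not_in_group = sorted(
        o for o, r in held.items() if r == role_name and o not in seen)
    return to_add, skipped, not_in_group


# Constructed sample data (not real identifiers).
SAMPLE_MEMBERS = [
    {"id": "AAAA-0001", "mail": "ana@example.com"},
    {"id": "aaaa-0002", "mail": "ben@example.com"},
    {"id": "aaaa-0003", "mail": None},
    {"id": "aaaa-0001", "mail": "ana@example.com"},
]
SAMPLE_EXISTING = [
    {"objectId": "aaaa-0002", "roleName": "CanEdit"},
    {"objectId": "aaaa-0009", "roleName": "CanEdit"},
    {"objectId": "aaaa-0008", "roleName": "CanView"},
]
```

Calling `plan_assignments(SAMPLE_MEMBERS, SAMPLE_EXISTING, "CanEdit", "tenant-placeholder")` returns one member to add, one skipped for a missing mail value, and one existing co-owner to review.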
The Result
For the test today, we knew the 4 users of the security group we were testing with. After running the flow, we went back to the "Share" option for the Power App and found that all members were listed as co-owners:
Conclusions
We wanted to show how easy it is to use the Power Platform tools available to you to achieve tasks without the need for any custom coding. Power Automate is great for individuals with a development background because it sticks to so many of the principles they learn in programming (conditional logic, looping, etc.), but it is also incredibly easy for new users without that background to pick up. All you need to do is come up with a problem to solve, the steps needed to solve it, then start building.
