Monday 22 March 2021

PowerApps - Share Canvas App with External Users



Introduction

Have you ever got a need to share your Canvas App with external organization users? It's a very common business requirement, where you may want to share your app with external users.

For example, You are designing a Canvas App for the Sales Person who works in your organization. However, there are some users like external business partners, vendors, contractors, etc who are not actually part of your organization but they still work for you, and therefore you want them to access your canvas apps.

There are various organizations like Uber, Amazon, Subway, Macdonald, etc who work in the same fashion. They not only work with the users who are part of their organization but also work with their vendors and partners as well.

Today, I am going to share #PowerGuide28 where you'll learn how to share your app with external organization users using the Azure AD B2B collaboration.


What is Azure AD B2B?

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department.
A simple invitation and redemption process lets partners use their own credentials to access your company's resources.

With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities.
  • The partner uses their own identities and credentials; Azure AD is not required.
  • You don't need to manage external accounts or passwords.
  • You don't need to sync accounts or manage account lifecycles.

Pre-Requisites
  • Azure Active Directory  Subscription (Trial is also fine)
  • Power Platform Environment (Trial is also fine)
  • Canvas App (create a new app or use an existing one that you want to share with external users)

Solution Design


Implementation Steps

Go to Azure Portal https://portal.azure.com and Open Active Directory.



Click on Users from the left panel




Click on + New guest User


Choose the Invite user option and fill out all external user details to whom you want to share the canvas app. and hit the Invite button





Open newly created guest user


Click on Licenses from the left panel.


Click on +Assignments and assign an appropriate license to the guest user.


Go to https://make.powerapps.com and share the canvas app with the guest user.



Important Note: Guests can only be assigned the User role, and not the Co-owner role, for apps shared with them. That means, they cant edit the app, they can only run the app.


Test and Demo

Open the invitation email and Accept the Invitation.



Open the app that is being shared with you.




Considerations and limitations for guest access
  • Guests can only be assigned the User role, and not the Co-owner role, for apps shared with them.
  • Power Apps can't recognize guests that authenticate by using Azure AD direct federation or email one-time passcode authentication.
  • Power Apps per-app plans are scoped to apps in a specific environment, so they can't be recognized across tenants.

Useful Resources





Hope you found this Tip helpful

Stay tuned for #PowerGuideTip29

Cheers

Sunday 21 March 2021

PowerApps Portal - Control Azure AD User Access


Introduction:

Hi Everyone,

Welcome to the Power Guide Blog series. Hope you all are doing great and staying safe!

In the past few days, I have got several queries regarding controlling the PowerApps Portal access to a particular group/subsidiaries or business unit.

Let's understand this with the help of the following business use case.

As we all know that PowerApps Portal supports Azure AD authentication, which allows all Azure AD users to directly login to the portal without being registered on the portal. However, sometimes we want to restrict portal access only to a specific group of users instead of all Azure AD users.

For example, Power Guide is an organization that has two departments let say: Helpdesk and HR Department. The helpdesk department has around 50 support agents who need PowerApps Portals access to handle queries and resolution of tickets. However, the HR department requires to have access only to Microsoft Teams. Now, If the organization wants to give portal access only to the Helpdesk department, not to the HR department then how can you handle that scenario?

In this article, I will share PowerGuideTip27 and will tell you a tip to handle such scenarios using Azure AD Conditional Access Policies.


What is Azure AD Conditional Access

Check this article to know about Microsoft's Azure AD Conditional Access.


Pre Requisites:
  • Azure AD Subscription (Trial is also fine)
  • Dynamics 365 License (Trial is also fine)
  • PowerApps Portals (of any type)

Implementations Steps:

1. Create a Dynamics 365 Free Trial.
2. Create a trial (subscription-based) environment in the Power Platform admin center.
3. Install PowerApps Portal (ignore if you already have). Click here for the installation steps.
4. Configure Azure AD Conditional Access Policy.

Step 1: Go to https://portal.azure.com/ and sign with your Dynamics 365 trial credentials

Note: Make sure you have Global Administrator rights.

Step 2: Click on View under Manage Azure Active Directory.


Step 3:  Click on Properties 



Step 4: Click on Manage Security defaults 


Step 5: Turn Off the Enable Security defaults settings and choose My organization is using Conditional Access. Click Save

Step 6: Click on Security.


Step 7: Click on Conditional Access


Step 8:
 Click on + New Policy.

Note: if the + New Policy option is disabled, that means you don't have an Azure AD Premium P2 subscription. Click on the -> arrow and Activate it.




Step 9: Give the policy name


Step 10:
 Click on 0 users and groups selected under Assignment.

Include - Users whom you want to restrict from accessing the portal
Exclude - User whom you want to give access to the portal

Under Include >  Select users and groups > choose Users and group checkbox > Search the user or group that you want to keep out of this policy and then Select to add them in the Include list.

Under Exclude >  Select users and groups > choose Users and group checkbox > Search the user or group that you want to keep out of this policy and then Select to add them in the Exclude list.

Note: If you have fewer users, then you can search and choose them individually from the list, otherwise create a security group, add all these users in that group and then search the group name and choose the group from the list. By doing that, this policy will be applied to all the members of that particular group.




Step 11: Click on No cloud apps or actions selected under Cloud apps or actions

Click on Include and Choose Select apps.

Search and choose all those apps that you want to restrict and apply this policy to.

Since we want to restrict only PowerApps Portal, therefore we will search Microsoft CRM Portals and add only that to the Include list.

Similarly, if you also want to restrict PowerApps and Power Automate then you can search for PowerApps and Microsoft Flow app respectively, and add them too to the include list




Note: Choose Microsoft PowerApps and Microsoft Flow apps only if you want to restrict Model-driven apps, Canvas apps, and Power Automate along with PowerApps Portals.


Step 12: Click on Grant under Access controls > choose Block Access >  Select


Step 13: Finally Turn On the Enable policy and Hit Create to create the policy,



Test and Demo







Hope you found this PowerGuideTip helpful.

Stay tuned for the next interesting Power Guide Tip. 

Cheers.
Blogger Widgets