PowerApps Security, Environments, and Plan 2 

Thanks for sharing 🤩

Those are great examples. 😀

Use Power Automate workflow to set item level security on item creation on SP list. That way, the user can only view their own items, even if they have access to the list.

Thanks for the support! 🐶

Kea you just keep making awesome stuff and I will be happy. 🐶

Interesting idea 😀

Love the idea

Thanks 😊

Environments don't help in securing SharePoint lists at all. :(

@@ShanesCows that's bad.

Thanks for the info!

Happy to help. Have a great day. 🐶

Thank you. You are very kind.

Wow, thanks! 🤗

No drilldown for me either :(

Thank you for the kind words

One of my slides also covers it. So that is why I finally bit the bullet and made the video so I can link to it. Be sure to stop and say hello if you get a chance.

Try looking at Approvals in SharePoint. Might get you close.

You are welcome!

I don’t think so. They are just building departmental solutions that security isn’t an issue I would guess.

Will add it to my list. 😀

RE #1 - The main difference is that a trial environment only lives for 30 days before it is deleted. Production environments are permanent, and require production capacity to create: powerapps.microsoft.com/blog/provisioning-and-administration-is-getting-easier/. RE #2 - It really depends on how you are structuring your "development app" vs your "production app" and which type of app it is: 1. If you are just building a canvas app - your 'development' app can just be the working draft of the same production app. And when you are ready you can 'publish' it to all of the users who have access: docs.microsoft.com/powerapps/maker/canvas-apps/save-publish-app 2. If you have a more complex app, including model-driven apps against CDS, you could consider creating separate "developer" and "live production" environments. This is important because you will be making metadata changes that can introduces conflicts in the same environment. In this scenario you will need to have an application lifecycle management process using solutions to transport your changes from development and publish to production: powerapps.microsoft.com/blog/alm-at-scale-new-features-and-automation-capabilities/

Thanks James! 👍 In case anyone is wondering these are his features so he is the authority.

Try this video ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-0MB-z9cyFCQ.html

Martin I want to say yes. But I don't remember everything I said. :)

I think so

As long as the app doesn’t have a premium datasource your users will NOT need a premium license.

You need to share the file in OneDrive

Not that I know of. You would have to look to see if there is a Graph API call that does it and then go from there.

That is default behavior. People can only edit apps they are owner of. But they can use any connection you have shared with them.

Everyone who logs into your app has to have an Azure Active Directory account. That is the only way to log in.

Thanks 😊

Not that I know of

Yes. As long as they only need read then that is all you have to give them in SharePoint

2 I don't think so. I believe it just converts the environment to be permanent.

1 nope. 2 you would have to write the logic to avoid conflict. It can be a pain in the butt. 😑

Not really. Learn Powerapps is the first then they go crazy. 😀 we do have proper classes available www.PowerApps911.com/training

SharePoint is a bit different. SharePoint is about permissions to the list.

If your app has a premium connector (like sql or cds) then all users of the app have to have a premium license. So in your case everyone needs a premium license

I haven’t tried before but I think the answer is yes. As long as you share the app with all of the PBI users you should be good

Yes, look into Solutions. They allow you to package up your changes from Dev and move to Prod. Not perfect but close.

Hi Tommy. The license stuff is different. The SQL connection stuff is the same. Though you could also setup your SQL connection to use Azure AD instead of SQL and then that would change some of the challenges.

@@ShanesCows Thanks for the reply, Shane. I've followed the video, created a new environment to isolate the connection from end users, and it works like a charm. Thanks again. You need more subs, this is useful stuff!

Hi Marie. Yes licensing changed. I do think to properly secure your data you will need sql or cds. Both of which requires a premium license

I don’t yet. Sorry

You need enough per user plans to cover everyone, not just you.

Glad to help

I haven't used them before but it sounds like something I should look at.

It is on my list for sure. I just keep hoping they will update the UI. Security still uses the old tooling. UGH.

James I am not 100% but I think unity can create environments without additional licenses now. Not sure. I need to try. SQL is now premium though.

That is correct. You can make it harder for them but in the end they must have access.

They would need a p1 to access cds

CHeck the Role permissions. My CDS series starts here ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-49O1UW-tkyo.html

I haven’t written it down. Sorry.

Yes. Sorry.

YEs but you would have to build test lists and such and then change which ones the app is wired to when you move it.

They changed all of the licenses. Now anyone can create an environment but you need to pay for storage

Nope because you have to grant access to SharePoint directly 😢

Thanks Shane ... it is strange that Microsoft didn’t think if it.

If Power Apps triggers the flow then it runs in the context of the user. 😑

No you cannot secure SharePoint the same way. Sorry

Not that I know of Kim but I am far from an expert on Dynamics security so not 100% sure

Correct. It is still shared but the good news is in the second environment they cannot access it to use it. 😀

It isn’t ideal that is for sure.

NOTE: today each PowerApps Plan 2 license only grants you 2 environments to provision, so if you only needed that then that is correct. HOWEVER, I'm happy to call-out that we are removing the Plan 2 license requirement for admins in the next couple of months as outlined here: powerapps.microsoft.com/blog/provisioning-and-administration-is-getting-easier/.

Thanks again James. :)

@@mitshot60 Does this mean that we will be able to remove the maker role from a user without a Plan 2 license? How do the new provisioning rules affect Plan 1 users? Will they be able to create multiple environments that use Azure SQL Server as the back end?

@@woodmanjon Q: Does this mean that we will be able to remove the maker role from a user without a Plan 2 license? A: Correct Q: How do the new provisioning rules affect Plan 1 users? A: They would be able to create and manage environments the same as P2 users can today. Not impact to their current capabilities. Q: Will they be able to create multiple environments that use Azure SQL Server as the back end? A: Yes, as long as there is available capacity in their organization to create those additional environments

@@mitshot60 that's amazing!! Thank-you!!

Can be done by VB lenguaje ?

Yes I have built multilingual apps like this with if formulas. 😀

Yes, if you give them access to read SP list, they will not see the data coming from SP to PA but they won't be able to edit the data. This is what Shane has discussed in this video, if they somehow find your list, they can edit, wipe, download the entire data as they have access to the Sharepoint List. Unfortunately, same theory goes for Microsoft Flow too if you have lined it with your PowerApps. I am surprised to see Shane didn't mention about it. You will have to make your users Co-Owner of the Flow too (no Run only permission here for PA type), and hence if they find your Flow (which is pretty easy by logging in to Flow website), they can do a lot of damage to the entire process or make it a paralysed Flow! MSFT has a long way to go for this.

Before I was into PowerApps, I used SharePoint Designer Workflows to remove List permissions and set permission on each record itself. I didn't tested it yet, but i suppose that would still be an option. MS Flow should also work of course.

I think the only option so far is export and import the app.

Correct.

Vishal is correct. I would use Import and Export.

Whoops. All better. Thanks. 😂

Yes, but when you publish the app the users of the published app will need licenses.

@@ShanesCows so developer can develop in Office 365 but license is needed as per his connectors

@@shubhamsatpathy6489 Yes, licensing matter when a user uses the app, not for the developer making it.

@@ShanesCows how to verify the license that has been assigned to the workspace is powerapps/user license. ?