Using Azure Active Directory groups to give access to Power Apps applications.

Written by

Posted on 1 Comment

Many of you have questions about giving access to a Power Apps application from Azure Active Directory groups.

  • How do we manage access to a model app in Power Apps from AAD?
  • How can we assign a role in Dataverse to a user? Without doing it for each active user.
  • Where can I find the AAD security groups on the Power Platform Administrator page?
  • Can we have multiple roles assigned to AAD groups?
  • Which type of groups can we use? Security – or Microsoft 365 groups?

Let us talk first then about the types of groups that exist in AAD?

Azure AD Security Groups

What are they?

AAD security groups are similar to security groups from an on-premise Windows Active Directory. It’s a security principle, so you can use it to secure objects in AAD. Security groups can be created in AAD or synced from an on-premises Windows AD with AAD Connect. Members can be static, or they can be generated dynamically with rules.

How are they used?

AAD security groups aren’t often used in Microsoft 365. AAD security groups are mainly used to apply licenses to users and apply access to Power Apps – applications. Centralize access management for Power Apps – applications from AAD.

Azure AD Microsoft 365

What are they?

Microsoft 365 groups give us the possibility to easily have permissions to a group of related resources. Those resources vary depending on where the creation of the Microsoft 365 group has done. For example, creating a team site in SharePoint will create a Microsoft 365 group and at the same time, a shared mailbox, calendar in Outlook, Planner Plan and a Power BI workspace.

We can assign two roles to a Microsoft 365 Group:

  • Owner
  • Member

Owners can change settings and membership of the group.
Members can remove themselves, add members to a public group and invite guest users. 

How are they used?

Microsoft 365 groups allow active users to take advantage of the entire suite of Microsoft 365 applications with minimal administrative overhead. It gives group owners one pane of glass to see what their group is doing and can use Microsoft 365 groups to access Power Platform applications.

Apply Azure Active Directory group to an environment in Power Platform

Apply Azure AD group to an environment in Power Platform

Step 1: Create a group in Azure AD
Go to Azure AD in the Azure Portal or open the Azure AD admin center.

Click “New Group”,

Azure AD security group

  • Group Type: Security
  • Group name: Name of the AAD security group
  • Group description: Description of the AAD security group
  • Membership type:
    Assigned: Manual assignment
    Dynamic user: Assign users based on rules
    Dynamic devices: Assign devices based on rules
  • Owners: The owner of the security group can manage members
  • Members: Add active users or guests to the AAD security group (Step 2)

Click Create to save the security group.

Azure AD Microsoft 365 group

  • Group Type: Microsoft 365
  • Group Name: Name of the AAD Microsoft 365 group
  • Group Description: Description of the AAD Microsoft 365 group.
  • Membership Type:
    Assigned: Manual assignment
    Dynamic user: Assign users based on rules
  • Owners: Owner of the AAD Microsoft 365 group
  • Members: Add active users to the AAD Microsoft 365 group (Step 2)

Click Create to save the Microsoft 365 group.

Another option is to create a SharePoint Team site, making a Microsoft 365 group in the background.


Step 3: Assign AAD group to a team in an environment in the Power Platform.

But first.

What are Teams?

Teams in Dataverse is a vital security building block. A business unit has a default team, and a business unit owns a team. There are two types of teams:

  • Owning Teams can own records, which give any team member direct access to that record. Users can be members of multiple teams. It is a powerful way of granting permissions to users in a broadway without micromanaging access at the individual user level.
  • Access teams provide auto-creation of a team and share record access with the team based on a template of permissions applied. You can also use it without the template of permissions; add/remove members manually. Access teams have a better performance because they don’t own records or have security roles assigned. Users get access because the record is shared with the team, where the user is a member.

How do we link an Azure AD group to a team in the Power Platform?

Go to the Power Platform admin center and open the environment where you would like to add the Azure AD group. You can use two ways to open “teams access” in the admin center.

  1. Just click the environment that you would like to manage. Click in the Access panel on “See All” under Teams.

  2. Click the three dots and click “settings”. Select “Users + permissions” and click “Teams”

Both ways will open the same window.

Click “Create team

Team name: we will use the same name as the Azure AD group. For example: secgrp-app-managers
Description: Add a team description
Business unit: Select the business unit
Administrator: Assign to the person that has created the team
Team type: Select the type of the team. This is the part that where we select the Azure AD group type.

AAD Security Group or AAD Office Group ( = Microsoft 365 Group)
In this example, I have selected the AAD Security group.

Fields “Group name” and “Membership type” will showing up.
Search and select the security group.
The “Membership type”, will select the active users based on these four filters:
  • Members and guests: Member and guest of the security group
  • Members: Only the members of the security group
  • Owners: The owners of the security group
  • Guests: Only the guests of the security group

Click “Next”
Step 4: Assign role to the team.

Select the role that you would like to assign to the team and click “save”.
This will create a new entry and a link to the Azure AD via a team.

Is possible to assign a second role to the team. Select the team and click “Manage security roles”

Select a second role and click “save”

Conslusion

We can indeed use Azure Active Directory groups to give access to a Power Platform application. Can use both security and Microsoft 365 groups. The environment needs to have a Dataverse database, and owning team is used. So that we can assign one or more roles to the created team, I hope this helps you and all commentaries are welcome.

Posted in Governance, Power Platform
Tagged ,

About the Author:

I’m a Microsoft Power Platform enthusiast working in Belgium. In my career as an IT specialist, nothing was an unknown domain, Cisco networking, Microsoft servers, IBM hardware specialist, automation via PowerShell, … But, It all started at the Microsoft Business Application summit in 2018 (Seattle), where I was blown away by the possibilities of “Power Automate” (at that time named “Microsoft Flow“) and the Power Platform. My journey took first a short detour, getting to know “Azure”, but I never lost the connection with “Power Platform“. I took the big step in 2020 to concentrate entirely on the Power Platform with links towards Azure services. In 2019, I came in contact with the community. Became a member of the #BEPAFUG in Belgium, speaker, blogger and became part of a big warm family #FLOWFAM, #POWERADDICTS, #COMMUNITYROCKS

1 comment

  1. Pingback: How can we use Dataverse teams to show specific controls/content on a canvas app? – Power Platform Dude

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: