A Fool-Proof Way To Share Power Apps With External Users

A Fool-Proof Way To Share Power Apps With External Users

Power Apps created for use inside a company can be shared with external users outside of the organization as well. External users require the same licensing as internal users but there is a different method to set them up vs. internal users. We can make sharing easier by placing all Power Apps external users inside of an Azure Active Directory security group and automatically granting app access and licensing to all users within the group In this article I will demonstrate a fool-proof way to share Power Apps with external users.

Table Of Contents:
โ€ข Introduction: The Safety Inspections App
โ€ข Add External User As A Guest In Azure Active Directory
โ€ข Create An Azure AD Security Group For External Users
โ€ข Assign The External User A Power Apps License
โ€ข Share The Power Apps App With A Group Of External Users
โ€ข Share The SharePoint List With An External User
โ€ข Login To The Power Apps App As An External User




Introduction: The Safety Inspections App

The Safety Inspections App is used by External Safety Consultants at a construction company to perform safety inspections. The external safety consultants work at another firm but need access to the construction company’s Power Apps app.





Add External User As A Guest In Azure Active Directory

External Power Apps users must be added as guest users in Azure Active Directory. To do this, open the Global Admin Center from the Apps menu. Only users with administrator access can see this admin center.



Go to the Users section and select Guest Users. Then Add a guest user.



On the New user setup screen choose whether to create a new user account in your organization or invite a guest user with their existing email. Assign a name, email address, first name and last name.




Then write a personal message to the external user you are sharing the Power Apps app with. This will be included in their email invitation to our organization.



The external user will receive an email from Microsoft like this. No action is required. It simply notifies them they were added to the organization.




Create An Azure AD Security Group For External Users

External users also require a Power Apps license to use an app inside our organization. But when we try to give the guest user a license in the Global Admin Center there is no option to assign one. The assign a license tab is not visible for guest users.



Instead, we must create a group for external users in Azure Active Directory and apply licenses to every member of the group. Go to portal.azure.com and open Azure Active Directory.



Select Groups from the left navigation menu.



Then add a New group.



Choose the Group type “Security” and give the group a name and description. Make yourself an owner of the group.



Select Members, add the external user to the group then close the menu and click Create. The new group will now appear in the list of all groups





Assign The External User A Power Apps License

Now that we’ve created a new group for our external user we can configure it to apply Power Apps licenses to every member who joins. Open the External Safety Consultants group.




Go to the Licenses menu and select Assignments.



On the update licenses assignments screen select the licenses the external user will need to run the Power Apps app. The licensing required will be different based on whether we are sharing an app with premium vs. non-premium connectors or a standalone canvas app vs. a customized SharePoint list form. Check out the official Microsoft documentation to confirm which licenses should be applied.

Click Save once finished. We are done setting up the Azure Active Directory group for external users.




Share The Power Apps App With A Group Of External Users

The external user has been created, we’ve setup a new group and applied Power Apps licenses. Its finally time to share our Power Apps app with the external user. Go to make.powerapps.com, click on the three dots our app and select Share.



Type in the name of our Security Group External Safety Consultants then click Save. This will share the app with every member of the group. What we’ve done here is make it so everyone who is a part of this group gets an app and a Power Apps licenses. Its a pretty simple system to maintain.





Share The SharePoint List With An External User

Sharing the app itself is not enough. Every datasource connected to the app must also have read & write permissions for the external user. In this example, we’ll grant the external user access to a SharePoint list.

Open the SharePoint List settings.



Select Permissions for this list.



A SharePoint list has exactly the same permissions as the SharePoint site by default. This concept is called “inheritance.” To give the external user access to only a specific SharePoint list we must stop inheriting permissions from the SharePoint site.



On the next screen select Grant Permissions.



Then share the Safety Inspections SharePoint list with the External Safety Consultants group. Repeat these steps for every SharePoint list connected to the Safety Inspections app.




Login To The Power Apps App As An External User

We are done sharing the Power Apps app with an external user. They can login by clicking on the link in their invitation email.





The first time an external user logs into the organization they will be prompted to review permissions. Click Accept.



The Power Apps app and all of its datasources are now shared with the external user.





Questions?

If you have any questions about A Fool-Proof Way To Share Power Apps With External Users please leave a message in the comments section below. You can post using your email address and are not required to create an account to join the discussion.

Matthew Devaney

Subscribe
Notify of
guest

46 Comments
Oldest
Newest
Inline Feedbacks
View all comments
Jason
Jason
2 years ago

Thanks for sharing.

I did this 2 weeks ago for our partners. However, there are 2 issues I could not work out.

1) I use share point list as the datatable, when they click the shared APP from the email. It says they could not connect to the share point. Then I have to send them the link of the share point site, they just click it and see the whole share point site. Then they close the share point site and the APP can connect the share point list, then they can use the APP on Windows desktop.

2) For the guest account, when they try to login at mobile APP ( I have iPhone 11 and tested a couple of guest account). Most of them did not work at most of time, I only have a few time success but once logout, then could not login in again. the error message is “We Couldn’t find a work or school account with that email address. ” I submitted a ticket to Microsoft, they are trying to work it out but up to now, no solution yet.

Have you ever experienced above 2 issues ?

Thanks.

Jason.

Shaun
Shaun
2 years ago
Reply to  Jason

I experienced a similar situation with an app embedded in Power BI, we came up with the same solution as you which was to direct clients to use the SharePoint site first.

aydar sitdikov
aydar sitdikov
2 years ago

Thank you!!!

Niko
Niko
2 years ago

So you stop the inheritance on the SharePoint list. My fellow SharePoint colleagues often do not recommend doing that because of performance issues that then might occur.

Did you experience any performance issues in the past due to stopped inheritance?

Bipin Kumar
2 years ago

Hi,

Thank you for the wonderfull article.

I am trying to setup this on my personal instance which I created under Power Apps Community/Developer plan https://powerapps.microsoft.com/en-in/developerplan/.

I was able to configure and setup every steps from your article. However when I try to login to Power apps from my personal gmail account it throws below error –

You do not have a valid Power Apps plan. To access Power Apps you must have a Power Apps plan assigned to you by your organization or the organization in which youโ€™re a guest.

I have attached the list of liceses assigned to this User.

Thanks Again!

Capture.PNG
Laura
Laura
2 years ago

Dear Matthew, would you be so kind to share how to do that? I’d like external users (outside my tennant) who do not have a powerapps plan to access a canvas app. How can they do that, without having to pay for a powerapps plan?
many thanks

Sean
Sean
2 years ago

Hi Matthew,

thanks for this. Could you please confirm if licenses needs to be granted to gmail users if I share an app with non-premium connectors.

The app will be a standalone canvas app with 2 SharePoint lists as data sources. My use case is that I want to collect personal information (including bank details) from new employees who are still external to the company.

Also, if I give them access to the SharePoint list will they be able to see all data in the SharePoint list?

Thanks,
Sean

nilesh birari
nilesh birari
2 years ago

Its really Great article found for sharing app with external users.
But i have one question here if i have datavers as a database for my power app then how to share power app to external users? i have believe datavers has more security so how to share this datavers to external users? looking forword to see answers this question.

I have try for same scenario but facing below issues.
1) we can not assign trail license to external users if you try assign trial for 30 days popup message see again and again.
2) when you try to provide datavers access for external users getting issue (which is attached in below)

Share app.JPG
nilesh
nilesh
2 years ago

I have trying for anonomus user outside the organisation users can access the app. like hows has outlook and gmail or yahho account useing there account user can login canvas app submit the responce. how to do this?

Eduardo
Eduardo
2 years ago

Great post Matthew thanks for this awesome resources ๐Ÿ˜Ž๐Ÿ‘

Kind regards ๐Ÿ‘‹

Sherwin
Sherwin
2 years ago

Hi Matthew,

Good day.

May I inquire regarding the permission to the SharePoint List for some reason the app gives me an error “Don’t have permission to create row” whenever I am testing guest user/external user. I have already shared the app to the user and set the user role/access to SharePointList as full access.

The weird part is that the app only works when I try to open the url/link of the Sharepoint List (at least once everyday) on the same browser then re-open powerapps application.

My issue is that I want the app to work without manually opening the Sharepoint List every time I will use the power app application to create or modify and save record.

Hope you can assist me.

Kind regards

Yasir Khan
Yasir Khan
2 years ago

Thanks Matthew, for such a great article.

For anyone who is reading this, I faced issue that when I click on the application URL (as in the screenshot in heading “Login To The Power Apps App As An External User“, The app opened in Browser, instead of Power App Desktop application.
After some research, I found the solution mentioned in this article: OPen Powerapp in the app instead of browser – Power Platform Community (microsoft.com)

Kodzo
Kodzo
1 year ago

Hello, thanks for sharing.

I have two power apps that I want to share with external users. I use Azure SQL Database as backend.
Should I share this database with external users like you did with sharepoint list ?
Is it possible that I just share the power app with external users without giving them access to our database ?

Also, have you ever experienced and shared Azure SQL Database with Guests ?

I have a little bit of safety.

Thanks in advance.

faisal
faisal
1 year ago

how can i allow public users to autehnticate their email id and then use that id to give them access

Jerome Rancourt
Jerome Rancourt
1 year ago

Hi Matthew, did you consider giving access to your apps on a SharePoint page with the Power Apps web part inside Teams ? Would that be a great way to give access your apps to guest user without having to provide them a licence ?

Michelle W.
Michelle W.
1 year ago

Why do you say this is circumventing? It seems like if it works, then they are allowing it.

Kurt H
Kurt H
11 months ago

Another possibility is that the external user has a Microsoft account and that license includes the standard Power Apps plan in which case it is legal and within Microsoft’s licensing guide lines. I created an app for a large company and they scrutinized with Microsoft if what I created was within their guidelines and it was. What I did was store the data in a Teams site, added the external users to the teams site (in a way it did not send them an welcome email) and created my app to use that data. It works.

Martin Coupal
Martin Coupal
1 year ago

Hi Matthew, My goal is to be able to create application in Power Apps as a guest user in another tenant. I was able to do it with this new preview feature : https://learn.microsoft.com/en-us/power-platform/admin/invite-users-azure-active-directory-b2b-collaboration#power-apps-support-for-b2b-guest-maker-preview.

Note: I did not need a Power Apps licence assigned to my guest account (I guess because I already have a licence in my own tenant).

My concern with this new feature is the requirement to set Azure AD “External collaboration settings” toGuest users have the same access as members (most inclusive)”. Looks like existing guests will now be seen as regular tenant members. Not sure I want this….

Have you tried this setup? If yes, Am I wrong to think it will give too much access to all guest users just to give a guest user the “Environment Maker” role in Power Apps?

Thanks!

Martin Coupal
Martin Coupal
1 year ago

If I want to help a customer to create or edit in app in their environement, I would like to use my account and avoid the need to create an account in the customer environment.

Jose
Jose
1 year ago

Hi. I’m testing to use Power Apps from the browser to my external users. They can run the App from the browser without any issue. I have multiple flows for the App to send emails, change fields etc… and everything is fine until now. They cannot approve anything but I can use Send email with Options if I need a response.

Right now my only permissions are SharePoint and Office365 users. I eliminated anything in the App related to Microsoft Outlook permission because does not work with external users.

Is another work around to not use Power App licenses for simple Apps using SharePoint List.

Surya
Surya
1 year ago

Hi,

This approach described in this article and Azure B2C concept are same?.

We are developing an power app canvas app. This app need to used for 60 external users. In order to provide license to all these users which license do we need go for subscription.
Per app/user/month or per user/month app subscription?. Please help!

Tyler
Tyler
1 year ago

Hello Matt,

I seem to have essentially the same set-up for my app with guest users. Only we are using Dataverse instead of SharePoint and licensing the users.

However, one of our groups of users keeps getting an error when they 1st try to log into the app & create a connection to Dataverse.
It just says โ€œWe werenโ€™t able to add this connection.โ€
Do you have any way to fix this?

Forum support request: https://powerusers.microsoft.com/t5/Building-Power-Apps/Dataverse-Connector-Error-For-Guest-Users/td-p/2295833

Thanks,

Sylwester
Sylwester
1 year ago

Hi Matthew,

great article as always ๐Ÿ™‚
I wonder if it is possible to somehow secure the SharePoint list so that the user cannot view it outside the application.
Will these lists be visible in Lists, Quick Access etc. for external guests with their own M365?
If not, they would theoretically have to guess the group name and list name to create a URL for it.

Sylwester
Sylwester
1 year ago

That’s what I’m planning but I thought maybe there was something else. Thanks for the answer.

Sylwester
Sylwester
1 year ago

So that the user can work with elements from the application level, it gives him permissions to the list as Contribute.
At the list, only the ID remains in the default view.
However, a user with Contribute permissions can add his own view and display any columns on it.
So I assume that I need to create an additional level of permissions and limit this possibility?

Suraj
1 year ago

I am a developer and creating a solution which includes Power Apps, Power BI, SharePoint, Dataverse and Power Automate. And i want to share this application to external user. Which Licence are required for this. For both Developer and User?

Suraj Chakrawarti
Suraj Chakrawarti
1 year ago

Thank you Matthew

powerapps developer
1 year ago

Thanks for the post! This is exactly what I need. My plan is to create a POC of an app an invite few external testers to test the application.

Suleman
Suleman
10 months ago

Hi Matthew,

I was just working my way through this and Microsoft AD is now Microsoft Intra. I managed to create a group and add an external user but I’m stuck as the ‘License’ part as the option is no longer available.

Any idea?

EDIT: it does exist, I was in the wrong security group

Last edited 10 months ago by Suleman