A Fool-Proof Way To Share Power Apps With External Users
Power Apps created for use inside a company can be shared with external users outside of the organization as well. External users require the same licensing as internal users but there is a different method to set them up vs. internal users. We can make sharing easier by placing all Power Apps external users inside of an Azure Active Directory security group and automatically granting app access and licensing to all users within the group In this article I will demonstrate a fool-proof way to share Power Apps with external users.
Table Of Contents:
โข Introduction: The Safety Inspections App
โข Add External User As A Guest In Azure Active Directory
โข Create An Azure AD Security Group For External Users
โข Assign The External User A Power Apps License
โข Share The Power Apps App With A Group Of External Users
โข Share The SharePoint List With An External User
โข Login To The Power Apps App As An External User
Introduction: The Safety Inspections App
The Safety Inspections App is used by External Safety Consultants at a construction company to perform safety inspections. The external safety consultants work at another firm but need access to the construction company’s Power Apps app.
Add External User As A Guest In Azure Active Directory
External Power Apps users must be added as guest users in Azure Active Directory. To do this, open the Global Admin Center from the Apps menu. Only users with administrator access can see this admin center.
Go to the Users section and select Guest Users. Then Add a guest user.
On the New user setup screen choose whether to create a new user account in your organization or invite a guest user with their existing email. Assign a name, email address, first name and last name.
Then write a personal message to the external user you are sharing the Power Apps app with. This will be included in their email invitation to our organization.
The external user will receive an email from Microsoft like this. No action is required. It simply notifies them they were added to the organization.
Create An Azure AD Security Group For External Users
External users also require a Power Apps license to use an app inside our organization. But when we try to give the guest user a license in the Global Admin Center there is no option to assign one. The assign a license tab is not visible for guest users.
Instead, we must create a group for external users in Azure Active Directory and apply licenses to every member of the group. Go to portal.azure.com and open Azure Active Directory.
Select Groups from the left navigation menu.
Then add a New group.
Choose the Group type “Security” and give the group a name and description. Make yourself an owner of the group.
Select Members, add the external user to the group then close the menu and click Create. The new group will now appear in the list of all groups
Assign The External User A Power Apps License
Now that we’ve created a new group for our external user we can configure it to apply Power Apps licenses to every member who joins. Open the External Safety Consultants group.
Go to the Licenses menu and select Assignments.
On the update licenses assignments screen select the licenses the external user will need to run the Power Apps app. The licensing required will be different based on whether we are sharing an app with premium vs. non-premium connectors or a standalone canvas app vs. a customized SharePoint list form. Check out the official Microsoft documentation to confirm which licenses should be applied.
Click Save once finished. We are done setting up the Azure Active Directory group for external users.
Share The Power Apps App With A Group Of External Users
The external user has been created, we’ve setup a new group and applied Power Apps licenses. Its finally time to share our Power Apps app with the external user. Go to make.powerapps.com, click on the three dots our app and select Share.
Type in the name of our Security Group External Safety Consultants then click Save. This will share the app with every member of the group. What we’ve done here is make it so everyone who is a part of this group gets an app and a Power Apps licenses. Its a pretty simple system to maintain.
Share The SharePoint List With An External User
Sharing the app itself is not enough. Every datasource connected to the app must also have read & write permissions for the external user. In this example, we’ll grant the external user access to a SharePoint list.
Open the SharePoint List settings.
Select Permissions for this list.
A SharePoint list has exactly the same permissions as the SharePoint site by default. This concept is called “inheritance.” To give the external user access to only a specific SharePoint list we must stop inheriting permissions from the SharePoint site.
On the next screen select Grant Permissions.
Then share the Safety Inspections SharePoint list with the External Safety Consultants group. Repeat these steps for every SharePoint list connected to the Safety Inspections app.
Login To The Power Apps App As An External User
We are done sharing the Power Apps app with an external user. They can login by clicking on the link in their invitation email.
The first time an external user logs into the organization they will be prompted to review permissions. Click Accept.
The Power Apps app and all of its datasources are now shared with the external user.
Did You Enjoy This Article? ๐บ
Subscribe to get new Power Apps articles sent to your inbox each week for FREE
Questions?
If you have any questions about A Fool-Proof Way To Share Power Apps With External Users please leave a message in the comments section below. You can post using your email address and are not required to create an account to join the discussion.
Thanks for sharing.
I did this 2 weeks ago for our partners. However, there are 2 issues I could not work out.
1) I use share point list as the datatable, when they click the shared APP from the email. It says they could not connect to the share point. Then I have to send them the link of the share point site, they just click it and see the whole share point site. Then they close the share point site and the APP can connect the share point list, then they can use the APP on Windows desktop.
2) For the guest account, when they try to login at mobile APP ( I have iPhone 11 and tested a couple of guest account). Most of them did not work at most of time, I only have a few time success but once logout, then could not login in again. the error message is “We Couldn’t find a work or school account with that email address. ” I submitted a ticket to Microsoft, they are trying to work it out but up to now, no solution yet.
Have you ever experienced above 2 issues ?
Thanks.
Jason.
I experienced a similar situation with an app embedded in Power BI, we came up with the same solution as you which was to direct clients to use the SharePoint site first.
Thank you!!!
So you stop the inheritance on the SharePoint list. My fellow SharePoint colleagues often do not recommend doing that because of performance issues that then might occur.
Did you experience any performance issues in the past due to stopped inheritance?
Hi,
Thank you for the wonderfull article.
I am trying to setup this on my personal instance which I created under Power Apps Community/Developer plan https://powerapps.microsoft.com/en-in/developerplan/.
I was able to configure and setup every steps from your article. However when I try to login to Power apps from my personal gmail account it throws below error –
You do not have a valid Power Apps plan. To access Power Apps you must have a Power Apps plan assigned to you by your organization or the organization in which youโre a guest.
I have attached the list of liceses assigned to this User.
Thanks Again!
Bipin,
I had this issue initially because I forgot to enable the “Power Apps for Office 365” service included in the Office E3 license.
You can also try adding the “Microsoft Power Apps Plan 2 Trial” license for the user.
Dear Matthew, would you be so kind to share how to do that? I’d like external users (outside my tennant) who do not have a powerapps plan to access a canvas app. How can they do that, without having to pay for a powerapps plan?
many thanks
Laura,
Unfortunately, those users are going to need a Power Apps license in your tenant.
Hi Matthew,
thanks for this. Could you please confirm if licenses needs to be granted to gmail users if I share an app with non-premium connectors.
The app will be a standalone canvas app with 2 SharePoint lists as data sources. My use case is that I want to collect personal information (including bank details) from new employees who are still external to the company.
Also, if I give them access to the SharePoint list will they be able to see all data in the SharePoint list?
Thanks,
Sean
Sean,
Premium licenses are not required for external users, just as they are not for internal users so long as you stay away from premium connectors.
If you give the external users access, yes they WOULD be able to see the whole SharePoint list which is not great for personal data. I’d recommend using Item-Level Permissions as I explain in this article to secure the records: https://www.matthewdevaney.com/3-ways-to-filter-a-power-apps-gallery-by-the-current-user/#Option-3:-Change-Item-Level-Permissions-in-SharePoint-List-Settings
Its really Great article found for sharing app with external users.
But i have one question here if i have datavers as a database for my power app then how to share power app to external users? i have believe datavers has more security so how to share this datavers to external users? looking forword to see answers this question.
I have try for same scenario but facing below issues.
1) we can not assign trail license to external users if you try assign trial for 30 days popup message see again and again.
2) when you try to provide datavers access for external users getting issue (which is attached in below)
Nilesh,
The error message says your user is disabled. Can you please try to enable them in the global admin Center?
I have trying for anonomus user outside the organisation users can access the app. like hows has outlook and gmail or yahho account useing there account user can login canvas app submit the responce. how to do this?
Nilesh,
In this article I explain how to allow a gmail user outside the organization to access an app. What I cannot comment on is your licensing needs. You will have to determine the proper license here.
Great post Matthew thanks for this awesome resources ๐๐
Kind regards ๐
Hi Matthew,
Good day.
May I inquire regarding the permission to the SharePoint List for some reason the app gives me an error “Don’t have permission to create row” whenever I am testing guest user/external user. I have already shared the app to the user and set the user role/access to SharePointList as full access.
The weird part is that the app only works when I try to open the url/link of the Sharepoint List (at least once everyday) on the same browser then re-open powerapps application.
My issue is that I want the app to work without manually opening the Sharepoint List every time I will use the power app application to create or modify and save record.
Hope you can assist me.
Kind regards
Thanks Matthew, for such a great article.
For anyone who is reading this, I faced issue that when I click on the application URL (as in the screenshot in heading “Login To The Power Apps App As An External User“, The app opened in Browser, instead of Power App Desktop application.
After some research, I found the solution mentioned in this article: OPen Powerapp in the app instead of browser – Power Platform Community (microsoft.com)
Hello, thanks for sharing.
I have two power apps that I want to share with external users. I use Azure SQL Database as backend.
Should I share this database with external users like you did with sharepoint list ?
Is it possible that I just share the power app with external users without giving them access to our database ?
Also, have you ever experienced and shared Azure SQL Database with Guests ?
I have a little bit of safety.
Thanks in advance.
how can i allow public users to autehnticate their email id and then use that id to give them access
Faisal,
You canโt do it with Power Apps. Use Power Pages instead.
Hi Matthew, did you consider giving access to your apps on a SharePoint page with the Power Apps web part inside Teams ? Would that be a great way to give access your apps to guest user without having to provide them a licence ?
Jerome,
All Power Apps users need either a standard or premium license. I do not recommend doing anything to circumvent the need for a license where one should be obtained.
Why do you say this is circumventing? It seems like if it works, then they are allowing it.
Michelle,
Just because you can do it doesnโt mean itโs within licensing terms. Example – you can use apps without a license by changing the role to System Admin. But when Microsoft sees it you will either need to pay or lose access to your apps. Simple as that.
Another possibility is that the external user has a Microsoft account and that license includes the standard Power Apps plan in which case it is legal and within Microsoft’s licensing guide lines. I created an app for a large company and they scrutinized with Microsoft if what I created was within their guidelines and it was. What I did was store the data in a Teams site, added the external users to the teams site (in a way it did not send them an welcome email) and created my app to use that data. It works.
Hi Matthew, My goal is to be able to create application in Power Apps as a guest user in another tenant. I was able to do it with this new preview feature : https://learn.microsoft.com/en-us/power-platform/admin/invite-users-azure-active-directory-b2b-collaboration#power-apps-support-for-b2b-guest-maker-preview.
Note: I did not need a Power Apps licence assigned to my guest account (I guess because I already have a licence in my own tenant).
My concern with this new feature is the requirement to set Azure AD “External collaboration settings” to “Guest users have the same access as members (most inclusive)”. Looks like existing guests will now be seen as regular tenant members. Not sure I want this….
Have you tried this setup? If yes, Am I wrong to think it will give too much access to all guest users just to give a guest user the “Environment Maker” role in Power Apps?
Thanks!
Martin,
That’s news to me. I have not tried this setup. Why would you want to allow guest users to create Power Apps in your tenant?
If I want to help a customer to create or edit in app in their environement, I would like to use my account and avoid the need to create an account in the customer environment.
Hi. I’m testing to use Power Apps from the browser to my external users. They can run the App from the browser without any issue. I have multiple flows for the App to send emails, change fields etc… and everything is fine until now. They cannot approve anything but I can use Send email with Options if I need a response.
Right now my only permissions are SharePoint and Office365 users. I eliminated anything in the App related to Microsoft Outlook permission because does not work with external users.
Is another work around to not use Power App licenses for simple Apps using SharePoint List.
Jose,
In response to your question “is another work around to not use Power App licenses for simple Apps using SharePoint list” my answer is you must have a standard Power Apps license to use this. Non-premium.
Hi,
This approach described in this article and Azure B2C concept are same?.
We are developing an power app canvas app. This app need to used for 60 external users. In order to provide license to all these users which license do we need go for subscription.
Per app/user/month or per user/month app subscription?. Please help!
Surya,
Both Per app/user/month or per user/month app subscription will work. Choose the one the that works best for you.
Hello Matt,
I seem to have essentially the same set-up for my app with guest users. Only we are using Dataverse instead of SharePoint and licensing the users.
However, one of our groups of users keeps getting an error when they 1st try to log into the app & create a connection to Dataverse.
It just says โWe werenโt able to add this connection.โ
Do you have any way to fix this?
Forum support request: https://powerusers.microsoft.com/t5/Building-Power-Apps/Dataverse-Connector-Error-For-Guest-Users/td-p/2295833
Thanks,
Hi Matthew,
great article as always ๐
I wonder if it is possible to somehow secure the SharePoint list so that the user cannot view it outside the application.
Will these lists be visible in Lists, Quick Access etc. for external guests with their own M365?
If not, they would theoretically have to guess the group name and list name to create a URL for it.
Sylwester,
Security by obscurity is the only way that I know of to hide a SharePoint list. It is a limitation of the datasource.
That’s what I’m planning but I thought maybe there was something else. Thanks for the answer.
So that the user can work with elements from the application level, it gives him permissions to the list as Contribute.
At the list, only the ID remains in the default view.
However, a user with Contribute permissions can add his own view and display any columns on it.
So I assume that I need to create an additional level of permissions and limit this possibility?
I am a developer and creating a solution which includes Power Apps, Power BI, SharePoint, Dataverse and Power Automate. And i want to share this application to external user. Which Licence are required for this. For both Developer and User?
Suraj,
A developer requires no licenses. The user will require a Power Apps Per App ($5) license or a Power Apps Per User license ($20).
Thank you Matthew
Thanks for the post! This is exactly what I need. My plan is to create a POC of an app an invite few external testers to test the application.
Janner,
You’re welcome. I used it myself this week ๐
Hi Matthew,
I was just working my way through this and Microsoft AD is now Microsoft Intra. I managed to create a group and add an external user but I’m stuck as the ‘License’ part as the option is no longer available.
Any idea?
EDIT: it does exist, I was in the wrong security group