
Implementing Tier Security using MS365 Security Groups with SharePoint as a Data Source in Canvas App

SebS

Overview…

 

What are Security Groups and what we should use them for…

A Microsoft 365 security group is a way to group users and/or other security groups together in order to manage access to resources in Microsoft 365, such as files, folders, and applications. Instead of assigning permissions to each person, you assign them once to the group, and membership changes (joiners, leavers, role changes) are handled in one place. This saves time and effort compared with managing each user's access individually, and it makes access reviews simpler, because the group's membership list is the access list.

  • Example: If a team of employees needs access to a specific file, create a security group for that team, add the relevant colleagues, and grant the group access to the file rather than granting access to each individual. This is easier to manage, particularly as teams grow and change over time.

Membership can also be driven by attributes of the user, such as job title or department, using dynamic membership rules in Microsoft Entra ID (Azure AD). This helps ensure that users only have access to the resources they need to do their job, provided the source attributes (usually fed from HR data) are kept accurate.

Creating and Implementing Security Group…

  • Appendix 1 – Creating a security group via Outlook
  • Appendix 2 – Creating a security group via Microsoft MyAccount/My Groups
  • Appendix 3 – Taking note of the security group ID (referred to below as the Security Group Token)
  • Appendix 4 – Applying security groups to SharePoint lists
  • Appendix 5 – Applying your security group access control to your Power App
  • Appendix 6 – Testing the new functionality of the app

Who to contact if you want to know more…

  • SebS

 

Appendix 1 – Creating a security group via Outlook

When creating a security group, use a consistent naming convention that includes a prefix indicating your site or business area, followed by the type of group (for example, the role). For example, the "Newhouse Warehouse Team Manager Security Group" could be named along the lines of NewhouseWH-TeamManagers rather than a bare TeamManagers; a consistent format makes it easier for the IT team to understand the purpose of the group later, and to spot groups that no longer belong to an active app.

 

In Outlook, select New Group from the Home tab.

Note: the group that Outlook creates is a Microsoft 365 group (mail-enabled, with its own mailbox and SharePoint site), not a security-only group. It can still be granted permissions on a SharePoint list and read through the Office365Groups connector, but if you want a plain security group, use the My Groups method in Appendix 2.

 

When the create group form appears:

  • Give the group a name
  • Give the group an email address
  • Give the group a description
  • Select the sensitivity from the dropdown options
  • Select the privacy level from the dropdown options
  • Select Create

Note: you can still add members to the group after you've created it.

 

 

 

Appendix 2 – Creating a security group via Microsoft MyAccount/My Groups

Another method is to use Microsoft MyAccount: navigate to My Groups - Overview (microsoft.com) and select Create Security Group.

 

When the new security group form is displayed:

  • Give the group a name
  • Give the group a description
  • Select a policy from the dropdown options
  • Select Next

 

 

Appendix 3 – Taking note of the security group ID

Once you've created the security group by either method, take note of its object ID. This post refers to it as the Security Group Token, but it is not a secret and not an access token: it is the group's identifier in Microsoft Entra ID (a GUID of the form 00000000-0000-0000-0000-000000000000), and it is the value the Office365Groups connector needs in order to list the group's members from Power Apps.

To find it, navigate to My Groups - Overview (microsoft.com) and then:

  • Select Groups I own from the left side of the screen
  • Locate and select the name you gave the group when creating it from the window in the middle

 


 

In the browser's address bar, the long string of letters and numbers after the last forward slash is the group's object ID:

  • Highlight and copy everything after the last forward slash ( / )
  • Paste it into your notes and save it under the group name. The connector call in Appendix 5 is keyed on this value, so record clearly which ID belongs to which role; pointing the Admin check at the wrong group is an easy mistake that no error message will reveal.

 

Appendix 4 – Applying security groups to SharePoint lists

By securing access to SharePoint lists directly, we can prepare them for use in Power Apps without adding users to the SharePoint site as a whole. This limits what app users can reach beyond the lists they need, and it is the control that actually protects the data: the role checks built into the app later only decide what the app shows, while SharePoint permissions apply however the list is accessed (the app, the SharePoint UI, Power Automate, or the REST API).

 

Creating a SharePoint List

To create a list, from the home page of your SharePoint site:

  • Select the cog in the top right of the screen
  • Select Site contents from the list that appears

Once the Site contents page opens:

  • Select List from the options in the 'New' dropdown in the top left corner of the screen
  • Select Blank list from the options that are displayed
  • Give your list a name
  • Add a description to your list
  • Click Create

 

Change the permission settings for the list you created or an existing list

To change the permissions of a list, from the home page of your SharePoint site:

  • Select the cog in the top right of the screen
  • Select Site contents from the list that appears

 

Once the Site Content page opens:

  • Locate and select the chosen list

Note: If you've created a new list, it will appear here.

 

Once the selected list opens:

  • Select the cog in the top right of the screen
  • Select List settings from the list that appears

 

Once the Settings page appears:

  • Select Permissions for this list from under the Permissions and Management section

 

Once the Permissions page appears:

  • Select Stop Inheriting Permissions from the top left of the screen
  • In the list below, select all the entries other than the site Owners group
  • Select Remove User Permissions from the top of the screen

After removing all permissions from the list other than the Owners group:

  • Select Grant Permissions from the top ribbon of the screen

Once the Grant Permissions pop-up appears:

  • Start typing the name of the security group you created earlier into the 'Enter names or email addresses' box, and then select the group from the dropdown that appears
  • Select Show options
  • Unselect Send an email invitation
  • Select the required permission level from the Select a permission level dropdown
  • Select Share

Choose the lowest permission level that does the job: Read for groups that only view data, Contribute for groups that add, edit and delete items, and Edit or Full Control only if the group genuinely needs to change the list's structure or permissions. Repeat the Grant Permissions step for each role group with its own level, and match the SharePoint level to what the app lets that role do: a Clerical group granted only Read will see the data in the app, but any write the app attempts for that user will fail. Finally, use Check Permissions on the same ribbon with the account of an ordinary user to confirm the result, and remember that anyone in a granted group can read the list through any client, not only through this app.

 

 

 

Appendix 5 – Applying your security group access control to your Power App

Add the Office365Groups connector to your app:

  • Select the Data (cylinder) icon on the left of the screen
  • Select Add data
  • Locate and select the Office365Groups connector from the connector section

You're now connected to Office365Groups. The connector runs with the signed-in user's identity, so each user of the app must be able to read the group's membership. With a tenant's default user permissions in Microsoft Entra ID this is allowed; if your tenant restricts users from reading directory information, the membership call will return nothing and every user will appear to have no role.

 

 

Next, open the App > OnStart property:

  • Select the tree view icon on the left of the screen
  • Select App from the list of pages
  • Select OnStart from the property dropdown

 

 

 

Now set a variable that pulls the membership of each security group in OnStart, using the ListGroupMembers action of the Office365Groups connector we added in the previous step and the group object ID noted down in Appendix 3:

  • In the formula bar across the top of the page, enter the following code, replacing each placeholder with the actual group ID. ListGroupMembers accepts an optional Top parameter and returns at most one page of members per call, so for large groups confirm that a single call returns the whole membership (compare the count with the group's size in the portal) before relying on it.

 

// Pull the membership of each role group once, at start-up.
// The string argument is the group's object ID (GUID) from Appendix 3, not a secret.
// Power Fx variable names are case-sensitive, so keep the "var" prefix consistent.
Set(
    varGroupUsers,
    Office365Groups.ListGroupMembers("<Users group object ID>").value
);
Set(
    varGroupWHTeamManagers,
    Office365Groups.ListGroupMembers("<Team Managers group object ID>").value
);

 

 

 

 

We can add any number of security groups; it is recommended to create at least three. The specific design and names are up to you, but the structure below is a good one to work to:

  • User: for everyone who will use the app
  • Superuser: for small changes, corrections, and support to users
  • Admin: for those who can do everything and have access to all settings in the app, such as expanding lists and adding users (note that adding users from within the app is more complex, as it requires the right to add members to the security group)

Alternatively, here is another possible structure:

  • Clerical: for data entry
  • Team Manager: for approving and authorizing
  • Shift Manager: for second-tier management or managing the removal of tickets

Important note: the User/Clerical security group must be granted on the SharePoint lists if we want to restrict access to the data in those lists while sharing the app with everyone in the business rather than with specific employees. Someone who is not in any of the security groups granted on the lists connected to the app will only see blank dropdowns and galleries, because SharePoint refuses the reads. You can redirect such users to a dedicated screen or show a pop-up message; that is a design choice. Keep the two layers distinct: the group membership check in the app decides what the app shows, while the SharePoint permission decides what the user can read or write, and only the latter stops a user who bypasses the app.

Next we need a way to verify whether the currently logged-in user is a member of any of our security groups and to establish which role in the hierarchy they hold. Before that, we need a way to test all of the functionality without asking someone else to use the app, or breaching policy by logging in as someone else.

We will build a quick demo mode that lets us substitute another person's email address and see the app as if that person had logged in.

 

 

To create the test mode, we add a block of code that lets us use fake details in place of the logged-in user's details:

  • varDemoMode is the switch that changes which identity the role checks use
  • Setting this variable to true uses our test setup with a fake email and FullName
  • Setting varDemoMode to false uses the details of the currently logged-in user

Note that demo mode only changes the identity that the app's own role checks see. The Office365Groups and SharePoint connections still run as you, so the data you see is still governed by your own SharePoint permissions, and leaving varDemoMode set to true in a published app would give every user the test user's role in the app. Set it back to false before publishing.

 

In the App.OnStart property, place this code below the code added earlier for the security groups.

 

 

// Demo mode: true substitutes a fake identity for the role checks; false uses the signed-in user.
// Set this back to false before publishing.
Set(
    varDemoMode,
    false
);

If(
    varDemoMode,
    Set(
        varCurrentUser,
        {
            FullName: "Test User",
            Email: "test.user@coop.co.uk"
        }
    ),
    Set(
        varCurrentUser,
        {
            FullName: User().FullName,
            Email: Lower(User().Email),
            Photo: User().Image
        }
    )
);

 

 

 

 

Now we can set up two control groups:

  • User
  • Admin

To do this, we collect the email addresses stored in our security groups into one string per group using the Concat function.

To keep it clean and consistent with the rest of the block, we create a single variable that stores both, called varAppGlobals, with two properties:

  • UserEmails
  • AdminEmails

Add the following to App.OnStart, below the code you've already added. The addresses are lower-cased as they are collected, because the Find function used later is case-sensitive and the address returned by User().Email may not match the case stored in the directory:

 

 

Set(
    varAppGlobals,
    {
        // Semicolon-separated, lower-cased address lists, one per role group
        UserEmails: Concat(varGroupUsers, Lower(mail), ";"),
        AdminEmails: Concat(varGroupWHTeamManagers, Lower(mail), ";")
    }
);

 

 

 

Next, create the variable varUserRoles. It will hold all the email addresses used to verify whether the logged-in user is in one of our security groups; start it from the User group by adding:

 

 

Set(
 varUserRoles,
 varAppGlobals.UserEmails

);

 

 

After the User variable is done, we verify the Admin and, if the user is an Admin, extend the address list used for the User role check. This is an important step: an Admin must be able to use everything a User can without any additional code, so an Admin does not also need to be a member of the User group. The match must be an exact one on the whole address. A plain Find on the joined string would also match an address that merely contains the user's address as a substring (for example ann@... inside joann@...), so the address is wrapped in the ; separators before searching, and the two lists are joined with a ; between them so that the last User address and the first Admin address do not run together. Add the below:

 

 

Set(
    varIsAppAdmin,
    // Exact match: wrap both sides in the separator so "ann@x" cannot match inside "joann@x"
    !IsBlank(
        Find(
            ";" & Lower(varCurrentUser.Email) & ";",
            ";" & varAppGlobals.AdminEmails & ";"
        )
    )
);

If(
    varIsAppAdmin,
    Set(
        varUserRoles,
        // Keep a separator between the two lists so addresses do not run together
        varAppGlobals.UserEmails & ";" & varAppGlobals.AdminEmails
    )
);

 

Now we create the overall UserRole verification. This needs to be the last block: if you decide to add another level, for example AdminManager, its addresses must also have been appended to varUserRoles before this point. There is no limit to the size of the hierarchy, but I will keep it simple here so as not to overcomplicate the app. Add the below:

 

 

Set(
    varIsUserRole,
    // Same exact-match test as above, against the combined User (+ Admin) list
    !IsBlank(
        Find(
            ";" & Lower(varCurrentUser.Email) & ";",
            ";" & varUserRoles & ";"
        )
    )
);
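The same check written as a rank table, as an added example that is not part of the original post. It assumes three groups (User, Superuser, Admin) whose object IDs are placeholders, that ListGroupMembers returns a mail column as the post's own code relies on, and that varCurrentUser has already been set by the demo-mode block. Instead of searching a joined string, it looks each address up as a whole value in each group's member table, and it derives every lower tier from the highest rank that matched, so adding a fourth level is one extra row rather than another Find block:

```powerfx
// Added example, not the original post's code. Group object IDs are placeholders.
// One row per tier. A higher Rank implies membership of every lower tier.
Set(
    varRoleTable,
    Table(
        { Role: "User",      Rank: 1, Members: Office365Groups.ListGroupMembers("<Users group object ID>").value },
        { Role: "Superuser", Rank: 2, Members: Office365Groups.ListGroupMembers("<Superusers group object ID>").value },
        { Role: "Admin",     Rank: 3, Members: Office365Groups.ListGroupMembers("<Admins group object ID>").value }
    )
);

// Highest rank whose group contains the current user's address.
// LookUp compares whole addresses (both sides lower-cased), so "ann@example.com"
// cannot match "joann@example.com" the way a substring Find over a joined string can.
// Members with no mail value (nested groups, service principals) never match.
Set(
    varUserRank,
    Coalesce(
        Max(
            Filter(
                varRoleTable,
                !IsBlank(LookUp(Members, Lower(mail) = Lower(varCurrentUser.Email)))
            ),
            Rank
        ),
        0   // not in any group
    )
);

// Derived flags. Each tier includes the tiers below it, so an Admin never has
// to be added to the User group as well.
Set(varIsUserRole,  varUserRank >= 1);
Set(varIsSuperuser, varUserRank >= 2);
Set(varIsAppAdmin,  varUserRank >= 3);

// Name of the highest matched tier, for display or for a "no access" screen. Blank if none.
Set(varUserRoleName, LookUp(varRoleTable, Rank = varUserRank, Role));
```

varIsUserRole and varIsAppAdmin keep the names the rest of the post uses, so the button formulas in Appendix 6 work unchanged. If some users in your tenant sign in with a name that differs from their primary mail address, User().Email and the member's mail value may not match; if the connector's member records include the user principal name in your tenant, compare against both in the LookUp. As before, these variables only drive what the app shows: the SharePoint list permissions from Appendix 4 are what actually protect the data.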

 

 

Appendix 6 – Testing the newly added functionality…

In App.OnStart, go to Set(varDemoMode, false) and change false to true.

This makes the application evaluate all of the role checks against the fake user we set up in the demo mode block, while the connectors keep running as you.

Now place two buttons next to each other on the screen.

In the button on the left, add the following code to the DisplayMode property; it disables the button if the current user does not have Admin rights:

 

If(
 varIsAppAdmin,
 DisplayMode.Edit,
 DisplayMode.Disabled
)​

 

Next, change the Text property and include an If statement that changes the button label based on the logged-in user:

 

If(
 varIsAppAdmin,
 "Hello ADMIN",
 "Not an Admin"
)​

 

Now do the same for the button on the right, but for the User role.

First, add this code to the DisplayMode property of the button:

 

If(
    varIsUserRole,
    DisplayMode.Edit,
    DisplayMode.Disabled
)

 

 

Finally, change the Text property by adding the code below:

 

If(
    varIsUserRole,
    "Hello USER",
    "Not a User"
)

 

 

Once this is done, the left button should be disabled. The right button will be enabled (blue) or disabled depending on whether the email you entered in demo mode belongs to someone who is already in your User security group.

In this case I used the email of a person who belongs to the User security group.

Then I switched varDemoMode back to false, so the checks ran against my own email address; both buttons switched to Edit mode, meaning both can be pressed.

We've implemented an Admin function based on a security group, and a way for Admin members to pass the User check without being added to the User security group as well. This avoids unnecessary redundancy in group membership, and on top of that we created a way to test it.

This approach becomes more valuable as the hierarchy grows. We simply add each person to the security group for their role and do not worry about adding them to any lower-ranked groups, as the variables will handle it for us if we design them correctly. Remember that the disabled buttons are only a usability aid: what a role can actually read or change is decided by the SharePoint permissions set in Appendix 4, so test those with a real account as well.

Lastly, we've created the user role check at the end.

I hope everything is working on your side! 😊 Thank you for taking the time to read through it, and I hope it was helpful.

 

 

Here is the whole code for the App > OnStart property of your app, with the corrections described above applied (exact address matching, a separator between the joined lists, lower-cased addresses, and consistent variable names):

// Membership of each role group. The argument is the group's object ID (GUID), not a secret.
Set(
    varGroupUsers,
    Office365Groups.ListGroupMembers("<Users group object ID>").value
);
Set(
    varGroupWHTeamManagers,
    Office365Groups.ListGroupMembers("<Team Managers group object ID>").value
);

// Demo mode: true substitutes a fake identity for the role checks. Set back to false before publishing.
Set(varDemoMode, false);

If(
    varDemoMode,
    Set(
        varCurrentUser,
        {
            FullName: "Test user",
            Email: "test.user@domain.com"
        }
    ),
    Set(
        varCurrentUser,
        {
            FullName: User().FullName,
            Email: Lower(User().Email),
            Photo: User().Image
        }
    )
);

// Semicolon-separated, lower-cased address lists, one per role group
Set(
    varAppGlobals,
    {
        UserEmails: Concat(varGroupUsers, Lower(mail), ";"),
        AdminEmails: Concat(varGroupWHTeamManagers, Lower(mail), ";")
    }
);

Set(
    varUserRoles,
    varAppGlobals.UserEmails
);

// Exact match: wrapping both sides in ";" stops "ann@x" matching inside "joann@x"
Set(
    varIsAppAdmin,
    !IsBlank(
        Find(
            ";" & Lower(varCurrentUser.Email) & ";",
            ";" & varAppGlobals.AdminEmails & ";"
        )
    )
);

// An Admin passes the User check too, without being in the User group
If(
    varIsAppAdmin,
    Set(
        varUserRoles,
        varAppGlobals.UserEmails & ";" & varAppGlobals.AdminEmails
    )
);

Set(
    varIsUserRole,
    !IsBlank(
        Find(
            ";" & Lower(varCurrentUser.Email) & ";",
            ";" & varUserRoles & ";"
        )
    )
);

 

 

Example App with working Example is attached
