Implementing Tier Security using MS365 Security Groups with SharePoint as a Data Source in Canvas App
Overview…
What are Security Groups and what we should use them for…
A Microsoft 365 security group groups users and/or other security groups together so that access to Microsoft 365 resources, such as files, folders, SharePoint lists and applications, can be managed in one place. You create a group of users with the same access needs and assign permissions and access controls to the group as a whole, which saves time and effort compared with managing each user's access individually.
- Example: if a team of employees needs access to a specific file, create a security group for that team, add the relevant colleagues and grant the group access to the file rather than granting it to each individual. This makes access rights easier to manage, particularly as teams grow and change over time.
In addition to simplifying access management, security groups can control access based on attributes of the user, such as job title or department (for example, through dynamic membership rules). This helps ensure that users only have access to the resources they need to do their job.
Creating and Implementing Security Group…
- Appendix 1 – Creating a security group via the Outlook email
- Appendix 2 – Creating a security group via Microsoft MyAccount/My Groups
- Appendix 3 – Taking note of the Security Group Token
- Appendix 4 – Implement security groups to SharePoint lists
- Appendix 5 – Applying your Security Group access control to your Power App
- Appendix 6 – Testing New Functionality of the app
Who to contact if you want to know more…
- SebS
When creating a security group, we recommend a naming convention that starts with a prefix indicating your site or business area, followed by the type of group (for example, the role). For example, "Newhouse Warehouse Team Manager Security Group" could be shortened to a site prefix plus "TeamManagers". A consistent format makes it easier for the IT team to understand the purpose of the group in the future.
When opening your emails, select the New Group option from the Home tab.
When the create group form appears, complete it and create the group.
Note: you can still add members to the group after you've created it.
Another method to create a security group is to use Microsoft My Account: navigate to My Groups - Overview (microsoft.com) and select Create Security Group.
When the new security group form is displayed, complete it and create the group.
Once you've created the security group by either method, take note of its Security Group Token; Power Apps will need it to read the group's membership:
Take note of the security group you've created by navigating to My Groups - Overview (microsoft.com) and opening the group.
In the browser's address bar, the long string of letters and numbers after the last forward slash is what this guide calls the Security Group Access Token. Strictly speaking it is the group's Object ID: a GUID of the form 8-4-4-4-12 hexadecimal characters, not an access token or credential. It identifies the group rather than granting access, so it is not a secret, but copy it exactly; with a wrong character the connector will not find the group.
By securing access to the SharePoint lists themselves, we can use them in Power Apps without adding users to the SharePoint site. This reduces the need for additional security measures around other content on the site, and it is the control that actually protects the data: the role checks we build into the app later only decide what the app shows, while the list permissions decide what SharePoint will return.
Creating a SharePoint List
To create a list, from the home page of your SharePoint site, open the Site Contents page.
Once the Site Contents page opens, choose New > List and give the list a name.
Change the permission settings for the list you created or an existing list
To change the permissions of a list, from the home page of your SharePoint site, open the Site Contents page.
Once the Site Contents page opens, select the list. Note: if you've created a new list, it will appear here.
Once the selected list opens, open its settings.
Once the Settings page appears, open Permissions for this list.
Once the Permissions page appears, stop inheriting permissions from the site. A new list inherits the site's permissions by default, so until inheritance is broken every site member can read it.
After removing all the permissions from the list other than the Owner of the list, grant permissions to your security groups.
Once the Grant permissions pop-up appears, enter the security group name and give it only the access level its role needs (for example Read for the User group and Edit for the Admin group). Use Check Permissions on the Permissions page to confirm that a user outside the groups has no access before moving on.
Add the Office365Groups connector to your app by opening Data, choosing Add data and selecting Office 365 Groups.
You're now connected to Office365Groups.
Now we set a variable that pulls the members of our security group in the App > OnStart property, using the ListGroupMembers action of the Office365Groups connector we added in the last step and the Security Group Access Token we noted down earlier. The action runs under the signed-in user's identity and returns a record whose value property is the table of members (with fields such as mail and displayName); store that table rather than the whole record so later lookups and Concat calls work against it.
We can add any number of security groups, and it is recommended to create at least three. The specific design and names are up to you, but the structure below is a good one to work to.
Alternatively, below is another example of a possible security group structure:
Important note: the User/Clerical security group must be granted access to the SharePoint lists if we want to restrict the data stored in those lists while sharing the app with everyone in the business rather than with specific employees. Someone who is not included in any of the security groups assigned to the SharePoint lists connected to the app will only see blank dropdowns and galleries, because SharePoint refuses the reads. You can redirect such users to a dedicated screen or show a pop-up message; this is a personal choice.
Now we need a way to verify whether the currently logged-in user is part of any of our security groups and establish which role in our hierarchy they hold. To do this we create a test function, but first we need a way to test all the functionality without asking someone else to use the app or breaching policy by logging in as someone else. We will build a quick demo mode that lets us substitute someone else's email and experience the app as if that person had logged in.
To create the test mode, we add a block of code that lets us use fake details instead of the logged-in user's details.
In App.OnStart, place this code under the code added earlier for the security group.
Now we can set up the two control groups.
To do this we collect the emails stored in our security groups using the Concat function. To keep it clean and consistent with our block of code, we create a new variable that stores both lists; we will call it varAppGlobals, and it holds two properties.
Add this block to App.OnStart below the code you've already added:
Next, we create the variable varUserRole. At this stage it holds the emails used to verify whether the logged-in user is in our User security group. Add:
Once the User variable is done, we verify our Admin and create a function that collects all emails for the UserRole verification. This is an important step: an Admin must also count as a User, so that Admins can use every function a User can without additional code. Add the below:
Now we create the overall UserRole verification. This needs to be the last block. If you decide to add another level, for example AdminManager, this code must include all emails from that function as well; there is no limit to the size of the hierarchy, but I will keep it simple so as not to overcomplicate the app. Add the below:
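Below is a worked example of the complete App.OnStart block described in this section. It is an added example written for this page, not the code from the original post or the attached app. It follows the design above (group members via Office365Groups.ListGroupMembers, a demo mode, varAppGlobals, varUserRole), but the group IDs are placeholder GUIDs, the demo address is constructed, and the collection and flag names (colAdminMembers, colUserMembers, varCheckEmail, varIsAdmin, varIsUser) are my own.

```powerfx
// App.OnStart (added example, not the original post's code)
// Group IDs are the Object ID GUIDs noted in Appendix 3; the values below are placeholders.
Set(varAdminGroupId, "00000000-0000-0000-0000-000000000001");
Set(varUserGroupId,  "00000000-0000-0000-0000-000000000002");

// 1. Read each group's membership. The call runs as the signed-in user and
//    ListGroupMembers(...).value is a table with fields such as mail and displayName.
ClearCollect(colAdminMembers, Office365Groups.ListGroupMembers(varAdminGroupId).value);
ClearCollect(colUserMembers,  Office365Groups.ListGroupMembers(varUserGroupId).value);

// 2. Demo mode. When true, roles are evaluated for varDemoEmail instead of the
//    signed-in user. Keep this false in the published app.
Set(varDemoMode, false);
Set(varDemoEmail, "test.user@contoso.com");   // constructed test address

// 3. Globals: one record holding the normalised member emails of each group,
//    useful for debugging (show it in a label) and for any Concat-based checks.
Set(varAppGlobals, {
    AdminEmails: Concat(colAdminMembers, Lower(mail), ";"),
    UserEmails:  Concat(colUserMembers,  Lower(mail), ";")
});

// 4. The address to verify, lower-cased so comparisons are case-insensitive.
Set(varCheckEmail, Lower(If(varDemoMode, varDemoEmail, User().Email)));

// 5. Membership flags. LookUp on the collection gives an exact match per record,
//    so ann@contoso.com cannot match joann@contoso.com the way a substring test would.
//    Members with no mail attribute (e.g. nested groups) never match.
Set(varIsAdmin,
    !IsBlank(varCheckEmail) &&
    !IsBlank(LookUp(colAdminMembers, Lower(mail) = varCheckEmail)));

// Admin implies User, so an admin never has to be added to the User group as well.
Set(varIsUser,
    varIsAdmin ||
    (!IsBlank(varCheckEmail) &&
     !IsBlank(LookUp(colUserMembers, Lower(mail) = varCheckEmail))));

// 6. Final role. A user found in no group, or a lookup that returns nothing,
//    resolves to "None" (fail closed); add higher tiers above "Admin" in the same pattern.
Set(varUserRole, If(varIsAdmin, "Admin", varIsUser, "User", "None"))
```

Statements are separated with ; in an English-locale authoring session (;; in locales that use ; as the list separator). These variables only gate what the app shows; the SharePoint list permissions from Appendix 4 are what actually stop a user outside the groups from reading the data. Guest users may sign in with an address that differs from the group member's mail attribute, so if you have guests, compare against userPrincipalName as well.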
Testing the newly added functionality…
In App.OnStart, go to Set(varDemoMode, false) and change false to true. This forces the application to verify all functions against the fake user configured in the DemoMode settings. Now place two buttons next to each other on the screen.
In the button on the left, add code to the DisplayMode property; this code disables the button if the currently logged-in user does not have Admin rights.
Next, change the Text property to an If statement that changes the button's label based on the logged-in user, using the code below.
Now do the same for the button on the right, which relates to the User role. First add code to this button's DisplayMode.
Finally, change its Text property by adding the code below.
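The button and screen formulas for the test above, as an added example rather than the post's own code. It assumes only varUserRole from App.OnStart, holding "Admin", "User" or "None"; the control names btnAdmin, btnUser, scrHome and scrNoAccess are hypothetical.

```powerfx
// btnAdmin.DisplayMode: disabled unless the resolved role is Admin
If(varUserRole = "Admin", DisplayMode.Edit, DisplayMode.Disabled)

// btnAdmin.Text
If(varUserRole = "Admin", "Admin actions", "Admin only")

// btnUser.DisplayMode: Admin passes as well, so nobody has to be in both groups
If(varUserRole in ["Admin", "User"], DisplayMode.Edit, DisplayMode.Disabled)

// btnUser.Text: shows which role unlocked the button
If(varUserRole in ["Admin", "User"], "User actions (" & varUserRole & ")", "No access")

// scrHome.OnVisible: instead of blank galleries, send users with no role to an
// explanation screen (scrNoAccess is a hypothetical screen you create)
If(varUserRole = "None", Navigate(scrNoAccess, ScreenTransition.None))
```

A disabled button is a convenience, not a control: the SharePoint permissions still decide what a user can read or write, so a user with role "None" who reaches a data screen simply sees nothing.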
After all is done, you should notice that the left button is disabled and the right one is either blue or also disabled, depending on whether the email you used belongs to someone already in your User security group. In this case I used the email of a person who belongs to the User security group.
And here I switched varDemoMode to true, which applies my email address to the verification; both buttons switched to Edit mode, meaning we can press both.
We've implemented the Admin function based on a security group, with a role check in which Admin implies User, so the same person never needs to be added to both the User and Admin security groups. This avoids unnecessary redundancy, and on top of that we created a way to test it. The approach becomes even more valuable as the hierarchy grows: we simply add each person to their corresponding security group and do not need to add them to any lower-ranked positions, because the variables handle that for us if we design them correctly. Lastly, we've created a user role check at the end. I'm hoping everything is working on your side! 😊 Thank you for taking the time to read through it, and I hope it was helpful.
Here is the whole code for the App > OnStart property of your app.
An example app with a working implementation is attached.