web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Security roles automat...
Power Apps
Unanswered

Security roles automatically not getting assinged for Canvas App

(0) ShareShare
ReportReport
Posted on by jeffgreenrc 66

Hi,


I have CDS environment in which I have created a canvas app. This CDS environment is accessible to all users in my company. For canvas app we have created a Security group in Azure AD and assigned limitted users to it.

 

Now we have shared canvas app with security group having custom Security roles assigned. Our understanding is that when we have shared the App, the users in the security group will automatically be assigned to that new custom security role. However, this is not happening.

 

Please can someone guide how custom security roles assigned works for canvas and model driven apps.

 

Thanks

Categories:
Microsoft Dataverse with Power Apps
I have the same question (0)
  • Joel CustomerEffective Profile Picture
    Joel CustomerEffective 3,224 on at

    I think you are mixing several concepts together in a way that doesn’t work exactly the way that you think it does.

     

    canvas apps can be shared with ad security groups and ad security groups can also be used to provision security access to cds, but these two concepts are not directly related.

     

    1. using ad security groups to manage cds access: there is a type of team called an azure ad security group team. If you assign users to the group linked to the team and they have a license for power apps, they will inherit the roles associated with the team. https://docs.microsoft.com/en-us/power-platform/admin/manage-teams
    some things to note:

    1a. This works if the role assigned to the team has the setting on the first tab of the security role set to basic plus team security. Otherwise the role will not be a true inherited role and cannot grant permission you log in to the system.

    1b. This doesn’t assign roles to a user—this is an alternative to assigning roles to users.

    1c. The user won’t appear as an enabler user in cds or show as a team member until they log in for the first time.

    1d. Users need a full power apps license per user or dynamics. This won’t work for office only licensed users

     

    2. if you share the app with an ad group, the users in the group get access to the app if they have a role either directly assigned to them or they are part of an aad security group team.

     

    note there are some rough edges to the aad security group teams, and if they don’t work you are best just assigning roles to users

  • jeffgreenrc Profile Picture
    jeffgreenrc 66 on at

    Thank you for providing detail response on this.

     

    We have already gone with the first approach. However, I have a question regarding the second approach.

     

    if you share the app with an ad group, the users in the group get access to the app if they have a role either directly assigned to them or they are part of an aad security group team.

     

    Based on the bold text above, did you mean the approach 1 or some other ?

     

    Thanks !

     

     

  • Joel CustomerEffective Profile Picture
    Joel CustomerEffective 3,224 on at

    If they are part of an aad security group linked to a team with a security role

  • jeffgreenrc Profile Picture
    jeffgreenrc 66 on at

    how do i linked aad security group with team?

     

    what i observed is, when a share a app with azure ad security group, it automatically creates a record under teams and has security roles assigned also what i had assigned while sharing the app. But i only see limited users only and those are the one who have so far tried to access the app. However the interested thing is these users who were able to access Apps, didnt have custom security roles assigned which i assigned to security role while sharing an App.

     

    Please guide where i am making mistake. Based on this documentation, my understanding is who is part of security group should automatically get security role access.


    Thanks

  • Joel CustomerEffective Profile Picture
    Joel CustomerEffective 3,224 on at

    So if you choose a security role when you share it it will give them that role. I believe you are right that it will create a team and grant it the selected role. The reason you only see the users who have accessed the app in the team is because users are added to the team when they log in the first time 

     

    See https://docs.microsoft.com/en-us/power-platform/admin/manage-teams#about-group-teamsfor details about how to create the team

  • jeffgreenrc Profile Picture
    jeffgreenrc 66 on at

    but somehow the user when accessing the App (App shared by selecting security group and then security roles) are not getting the custom security role assigned automatically. 


    What could be the reason for that?

  • Joel CustomerEffective Profile Picture
    Joel CustomerEffective 3,224 on at

    If users get a role through a team the role is not added directly to the user. If the user is on a team with the role they inherit the role from the team

  • jeffgreenrc Profile Picture
    jeffgreenrc 66 on at

    I am getting little confuse. Please correct me if i am wrong below.

     

    1. Assign Security Role to Security group while sharing an App
      1. Based on this link (https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app#security-group-considerations), it is my understanding that, if I create a AD security group and assign a custom security role to it when sharing the canvas app, the users in the AD security group will automatically get assigned this custom security role. 
    2. Change security role property to Basic 
      1. After changing the security role property to Basic, i can confirm that user were automatically getting accessed to App as security role was defined on team which was automatically created when we shared the canvas app.

    We did approach 2 because the first approach didnt seem to work. Usually i like the approach as it is clean, i dont have to change security role and i can see which users are assigned which security roles.

     

    Please confirm above and also guide me on how to correctly implement approach 1.

    Thanks

  • Joel CustomerEffective Profile Picture
    Joel CustomerEffective 3,224 on at

    They work together. You have to do #2 to make # 1 work. But you will not see a role linked to the user record. The user inherits permission based on the role associated with their team.

     

    being on a team with a “basic” role assigned to it is equivalent to having that role directly associated with the user

  • jeffgreenrc Profile Picture
    jeffgreenrc 66 on at

    But based on this documentation (https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app#security-group-considerations), it says security role will be assigned automatically without having to change property in security role. 

     

     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 717 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 329 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 268

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans