web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Agent Academy Hackathon is happening now!
Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Creating a custom prod...
Power Apps
Unanswered

Creating a custom production environment

(0) ShareShare
ReportReport
Posted on by BillYoung-arm 133

Hi! Can anyone confirm that creating a custom Production environment with all users only having use rights (no Maker rights) is appropriate, and also can you indicate what the process is to achieve this? This would be in addition to Dev & Test environments with limited Maker access.

I'm struggling to get a straight answer to this elsewhere and I can't find answers in the documentation.

Thanks

Categories:
Governance & administering
I have the same question (0)
  • v-siky-msft Profile Picture
    v-siky-msft Microsoft Employee on at

    Hi @BillYoung-arm ,

     

    It is not supported to restrict user from creating Apps in PowerApps.

    For more reference: https://powerusers.microsoft.com/t5/Power-Apps-Ideas/Restrict-users-from-creating-PowerApps-in-default-environment/idi-p/68812#comments 

    Best regards,

    Sik

  • BillYoung-arm Profile Picture
    BillYoung-arm 133 on at

    Hi Sik,

    Thanks for the quick response.

    I'm aware that this is the case in the Default environment, as that discussion says but doesn't appear to be so for custom environments.

    Could you confirm, please?

    Cheers

    Bill

  • v-siky-msft Profile Picture
    v-siky-msft Microsoft Employee on at

    Hi @BillYoung-arm ,

     

    Sorry for my omissions.

    If you want that, you should first to create a new security role ,and restrict the Create right of Canvas App.

    Second, assign the security role to users. For more reference: Security roles and privileges 

    Then, Users will have no permission to create apps.

    Snipaste_2019-12-10_16-23-27.png

    Snipaste_2019-12-10_16-32-54.png

    11283.PNG    11282.PNG

     

    Please note that only admin could assign roles!

    Best regards,

    Sik

  • BillYoung-arm Profile Picture
    BillYoung-arm 133 on at

    Thanks again Sik for the detailed information.

     

    Having looked into this further, I may, however, have misunderstood how things work in custom environments.

     

    As I now understand this, users can’t view or create apps in a custom environment (with CDS), unless they are licensed for CDS but can however, view and use canvas apps created in those environments despite this. I tried this and was able to confirm that a user who was not listed in the “Enabled Users” list of the custom CDS environment, could run an app from that environment via its web URL.

     

    Presumably users just need to be on the same tenancy to use Canvas apps from any environment?

     

    I had expected that users needed to be “enabled” for this to be possible and that, as they did not see the environment or subsequently the apps in that environment, these wouldn’t be available to them.

     

    Is this correct?

    Thanks Bill

  • v-siky-msft Profile Picture
    v-siky-msft Microsoft Employee on at

    Hi @BillYoung-arm ,

     

    I don't think so, if the user isn't assigned to Enabled User list of environment, he will not be able to see the environment and have no permission and access to the data and app.

    Only if user is enabled to the environment ,assigned with role having enough permission, and shared with the app can be able to run the app.

    I have test on my side, could you please check if the account sign in to the app has permission? Could you share more screenshot to detail your scenario?

    Snipaste_2019-12-13_10-57-37.png

    Best regards,

    Sik

  • BillYoung-arm Profile Picture
    BillYoung-arm 133 on at

    Thanks again Sik for the feedback

     

    I've done some further testing, which shows that:

    Only if user is enabled to the environment ,assigned with role having enough permission, and shared with the app can be able to run the app.

    ...doesn't appear to be the case. I have tried this with a couple of custom environments, where I can create a Canvas app and share it with anyone in the tenancy (enabled user or not and, where this is the case, consequently no role assigned in that environment).

    That user can use the app. The app doesn't access CDS but does use data from the tenancy's SharePoint sites. The apps work fine for the user.

     

    Obviously they can't make anything in the environment nor edit the apps but do appear to be able to use them!

     

    Cheers

    Bill

  • v-siky-msft Profile Picture
    v-siky-msft Microsoft Employee on at

    Hi @BillYoung-arm 

     

    Whether or not the user is assigned to the environment, Only if the app is shared with the user, the user would be able to run it. 

    In my test,

    1. I create a canvas app, the data source is a SharePoint list. 

    2. Users is the member of that SharePoint list, and is not enabled to the environment.

    3. If I don't share the app to the user, and share the URL to him, it shows that the user don’t have access to this app.

    Snipaste_2019-12-16_09-54-10.png

    4. If I share the app to the use, then I share the URL to him, it is able to run the app properly.

    Snipaste_2019-12-16_09-55-31.png

     

    If this doesn't make sense for you, could you please share the details steps with screenshots, so that we could provide further assistant. 

    Best regards,

    Sik

  • BillYoung-arm Profile Picture
    BillYoung-arm 133 on at

    Hi Sik

    Thanks for taking the time to investigate and detail your findings

    Yes that's exactly what I find also.

     

    To describe my understanding:

    • I can give access to any user to any app in any custom environment, as long as the app is shared with them and they have access to the datasource
    • To enable access to CDS data, they also need an appropriate licence
    • If users have a CDS licence and are added to a custom environment's linked security group, they will subsequently be able to view the environment and the apps. Without a CDS licence (or other appropriate licence e.g. Dynamics or role e.g. Global Admin), adding them won't enable them and thus won't make the environment or apps visible to them
    • Enabled users will need to be subsequently assigned Security Roles to access the CDS and/or be able to create/edit the apps

     

    My primary issue is that I am trying to create a "Production" environment where the users can view all of the apps (e.g. on their mobile) but not edit them. However, when I added "Everyone" to the linked Security Group, it didn't enable any users in the group, even those users who have a CDS licence for that environment. Adding them individually works, so I'm trying some smaller SGs to see if this does.

    Do you know if nesting should work?

    Perhaps there's some issue with our Everyone SG!

     

    I still haven’t been able to identify where all of this is detailed but if anyone has any references, that would be great

     

    Thanks again Sik

     

     

  • v-siky-msft Profile Picture
    v-siky-msft Microsoft Employee on at

    Hi @BillYoung-arm 

     

    I think you just need to enable all user to business unit (environment), then assign them a security role that only assign read permission to Canvas apps in User level, then all users will be able to see all apps in the environment, and they can only run them.

    Snipaste_2019-12-17_09-52-06.pngSnipaste_2019-12-17_09-54-45.png'

    Best regards,

    Sik

  • BillYoung-arm Profile Picture
    BillYoung-arm 133 on at

    Thanks again Sik

    It's the "assign them a security role" bit that's a problem.

    I ended up recreating the environment without a SG. This populated the "Enabled users" list with all of the users, who are also in one Team. I then added the "minimum security" role to the environment and assigned it to that team, however, this hasn't subsequently assigned any user roles to any of the Enabled Users, which is what I was expecting/hoping for.

     

    The only thing that I can think of that I haven't tried is recreating the environment with the "Everyone" security group.

     

    Any comments/further suggestions you have would be great. Thanks again!

    Bill

     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Agent Academy Hackathon is happening now!
Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the April Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
Vish WR Profile Picture

Vish WR 839

#2
Valantis Profile Picture

Valantis 533

#3
Haque Profile Picture

Haque 412

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans