Skip to main content

Notifications

Power Apps - Building Power Apps
Unanswered

Licencing Guest Users for Dataverse/Model Driven App

(1) ShareShare
ReportReport
Posted on by 308
Hi all,
 
I've had a look around and have seen similar questions to the below but mostly regarding SharePoint as a data source whereas this will be Dataverse. Also, the vast majority of the posts are not marked as Solved, so I'm hoping someone can advise.
 
Scenario:

A model driven app, with Dataverse hosted data.
User A with credentials within the host tenant: standard: Power Apps Premium licence.
User B without host tenant credentials, but with a Microsoft account as an employee at an institution with a Microsoft tenancy.

Question:

Can the model driven app (and the underlying data) be shared with user B?

Proposed solution:

As proposed in Matthew Devaney’s blog article (albeit that references SharePoint as the data source);
  1. Add the Guest User to the host tenant, within an Entra group (“Group B”).
  2. Licence any member of Group B to inherit a Power Apps Premium Licence.
  3. Assign the appropriate security roles and share the model driven App with Group B.
Does this work, or is another approach required (and if so please could you share details)?
 
Many thanks for your help!
Categories:
  • pp365 Profile Picture
    pp365 308 on at
    Licencing Guest Users for Dataverse/Model Driven App
    I received an email to say my question had a verified answer... but I didn't mark any response to this thread as an answer as I consider the questions pending. Very strange. I will see if I can contact an admin to have the thread 'unanswered'.
     
    Would welcome any comments on the pending questions @AndrewR1 and anyone else reading!
  • pp365 Profile Picture
    pp365 308 on at
    Licencing Guest Users for Dataverse/Model Driven App
     
    Hi @AndrewR1 ,
     
    Thank you very much for this very comprehensive response (even if it's not a straightforward 'Yes, that will work' :) !) .
     
     
    • Simply assigning a license to an Entra group does not automatically grant guest users a license in Dataverse. The Power Apps per-app/per-user license must be explicitly assigned.
     
    We are already working with using Entra groups to assign Power Apps licences to internal users and this works fine. Is there a reason this does not work in the same way when working with guest users? Perhaps it would be optimum to get their host tenant to assign a Power Apps Premium licence at source which would then carry over?
     
    • Guest users might face issues with Model-Driven Apps because their security roles don’t always apply correctly. You might need to assign permissions directly instead of relying solely on the Entra group.
     
    This sounds like a complete mess! We would never normally assign security roles directly to a user. Are there guidelines about when this problem occurs, anything that can be done to avoid it, any way of checking in advance that it hasn't occurred (IE before a guest user attempts to use the Model Driven App)?
     
    • If the goal is external user access, consider Power Pages instead of a Model-Driven App. Power Pages is designed for external users without requiring full Dataverse access.
     
    Thanks for this steer. We've not had a use case for Power Pages yet and like everything in the Power Platform, the licencing model and complexities is yet another massive task to undertake to understand/resolve. But, I'll definitely keep it in mind.
     

    Alternatively... get host tenant credentials?

     
    I'm wondering if another approach would be to get "User B" an account within the host tenant. That way they would have the appropriate credentials, not be guests, and we could work with them just like any other user in the same tenant. I will have to ask our tenant admins if this is permitted at our organisation. I'm assuming the main disadvantage with this would be security and compliance (IE they would possibly have access to other unrelated 'org wide' resources) but if there's anything else you're aware of, please let me know.
     
    Many thanks again for your time and help!
  • AndrewR1 Profile Picture
    AndrewR1 1,518 on at
    Licencing Guest Users for Dataverse/Model Driven App
    Your proposed solution is mostly on the right track, but there are some important nuances when sharing a Model-Driven App with external users (Guest Users) in Dataverse. Here's a breakdown of what works and what might need adjustment.

    1. Guest User Access to Dataverse

    • Guest users in Microsoft Entra ID (formerly Azure AD) can be granted access to Power Apps and Dataverse, but Dataverse permissions for external users are limited.
    • Unlike SharePoint, Dataverse does not natively support guest access without additional configuration.

    2. Power Apps Licensing for Guests

    • Each guest user must have a Power Apps Premium license (either assigned in the host tenant or via their home tenant with a per-app/per-user plan).
    • Simply assigning a license to an Entra group does not automatically grant guest users a license in Dataverse. The Power Apps per-app/per-user license must be explicitly assigned.

    3. Security & Sharing the Model-Driven App

    • Adding the guest user to an Entra group ("Group B") is good practice for security role management.
    • Ensure that the guest user has appropriate security roles in Dataverse (at least Read access to the necessary tables).
    • Guest users might face issues with Model-Driven Apps because their security roles don’t always apply correctly. You might need to assign permissions directly instead of relying solely on the Entra group.

    4. Recommended Approach

    1. Invite User B as a Guest to the Host Tenant using Microsoft Entra ID.
    2. Assign Power Apps Premium licensing to the guest user in one of these ways:
      • A per-user Power Apps license assigned to them directly.
      • A per-app Power Apps license covering the specific Model-Driven App.
    3. Assign Dataverse Security Roles:
      • Ensure they have appropriate security roles (custom role if needed) that grant table access.
      • Test access with minimal privileges first to avoid excessive permissions.
    4. Share the Model-Driven App with Group B.
    5. Have User B log in using their guest credentials at make.powerapps.com and test their access.

    Alternative Option: Power Pages

    • If the goal is external user access, consider Power Pages instead of a Model-Driven App. Power Pages is designed for external users without requiring full Dataverse access.

    Final Answer

    ✅ Yes, a guest user can access the Model-Driven App with Dataverse, but:

    • Licensing must be explicitly assigned.
    • Security roles in Dataverse need careful configuration.
    • Model-Driven Apps are not as guest-friendly as SharePoint-based apps.
    • Consider Power Pages if external access is a frequent requirement.
  • pp365 Profile Picture
    pp365 308 on at
    Licencing Guest Users for Dataverse/Model Driven App
    Can anyone assist with this? It must be a fairly standard use case so I am hoping there are some experts out there who have encountered this before. Many thanks in advance for your help.
  • pp365 Profile Picture
    pp365 308 on at
    Licencing Guest Users for Dataverse/Model Driven App
    (Moving to the correct forum area)

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Microsoft Kickstarter Events…

Register for Microsoft Kickstarter Events…

Announcing Our 2025 Season 1 Super Users!

A new season of Super Users has arrived, and we are so grateful for the daily…

Announcing Forum Attachment Improvements!

We're excited to announce that attachments for replies in forums and improved…

Leaderboard

#1
WarrenBelz Profile Picture

WarrenBelz 145,422

#2
RandyHayes Profile Picture

RandyHayes 76,287

#3
Pstork1 Profile Picture

Pstork1 64,711

Leaderboard