Thank you very much for this very comprehensive response (even if it's not a straightforward 'Yes, that will work' :) !) .
- Simply assigning a license to an Entra group does not automatically grant guest users a license in Dataverse. The Power Apps per-app/per-user license must be explicitly assigned.
We are already working with using Entra groups to assign Power Apps licences to internal users and this works fine. Is there a reason this does not work in the same way when working with guest users? Perhaps it would be optimum to get their host tenant to assign a Power Apps Premium licence at source which would then carry over?
- Guest users might face issues with Model-Driven Apps because their security roles don’t always apply correctly. You might need to assign permissions directly instead of relying solely on the Entra group.
This sounds like a complete mess! We would never normally assign security roles directly to a user. Are there guidelines about when this problem occurs, anything that can be done to avoid it, any way of checking in advance that it hasn't occurred (IE before a guest user attempts to use the Model Driven App)?
- If the goal is external user access, consider Power Pages instead of a Model-Driven App. Power Pages is designed for external users without requiring full Dataverse access.
Thanks for this steer. We've not had a use case for Power Pages yet and like everything in the Power Platform, the licencing model and complexities is yet another massive task to undertake to understand/resolve. But, I'll definitely keep it in mind.
Alternatively... get host tenant credentials?
I'm wondering if another approach would be to get "User B" an account within the host tenant. That way they would have the appropriate credentials, not be guests, and we could work with them just like any other user in the same tenant. I will have to ask our tenant admins if this is permitted at our organisation. I'm assuming the main disadvantage with this would be security and compliance (IE they would possibly have access to other unrelated 'org wide' resources) but if there's anything else you're aware of, please let me know.
Many thanks again for your time and help!