
How to expose Access to External User for Power Apps

Posted on by Microsoft Employee

Hi community,

I’m designing a Power Pages solution to allow external partners (vendors/partners, not internal Microsoft users) to submit data into Dataverse.

Scenario


  • I am using Power Pages (not Canvas Apps)

  • Users are external partners, not part of my tenant

  • They need to log in using:

    • Personal emails (e.g., Gmail, Hotmail/Outlook.com)

    • Company work accounts (e.g., @capgemini.com, @ingram.com)



  • Partners will primarily create records (data submission use case)

  • No requirement for partners to access Teams, SharePoint, or internal Power Apps



Current Approach


  • Using Power Pages authentication

  • Leveraging Microsoft Entra External ID

  • Planning to use:

    • Web Roles

    • Dataverse Table Permissions


  • No Azure AD B2B guest users created manually


Questions


  1. Is Power Pages + Entra External ID the recommended and supported approach for this scenario?

  2. Will users with:

    • Gmail

    • Hotmail / Outlook.com

    • External company work accounts

      be able to authenticate without any domain pre‑registration?


  3. From a security and compliance standpoint:

    • Is this preferred over Canvas Apps with B2B guests for partner data intake?



  4. Any best practices or pitfalls to be aware of (especially around table permissions and role assignment)?



I’m aiming for least‑privilege access, strong tenant isolation, and a model that scales to multiple partner organizations.

 

Thanks in advance for your guidance!

  • Suggested answer
    11manish
    1,169
    You’re designing this the right way, and your current approach is very close to enterprise best practice.
     
    Using Microsoft Power Pages with Microsoft Entra External ID is the recommended, secure, and scalable approach for external partner data submission.
    Authentication
    • External users (Gmail, Outlook.com, company accounts) can sign in
    • No need to create B2B guest users
    • Identity providers (Microsoft, Google, etc.) must be configured
    Why Not Canvas Apps + B2B
    • Requires guest user creation and licensing
    • Higher admin overhead
    • Not scalable for many partner organizations
     Power Pages is the better choice
     
    Security & Design Best Practices
    • Use least-privilege table permissions
    • Link Contact → Account for organization-based access
    • Design multiple Web Roles (avoid single generic role)
    Control access at:
    • User level or
    • Organization (Account) level
    • Enable auditing and monitoring
    Key Pitfalls to Avoid
    • Over-permissive table access
    • Missing Contact–Account relationship
    • Mixing internal and external access models
     
     Power Pages + External Identity = Best practice for external partner portals
     Scalable, secure, and avoids licensing/management overhead of B2B
  • Vish WR
    499

    Yes, Power Pages + Entra External ID is exactly the right approach here. One thing worth clarifying though — Entra External ID (CIAM) is not the same as standard Entra B2B. With CIAM, no guest user objects get created in your tenant at all, which is what makes it clean and scalable.

     

    Gmail, Hotmail, and external company work accounts will all authenticate fine, but you do need to configure each identity provider explicitly in your CIAM tenant — they don't work out of the box. No domain pre-registration needed though.

     

    Canvas Apps + B2B doesn't make sense for this scenario. Since your partners don't need Teams or SharePoint, there's no reason to bring them into your tenant as guests. B2B means per-user licensing at scale plus ongoing lifecycle management — Power Pages sidesteps all of that.

     

    For best practices — link Contact to Account for org-level access control, scope your Table Permissions tightly, and design Web Roles around actual access scope rather than convenience. Also watch out for column-level security if your submission tables have any internal fields partners shouldn't see.

     
     
      Vishnu WR
     
    Please select "Does this answer your question" if my post helped you solve your issue. This will help others find it more readily. It also closes the item. If the content was useful in other ways, please consider answering Yes to "Was this reply helpful?" or give it a Like.
     
     
     
  • Suggested answer
    Haque
    1,691
     

    For the scenario where external partners (not part of your tenant) need to log in to Power Pages using personal emails (like hotmail, gmail) or work accounts (like someone@capgemini.com), the recommended approach is to configure your Power Pages site to use Azure AD B2C (Business to Consumer) for authentication. Azure AD B2C allows external users to sign in with a wide variety of identity providers, including:

    • Personal Microsoft accounts (hotmail, outlook.com)

    • Social accounts like Google, Facebook, LinkedIn

    • Work or school accounts from other Azure AD tenants (like capgemini.com)

    • Local accounts with email and password managed by your B2C tenant

    This setup enables seamless external user authentication without requiring them to be part of your internal Azure AD tenant.

    BUT this is possible if you have an existing Azure AD B2C tenant.

    References:
    1. Using Azure AD B2C as an identity provider in Power Pages
    2. Billing model for Azure Active Directory B2C
     
    Based on your plan, the following answers may suffice for your questions:
     
     
    Answer on Question-1:  Power Pages + Microsoft Entra External ID as recommended approach:
    • Microsoft Entra External ID is designed specifically to personalize and secure external users’ access to Power Pages sites and applications.
    • It shares foundational technology with Azure AD B2C but is managed via the Microsoft Entra Admin Center.
    • This integration simplifies external user sign-ins and reduces development effort.
    • It is the recommended and supported approach for external partner authentication in Power Pages.
     
    Answer on Question-2:  Support for Gmail, Hotmail, Outlook.com, and external work accounts without domain pre-registration:
    • Microsoft Entra External ID supports authentication from a broad range of external identities, including personal Microsoft accounts (Hotmail, Outlook.com), social identity providers like Google and Facebook, and work or school accounts from other organizations.
    • Users can authenticate without any manual domain pre-registration or guest user creation, enabling seamless external user access.
     
     
     
    Answer on Question-3:  Security and compliance preference of Power Pages + External ID over Canvas Apps with B2B guests:
    • Power Pages with Microsoft Entra External ID is purpose-built for external-facing scenarios, providing scalable and secure external identity management without the overhead of managing Azure AD B2B guest accounts.
    • This reduces licensing complexity and limits external user access strictly to the portal and Dataverse data they need.
    • While Canvas Apps with B2B guests can be used, it often involves more complex guest user management and broader access considerations, making Power Pages + External ID a preferred approach for partner data intake.
     

    Answer on Question-4:  

    Best Practices

    1. Use Table Permissions with Scoped Access: Always enable and configure table permissions to restrict access to only the necessary tables and records. Use scopes such as "Contact" or "Self" to limit users to their own records or related records.
    2. Assign Web Roles Thoughtfully: Create specific web roles for external partners with minimal privileges needed for their tasks. Avoid assigning overly broad roles like "Authenticated Users" unless necessary.
    3. Test Permissions Thoroughly: Test with actual external user accounts to verify that permissions allow intended actions and block unauthorized access.
    4. Use Parent-Child Permissions for Related Records: Configure child table permissions when users need access to related records.
    5. Limit Privileges to Create and Read if Appropriate: For data submission portals, often only "Create" and "Read" privileges are needed.
    6. Regularly Review and Audit Permissions: Periodically review web roles and table permissions to ensure they remain aligned with business needs and security policies.
     
    Common Pitfalls
    1. Not Assigning Table Permissions to Web Roles: Table permissions must be explicitly associated with web roles; otherwise, users will have no access.
    2. Using Global Scope Unnecessarily: Global scope grants access to all records and can expose sensitive data.
    3. Overlapping or Conflicting Permissions: Conflicting permissions can cause unexpected access issues.
    4. Ignoring Child Table Permissions: Forgetting to configure child permissions can block access to related data.
    5. Not Testing with Real External Users: Testing only with internal accounts can miss permission gaps.

     

    "I’m aiming for least‑privilege access, strong tenant isolation, and a model that scales to multiple partner organizations."
     
    In particular, for accessing data from Dataverse via Power Pages you have planned correctly. I appreciate that, before the final kick-off, you have come here to discuss with forum members, which is a very wise decision. The points made above for your questions bring the better approach of least-privilege access, strong isolation, and scaling to multiple partner organizations.
     
     

    I am sure I tried to give some clues. If these clues help to resolve the issue that brought you here, please don't forget to check the box "Does this answer your question?" At the same time, I am pretty sure you have liked the response!
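A least-privilege review of the pitfalls listed in the answer above (global scope, excess privileges, permissions with no web role, broad default roles, child permissions without a parent), as an added example that is not part of the original thread or any Microsoft tooling. The dictionary field names, the "Partner Submitter" role, the table names, and the sample records are assumptions constructed for illustration, not the Dataverse schema or a Power Pages export format.

```python
# Added example: field names and sample records are constructed for illustration;
# this is not the Dataverse schema or the Power Pages export format.
INTAKE_PRIVILEGES = {"create", "read"}   # what a data-submission portal usually needs
BROAD_ROLES = {"Authenticated Users"}    # role applied to every signed-in contact

SAMPLE_PERMISSIONS = [  # constructed sample data
    {"name": "Submission - own records", "table": "partner_submission",
     "scope": "Contact", "privileges": {"create", "read"},
     "web_roles": ["Partner Submitter"]},
    {"name": "Submission - all", "table": "partner_submission",
     "scope": "Global", "privileges": {"read", "write", "delete"},
     "web_roles": ["Authenticated Users"]},
    {"name": "Attachment - child", "table": "partner_attachment",
     "scope": "Parent", "privileges": {"create", "read"},
     "parent": None, "web_roles": ["Partner Submitter"]},
    {"name": "Org view", "table": "partner_submission",
     "scope": "Account", "privileges": {"read"}, "web_roles": []},
]

def audit_table_permissions(permissions, allowed=INTAKE_PRIVILEGES):
    """Return (permission name, finding) pairs for a least-privilege review."""
    findings = []
    for p in permissions:
        name, roles = p["name"], set(p.get("web_roles", []))
        if p["scope"] == "Global":
            findings.append((name, "global scope: applies to every record in the table"))
        extra = sorted(set(p["privileges"]) - set(allowed))
        if extra:
            findings.append((name, "privileges beyond intake needs: " + ", ".join(extra)))
        if not roles:
            findings.append((name, "no web role associated: permission has no effect"))
        if roles & BROAD_ROLES:
            findings.append((name, "bound to a broad default role"))
        if p["scope"] == "Parent" and not p.get("parent"):
            findings.append((name, "parent scope without a parent permission"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_table_permissions(SAMPLE_PERMISSIONS):
        print(f"{name}: {finding}")
```
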
  • Power Platform Guy
    42
     

    Can Gmail / Outlook.com / external work accounts authenticate without pre‑registration?

    Yes — no domain pre‑registration is required.

    With Entra External ID:

    | Identity Type | Supported? | Notes |
    | --- | --- | --- |
    | Gmail | Yes | Uses email + OTP or federated Google sign‑in |
    | Outlook.com / Hotmail | Yes | Microsoft personal accounts are first‑class |
    | External work emails (@capgemini.com) | Yes | Works via email OTP or federation |
    | Mixed domains (partners) | Yes | No tenant trust required |

    Users self‑register through Open Registration, and Power Pages automatically:

    • Creates a Contact record in Dataverse
    • Links it to an External Identity
    • Assigns default authenticated web role
    Security & compliance: Power Pages vs Canvas + B2B guests
    From a security, compliance, and scale standpoint, Power Pages wins for partner data intake.
     
    Power Pages + External ID (Your approach)
    ✅ Strengths
    • No guest users inside your tenant
    • Strong tenant isolation
    • CIAM-grade auth flows (MFA, Conditional Access support)
    • Least‑privilege via web roles + table permissions
    • Pay‑per‑authenticated user or page view (clear cost model)
    • Scales across many partner orgs
    ✅ Designed explicitly for:
    • Vendors
    • Partners
    • Customers
    • Public/regulated scenarios
    Canvas Apps + B2B Guests
    ⚠️ Limitations
    • Every partner becomes a guest user in your Entra tenant
    • Requires license assignment per guest
    • Operationally heavy user lifecycle
    • Not ideal beyond small, known partner sets
    • Not designed for self‑service onboarding
    ✅ Canvas + B2B only makes sense when:
    • Partners are few and long‑lived
    • They collaborate deeply with internal users
    • You need full model‑driven/canvas UX parity
    For data submission portals → Power Pages is preferred.
