Answered

Error when trying to access a Canvas App :- This app isn’t opening correctly.You can't open apps in this environment. You are not a member of the environment's security group

(0) Share

Report

Posted on by johnjohnPter

1,871 Season of Giving Solutions 2025

I have developed a solution inside our Dev Environment , and i shared a canvas power apps with some users and they were able to access the app which is connected to SharePoint.

then i created a new Prod environment, and i defined this security group so only admins can edit the environment and i shared the power apps with the related users (the users are not part on the below security group), as follow:-

but when the users try to access the power apps inside the above Prod environment they will get this error message:-

now i remove the security group from the environment setting and i define it as None, as follow:-

but still the users are getting the same error.. any advice?

Categories:

Governance & administering

I have the same question (0)

All responses (9)

Answers (1)

Sort by

AlbertoCastro 1,201 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!

Hi,

you must to have a security group assigned to the environment. All user that needs to access to the environment, to admins, makers or consumers, have to be in the security group or in a subgroup this.

My recomendation:

1. Asign again a security group to the environment.

(maybe you can change the name, from "env admin" to "env users")

2. Include in this group the admins users, and assign in the environment the system administrator role.

3. Include in this group the app users. In this case, like you use sharepoint, you don't need asign them roles.

Was this reply helpful? Yes No
johnjohnPter 1,871 Season of Giving Solutions 2025 on at

Like (0)

Report
Copy link

Link copied!

Thanks a lot for the great and helpful reply. now i have a question, if i add a user to the enviroment security group, will those users be able to edit the power apps and flows inside the environment or i still need to share those apps and flows with the users ?

second question, now i assign a consumer users to the security group >> and the user was able to access the canvas app >> but the canvas app calls a power automate flow >> and when the user tried to call this flow from the power apps by clicking on a button, the user get this error:-

PowerAppV2->Createitem,Condition.Run failed: {"error":{"code":"0x80042f09","message":"RetrievePrivilegeForUser: The user with id 144d1db1-3f0e-ef11-9f89-6045bd6a0f44 has not been assigned any roles. They need a role with the prvReadWorkflow privilege."}}

so i grant the user Basic User role inside the prod environment, and now the user is getting this error now:-

PowerAppV2->Createitem,Condition.Run failed: {"error":{"code":"0x80048306","message":"Principal with id 144d1db1-3f0e-ef11-9f89-6045bd6a0f44 does not have ReadAccess right(s) for record with id a8a8227e-380e-ef11-9f8a-6045bd15b5b7 of entity workflow. Details: {\"CallerPrincipal\":{\"PrincipalId\":\"144d1db1-3f0e-ef11-9f89-6045bd6a0f44\",\"Type\":8,\"IsUserPrincipal\":true},\"OwnerPrincipal\":{\"PrincipalId\":\"d7ddef55-9d09-ef11-9f8a-6045bd151a18\",\"Type\":8,\"IsUserPrincipal\":true},\"ObjectId...

any advice?

@AlbertoCastro

Was this reply helpful? Yes No
AlbertoCastro 1,201 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!

Let's go:

1. New users in the Security Group, don't have automatically access to the environment or its apps. This is only the first requisite. The second is

- to have a Security Role in the environment to develope

- or share with the user the app.

2. In this case, the users needes privileges at environment level to run flows. I recommed you use a copy of the security role "App Opener"
https://learn.microsoft.com/en-us/power-platform/admin/create-edit-security-role#minimum-privileges-for-common-tasks

3. Two opciones to solve the message "Principal with id 144d1db1-3f0e-ef11-9f89-6045bd6a0f44 does not have ReadAccess right(s) for record with id a8a8227e-380e-ef11-9f8a-6045bd15b5b7 of entity workflow. "
- Grant access to the users to flows used in the app

- Change the flow to use always owner's connection (recommended)
https://learn.microsoft.com/en-us/sharepoint/dev/business-apps/power-automate/guidance/manage-list-flows#managing-run-only-users

Was this reply helpful? Yes No
johnjohnPter 1,871 Season of Giving Solutions 2025 on at

Like (0)

Report
Copy link

Link copied!

@AlbertoCastro thanks for the detailed reply.. here are my questions to your reply:-

1. New users in the Security Group, don't have automatically access to the environment or its apps. This is only the first requisite.

so let say i added a security group to the environment, then how i can add new users? if adding new users to the security group will not grant them access to the environment ?

The second is

- to have a Security Role in the environment to develope

- or share with the user the app.
can you advice more on this point please?

2. In this case, the users needes privileges at environment level to run flows. I recommed you use a copy of the security role "App Opener"
https://learn.microsoft.com/en-us/power-platform/admin/create-edit-security-role#minimum-privileges-...
so you mean instead of assigning those users Basic User security role, to grant them "App Opener" security role?

3. Two opciones to solve the message "Principal with id 144d1db1-3f0e-ef11-9f89-6045bd6a0f44 does not have ReadAccess right(s) for record with id a8a8227e-380e-ef11-9f8a-6045bd15b5b7 of entity workflow. "
- Grant access to the users to flows used in the app

- Change the flow to use always owner's connection (recommended)
https://learn.microsoft.com/en-us/sharepoint/dev/business-apps/power-automate/guidance/manage-list-f...

in my case some flows run under the user context, other runs under the service account context,,, and i want the user to be able to run both types of flows

can you please advice further? thanks in advance for your valuable help.

Was this reply helpful? Yes No
AlbertoCastro 1,201 Most Valuable Professional on at

Like (0)

Report
Copy link

Link copied!

1.1:
Exactly, only with the action add an user to the SG of an environment, the user cannot access to the environment.
You need add the user to the environment and asign him a Security role.
https://learn.microsoft.com/en-us/power-platform/admin/database-security

1.2:
I mean:
- If the user needs create flows/power apps/tables, you have to assign to the user a security role for this: Environment maker, System customizer... In the below link you have the info about default security roles.
- If the user needs execute power app that uses dataverse, you need create a custom security role to access your custom tables, and asign it to the user.
- If the user needs execute power app that run flows, you need assign him app opener security role.
- If the user needs execute a power app more simple, for example, only request info from a sharepoint list, the user doesn't need security role.

2.
Exactly.

3.
Under user context:

Under service account:

Was this reply helpful? Yes No
johnjohnPter 1,871 Season of Giving Solutions 2025 on at

Like (0)

Report
Copy link

Link copied!

@AlbertoCastro thanks again for the detailed reply, so what is the main differences between Basic User and App Opener ? will the app opener allow the users to edit existing power apps and flows and/or create new power apps and flows inside the environment?

second point, i were able to fix the error of calling flows from power apps, by creating a copy of the Basic User security role, then i changed the Process Read permission from User to Organization,,, seems this fixed the issue for all the users:-

does this fix sound valid to you?

Thanks

Was this reply helpful? Yes No
Verified answer

AlbertoCastro 1,201 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!

1.
App Opener info:
https://learn.microsoft.com/en-us/power-platform/admin/create-edit-security-role#minimum-privileges-for-common-tasks

2. Yes, Is valid.

Was this reply helpful? Yes No
johnjohnPter 1,871 Season of Giving Solutions 2025 on at

Like (1)

Report
Copy link

Link copied!

@AlbertoCastro thanks for your help

Was this reply helpful? Yes No
AlbertoCastro 1,201 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!

It's was a pleasure 👍

Was this reply helpful? Yes No