Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps - Power Apps Governance and Administ... / Seeking clarity on per...
Power Apps - Power Apps Governance and Administ...
Unanswered

Seeking clarity on permissions model - desktop app on Win 10/S in Assigned Access / Kiosk Mode

(0) ShareShare
ReportReport
Posted on by AlexAlger 9

Hello, 

We have a kiosk solution in a semi-public space deployed on a desktop as well as Surface.  Both are using Assigned Access/Kiosk Mode, autologin to a non-admin local account provisioned only with access to the PowerApps desktop app. 

 

My InfraSec and Exchange teams expressed concern around using a Service Account in place of an actual user, primarilly because we're leveraging Flow to send Skype/Teams messages to staff in certain scenarios, and stating that messaging via a Resource Account would be a violation of MS TOS.  After hearing that, I went back to leadership and got approval on a process change to have staff sign-in themselves for each session. However, somewhat to my surprise, there was no prompt for sign-in after an initial session despite having selected not to store credentials.

 

I had a user who only has view access to the app sign in, once. Now all messages come through as if sent from this user and PowerApps opens as that user. (I happened to use our Director's account.)

 

I need to provide my OpsSec team some documentation of how this works, whether/how the credential is stored, and whether there is any risk and/or appropriate mitigation steps related to that credential being stored/passed. 

 

Thanks in advance.

 

  • AlexAlger Profile Picture
    AlexAlger 9 on at
    Re: Seeking clarity on permissions model - desktop app on Win 10/S in Assigned Access / Kiosk Mode

    For anyone in the same scenario, maybe skip down to the section after "I want to note:" for pertinent updates.

     

    Thanks for pointing me to the GPO options related to clearning out cookies for IE.  This might work if you're working in a browser session, but we're specifically working to avoid that approach and these steps did not have the desired outcome when working through the PowerApps desktop app.  

     

    Working from an OOBE Win10Pro 1038 desktop outside the domain, I signed out as the authenticated user within the PowerApps app.  I then logged in as a local admin and made the changes described on the linked article, and then restarted the machine. 

     

    Being in Assigned Access with only the PowerApps app provisioned, the system booted into the standard user local account and opened PowerApps where it prompted for login.  I authenticated and opened the application. I then restarted the computer once again. 

     

    Upon startup, PowerApps opened already authenticated but without any available apps listed.  I used Ctrl+Alt+Del to bounce back to the Switch Users screen (since that's all you can do from that account) and then back in as the local user.  PowerApps went through it's startup splash screen and then listed the expected applications. In otherwords the credential was not required in any new session.  Upon restart this pattern persists.   Since not having the apps listed is undesirable and because the authentication within PowerApps was retained, I'm reverting the changes to GPO. 

     

    I want to note:

     

    Our team met with our MS representatives and Teams/PowerApps staff yesterday. (An unexpectedly great experience I should add.) It seems the understanding of licensing and potential for use of a service account in this scenario was not entirely accurate.  The details of that don't belong on this thread, but I'll see if there's any related inquiries on Community to chime in on.  We are now working to leverage a limited account, which changes the perception of the retained credential from a concern into a feature!  

     

    That said, unless individual domain users' authentication from within a Kiosk device signed in as a local user is appropriate in a future use case, I'll likely only dig into this particular question as free time allows. (Read as not in the forseeable future.) 

     

    If anyone does reply with a suggested solution, I'll test and follow up as I'm able. I just can't commit to pursuing this on my own at this time. 

     

  • OneThing Profile Picture
    OneThing 393 on at
    Re: Seeking clarity on permissions model - desktop app on Win 10/S in Assigned Access / Kiosk Mode

    [Double Post]

  • OneThing Profile Picture
    OneThing 393 on at
    Re: Seeking clarity on permissions model - desktop app on Win 10/S in Assigned Access / Kiosk Mode

    Hi Alex,

     

    I can't comment on the Documentation but this behavior is the default for Windows and Internet Browsers. They will keep the logged on users within the Cookies.

     

    I would look to delete cookies on Exit

     

    Thanks,
    Nicky

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Paul Stork – Community Spotlight

We are honored to recognize Paul Stork as our July 2025 Community…

Congratulations to the June Top 10 Community Leaders!

These are the community rock stars!

Announcing the Engage with the Community forum!

This forum is your space to connect, share, and grow!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 791 Most Valuable Professional

#2
MS.Ragavendar Profile Picture

MS.Ragavendar 410

#3
mmbr1606 Profile Picture

mmbr1606 275 Super User 2025 Season 1

Last month Overall leaderboard

Featured topics

Product updates

Microsoft Power Platform Community release plans