web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Power Apps Mobile - Se...
Power Apps
Unanswered

Power Apps Mobile - Securely embedding authenticated external web app inside the mobile

(0) ShareShare
ReportReport
Posted on by abhisc 8

Hi all,

I’m working on a Model-Driven App (Dynamics/Power Apps) integration where we want to show an external web application inside the Power Apps mobile app shell (without opening an external browser).

However, based on Microsoft documentation, we are seeing several constraints:

Given these documented limitations, we are trying to understand what supported or practical approaches others are using in real-world implementations.


Goal

  • From a record (e.g., Account/Lead), open an external web app inside the Power Apps mobile shell

  • Pass record context securely (record id, entity name)

  • Avoid session hijack / replay if a launch token leaks

  • Avoid opening an external browser if possible


Current technical idea (server-driven launch pattern)

  1. User clicks a command/button in the model-driven app

  2. We call a Dataverse Custom API server-side (identity derived from InitiatingUserId, not from client inputs)

  3. The Custom API generates a short-lived, one-time launch token (TTL 1–5 minutes)

  4. Mobile loads the external app inside an embedded frame (web resource / PCF hosting iframe)

  5. Optional hardening: client-generated nonce (“bindingId”) to reduce replay risk

The external app would exchange the launch token server-side and establish a secure session.
 

Questions for the community

  1. Given the documented limitations, is there any supported pattern to securely embed an authenticated external web app inside the Power Apps mobile shell?

  2. In practice, are people:

    • Moving the UI into a Custom Page or PCF, keeping only the backend external?

    • Using a backend-for-frontend (BFF) style pattern?

    • Using token-per-request approaches instead of cookies?

    • Or ultimately opening the external app in the device browser as the only stable option?

  3. Does it make any difference (from a mobile support or security standpoint) whether we use:

    • A web resource iframe, or

    • A PCF control hosting an iframe?

  4. If staying inside the shell is mandatory, what architecture have you successfully implemented that aligns with Microsoft’s supported scenarios?

Any guidance, architectural recommendations, or practical experiences would be greatly appreciated.

Thanks in advance,
Abhishek

Categories:
Building Power Apps
General topics
I have the same question (0)

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the March Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
11manish Profile Picture

11manish 530

#2
WarrenBelz Profile Picture

WarrenBelz 459 Most Valuable Professional

#3
Haque Profile Picture

Haque 314

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans