Unanswered

Role Based Access - Requesting Access to application

(0) Share

Report

Posted on by Chris Hammond

130

We use Role Based Access in our company and users who have a need to access a Power App are granted permission using Azure Active Directory groups. These groups are managed automatically by our service request system

However, if a user does not currently have access and tries to access an application they get prompted with the following screen and an option to "Request Access"

They then click on the "Request Access" link which sends an email to the Owner of the application but the owner is the person who created the app, in this case and internal development team who have no authority to grant access.

Can this screen be customised to show the "Business Process" that would need to be followed to obtain access .... e.g. a "Raise a Service Request with the Company Support Centre"

Categories:

Governance & administering

I have the same question (0)

All responses (8)

Answers (0)

RusselThomas 4,014 on at

Like (1)

Report
Copy link

Link copied!

Hi @BO55VXR ,
I don't believe you can customise that screen - however you might want to consider some alternative ways to deal with this. I can think of one off the top of my head for example;
Owners of an app can use flow to trigger off user access requests - the flow can reply explaining the process and perhaps forwarding the request to the correct team, or even just add them directly to the relevant group, tossing in an approval process if required and letting the user know when it's done. If this isn't doable, perhaps using RPA to go and capture the request on the relevant service request system on behalf of the user... the point is, some or even all of the onboarding process can potentially be automated. You can get the user id, app id and environment id all off the request email that PowerApps sends to the owner, so this should be relatively easy to achieve.

There are possibly some other automation tricks you can use to get this done, (such as an 'open to all' hub app that checks for access before launching the relevant app) - but they may be perhaps less elegant. I think the above is the most elegant as it combines the 'out-the-box' request access feature with some automation that can be quite seamless for the user.
Probably a few other ways to do this, but customising the redirect screen is unfortunately not one of them.

Hope this helps,
RT

Was this reply helpful? Yes No
Chris Hammond 130 on at

Like (0)

Report
Copy link

Link copied!

Thanks @RusselThomas -

I had already thought of the automated response email using Power Automate and I've implemented that today.

The trick is that you cannot just "reply" to the email as it comes from Microsoft ... so you have to delve into the message body to extract the email address of the requester and then use that (a Regular Express action would have been so helpful for this but that's a different story)

Thnx

Was this reply helpful? Yes No
RusselThomas 4,014 on at

Like (1)

Report
Copy link

Link copied!
Hi @BO55VXR ,
Yep, the workflow definition language is not a pretty sight at the best of times, and the extract formulas hurt your brain and your eyes - but once done, they're done (until some bright spark changes the notification email 😉).
This might help get you started with the flow expressions if you haven't done it already - this was mine, so by no means the best approach, just one I found worked for me. Trigger in this case is the email:
EnvironmentID
substring(triggerOutputs()?['body/body'], add(indexOf(triggerOutputs()?['body/body'], 'https%3A%2F%2Fmake.powerapps.com%2Fenvironments%2F'), 50), sub(indexOf(triggerOutputs()?['body/body'], '%2Fapps%2F'), add(indexOf(triggerOutputs()?['body/body'], 'https%3A%2F%2Fmake.powerapps.com%2Fenvironments%2F'), 50) ) )
AppID
substring(triggerOutputs()?['body/body'], add(indexOf(triggerOutputs()?['body/body'], '%2Fapps%2F'), 10), sub(indexOf(triggerOutputs()?['body/body'], '%2Fshare'), add(indexOf(triggerOutputs()?['body/body'], '%2Fapps%2F'), 10) ) )

Hope this helps,

RT

Was this reply helpful? Yes No
Chris Hammond 130 on at

Like (0)

Report
Copy link

Link copied!

https://powerusers.microsoft.com/t5/Power-Apps-Ideas/Improve-Access-Request-Screen-for-Enterprise-Role-Based-Access/idi-p/848050

Was this reply helpful? Yes No
Chris Hammond 130 on at

Like (1)

Report
Copy link

Link copied!
Not really the Environment / App ID that was needed, it was the email address of the requester ...

So, here's what I did to get the email address from the request ...

Step 1: Compose Action (Remove all text before the request text)
substring(triggerOutputs()?['body/body'],indexOf(triggerOutputs()?['body/body'],'You’ve received a request from'), 200)
Step 2: Compose Action (Find the start of the email address)
add(indexOf(outputs('Remove_all_text_before_the_request_text'),'('),1)

Step 3: Compose Action (Find the end of the email address)
indexOf(outputs('Remove_all_text_before_the_request_text'),')')

Step 4: Compose Action (Extract email address)
substring(outputs('Remove_all_text_before_the_request_text'),outputs('Find_the_start_of_the_email_address'),sub(outputs('Find_the_end_of_the_email_address'),outputs('Find_the_start_of_the_email_address')))

Once I had the email address, it was simply a case of sending an automated email to that person with details on what they need to do to obtain access

Was this reply helpful? Yes No
RusselThomas 4,014 on at

Like (0)

Report
Copy link

Link copied!

Hi @BO55VXR
Looks similar to my spaghetti-can of flow expressions 🙂
AppId and EnvironmentID I use to automatically assign them access - for my use case, there's no 'control' required on who can use the app and who can't, we just haven't shared it with "everyone" by default - so the first time they try and use it, the flow goes and gives them access, then tells them they can use it now.
Turnaround time from the time they click the button to getting access is around 3min, which is all based on email service times, so reasonably slick from a user perspective.
Kind regards,
RT

Was this reply helpful? Yes No
Chris Hammond 130 on at

Like (0)

Report
Copy link

Link copied!

Unfortunately, I cannot just give access to anyone who requests it as we have Role Based Security where the apps are shared using Azure Active Directory and the user has to follow a specific business process to gain access.

Was this reply helpful? Yes No
Community Power Pla... Microsoft Employee on at

Like (0)

Report
Copy link

Link copied!
So I made a similar thing today although I think mine is slightly simpler.

The compose expression is

last(split(first(split(outputs('Html_to_text')?['body'],')')),'('))

I did a full write up on this in another thread as I also use approval workflow so out other teams can grant access to apps simply using teams approvals with an automated group add at the end. This reduces repetitive work for our service desk as they no longer have to add users to AD groups manually for app access.
Access Request options for canvas apps - Power Platform Community (microsoft.com)

Was this reply helpful? Yes No