web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / User authentication in...
Power Apps
Answered

User authentication inside canvas application

(0) ShareShare
ReportReport
Posted on by Henri2 12

We have a business need for a canvas application that assigns secure items to users in our organization.  The application should assign an item to a person and they must electronically "accept" custody of that item.  We were looking at the user being prompted to log in inside the canvas application as a form of electronically accepting the item.  By having to present their login credentials they are using confidential information to accept the item, which in theory allows us to track and trace items.

 

We understand that canvas applications do not allow secondary logins INSIDE canvas applications because it would violate the "user impersonation" rules Microsoft has put in.  Does anyone have a thought on how this could be done within the application that allows the organization to utilize the AD credentials of the user accepting the item?

 

Categories:
Building Power Apps
I have the same question (0)
  • BCLS776 Profile Picture
    BCLS776 8,994 Moderator on at

    In order to run a canvas app, a user must already be authenticated through AAD. A canvas app does not have the ability to trigger a second authentication from within.

     

    If you are concerned about user devices being left accessible to someone other than the intended user, can I suggest you force a sign out on all devices using AAD before you ask users to access the app?

     

    Hope that helps,

    Bryan

  • Henri2 Profile Picture
    Henri2 12 on at

    So what we are concerned about is assigning ownership of a particular item in the database to a user of the application.  Let me maybe explain this better through an example:

     

    Larry is an admin on a canvas application that allows people to borrow books.  John comes in and asks for a particular book.  Larry looks up the book and see's that it is available.  Larry selects that book and assigns it to John but John must log in using his AAD credentials to verify that he is accepting the book.  So if we look in the database we see that john's electronic credentials were successfully used to accept the book.  

     

    What this gives us is confirmation that the person who is now assigned the book at some point actually signed for the book and they are responsible for its return.  We can look at what books are assigned to the person through reporting and whatnot.  

     

    Simply having Larry assign the book to John is not secure enough for our auditors as it does not account for the possibility of assigning to the wrong person or worse, assigning to someone fraudulently.  

  • Henri2 Profile Picture
    Henri2 12 on at

    So yes, we know that we cannot sign into a canvas application as a different user than the one that ran the app to begin but i was hoping someone has had an experience similar that found a solution that was as close to that as we can get.

  • Verified answer
    BCLS776 Profile Picture
    BCLS776 8,994 Moderator on at

    Can I suggest a slight rework to your solution, so that you can be assured (through AAD authentication) that the user has accepted the book in your example? Create two apps, or an app and an approval flow to accomplish the following:

    • Larry the admin goes into App A and records that he is going to give a particular book to John
    • App A sends John a notification that he must log in and accept the book assignment before Larry will give it to him
    • John either logs into App B to accept the book, or does the same thing using a Power Automate approval. The approval or App B records the authenticated user who accepted the notification using the User() function. As John enters Power Automate or Power Apps, he will be authenticated on that device.
    • Once Larry sees notification of the acceptance, he gives the book to John

    What do you think?

     

    Bryan

  • Henri2 Profile Picture
    Henri2 12 on at

    Yes this seems like a good alternative to the solution.  Initially my client was unwilling to accept a two-app system and wanted the signoff to happen within the single application but it is a good alternative.  Will see if this login can be accepted.  Thanks!

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 765 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 343 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 272

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans