web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro - Series II
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Pages / External Guest users u...
Power Pages
Suggested Answer

External Guest users unable to access Power Pages site after successful Microsoft Entra ID sign-in

(2) ShareShare
ReportReport
Posted on by Brahma Microsoft Employee
 External (guest) users who are present in our Microsoft Entra ID tenant are able to successfully sign in to our Power Pages site using the Microsoft Entra ID identity provider. However, after successful authentication, they are redirected to an "Access Denied" page with the message: "You don't have access to this" or "Your sign-in was successful but you don't have permission to access this resource."
Categories:
Power Apps portals
I have the same question (0)
  • Suggested answer
    Vish WR Profile Picture
    Vish WR 3,648 on at
     
    Successful Entra ID sign-in and site access are two separate things in Power Pages. Authentication passing doesn't automatically grant access — here are the most common causes and fixes:
     
    No Web Role assigned to the Contact
    After sign-in, Power Pages creates or looks up a Contact record in Dataverse. Without a Web Role assigned to that contact, the user is treated as anonymous and hits the access denied page. Go to Portal Management > Contacts, find the guest user, scroll to the Web Roles subgrid and assign the appropriate role (at minimum the default Authenticated Users role).
     
    Site Visibility set to Private
    If the site is still Private, only users with the System Administrator role in the environment can access it. Go to Power Pages Design Studio > Security > Site Visibility and check the setting.
     
    Dataverse Guest Access blocked at environment level
    There's an environment-level toggle that blocks all guest users from Dataverse entirely. In Power Platform Admin Center > Security Hub > Identity and Access, check the Guest Access setting — it may be set to Restricted.
     
    Page-level permissions too narrow
    Even with a Web Role assigned, if specific pages have role-based restrictions that exclude the guest's web role, they'll hit access denied on those pages specifically.
     
     
    Please  Does this answer your question if my post helped you solve your issue. This will help others find it more readily. It also closes the item. If the content was useful in other ways, please consider answering Yes to Was this reply helpful? or give it a Like 
    Visit my blog Power Platform Insights    LinkedIn  
  • Suggested answer
    11manish Profile Picture
    11manish 3,017 on at
    The error:
    "Your sign-in was successful but you don't have permission to access this resource."
    almost always means:
     
    Authentication succeeded.
    Power Pages authorization failed.
    The first things I would check are:
    • Contact record exists.
    • Contact is linked correctly.
    • Contact has a Web Role.
    • Web Role has the necessary Page and Table Permissions.
    • Portal diagnostics for authorization failures.
    In most cases, assigning the correct Web Role and permissions to the Contact record resolves the issue immediately.
  • Brahma Profile Picture
    Brahma Microsoft Employee on at
    What I noticed is that when the user belongs to the Microsoft domain, a new record is created in the Contact entity. However, if the user is external, no contact record is created in the Contact entity.
  • Suggested answer
    Valantis Profile Picture
    Valantis 6,472 on at
    Hi @Brahma,
     
    The contact not being created for external users is the root cause of the access denied, and there are two confirmed reasons this happens.
     
    1. Guest access to Dataverse is restricted. Microsoft docs confirm: "Guest access is disabled by default for all new environments." Power Pages can't create a Contact record for an external user if Dataverse blocks guest writes. Fix: PPAC > Security Hub > Identity and access > Guest access > find your environment > set to Disabled (which means allowed).
     
    2. Missing email claim in the ID token. Power Pages requires an email, emails, or upn claim in the ID token to create the Contact record. For external/guest users signing in via Entra ID, the UPN claim often contains the guest format (user#EXT#@tenant.onmicrosoft.com) which Power Pages may not map correctly. In your Entra ID app registration for Power Pages, go to Token configuration and ensure the email claim is explicitly added as an optional claim to the ID token.
     
    Fix both of these and the Contact record will be auto-created on first sign-in, at which point you assign the appropriate Web Role to it.
     
     

     

    Best regards,

    Valantis

     

    ✅ If this helped solve your issue, please Accept as Solution so others can find it quickly.

    ❤️ If it didn’t fully solve it but was still useful, please click “Yes” on “Was this reply helpful?” or leave a Like :).

    🏷️ For follow-ups  @Valantis.

    📝 https://valantisond365.com/

    💼 LinkedIn

    ▶️ YouTube

  • Suggested answer
    Haque Profile Picture
    Haque 3,470 on at
    Let's make sure the following items are properly checked:
     
    Checkpoint: No Web Role Assigned to the Contact  
    Solution: In Portal Management app, find the guest user's Contact record and assign at least the default "Authenticated Users" Web Role.

    Checkpoint: Site Visibility Set to Private
    Solution: In Power Pages Design Studio, check Security > Site Visibility and set it to Public or appropriate visibility.
     
    Checkpoint: Dataverse Guest Access Restricted
    Solution: In Power Platform Admin Center under Security Hub > Identity and Access, ensure Guest Access is not restricted.
     
    Checkpoint: Page-Level Permissions Too Restrictive
    Solution: Review page permissions and ensure the guest's Web Role has access.
     
     
    I am sure some clues I tried to give. If these clues help to resolve the issue brought you by here, please don't forget to check the box Does this answer your question? At the same time, I am pretty sure you have liked the response!
     
     
  • Vish WR Profile Picture
    Vish WR 3,648 on at
     
     
     
    Wanted to check if you were able to resolve your issue?
     
    Please  Does this answer your question if my post helped you solve your issue. This will help others find it more readily. It also closes the item. If the content was useful in other ways, please consider answering Yes to Was this reply helpful? or give it a Like 
    Visit my blog My Tech Space    LinkedIn  

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
🚀 Season of Sharing Community Challenge Launch!
Ask A Community Pro - Series II

Quick Links

Season of Sharing Community Challenge Launch!

Jump in, show your community spirit, and win prizes!

Kudos to our 2025 Community Spotlight Honorees

Expanding mentorship, skilling, and AI innovation

Congratulations to the May Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Pages

#1
11manish Profile Picture

11manish 46

#2
Valantis Profile Picture

Valantis 24

#2
omkarsupreme Profile Picture

omkarsupreme 24

Last 30 days Overall leaderboard

Featured topics

Solution to LinkedIn Authentication in Power Apps Portals
Welcome to the Power Pages forum!

Product updates

Microsoft Power Platform Community release plans