How to Share Canvas App with Guest Users in Power Platform Best Way

In this “Share Canvas App with Guest Users in Power Platform” tutorial, we will learn about how to share the Canvas app with a guest user’s Gmail account step by step following Microsoft best practices. Power Apps can be shared with internal users as well as external users, like Gmail users, which need the same set of licenses and permissions, but the way setting up the external users is a little different than the internal users.

Microsoft Power Platform has revolutionized app development by enabling both developers and non-developers to create custom solutions with ease. One of the key features of Power Apps, part of the Power Platform, is its ability to share Canvas apps not only with internal users but also with external or guest users. However, sharing apps with guest users involves specific configurations and following Microsoft’s best practices to ensure data security, compliance, and a seamless user experience.

In this article, we’ll explore how to share Canvas apps with guest users or External users step by step. We’ll also dive into Microsoft’s best practices to ensure you adhere to security and governance standards. Let’s get started!

How to Share Canvas App with Guest Users in Power Platform Step by Step

I will explain how to share Canvas App With Guest Users or External Users in Power Platform step by step:

Prerequisites for Sharing a Canvas App with Guest Users

Before you share your Canvas app, ensure the following prerequisites are met:

1. Azure AD Guest Account: The external user must have an Azure AD account or be invited to your organization as a guest via Azure AD B2B.
2. Correct Licensing: Ensure that the guest user has a valid Power Apps license. Guest users can use your app if:
   • They are assigned a Power Apps or Microsoft 365 license.
   • Your organization has shared licenses via Power Apps portals.
3. App Environment Readiness: The app should be in an environment that supports sharing with external users. Dataverse integration is recommended for managing permissions.
4. Data Source Permissions: Ensure that guest users have access to the app’s underlying data sources (e.g., SharePoint, Dataverse, etc.).

Add External User As Guest Type in Microsoft Azure Entra ID (Formerly known as Azure Active Directory)

1. Log in to the Azure portal.
2. Navigate to Azure Active Directory > Users > New Guest User.
3. Select Invite user and enter the guest user’s email address.
4. Customize the invitation message and click Invite.
   • The guest user will receive an email to join your organization.

Refer to my previous article with step by step screenshot on how to add external user as a guest user in Azure Active Directory: Create Guest Users: How to Create and Manage Guest Users in Azure AD

Assign the Required Licenses

1. In the Azure portal, go to Azure Active Directory > Users.
2. Select the guest user’s profile.
3. Under Licenses, click Assign Licenses and choose the appropriate Power Apps plan.
4. Save changes.

Note:

• Now, the user licensing is managed through the Microsoft 365 admin centre.

Create a security group in Azure AD for external or guest users

This step is optional, but it is recommended to have a dedicated security group for external or guest user collaboration instead of assigning licenses and permissions for each external or guest user individually, which makes the external access management tedious for the admin team.

Here are the steps to create a security group in Azure AD:

• Log in to the Azure portal with admin credentials.
• In the left-hand menu, select Microsoft Entra ID (formerly known as Azure Active Directory) or search for it using the search bar.
• Click on Groups under the Manage section in Azure AD.
• Click + New Group on the Groups page.
• In the Group Type dropdown, select Security.
• Enter a Group Name (e.g., “SharePoint Access Group”) and optionally add a Description.
• Under Membership Type, select one:
  • Assigned: Manually add members.
  • Dynamic User: Automatically add users based on conditions (requires Azure AD Premium P1/P2).
  • Dynamic Device: Automatically add devices based on conditions (requires Azure AD Premium P1/P2).
• If you chose Assigned Membership, click No members selected under the Members section, search for users or groups, and click Select.
• Review the group details and click Create.
• After creation, verify the group in the Groups list by selecting it to view properties and manage permissions.

These steps create a security group you can assign to resources like SharePoint, Power Apps, or Azure roles.

Please refer to my previous article on how to create a security group in Azure AD step by step with screenshot: How to create security group in Azure AD.

For this demo, I have created the below security group in Azure portal:

Add External or Guest Users to the Security Group

After creating your external user or guest user, add that guest user to the external collaboration guest users security group. As shown below, I have my external user Gmail ID in this external guest users collaboration security group:

Assign Power Apps License to Guest Users or External Users Security group

Next, we need to assign proper Power Apps licenses to the External or Guest Users collaboration security group that we just created.

If we notice, we cannot assign licenses to security groups from Azure Portal. Now, we need to manage the users or security groups licenses from the Microsoft 365 admin centre portal. Please see the below message in the Azure Portal security group licenses section:

“Adding, removing, and reprocessing licensing assignments is only available within the M365 Admin Center. Go to Microsoft 365 Admin Center”

So, now, I am in my Microsoft 365 admin centre and have selected my external security group, which I just created above.

Now, navigate to the “Licenses and subscriptions” menu as shown below from the Microsoft 365 admin centre portal.

From the “Billing” section, click on the “Licenses,” then the “Subscriptions” menu:

Click on the subscription which you need, here, I will go with “Microsoft 365 E5 Developer (without Windows and Audio Conferencing)” where we will see the licenses details for this subscription.

Click on the “Groups” tab, then click on the “+ Assign licenses” menu. We will get the “Assign licenses to group” screen.

Search for groups to assign Microsoft 365 E5 Developer (without Windows and Audio Conferencing) licenses to. You can assign to a maximum of 20 groups at a time.

I have selected my “External or Guest Users Collaboration security group,” then, from the “Turn apps and services on or off” section, selected the licenses I need for my group. For this demo, I went with all service selection. However, you unselect whichever you don’t need; for your Power Apps, make sure to select “Power Apps for Office 365 (Plan 3)” license.

Then, click on the “Assign” button. You will see the below status message:

You assigned licenses to ‎External or Guest Users Collaboration:

Licenses are being assigned to ‎External or Guest Users Collaboration‎, it might take a moment for the process to complete. The assignment and its status will appear in the groups list shortly. Feel free to close this panel.

After sometimes, we will see the status of license assignment to security group as “All licenses assigned.”.

Note:

• If you don’t assign a Power Apps license plan and share the apps directly with the guest user using the Power Apps share app feature, then, when the external user tries to open the shared app from his or her Gmail account, they will get the below message:

“You don’t have the correct plan to access this app. Ask your admin for one, or ask the admin at the organization in which you are a guest.”

The detailed message is shown below:

“You’re seeing this page because you don’t have a license that allows you to use the capabilities used by the app. You can start a trial for a premium license or ask your admin for a Power Apps license.
Your plans: None
App license designation: Standard
Per app plans allocated in environment: No
App configured to consume per app plans: No
App is running: Standalone
Type of environment: Full
Premium features used by the app: None
The user with object identifier ‘2d517ee0-7102-40b2-9efb-4fc3e6e71195’ in tenant ‘f10e1e03-fffa-48d0-82f4-d0e3c517c95d’ does not have an entitlement to use PowerApps.
Session ID: d6db2eae-2480-4dad-0499-cea002489b5e”

Share Power Apps with External Guest Users

Open your Power App and click on the app sharing icon.

Enter your “External Guest Users Security Group,” which you have created.

Select the role of the guest app user; by default, it is “User, can use this app only.” However, you can select “Co-owner” as well.

Click on the “Share” button.

Grant Permission in SharePoint for External Users Security Group

The next thing is to go to the SharePoint Online list, which is used in the Power Apps for the data connection, and assign permission to this external guest user security group.

Navigate to your list, then click on the “List settings” from the gear icon.

Then, click on the “Permissions for this list” link.

Click on the “Grant Permissions” (ensure inheritance is broken by clicking on the “Stop inheriting permissions”).

Add your external Guest Users security group.

Make sure the “Send an email invitation” is checked (by default it will be in a checked state); this is to ensure the guest users are notified over the email.

The permission level by default will be selected as “Edit.” I changed it to “Contribute.” However, you can change it as per your requirement.

Note: Make sure, your security group permission level is “Edit“, it didn’t work with the “Contribute” permission.

Add External Users or Guest Users in the security group in SharePoint PermissionsClick on the “Share” button.

Open Power Apps from External Guest Users Gmail

Login to your Gmail account as a Guest user or External User.

You will get an email invitation like below:

Click on “Open the app” link.

Wow, I am able to open my Canvas Power App using my guest user Gmail account, please see below:

Microsoft Best Practices for Sharing Canvas Apps with Guest Users

Sharing apps with guest users requires careful attention to security and governance. Follow these best practices to ensure a safe and seamless experience:

1. Use Dataverse for Data Management

• Dataverse offers granular control over data permissions.
• Assign security roles to restrict access to sensitive data.

2. Apply Principle of Least Privilege

• Grant only the permissions necessary for the guest user to perform their tasks.
• Avoid assigning co-owner permissions unless absolutely necessary.

3. Monitor and Audit Guest User Activity

• Enable Azure AD sign-in logs to track guest user activity.
• Use Power Platform Admin Center to monitor app usage and permissions.

4. Use Conditional Access Policies

• Enforce multi-factor authentication (MFA) for guest users to enhance security.
• Configure conditional access policies to restrict access based on location, device, or risk level.

5. Regularly Review and Revoke Access

• Periodically review guest user access to apps and data.
• Revoke access immediately when guest users no longer need it.

6. Educate Guest Users

• Provide clear instructions on how to use the app and troubleshoot common issues.
• Share guidelines on security best practices, such as protecting login credentials.

Common Issues and Troubleshooting

Issue 1: Guest User Cannot Access the App

• Verify that the guest user has accepted the Azure AD invitation.
• Check if the guest user’s license is active and correctly assigned.
• Confirm that the guest user has the necessary permissions for the app and data sources.

Issue 2: Guest User Receives “Access Denied” for Data Source

• Revisit the data source permissions and ensure the guest user has adequate access.
• For SharePoint, confirm that the guest user has been granted access to the specific list/library.

Issue 3: Guest User Is Unable to Log In

• Ensure the guest user is using the correct email address associated with the Azure AD invitation.
• Check if the guest user’s account is enabled in Azure AD.

Benefits of Sharing Canvas Apps with Guest Users

1. Enhanced Collaboration: Easily collaborate with external stakeholders on business processes.
2. Scalability: Extend app functionality to vendors, clients, and partners without compromising security.
3. Improved Productivity: Enable external users to contribute directly to workflows and projects.
4. Cost-Effectiveness: Use Power Apps per app plans to minimize licensing costs for guest users.

YouTube Video: How to Share Power Apps with External Users Gmail

Conclusion: Share Power Apps With External Users

Thus, in this article, we have learnt how to share the Power Apps Canvas app with external or guest users step by step with the full-proof practical demo.

Sharing Canvas apps with guest users in Power Platform opens doors to seamless collaboration and operational efficiency. By following the steps and best practices outlined in this guide, you can securely share apps while maintaining control over access and data integrity. Leveraging features like Azure AD B2B and Dataverse ensures that your organization complies with Microsoft’s security and governance recommendations.

Start sharing your Canvas apps with guest users today and unlock the full potential of Microsoft Power Platform. For more updates on Power Apps, SharePoint Online, and the Power Platform ecosystem, stay tuned to Global SharePoint Diary!

FAQs: How to Share Power Apps Canvas App with External or Guest Users

1. Can I share a Power Apps Canvas app with external or guest users?

Yes, you can share a Power Apps Canvas app with external or guest users by adding them as Azure AD guest users in your tenant and assigning the appropriate license. The shared app must also have proper permissions for the underlying data sources.

2. What prerequisites are required to share a Power Apps Canvas app with a guest user?

To share an app with a guest user:

• The guest user must be added to your Azure AD tenant.
• The app must use supported data sources like SharePoint or Dataverse with appropriate permissions.
• The guest user must have a valid Power Apps license assigned.

3. How do I add a guest user to my Azure AD tenant?

You can add a guest user in the Azure AD portal by:

1. Navigating to Azure Active Directory > Users > New Guest User.
2. Entering the guest user’s email address (e.g., Gmail or other domain).
3. Sending the invitation for the user to accept.

4. What type of license does a guest user need to access a Power Apps Canvas app?

The guest user needs a Power Apps Per App Plan or a Power Apps Per User Plan to access the app. The plan depends on the app’s features and its use of premium connectors like Dataverse.

5. Can guest users access apps that use premium connectors like Dataverse?

Yes, guest users can access apps with premium connectors like Dataverse, but they need a valid Power Apps license that supports premium features, such as the Power Apps Per App Plan.

6. How do I assign a license to a guest user?

To assign a license to a guest user:

1. Go to the Microsoft 365 Admin Center > Users > Guest Users.
2. Select the guest user, click Licenses and Apps, and assign a Power Apps license.
3. Save the changes.

7. Can guest users perform CRUD (Create, Read, Update, Delete) operations on data sources like SharePoint or Dataverse?

Yes, guest users can perform CRUD operations, but you must:

• Share the app with the guest user.
• Assign the appropriate permissions to the underlying data source (e.g., SharePoint list or Dataverse table).

8. How do I share the Canvas app with a guest user after setting up their account?

1. Open Power Apps Portal and navigate to the app.
2. Click Share in the top-right corner.
3. Enter the guest user’s email address.
4. Assign the appropriate role (e.g., Co-owner or User).
5. Click Share to send the invitation.

9. Do guest users need to install any special software to use the app?

No, guest users can access Power Apps Canvas apps through:

• A web browser via the Power Apps website.
• The Power Apps mobile app on Android or iOS.

10. How do I troubleshoot access issues for guest users?

• License Issue: Ensure the guest user has a valid Power Apps license assigned.
• Permission Issue: Check that the guest user has the required permissions for the app and its data sources.
• Invitation Issue: Confirm the guest user accepted the Azure AD invitation to join your tenant.
• Sign-In Issue: Verify the guest user is signing in using the email address associated with the invitation.

About Post Author