PowerApps Role Based Security using SharePoint Group & Flow




In this blog post, you will learn how to implement role-based security in PowerApps controlled by SharePoint groups. Checking user membership in an Office 365 group is straightforward because a direct connector is available for it.

Customers keep asking how to show or hide screens in PowerApps based on a user's membership in a SharePoint group. This post shows one approach: find out the SharePoint group membership of the currently logged-in user, then show or hide a screen based on it.

Create a SharePoint Group

Create a SharePoint group, add the members you want to use for role-based security in your PowerApps app, and open the SharePoint group settings.

Under Group settings, for “Who can view the membership of the group?”, choose Everyone.

Why is this required?
Our PowerApps app will invoke a Flow that checks the user's membership in a SharePoint group using a SharePoint HTTP REST call. Not every user of the app will have admin privileges to read group membership details. To give each user read access to the group membership, the setting must be “Everyone”. This also makes the group's member list visible to all users, not only to its members.

Steps to create Flow & invoke it from PowerApps


  • Create a new flow using the blank template.
  • Add a PowerApps trigger so that we can invoke this Flow from our PowerApps app.
  • Add an “Initialize variable” action to create a new variable IsGroupMember (boolean). Add one more “Initialize variable” action to create a new variable MembershipJSONResult (string).

IsGroupMember (boolean) – stores true or false depending on whether the user is a member of the SharePoint group.
MembershipJSONResult (string) – stores the JSON payload that we will receive from the REST API call in the next step.

  • Add the “Send an HTTP request to SharePoint” action available under SharePoint actions. We will configure this action to make a REST call to SharePoint to determine the user's group membership.

Site Address: Provide the URL of the site where you created the SharePoint group
Method: GET
Uri: _api/web/sitegroups/getByName('Your-SharePoint-Group-Name')/Users?$filter=Email eq 'useremail@tenant.com'

Note: The Uri above must be updated correctly. Replace 'Your-SharePoint-Group-Name' with your SharePoint group name. My SharePoint group name is “OrgAdmins”, so my Uri looks like _api/web/sitegroups/getByName('OrgAdmins')/Users?$filter=Email eq 'useremail@tenant.com'. After this, we have to replace useremail@tenant.com with the email ID of the currently logged-in user in PowerApps. To do this, remove useremail@tenant.com, place your cursor between the single quotes and click on Ask in PowerApps under Flow Dynamic content as shown here:

After adding variable using Ask in PowerApps

This SharePoint REST call returns either an empty object or the user's properties, depending on whether the user is a member of the OrgAdmins SharePoint group:

If the user is a member of the SharePoint group, it returns a non-empty object that includes the user properties:

If the user is not a member of the SharePoint group, it returns an empty object like this:
{ "d": { "results": [] }}

  • Once we have received the response from the SharePoint REST call above, we can parse it to get the results. Add a “Set variable” action to set the variable 'MembershipJSONResult' created earlier to the expression body('CheckUserGroup')['d']['results']
  • CheckUserGroup is the name of the previous action, which makes the REST call to SharePoint. If your action name has spaces, replace the spaces with the underscore (_) character.
  • Add a condition step to check the results value. If the results object is empty, the user is not a member of the group. Use the expression equals(variables('MembershipJSONResult'),'[]') to evaluate the object. 'MembershipJSONResult' is the variable used to store the object value, and [] represents an empty object.
  • Set the variable 'IsGroupMember' to false if this condition is true, as shown below:
  • The last step in our Flow is to send the group membership check result back to PowerApps as an output parameter to show/hide screens/controls. Add a “Respond to PowerApps” action and choose a text output. Name the output parameter IsGroupMember and set its value to the variable “IsGroupMember”.
PowerApps Output parameter

This is how the complete Flow will look. Verify that you have not missed any step.
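The decision this Flow makes, modelled in Python as an added example (it is not the author's Flow or code): it builds the same Uri with the email escaped as an OData string literal, and treats anything other than a well-formed result listing the caller's email as "not a member". The function names and the sample responses are constructed for illustration.

```python
import json
from urllib.parse import quote


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter: an embedded ' is doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_membership_uri(group_name: str, email: str) -> str:
    """Relative Uri from the post, with both literals escaped and URL-encoded."""
    group = quote(odata_literal(group_name), safe="'")
    flt = quote("Email eq " + odata_literal(email), safe="'")
    return f"_api/web/sitegroups/getByName({group})/Users?$filter={flt}"


def is_group_member(response_body: str, email: str) -> bool:
    """Default deny: True only if a well-formed result lists this email."""
    wanted = email.strip().lower()
    if not wanted:
        return False
    try:
        results = json.loads(response_body)["d"]["results"]
    except (ValueError, KeyError, TypeError):
        return False  # error page, truncated body or unexpected shape
    if not isinstance(results, list):
        return False
    # Compare case-insensitively so differently capitalised addresses match
    return any(
        isinstance(user, dict)
        and str(user.get("Email") or "").lower() == wanted
        for user in results
    )


# Constructed sample responses in the shape the post shows
EMPTY = '{ "d": { "results": [] }}'
MEMBER = json.dumps({"d": {"results": [
    {"Id": 11, "Title": "Sample User", "Email": "UserEmail@tenant.com"}
]}})

if __name__ == "__main__":
    print(build_membership_uri("OrgAdmins", "useremail@tenant.com"))
    for body in (MEMBER, EMPTY, "<html>Access denied</html>"):
        print(is_group_member(body, "useremail@tenant.com"))
```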

Create PowerApps to call flow


Our Flow is complete, and now we should call it from the PowerApps app. Create a blank screen in PowerApps and rename it WelcomeScreen. Navigate to the OnVisible property of the WelcomeScreen, click on the Flows tab, then add the Flow you created from the right navigation to the formula bar to associate the flow with the ‘OnVisible’ event of the screen.

Type the function below into the ‘OnVisible’ formula bar.

In the formula above, we first create a global variable isMember and set its value to the text returned by the Flow, i.e. True or False. In the next step, we set the IsVisible boolean to true/false based on that text value.

  • Add a button on the screen and set Visible property of the button to IsVisible variable defined above


40 thoughts on “PowerApps Role Based Security using SharePoint Group & Flow”

  1. This is awesome!!! Just followed your steps one by one and it worked on the first try. So happy to have found this thank you for posting!

  2. Hi Ranjan, thanks for the post, it really helped. I have a requirement in my project which involves multiple user groups; PowerApps does not allow me to attach multiple workflows.
    Can I check multiple groups in the same flow you created above?

  3. Hi Ranjan,

    This is very helpful. I got it working on my first attempt. Do you know if I could apply this to a drop-down value?

    On the drop down it will only show relevant access to the user.

    Thanks

  4. Hi Ranjan,

    Kudos for this! I have another question, if it’s OK :) What if I want to get other results such as “Title” and “Login Name” from the result?

    TIA!

    1. Thanks Ranjan!

      I would want to use another REST API “/_api/SP.UserProfiles.PeopleManager/GetUserProfilePropertiesFor”

      Thanks in Advance!

        1. Thanks Rakesh! I just want to know how to get its output based on the flow provided by Ranjan. Based on his example, he gets/checks ("{ "d": { "results": [] }}"); this is what I want to know.

          TIA!

  5. Hi Ranjan,

    Thanks for the detailed post. I would like to understand if it is feasible from PowerApps to fetch user details from Azure AD services, i.e. fetching Corporate Directory role information from Azure AD.

    Thanks

  6. Hi Ranjan,

    Thanks for the detailed post. I would like to understand if it is feasible for PowerApps to get user CD role information from Azure AD services, provided the CD role is integrated with Azure AD.

    Kindly suggest.

    Thanks

  7. Hi Ranjan
    Thank you for a wonderful post & the detailed video.
    I am trying to learn by following your video; however, I am stuck at retrieving user details from the SharePoint group.
    I created a SharePoint group in our SharePoint team sites and ensured that it's visible to everyone.
    When I provide the below Uri, I am not able to get user properties –
    _api/site/sitegroups/getByName(‘StagingAdmins’)/Users?$filter=Email eq ‘fistname.lastname@domain.com’

    Any advice on where I am going wrong?

    Thank you so very much.

    1. Hi Sai,

      I am glad that the video tutorial is useful for you.

      1. Is the issue a malformed URL, OR
      2. are you getting blank JSON data in return, OR
      3. are you getting a partial response without the expected property value?

      Thank you.

  8. christophe lambert

    Hello Ranjan,
    I am making an app for the Belgian police, and I would like to create a flow to verify user permissions to a list, not to a group… is it possible?

  9. Hi Ranjan – Thanks for this blog, it's really helpful.
    I have an O365 E5 license for Flow. I read that there is a limited number of API calls (2000) we can make per day. If I use this security trimming method in multiple apps and the apps are heavily used, couldn't this approach really consume my allotted Flow runs?

    1. Hi Raju,

      Glad that it helped.

      When you deploy this app to the production environment, each user accessing this app will be using his/her own connection which in turn will deduct API call from their individual balance. It is not the case that if you are developing it all the API calls will be made through your account. 2000 API calls for each user per day should be sufficient to accommodate this request.

      Thanks,
      R.

      1. Thanks for your response, Ranjan.
        I understood. Silly me, I thought it's 2000 API calls per tenant. I didn’t know it is 2000 API calls for each user per day. The flow method really works for me.
        I was thinking about using the Azure AD connector within PowerApps. If I use the Azure AD connector as it is with a global admin account, it will give Directory.ReadWrite.All access to all users, won't it? Please advise.

        1. I am not sure what your business requirement is, but using an Azure AD global admin account at the app level is not recommended.

          Did you try using Microsoft Graph for your problem?

          1. Hi Ranjan – I want to disable a few controls in Power Apps for a few users. I thought of creating an AD group and using the Azure AD connector in Power Apps to check if the logged-in user is present in that group, then disable the controls. I came across the below blog about a limitation with the Azure AD connector.
            https://www.powerappsug.com/communities/community-home/digestviewer/viewthread?GroupId=2243&MessageKey=c1df15ae-10cd-4f13-8647-fb3a85f2462e&CommunityKey=9f5c6fd1-bb0c-4ffa-adab-06d3d72c11da&tab=digestviewer&ReturnUrl=%2Fpowerappsusergroup%2Fcommunities%2Fcommunity-home%2Fdigestviewer%3Fcommunitykey%3D9f5c6fd1-bb0c-4ffa-adab-06d3d72c11da%26tab%3Ddigestviewer#bmc1df15ae-10cd-4f13-8647-fb3a85f2462e

            I also thought about the below approaches for my requirement.
            1. PowerApps with flow – the method mentioned in your article
            2. Azure AD connector
            3. SharePoint list to store admin users; if the logged-in user is present in this list, then disable it.

            What is your advice, and which is the best practice to achieve role-based security in PowerApps?

  10. I use the same method as here, but I have issues with emails using different capitalizations vs. the email passed by PowerApps.
    I tried using tolower, indexof, substringof, etc., all failing as they are not usable in my SP OData query.

    Any idea how to overcome it?

    thanks!

  11. Hi Ranjan, thank you for this. Exactly what I need.
    However, when I try to test the GET method, I get an XML error which says:
    This XML file does not appear to have any style information associated with it. The document tree is shown below.

    -1, Microsoft.SharePoint.Client.InvalidClientQueryException
    The expression “Email eq ‘my email address‘” is not valid.

    Any ideas? Please.

    1. Please verify that the endpoint is correct: _api/web/sitegroups/getByName('OrgAdmins')/Users?$filter=Email eq 'useremail@tenant.com'

      Try opening it in Google Chrome and see whether it returns correct JSON.

  12. Hi Ranjan, thank you for sharing the solution. Could you please help me find out where I’m going wrong in implementing it, as I couldn’t get it to work.
    Firstly, I want to say that I get an empty object like this: { "d": { "results": [] }} on the step Add “Send an HTTP request to SharePoint”, however I’m sure I’m in the group I’m checking for. I’m trying different methods of checking (by email, by id, by displayname).
    And in general I am getting an issue in the app checker saying “invalid number of arguments received 1, expected 2” for this formula: Set(isMember, CheckUserPermissioninSPGrpoup.Run(EncodeUrl((User().Email)))); Set(IsVisible, If(Lower(isMember.isgroupmember) = "true", true, false))

    1. Hello Vyacheslav,

      1. If you are part of the group and still getting { "d": { "results": [] }}, please check that you have set the option “Who can view the membership of the group?” to Everyone.

      2. “Invalid number of arguments received” appears because the number of parameters expected by the flow is not being passed from the Power App. Just count the number of parameters your flow is expecting and then pass that number of parameters; you can pass a few dummy values if required to match the parameter count.

      Let me know if it helps.

      1. Thanks for the fast response.
        Ranjan, Everyone was selected for the group membership check in the first step.
        Is it possible to use another parameter of /Users?$filter=, in my SP that is presented by name.
        And could you please explain how to count the number of parameters and pass a few dummy values?
        I’m just starting with SPO and it is quite different from the previous SP, sorry if my question is so stupid.

          1. Hello Ranjan,
            I was able to fix these yesterday, by going step by step with maximum concentration and checking at each flow step how it works. It seems the flow is sensitive to uppercase in the email string, as we use first and last name in our environment.
            So now everything is working and I say thanks to you twice.
            Separate thanks for the links!

  13. Ranjan, this worked great, thank you! Have you been able to do something similar to determine what kind of permissions a user has on a given SharePoint list? Have been looking all around but no viable proven solutions.
