PowerApps Role Based Security using SharePoint Group & Flow


Posted By : Ranjan Pandey

Added :

42 Comments


PowerApps Role Based Security using SharePoint Group & Flow



In this blog, you will learn how to implement role based security in PowerApps controlled by SharePoint Groups. It is straightforward to check user membership in Office 365 group as we have a direct connector available for the same.

Customers keep asking this question that how can we show/hide screens in PowerApps based on user membership in a SharePoint Group. This blog post will show you one approach to find out the SharePoint Group membership of current logged in user and show/hide screen based on the same.

Create a SharePoint Group

Create a SharePoint group and add members that you would want to use for role based security in your PowerApps app & open SharePoint group settings.

Choose everyone under Group settings “Who can view the membership of the group?”.

Why this is required?
Our PowerApps will invoke a Flow to check user membership in a SharePoint group using a SharePoint HTTP REST call. Not all of the users using PowerApps app will have admin privilege to read group membership detail. To allow each user to have read access to group membership it is required to provide “Everyone” access.

Steps to create Flow & invoke it from PowerApps


  • Create a new flow using blank template.
  • Add a PowerApps trigger so that we can invoke this Flow from our PowerApps.
  • Add initialize variable action to create a new variable IsGroupMember(boolean). Add one more initialize variable action & create a new variable MembershipJSONResult(string)

IsGroupMember(boolean) – It will store true or false depending on the user is a member of the SharePoint group.
MembershipJSONResult(string) – It will store JSON payload that we will receive from the REST API call in the next step

  • Add “Send an HTTP request to SharePoint” action available under SharePoint actions. we will configure this action to make a REST call to SharePoint to determine user group membership.

Site Address: Provide URL of the site where you have created the SharePoint Group
Method: Get
Uri:_api/web/sitegroups/getByName(‘Your-SharePoint-Group-Name‘)/Users?$filter=Email eq ‘[email protected]

Note: Above Uri should be updated correctly. Replace ‘Your-SharePoint-Group-Name’ with your SharePoint Group Name. My SharePoint Group Name is “OrgAdmins” so my Uri looks like _api/web/sitegroups/getByName(‘OrgAdmins’)/Users?$filter=Email eq ‘[email protected]. After this we will have to replace [email protected] with the email id of current logged in user in PowerApps. To do this remove [email protected] , place your cursor between single quote and click on Ask in PowerApps under Flow Dynamic content as shown here:

After adding variable using Ask in PowerApps

This SharePoint REST call will return an empty object or user properties based on the user is member of OrgAdmins SharePoint group or not:

If User is Member of the SharePoint Group, it will non-empty object & will include user properties:

If user in not a member of the SharePoint group it will return empty object like this:
{ “d”: { “results”: [] }}

  • Once we have received response from the above SharePoint REST call, we can parse it to get the results. Add a set variable action to set the variable ‘MembershipJSONResult’ created before to expression body(‘CheckUserGroup’)[‘d’][‘results’]
  • CheckUserGroup is the name of previous action which includes REST call to SharePoint. If your action name has spaces, replace the spaces with underscore (_) character.
  • Add a condition step to check the results value. If the results object is empty then user is not a member of the group. Use the expression equals(variables(‘MembershipJSONResult’),'[]’) to evaluate the object. ‘MembershipJSONResult’ is the variable used to store the object value and [] compares to an empty object.
  • Set the variable ‘IsGroupMember’ to false if this condition is true as shown below:
  • Last step in our Flow would be to send the group membership check result back to PowerApps as an output parameter to show/hide screens/controls. Add “Respond to PowerApps” action and choose a text output. Provide a name IsGroupMember to the output parameter and set value equal to variable “IsGroupMember”
PowerApps Output parameter

This is how the complete Flow will look. Verify that you have not missed any step.

Create PowerApps to call flow


Our Flow is complete and now we should call this flow from PowerApps app. Create a blank screen in PowerApps & rename it as WelcomeScreen. Navigate to OnVisible property of the WelcomeScreen, click on Flows tab –> Add the Flow you created from the right navigation to the formula bar to associate the flow to the ‘OnVisible’ event of the screen.

Type the below function on the ‘OnVisible’ formula bar.

In this above formula, first we are creating a global variable isMember and setting the value equal to the text returned by Flow i.e. True or False. In the next step, we are setting IsVisible boolean equal to true/false based on the text value.

  • Add a button on the screen and set Visible property of the button to IsVisible variable defined above

If you are interested, I can train your team in PowerApps and Flow anywhere in the world. My workshops are fully hands-on oriented.

0 0 votes
Article Rating
Subscribe
Notify of
guest
42 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Rado
3 years ago

This is an excellent tutorial! Thank you a lot… it perfectly works!

AmyRock
AmyRock
3 years ago

This is awesome!!! Just followed your steps one by one and it worked on the first try. So happy to have found this thank you for posting!

Raj
Raj
3 years ago

HI Ranjan , thanks for the post,it really helped . i have a requirement in my project which involves multiple user groups, powerapp does not allow me to attach multiple workflow.
Can i check multiple group in the same flow u created above?

Bryan Huang
Bryan Huang
3 years ago

Hi Ranjan,

This is very helpful. i got it working on my first attempt. Do you know if could i apply this to Drop Down value?

On the drop down it will only show relevant access to the user.

Thanks

YeahBoy!
YeahBoy!
3 years ago

Hi Ranjan,

Kudos for this! Have another question if it’s ok:) what if I want to get other result such as “Title” and “Login Name” from the result?

TIA!

YeahBoy!
YeahBoy!
3 years ago

Hi Ranjan,

Yes for the current user.

TIA

YeahBoy!
YeahBoy!
3 years ago
Reply to  Ranjan Pandey

Thanks Ranjan!

I would want to use a another REST API “/_api/SP.UserProfiles.PeopleManager/GetUserProfilePropertiesFor”

Thanks in Advance!

YeahBoy
YeahBoy
3 years ago
Reply to  Rakesh Pandey

Thanks Rakesh! Just want to know how to get it ourput base on flow provided by Ranjan. Base on his example he get/checked (“{ “d”: { “results”: [] }}”) this is what i want to know.

TIA!

Uday
Uday
3 years ago

Hi Ranjan,

Thanks for the detailed post. Would like to understand, if it is feasible from Powerapps to fetch user details from Azure AD services. i.e fetching Corporate Directory role information from Azure AD.

Thanks

Uday
Uday
3 years ago

Hi Ranjan,

Thanks for the detailed post, would like to understand, if it is feasible for Powerapps to get user CD role information from Azure AD services ? provided if CD role is integrated with Azure AD.

Kindly suggest.

Thanks

Uday
Uday
2 years ago

Thanks Ranjan, that was very helpful !

Sai Alkesh
Sai Alkesh
2 years ago

Hi Ranjan
Thank you for a wonderful post & the detailed video.
Am trying to learn, by following your video, however am stuck at retrieving user details from SharePoint Group.
I created a SharePoint Group, in our Sharepoint team sites and ensured that its visible to everyone.
When i provide the below Uri, am not able to get user properties –
_api/site/sitegroups/getByName(‘StagingAdmins’)/Users?$filter=Email eq ‘[email protected]

Any advise, on where am i going wrong.

Thank you so very much.

Sai Alkesh
Sai Alkesh
2 years ago

Dear Ranjan
i get partial response, without getting user details.

shyam
shyam
2 years ago

Hi,

great post.this is what exactly i am searching for.this is working for me at my first attempt.

christophe lambert
christophe lambert
2 years ago

Hello Ranjan,
I make an app for belgian police, and i would like to create a flow to verify user permissions to a list not to a group…is it possible ?

Raju K
Raju K
2 years ago

Hi Ranjan – Thanks for this blog , its really helpful .
I have O365 E5 license for Flow ,I read that per day there are limited API calls(2000) we can make, if I use this security trimming method in multiple apps isn’t it apps will utilized heavily then this approach could really consume my allotted Flow runs.

Raju K
Raju K
2 years ago
Reply to  Ranjan Pandey

Thanks for your response Ranjan .
I understood . silly me , I thought its 2000 API calls per tenant . I didn’t know it is 2000 API calls for each user per day. flow method really works for me .
I was thinking about using Azure AD connector within PowerApps . if I use Azure AD connector as it is with global admin account , it will give Directory.ReadWrite.All access all users isn’t it ? please advise .

Raju K
Raju K
2 years ago
Reply to  Ranjan Pandey

Hi Ranjan – I want to disable few controls on power apps to few users . I thought of creating Ad group and use Azure AD connector in power apps to check if logged in user present in that group then disable the controls . I came across below blog about limitation with azure AD connector .
https://www.powerappsug.com/communities/community-home/digestviewer/viewthread?GroupId=2243&MessageKey=c1df15ae-10cd-4f13-8647-fb3a85f2462e&CommunityKey=9f5c6fd1-bb0c-4ffa-adab-06d3d72c11da&tab=digestviewer&ReturnUrl=%2Fpowerappsusergroup%2Fcommunities%2Fcommunity-home%2Fdigestviewer%3Fcommunitykey%3D9f5c6fd1-bb0c-4ffa-adab-06d3d72c11da%26tab%3Ddigestviewer#bmc1df15ae-10cd-4f13-8647-fb3a85f2462e

I also thought about below approaches for my requirement .
1. PowerApps with flow – method mention your article
2. Azure AD connector
3. Sharepoint list to store admin users , if logged in users present in this list then disable it .

What is your advice and which is the best practice to achieve role based security in PowerApps

Maurizio
Maurizio
2 years ago

I use thesam emthode as here, but i have issues in emails using different capitalizations vs. what is the mail passed by PowerApp.
Tried using tolower, indexof, substringof, etc. all failing as not usable in my SP ODATA query.

any idea how to overcome it?

thanks!

Mo
Mo
2 years ago

Hi Ranjan, Thank you for this. Exactly what i need.
However, when I try to test the GET method, I get an XML error which says:
his XML file does not appear to have any style information associated with it. The document tree is shown below.

-1, Microsoft.SharePoint.Client.InvalidClientQueryException
The expression “Email eq ‘my email address‘” is not valid.

Any ideas? Please.

Vyacheslav
Vyacheslav
1 year ago

Hi Ranjan, Thank you for solution sharing. Could you please help me to find out where i’m wrong to implement it, as i couldn’t get it works.
firstly i want to say if i have got empty object like this:{ “d”: { “results”: [] }} on step Add “Send an HTTP request to SharePoint” , however i’m sure i’m in group i’m checking for. i’m trying to different method of checking(by email, by id, by displayname).
and in general i getting issue in app checker, that saying “invalid number of arguments received 1, expected 2” for that formula Set(isMember, CheckUserPermissioninSPGrpoup.Run(EncodeUrl((User().Email)))); Set(IsVisible, If(Lower(isMember.isgroupmember) = “true”, true, false))

Vyacheslav
Vyacheslav
1 year ago
Reply to  Ranjan Pandey

thanks for fast responce.
Ranjan, everyone was selected for group membership check on first step.
is it possible to use other parameter of /Users?$filter=, in my SP that presented by name.
and could you please explain how to count the numbers of parameters and pass few dummy?
i’m just starting with SPO and that quied different from previous SP, sorry if my question so stupid

Vyacheslav
Vyacheslav
1 year ago
Reply to  Ranjan Pandey

Hello Ranjan,
i was able to fix these yerstaday, by doing step by step with maximum concentration and checking on each flow step how it works. that seems flow is sensitive to uppercase in email string. as we use first and last name in our envoriment.
So now everithing working and i’m twice say thank to you.
Separete thanks for links!

Jorge Morales
Jorge Morales
1 year ago

Ranjan, this worked great, thank you! Have you been able to do something similar to determine what kind of permissions a user has on a given SharePoint list? Have been looking all around but no viable proven solutions.

Veeresh
Veeresh
1 year ago

Excellent and real world scenario based demo. Congrats and please do try to bring more Power app and Power automate related real world scenarios.
Have Query – would appreciate for response:
You said at the end of demo, if we have many sharepoint groups to cross verify, we have to to do proper naming convention.
Problem statement:
> We have many folders inside a DOC library. These folders have specific access SP groups.
> How do we show/list out the folders based on the user logged into Power App.
Thanks for your sharing..

Jorge
Jorge
3 months ago

Hello Ranjan,
I have been using your solution for many months now, and it’s worked great but have a question on whether or not differences in case can affect the comparison. We came across a scenario where the comparison is failing and believe it’s due to a difference in case between the results of the REST call and the e-mail of the current logged on user. Could this be possible? If yes, I was thinking of using toUpper() to fix things. I can run this function on the e-mail of the current logged on user, but how would I do this for the URI path results in the REST call?
Thanks,
Jorge