PowerApps Security, Environments, and Plan 2

Great video as always, Shane. For those of us that are "stuck" using SharePoint as a data source, it'd be great to get a more detailed look at the workarounds that you've found for "securing" those sources. My favorites are hiding the list from the browser and/or (where that's not practical) adding a PowerApps customized form to prevent folks from making changes to list items outside of the designated Apps.

Liking this stuff before hitting 'play'. Shane's becoming a legend.

You can keep the SharePoint back-end and add a Power Automate workflow to set item level security when item is created on SP list. That way, the user can only see and edit their own requests. In that case, even if they go to the SP list they can only see their own items. This will also make the additional step of adding filters in PowerApps redundant as it will only pull data user has access to.

Thanks for this video Shane, a must see for anybody sharing an app. Also, a lot of fun to watch.

Once again saved by you Shane, where are the flowers supposed to go?

Shane, in SharePoint it is possible to create a permission level that excludes "View Application Pages" under list permissions, which stops the user seeing the list in SharePoint, including view, edit and add forms. As long as they still have read, edit, add and delete permissions the App will work. Probably still a "security by obscurity" option as I'm sure they could still use API to do what they like, or link to the table with MS Access, but it remove all but most IT-savvy user.
And thanks for your videos - I'm slowly catching up on the last 2 years!

Thank you for this great video. Just figured out that the reader (in your case chevy) is able to access the secure environment if he typed the guid of the secure-environment in the url. By doing so the user can see all connections and apps but has no edit permissions and therefore can't use the connector.

Thanks, Shane. At minute 6:50 you mention that you don't love hiding SharePoint site. You did mention how Environments will protect SQL connection and the app as the user won't be able to see the "Secure" or protected Environment, but you did not clarify how Environments can help in data security of an app that is using SharePoint Lists as its data source. I hope I haven't missed something in the video. Could you please clarify this point?

Hi Shane. Great video as always. One thing that's struck me watching a lot of the videos from the recent MS Business Apps summit 2019 is the number of big companies who appear to be using Sharepoint as their data source (including a transatlantic airline and a European rail company). Am I missing something or are these big enterprises finding a way to manage the security issues you raise with Sharepoint lists?

Many thanks for explaining how to secure SQL connector in PROD environment. That was my upcoming consideration.
Also, regarding SharePoint list as PowerApps data source security - my idea would be to perform App registration in Azure portal and create a custom REST API connector with obtained AppID/credentials.
This way PowerApp would connect to SP using AppID account instead. No need to grant permissions for end user.
I should probably make a proof of concept if I gate a chance to have sufficient rights in my ENV.

Good stuff Shane! A vid every admin and maker should watch!

Thanks for this video. It's very clear to understand. I have an issue with my SQL Connection. My App works well with the connector if I use directly in My App, but I have some problems using with a Power Automate Connection which is called from my App. This PA call a SQL store procedure and give back some info to my App. Since I configure Imlicit connection, it doesn't work.

Shane Young is out here doing God's work...and solving things Microsoft should probably pay entire teams to deal with :P What would we do without you Shane?!

Great video! Seriously thank you so much, best powerapps teacher on TH-cam!

Shane, this is a very helpful video and I realize it is a little dated, but presumably this still applies today. It sounds like, from a licensing perspective, you would have to have every user licensed in the PowerApps per user or per app plan in order for them to access data outside of the default environment. Does that sound right to you? This approach could get expensive with a large user base. Or, can I just have my admin account maintain that plan, create the additional environments and apply the security configurations mentioned in the video against all my end users without licensing them?

Excellent. Thank you Shane!

Hi Shane. Awesome video, thank you! Do you plan to make one to cover Dataverse security too? Pretty please... :)

This is a great video. I have some thing like a simple suggestion box powerapp that is connected to SharePoint list that list has items on it I do not want visible. I would like to make it where we have two classes of uses normal cannot see or access the list and admins can see the full list. Maybe this is more of a SharePoint Security Video and not a powerapps ones but am in need. Your videos rock! Please keep making them. I am very new to SharePoint/PowerApps and cant spell SQL if you know what I mean.

Great video as always Shane! Just wanted to say two things: #1 - super great idea with the new SOP, creating the other environment. #2 - on the Analytics Report (which uses Power BI) when you saw United States, there should be the ability to “drill down” or expand downwards to see the hierarchy, Country, State, City, etc.
Give me a thumbs up if that drill down works for you. Otherwise, keep up the fantastic work!

Shane - Thanks for this video! Super helpful when navigating the dilemma of implicitly shared connections. Taking this one step further, if an app is created in a "secure" environment that we spin up and shared with other users who do not have maker privileges in that environment, can they use that app through the PowerApps visual in Power BI? If so, do we need to share the app with all users that also have access to the PowerBI app for them to be able to interact with it?

Great video. This covers exactly the security concerns we were having. Now to just get that P2 license...

Great video Shane, thank you :) One question, given that Chewy can't access the PowerApps Secure studio environment, I was wondering if there was a way for him to get a link/url to the app without relying on the e-mail he received?

Shane you are the best! Love your videos!

Great video Shane! If you use a P2 license to create your PowerApps application using CDS. Can other users who do not have a P2 license use the app? Same for the environments?

Very good video thanks again Shane, when we add someone to the production environment as app maker that person will be able to edit all apps within the environment? If so how can we setup security based on the app, so only a specific people can edit specific apps? Thanks.

Hi Shane, great video and answered what i needed to know about security in SharePoint.
I have PowerApps for O365 licence and was looking for Plan 2 - am I correct in saying that this type of licence is no longer available? Can I achieve what you demo'd in your video with my current licence? Does creating an additional environment with CDS come at an additional cost?
So it would appear that SQL connections as you described is the only way to secure your data. Does that mean that i would need SQL connectivity licence for every employee in my organisation that potentially would like to use any applications we build? I work for local government and need to ensure data is secure but our solutions are not too costly.

Thanks for a great Video Shane...
Dose changing environment give similar protection to Sharepoint too ?

Hi Shane , thanks for great video, my question is if it is possibile add to Enviro Makers also O365 groups instead od individual person.

Hey Shane...looks like an amazing course and excited to learn. Any pointers on- which order should I view ur tutorial to get a deep understanding.I am CRM professional thanks. 🙂

Thanks Shane,
I have one question, how can you solve the problem if you use SharePoint as data source? I guess you would have to limit and personalize permissions in SharePoint lists. Is there anything "environments" can do to help manage this?

Hello, First of all, thanks a lot for making those videos. They really help and are really informative.
One quick question at the license level: SQL Connection (as CDS) requires the use of a premium connector. If I get a premium license, I should be able to access those. However, when sharing the app (even in a secure environment) to other users, as I am "implicitly" sharing the SQL connection, does that mean that the app user can use the app?
My understanding is the following: users will be leveraging my connection. Therefore, my assumption is that they should be ok using the app with a basic license (the one that comes out of the box with an office 365 license). Is that correct? Or, do they need to upgrade their licenses?
Thanks in advance for your answer,
Cheers, Leonard

Shane, thanks a lot for another great video. I am relative new to Powerapps. Actually I have two main questions
1) is it possible to assign a more meaningful name for a connection than the standard name Sharepoint without any hint to which web-site it provides the connection?
2) how is it possible with Powerapps and SPO or SQL to deal with concurrent users in a reservation app with a great number but also limited articles, for example parking spaces. Is there any thing like transaction support in SPO which prevent that users overwrite an existing reservation? Do you have any suggestions where I can found further information?
Thanks a lot
Kind regards
Christian

Hi Shane, great explanation, I have two questions (maybe already asked): 1 I have an app in PRO environment, how can move to "secure" environment and viceversa?.
2. There is an option on the top that says "Convert to Production" (you don´t have it in your video -26:57), it will replace the original production and will lost the existing apps?

Thanks Shane, this is very useful information. Do we have this documented somewhere? Some text I could reference maybe?

Nice explanation shane thanks! I thought envrionments in power apps should work as spaces where we can develop apps and pass it over different environments in order to follow a deployment flow... like and app that was created in a "DevEnvironment", and then pass to "QAEnvironment", then to "StressEnviornment", and finally in a "Production" environment. Is this exists in power apps?

Great stuff cheers... Two questions... What if you have an app with some content editors and some content readers. How could you achieve this via security rather than visibility or some other hack?
To limit access to the SharePoint list could you not change the permissions in the SharePoint list. So instead of them being members they become readers?

Hi Shane, great video. Just wanted to confirm security with you. Are you saying that there's no way to secure the Sharepoint list from users as they can access and updated bu going directly to the list ? thanks

Great subject to cover, Shane. And to confirm, there is only the need to have one licensed P2 account to generate the environments and manage the environment's security? Thank you.

Hey Shane. I'm assuming all the things you said about Sharepoint here would apply also to Dataverse?

I have 2 quick questions.
1. What's the difference between Trial and Production environment?
2. In PowerApps is it possible that, one of my app is always be in production. One will be in development.. Whenever development completed it is moved to the production?

Thanks for this Shane, very timely ahead of MBAS, one of our slides we're presenting is specifically on this topic, but I have 1.5mins to cover it vs your 27! Haha

Good one Shane! But I was looking for how users can login to Power Apps Canvas apps.?
If I create an App with Username/Pwd , what are the different ways to process User's credentials in a secured way?
If I have users who are not in the PowerApp users list how do we consider their Login mechanism?
Regards
Atanu

Hi Shane. Does this method still apply in 2022, or is there a new way to approach this issue? Thanks!

Thank You for providing such informative videos. Could you post more videos regarding security. It is a bit different now with admin.powerapps changing to admin.powerplatform. Again, thank you for all the videos you post.

Hi Shane. Following the licence changes a couple of months ago, what are the licence requirements to achieve the set-up you recommend in this video? We are Office365 users so we all have access to Power Apps default environment from that.
Am I right in saying:
To create a new envionment = at least one person will need a 'Power Apps Per User' licence $40/month
To run an app that uses the SQL connector (Premium) = every user will require either a 'Per App' licence $10/month of a 'Per User' licence $40/month.

Great video. I have a question. If I share a Sharepoint list with users but I dont send them an invitation email and I dont tell them the name nor the location of the sharepoint list, how they can access it outside the app? Is there on Sharepoint something like "Shared with me" list of docs,lists? Thx.

Shane the illustration used for creating a secondary environment to help with SQL can you apply the same principles using the secondary environment but with a SharePoint list?

Nice video, thanks!
I've been thinking about making any SharePoint list to be read only when there is a need to just read the list. And calling a flow with the data that I want written to a SharePoint list when updating data is required. A flow SHPO connector is authenticated inside the flow and there would not be any need to grant write access rights to the power app users.
Obviously this is a bit tedious but wouldn't this work?

Great information. While i don't use sql connections and mainly use SharePoint, the sql info is still interesting. For SharePoint, would setting users up as read only permissions stop those users that have been shared the app the ability to edit the list or library, but still be able to see the data in the PowerApp?

Thanks for the video, as we started using Power Apps with CDS as source. However users who were able to access/update the data from an Entity, suddenly started to get error message.
May i know if you have any suggestion on how to resolve this, thanks in advance

Could you do a video on using Environment Variables that can change code based on which environment you're in?

Hello Shane, I am trying to get the screens visible based on security roles .. so I have tried to get my security roles using clearcollect but I am not able to check the screens based on roles

excellent !! thanks

Good Day Shane, this is my first message, but not appreciation for all your contents. My question is: Can we achieve the new environment security with SharePoint Lists? It seems I have P2 License since I have all these features, but when sharing apps with cds backend, they are being requested for a P2 Trial. So I’m stuck with SharePoint Lists.

What's the condition for implicit data source share ; are there a condition for excel sheet to be implicitly shared because I can't have the Share button . IT DOES NOT appears FOR MY SHARED ONE DRIVR EXCEL SHEET

Hi Shane. Is there a way to logically set the roles of users added to groups in Dynamics 365? I'm a gov employee, we're using Azure to authenticate and powershell to add users to groups but is there a way to assign roles automatically as opposed to manually? we'll be onboarding about 500 users...

Hi Shane, I was wondering if there was a way to use an app in a Test Environment without affecting/impacting live data in SharePoint? If that makes sense.
Thanks

15:03 great video thanks for the information! excellant pls keep making!

I would actually like to, even in the default environment, to only allow users to use but NOT create PowerApps. In that case would it also prevent them from customizing sharepoint forms with powerapps

Do you have an updated video that covers AD security with a sql connection? For some reason I deleted all of my old implicitly shared connections to an app, and reconnected using AD but its still showing that there is an implicitly shared connection. Not sure why.

Hi Shane, I have a Power Apps Per User Plan and created an environment and app with SQL connector. When I shared an app with E3 users, they were not able to access an app. Can you please explain why users could not access?

Is plan 2 you mention the $10 a month or $40 a month plan from Microsoft?

Very useful information..

Shane is their way with code or power automate to password protect document excel and word

Great video. Thanks you !

so, if i have one List in Sharepoint connected at PowerApp, the users always can change the data of the List en Sharepoint without occupying the app? :(

Hi Shane, is it possible to copy from our default environment to the secure environment.

Is posible to do a rol interface for different users in power apps and call a different table in excel por each one of the users ?

So, how many noticed the title of Shane's video has 'Environments' spelled wrong! LOL :)

I followed all steps and still having the message "you are using one or more implicitly shared connections"

Environments are useless when you are using On-Premise Data Gateways because you can only access them via the default (corporate) environment. This means I have no test or dev environment because they cannot access my test db.

I have office 365 license of power apps. But still it connects to sqlserver.