Assigning security roles to users in Power Apps using PowerShell is essential for managing permissions, ensuring data security, and enforcing role-based access control within Power Platform environments.
Step 1: Install Required PowerShell Modules
Ensure that you have the necessary PowerShell modules installed:
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force -AllowClobber
Install-Module -Name Microsoft.PowerApps.PowerShell -Force -AllowClobber
If prompted, press Y to confirm the installation.
Step 2: Authenticate to Power Platform
Connect to Power Platform using an Admin account:
Add-PowerAppsAccount
A Microsoft sign-in window will appear. Log in using your Global Admin or Power Platform Admin credentials.
For service principal authentication (without manual login), use:
# Placeholder values. In real use, load the client secret from a secret store or environment variable instead of hardcoding it in the script.
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
$tenantId = "your-tenant-id"
# Add-PowerAppsAccount signs in as the service principal when given an application ID and client secret.
Add-PowerAppsAccount -Endpoint prod -TenantID $tenantId -ApplicationId $clientId -ClientSecret $clientSecret
Step 3: Retrieve Power Platform Environments
To list all available environments:
Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName, Location, EnvironmentSku
Identify the EnvironmentName where you want to assign security roles.
Step 4: Retrieve Available Security Roles
List all security roles within a specific environment:
$environmentId = "your-environment-id"
Get-AdminPowerAppSecurityRole -EnvironmentName $environmentId | Select-Object RoleId, RoleName
Take note of the RoleId and RoleName you want to assign.
Step 5: Assign a Security Role to a User
Assign a specific security role to a user in an environment:
$environmentId = "your-environment-id"
$roleId = "your-role-id"
$userEmail = "user@domain.com"
New-AdminPowerAppSecurityRoleAssignment -EnvironmentName $environmentId -RoleId $roleId -PrincipalType User -PrincipalObjectId $userEmail
This will grant the specified security role to the user.
Step 6: Verify Assigned Roles for a User
To check which roles a user has in an environment:
$environmentId = "your-environment-id"
$userEmail = "user@domain.com"
Get-AdminPowerAppSecurityRoleAssignment -EnvironmentName $environmentId -PrincipalObjectId $userEmail
Step 7: Remove a Security Role from a User
If you need to revoke a user’s role:
$environmentId = "your-environment-id"
$roleId = "your-role-id"
$userEmail = "user@domain.com"
Remove-AdminPowerAppSecurityRoleAssignment -EnvironmentName $environmentId -RoleId $roleId -PrincipalObjectId $userEmail
Step 8: Export Security Role Assignments to a CSV (Optional)
For auditing purposes, export all role assignments to a CSV file:
$exportPath = "C:\PowerPlatform\PowerAppsSecurityRoles.csv"
Get-AdminPowerAppSecurityRoleAssignment -EnvironmentName $environmentId |
    Select-Object EnvironmentName, RoleId, PrincipalObjectId, PrincipalType |
    Export-Csv -Path $exportPath -NoTypeInformation
Navigate to C:\PowerPlatform to find the exported file.
Step 9: Disconnect from Power Platform
Once done, disconnect the session:
Remove-PowerAppsAccount
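One way to put the Step 8 export to use in an audit, as an added example that is not part of the original page: it compares exported assignments with an approved baseline and reports grants that were never approved or that are missing. The sample rows, the baseline and the function names Get-AssignmentKey and Compare-RoleAssignment are constructed for illustration; in practice, replace the first here-string with Import-Csv on the exported file.

```powershell
# Constructed sample rows in the column layout of the Step 8 export (not real data).
$exported = @'
EnvironmentName,RoleId,PrincipalObjectId,PrincipalType
env-prod,role-sysadmin,alice@contoso.example,User
env-prod,role-basic,bob@contoso.example,User
env-prod,role-sysadmin,dave@contoso.example,User
env-dev,role-maker,bob@contoso.example,User
'@ | ConvertFrom-Csv

# Hypothetical approved baseline: assignments that change control has signed off.
$approved = @'
EnvironmentName,RoleId,PrincipalObjectId
env-prod,role-sysadmin,alice@contoso.example
env-prod,role-basic,bob@contoso.example
env-dev,role-maker,bob@contoso.example
env-dev,role-maker,carol@contoso.example
'@ | ConvertFrom-Csv

function Get-AssignmentKey {
    param([Parameter(Mandatory)] $Row)
    # Case-insensitive composite key; each field is trimmed to tolerate hand-edited CSVs.
    $parts = 'EnvironmentName', 'RoleId', 'PrincipalObjectId' | ForEach-Object { "$($Row.$_)".Trim() }
    ($parts -join '|').ToLowerInvariant()
}

function Compare-RoleAssignment {
    param([Parameter(Mandatory)] [object[]] $Exported, [Parameter(Mandatory)] [object[]] $Approved)
    $approvedKeys = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($row in $Approved) { [void]$approvedKeys.Add((Get-AssignmentKey $row)) }
    $exportedKeys = [System.Collections.Generic.HashSet[string]]::new()
    $cols = 'EnvironmentName', 'RoleId', 'PrincipalObjectId'
    foreach ($row in $Exported) {
        $key = Get-AssignmentKey $row
        [void]$exportedKeys.Add($key)
        if (-not $approvedKeys.Contains($key)) {
            # Granted in the environment but absent from the baseline: candidate for revocation.
            $row | Select-Object (@(@{ n = 'Finding'; e = { 'Unapproved' } }) + $cols)
        }
    }
    foreach ($row in $Approved) {
        if (-not $exportedKeys.Contains((Get-AssignmentKey $row))) {
            # Approved but not present: the baseline is stale or the grant was never made.
            $row | Select-Object (@(@{ n = 'Finding'; e = { 'Missing' } }) + $cols)
        }
    }
}

Compare-RoleAssignment -Exported $exported -Approved $approved | Format-Table -AutoSize
```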