Assigning Security Roles to Power Apps Users using PowerShell

Assigning security roles to users in Power Apps using PowerShell is essential for managing permissions, ensuring data security, and enforcing role-based access control within Power Platform environments.


Step 1: Install Required PowerShell Modules

Ensure that you have the necessary PowerShell modules installed:

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force -AllowClobber
Install-Module -Name Microsoft.PowerApps.PowerShell -Force -AllowClobber

If prompted, press Y to confirm the installation.


Step 2: Authenticate to Power Platform

Connect to Power Platform using an Admin account:

Add-PowerAppsAccount

A Microsoft sign-in window will appear. Log in using your Global Admin or Power Platform Admin credentials.

For service principal authentication (without manual login), use:

# Placeholder values; load the real secret from a secret store rather than saving it in the script.
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
$tenantId = "your-tenant-id"

# Add-PowerAppsAccount accepts the application (client) ID and secret directly.
Add-PowerAppsAccount -Endpoint prod -TenantID $tenantId -ApplicationId $clientId -ClientSecret $clientSecret

Step 3: Retrieve Power Platform Environments

To list all available environments:

Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName, Location, EnvironmentSku

Identify the EnvironmentName where you want to assign security roles.


Step 4: Retrieve Available Security Roles

List all security roles within a specific environment:

$environmentId = "your-environment-id"

Get-AdminPowerAppSecurityRole -EnvironmentName $environmentId | Select-Object RoleId, RoleName

Take note of the RoleId and RoleName you want to assign.


Step 5: Assign a Security Role to a User

Assign a specific security role to a user in an environment:

$environmentId = "your-environment-id"
$roleId = "your-role-id"
$userEmail = "user@domain.com"

New-AdminPowerAppSecurityRoleAssignment -EnvironmentName $environmentId -RoleId $roleId -PrincipalType User -PrincipalObjectId $userEmail

This will grant the specified security role to the user.


Step 6: Verify Assigned Roles for a User

To check which roles a user has in an environment:

$environmentId = "your-environment-id"
$userEmail = "user@domain.com"

Get-AdminPowerAppSecurityRoleAssignment -EnvironmentName $environmentId -PrincipalObjectId $userEmail

Step 7: Remove a Security Role from a User

If you need to revoke a user’s role:

$environmentId = "your-environment-id"
$roleId = "your-role-id"
$userEmail = "user@domain.com"

Remove-AdminPowerAppSecurityRoleAssignment -EnvironmentName $environmentId -RoleId $roleId -PrincipalObjectId $userEmail

Step 8: Export Security Role Assignments to a CSV (Optional)

For auditing purposes, export all role assignments to a CSV file:

$exportPath = "C:\PowerPlatform\PowerAppsSecurityRoles.csv"

Get-AdminPowerAppSecurityRoleAssignment -EnvironmentName $environmentId |
Select-Object EnvironmentName, RoleId, PrincipalObjectId, PrincipalType |
Export-Csv -Path $exportPath -NoTypeInformation

Navigate to C:\PowerPlatform to find the exported file.
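
An added example, not part of the original tutorial: one way to use the Step 8 export for auditing is to compare it against an approved baseline and report drift. Only the column names come from Step 8; the sample rows, the role names and the Get-RoleAssignmentDrift function are constructed for illustration.

```powershell
# Constructed sample data in the column layout exported in Step 8.
# For real use, load the baseline and the export with Import-Csv instead.
$approved = @'
EnvironmentName,RoleId,PrincipalObjectId,PrincipalType
env-prod,role-sysadmin,admin1@domain.com,User
env-prod,role-basic,user1@domain.com,User
env-prod,role-basic,user2@domain.com,User
env-prod,role-basic,user3@domain.com,User
'@ | ConvertFrom-Csv

$current = @'
EnvironmentName,RoleId,PrincipalObjectId,PrincipalType
env-prod,role-sysadmin,admin1@domain.com,User
env-prod,role-sysadmin,user2@domain.com,User
env-prod,role-basic,user1@domain.com,User
env-prod,role-basic,USER2@domain.com,User
'@ | ConvertFrom-Csv

function Get-RoleAssignmentDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Approved,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # Reduce each row to one normalised key so that differences in letter
    # case or stray whitespace are not reported as drift.
    $toKey = {
        param($row)
        ($row.EnvironmentName, $row.RoleId, $row.PrincipalObjectId, $row.PrincipalType |
            ForEach-Object { "$_".Trim().ToLowerInvariant() }) -join '|'
    }
    $approvedByKey = @{}
    foreach ($row in $Approved) { $approvedByKey[(& $toKey $row)] = $row }
    $currentByKey = @{}
    foreach ($row in $Current) { $currentByKey[(& $toKey $row)] = $row }
    # Present in the export but not in the baseline: a grant nobody approved.
    foreach ($key in $currentByKey.Keys) {
        if (-not $approvedByKey.ContainsKey($key)) {
            $currentByKey[$key] | Select-Object @{ n = 'Finding'; e = { 'Unapproved' } }, *
        }
    }
    # In the baseline but absent from the export: the baseline is stale.
    foreach ($key in $approvedByKey.Keys) {
        if (-not $currentByKey.ContainsKey($key)) {
            $approvedByKey[$key] | Select-Object @{ n = 'Finding'; e = { 'Missing' } }, *
        }
    }
}

Get-RoleAssignmentDrift -Approved $approved -Current $current | Format-Table -AutoSize
```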


Step 9: Disconnect from Power Platform

Once done, disconnect the session:

Remove-PowerAppsAccount
