In Power Platform, managing and verifying user access levels is crucial to ensure security and compliance. Using PowerShell, administrators can automate the process of checking user roles, permissions, and security groups across Power Apps, Power Automate, and Dataverse.
This guide will cover:
Connecting to Power Platform Admin Center using PowerShell
Listing all users in a Power Platform environment
Checking security roles assigned to users
Verifying Dataverse access levels
Checking Microsoft 365 and Power Platform licenses
Step 1: Prerequisites
Before checking user access, ensure the following:
1. Install Power Platform PowerShell Modules
If not installed, run:
Install-Module -Name Microsoft.PowerPlatform.Administration -Scope CurrentUser -Force
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser -Force
Install-Module -Name AzureAD -Scope CurrentUser -Force # Needed for user role verification
2. Connect to Power Platform
Run the following command and log in with an admin account:
Add-PowerAppsAccount
Now you’re connected!
Step 2: List All Users in an Environment
To get all users in a specific Power Platform environment, run:
Get-AdminPowerAppEnvironmentUser -EnvironmentName "Default-12345"
To format output with Display Name and Email:
Get-AdminPowerAppEnvironmentUser -EnvironmentName "Default-12345" | Select-Object DisplayName, UserPrincipalName
All users in the environment are listed!
Step 3: Check Security Roles Assigned to Users
To check user roles in an environment, run:
Get-AdminPowerAppRoleAssignment -EnvironmentName "Default-12345"
For a specific user, filter by email:
Get-AdminPowerAppRoleAssignment -EnvironmentName "Default-12345" | Where-Object { $_.UserPrincipalName -eq "user@example.com" }
User roles are displayed!
Step 4: Check User Permissions in Dataverse
List all users with Dataverse access:
Get-CdsUsers -EnvironmentName "Default-12345" | Select-Object FullName, InternalEmailAddress, IsDisabled
Get roles assigned to a specific user:
Get-CdsUserRoles -EnvironmentName "Default-12345" -UserPrincipalName "user@example.com"
Dataverse permissions verified!
Step 5: Check User Licenses in Power Platform
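To check if a user has a Power Platform license, sign in with the AzureAD module and list the user's license details:
Connect-AzureAD
Get-AzureADUserLicenseDetail -ObjectId "user@example.com"
For all users:
# -All $true returns every user instead of only the first page of results
Get-AzureADUser -All $true | ForEach-Object { Get-AzureADUserLicenseDetail -ObjectId $_.ObjectId }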
User licenses retrieved!
Step 6: Generate a User Access Report
To export user access details to CSV, use:
$envName = "Default-12345"
$users = Get-AdminPowerAppEnvironmentUser -EnvironmentName $envName | Select-Object DisplayName, UserPrincipalName
$roles = Get-AdminPowerAppRoleAssignment -EnvironmentName $envName | Select-Object UserPrincipalName, RoleName

# Combine user and role data
$userReport = $users | ForEach-Object {
    $user = $_
    $userRoles = $roles | Where-Object { $_.UserPrincipalName -eq $user.UserPrincipalName } | Select-Object -ExpandProperty RoleName
    [PSCustomObject]@{
        DisplayName = $user.DisplayName
        Email       = $user.UserPrincipalName
        Roles       = ($userRoles -join ", ")
    }
}

# Export to CSV
$userReport | Export-Csv -Path "C:\PowerPlatformUserAccessReport.csv" -NoTypeInformation
Write-Host "User Access Report Generated: C:\PowerPlatformUserAccessReport.csv"
User Access Report is now automated!
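Once the report exists, it can be reviewed automatically. The following is an added example, not part of the original guide: it reads rows in the shape of the Step 6 report (DisplayName, Email, Roles) and flags users who hold a privileged role without being on an approved list, and users with no roles at all. The function name Get-AccessFinding, the sample rows, the list of privileged role names and the approved-admin list are all assumptions made for illustration.

```powershell
# Constructed sample rows in the shape produced by the Step 6 report.
# For a real review, replace this with: Import-Csv -Path <report path>
$report = @'
DisplayName,Email,Roles
Alice Admin,alice@example.com,"System Administrator, Basic User"
Bob Maker,bob@example.com,"Environment Maker"
Carol Contractor,carol@example.com,"System Customizer"
Dave Idle,dave@example.com,""
'@ | ConvertFrom-Csv

# Assumptions: which role names count as privileged, and who may hold them.
$privilegedRoles = @('System Administrator', 'System Customizer')
$approvedAdmins  = @('alice@example.com')

# Hypothetical helper: classifies each report row for an access review.
function Get-AccessFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Report,
        [string[]] $PrivilegedRoles,
        [string[]] $ApprovedAdmins
    )
    foreach ($row in $Report) {
        # The report joins roles with ", ", so split them back into a list.
        $roles = @($row.Roles -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $held  = @($roles | Where-Object { $PrivilegedRoles -contains $_ })

        $finding = if ($roles.Count -eq 0) {
            'NoRolesAssigned'            # account in the environment with nothing assigned
        } elseif ($held.Count -gt 0 -and $ApprovedAdmins -notcontains $row.Email) {
            'UnapprovedPrivilegedRole'   # privileged role held by someone not on the list
        } else {
            'OK'
        }

        [PSCustomObject]@{
            Email           = $row.Email
            PrivilegedRoles = ($held -join ', ')
            Finding         = $finding
        }
    }
}

# Show only the rows that need attention.
Get-AccessFinding -Report $report -PrivilegedRoles $privilegedRoles -ApprovedAdmins $approvedAdmins |
    Where-Object Finding -ne 'OK' |
    Format-Table -AutoSize
```

With the constructed rows above, carol@example.com is reported as UnapprovedPrivilegedRole and dave@example.com as NoRolesAssigned.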