Managing External Users in Power Platform using PowerShell

External users (guests) in Power Platform can access Power Apps, Power Automate, and Dataverse when invited via Azure AD B2B. Managing these users efficiently using PowerShell ensures security and governance.

This guide covers:
Listing all external users
Adding an external user to Power Platform
Assigning security roles to external users
Removing an external user


Step 1: Prerequisites

1. Install Required PowerShell Modules

Ensure you have the required PowerShell modules installed:

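# AzureAD: guest lookup, invitation and removal cmdlets
Install-Module -Name AzureAD -Force
# Microsoft.Xrm.Data.PowerShell: Dataverse cmdlets used in Step 4
Install-Module -Name Microsoft.Xrm.Data.PowerShell -Force
# Power Platform administration cmdlets (Add-PowerAppsAccount)
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force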

2. Connect to Power Platform and Azure AD

Run the following commands to authenticate:

Connect-AzureAD
Add-PowerAppsAccount

Now you are connected to Azure AD and Power Platform.


Step 2: List All External Users in Power Platform

To find all external users (guests), use:

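# -All $true pages through every result; without it only the first page of guests is returned
Get-AzureADUser -All $true -Filter "UserType eq 'Guest'" | Select-Object DisplayName, UserPrincipalName, ObjectId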

This command retrieves all guest users in your organization.
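
An added example (not from the original guide): a function that takes the guest objects listed above and flags invitations that were never redeemed, so they can be reviewed. It assumes the UserState and UserStateChangedOn properties that the AzureAD module returns on guest objects; the function name Get-GuestReviewFinding, the 30-day threshold and the sample accounts are hypothetical.

```powershell
# Added example: classify guest accounts for an access review.
function Get-GuestReviewFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Guest,
        [int]$PendingDays = 30,          # assumed threshold; set per policy
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # UserStateChangedOn may arrive as a string or a DateTime
        $changed = $null
        if ($Guest.UserStateChangedOn) {
            $changed = ([datetime]$Guest.UserStateChangedOn).ToUniversalTime()
        }
        if ($Guest.UserState -eq 'PendingAcceptance') {
            # A pending invitation with no timestamp is treated as stale
            $ageDays = if ($changed) { ($AsOf.ToUniversalTime() - $changed).TotalDays } else { [double]::MaxValue }
            $finding = if ($ageDays -gt $PendingDays) { 'StaleInvitation' } else { 'AwaitingAcceptance' }
        } elseif ($Guest.UserState -eq 'Accepted') {
            $finding = 'OK'
        } else {
            $finding = 'NoInvitationState'   # guest not created through an invitation
        }
        [pscustomobject]@{
            DisplayName       = $Guest.DisplayName
            UserPrincipalName = $Guest.UserPrincipalName
            ObjectId          = $Guest.ObjectId
            UserState         = $Guest.UserState
            Finding           = $finding
        }
    }
}

# Constructed sample objects (not real accounts) so the function runs offline
$sample = @(
    [pscustomobject]@{ DisplayName = 'Guest A'; UserPrincipalName = 'a_example.com#EXT#@contoso.onmicrosoft.com'; ObjectId = '00000000-0000-0000-0000-00000000000a'; UserState = 'Accepted'; UserStateChangedOn = '2024-01-10T09:00:00Z' }
    [pscustomobject]@{ DisplayName = 'Guest B'; UserPrincipalName = 'b_example.com#EXT#@contoso.onmicrosoft.com'; ObjectId = '00000000-0000-0000-0000-00000000000b'; UserState = 'PendingAcceptance'; UserStateChangedOn = '2024-01-15T09:00:00Z' }
    [pscustomobject]@{ DisplayName = 'Guest C'; UserPrincipalName = 'c_example.com#EXT#@contoso.onmicrosoft.com'; ObjectId = '00000000-0000-0000-0000-00000000000c'; UserState = 'PendingAcceptance'; UserStateChangedOn = '2024-05-20T09:00:00Z' }
)
# Guest A -> OK, Guest B -> StaleInvitation, Guest C -> AwaitingAcceptance
$sample | Get-GuestReviewFinding -AsOf ([datetime]'2024-06-01') | Format-Table DisplayName, UserState, Finding

# Live tenant, after Connect-AzureAD:
# Get-AzureADUser -All $true -Filter "UserType eq 'Guest'" | Get-GuestReviewFinding
```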


Step 3: Add an External User to Power Platform

To invite an external user, set $externalUserEmail and $displayName in the script below:

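$externalUserEmail = "guestuser@example.com"
$displayName = "Guest User"
$inviteMessage = "You have been invited to access Power Platform resources."

# Attach the custom text to the invitation email
$messageInfo = New-Object Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$messageInfo.CustomizedMessageBody = $inviteMessage

New-AzureADMSInvitation -InvitedUserEmailAddress $externalUserEmail `
    -InvitedUserDisplayName $displayName `
    -InvitedUserMessageInfo $messageInfo `
    -SendInvitationMessage $true `
    -InviteRedirectUrl "https://powerapps.microsoft.com" `
    -InvitedUserType Guest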

The external user receives an email invitation.


Step 4: Assign Security Roles to External Users in Dataverse

Once the user accepts the invitation, assign security roles:

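# Requires the Microsoft.Xrm.Data.PowerShell module; sign in to the target environment first
Connect-CrmOnlineDiscovery -InteractiveMode

$guestUserId = "<Azure AD Object ID of the Guest User>"
$roleId = "<Dataverse Security Role ID>"

# Dataverse keys users by systemuserid, so resolve it from the Azure AD object ID
$guest = (Get-CrmRecords -EntityLogicalName systemuser `
    -FilterAttribute azureactivedirectoryobjectid -FilterOperator eq `
    -FilterValue $guestUserId -Fields systemuserid).CrmRecords[0]

# systemuserroles is an intersect table: associate the role instead of creating a record
Add-CrmSecurityRoleToUser -UserId $guest.systemuserid -SecurityRoleId $roleId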

This grants Dataverse access based on the assigned role.


Step 5: Remove an External User from Power Platform

To remove an external user:

$guestUserId = "<Azure AD Object ID of the Guest User>"
Remove-AzureADUser -ObjectId $guestUserId

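This deletes the guest account from Azure AD, which revokes the user’s access to Power Platform along with every other resource in the tenant.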
