Power Apps deployment needs to be controlled to prevent unauthorized applications from being published in production environments. Using PowerShell, administrators can restrict app deployment, allowing only approved users or security groups to deploy apps.
What You’ll Learn:
- Connecting to Power Platform using PowerShell
- Retrieving a list of all Power Apps
- Restricting app deployment by environment
- Blocking specific users from deploying apps
- Automating deployment restrictions
Step 1: Prerequisites
1. Install Required PowerShell Modules
Ensure you have the necessary modules installed:
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force
Install-Module -Name Microsoft.PowerApps.PowerShell -Force
2. Connect to Power Platform
Authenticate using your admin account:
Add-PowerAppsAccount
Now you can manage Power Apps using PowerShell.
Step 2: Retrieve All Power Apps
To list all Power Apps in your tenant:
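Get-AdminPowerApp | Select-Object DisplayName, AppName, EnvironmentName, @{Name='Owner'; Expression={$_.Owner.displayName}}, CreatedTime, LastModifiedTime
This retrieves all apps along with each owner's name. Get-AdminPowerApp returns the owner as a nested Owner object (id, displayName, email, userPrincipalName) rather than a CreatedBy field, so the calculated property flattens it for display.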
Step 3: Restrict Deployment by Environment
To allow only certain environments for deployment, identify environment IDs first:
Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName
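Let’s assume we allow deployment only in ‘Production’ and restrict ‘Test’ and ‘Development’ environments. The EnvironmentName property holds the environment ID, not the display name, so the script resolves the display names to IDs before filtering. Use this script:
# Display names exactly as shown by Get-AdminPowerAppEnvironment
$restrictedEnvironments = @("Test", "Development")
# Resolve display names to environment IDs (the EnvironmentName property)
$restrictedIds = (Get-AdminPowerAppEnvironment | Where-Object { $_.DisplayName -in $restrictedEnvironments }).EnvironmentName
$apps = Get-AdminPowerApp | Where-Object { $_.EnvironmentName -in $restrictedIds }
foreach ($app in $apps) {
    Write-Output "Blocking deployment of '$($app.DisplayName)' in '$($app.EnvironmentName)'"
    # Deletes the app from the restricted environment
    Remove-AdminPowerApp -AppName $app.AppName -EnvironmentName $app.EnvironmentName -Confirm:$false
}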
This removes apps deployed in unauthorized environments.
Step 4: Block Specific Users from Deploying Apps
To restrict app deployment for specific users, first retrieve each app's owner (the Owner property, which is the creator unless ownership was reassigned):
Get-AdminPowerApp | Select-Object DisplayName, AppName, @{Name='Owner'; Expression={$_.Owner.email}}
Then, define a list of restricted users and remove their apps so they are no longer published:
$restrictedUsers = @("user1@domain.com", "user2@domain.com")
# Match on the owner's e-mail address; Owner is a nested object, not a string
$apps = Get-AdminPowerApp | Where-Object { $_.Owner.email -in $restrictedUsers }
foreach ($app in $apps) {
    Write-Output "Blocking deployment of '$($app.DisplayName)' created by '$($app.Owner.email)'"
    Remove-AdminPowerApp -AppName $app.AppName -EnvironmentName $app.EnvironmentName -Confirm:$false
}
This removes the apps owned by the listed users.
Step 5: Restrict Power Apps Deployment to Security Groups
To restrict deployment only to approved security groups, first get your group ID (this uses the Microsoft Graph PowerShell module and an active Connect-MgGraph session):
Get-MgGroup -Filter "DisplayName eq 'PowerApps_Approved_Developers'"
Now, block all users except members of this group:
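$allowedGroup = "PowerApps_Approved_Developers"
# -GroupId expects the group's object ID, not its display name
$groupId = (Get-MgGroup -Filter "DisplayName eq '$allowedGroup'").Id
# Compare on object IDs; member objects do not reliably expose Mail as a top-level property
$memberIds = @(Get-MgGroupMember -GroupId $groupId -All | Select-Object -ExpandProperty Id)
# Stop if the lookup failed: an empty list would match, and delete, every app in the tenant
if ($memberIds.Count -eq 0) { throw "No members found for group '$allowedGroup'" }
$apps = Get-AdminPowerApp | Where-Object { $_.Owner.id -notin $memberIds }
foreach ($app in $apps) {
    Write-Output "Blocking deployment of '$($app.DisplayName)' created by unauthorized user '$($app.Owner.email)'"
    Remove-AdminPowerApp -AppName $app.AppName -EnvironmentName $app.EnvironmentName -Confirm:$false
}
This removes every app whose owner is not a member of the approved group, so only approved users' apps remain deployed.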
Step 6: Automate Deployment Restrictions
To enforce restrictions automatically, schedule the script in Task Scheduler:
- Open Task Scheduler
- Click Create Basic Task
- Set recurrence to daily or weekly
- Choose Start a Program → PowerShell.exe
- Add script path:
-File "C:\Scripts\Restrict_Deployment.ps1"
- Click Finish
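Now the script runs on the chosen schedule and removes unauthorized apps each time it executes; apps published between runs stay available until the next run. The scheduled script has to authenticate on its own, because nobody is present to answer the interactive Add-PowerAppsAccount prompt from Step 1.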
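A report-only version of the checks from Steps 3 to 5, as an added example that is not part of the original article: it lists which apps violate the policy and why, so the result can be reviewed before any Remove-AdminPowerApp call is scheduled. The names Get-AppPolicyViolation and New-SampleApp, the parameter names and all sample IDs are hypothetical; app objects are assumed to expose EnvironmentName and a nested Owner (id, email), as Get-AdminPowerApp output does.

```powershell
# Added example: report policy violations; nothing is deleted here.
function Get-AppPolicyViolation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Apps,
        [string[]] $RestrictedEnvironmentIds = @(),
        [string[]] $RestrictedOwnerEmails = @(),
        [string[]] $AllowedOwnerIds   # omit to skip the group check
    )
    # Fail closed: an empty allow-list would flag every app in the tenant.
    if ($PSBoundParameters.ContainsKey('AllowedOwnerIds') -and -not $AllowedOwnerIds) {
        throw 'AllowedOwnerIds is empty; the group lookup probably failed.'
    }
    foreach ($app in $Apps) {
        $reasons = @()
        if ($app.EnvironmentName -in $RestrictedEnvironmentIds) { $reasons += 'RestrictedEnvironment' }
        if ($app.Owner.email -in $RestrictedOwnerEmails) { $reasons += 'RestrictedOwner' }
        if ($AllowedOwnerIds -and $app.Owner.id -notin $AllowedOwnerIds) { $reasons += 'OwnerNotInApprovedGroup' }
        if ($reasons) {
            [pscustomobject]@{
                DisplayName     = $app.DisplayName
                AppName         = $app.AppName
                EnvironmentName = $app.EnvironmentName
                Owner           = $app.Owner.email
                Reasons         = $reasons -join ';'
            }
        }
    }
}

# Constructed sample objects shaped like Get-AdminPowerApp output (all IDs are made up).
function New-SampleApp($Name, $AppId, $EnvId, $OwnerId, $OwnerEmail) {
    [pscustomobject]@{ DisplayName = $Name; AppName = $AppId; EnvironmentName = $EnvId
                       Owner = [pscustomobject]@{ id = $OwnerId; email = $OwnerEmail } }
}
$sampleApps = @(
    New-SampleApp 'Expenses'   'app-0001' 'env-prod-0001' 'user-aaa' 'alice@domain.com'
    New-SampleApp 'Scratch'    'app-0002' 'env-test-0002' 'user-bbb' 'bob@domain.com'
    New-SampleApp 'Shadow CRM' 'app-0003' 'env-prod-0001' 'user-ccc' 'user1@domain.com'
)
$policy = @{
    RestrictedEnvironmentIds = @('env-test-0002')
    RestrictedOwnerEmails    = @('user1@domain.com')
    AllowedOwnerIds          = @('user-aaa', 'user-bbb')
}
# In a tenant: -Apps (Get-AdminPowerApp), with IDs resolved from Graph and Get-AdminPowerAppEnvironment.
Get-AppPolicyViolation -Apps $sampleApps @policy | Format-Table -AutoSize
```

Run this on a schedule first and review the Reasons column; pass the reviewed rows to the removal step only once the report matches what you expect.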