Anonymous access unexpectedly granted

In Power Pages (formerly Power Apps portals), anonymous access means a visitor reaches portal content without signing in. Anonymous access is normal for public-facing content, but in Power Pages every web page is public by default: unless an access control rule restricts it, anyone can read it, and every visitor who is not signed in is automatically treated as a member of the Anonymous Users web role. "Unexpected anonymous access" therefore almost always means that a page, list or form which should have been limited to signed-in users (or to a specific web role) has no effective restriction, rather than that some authentication feature has been switched off.

Here’s a step-by-step guide to troubleshoot and resolve the issue of unexpected anonymous access:


Step 1: Check Portal Authentication Settings

Power Pages has no single switch that turns anonymous access on or off, so the first step is to confirm which sign-in methods are live and which web role represents unauthenticated visitors. Everything in later steps hangs off that role.

A. Review Portal Authentication Settings

  1. Open Power Pages (make.powerpages.microsoft.com), select the site, and in the design studio open the Set up workspace > Identity providers.
  2. Note which providers are configured (for example Microsoft Entra ID, formerly Azure AD, Azure AD B2C, Google, or Facebook) and whether local username/password sign-in is enabled.
  3. Open the Portal Management app (Power Pages Management in newer environments) and go to Web Roles. Exactly one role should have Anonymous Users Role = Yes (usually named Anonymous Users) and exactly one should have Authenticated Users Role = Yes. Every unauthenticated visitor is treated as a member of the first; every signed-in contact is a member of the second.
  4. Keep in mind that a web page is readable by everyone until a Restrict Read access control rule (Step 3) limits it, and list or form data is readable by everyone the table permissions allow (Step 4). Disabling an identity provider does not make any page less public.

Step 2: Review Permissions for Web Roles

Web roles are the unit to which access control rules and table permissions are attached. If the Anonymous Users role is associated with a rule or permission that protects restricted content, that content is reachable without signing in.

A. Check Permissions for Web Roles

  1. In Portal Management, open Web Roles.
  2. Open the role that has Anonymous Users Role = Yes.
  3. Review its related records: Web Page Access Control Rules and Table Permissions (called Entity Permissions in older portals). Everything listed here is reachable without signing in.
  4. Remove the role from any Restrict Read rule or table permission that protects sensitive content. A Restrict Read rule that includes the Anonymous Users role restricts nothing.
  5. Check that no other role has the Anonymous Users Role flag set by mistake; a custom role with that flag is silently applied to every visitor.

B. Restrict Permissions for Anonymous Users

  • Give the Anonymous Users role table permissions only on tables that are meant to be public, and only with the privileges a public page needs: typically Create on a contact or feedback table, or Read on reference data. The role cannot use the Contact, Account or Self scopes (there is no signed-in contact to scope to), so any Read permission it holds is effectively a Global read of that table.
  • Associate Restrict Read rules and table permissions with the Authenticated Users role when content should be visible to any signed-in user, and with a dedicated role assigned to specific contacts when it should not. Bear in mind that if self-registration is open (Step 6), "any signed-in user" means anyone on the internet who fills in the registration form.

Step 3: Check Web Page Permissions

Web page visibility is controlled by Web Page Access Control Rules. A page with no applicable Restrict Read rule is public, whatever its parent, template or name suggests.

A. Review Web Page Permissions

  1. In Portal Management, open Web Pages and find the root web page that should be restricted (rules attach to the root page, not to the localized content page).
  2. In the page's related records, open Access Control Rules.
  3. If no rule of type Restrict Read applies to the page or to any of its ancestors, the page is public. Create one: Right = Restrict Read, Web Page = the page, Scope = All Content (so child pages and web files inherit it), and associate the roles that may read it (Authenticated Users, or a narrower role).
  4. If a Restrict Read rule already exists, check its associated web roles: the Anonymous Users role must not be among them.
  5. Remember inheritance in both directions: a Restrict Read rule on a parent page also protects its children, but a page that is moved under a different parent loses that protection, and a child with its own rule must still be checked separately.

B. Use Access Control Rules Consistently

  • Use Restrict Read for visibility and Grant Change only for roles that may edit the page through the front-side editor. Grant Change does not restrict reading, so a page that has only a Grant Change rule is still public to anonymous visitors.

Step 4: Verify Forms and Lists

Lists and forms render Dataverse rows, and their visibility is governed by table permissions rather than by the page rule alone. A public page that hosts a list with a permissive table permission exposes that table's data to every visitor.

A. Review Form and List Permissions

  1. In Portal Management, open Lists and Basic Forms (Entity Lists and Entity Forms in older portals) and, for each one, note the table it displays and the page it is placed on.
  2. Lists and forms enforce table permissions (older portals had an Enable Table Permissions check box on the list or form; make sure it is ticked wherever it still exists). Open Table Permissions and review every permission associated with the Anonymous Users role.
  3. Anonymous users need Read only where the data is genuinely public. A contact or feedback form normally needs Create without Read, so a visitor can submit a record but cannot list existing submissions.
  4. If the form or list should be limited to signed-in users, associate its table permission with the Authenticated Users role or a dedicated role, and confirm that the hosting page has a Restrict Read rule (Step 3); otherwise the table permission is the only control left.
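The following script is an added example, not code from the original article or from Microsoft. It models the checks in Steps 2 to 4 offline: a page is readable anonymously when no Restrict Read rule applies to it or any ancestor, or when an applicable rule includes the Anonymous Users role (assumption: with several applicable rules, one that includes the anonymous role is reported as exposure, the conservative choice for an audit); a table permission that grants Read to the Anonymous Users role exposes that table. The dataclasses are a simplified, constructed view of the adx_webpage, adx_webpageaccesscontrolrule, adx_webrole and adx_entitypermission records; how you export those records (for example via the Dataverse Web API) and map them onto these fields is assumed, and the sample site at the bottom is constructed.

```python
"""Offline audit of a Power Pages site for anonymous exposure (added example).

Record shapes are a constructed, simplified view of the Power Pages
configuration tables; exporting and mapping them is assumed, not shown.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class WebRole:
    name: str
    anonymous_users_role: bool = False      # adx_anonymoususersrole flag


@dataclass
class WebPage:
    name: str
    path: str
    parent: Optional[str] = None            # name of the parent page


@dataclass
class AccessControlRule:
    page: str                               # page the rule is attached to
    right: str                              # "Restrict Read" or "Grant Change"
    roles: Set[str]                         # associated web role names


@dataclass
class TablePermission:
    table: str
    scope: str                              # Global, Contact, Account, Parent, Self
    read: bool
    roles: Set[str]


def page_chain(page: WebPage, by_name: Dict[str, WebPage]) -> List[str]:
    """Names of the page and every ancestor, nearest first (rule inheritance)."""
    chain, current = [], page
    while current is not None:
        chain.append(current.name)
        current = by_name.get(current.parent) if current.parent else None
    return chain


def anonymous_readable_pages(pages, rules, roles) -> Dict[str, str]:
    """Map each anonymously readable page path to the reason it is readable."""
    by_name = {p.name: p for p in pages}
    anon_roles = {r.name for r in roles if r.anonymous_users_role}
    readable = {}
    for page in pages:
        chain = page_chain(page, by_name)
        applicable = [r for r in rules if r.right == "Restrict Read" and r.page in chain]
        if not applicable:                       # Grant Change alone restricts nothing
            readable[page.path] = "no Restrict Read rule on the page or its ancestors"
        elif any(r.roles & anon_roles for r in applicable):   # assumption, see lead-in
            readable[page.path] = "a Restrict Read rule includes the Anonymous Users role"
    return readable


def anonymous_table_reads(perms, roles) -> List[Tuple[str, str]]:
    """(table, scope) pairs on which the Anonymous Users role has Read."""
    anon_roles = {r.name for r in roles if r.anonymous_users_role}
    return [(p.table, p.scope) for p in perms if p.read and p.roles & anon_roles]


def audit(pages, rules, roles, perms, expected_public: Set[str]):
    """Pages readable anonymously that are not on the allow-list, and exposed tables."""
    readable = anonymous_readable_pages(pages, rules, roles)
    unexpected = {path: why for path, why in readable.items() if path not in expected_public}
    return unexpected, anonymous_table_reads(perms, roles)


# Constructed sample configuration, not taken from a real site.
ROLES = [WebRole("Anonymous Users", anonymous_users_role=True),
         WebRole("Authenticated Users"), WebRole("Case Managers")]
PAGES = [WebPage("Home", "/"),
         WebPage("Contact Us", "/contact-us", parent="Home"),
         WebPage("Customer Portal", "/portal", parent="Home"),
         WebPage("My Cases", "/portal/cases", parent="Customer Portal"),
         WebPage("Internal Reports", "/reports", parent="Home")]
RULES = [AccessControlRule("Customer Portal", "Restrict Read", {"Authenticated Users"}),
         # Misconfigured: the anonymous role was added to a restricted page.
         AccessControlRule("Internal Reports", "Restrict Read", {"Case Managers", "Anonymous Users"}),
         AccessControlRule("Home", "Grant Change", {"Case Managers"})]
PERMS = [TablePermission("incident", "Contact", read=True, roles={"Authenticated Users"}),
         TablePermission("feedback", "Global", read=False, roles={"Anonymous Users"}),
         # Misconfigured: anonymous Read on notes exposes every attachment.
         TablePermission("annotation", "Global", read=True, roles={"Anonymous Users"})]
EXPECTED_PUBLIC = {"/", "/contact-us"}

if __name__ == "__main__":
    pages, tables = audit(PAGES, RULES, ROLES, PERMS, EXPECTED_PUBLIC)
    for path, why in pages.items():
        print(f"UNEXPECTED anonymous read: {path} ({why})")
    for table, scope in tables:
        print(f"Anonymous Read on table {table} (scope {scope})")
```

In the sample, /portal and /portal/cases are correctly protected by the inherited rule, /reports is reported because its rule includes the anonymous role, and the annotation table is reported while the feedback table (Create only) is not; that is the distinction Step 4 draws between a public contact form and public data.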

Step 5: Check Authentication Provider Configuration

If an external provider (Microsoft Entra ID, Azure AD B2C, Google, Facebook and so on) is misconfigured, sign-in fails and the visitor simply remains anonymous. That does not grant anonymous visitors any extra rights; it does mean that what they see is exactly what Steps 2 to 4 allow the Anonymous Users role to see, and users may report the result as "anonymous access" to content that was in fact never restricted.

A. Verify External Authentication Settings

  1. In the design studio, open Set up > Identity providers and confirm each provider's client ID, authority and redirect URI match what is registered at the provider.
  2. Sign in with a test account and confirm that a session is actually established (the portal shows the signed-in profile rather than silently returning you to the page as a visitor).
  3. If sign-in silently fails and restricted content is still visible, the content was never restricted: fix the Restrict Read rule (Step 3) or table permission (Step 4), not only the provider.
  4. Check whether self-registration is open (Step 6). If it is, an anonymous visitor can turn themselves into an Authenticated User in one step, so content restricted only to the Authenticated Users role is effectively public.

Step 6: Review Site Settings

Site settings contain no master switch for anonymous access, but several of them decide how easily an anonymous visitor can become an authenticated one, which matters whenever content is protected by the Authenticated Users role alone.

A. Check Site Settings for Authentication Control

  1. In Portal Management, open Site Settings and filter on names beginning with Authentication/.
  2. Review in particular:
    • Authentication/Registration/OpenRegistrationEnabled: when true, anyone can self-register a contact and sign in, becoming a member of the Authenticated Users role.
    • Authentication/Registration/LocalLoginEnabled and Authentication/Registration/ExternalLoginEnabled: which sign-in methods are live; a method you believed was disabled may still be accepting users.
  3. Set these to match your intent. If the content is sensitive, do not rely on the Authenticated Users role; restrict it to a dedicated web role that you assign to known contacts, or turn open registration off and invite contacts explicitly.

Step 7: Clear Cache and Re-publish Portal

Access control rules, table permissions and site settings are cached by the portal runtime, so a change made in Portal Management may not take effect for several minutes. While the cache is stale the old rules still apply: a newly created Restrict Read rule is not enforced, and a page that was public stays public.

A. Clear Cache

  1. Sign in to the portal with an account that holds the Administrators web role and open https://<your-site>/_services/about.
  2. Choose Clear cache. The cached configuration records are dropped and the next request rebuilds them from Dataverse.
  3. Alternatively, in the Power Pages design studio use Sync to push configuration changes to the site.
  4. Re-test (Step 8) only after the cache has been cleared; otherwise a fix that is correct in Portal Management can look as though it did nothing.

Step 8: Test the Portal

Finally, test the portal after making these adjustments to confirm that anonymous access is restricted as intended.

  1. Open the portal in a private/incognito window, a different browser, or with a command-line client that sends no cookies, so that no existing session is reused.
  2. Request the sensitive pages and forms by direct URL, including child pages and web files (documents) under a restricted parent; do not rely on navigation, since a page hidden from the menu is still reachable by URL.
  3. A page protected by a Restrict Read rule should redirect you to the sign-in page. A 200 response with the page's content means the page is still public.
  4. For lists and forms, check the rendered data as well as the page: a public page that shows an empty list may still leak rows once a table permission is widened, so confirm the table permission directly.
  5. Confirm that only the pages meant to be public are viewable anonymously, and that everything else requires sign-in.
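The script below automates the black-box part of this step. It is an added example, not code from the original article or from Microsoft: each URL is fetched with an unauthenticated GET, no cookies and redirects disabled, and the response is classified. It assumes that a page protected by a Restrict Read rule answers with a redirect to the site's default /SignIn page, and that the allow-list of public paths is something you maintain; the base URL and paths in the usage block are placeholders. Run it only against sites you are authorised to test, and after clearing the cache (Step 7).

```python
"""Probe a Power Pages site as an anonymous visitor (added example).

Assumes the default /SignIn path; a 200 on a path that is not on the public
allow-list is the unexpected anonymous access this article is about.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 302 itself is observed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch(url: str, timeout: float = 10.0):
    """Unauthenticated GET with no cookies; returns (status, Location or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "anon-access-probe"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # urllib raises for 3xx/4xx/5xx here
        return err.code, err.headers.get("Location")


def classify(status: int, location):
    """Turn a raw response into a verdict about anonymous readability."""
    if status in (301, 302, 303, 307, 308) and location \
            and urlparse(location).path.lower().rstrip("/").endswith("/signin"):
        return "requires-signin"
    if status == 200:
        return "readable"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"
    return f"other-{status}"


def probe(base_url: str, paths, expected_public, fetcher=fetch):
    """Return (path, problem) pairs where observed access differs from intent."""
    findings = []
    for path in paths:
        status, location = fetcher(urljoin(base_url, path))
        verdict = classify(status, location)
        if verdict == "readable" and path not in expected_public:
            findings.append((path, "UNEXPECTED: readable without sign-in"))
        elif verdict != "readable" and path in expected_public:
            findings.append((path, f"public page is not readable ({verdict})"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py https://<your-site>/")
    # Placeholder paths and allow-list; replace with your own site map.
    PATHS = ["/", "/contact-us", "/portal", "/portal/cases", "/reports"]
    PUBLIC = {"/", "/contact-us"}
    for path, problem in probe(sys.argv[1], PATHS, PUBLIC):
        print(f"{path}: {problem}")
```

The `fetcher` parameter exists so the classification logic can be exercised against canned responses; in real use the default `fetch` is used. Because redirects are not followed, the script reports exactly what the server decided for an anonymous request rather than whatever the sign-in page returns.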
