If anonymous (non-authenticated) users can view data or access pages that are meant to be restricted to logged-in users, it’s a critical security issue in Power Pages. This can expose sensitive information unintentionally and defeat the purpose of role-based access.
This guide provides a step-by-step explanation on how to identify the root cause and prevent anonymous access to protected data in Power Pages.
Root Causes
- Incorrect Entity Permission Configuration
- Missing or Loose Web Page Access Control Rules
- Web Role assigned to Anonymous Users
- Entity List or Form not restricted properly
- Caching issue showing stale data
- JavaScript-based access control (which is not secure)
Step-by-Step Troubleshooting and Solution
Step 1: Identify the Affected Entity/List/Page
- Determine where the anonymous user can see restricted content:
- Is it an Entity List?
- Is it a Web Page that was supposed to be behind login?
- Is it a custom page using Liquid or FetchXML?
Step 2: Check Web Page Access Control Rules
- Open Portal Management App
- Navigate to Web Pages
- Open the specific Web Page
- Scroll to Access Control Rules
- Confirm it’s set to:
- Restrict Read Access
- Associated with the correct Web Role (e.g., Authenticated Users)
If there’s no rule, the page is publicly accessible.
Step 3: Check Entity Permissions
- Go to Entity Permissions in the Portal Management App
- Locate the permission assigned to the entity shown on the page
- Confirm:
- Scope is correct (Global, Contact, Account, etc.)
- Privileges include only what’s needed (e.g., Read)
- Web Role is not set to Anonymous Users
If “Anonymous Users” is listed here, remove it immediately to block public access.
Step 4: Validate Entity List Settings
- Go to Entity Lists
- Open the specific list in question
- Scroll to the Entity Permissions section
- Make sure:
- It’s checked: Enable Entity Permissions
- Permission is correctly linked to a non-anonymous role
If “Enable Entity Permissions” is unchecked, the list will be accessible to anyone.
Step 5: Check Entity Form Settings
If the issue involves a form:
- Go to Entity Forms
- Open the relevant form
- Ensure “Enable Entity Permissions” is turned on
- Verify the linked permission is not accessible by Anonymous Users
Step 6: Inspect Web Role Assignments
Make sure:
- Web Roles such as Authenticated Users, Admins, Employees, etc., are not assigned to Anonymous Users
- Navigate to Web Roles and confirm Anonymous Users is not linked with restricted permissions
Step 7: Look for JavaScript-Based Restrictions
If visibility or access control is implemented via JavaScript (e.g., hiding sections if not logged in), that is not secure.
Avoid this:
// INSECURE: the restricted markup has already been sent to the browser; this only hides it
if (!user.loggedIn) {
  document.getElementById("secret-section").style.display = "none";
}
Why? – The data has already been delivered to the browser and is merely hidden, so anyone can read it by inspecting the HTML. Access must be enforced server-side through Entity Permissions and Access Control Rules.
Step 8: Clear Cache
After making permission or role changes:
- Clear portal cache using:
https://<your-portal>.powerappsportals.com/_services/about
- Or, go to Portal Management > Portal Actions > Clear Config Cache
- Ask user to log out/in again
Best Practices to Prevent This
- Always enable Entity Permissions on all lists/forms showing Dataverse data
- Never assign restricted Entity Permissions to Anonymous Users
- Use Access Control Rules on Web Pages that should be private
- Use Web Roles and test access by logging in as different roles
- Periodically audit all Entity Permissions, Web Roles, and Page Rules
- Document and standardize access requirements during development
Example Scenario
Let’s say a support ticket list is showing to public users.
Fix:
- Go to Entity Lists > Open “Support Tickets”
- Ensure Entity Permission is enabled
- Check the linked permission is assigned to Authenticated Users
- Open Entity Permissions > Confirm “Support Ticket” has no permission for Anonymous Users
- Open Web Page > Assign Access Control Rule to hide page from anonymous access
- Clear cache and retest