Power Platform Canvas App only environment, app user permissions - security

I have been building canvas apps as part of solutions on non-default environments for a while.
Recently a customer required that the app be shared (to run, not edit) with an AAD security group's members.
The SG setup is as follows;
Image of SG setup
I imagined this to be simple and indeed I was able to 'Share' the canvas app with the SG.
However, users were unable to access the app even via a direct URL unless I gave them individual access.
I have spent many hours perusing the documentation and it seems that it is all aimed at 'Dynamics/CDS' environments.
The only way that i was able to share the app to them using the SG, was to create an environment DB add then to set the SG as the env SG.
Is that the correct approach?
It seems counter-intuitive because, according to MS, if an SG is not set to an environment, then all users can access the env?

First, make sure the group you are sharing with is really a security group or security-enabled M365 group.
You can't share an app with a distribution group in your organization or with a group outside your organization.
...
You can share an app with Microsoft 365 groups. However, the group must have security enabled
You can do that at Azure Portal:
Go to Azure AD Active Directory > Groups (direct URL)
Click [Columns] and add Security enabled column to the list
Find the group and make sure it is security-enabled
Also, make sure users have permissions to access and other resources
For a shared app to function as you expect, you must also manage permissions for the data source or sources on which the app is based, such as Microsoft Dataverse or Excel. You might also need to share other resources on which the app depends, such as flows, gateways, or connections.
Source: https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app

Related

SharePoint: How to allow devs to promote apps when they do not have designer or owner access

I am in a SP Online environment where users do not have owner access to their sites. This makes life difficult in several areas, one of them being the promotion of apps to the app catalog. I am in a very large organization and we are looking for the cleanest way to allow devs to promote their apps to their individual sites. We also don't want to clutter the tenant app catalog.
I have been investigating site collection app catalogs. I am assuming that - once the ability for the site to have apps is enabled - that I would need to give a dev elevated access to the site in order to publish apps directly to the site?
The second question is around apps that might belong on multiple sites. If I went this route (publishing to local apps) would it then be incumbent on the devs to publish to multiple sites in their pipeline using CLI?
Thank you in advance!

How to Access Microsoft PowerApp

I am using Microsoft Power App for the first time. I created a rudimentary app for others to use. However, whenever I try sharing my app with other people, they are unable to open it.
I am using OneDrive. I can see which data connections each user has, and it appears that they all have access to the OneDrive folder.
I have tried sharing the app and changing the users' permissions, but it did no good.
Check out https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app
After you build a canvas app that addresses a business need, specify which users in your organization can run the app and which can modify and even reshare it. Specify each user by name, or specify a security group in Azure Active Directory. If everyone would benefit from your app, specify that your entire organization can run it.
You can only share your app in your organization.

Which Identity option in IIS' Application Pool is considered best

Currently all of our web apps have their Application Pool Identity set to ApplicationPoolIdentity. Now, When an app needs to access some resources on some some server, say, add/read some file, the app performs impersonation in code to a user that has permissions to do this stuff. But now, we are contemplating to create a specific user for each app, and set its app pool identity to its specific new user. But I have noticed in the Advanced Settings dialog that Microsoft recommends to use the application pool identity, as shown in the following image:
Why does Microsoft recommends to use this identity, and is using a specific user is not best practice or a wrong move?
thanks,
ashilon
ApplicationPoolIdentity uses a concept called Virtual Accounts
and is implemented to have App Pool isolation.This blog explains
in detail about that .
ApplicationPoolIdentity is the recommended approach to have proper isolation between each website/application pool in IIS7+ onwards.So you can have code or files running for one website or app which cannot be accessed by no one else.
But for your scenario where you need to access resource on another server,When you use ApplicationPoolIdentity it uses the Machine identity only always.So the best approach is to use managed service account
Managed Service Accounts are a great way to manage Services
that need network access. Let Windows take care of passwords and SPNs
for you
Please find more information here ,here
But this has problem as only one managed service account can be assigned to one Server.Even with Application Pool identity,it will be using the $machineaccount to access network resources.
If network resources you have to isolate for each website/application,then your only way to create the separate User Account for each Websites and manage that.
Hope this helps!

How to separate development and production environments in Azure?

My company process sensitive data and needs to restrict access to production environment. How do I organize subscriptons and (storage) accounts so that I have separate environments?
I could have completely distinct subscriptions but I want to give some devs the power to deploy on production while others should only have access to development assets.
In my ideal world, I'd add individuals to security groups. Whenever a thw dev wants to deploy on production, he/she would use his/her credentials plus an extra confirmation step, like an otp. This way I'd avoid mistakes but still keep simple users management. Is that possible in azure?
Eventually what you are wanting to do will be possible, and is possible to some degree depending on the resource. As more of the features of Azure make it into the preview portal (portal.azure.com) they are showing up with Role Based Access Controls, which is what you are looking for. Unfortunately, right now not all of the resources are there and some are there without full RBAC baked in (such as storage accounts).
For now, the best bet is to still separate by subscription. If you need developers to have the ability to perform a deployment you can create a script that performs the deployment (using stored PowerShell credentials or secured management certs) and then give the developers the ability to execute the script.

Is it necessary to create an ACS with Azure Active Directory?

Is it required that I create my own Azure ACS if I want to use the Active Directory? Am I able to simply create a new application instance on the Active Directory Pane (on the Azure Management Console) without having an ACS to build on? I don't want to need to pay to create my own ACS niche.
I think you're talking about creating an "Access Control Namespace".
It actually isn't necessary to do so. You can register an application with Azure AD without having an ACN "niche" - having an ACN is something that is generally better for larger enterprise applications or those that have to handle requests on many different levels (with many different applications). So unless you're building something very large, there's no reason to set an ACN up on the Management Console (and you can continue to use everything for free with the AD functionality without an ACN). Hope this helps.

Resources