How to Access Microsoft PowerApp - ms-office

I am using Microsoft Power App for the first time. I created a rudimentary app for others to use. However, whenever I try sharing my app with other people, they are unable to open it.
I am using OneDrive. I can see which data connections each user has, and it appears that they all have access to the OneDrive folder.
I have tried sharing the app and changing the users' permissions, but it did no good.

Check out https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app
After you build a canvas app that addresses a business need, specify which users in your organization can run the app and which can modify and even reshare it. Specify each user by name, or specify a security group in Azure Active Directory. If everyone would benefit from your app, specify that your entire organization can run it.
You can only share your app in your organization.

Related

Power Platform Canvas App only environment, app user permissions

I have been building canvas apps as part of solutions on non-default environments for a while.
Recently a customer required that the app be shared (to run, not edit) with an AAD security group's members.
The SG setup is as follows:
Image of SG setup
I imagined this to be simple and indeed I was able to 'Share' the canvas app with the SG.
However, users were unable to access the app even via a direct URL unless I gave them individual access.
I have spent many hours perusing the documentation and it seems that it is all aimed at 'Dynamics/CDS' environments.
The only way that I was able to share the app with them using the SG was to create an environment DB and then to set the SG as the env SG.
Is that the correct approach?
It seems counter-intuitive because, according to MS, if an SG is not set to an environment, then all users can access the env?
First, make sure the group you are sharing with is really a security group or security-enabled M365 group.
You can't share an app with a distribution group in your organization or with a group outside your organization.
...
You can share an app with Microsoft 365 groups. However, the group must have security enabled.
You can do that at Azure Portal:
Go to Azure AD Active Directory > Groups (direct URL)
Click [Columns] and add Security enabled column to the list
Find the group and make sure it is security-enabled
Also, make sure users have permissions to access and other resources
For a shared app to function as you expect, you must also manage permissions for the data source or sources on which the app is based, such as Microsoft Dataverse or Excel. You might also need to share other resources on which the app depends, such as flows, gateways, or connections.
Source: https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app
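Added example, not part of the original answer: the same security-enabled check applied to group records as Microsoft Graph returns them (`securityEnabled`, `mailEnabled`, `groupTypes`), useful when many groups need auditing at once. The function names and sample records are constructed, and the rule encoded is only the one quoted above.

```python
# Classify Microsoft Graph group objects against the sharing rule quoted
# above: the group must be security-enabled; distribution groups cannot be used.

def sharing_eligibility(group):
    """Return (eligible, reason) for sharing a canvas app with this group."""
    security = bool(group.get("securityEnabled"))
    mail = bool(group.get("mailEnabled"))
    # Microsoft 365 groups carry "Unified" in groupTypes
    unified = "Unified" in (group.get("groupTypes") or [])

    if unified:
        if security:
            return True, "security-enabled Microsoft 365 group"
        return False, "Microsoft 365 group without security enabled"
    if security:
        return True, "mail-enabled security group" if mail else "security group"
    if mail:
        return False, "distribution group"
    return False, "neither security-enabled nor mail-enabled"


def audit(groups):
    """Map each group's display name to its (eligible, reason) verdict."""
    return {g["displayName"]: sharing_eligibility(g) for g in groups}


# Constructed sample, shaped like the "value" array returned by
# GET /groups?$select=displayName,securityEnabled,mailEnabled,groupTypes
SAMPLE_GROUPS = [
    {"displayName": "App-Users-SG", "securityEnabled": True,
     "mailEnabled": False, "groupTypes": []},
    {"displayName": "Project-Team", "securityEnabled": False,
     "mailEnabled": True, "groupTypes": ["Unified"]},
    {"displayName": "Project-Team-Sec", "securityEnabled": True,
     "mailEnabled": True, "groupTypes": ["Unified"]},
    {"displayName": "All-Staff-DL", "securityEnabled": False,
     "mailEnabled": True, "groupTypes": []},
]

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_GROUPS).items():
        print(f"{name:18} {'OK  ' if ok else 'FAIL'} {reason}")
```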

Unsure how to make an Azure AD app registration that can have its own onedrive folder

I am working on a project that needs to have a Onedrive folder that it owns where it can store and edit certain files. This folder also needs to be accessible through Onedrive to certain users in my organization.
I have created an App Registration in Azure AD, but can't figure out what permissions and configuration I need to achieve this. I know I can give it access to authenticate to a user and edit/create files on their behalf, but I don't want the folder/files to be associated with any particular user in the organization. How can I achieve this?
You might try creating and managing items using application credentials. Also take a look at permissions and shared for more information about making it accessible to others.
Are the files you're looking to store files that are visible to users or that are "data files" for your app? We don't currently recommend building apps that only store their own proprietary files rather than operating on visible user data. (It's a little more nuanced situation when you look at lists rather than libraries of files).
In general files that are expected to be shared among users without a single user owning them would be placed in a SharePoint site. You can then manage the permissions of the site to give access to the users that need the files. OneDrive for Business is specifically intended for files owned by an individual user.
At the moment we don't have provisioning APIs available through Microsoft Graph to create a site programmatically today, but you can look at the PnP Provisioning Engine for how to automate the process with legacy APIs, or if you really just need a single site you can create the site manually and then refer to it from your application.
The Drive API is the same whether you're accessing a OneDrive for Business or SharePoint site.

How can you monitor activity from an App in Azure?

I have built a web application that uses Microsoft Graph to connect to OneDrive to upload files to a user's drive.
The web application is registered in Azure under the App Registrations and is also in the Enterprise Applications, having been granted permissions by an administrator to access OneDrive.
There is a section in the Office365 Admin Console to run searches and raise email alerts, however, the user that appears to be performing the action just comes through as 'app#sharepoint', so we cannot monitor what the actual web application is doing because this is too general.
The question I have is, is there any way to specifically monitor what this app is doing, in terms of uploading files or reading files? I don't know if there is any way to set the user that the Enterprise App runs under, or if there is anything that the application can pass to identify itself?
To view a report on user specific activity details on OneDrive connected to via Graph to an app registered on Azure, use GET /reports/getOneDriveActivityUserDetail(period='{period_value}') or GET /reports/getOneDriveActivityUserDetail(date={date_value}).
You will however need Reports.Read.All application permission.
Please see the following documentation for a better understanding of the usage of this query: https://learn.microsoft.com/en-us/graph/api/reportroot-getonedriveactivityuserdetail?view=graph-rest-1.0#code-try-1
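Added example, not part of the original answer: building the request URL for the report above and parsing its CSV body into per-user activity totals. The column names follow the documented v1.0 CSV layout; the sample rows, addresses and function names are constructed, and fetching the report (with a token carrying Reports.Read.All) is left out so the block runs offline.

```python
import csv
import io

GRAPH = "https://graph.microsoft.com/v1.0"
VALID_PERIODS = ("D7", "D30", "D90", "D180")
COUNT_COLUMNS = (
    "Viewed Or Edited File Count",
    "Synced File Count",
    "Shared Internally File Count",
    "Shared Externally File Count",
)

def report_url(period):
    """Build the request URL; only the fixed period values are accepted."""
    if period not in VALID_PERIODS:
        raise ValueError("period must be one of " + ", ".join(VALID_PERIODS))
    return f"{GRAPH}/reports/getOneDriveActivityUserDetail(period='{period}')"

def parse_activity(csv_text):
    """Turn the CSV body into one dict per user with integer counts."""
    # Strip a leading byte-order mark so the first header name matches.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    rows = []
    for row in reader:
        counts = {c: int(row[c] or 0) for c in COUNT_COLUMNS}
        rows.append({
            "user": row["User Principal Name"],
            "last_activity": row["Last Activity Date"] or None,
            "total": sum(counts.values()),
            **counts,
        })
    return rows

def active_users(rows):
    """Users with any file activity in the period, busiest first."""
    hits = [(r["user"], r["total"]) for r in rows if r["total"] > 0]
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample response body (not real tenant data)
SAMPLE_CSV = "\ufeff" + """Report Refresh Date,User Principal Name,Is Deleted,Deleted Date,Last Activity Date,Viewed Or Edited File Count,Synced File Count,Shared Internally File Count,Shared Externally File Count,Assigned Products,Report Period
2024-05-01,alice@example.com,False,,2024-04-30,12,3,1,0,MICROSOFT 365 E3,7
2024-05-01,bob@example.com,False,,,0,0,0,0,MICROSOFT 365 E3,7
2024-05-01,carol@example.com,False,,2024-04-28,40,0,0,2,MICROSOFT 365 E3,7
"""

if __name__ == "__main__":
    print(report_url("D7"))
    for user, total in active_users(parse_activity(SAMPLE_CSV)):
        print(user, total)
```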

Security for a web app through Active Directory

Here is a situation I am currently addressing. I am working on a Web project with its security being tied up with the Active Directory. This means that, technically, when you add a user through the application, we are adding a new user to the Active Directory on the server. Now my question is: is this a good practice?
At this point I think of a vulnerability, which is that you could do a remote desktop on to the deployment server with the account you created through the application (please correct me if I am wrong). But I just want to confirm this before I inform my Architect.
Any suggestions will be deeply appreciated.
Awaiting your response.
If the web application has permission to create accounts in Active Directory, then this means that the web application presumably has an account with (possibly limited) administrative rights to the Active Directory domain. That could potentially be used for all sorts of bad things if you're not careful.
If you're going to proceed, then the first step, if you haven't already done so, is to delegate administrative rights to your web application's account so that it can only create accounts within a particular OU. See this article for details, or search Google for other descriptions.
You'll probably also want to set up Group Policy and group memberships to further restrict the newly created accounts (for example, disabling Remote Desktop), and you'll want to do so in a way that doesn't rely on the web application doing the right thing (as an extra layer of security in case the web application is compromised).
ServerFault would be a better place to find out about Active Directory's security model and how to best set up these various restrictions.
Finally, if you don't need to have users automatically created within your Active Directory domain, then you should consider other approaches. If you're only looking to use Active Directory as a stable, robust source of user authentication, for example, then you can use Active Directory Lightweight Directory Services (formerly known as Active Directory Application Mode) to get Active Directory's functionality without any effect on your domain's security.

Access network folder programmatically WSS 3.0 sharepoint

I want to create a web part which will contain a button. On click of that button, I want to access the network folder and apply the business logic, such as create a file/folder, delete a file/folder, etc.
I have created such a web part, but it gives an error like "Could not find a part of the path '\comp01\ibc'" while accessing the network folder. I am using the System.IO namespace for file-related activities. I found a weird behavior: this web part works fine on another WSS server.
Does SharePoint require any kind of privileges to access the network folder?
I am using a windows authentication not forms based authentication.
Please help me in this regard.
Where are you trying to create the folder: on the SharePoint server or a different server? Check that you are accessing the path using UNC \ format, and make sure that the permission has been configured. Also, there is a chance that impersonation is not configured to have rights to create the folder; check the App Pool user account permission. Finally, you can try to run the code with elevated permission (have this as a last option).
