Welcome to the Power Guide Blog series. Hope you all are doing great and staying safe!
In the past few days, I have received several queries about restricting PowerApps Portal access to a particular group, subsidiary, or business unit.
Let’s understand this with the help of the following business use case.
As we all know, PowerApps Portal supports Azure AD authentication, which allows all Azure AD users to log in to the portal directly without being registered on the portal. However, sometimes we want to restrict portal access to a specific group of users instead of all Azure AD users.
For example, Power Guide is an organization that has two departments, let's say Helpdesk and HR. The Helpdesk department has around 50 support agents who need PowerApps Portals access to handle queries and resolve tickets. The HR department, however, only needs access to Microsoft Teams. If the organization wants to give portal access only to the Helpdesk department and not to the HR department, how can you handle that scenario?
In this article, I will share PowerGuideTip27, a tip for handling such scenarios using Azure AD Conditional Access policies.
What is Azure AD Conditional Access
Check this article to know about Microsoft’s Azure AD Conditional Access.
- Azure AD Subscription (Trial is also fine)
- Dynamics 365 License (Trial is also fine)
- PowerApps Portals (of any type)
Create a trial (subscription-based) environment in the Power Platform admin center.
Install PowerApps Portal (skip this if you already have one). Click here for the installation steps.
Configure Azure AD Conditional Access Policy.
Note: Make sure you have Global Administrator rights.
Step 2: Click on View under Manage Azure Active Directory.
Step 3: Click on Properties
Step 4: Click on Manage Security defaults
Step 5: Turn Off the Enable Security defaults settings and choose My organization is using Conditional Access. Click Save
Step 6: Click on Security.
Step 7: Click on Conditional Access
Step 8: Click on + New Policy.
Note: If the + New Policy option is disabled, it means you don’t have an Azure AD Premium P2 subscription. Click on the -> arrow and activate it.
Step 9: Give the policy name
Step 10: Click on 0 users and groups selected under Assignment.
Include – Users whom you want to restrict from accessing the portal
Exclude – Users to whom you want to give access to the portal
Under Include > Select users and groups > choose the Users and groups checkbox > search for the user or group that you want to restrict with this policy, and then click Select to add them to the Include list.
Under Exclude > Select users and groups > choose the Users and groups checkbox > search for the user or group that you want to keep out of this policy, and then click Select to add them to the Exclude list.
Note: If you have only a few users, you can search for and choose them individually from the list. Otherwise, create a security group, add all these users to that group, then search for the group name and choose the group from the list. The policy will then apply to all members of that group.
Step 11: Click on No cloud apps or actions selected under Cloud apps or actions
Click on Include and choose Select apps.
Search for and choose all the apps that you want this policy to restrict.
Since we want to restrict only PowerApps Portal, we will search for Microsoft CRM Portals and add only that to the Include list.
Similarly, if you also want to restrict PowerApps and Power Automate, search for the PowerApps and Microsoft Flow apps respectively and add them to the Include list as well.
Note: Choose Microsoft PowerApps and Microsoft Flow apps only if you want to restrict Model-driven apps, Canvas apps, and Power Automate along with PowerApps Portals.
Step 12: Click on Grant under Access controls > choose Block Access > Select
Step 13: Finally, turn On the Enable policy setting and click Create to create the policy.
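The policy built in Steps 9 to 13 can also be created as code with the Microsoft Graph PowerShell SDK, which makes the Include/Exclude scoping reviewable before it is applied. This is an added example, not part of the original walkthrough; the group names and the policy name are assumptions, and the app name is the one searched for in Step 11.

```powershell
# Added example: the block policy from Steps 9-13, created through Microsoft Graph.
# Assumed names (not from the article): the two security groups and the policy name.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'Group.Read.All','Application.Read.All'

$blockedGroupName = 'HR Department'          # assumed: users who must NOT reach the portal
$allowedGroupName = 'Helpdesk'               # assumed: users who keep portal access
$portalAppName    = 'Microsoft CRM Portals'  # app name used in Step 11

# Fail closed: refuse to build a policy from a missing or ambiguous lookup.
function Resolve-Single($objects, $name) {
    $found = @($objects | Where-Object { $_ })
    if ($found.Count -ne 1) {
        throw "Expected exactly one directory object named '$name', found $($found.Count)."
    }
    return $found[0]
}

$blocked = Resolve-Single (Get-MgGroup -Filter "displayName eq '$blockedGroupName'") $blockedGroupName
$allowed = Resolve-Single (Get-MgGroup -Filter "displayName eq '$allowedGroupName'") $allowedGroupName
$portal  = Resolve-Single (Get-MgServicePrincipal -Filter "displayName eq '$portalAppName'") $portalAppName

$policy = @{
    displayName = 'Block PowerApps Portal for HR'   # assumed policy name (Step 9)
    state       = 'enabled'                         # Step 13: Enable policy = On
    conditions  = @{
        clientAppTypes = @('all')
        users = @{
            includeGroups = @($blocked.Id)          # Step 10: Include = users to restrict
            excludeGroups = @($allowed.Id)          # Exclude wins for users in both groups
        }
        applications = @{
            includeApplications = @($portal.AppId)  # Step 11: only the portal app
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')                # Step 12: Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```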
Test and Demo
Hope you found this PowerGuideTip helpful.
Stay tuned for the next interesting Power Guide Tip.