
I have been building canvas apps as part of solutions on non-default environments for a while.

Recently a customer required that the app be shared (to run, not edit) with an AAD security group's members.

The SG setup is as follows: [Image of SG setup]

I imagined this to be simple and indeed I was able to 'Share' the canvas app with the SG.

However, users were unable to access the app even via a direct URL unless I gave them individual access.

I have spent many hours perusing the documentation and it seems that it is all aimed at 'Dynamics/CDS' environments.

The only way that I was able to share the app to them using the SG was to create an environment DB and then to set the SG as the env SG.

Is that the correct approach? It seems counter-intuitive because, according to MS, if an SG is not set to an environment, then all users can access the env?

Sandra Rossi
terryg

1 Answer


First, make sure the group you are sharing with is really a security group or security-enabled M365 group.

You can't share an app with a distribution group in your organization or with a group outside your organization.
...
You can share an app with Microsoft 365 groups. However, the group must have security enabled

You can do that at Azure Portal:

  1. Go to Azure AD Active Directory > Groups (direct URL)
  2. Click [Columns] and add Security enabled column to the list
  3. Find the group and make sure it is security-enabled

Also, make sure users have permissions to access data sources and other resources:

For a shared app to function as you expect, you must also manage permissions for the data source or sources on which the app is based, such as Microsoft Dataverse or Excel. You might also need to share other resources on which the app depends, such as flows, gateways, or connections.

Source: https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app

J-M
  • Hi, thanks for this. The SG seems correct to me - I will add screenshot to question. I will check other resources and report back... – terryg Dec 29 '21 at 15:08
  • Thank you - that seems to work. Can somebody explain to me why when using a non-DB environment one can add an AD Group to a role, but for a DB environment only users can be added to a role? – terryg Dec 30 '21 at 09:24
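The "security enabled" check from the answer can also be run over an exported group list instead of the portal column. The following is an added example, not part of the original question or answer: it assumes the groups were exported in the shape of Microsoft Graph `group` objects (`securityEnabled`, `mailEnabled`, `groupTypes`), and the group names and function names are constructed for illustration. It covers only the group-type requirement, not data-source permissions or the environment's security group.

```python
import json

# Constructed sample shaped like Microsoft Graph `group` objects; names are made up.
SAMPLE_GROUPS = json.loads("""[
 {"displayName": "App-Users-SG", "securityEnabled": true, "mailEnabled": false, "groupTypes": []},
 {"displayName": "Sales-M365", "securityEnabled": false, "mailEnabled": true, "groupTypes": ["Unified"]},
 {"displayName": "Ops-M365", "securityEnabled": true, "mailEnabled": true, "groupTypes": ["Unified"]},
 {"displayName": "All-Staff-DL", "securityEnabled": false, "mailEnabled": true, "groupTypes": []},
 {"displayName": "Partial-Export", "groupTypes": []}
]""")


def classify_group(group):
    """Return (kind, shareable, reason) for one group object."""
    if "securityEnabled" not in group:
        # Property not exported: do not guess, flag for manual review.
        return ("unknown", False, "securityEnabled missing from export")
    sec = group["securityEnabled"] is True
    mail = group.get("mailEnabled") is True
    unified = "Unified" in (group.get("groupTypes") or [])
    if unified:
        kind = "Microsoft 365 group"
    elif mail and not sec:
        kind = "distribution group"
    elif mail:
        kind = "mail-enabled security group"
    elif sec:
        kind = "security group"
    else:
        kind = "unknown"
    # The criterion quoted in the answer: the group must be security-enabled.
    if sec:
        return (kind, True, "security-enabled")
    return (kind, False, "not security-enabled")


def not_shareable(groups):
    """Names of groups that fail the security-enabled check."""
    return [g.get("displayName", "?") for g in groups if not classify_group(g)[1]]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["displayName"], classify_group(g))
```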