Implementing Role Based Protection In Your PowerApps App
Sudhesh Suresh, Program Manager , Monday, December 4, 2017
An extremely typical question our customers ask is, how do you implement role based access control within my app. In other words, how do I make particular features or displays of my application available simply to the authorized people in my organization. As an example, make Admin display available only to the users whom are part of an Active Directory Group “Administrators” or make administration views available only to the users from the Active Directory Group “Managers” (as shown in the picture below).
In this blog post, I’ll demonstrate ways to find the Active Directory group out account of the signed in individual and consequently make decision to show/ hide certain features.
Advanced Level Steps
We’ll use customized connector function of PowerApps for connecting to Microsoft Graph API for listing the Active Directory Groups that the consumer belongs to*. After getting the list of groups through this customized connector in PowerApps, we are able to easily check if the consumer belongs to a group that is particular properly set the visibility of particular controls or screens.
Following will be the steps that are broad
Step 1 enroll a software within the Azure Active Directory and demand permission to utilize the Graph that is right API)
Step 2 Grant Permission asked for above (a working Directory Admin needs to do that)
Step three include this software being a customized connector in PowerApps environment
Step make use of the custom connector in your PowerApps software
- Checkout their documentation and http://datingmentor.org/ldssingles-review/ graph explorer if you never used Microsoft Graph before, I strongly recommend that you. I find Graph Explorer dead handy to explore what’s out there and even test out the output for the specific APIs before using this in my own rule.
- Graph API our company is using right here, lists the groups that the user is direct user of. Therefore, it’ll miss the combined group membership through nested group account. Because of this web log, we’re keeping it easy by just checking for direct account. There are various other Graph APIs for finding group that is nested t . But you’ll need to know group id (you can’t use group name for making use of that API). The concept can be used by you outlined in this blog to utilize this other API (after finding group id from the graph explorer). When there is sufficient interest, I’ll do another blog post showing utilizing the other graph api.
Step 1 Join An App Within The Azure Active Directory and Request Permission To Utilize The Right Graph API(s)
These steps are similar to the steps documented in this exemplory instance of custom api.
1. Register to the Azure portal. When you have a lot more than one Azure Active Directory tenant, ensure you’re logged to the proper directory by considering your username in the upper-right corner.
2. Ch se Azure Active Directory -> App Registration
3. Select Brand New application enrollment.
4. For Registering a brand new App, usage values that are following
Name Any Name that you want to utilize ( I used “GraphAPIDemo”)
Application type Online app/ API
Sign-on URL https //login.windows
5. Once it’s created, ch se this newly developed app. Note the application down id (it’ll be utilized as customer Id in the later step of incorporating this API as custom connector in PowerApps environment). After noting down the application id, click “Settings” menu at the very top.
6. From Settings, click on Reply URLs, add following hit and url save
Note- This url might not work with non US locations. In the event that you get error, you’ll have to return and include your location url that is specific. I’ll go in greater information regarding that mistake at a step that is laterwhere you enroll this as custom connector in PowerApps environment).
7. From Settings, simply click on Keys
8. Enter a description for the key, select the expiry period, and hit Save. a key that is new will be produced. Put in writing that value. You’ll need this secret that is key later action while registering this API as custom API in PowerApps. (Note- very important to see down this key in this step if you come back to this screen later because you won’t be able to see this key. )
9. Get back to Settings, click on necessary Permissions
10. Within the permissions that are required click on Add then pick an API
11. In the next display screen, select Microsoft Graph
12. Select Select Permissions
13. Under “Delegated Permissions”, check after people
· View User’s Fundamental Profile
· View User’s Email Address
В· Access Directory As Signed In User
В· Browse Directory Information
В· Browse All Teams
· Read All User’s Basic Profile
В· Sign in and read User Profile
Step 2 Grant The Permissions Requested In The Earlier Step (A Working Directory Admin Has To Try This)
This task can be carried out only by the admin of this directory that is active. You will find 2 ways to try this
Ask the admin towards the Azure portal, head to Azure Active Directory -> App Registrations -> and select the software you registered into the step that is previous. Go to settings -> Required Permissions, and click on Grant Permissions key towards the top
Deliver the url that is following the Active Directory Admin (its typically some body from your IT Department). In the url below, put the client id (or application id) you noted while registering the app within the active directory. On clicking this url, your Active Directory Tenant Admin will get the prompt to permission that is grant.
Step three Add This Registered App Being A Custom Connector In Your PowerApps Environment
1. Go to https //web.powerapps and then click on gear icon regarding the top right, and select “Custom Connectors”.
Note- you sign in to the active directory tenant where you registered this app in the first step if you are part of multiple Active Directory Tenants, make sure.
2. As s n as you arrive at Customer Connectors screen, simply click on “Create custom connector” and select the possibility to “Import an Open API File”
3. You’ll get after dialogue package. By importing an OpenAPI file, you’re essentially importing a Swagger file. Use the Swagger file we created for this scenario (save yourself it to your drive that is local utilize it for uploading OpenAPI file). For Custom Connector name, utilize any title you want. We utilized DirectGroupMembership.
4. “General Information” step is immediately filled using the information within the swagger file. Take a moment to change the icon, description but change that is don’t and Base Url.
5. Simply Click Keep. Within the protection action, Swagger file will help immediately ch se Authentication Type as OAuth2.0 and select the Identity Provider as “Azure Active Directory”. Keep all the given information as automatically filled. You just need certainly to fill the information that is following