PowerApps – Share Canvas App with External Users


Introduction
Have you ever needed to share your Canvas App with users outside your organization? It's a very common business requirement.
For example, you are designing a Canvas App for the salespeople who work in your organization. However, there are users such as external business partners, vendors and contractors who are not part of your organization but still work for you, and you want them to access your canvas apps as well.
Various organizations like Uber, Amazon, Subway, McDonald's, etc. work in the same fashion. They work not only with users who are part of their organization but also with their vendors and partners.
Today, I am going to share #PowerGuide28, where you'll learn how to share your app with external organization users using Azure AD B2B collaboration.

What is Azure AD B2B?
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department.
A simple invitation and redemption process lets partners use their own credentials to access your company's resources.
With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities.
  • The partner uses their own identities and credentials; Azure AD is not required.
  • You don't need to manage external accounts or passwords.
  • You don't need to sync accounts or manage account lifecycles.

Pre-Requisites
  • Azure Active Directory Subscription (Trial is also fine)
  • Power Platform Environment (Trial is also fine)
  • Canvas App (create a new app or use an existing one that you want to share with external users)

Solution Design

Implementation Steps

Go to Azure Portal https://portal.azure.com and Open Active Directory.

Click on Users from the left panel

Click on + New guest User
Choose the Invite user option, fill in the details of the external user with whom you want to share the canvas app, and hit the Invite button.

Open newly created guest user

Click on Licenses from the left panel.

Click on +Assignments and assign an appropriate license to the guest user.

Go to https://make.powerapps.com and share the canvas app with the guest user.


Important Note: Guests can only be assigned the User role, and not the Co-owner role, for apps shared with them. That means they can't edit the app; they can only run it.
Test and Demo
Open the invitation email and Accept the Invitation.

Open the app that is being shared with you.

Considerations and limitations for guest access

  • Guests can only be assigned the User role, and not the Co-owner role, for apps shared with them.
  • Power Apps can't recognize guests that authenticate by using Azure AD direct federation or email one-time passcode authentication.
  • Power Apps per-app plans are scoped to apps in a specific environment, so they can't be recognized across tenants.
Useful Resources


Hope you found this Tip helpful

Stay tuned for #PowerGuideTip29

Cheers

PowerApps Portal – Control Azure AD User Access

Introduction:

Hi Everyone,

Welcome to the Power Guide Blog series. Hope you all are doing great and staying safe!
In the past few days, I have received several queries about restricting PowerApps Portal access to a particular group, subsidiary or business unit.
Let's understand this with the help of the following business use case.
As we all know, PowerApps Portal supports Azure AD authentication, which allows all Azure AD users to log in to the portal directly without being registered on the portal. However, sometimes we want to restrict portal access to a specific group of users instead of all Azure AD users.
For example, Power Guide is an organization that has two departments, let's say Helpdesk and HR. The Helpdesk department has around 50 support agents who need PowerApps Portals access to handle queries and resolve tickets. The HR department, however, only needs access to Microsoft Teams. If the organization wants to give portal access only to the Helpdesk department and not to the HR department, how can you handle that scenario?
In this article, I will share PowerGuideTip27, a tip for handling such scenarios using Azure AD Conditional Access policies.
What is Azure AD Conditional Access
Check this article to know about Microsoft's Azure AD Conditional Access.
Pre Requisites:
  • Azure AD Subscription (Trial is also fine)
  • Dynamics 365 License (Trial is also fine)
  • PowerApps Portals (of any type)
Implementations Steps:
1. Create a Dynamics 365 Free Trial.
2. Create a trial (subscription-based) environment in the Power Platform admin center.
3. Install PowerApps Portal (ignore if you already have). Click here for the installation steps.
4. Configure Azure AD Conditional Access Policy.

Step 1: Go to https://portal.azure.com/ and sign in with your Dynamics 365 trial credentials

Note: Make sure you have Global Administrator rights.

Step 2: Click on View under Manage Azure Active Directory.

Step 3:  Click on Properties 


Step 4: Click on Manage Security defaults 

Step 5: Turn Off the Enable Security defaults settings and choose My organization is using Conditional Access. Click Save


Step 6: Click on Security.


Step 7: Click on Conditional Access



Step 8: Click on + New Policy.


Note: If the + New Policy option is disabled, that means you don't have an Azure AD Premium P2 subscription. Click on the -> arrow and activate it.

Step 9: Give the policy name



Step 10: Click on 0 users and groups selected under Assignment.


Include – Users whom you want to restrict from accessing the portal
Exclude – Users whom you want to give access to the portal

Under Include > Select users and groups > choose the Users and groups checkbox > search for the user or group that you want to restrict from accessing the portal, and then Select to add them to the Include list.

Under Exclude > Select users and groups > choose the Users and groups checkbox > search for the user or group that you want to keep out of this policy, and then Select to add them to the Exclude list.

Note: If you have fewer users, then you can search and choose them individually from the list, otherwise create a security group, add all these users in that group and then search the group name and choose the group from the list. By doing that, this policy will be applied to all the members of that particular group.

Step 11: Click on No cloud apps or actions selected under Cloud apps or actions

Click on Include and Choose Select apps.

Search and choose all those apps that you want to restrict and apply this policy to.
Since we want to restrict only PowerApps Portal, we will search for Microsoft CRM Portals and add only that to the Include list.
Similarly, if you also want to restrict PowerApps and Power Automate, you can search for the PowerApps and Microsoft Flow apps respectively and add them to the Include list too.

Note: Choose Microsoft PowerApps and Microsoft Flow apps only if you want to restrict Model-driven apps, Canvas apps, and Power Automate along with PowerApps Portals.

Step 12: Click on Grant under Access controls > choose Block Access >  Select


Step 13: Finally, turn On the Enable policy toggle and hit Create to create the policy.
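
The Include/Exclude logic configured in Steps 10 to 13, as an added Python example (not part of the original article) that uses a simplified model of how one block policy is matched to a sign-in. The user and group names are constructed; the run shows that a user in neither group is not blocked by the policy as written, and that an "All users" include with the same exclusion closes that gap.

```python
from dataclasses import dataclass

ALL_USERS = "All users"            # the "All users" choice on the Include tab
PORTAL = "Microsoft CRM Portals"   # cloud app chosen in Step 11


@dataclass(frozen=True)
class BlockPolicy:
    """Simplified model of one Conditional Access policy with a Block grant."""
    include: frozenset
    exclude: frozenset
    apps: frozenset
    enabled: bool = True

    def in_scope(self, groups, app):
        if not self.enabled or app not in self.apps:
            return False
        if groups & self.exclude:          # exclusions override inclusions
            return False
        return ALL_USERS in self.include or bool(groups & self.include)


def sign_in(policy, groups, app=PORTAL):
    """Outcome of a sign-in to `app` for a user with the given group set."""
    return "blocked" if policy.in_scope(frozenset(groups), app) else "allowed"


def unintended_access(policy, users, allowed_groups, app=PORTAL):
    """Users who reach the app although they are in none of allowed_groups."""
    allowed_groups = frozenset(allowed_groups)
    return sorted(
        name for name, groups in users.items()
        if sign_in(policy, groups, app) == "allowed"
        and not (frozenset(groups) & allowed_groups)
    )


# Constructed sample directory: user -> security groups
USERS = {
    "hr.user": {"HR"},
    "support.agent": {"Helpdesk"},
    "hr.and.helpdesk": {"HR", "Helpdesk"},
    "finance.user": {"Finance"},
}

# Policy as built in the steps above: Include = HR, Exclude = Helpdesk
AS_WRITTEN = BlockPolicy(frozenset({"HR"}), frozenset({"Helpdesk"}),
                         frozenset({PORTAL}))
# Variant: block everyone except the excluded group
ALLOW_LIST = BlockPolicy(frozenset({ALL_USERS}), frozenset({"Helpdesk"}),
                         frozenset({PORTAL}))

if __name__ == "__main__":
    for name, groups in USERS.items():
        print(f"{name:16} as written: {sign_in(AS_WRITTEN, groups):8}"
              f" allow-list: {sign_in(ALLOW_LIST, groups)}")
    print("unintended (as written):",
          unintended_access(AS_WRITTEN, USERS, {"Helpdesk"}))
    print("unintended (allow-list):",
          unintended_access(ALLOW_LIST, USERS, {"Helpdesk"}))
```

A block policy that includes All users also applies to administrators who are not in an excluded group, so keep an emergency-access account in the Exclude list.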




Test and Demo


Hope you found this PowerGuideTip helpful.

Stay tuned for the next interesting Power Guide Tip. 

Cheers.

Power Automate – Check String Variable is Empty or Null

Introduction

Hi Everyone,

In this PowerGuideTip26, I'll show you how to perform a null check on a string variable, that is, how to check whether the string variable has a value or not, in Power Automate.
There are many business use cases where you need to check, in the condition step, whether the string variable has data or not.
In the following example, I am initializing a string variable (UserRole) and setting a value in it at a later stage. In the Condition step (as shown below), I want to check whether this string variable contains data or not. If it contains data (is not null), proceed with Process A; otherwise proceed with Process B.
Algorithm
If UserRole is Empty or UserRole is Empty = true
then perform process A
else perform process B

Use the following expression in the condition for the string null check.
empty(variables('UserRole'))

PowerApps – Get Dynamics 365 Logged In User Role in Canvas App

 

Introduction

Hi Everyone,

Hope you are doing great and staying safe.
Today, in this blog post I am going to share PowerGuideTip25, where I'll demonstrate how to read the Dynamics 365 security role using Power Automate and integrate it with PowerApps – Canvas App.

There are umpteen business use cases where we need to design the app/flow/process based on the Dynamics 365 security role. One of the best examples is:
a role-based Canvas App, where we need to navigate the user to different screens or perform a different process/flow based on the role assigned in the CRM application.
Business Requirement
  • Create a mobile app for the Sales Team.
  • Sales Agent will login into the app to track his/her daily appointment, track customer location, capture meeting notes, and assign tasks to the sales manager for approval
  • Sales Manager will log into the app in order to track the sales team's performance and approve the requests made by a sales agent.
Pre-Requisites
  • PowerApps License (PerApp or Per User) or can use Trial as well.
  • Dynamics 365 License or use Trial as well.
  • Must have two users. One user must have a Sales Person Role and another user must have a Sales Manager role to test the flow.
  • Download the Power Automate from my GIT Repository.
Solution Architecture

Steps to Implement

Download Power Automate from GIT HUB
Download the Power Automate from my GIT HUB repository.
Steps to Use the Power Automate Solution

  • Click on My Flows from the Left Panel and Click Import
  • Browse the downloaded Power Automate zip file and Hit Upload.
Note: Change the Common Data Service (Current Environment) connection

Design a Canvas App
I have designed a sample canvas app for Sales Agent and Sales Manager.

App has 4 screens – 
  • Landing Screen – where the user will be landed after a successful login.
  • Profile Screen – Display logged-In user information 
  • Error Screen – This screen will display an "Insufficient Permissions" message if a user doesn't have the appropriate role assigned in the CRM Application
  • My Roles – This screen will display all security roles assigned to the logged-in canvas app user.
App Flow:
  • Sales Agent or Sales Manager will log in to the app.
  • If Sales Person has Sales Person security role assigned in D365, Redirect the user to Profile Screen else Redirect to Error Screen
  • If Sales Manager has Sales Manager security role assigned in D365, Redirect the user to Profile Screen else Redirect to Error Screen

Add the following expression on OnSelect property of the 'Login as Sales Person' button.
// Call Power Automate
Set(FlowOutput,GetD365UserRole.Run(LookUp(Users,domainname=User().Email).systemuserid));

// Check if Power Automate Output contains 'sales person' then Navigate to profile Screen else Navigate to Error Screen.
If(IsMatch(FlowOutput.userrole,"sales person",Contains & IgnoreCase),Navigate(ProfileScreen,ScreenTransition.Cover),Navigate(ErrorScreen,ScreenTransition.Cover))
Add the following expression on OnSelect property of the 'Login as Sales Manager' button.
// Call Power Automate
Set(FlowOutput,GetD365UserRole.Run(LookUp(Users,domainname=User().Email).systemuserid));

// Check if Power Automate Output contains 'sales manager' then Navigate to profile Screen else Navigate to Error Screen
If(IsMatch(FlowOutput.userrole,"sales manager",Contains & IgnoreCase),Navigate(ProfileScreen,ScreenTransition.Cover),Navigate(ErrorScreen,ScreenTransition.Cover))

Use the following expression on OnSelect property of 'View my Roles' button.

 Navigate(MyRoles,ScreenTransition.CoverRight);

Add a List screen and change its Layout to the 'Title' type.

Set the following expression on the 'Items' property of the List screen
Split(FlowOutput.userrole,",");
This expression splits the security role list (returned from Power Automate in comma-separated format) into a table.
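
The `Contains & IgnoreCase` test in the two login buttons is true for any role whose name merely contains the text, whereas comparing against the split role list matches whole role names only. The following Python sketch is an added example (not the author's code) that contrasts the two checks on constructed flow outputs; role names other than Sales Person and Sales Manager are hypothetical.

```python
import re


def contains_match(userrole, wanted):
    """Same result as IsMatch(userrole, wanted, Contains & IgnoreCase) for a
    literal pattern: true if `wanted` appears anywhere in the string."""
    return re.search(re.escape(wanted), userrole, re.IGNORECASE) is not None


def split_roles(userrole):
    """Counterpart of Split(FlowOutput.userrole, ","), trimmed and case-folded."""
    return [r.strip().casefold() for r in userrole.split(",") if r.strip()]


def exact_match(userrole, wanted):
    """True only if one whole role name equals `wanted` (case-insensitive)."""
    return wanted.strip().casefold() in split_roles(userrole)


def mismatches(flow_outputs, wanted):
    """Users the substring test admits but the whole-name test rejects."""
    return sorted(
        user for user, roles in flow_outputs.items()
        if contains_match(roles, wanted) and not exact_match(roles, wanted)
    )


# Constructed flow outputs (comma-separated role lists per user)
FLOW_OUTPUTS = {
    "agent": "Sales Person,Basic User",
    "manager": "Sales Manager,Basic User",
    "auditor": "Sales Person Read-Only,Basic User",   # hypothetical role name
    "intern": "Former Sales Manager Archive",         # hypothetical role name
}

if __name__ == "__main__":
    for wanted in ("sales person", "sales manager"):
        print(wanted, "->", mismatches(FLOW_OUTPUTS, wanted))
```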

Error Screen
Test & Demo

Automate Dynamics 365 & Power Platform Deployment using Azure DevOps CI/CD



Introduction

Hello Everyone,

Today in this Power Guide Mentorship Program, I am going to share #PowerGuideTip24, which will help you to Automate the Dynamics 365 and Power Platform Deployment using Azure DevOps CI/CD.
I have already delivered a session on Dynamics 365 Azure DevOps Implementation at Dubai Summit, Feb 2020. You can find the recordings and Slide Deck of the session here.
I have also delivered Power Community Session recently on – Automate the PowerApps Portal Deployment using Azure DevOps CI/CD. You can find that session recording here.
If you are new to Dynamics 365 and Azure DevOps, I would recommend that you first go through the above-mentioned recordings and slide deck. This will help you learn the fundamentals of Azure DevOps and CI/CD.
Today, in this article, I am going to share the end-to-end steps to implement Azure DevOps and CI/CD to automate the deployment of Dynamics 365 and Power Platform components.
Business Requirement

Automate Dynamics 365 Solution, Power Platform, and Configuration Data Deployment

Pre-Requisites
  • Dynamics 365 Source Instance – Dev
  • Dynamics 365 Target Instance – SIT/UAT/PRE-PROD/PROD
  • Azure DevOps Subscription – Can create trial using this link and refer to this article for instructions
  • Azure Subscription –  for Dynamics 365 Service Connection – Can use the trial as well
  • Need to have a solution available in your Dynamics 365 Source Instance
  • Need to have some configuration (Master) data available in your source instance
  • Dynamics 365 Instance (Source and Destination both) Administrator rights
  • Schema File Available – if you want to deploy master data or portal configuration as well.
Implementation Flow
  • Dynamics 365 Solution Deployment


  • Dynamics 365 Master Data (or Portal Configuration Data) Deployment
Implementation Steps 

Repository Permissions

There is some security to set up so that our pipeline can upload the configuration to source control. We need to give the Project Collection Build Service Contribute access to the repository.
  1. Click the Gear Icon in the bottom left corner to get access to Project Settings
  2. Choose Repositories
  3. Click on the Permissions tab
  4. Search Project Collection Build Service
  5. Add the Project Collection Build Service
  6. Once you have added the Project Collection Build Service, choose “Allow” on the Contribute Permission. (from the Right panel)
  7. Now Search Build Service user (Project Name + “Build Service”)
  8. Change Contribute to “Allow”


Create a CI (Build) Pipeline –

After the Azure DevOps service is set up for your organization, create a new Azure DevOps project by clicking on '+ New project'.

Create a new Repository to store Dynamics 365 Extracted solution files



Click on New Pipeline to Create your first CI (Build) Pipeline in Azure DevOps

Click on Use the classic Editor

Choose your Repository Type, Team Project, Repository Name, and Branch and then Hit Continue


Click on Empty Job in order to create a Pipeline from scratch

Click on '+' and search Power Platform Build Tools and Hit 'Get it Free'




Once the installation of the tool is finished in your Azure DevOps instance, search for the Power Platform Tool Installer task and click on Add

Add Power Platform Export Solution Task

Now, in order to export the solution from your source Dynamics 365 instance, you need to choose the authentication type used to connect to your instance.

To do that, you have two choices of Authentication Type:

(a) Username/password (no MFA support) – In this authentication type, you'll have to provide the username and password in order to connect to your CRM instance; however, it doesn't support two-factor or multi-factor authentication.
If you want to connect to the CRM instance using a username and password, here is the format of the connection string.
Connection String Format:
AuthType=Office365; Url=https://powerguide.crm11.dynamics.com; UserName=arpit@powerguide.onmicrosoft.com;Password=Pass@word1
Note: Replace the URL, user name and password with your own CRM instance details.
See my article for more details.


(b) Service Principal/Client Secret (supports MFA) – In this authentication type, you'll have to perform two steps to complete the authentication
  • Azure App Registration
    • To register an app in Azure, follow my article. Go to the 'Azure AD App Registration' section and perform Step 1 to Step 6.
    • In Step 7, instead of clicking on Microsoft Graph, click on Dynamics CRM, select the user_impersonation permission and then hit Add Permission.
    • Step 8 will remain the same.
    • One additional step is to capture the Azure AD Tenant ID as well for later use
    • If you have any trouble performing the above steps, please watch this video.
    • After performing all the above steps, don't forget to capture the Application ID, Client Secret Key and Azure AD Tenant ID for later use.
  • Application User Creation in Dynamics 365 Source Instance
    • Go to Security > User > Select Application Users View > Click on New
    • Choose the Application User form, fill in User Name, Application ID, Full Name and Primary Email (as highlighted below) and hit Save.
    • Once you save the record, Application ID URI and Azure AD Object ID are populated automatically from your Azure tenant
    • Give the System Administrator security role to the user.
Once you are done with the Azure AD App Registration and Application User creation, it's time to create the Service Connection in Azure DevOps.
To do that, Hit on +New to create a new Service Connection for your Dynamics 365 Dev Instance

Fill the details as shown below and Hit Save.

Add Power Platform Unpack Solution task

 Fill the details as shown below.

Add Command Line task

Add following Command Lines to Push the Extracted Solution Zip files to the Repository

echo commit all changes
git config user.email "arpit.crmconsultant@gmail.com"
git config user.name "arpit.crmconsultant@gmail.com"
git checkout master
git add --all
git commit -m "solution init"
echo push code to new repo
git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push origin master
Note: Replace the highlighted username with your Azure DevOps User Account Name

Add Publish Artifacts Task in order to push your solution zip file to the Artifacts. Fill the details as shown below

Create a variable to hold the solution name. We have already used this variable, '$(SolutionName)', in all the steps above.

You can configure the Trigger point of your Build Pipeline.

If you want to trigger this pipeline as soon as you commit changes to your master branch, choose Enable continuous integration. Alternatively, you can schedule the pipeline to run at a specific time.

Save the Pipeline
                               

Run Pipeline

You can opt for Enable System Diagnostic to log/troubleshoot the error in case you face any issues while running the pipeline.

Once the CI pipeline build succeeds, click on Artifacts to view the solution zip file (as shown below)

Solution Zip file (Dynamics 365 Dev Solution) is available in Artifacts

Go to your Repository > Solution Zip file has been extracted to multiple files based on solution components

Create a CD (Release) Pipeline –


Click on Releases under Pipeline and click on +New release pipeline in order to create the Release Pipeline.

Provide Artifacts Location, so that your release pipeline could download the solution zip file from that location. (as per below)

Provide Release Pipeline Trigger point. 

Click on the Trigger icon and turn On the Enable continuous deployment trigger (as shown below)

Click on Stages in order to add the Tasks to import the solution in your Target Dynamics 365 Instance.

To do that, click on Empty Job


Add Power Platform Tool Installer Task and Leave it as is.


Add Power Platform Solution Import Task and Fill the details as shown below

Note: You need to create a new Service Connection in order to connect with your Target Dynamics 365 Instance, same as the steps we have performed earlier to connect the Source Dynamics 365 Instance.


Set the Solution Input File path. Click on Browse, choose the path as per below and hit Ok.


Declare the Variable for Solution Name (like we did in Build Pipeline)

Save the Pipeline

Watch this Video of CI and CD Pipeline Setup and Demo
If you have any difficulty understanding any of the above steps, you can watch this video to set up your pipeline
Deploy Dynamics 365 Master Data (or Portal Configuration Data) using Azure DevOps CI/CD
While working in Dynamics 365, you might need to use some master data in your Dynamics 365 Instance, that remains unchanged in all the instances (Dev/SIT/UAT/PROD, etc). For Example Country, State, City, etc.
In PowerApps Portals too, everything we do to design the portal is configuration. We create records in Dynamics 365 such as Web Pages, Entity Forms, Entity Lists, Web Templates, etc. Hence, this configuration is also a kind of master data, because it remains unchanged across all the target instances as well.
In order to deploy above both types of configuration data in your target instance, we usually use the Configuration Migration Tool. However, that is a manual activity.
To automate the configuration data using Azure DevOps CICD, please perform the following steps:
Important Note: 
1. I have created separate CI/CD Pipelines for Configuration Data Deployment, however, you can use a single CI and CD Pipeline also in order to deploy your Dynamics 365 Solution and Configuration Data in the target instance. (based on your business needs).
2. Currently Microsoft's Power Platform Build Tools don't provide the capability to export/import configuration records/data from/to CRM. Hence, we'll use Wael Hamze's Power DevOps Tools for this requirement.
3. Please have a look at my article, where I have demonstrated PowerApps Portal CI/CD pipeline creation using Azure DevOps.
Create Repository –

I have created a repository to store the schema file. You can reuse the same repository that we created in the earlier step. The schema file contains the list of all entities whose records have to be exported from the source Dynamics 365 instance.
If you are deploying the PowerApps Portal configuration, you can get the Portal schema file from here. If it doesn't work for any reason, you can also create your own schema file for the selected Portal entities.
Create a new repository and create a new folder 'Portal Configuration' inside it.

Browse the location and Upload the Schema File in the 'Portal Configuration' folder.


Note: We'll use this schema file in our CI Pipeline to export the configuration data.

Create a CI (Build) Pipeline –

Create a new Build (CI) Pipeline to export the Dynamics 365 Configuration (Master) Data


Install Power DevOps Tools


Add Power DevOps Tool Installer Task and leave it as is.

Add Ping Environment Task

Note: This tool doesn't allow the use of a Service Connection the way Power Platform Build Tools does. However, you can use the following connection string to connect to your Dynamics 365 source instance.
We have already captured the Application ID and Client Secret of the source Dynamics 365 instance in the earlier steps.


Add Export Configuration Migration Data Task. Browse to the 'Portal Configuration' folder in the Repository and select the Schema file.

Note: It's always good practice to keep confidential information such as the username, password, client ID and secret key in variables and mark them as secret so that they can't be compromised.
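
A check for the practice in the note above, covering both the username/password connection string shown earlier and the client-secret string used by the Ping Environment task. This is an added Python example, not part of the original article: it flags connection strings that carry a literal secret instead of a `$(Variable)` reference and masks the secret for logging. The sample strings are constructed, and the `AuthType=ClientSecret` form with `ClientId`/`ClientSecret` keys is assumed because the article's own string is not shown.

```python
import re

SECRET_KEYS = ("password", "clientsecret")
# Azure DevOps macro syntax, e.g. $(ClientSecret); resolved when the task runs
VARIABLE_REF = re.compile(r"\$\([A-Za-z_][\w.]*\)")
SECRET_FIELD = re.compile(r"(?i)\b(password|clientsecret)(\s*=\s*)([^;]*)")


def parse(conn):
    """Split 'Key=Value; Key=Value' into a dict with lower-cased keys.
    Assumes values contain no ';', which is enough for this check."""
    fields = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def review(conn):
    """Return a list of findings for one connection string."""
    fields = parse(conn)
    findings = []
    for key in SECRET_KEYS:
        value = fields.get(key)
        if value is not None and not VARIABLE_REF.fullmatch(value):
            findings.append(f"{key}: literal secret, move it to a secret variable")
    if fields.get("authtype", "").lower() == "office365":
        findings.append("authtype: username/password sign-in, no MFA support")
    return findings


def redact(conn):
    """Mask literal secrets so the string can be logged or shared."""
    def mask(match):
        if VARIABLE_REF.fullmatch(match.group(3).strip()):
            return match.group(0)          # variable reference, nothing to hide
        return f"{match.group(1)}{match.group(2)}***"
    return SECRET_FIELD.sub(mask, conn)


# Constructed sample values, not real credentials
INLINE = ("AuthType=Office365; Url=https://contoso.example; "
          "UserName=svc@contoso.example;Password=Constructed-Not-Real-1")
VARIABLES = ("AuthType=ClientSecret; Url=$(SourceUrl); "
             "ClientId=$(ApplicationId); ClientSecret=$(ClientSecret)")

if __name__ == "__main__":
    for conn in (INLINE, VARIABLES):
        print(redact(conn))
        for finding in review(conn) or ["ok"]:
            print("  -", finding)
```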

Add Publish Artifacts Task


Publish Artifacts is required to push the exported data.zip file to Build Artifacts.

Declare variables to store the Dynamics 365 source instance URL, Application ID, and Client Secret Key.


Note: Make the variable value confidential by clicking on the Lock icon (scroll right)

Create CD (Release) Pipeline –
Configure Release Pipeline Artifacts Location and Trigger Point


Add Power DevOps Tool Installer Task and leave as is.


Add Ping Environment Task and Fill the details as per below

Add Import Configuration Migration Data Task and Fill the details as per below


Declare Variable to store Dynamics 365 Target Instance URL, Application ID, and Client Secret Key.


Make the variable value confidential by clicking on Lock Icon (as shown below)
Video of CI/CD Pipeline Setup –

Hope this article helps you make your Dynamics 365 Deployment process smooth and automatic. Please do share your feedback. Cheers