Top
PowerApps

End user receives pop-up asking for permission when launching PowerApps


I’m a big fan of working with PowerApps and creating business solutions using that tool. Until last week I wasn’t aware, that when I use specific permissions to access data sources (SharePoint in that case) inside my app, the end user who is going to use that app will be asked for permissions, to be able to use that application.

The message users were seeing was as following:

PowerApps app needs user permissions
Prompt for permissions

This situation is usually a “no go” from business owners, who are asking “why is this showing” and claiming, that when a regular, end user sees it, he is not going to click anything because of the confusion. Well, they are right.

Solution?

I was looking the internet for some of the solutions, information, how to impersonate such connection or elevate permissions for it, so that user is not asked to grant them on his own. I found, that there is an idea already submitted: https://powerusers.microsoft.com/t5/PowerApps-Ideas/Delegate-to-Administrator-Allow-access-window-when-sharing/idi-p/98739 about allowing to make connections on behalf of a specific account. Cool, but that’s an idea only.

Then I found this topic: https://powerusers.microsoft.com/t5/General-Discussion/End-Users-receive-pop-up-asking-for-permission-when-launching/td-p/31906/ and the solution described using PowerShell Cmdlets for PowerApps (described here: https://docs.microsoft.com/en-us/powerapps/administrator/powerapps-powershell).

I tried them, and it works! Below a step by step, so that you can get rid of these popups forever.

PowerApps cmdlets installation

Important! You have to have administration account on your machine and be a Global Administrator of your Office 365 tenant, to follow the installation and execution steps!

Source: https://powerapps.microsoft.com/en-us/blog/gdpr-admin-powershell-cmdlets/
  • Download the PowerShell Scripts file.
  • Unzip the file into a folder.
  • Open Windows PowerShell as an administrator.
  • Set the location path of your PowerShell console to the folder, where you unzipped the scripts (using the “cd” command).

You need now to elevate/ change Execution Policy level of the scripts on your machine. Type the below in PowerShell window:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

Next, as the Microsoft team is saying, that there is a known issue today that may also require to manually unblock the PowerShell, copy and paste the following command:

dir . | Unblock-File

Next, import necessary modules:

Import-Module .\Microsoft.PowerApps.Administration.PowerShell.psm1 -Force 
Import-Module .\Microsoft.PowerApps.PowerShell.psm1 -Force

PowerApps cmdlets execution

This call will open a prompt to collect the credentials (AAD account & password) that will be used by the commands. Provide your Global Admin credentials. It is going to be valid for the next 8 hours:

Add-PowerAppsAccount
Prompt for credentials for PowerApps Cmdlets
Prompt for credentials

Next open the details page of the PowerApps app you would like to “enhance” and copy its App ID:

PowerApps app id
Obtaining PowerApps App ID

Be sure, that the Global Admin account, if different to yours, also has “Co-owner” access to the app or is the “Owner” (and has PowerApps P2 license assigned). In case not, share the app with that account:

Sharing PowerApps app with user as "Co-owner"
Sharing PowerApps app with user as “Co-owner”

Now copy, replace “APP-ID” with yours and execute the following Cmdlet, to bypass requesting for permissions:

Set-AdminPowerAppApisToBypassConsent -AppName APP-ID -ApiVersion 2017-05-01
Correctly executed Cmdlet
Correctly executed Cmdlet

If all went fine, you should now see the “Code: 200” and “Description: OK”. Starting now, when your end users are going to open the app, they will not see that prompt for permissions again.

Disclaimer: before executing the Cmdlet I have republished the app using the Global Admin account. Haven’t checked if all would work without that. Nevertheless, once the Cmdlet was run, I have been developing the app with my regular account, published it several times and the prompt is not showing up anymore.


Tomasz Poszytek

Hi, I am Tomasz. I am expert in the field of process automation and business solutions' building using Power Platform. I am Microsoft MVP and Nintex vTE.

38 Comments
  • Anton

    I’m not seeing where to download the powershell scripts. The link may have been changed or the content since this blog was posted. Could you elaborate or update your notes? Thank you!!!

    May 24, 2019 at 8:09 pm Reply
  • Manish

    Thank you for the articles.
    I had a question regarding the permissions.
    Do these commnads give the logged in user elevated permissions on the data sources being used by the powerapp?
    e.g., if the powerapp has a sharepoint connection and performs both read and write operation. If the logged in user only has read permission on sharepoint, will this powershell allow for elevated permissions to write to the sharepoint list as well?

    Regards,
    Manish

    March 11, 2020 at 5:16 am Reply
    • Tomasz Poszytek

      No, they don’t give elevated permissions. They just make that this message to consciously allow app to use connection on user’s behalf is not shown and this approval is done by default.
      To read about elevated permissions try this post: Elevated permissions in Microsoft Flow.

      March 11, 2020 at 4:49 pm Reply
  • Arun

    Would this work for ‘Dynamics 365 Finance & Operation’ connector as well.

    May 26, 2020 at 1:20 pm Reply
    • Tomasz Poszytek

      Hi, this should work for any connectors used by Power App.

      May 28, 2020 at 1:42 pm Reply
  • jahnavi

    I am using Outlook connector in power apps to send mails by logged i user.How to revoke other permissions such as create,delete permissions e.tc. for the end users which are not necessary

    July 29, 2020 at 6:45 pm Reply
    • Tomasz Poszytek

      You can’t. End-user has full permissions to their mailbox. So does connection created on their behalf.

      July 30, 2020 at 8:22 pm Reply
  • Mel

    Hi, I would like to know, for example the when I connected my powerapp to outloook 365, it asks for permission to use my email to read, delete, update and send emails, but I just want outlook to have permission to send email and disable the delete update and read emails, is it possible to control the permissions at granular level using these methods ? If yes, do you know any blog or tutorial where I can find them. Thanks

    August 6, 2020 at 10:06 am Reply
    • Tomasz Poszytek

      No, it’s not. Because it is asking user to grant permission on their behalf. But it doesn’t matter. As long as your app is not performing delete actions, then despite the fact user grants those permissions, app won’t delete anything.

      August 7, 2020 at 8:21 am Reply
  • Hameed Khan

    Hi Tomasz,
    Correct me if I’m wrong , from what I can understand by reading this is that this solution is for when the powerapp is a standalone app and not when it is a customized form from a sharepoint list.
    If so, does the solution still apply for a customized form?

    Another issue that my end users face is the permission popup window disappears before they can react to it. The popup appears when they want to view the sharepoint item.
    Any help with the above mentioned issue would be helpful.

    Thanks and Regards
    Hameed

    September 10, 2020 at 11:59 am Reply
    • Tomasz Poszytek

      Hi, that PowerShell cmdlet should work both for standalone and for SharePoint customized form. Each app has its own guid, that you need to pass as the parameter.
      Regarding the other issue, I truly don’t know how to help. First of all, it should appear once, but be visible, as long as user clicks confirmation.

      September 10, 2020 at 2:18 pm Reply
      • Hameed Khan

        Hi,
        I wanted to try the steps mentioned for suppressing the permission popup for the custom form but I can’t find the APP ID for it.
        Please help me in this.

        Regards
        Hameed

        September 16, 2020 at 10:40 am Reply
  • Hameed Khan

    Thanks for the reply Tomasz.
    I will need to arrange all the requirements for the Powershell cmdlet and will try after I have them.

    I was able to figure out the other issue and solved it. The reason behind that issue – I was trying to navigate to a particular screen after loading the forms , this order made it so that the popup got hidden/disappeared because the command to navigate to screen was running right after the popup appears.

    Regards
    Hameed

    September 10, 2020 at 2:56 pm Reply
  • Hameed Khan

    Hi Tomasz,
    My O365 tenant admin ran the cmdlets command after he published the app from his account and the popup was not appearing for the users.
    But after some days the popup reappeared for the users.
    What could be the reason behind the reappearance of this popup
    1. Because I published the app from different account than the one which ran the commands?
    2. Refreshing the data connections in the app?
    3. MFA of our tenant?
    Any ideas why this happened and how to avoid this?

    September 23, 2020 at 2:26 pm Reply
    • Tomasz Poszytek

      I would say this is related to significant changes in your app, so change of data connection/ source may have triggered it. Or maybe someone used cmdlet to Clear-AdminPowerAppApisToBypassConsent.

      September 23, 2020 at 2:36 pm Reply
  • Andy T

    Hi Tomasz,
    Excellent write-up! A few quick questions…
    a. On the step that says to download the PowerShell Scripts from the URL (https://docs.microsoft.com/en-us/power-platform/admin/powerapps-powershell#installation), where is the package to download? I believe a previous person asked about it but I still can’t find the spot to download it ๐Ÿ™‚
    b. Can this be done on a SPOnline Management Shell to?

    Thanks much!

    October 21, 2020 at 1:04 am Reply
    • Tomasz Poszytek

      Hi, thank you!
      So first you need to start PowerShell console as instructed under the shared link. SPOOnline Shell should work too. Nevertheless once started simply follow the described steps, so type Install-Module and console should get the modules automatically.

      October 22, 2020 at 11:17 am Reply
  • Alejandro

    Hey Tomasz thanks fot the post,

    We followed all the instructions and we get the 200 response.
    But the Power BI consent still popping up every time we open the app.

    Any other solution?

    Thanks

    November 6, 2020 at 4:34 pm Reply
    • Tomasz Poszytek

      Honestly not. It should remove all prompts for consent. Maybe Power Bi is above it. Hard to say.

      November 9, 2020 at 11:51 am Reply
  • Sarath Subramaniam

    Hello,

    I have 10 data sources in my Canvas App. Out of the 10, I cannot povide SharePoint list permission to the app-users to a data source/list, due to security reasons.
    Is there a way I can create an elevated connection targeting this one data source alone? Instead of elevating the entire app. Any solutions?

    Thanks,
    Sarath

    April 9, 2021 at 6:53 am Reply
    • Tomasz Poszytek

      Yeah, possibly somehow using Power Automate and child flows. So that this specific scenario is handled by Flow, not directly via Power Apps.

      April 28, 2021 at 11:24 am Reply
  • Daniel Cieckiewicz

    Hi Tomek,

    I deployed this script on my environment and SP/CDS/O365 connectors dissapeared from the list but my custom connector I made for integration is still visible and everyone sees also Approvals connector which is default MS connector. Is there a way to make it dissapear as well?

    April 26, 2021 at 12:14 pm Reply
  • Anthony

    I published a PowerApp that uses SharePoint, Outlook, Office 365 user and Approval connections. After running the script successfully, it removed all the prompts except for Approvals? Do you know why? Have you encountered such an issue?

    April 27, 2021 at 8:10 pm Reply
  • Jomon Abraham

    Thanks for the simple yet helpful article. Once the PowerShell script is run, Can the global admin stop being a co-owner of the app or stop having access to the data (say, SharePoint list for instance).

    November 26, 2021 at 4:07 am Reply
    • Tomasz Poszytek

      Global admin can be removed as a co-owner from the app. This must be done by the app’s owner. However, speaking about the data, that is more complex, as global admin can literally have access anywhere ๐Ÿ™‚

      December 5, 2021 at 11:11 pm Reply
  • Steve Wedge

    Thanks for the article, it proved very helpful. I don’t have a GA account on the tenant where I was trying this out, but am a PowerApps Admin and I can confirm that I was able to successfully set the property on a number of Apps. When tested the new user did not receive the prompts which had previously been seen, so this appears to be successfully applying the required change to the App config without having a Global Admin account.

    April 12, 2022 at 2:34 pm Reply
    • Steve Wedge

      I should also add that if this is attempted with an account with the PowerApps Admin role which is not licensed for PowerApps, then the operation will fail with a 403 Forbidden error message

      April 12, 2022 at 2:39 pm Reply
  • Kannan

    My 2 cents. You can use XrmToolBox FetchXML and query Canvasapp table to check if bypass consent status is set to true after running this script

    June 14, 2023 at 6:26 am Reply
  • Jennifer

    New to Powershell – I’m not having any luck with the file download. Please advise more what I need to do to find these and download? I’m getting the files not found and tried Get-PSRepository but can’t get further to get files. Any help appreciated.

    July 19, 2023 at 5:40 pm Reply
  • Jennifer

    And one other question… I think I got the files to work, but now for the Set-AdminPowerAppApisToBypassConsent command it is asking for an Environment Name? How do I find this and what would this be? Thank you.

    July 19, 2023 at 6:03 pm Reply
    • Tomasz Poszytek

      Hey, the environment name is the GUID that you can find when navigating e.g. to Power Automate portal – the one that is straight after the /environments/ part of the URL.

      August 2, 2023 at 1:04 pm Reply
  • Jennifer

    I keep getting a 204 status code and -ApiVersion is not recognized but I’m using the default given in your example and Microsoft documentation. Any ideas? Thank you.

    July 19, 2023 at 6:51 pm Reply

Post a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.