Top
PowerApps

End user receives pop-up asking for permission when launching PowerApps


I’m a big fan of working with PowerApps and creating business solutions using that tool. Until last week I wasn’t aware, that when I use specific permissions to access data sources (SharePoint in that case) inside my app, the end user who is going to use that app will be asked for permissions, to be able to use that application.

The message users were seeing was as following:

PowerApps app needs user permissions
Prompt for permissions

This situation is usually a “no go” from business owners, who are asking “why is this showing” and claiming, that when a regular, end user sees it, he is not going to click anything because of the confusion. Well, they are right.

Solution?

I was looking the internet for some of the solutions, information, how to impersonate such connection or elevate permissions for it, so that user is not asked to grant them on his own. I found, that there is an idea already submitted: https://powerusers.microsoft.com/t5/PowerApps-Ideas/Delegate-to-Administrator-Allow-access-window-when-sharing/idi-p/98739 about allowing to make connections on behalf of a specific account. Cool, but that’s an idea only.

Then I found this topic: https://powerusers.microsoft.com/t5/General-Discussion/End-Users-receive-pop-up-asking-for-permission-when-launching/td-p/31906/ and the solution described using PowerShell Cmdlets for PowerApps (described here: https://docs.microsoft.com/en-us/powerapps/administrator/powerapps-powershell).

I tried them, and it works! Below a step by step, so that you can get rid of these popups forever.

PowerApps cmdlets installation

Important! From 2019-01-07 the cmdlets have been split into two groups: administrator and maker. To run any of the administrator cmdlet account must have PowerApps P2 license assigned.

Source: https://powerapps.microsoft.com/en-us/blog/gdpr-admin-powershell-cmdlets/

Important! You have to have administration account on your machine and be a Global Administrator of your Office 365 tenant, to follow the installation and execution steps!

  • Download the PowerShell Scripts file.
  • Unzip the file into a folder.
  • Open Windows PowerShell as an administrator.
  • Set the location path of your PowerShell console to the folder, where you unzipped the scripts (using the “cd” command).

You need now to elevate/ change Execution Policy level of the scripts on your machine. Type the below in PowerShell window:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

Next, as the Microsoft team is saying, that there is a known issue today that may also require to manually unblock the PowerShell, copy and paste the following command:

dir . | Unblock-File

Next, import necessary modules:

Import-Module .\Microsoft.PowerApps.Administration.PowerShell.psm1 -Force 
Import-Module .\Microsoft.PowerApps.PowerShell.psm1 -Force

PowerApps cmdlets execution

This call will open a prompt to collect the credentials (AAD account & password) that will be used by the commands. Provide your Global Admin credentials. It is going to be valid for the next 8 hours:

Add-PowerAppsAccount
Prompt for credentials for PowerApps Cmdlets
Prompt for credentials

Next open the details page of the PowerApps app you would like to “enhance” and copy its App ID:

PowerApps app id
Obtaining PowerApps App ID

Be sure, that the Global Admin account, if different to yours, also has “Co-owner” access to the app or is the “Owner” (and has PowerApps P2 license assigned). In case not, share the app with that account:

Sharing PowerApps app with user as "Co-owner"
Sharing PowerApps app with user as “Co-owner”

Now copy, replace “APP-ID” with yours and execute the following Cmdlet, to bypass requesting for permissions:

Set-AdminPowerAppApisToBypassConsent -AppName APP-ID -ApiVersion 2017-05-01
Correctly executed Cmdlet
Correctly executed Cmdlet

If all went fine, you should now see the “Code: 200” and “Description: OK”. Starting now, when your end users are going to open the app, they will not see that prompt for permissions again.

Disclaimer: before executing the Cmdlet I have republished the app using the Global Admin account. Haven’t checked if all would work without that. Nevertheless, once the Cmdlet was run, I have been developing the app with my regular account, published it several times and the prompt is not showing up anymore.


Tomasz Poszytek

Hi, I am Tomasz. I am expert in the field of process automation and business solutions' building using Power Platform. I am Microsoft MVP and Nintex vTE.

8 Comments
  • Anton

    I’m not seeing where to download the powershell scripts. The link may have been changed or the content since this blog was posted. Could you elaborate or update your notes? Thank you!!!

    May 24, 2019 at 8:09 pm Reply
  • Manish

    Thank you for the articles.
    I had a question regarding the permissions.
    Do these commnads give the logged in user elevated permissions on the data sources being used by the powerapp?
    e.g., if the powerapp has a sharepoint connection and performs both read and write operation. If the logged in user only has read permission on sharepoint, will this powershell allow for elevated permissions to write to the sharepoint list as well?

    Regards,
    Manish

    March 11, 2020 at 5:16 am Reply
    • Tomasz Poszytek

      No, they don’t give elevated permissions. They just make that this message to consciously allow app to use connection on user’s behalf is not shown and this approval is done by default.
      To read about elevated permissions try this post: Elevated permissions in Microsoft Flow.

      March 11, 2020 at 4:49 pm Reply
  • Arun

    Would this work for ‘Dynamics 365 Finance & Operation’ connector as well.

    May 26, 2020 at 1:20 pm Reply
    • Tomasz Poszytek

      Hi, this should work for any connectors used by Power App.

      May 28, 2020 at 1:42 pm Reply
  • jahnavi

    I am using Outlook connector in power apps to send mails by logged i user.How to revoke other permissions such as create,delete permissions e.tc. for the end users which are not necessary

    July 29, 2020 at 6:45 pm Reply
    • Tomasz Poszytek

      You can’t. End-user has full permissions to their mailbox. So does connection created on their behalf.

      July 30, 2020 at 8:22 pm Reply

Post a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.