Managing Power Apps Offline Access with M365 Security Groups
Table of contents:
This post is a result of a challenge I faced sometime ago during a project, which goal was creation of a Power App using offline capabilities.
The situation
Customer asked me to build an app, that will be working offline. I immediately took a look at the new Power Apps offline features which are using Microsoft Dataverse for storing data. The new functionality is absolutely brilliant and despite that it’s in a preview, works very stable, setup is done within minutes, and you really don’t need to configure many additional settings to make it work. Fantastic!
Anyways, to be able to use this new features, you have to:
- Put an app and tables in a solution,
- Configure tables to allow them to work in offline mode,
- Grant security roles to users,
- Create a mobile offline profile, and configure it.
This all is pretty easy, however there are some security considerations:
- The app must be shared with users (so they can use it),
- Users must be added to the environment where the app is deployed and they must be granted specific security roles, so they can use the offline profile,
- Users must be added to the offline profile, so that they can use offline capabilities of the app.
And so this again may sound like a pretty easy admin work, but imagine the group of users is dynamic, and you are getting a request to add new/ remove existing each day? Managing them in 3 (or more!) places may easily turn into a nightmare 😉
The solution
What grabbed my attention, was a label inside the field, that is used to add users to a mobile offline profile. It reads “or team name”. I started looking what kind of team is meant here.
It turned out, this is not a Microsoft Teams team, this is not Microsoft 365 Group either. It wasn’t even a Security group! I was a little confused and lost, as I couldn’t find any solution. And then customer pointed me to “Teams”, that can be configured on the environment level:
Jackpot! That was the place. Ok, so what you have to do: First I create a regular, Security group in Microsoft Entra ID (this could be Microsoft 365 Group either) and map it to the new team in the environment:
Then you select the Security or Office group of your choice and lastly – decide what members from the group will be assigned access:
Then, select the created Team, then select “Manage security roles” to grant its members permissions to access tables within the Mobile offline profile – Environment maker is minimum (or if you did create a custom security role, then assign it):
Finally, navigate back to the Mobile Offline Profile configuration and add your newly created team as the “Users with offline access”:
To close the loop, navigate to the app that uses offline capabilities, and share it with the Security group as well:
And that’s it! This way, you don’t really need to navigate to three separate places to handle users’ access, grant them security roles and share the app. You can simply do it from either a Microsoft 365 Group membership page, or via Microsoft Entra ID Security group membership. All the rest is done automatically for you.
I really hope you find this post useful. Let me know in comments if this solutions let you to save significant amount of work too! 🙂
Divine
Hi, I am using this feature. However, I need to manage users role based on the Team Group they belong to. While this works online on PowerApps web, the role does not work on mobile correctly. Also, I can’t retrieve users within a Team Group when on Mobile.
Any idea why this is happening?
Tomasz Poszytek
Sorry, I don’t know what the reason of such behavior could be.