cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Super User
Super User

PERMISSIONS: PowerApps for App Makers- Remove User Permissions?

Hello,

Using the PowerApps for App Makers action "Edit App Role Assignment":

 

  • I'm able to add a new user to a PowerApp (basically share the app with them)
  • I'm not able to delete a user from having access to a PowerApp ("unshare").

Sharing: (works):

image.png

Unsharing: (doesn't work):

image.png

Error message says:

 

{
  "error": {
    "code": "AzureResourceManagerRequestFailed",
    "message": "The request failed with error: 'The Principal ID 'some.one@company.com' is not valid. Principal ID must be a GUID.'. The tracking Id is '1111111-11111-11111-1111-11111111'.",
    "details": [
      {
        "code": "MultipleErrorsOccurred",
        "message": "There were multiple errors from the API Hubs service. Please see the details for more information.",
        "details": [
          {
            "code": "InvalidPrincipalId",
            "message": "The Principal ID 'some.one@company.com' is not valid. Principal ID must be a GUID."
          }
        ]
      },
      {
        "code": "FullNonLocalizedError",
        "message": "{\"error\":{\"code\":\"InvalidPrincipalId\",\"message\":\"The Principal ID 'some.one@company.com' is not valid. Principal ID must be a GUID.\"}}"
      }
    ]
  }
}
  • What "Principal ID" is PowerApps looking for here?
  • Why does users email work for sharing an app, but not for unsharing?

Thank you

 

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @ericonline 

 

Ok I think I got it

 

Here you go

 

https://github.com/rdorrani/Microsoft-Flow/blob/master/EditAppRoleAssignmentByEmailAddress_201908231...

 

Regards,

Reza Dorrani

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

View solution in original post

19 REPLIES 19
Dual Super User II
Dual Super User II

Hi @ericonline 

 

do get user profile first using o365 users connection

 

then use the dynamic content "Id" property

 

I just tested it and it works 🙂

 

Regards,

Reza Dorrani

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

Hi @RezaDorrani , 

Thank you for the prompt assistance. It really helps keep momentum when working through a problem. 

I was able to use O365 to get the id of user, but the Delete action is not working. User still has permissions to the app:

Flow action:

image.png

Results: (Flow successfully runs, but user still has permissions to the app):

image.png

User still has permissions:

image.png

What else needs to be done to remove user permissions to an app?

Hi @ericonline 

 

weird - worked for me

 

clear your browser cache and check the permissions again

Newp... same results in Incognito Mode.
Do you have any other fields populated besides, App Name, API Version, Filter Query,  Content-Type and UserID in the Delete field? 

Hi @ericonline 

 

Capture.PNG

@RezaDorrani 
Hm... Is the Output a blank array upon successfully removing a user?
This is what my results look like:

image.png

Hi @ericonline 

 

Yes blank output - same as yours

 

Capture.PNG

 

 

Is your app and flow in the same environment?

Are you the system administrator for the envrionment?

 

Yep:

  • Both the Flow and the App are both in our DEV env
  • I am admin for the DEV env

Hi @ericonline 

 

Try sharing the app with some more test users 

 

and try removing them from Flow

 

for the office365users get user profile action - hardcode their user name in there to and test

@RezaDorrani , I appreciate the ideas...

Same result after hardcoding the O365 Get Profile email.
Flow is successful...

image.png

Users still have permissions on the application:

image.png

Going to try to recreate the Flow and see if that "shakes it loose".

@RezaDorrani , so here is the only way I could get this to work. I'm surprised that the O365 id worked for you and curious why it doesn't work for me/my org.

Findings: 

  • The O365 Get User Profile "id" value is not equal to the PowerApps "id" value returned from Get App Role Assignments

Example: 

  • O365 Get User Profile id:
    • f325151a-a53f-4g75-b3d7-b6c634b928hj
  • Get App Role Assignments id:
    • /providers/Microsoft.PowerApps/apps/ae111t1i-11a4-1d01-b1v1-2e3c482603f7/permissions/viral-g8x3a2po-12ee-421a-b678-98456789fda4

What works:

  • If I hardcode the entire Get App Role Assignments id into the "delete id" field (yes, the entire path including "/" ' s), I can remove the user permission from the PowerApp

What I need:

  • To figure out how filter the email addresses from Get App Role Assignments by the email address of the person selected for removal
  • Grab their PowerApps id
  • Pass that to Edit App Role Assignment

@RezaDorrani , 

I'm struggling to compare the email address for the person whom I need to remove permissions for against the response from Get App Assignments. I need to pull in the ID from there. 
Any ideas?

Hi @ericonline 

 

Get App Role Assignments id:

  • /providers/Microsoft.PowerApps/apps/ae111t1i-11a4-1d01-b1v1-2e3c482603f7/permissions/viral-g8x3a2po-12ee-421a-b678-98456789fda4

    So from the above string - which part you need?

Hi @ericonline 

 

Ok I think I got it

 

Here you go

 

https://github.com/rdorrani/Microsoft-Flow/blob/master/EditAppRoleAssignmentByEmailAddress_201908231...

 

Regards,

Reza Dorrani

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

View solution in original post

Hi @RezaDorrani , 

Believe it or not, I have to pass the entire value to the Edit App Assignment action to remove user permissions. 

The challenge:

Here is the user that should have their permissions deleted: 

Another.Guy@mycompany.com

Here is an example response from Get App Assignment:

[
  {
    "name": "redacted",
    "id": "/providers/Microsoft.PowerApps/apps/veryLongString/permissions/alsoLongString",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "Owner",
      "principal": {
        "id": "notTheCorrectID",
        "displayName": "Cool, Someone",
        "email": "someone.cool@mycompany.com",
        "type": "User",
        "tenantId": "redacted"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/redacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  },
  {
    "name": "viral-longString",
    "id": "/providers/Microsoft.PowerApps/apps/redacted/permissions/viral-longString",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "CanView",
      "principal": {
        "email": "Another.Guy@mycompany.com",
        "type": "User"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/readacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  },
  {
    "name": "viral-longString2",
    "id": "/providers/Microsoft.PowerApps/apps/redacted/permissions/viral-longString2",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "CanView",
      "principal": {
        "email": "Another.Guy2@mycompany.com",
        "type": "User"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/redacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  }
]

How do I pull the entire ID out of the JSON for the given email address using Flow?

I've tried Parse JSON after the Get App Assignment action, but can't quite figure out the ForAll/etc. to use.

 

@RezaDorrani ! @RezaDorrani ! @RezaDorrani !

FilterArray worked perfectly. I'm going to study that one as learning to manipulate JSON with WDL is an absolute critical skill. 

Thank you very much for your expertise. Hope this thread serves others as well.

 

One baffler is why the O365 id worked in your tenant but not mine...

Hi @ericonline 

 

Glad it worked out 

 

In my case both the O365 user profile id and the user app based id match (that could be the reason)

 

 

I'm having some issues with the method we devised. It is not working as intended. Seems like a new but related topic so moved it to a new thread here.

Had to pull out PowerShell to see what was going on with the ID's. Findings below.

  • Within my org's tenant, all app Users are assigned a PowerApps ID aptly prefixed with "viral-".
  • These are NOT equal to the Users O365 ID. 
  • Example Users PowerApps ID:

 

/providers/Microsoft.PowerApps/apps/APP_ID/permissions/viral-longHexDecimalString
  • All app Owners are assigned a PowerApps ID that IS equal to the Users O365 ID.
  • I suspect you were adding/removing yourself (as an owner) from the test app.
  • Or your tenant is not being provisioned with the "viral-" prefix on PowerApps ID's, but rather the users O365 ID

Helpful resources

Announcements
Community Conference

Power Platform Community Conference

Check out the on demand sessions that are available now!

MPA Community Blog

Power Automate Community Blog

Check out the community blog page where you can find valuable learning material from community and product team members!

Top Solution Authors
Top Kudoed Authors
Users online (9,053)