Hi @ericonline 

do get user profile first using o365 users connection

then use the dynamic content "Id" property

I just tested it and it works 🙂

Regards,

Reza Dorrani

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

Hi @RezaDorrani , 

Thank you for the prompt assistance. It really helps keep momentum when working through a problem. 

I was able to use O365 to get the id of user, but the Delete action is not working. User still has permissions to the app:

Flow action:

Results: (Flow successfully runs, but user still has permissions to the app):

User still has permissions:

What else needs to be done to remove user permissions to an app?

Hi @ericonline 

weird - worked for me

clear your browser cache and check the permissions again

Newp... same results in Incognito Mode.
Do you have any other fields populated besides, App Name, API Version, Filter Query,  Content-Type and UserID in the Delete field? 

Hi @ericonline 

@RezaDorrani 
Hm... Is the Output a blank array upon successfully removing a user?
This is what my results look like:

Hi @ericonline 

Yes blank output - same as yours

Is your app and flow in the same environment?

Are you the system administrator for the envrionment?

Yep:

• Both the Flow and the App are both in our DEV env
• I am admin for the DEV env

Hi @ericonline 

Try sharing the app with some more test users 

and try removing them from Flow

for the office365users get user profile action - hardcode their user name in there to and test

@RezaDorrani , I appreciate the ideas...

Same result after hardcoding the O365 Get Profile email.
Flow is successful...

Users still have permissions on the application:

Going to try to recreate the Flow and see if that "shakes it loose".

@RezaDorrani , so here is the only way I could get this to work. I'm surprised that the O365 id worked for you and curious why it doesn't work for me/my org.

Findings: 

• The O365 Get User Profile "id" value is not equal to the PowerApps "id" value returned from Get App Role Assignments

Example: 

• O365 Get User Profile id:

  • f325151a-a53f-4g75-b3d7-b6c634b928hj

• Get App Role Assignments id:

  • /providers/Microsoft.PowerApps/apps/ae111t1i-11a4-1d01-b1v1-2e3c482603f7/permissions/viral-g8x3a2po-12ee-421a-b678-98456789fda4

What works:

• If I hardcode the entire Get App Role Assignments id into the "delete id" field (yes, the entire path including "/" ' s), I can remove the user permission from the PowerApp

What I need:

• To figure out how filter the email addresses from Get App Role Assignments by the email address of the person selected for removal
• Grab their PowerApps id
• Pass that to Edit App Role Assignment

@RezaDorrani , 

I'm struggling to compare the email address for the person whom I need to remove permissions for against the response from Get App Assignments. I need to pull in the ID from there. 
Any ideas?

Hi @ericonline 

Get App Role Assignments id:

• /providers/Microsoft.PowerApps/apps/ae111t1i-11a4-1d01-b1v1-2e3c482603f7/permissions/viral-g8x3a2po-12ee-421a-b678-98456789fda4

  So from the above string - which part you need?

Hi @RezaDorrani , 

Believe it or not, I have to pass the entire value to the Edit App Assignment action to remove user permissions. 

The challenge:

Here is the user that should have their permissions deleted: 

Another.Guy@mycompany.com

Here is an example response from Get App Assignment:

[
  {
    "name": "redacted",
    "id": "/providers/Microsoft.PowerApps/apps/veryLongString/permissions/alsoLongString",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "Owner",
      "principal": {
        "id": "notTheCorrectID",
        "displayName": "Cool, Someone",
        "email": "someone.cool@mycompany.com",
        "type": "User",
        "tenantId": "redacted"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/redacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  },
  {
    "name": "viral-longString",
    "id": "/providers/Microsoft.PowerApps/apps/redacted/permissions/viral-longString",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "CanView",
      "principal": {
        "email": "Another.Guy@mycompany.com",
        "type": "User"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/readacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  },
  {
    "name": "viral-longString2",
    "id": "/providers/Microsoft.PowerApps/apps/redacted/permissions/viral-longString2",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "CanView",
      "principal": {
        "email": "Another.Guy2@mycompany.com",
        "type": "User"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/redacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  }
]

How do I pull the entire ID out of the JSON for the given email address using Flow?

I've tried Parse JSON after the Get App Assignment action, but can't quite figure out the ForAll/etc. to use.

@RezaDorrani ! @RezaDorrani ! @RezaDorrani !

FilterArray worked perfectly. I'm going to study that one as learning to manipulate JSON with WDL is an absolute critical skill. 

Thank you very much for your expertise. Hope this thread serves others as well.

One baffler is why the O365 id worked in your tenant but not mine...

Hi @ericonline 

Glad it worked out 

In my case both the O365 user profile id and the user app based id match (that could be the reason)

I'm having some issues with the method we devised. It is not working as intended. Seems like a new but related topic so moved it to a new thread here.

Had to pull out PowerShell to see what was going on with the ID's. Findings below.

• Within my org's tenant, all app Users are assigned a PowerApps ID aptly prefixed with "viral-".
• These are NOT equal to the Users O365 ID. 
• Example Users PowerApps ID:

/providers/Microsoft.PowerApps/apps/APP_ID/permissions/viral-longHexDecimalString

• All app Owners are assigned a PowerApps ID that IS equal to the Users O365 ID.
• I suspect you were adding/removing yourself (as an owner) from the test app.
• Or your tenant is not being provisioned with the "viral-" prefix on PowerApps ID's, but rather the users O365 ID