Solved: PERMISSIONS: PowerApps for App Makers- Remove User...

ericonline · ‎08-22-2019

Hello,

Using the PowerApps for App Makers action "Edit App Role Assignment":

I'm able to add a new user to a PowerApp (basically share the app with them)
I'm not able to delete a user from having access to a PowerApp ("unshare").

Sharing: (works):

Unsharing: (doesn't work):

Error message says:

{
  "error": {
    "code": "AzureResourceManagerRequestFailed",
    "message": "The request failed with error: 'The Principal ID 'some.one@company.com' is not valid. Principal ID must be a GUID.'. The tracking Id is '1111111-11111-11111-1111-11111111'.",
    "details": [
      {
        "code": "MultipleErrorsOccurred",
        "message": "There were multiple errors from the API Hubs service. Please see the details for more information.",
        "details": [
          {
            "code": "InvalidPrincipalId",
            "message": "The Principal ID 'some.one@company.com' is not valid. Principal ID must be a GUID."
          }
        ]
      },
      {
        "code": "FullNonLocalizedError",
        "message": "{\"error\":{\"code\":\"InvalidPrincipalId\",\"message\":\"The Principal ID 'some.one@company.com' is not valid. Principal ID must be a GUID.\"}}"
      }
    ]
  }
}

What "Principal ID" is PowerApps looking for here?
Why does users email work for sharing an app, but not for unsharing?

Thank you

RezaDorrani · ‎08-23-2019

Hi @ericonline

Ok I think I got it

Here you go

https://github.com/rdorrani/Microsoft-Flow/blob/master/EditAppRoleAssignmentByEmailAddress_201908231...

Regards,

Reza Dorrani

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

View solution in original post

RezaDorrani · ‎08-22-2019

Hi @ericonline

do get user profile first using o365 users connection

then use the dynamic content "Id" property

I just tested it and it works 🙂

Regards,

Reza Dorrani

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

ericonline · ‎08-22-2019

Hi @RezaDorrani ,

Thank you for the prompt assistance. It really helps keep momentum when working through a problem.

I was able to use O365 to get the id of user, but the Delete action is not working. User still has permissions to the app:

Flow action:

Results: (Flow successfully runs, but user still has permissions to the app):

User still has permissions:

What else needs to be done to remove user permissions to an app?

RezaDorrani · ‎08-22-2019

Hi @ericonline

weird - worked for me

clear your browser cache and check the permissions again

ericonline · ‎08-22-2019

Newp... same results in Incognito Mode.
Do you have any other fields populated besides, App Name, API Version, Filter Query, Content-Type and UserID in the Delete field?

RezaDorrani · ‎08-22-2019

Hi @ericonline

ericonline · ‎08-22-2019

@RezaDorrani
Hm... Is the Output a blank array upon successfully removing a user?
This is what my results look like:

RezaDorrani · ‎08-22-2019

Hi @ericonline

Yes blank output - same as yours

Is your app and flow in the same environment?

Are you the system administrator for the envrionment?

ericonline · ‎08-22-2019

Yep:

Both the Flow and the App are both in our DEV env
I am admin for the DEV env

RezaDorrani · ‎08-22-2019

Hi @ericonline

Try sharing the app with some more test users

and try removing them from Flow

for the office365users get user profile action - hardcode their user name in there to and test

ericonline · ‎08-22-2019

@RezaDorrani , I appreciate the ideas...

Same result after hardcoding the O365 Get Profile email.
Flow is successful...

Users still have permissions on the application:

Going to try to recreate the Flow and see if that "shakes it loose".

ericonline · ‎08-22-2019

@RezaDorrani , so here is the only way I could get this to work. I'm surprised that the O365 id worked for you and curious why it doesn't work for me/my org.

Findings:

The O365 Get User Profile "id" value is not equal to the PowerApps "id" value returned from Get App Role Assignments

Example:

O365 Get User Profile id:
- ```
f325151a-a53f-4g75-b3d7-b6c634b928hj
```

Get App Role Assignments id:

/providers/Microsoft.PowerApps/apps/ae111t1i-11a4-1d01-b1v1-2e3c482603f7/permissions/viral-g8x3a2po-12ee-421a-b678-98456789fda4

What works:

If I hardcode the entire Get App Role Assignments id into the "delete id" field (yes, the entire path including "/" ' s), I can remove the user permission from the PowerApp

What I need:

To figure out how filter the email addresses from Get App Role Assignments by the email address of the person selected for removal
Grab their PowerApps id
Pass that to Edit App Role Assignment

ericonline · ‎08-23-2019

@RezaDorrani ,

I'm struggling to compare the email address for the person whom I need to remove permissions for against the response from Get App Assignments. I need to pull in the ID from there.
Any ideas?

RezaDorrani · ‎08-23-2019

Hi @ericonline

Get App Role Assignments id:

/providers/Microsoft.PowerApps/apps/ae111t1i-11a4-1d01-b1v1-2e3c482603f7/permissions/viral-g8x3a2po-12ee-421a-b678-98456789fda4

So from the above string - which part you need?

RezaDorrani · ‎08-23-2019

Hi @ericonline

Ok I think I got it

Here you go

https://github.com/rdorrani/Microsoft-Flow/blob/master/EditAppRoleAssignmentByEmailAddress_201908231...

Regards,

Reza Dorrani

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

View solution in original post

ericonline · ‎08-23-2019

Hi @RezaDorrani ,

Believe it or not, I have to pass the entire value to the Edit App Assignment action to remove user permissions.

The challenge:

Here is the user that should have their permissions deleted:

Another.Guy@mycompany.com

Here is an example response from Get App Assignment:

[
  {
    "name": "redacted",
    "id": "/providers/Microsoft.PowerApps/apps/veryLongString/permissions/alsoLongString",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "Owner",
      "principal": {
        "id": "notTheCorrectID",
        "displayName": "Cool, Someone",
        "email": "someone.cool@mycompany.com",
        "type": "User",
        "tenantId": "redacted"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/redacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  },
  {
    "name": "viral-longString",
    "id": "/providers/Microsoft.PowerApps/apps/redacted/permissions/viral-longString",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "CanView",
      "principal": {
        "email": "Another.Guy@mycompany.com",
        "type": "User"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/readacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  },
  {
    "name": "viral-longString2",
    "id": "/providers/Microsoft.PowerApps/apps/redacted/permissions/viral-longString2",
    "type": "Microsoft.PowerApps/apps/permissions",
    "properties": {
      "roleName": "CanView",
      "principal": {
        "email": "Another.Guy2@mycompany.com",
        "type": "User"
      },
      "scope": "/providers/Microsoft.PowerApps/environments/redacted/apps/redacted",
      "notifyShareTargetOption": "NotSpecified",
      "inviteGuestToTenant": false
    }
  }
]

How do I pull the entire ID out of the JSON for the given email address using Flow?

I've tried Parse JSON after the Get App Assignment action, but can't quite figure out the ForAll/etc. to use.

ericonline · ‎08-23-2019

@RezaDorrani ! @RezaDorrani ! @RezaDorrani !

FilterArray worked perfectly. I'm going to study that one as learning to manipulate JSON with WDL is an absolute critical skill.

Thank you very much for your expertise. Hope this thread serves others as well.

One baffler is why the O365 id worked in your tenant but not mine...

RezaDorrani · ‎08-23-2019

Hi @ericonline

Glad it worked out

In my case both the O365 user profile id and the user app based id match (that could be the reason)

ericonline · ‎08-23-2019

I'm having some issues with the method we devised. It is not working as intended. Seems like a new but related topic so moved it to a new thread here.

ericonline · ‎08-23-2019

Had to pull out PowerShell to see what was going on with the ID's. Findings below.

Within my org's tenant, all app Users are assigned a PowerApps ID aptly prefixed with "viral-".
These are NOT equal to the Users O365 ID.
Example Users PowerApps ID:

/providers/Microsoft.PowerApps/apps/APP_ID/permissions/viral-longHexDecimalString

All app Owners are assigned a PowerApps ID that IS equal to the Users O365 ID.
I suspect you were adding/removing yourself (as an owner) from the test app.
Or your tenant is not being provisioned with the "viral-" prefix on PowerApps ID's, but rather the users O365 ID

PERMISSIONS: PowerApps for App Makers- Remove User Permissions?

Helpful resources

Power Platform Community Conference

Power Platform ISV Studio