Super User

Designated App Owner AD Best Practices

Hello, 

 

Calling @timl, @wyotim, @Anonymous, @mr-dang, @v-monli-msft, @CarlosFigueira and all PowerAppers.

 

I'd like to show our admins the power of the PowerApp community by crowdsourcing some experiences here if possible.

 

We're doing longevity planning for PowerApps within our organization and I'd love some community input on the best practices for the following considerations:

 

  • Has anyone utilized AD "service accounts" or the like, for app authoring instead of individual user accounts?
    • Ex: "powerapps@mycompany.com" vs. "eric@mycompany.com"
    • If so, what are some considerations before embarking?
      • AD Security
      • Account permission issues
      • Connector issues
      • Governance experience, etc.
  • Is anyone utilizing different PowerApps environments for specific purposes? 
    • Ex1: Dev, Trial, Prod
    • Ex2: Environment for each department or team
    • If so, what are some considerations before creating these env's?
      • We found one already: On-prem Data Gateway only works in the Default env. 

Your insights are really appreciated!


Thank you

1 ACCEPTED SOLUTION

mr-dang
Level 10

Re: Designated App Owner AD Best Practices

Hi Eric,

These are good questions. Setting up multiple environments for Dev, UAT, Prod, etc. is a good best practice. I would recommend it. I am also in favor of service accounts. I had wished you were able to join us last Wednesday and Thursday--many of these topics had come up.

 

I'm not sure what everyone's handle is on the forum (those who were at the events), but perhaps one of them can share more granularity about service accounts and using environments. Depending on details of setup, some sensitive content might be better suited for PM or email.

 

@emckinney81 @MartinLee @KeithWhatling

 

Here are some briefs on what's coming up for admins:

https://docs.microsoft.com/en-us/business-applications-release-notes/October18/powerapps/trusted-ent...

 

And a shortcut to all the notes about the Road Map:

https://aka.ms/businessapplicationsreleasenotes

 

Brian

Microsoft Employee
@8bitclassroom


17 REPLIES
DanielaH
Level 8

Re: Designated App Owner AD Best Practices

Hi ericonline

I am currently using an AD 'service account' for the purpose of publishing and sharing apps within my company (power.apps@xxx.com). Considerations were:

 

  • Account needs to have sufficient O365 license to ensure the account can use anything it needs including PowerApps, Flow, SharePoint, Power BI, etc. We provided an E3 license.
  • The benefit is that 'Power Apps' now appears as an app author not my individual name.
  • Key reason was that IT can now support PowerApps through this account, rather than everything running through my individual account.
  • Account needs to be granted permission to anything it uses, specifically the database. I primarily work with SharePoint lists so I just share those with this account.

I actually develop the apps on my account and once they are 'finished' I extract them and import them into the Power.Apps account which is very simple. For example, Flows associated with the app are automatically extracted and recreated. 

I am currently publishing all apps within the same environment.

 

So far this is working very well! 🙂

 

DanielaH
Level 8

Re: Designated App Owner AD Best Practices

Hi ericonline

I am currently using an AD 'service account' for the purpose of publishing and sharing apps within my company (power.apps@ooo.com). Considerations were:

 

  • Account needs to have sufficient O365 license to ensure the account can use anything it needs including PowerApps, Flow, SharePoint, Power BI, etc. We provided an E3 license.
  • The benefit is that 'Power Apps' now appears as an app author not my individual name.
  • Key reason was that IT can now support PowerApps through this account, rather than everything running through my individual account.
  • Account needs to be granted permission to anything it uses, specifically the data source. I primarily work with SharePoint lists so I just share those with this account.

I actually develop the apps on my account and once they are 'finished' I extract them and import them into the Power.Apps account which is very simple. For example, Flows associated with the app are automatically extracted and recreated. 

I am currently publishing all apps within the same environment.

 

So far this is working very well! 🙂

 

Super User

Re: Designated App Owner AD Best Practices

Awesome feedback, thank you @DanielaH!

 

Can I ask you: 

  • Do you have any governance around the use of the service account? 
  • I know our security dept does NOT like to use generic accounts.
  • How have you all addressed this piece?
DanielaH
Level 8

Re: Designated App Owner AD Best Practices

Hi ericonline,

 

Yes, we were having the same discussion around security/governance, but the need to run apps through a generic account was simply unavoidable. You could restrict the account to not have access to the network, or force the O365 license to only run predefined applications (PowerApps, Flow, whatever the account needs access to) to reduce the security concerns.

I think security will never be happy with generic accounts and the best you can do is limit what someone 'could' do with it if they gained access. 😉

 

Will be interesting to hear the recommendations and tips of others.
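
The license restriction suggested in the reply above, as an added example (not part of the original post and not code from any poster in this thread): it keeps only the Power Apps, Flow and SharePoint service plans enabled on an E3-licensed app-owner account and disables the rest. It assumes the Microsoft Graph PowerShell SDK; the UPN is a placeholder and the keep-list is one possible choice.

```powershell
# Added example: least-privilege licensing for a shared app-owner account.
# Assumptions: the Microsoft.Graph PowerShell module is installed, the account
# already holds an Office 365 E3 license, and the UPN below is a placeholder.

$ServiceAccountUpn = 'powerapps@example.com'   # placeholder, not a real account
$SkuPartNumber     = 'ENTERPRISEPACK'          # SKU part number of Office 365 E3
$KeepPlans = @(                                # service plans left enabled
    'POWERAPPS_O365_P2',     # Power Apps for Office 365
    'FLOW_O365_P2',          # Flow for Office 365
    'SHAREPOINTENTERPRISE'   # SharePoint Online, the data source in the thread
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant." }

# Fail early if a keep-list entry is misspelled or absent from the SKU,
# otherwise a typo would silently disable a plan the apps depend on.
$missing = $KeepPlans | Where-Object { $_ -notin $sku.ServicePlans.ServicePlanName }
if ($missing) { throw "Not in ${SkuPartNumber}: $($missing -join ', ')" }

# Every user-assignable plan that is not on the keep-list gets disabled.
$disabled = $sku.ServicePlans |
    Where-Object { $_.AppliesTo -eq 'User' -and $_.ServicePlanName -notin $KeepPlans } |
    Select-Object -ExpandProperty ServicePlanId

# Re-assigning the same SKU with DisabledPlans updates the existing assignment.
Set-MgUserLicense -UserId $ServiceAccountUpn -RemoveLicenses @() -AddLicenses @(
    @{ SkuId = $sku.SkuId; DisabledPlans = $disabled }
) | Out-Null

# Read back what is still enabled so the result can be kept as review evidence.
Get-MgUserLicenseDetail -UserId $ServiceAccountUpn |
    Where-Object SkuId -eq $sku.SkuId |
    Select-Object -ExpandProperty ServicePlans |
    Where-Object ProvisioningStatus -ne 'Disabled' |
    Select-Object ServicePlanName, ProvisioningStatus
```

Any plan the apps rely on, such as a mailbox plan for apps that send email through the account, has to be added to the keep-list before running this.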

Super User

Re: Designated App Owner AD Best Practices

Thank you again for the great feedback. 

 

Continuing the convo if you have the time: 

  • If the service account (for lack of a better term) doesn't have network access, do you know if it can still be used to author a PowerApp that has Flows or Sends Emails? 
DanielaH
Level 8

Re: Designated App Owner AD Best Practices

Hi ericonline

 

Good point. This was just one of the suggested solutions I received from our security guys, which I dismissed in our case since the apps need access to SharePoint. We essentially restrict what applications the account can run; if it can only run PowerApps and access the data source, the security concerns are reduced, I guess. 😉

Super User

Re: Designated App Owner AD Best Practices

Great resources. Thank you very much @mr-dang.
