Designated App Owner AD Best Practices

Hello, 

 

Calling @timl, @wyotim, @Anonymous, @mr-dang, @v-monli-msft, @CarlosFigueira and all PowerAppers.

 

I'd like to show our admins the power of the PowerApp community by crowdsourcing some experiences here if possible.

 

We're doing longevity planning for PowerApps within our organization and I'd love some community input on the best practices for the following considerations:

 

  • Has anyone utilized AD "service accounts" or the like, for app authoring instead of individual user accounts?
    • Ex: "powerapps@mycompany.com" vs. "eric@mycompany.com"
    • If so, what are some considerations before embarking?
      • AD Security
      • Account permission issues
      • Connector issues
      • Governance experience, etc.
  • Is anyone utilizing different PowerApps environments for specific purposes? 
    • Ex1: Dev, Trial, Prod
    • Ex2: Environment for each department or team
    • If so, what are some considerations before creating these env's?
      • We found one already: On-prem Data Gateway only works in the Default env. 

Your insights are really appreciated!


Thank you

1 ACCEPTED SOLUTION

Community Champion

Re: Designated App Owner AD Best Practices

Hi Eric,

These are good questions. Setting up multiple environments for Dev, UAT, Prod, etc. is a good best practice. I would recommend it. I am also in favor of service accounts. I had wished you were able to join us last Wednesday and Thursday--many of these topics had come up.

 

I'm not sure what everyone's handle is on the forum (those who were at the events), but perhaps one of them can share more granularity about service accounts and using environments. Depending on details of setup, some sensitive content might be better suited for PM or email.

 

@emckinney81 @MartinLee @Anonymous

 

Here's some briefs on what's coming up for admins:

https://docs.microsoft.com/en-us/business-applications-release-notes/October18/powerapps/trusted-enterprise-grade-platform-for-administrators

 

And a shortcut to all the notes about the Road Map:

https://aka.ms/businessapplicationsreleasenotes

 

Brian

Microsoft Employee
@8bitclassroom

Anonymous

Re: Designated App Owner AD Best Practices

Hi ericonline

I am currently using an AD 'service account' for the purpose of publishing and sharing apps within my company (power.apps@xxx.com). Considerations were:

 

  • Account needs to have sufficient O365 license to ensure the account can use anything it needs including PowerApps, Flow, SharePoint, Power BI, etc. We provided an E3 license.
  • The benefit is that 'Power Apps' now appears as an app author not my individual name.
  • Key reason was that IT can now support PowerApps through this account, rather than everything running through my individual account.
  • Account needs to be granted permission to anything it uses, specifically the database. I primarily work with SharePoint lists so I just share those with this account.

I actually develop the apps on my account and once they are 'finished' I extract them and import them into the Power.Apps account which is very simple. For example, Flows associated with the app are automatically extracted and recreated. 

I am currently publishing all apps within the same environment.

 

So far this is working very well! 🙂

 

Anonymous

Re: Designated App Owner AD Best Practices

Hi ericonline

I am currently using an AD 'service account' for the purpose of publishing and sharing apps within my company (power.apps@ooo.com). Considerations were:

 

  • Account needs to have sufficient O365 license to ensure the account can use anything it needs including PowerApps, Flow, SharePoint, Power BI, etc. We provided an E3 license.
  • The benefit is that 'Power Apps' now appears as an app author not my individual name.
  • Key reason was that IT can now support PowerApps through this account, rather than everything running through my individual account.
  • Account needs to be granted permission to anything it uses, specifically the data source. I primarily work with SharePoint lists so I just share those with this account.

I actually develop the apps on my account and once they are 'finished' I extract them and import them into the Power.Apps account which is very simple. For example, Flows associated with the app are automatically extracted and recreated. 

I am currently publishing all apps within the same environment.

 

So far this is working very well! 🙂

 

Super User

Re: Designated App Owner AD Best Practices

Awesome feedback, thank you @Anonymous!

 

Can I ask you: 

  • Do you have any governance around the use of the service account? 
  • I know our security dept does NOT like to use generic accounts.
  • How have you all addressed this piece?
Anonymous

Re: Designated App Owner AD Best Practices

Hi ericonline,

 

Yes we were having the same discussion around security/governance, but the need to run apps through a generic account was simply unavoidable. You could restrict the account to not have access to the network, or force the O365 license to only run predefined applications (PowerApps, Flow, whatever the account needs access to) to reduce the security concerns. 

 

I think security will never be happy with generic accounts and the best you can do is limit what someone 'could' do with it if they gained access. 😉

 

Will be interesting to hear the recommendations and tips of others.

Super User

Re: Designated App Owner AD Best Practices

Thank you again for the great feedback. 

 

Continuing the convo if you have the time: 

  • If the service account (for lack of a better term) doesn't have network access, do you know if it can still be used to author a PowerApp that has Flows or Sends Emails? 
Anonymous

Re: Designated App Owner AD Best Practices

Hi ericonline

 

Good point. This was just one of the suggested solutions I received from our security guys, which I dismissed in our case since the apps need access to SharePoint. We essentially restrict what applications the account can run; if it can only run PowerApps and access the data source, the security concerns are reduced, I guess. 😉
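
The license restriction described in the two replies above (limiting the service account's O365 license to the applications it needs), sketched as an added example that is not part of the original thread. It uses the Microsoft Graph PowerShell SDK; the account name is a placeholder, and the allowlisted service plan names are assumptions to confirm against your own tenant's SKU listing.

```powershell
# Added example: trim an E3 license on a shared app-owner account to an allowlist.
# Assumptions (not from the thread): the UPN is a placeholder, the account already
# has a UsageLocation set, and the plan names below match your tenant's E3 SKU.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph modules).

$ServiceAccountUpn = 'powerapps-owner@example.com'   # placeholder account
$SkuPartNumber     = 'ENTERPRISEPACK'                # Office 365 E3
$AllowedPlans      = @(
    'POWERAPPS_O365_P2',     # Power Apps for Office 365
    'FLOW_O365_P2',          # Flow for Office 365
    'SHAREPOINTENTERPRISE',  # SharePoint Online (the apps' data source)
    'EXCHANGE_S_ENTERPRISE'  # Exchange Online (only if apps or flows send mail)
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant." }

# Fail closed: an allowlisted name missing from the SKU is a typo or a renamed plan.
$missing = $AllowedPlans | Where-Object { $_ -notin $sku.ServicePlans.ServicePlanName }
if ($missing) { throw "Allowlisted plans not present in SKU: $($missing -join ', ')" }

# Every user-assignable plan that is not on the allowlist gets disabled.
$disabledIds = @(
    $sku.ServicePlans |
        Where-Object { $_.AppliesTo -eq 'User' -and $_.ServicePlanName -notin $AllowedPlans } |
        ForEach-Object ServicePlanId
)

# Assigning the SKU again with DisabledPlans replaces the previous plan selection.
$license = @{ SkuId = $sku.SkuId; DisabledPlans = $disabledIds }
Set-MgUserLicense -UserId $ServiceAccountUpn -AddLicenses @($license) -RemoveLicenses @() |
    Out-Null

# Verify: list the plans that are still enabled on the account.
(Get-MgUserLicenseDetail -UserId $ServiceAccountUpn).ServicePlans |
    Where-Object ProvisioningStatus -ne 'Disabled' |
    Select-Object ServicePlanName, ProvisioningStatus
```

Some service plans depend on others, so the assignment can be rejected if the allowlist omits a prerequisite; the verification step at the end shows what actually remained enabled.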

Super User

Re: Designated App Owner AD Best Practices

Great resources. Thank you very much @mr-dang.
