Looking for a feasible solution which can enable admins to sync the permissions between Canvas App and SharePoint. We are using a Canvas App as a client-facing list form with SharePoint as its data source. Now we need to ensure that whenever the canvas app is shared with a user, the data source, in this case the SharePoint list, is also shared automatically. We also need to ensure that if any user gets added to the SharePoint list, they must be automatically added to the Canvas App permissions.
The most straightforward way to achieve this would be through a security group (or a security-enabled M365 group):
Whenever you make changes to the security group, new members automatically gain access to the app and the site/list. When you remove members, they also lose access to the app and site/list, unless they have individual permissions for the app and/or site/list.
You can find more information here: https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app#security-group-considerations
Hi @joe_hannes_col ,
Thank you for your response. I suggested the same solution before coming here for answers. But our client does not want to go via that route since it would mean that site owners would have to manage an additional security group apart from maintaining the members in the SharePoint site. Also, security groups are maintained by a separate team, and every time we add new members we have to rely on them. Neat solution, though it does not make the cut 🙂
If you used the security group to manage the users for both the Power App and SharePoint, you would not have to manage security of the SharePoint list separately, right? If you change the owner of an M365 group, this person can manage the users without the central IT, if your client would allow for that.
Another option would be to set up a scheduled flow that regularly checks the permissions of your Canvas Apps through the Power Apps for Makers connector: https://docs.microsoft.com/en-us/connectors/powerappsforappmakers/#get-app-role-assignments
If you detect a change, e.g. by comparing it to a SharePoint list you fill with your known Canvas App users, you could then use Graph API to grant additional permissions to these new members: https://docs.microsoft.com/en-us/graph/api/site-list-permissions?view=graph-rest-1.0&tabs=http
You could use the same approach to check SharePoint permissions and grant Canvas Apps permissions.
This would be way more complex than using a Security Group though 😉
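
The comparison step of the scheduled-flow approach described in the reply above, as an added Python example that is not part of the original thread. It assumes the three user lists have already been fetched (no connector or Graph calls are made), that the stored "known users" list serves as the baseline, and that a removal on one side should be propagated rather than undone; the names `reconcile` and `_norm` and the sample addresses are hypothetical.

```python
def _norm(users):
    # UPNs are case-insensitive; normalise so "Ann@..." and "ann@..." match.
    return {u.strip().lower() for u in users}


def reconcile(baseline, app_users, list_users):
    """Three-way comparison of Canvas App and SharePoint list access.

    baseline   -- users in sync after the previous run (the "known users" list)
    app_users  -- users currently holding a role on the Canvas App
    list_users -- users currently holding permission on the SharePoint list
    """
    base, app, lst = _norm(baseline), _norm(app_users), _norm(list_users)

    # In the baseline but missing on one side: access was removed there.
    # Assumption: removal wins, so it is propagated instead of re-granted.
    revoked = {u for u in base if u not in app or u not in lst}

    # On either side but not in the baseline: newly shared since the last run.
    added = (app | lst) - base

    target = (base - revoked) | added
    return {
        "grant_on_list": sorted(target - lst),
        "grant_on_app": sorted(target - app),
        "revoke_on_list": sorted(revoked & lst),
        "revoke_on_app": sorted(revoked & app),
        "new_baseline": sorted(target),
    }


# Constructed sample data (example.com addresses are placeholders).
BASELINE = ["ann@example.com", "bob@example.com", "cara@example.com"]
APP_NOW = ["Ann@example.com", "bob@example.com", "dev@example.com"]
LIST_NOW = ["ann@example.com", "bob@example.com", "cara@example.com",
            "eli@example.com"]

if __name__ == "__main__":
    for action, users in reconcile(BASELINE, APP_NOW, LIST_NOW).items():
        print(f"{action}: {users}")
```

Without the baseline, a plain union of both sides would grant the app back to a user whose app access had just been removed, which is why the stored list of known users matters for the sync.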