Showing results for 
Search instead for 
Did you mean: 
Helper III
Helper III

Understanding Custom Environments and Security roles

I've been trying to understand how Power Apps environments and security roles work. I'd welcome any commentary/sanity check  upon this strategy:


We've initially create 3 new environments: dev, test and prod for "approved" apps.
All have a CDS and individual security group


My intention is to:

add all users to prod but only with a security role which allows the running of apps: CDS user

add users as required to dev and test environments but the former users have the "Environment Maker" role, to allow the creation of apps in dev and the latter only have the "CDS User" role

To do this, it appears that I have to add the users first to the relevant security groups, thus making them enabled, then allocate the security roles


Obviously there is more than just this but if someone could confirm that this is an appropriate method and correct procedure, this would be really helpful.


Presumably the same approach should be taken with corporate Flows?


Thanks Bill

Community Support
Community Support

Hi @BillYoung-arm ,

You not only could assign security role to a single user one by one, but also could assign security role to a security group.

Then all the users in the security group will have this permission.

What's more, if you want to assign security role to a security group, you need to create a security group.

Now let me explain how to assign permission of environment:

1)login in power platform:

2)choose the environment that you want

3)create a security role


 4)if you want to assign role to a single person, choose this:



if you want to assign role to a whole group, choose this:


5)If you choose "users", just select the user that you want, choose "manage role". 




If you choose "teams", firstly you need to create a security group.


 choose all the users that you want to assign roles, make them in the same group.

After you create security group successfully, assign role to this group.




Best regards,


Community Support Team _ Phoebe Liu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Thanks Phoebe

The problem appears to be that new users added to the already linked Security group aren't displaying in the "Users" list, despite being added 24 hours ago.

I can see the user in the SG in the M365 Admin Center, has an E5 licence and that the SG is linked to the environment, so this doesn't seem to make sense. Perhaps there's something else that needs to be done?

Any advice would be great

Cheers Bill


Hi all!

Following a Christmas break, I'm still trying to pursue an understanding of custom environments

As mentioned previously, I’m trying to create a custom Power Apps Production environment in which all of our staff can view and run apps from, yet they don’t have any maker rights to amend those apps. We additionally will have custom Test and Dev environments to support this.

I now believe that I have to create the custom environment without a Security group. It seems SGs can't be nested. Adding "Everyone" didn't work but creating one without an SG, added all tenancy users as "Enabled users" to the environment.

As they were subseqently all also members of the Team and "Business Unit" I thought that this would solve my problem. I then created a “min priv apps use” Role (as shown here: and assigned both this and the CDS user roles to the Team (I believe that only the first one should necessary).


My Dynamics colleagues tell me that this is usual, as the Enabled Users inherit the roles from the Team they are a member of, even though this isn’t apparent on their individual records. However, when tested, I would then expect that all “Enabled Users” are able to see that custom environment listed in their Power Apps studio. This isn’t the case


At the moment, I believe that I’ve tried every possible configuration. However, I’m not clear if:

a/ I’m trying to create an inappropriate environment configuration or

b/ I’m doing something wrong in the creation/set up


With regard to a/:

Can anyone confirm that this is a common approach and configuration?

If so, could you outline the steps to achieve this?

If you have other comments or suggestions, that would be great also

Thanks again all

Helpful resources

Power Apps News & Annoucements carousel

Power Apps News & Announcements

Keep up to date with current events and community announcements in the Power Apps community.

Community Call Conversations

Introducing the Community Calls Conversations

A great place where you can stay up to date with community calls and interact with the speakers.

Power Apps Community Blog Carousel

Power Apps Community Blog

Check out the latest Community Blog from the community!

Users online (2,910)