In our organization we wanted to try the guest sharing functionality in PowerApps and Flow, as described in the following article:
But what we encountered a different behavior as expected, while sharing Apps to guest in our tenant.
Here is a description of our test:
So since opening the very same App was possible with multiple other accounts on the same tenant. The App seems not to be broken, rather it seems to be there is an issue with the guest access or licensing.
Our first request here would be:
If the user did not have rights to open the app, an according error message shall be displayed.
We tested all this with different Accounts on different tenants with and without a license.
We are guessing here, but it seems like each guest needs to have a Microsoft tenant with a PowerApps and Flow license to access any other PowerApps and Flow in any other tenant, where he might be a guest.
In our opinion this limits any kind of collaboration planned with our customer, since we can’t expect guest to have a Microsoft tenant or even Licenses for PowerApps and Flow.
So, is this guess correct? That means a guest needs to have a valid license on their own tenant?
Is this the expected behavior, in your point of view?
Solved! Go to Solution.
I'm still experiencing the issue.
1. I created a guest account for a private e-mail for testing purposes.
2. I granted this account access to the PowerApp and the SharePoint Site and Libraries which the app connects to.
3. I assigned a PowerApps Plan 2 Trial license via Azure Active Directory to the account. [ <--- Does this even work? ]
4. Copied the link, logged in with the guest account to our tenant. Pasted the link.
Still experiencing this beaviour:
The app is using a Flow. So do I maybe have to assign a Flow license additionally?
Is it true that...
- a guest in our tenant needs to have a O365/PowerApps P1/PowerApps P2 license assigned in THEIR OWN tenant
- a guest in our tenant needs to have a O365/PowerApps P1/PowerApps P2 license assigned in OUR tenant
...in order to use a (standalone) app hosted at our tenant?
May this be the reason for the behaviour we're seeing with the guest opening the app?
Hi, @simb55 .
Whatever license is required to run the app by an internal user in the tenant must be assigned to the user in either their home or guest tenant. For instance, if the app only requires the PowerApps Included with Office license, then it's fine if the user has that license assigned in either their home or the guest tenant.
Yes, assigning a license in https://portal.azure.com in the Azure Active Directory blades works.
If you're available for a ~30 minute call, would you mind sending me a private message with a handful of times that you're available?
we are still investigating into this issue.
We cretaed a guest user for an account, that has an E5-license asigned in his own tenant and added this user to a security group. We gave this group access to both, the SharePoint site where we embedded our app and the app itself.
The user is now able to log into our organizations Office 365 and also to open the SharePoint site, that we gave access to.
When opening the app, however, an error still occurs:
"You do not have a valid Power Apps-plan. For access to Power Apps you will need a Power Apps-plan, assigend to you BY YOUR OWN ORGANIZATION or the organization that you are a guest in."
As mentioned above, this user hold an E5-license in his own tenant, which includes the 'PowerApps for Office 365' permissions. I do not understand, why he is not able to open the app.
Adding my 5c.
When inviting guest users in through the azure portal, an email is sent to the guest user. For the best experience, get the guest user to open the invitation link and sign in. Once the the guest user has signed in, they shouldn't have the unexpected behavior when opening the app.
So the key thing to take away here. Get the guest user to sign in first via the invitation email.
What's really going to bug you later is the fact that guest users cant see the app listed on their mobile devices.
Hello @Raynok1 ,
unfortunately, this does not work out for me.
I just tested this for our use case. Here is what I did:
- Created a new user in the external tenant and gave him a E5 license
- Invited the external user via our organizations Azure AD
- Logged in as the guest user to the external tenant, opened the invitation mail and klicked the link/accepted the invitation
- Gave permissions to the external user to acces the app via PowerApps -> MyApp -> Share
- Tried to open the app as the guest user
--> Still the same old error. >You need a PowerApps-Plan to open this app<
alaugMFST stated in a private message, that this would be a bug on Microsofts side and that they would be aware of it and are working on it actively.
Our workaround right now is, that we export an app to the tenant of the guest user(s) that we want to use our app, that includes a single Button that triggers the Launch() function OnSelect and links to our app. We advise those users, to navigate to our app this way.
That is, because everything works just fine, once the target guest user started/built an app in his home tenant.
Okay, Process of elimination.
1.) Duplicate the app in the tenant hosting the app.
2.) Remove the flow connection and associated buttons, etc.
3.) Publish the duplicated app and share it with the external user.
4.) If the problem persists then remove the SharePoint connection. Repeat step 3.
5.) If the problem persists then create a new app with no connections and complete step 3.
6.) If it works then add one connection at a time with step 3 to test.
Note for step 6, maybe its related to the security group. Instead assign the guest user directly, without the security group.
Are you using Online SharePoint or on premise SharePoint as your app source?
Sorry, I know its lengthy.
PS. Thank you for the tip, "Launch button pointing to the intended app", didn't think of that. Nice.
Hi again, thanks for your reply and effort,
I have done all the steps, but unfortunately it does not even work for thefreshly created, blank PowerApp.
Unless the external user opened/created an app in his own tenant first. Then it all works nice and easy.
You mentioned that they have to open a Powerapp that has a launch button that opens the external app. So technically they opened an internal Powerapp before attempting to opening the external Powerapp via the launch button. (Sounds like some AD attributes being applied in the background and we'll never know if its done first either by opening apps or when closing an app or creating an app first)
Could even be time period between account creation and attempting to to open the external app. Is there a time to sync attributes thing in the background. Maybe your workaround fast tracks it all. The rabbit hole of note.
This would also bug me, least you have a workaround.