cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict users from creating PowerApps in default environment

As it has been described in the Environments Overview article, "Whenever a new user signs up for PowerApps, they are automatically added to the Maker role of the default environment". Which gives all the users the authority to create apps in this default environment and the admin literally has no way to restrict users from doing so. Which can be a nightmare in bigger enterprises from governance prespective.

 

Like in all other environments,the admin should have power to grant or restrict users App Maker role in default environment as well.

Status: Declined

Unfortunately maker restrictions in the default environment would/could negatively impact other services which depend on that environment such as integrations with SharePoint Online.

 

Additional comments on this topic were made by Manas at our webinar here:

https://www.youtube.com/watch?v=9Sy_vT5kIts 

 

Thank you for your patience, as we work to entend capabilities and governance across environments.

 

Audrie

Comments
Level: Powered On

This is so very frustrating. I agree with a comment above that this is one of the most exciting products or tools that Microsoft has developed and this restriction absolutely kills our ability to use this product. I urge you to reconsider and develop some clear lines between app creation and consumption.

Level 8

I would have to agree with Microsoft on this. Yes, we have to be proactive in monitoring the environment and the tools to do that...are a bit lacking. So I created my own PowerApp to manage PowerApps, Flows, Environments, etc.

Now people might say, why? Seems like a lot of work to do all of that. Ok, well let's reverse it. Lets block everyone and require them to request access. Ok, so then we need to build a system to request access to make a PowerApp. Seems like a lot of work to allow people to customize a SharePoint list. So then people might say, let's only allow SharePoint list forms to be created! Well when they create a SharePoint List app, they can still connect to any data source...

So instead of trying to block people, I am monitoring. I have over 345 apps created at our organization in 6 months. How many are shared with anyone? 32. How many are shared with more than 10 people? 5. Seems to be a pretty low risk to me so far. I have a flow that sends me an email with all of the new Flows and PowerApps created weekly. I also check Flow runs weekly, found one last week that ran 1.25 million times in 11 days, so I granted myself access and disabled it. Reviewed it, told the user how to fix it. I talked with our Global Security team and we decided that for now, only apps shared with more than 15 users (which we can change that number later on) will we be concerned with at this time. Those apps will require a design document, acceptance of our data usage and security policy, approval from their manager, and finally approval from our team. There will be a full Application LifeCycle Management system in place that our team will build to ensure critical apps are built following best practices, our guidelines, and in a supportable fashion by the developer and IT.

 

Our organization has over 15k+ people, so we are not a small company. PowerApps empowers users to update simple forms in SharePoint with additional custom logic and possibly data from other locations. IT needs to quit being the road-block to the business, instead figure out the best way to empower them. Otherwise rogue IT will occur because your users are disgruntled. They now see us as a bureacracy of red tape that slows everything down.

 

Think outside the box, instead of saying "No", figure out a way to say "Yes".

 

*Gets off soap-box*

 

 

Level: Power Up

@Hayes3dcan you provide additional documentation on how you've set up your monitoring solution?  I work for a global company of about 150k users and we are currently planning our O365 rollout.  I would love to allow our users to utilize PowerApps, but I can see the concerns of the other commenters.

Level 8

@GaryJ I highly recommend the following solution created by Microsoft: https://powerapps.microsoft.com/en-us/blog/introducing-the-powerapps-center-of-excellence-starter-ki...

 

I have deprecated my custom solution in favor of theirs as I believe most people will be using it. Less work for me to tweak things than make this from scratch by myself.

It will create custom entities in CDS and then a PowerBI report can pull from it to display the data. Super helpful to get a 5,000 foot view of the environment and then you can drill down into the information if needed. There is a Managed Solution which you cannot modify most of it and an Un-Managed Solution that you can modify, but any changes would get over-written if there was an update that you tried to push into it.

 

I have modified the canvas apps and entities for additional requirements that I have so I will have to always update it manually in the future. Not a big deal, I like digging into things and tweak them to exactly what we need.

Level: Powered On

Any chance Microsoft will be reconsidering their stance on this?  In the GCC, we need tighter controls over ability to create new apps and flows... especially since you cannot remove connectors.  Although we have governance in the D365 and CDS custom instances, that governance is essentially useless if users are able to bypass their custom environment security roles in the default environment.

 

for example:

we don’t allow any users (except specific, privileged users) to create new apps in D365.  However, general user can go to default environment and create a Flow or PowerApp to the D365 environment using CDS connector....bypassing our D365 security model.  

 

We can’t roll out PowerApps and Flow until we can provide governance, and the default environment seems be anti-governance.