Should internal users NOT use the Portal forms the customers use?
In Power Pages, we are offering Multistep Forms to customers. I was planning to incorporate the response forms (approve, reject, etc. etc.) for our employees right there in the Power Pages forms. Everything secured with Web Roles, and employees logging in with their existing Azure AD accounts. My colleague says this is a bad approach, for security reasons, and that we must develop a Model-Driven Powerapp for the employees to approve/reject submissions, etc.
The sample Power Pages sites, such as the Building Permit Application sample, all use the Portal pages approach -- portal forms for both employees and customers. Am I missing something? Do we really need to build separate new PowerApps for our employees?
The choice is yours as long as the users are appropriately licenced. The Security Model that is applied via Web Roles is different to the Security Roles in Dataverse and as such you may need to be more careful and also implement additional logic so you are capturing the user who is making changes etc as part of the transactions (e..g you when you look at the Audit history you know who made the changes, as the create/update user will show as SYSTEM).