Share a canvas app with your organization
After you build a canvas app that addresses a business need, specify which users in your organization can run the app and who can modify and even re-share it. Specify each user by name, or specify a security group in Azure Active Directory (Azure AD). If everyone would benefit from your app, specify that your entire organization can run it.
For a shared app to function as you expect, you must also manage permissions for the data source or sources on which the app is based, such as Microsoft Dataverse or Excel. You might also need to share other resources on which the app depends, such as flows, gateways, or connections.
Give your app a meaningful name and a clear description, so that people know what your app does and they can easily find it in a list. Select Settings > specify a name, and then enter a description.
Whenever you make changes, you must save and publish the app again if you want others to see those changes.
Share an app
Sign in to Power Apps.
On the left pane, select Apps.
Select the app that you want to share by selecting its icon.
On the command bar, select Share.
Select More Commands (...), and then select Share from the drop-down menu.
Specify by name or alias the users or security groups in Azure AD with whom you want to share the app.
To allow your entire organization to run the app (but not modify or share it), enter Everyone in the sharing panel. Users will be able to find this app by setting the apps list filter to "Org apps".
You can share an app with a list of aliases, friendly names, or a combination of those (for example, Meghan Holmes <firstname.lastname@example.org>) if the items are separated by semicolons. If several people have the same name but different aliases, the first person found will be added to the list. A tooltip appears if a name or alias already has permission or can't be resolved.
You can't share an app with a distribution group in your organization or with a group outside your organization.
If you want to allow users to edit and share the app, select the Co-owner check box.
In the sharing UI, you can't grant Co-owner permission to a security group if you created the app from within a solution. However, its possible to grant co-owner permission to a security group for apps in a solution by using the Set-PowerAppRoleAssignment cmdlet.
Regardless of permissions, no two people can edit an app at the same time. If one person opens the app for editing, other people can run it but not edit it.
If your app connects to data for which users need access permissions, specify security roles as appropriate.
For example, your app might connect to a table in a Dataverse database. When you share such an app, the sharing panel prompts you to manage security for that table.
For more information about managing security for a table, go to Manage table permissions.
If your app uses connections to other data sources—such as an Excel file hosted on OneDrive for Business—ensure that you share these data sources with the users you shared the app with.
For more information about sharing canvas app resources and connections, go to Share canvas app resources.
If you want to help people find your app, select the Send an email invitation to new users check box.
At the bottom of the share panel, select Share.
If you sent an email invitation, users can also run the app by selecting the link in the invitation email:
- If a user selects the link on a mobile device, the app opens in Power Apps Mobile.
- If a user selects the link on a desktop computer, the app opens in a browser.
Co-owners who receive an invitation get another link that opens the app for editing in Power Apps Studio.
To change permissions for a user or a security group
- To allow co-owners to run the app but no longer edit or share it, clear the Co-owner check box.
- To stop sharing the app with that user or group, select the Remove (x) icon.
Security group considerations
All existing members of the security group inherit the app permissions. New users joining the security group will inherit the security group permissions on the app. Users leaving the group will no longer have access through that group, but those users can continue to have access either by having permissions assigned to them directly or through membership in another security group.
Every member of a security group has the same permissions for an app as the overall group does. However, you can specify greater permissions for one or more members of that group to allow them greater access. For example, you can give Security Group A permission to run an app. And then, you can also give User B, who belongs to that group, Co-owner permission. Every member of the security group can run the app, but only User B can edit it. If you give Security Group A Co-owner permission and User B permission to run the app, that user can still edit the app.
Share an app with Microsoft 365 groups
You can share an app with Microsoft 365 groups. However, the group must have security enabled. Enabling security ensures that the Microsoft 365 group can receive security tokens for authentication to access apps or resources.
To check whether a Microsoft 365 group has security enabled
Ensure that you have access to the Azure AD cmdlets.
Go to Azure portal > Azure Active Directory > Groups, select the appropriate group, and then copy the Object Id.
Connect to Azure AD by using the
Get the group details by using
Get-AzureADGroup -ObjectId <ObjectID\> | select *.
In the output, ensure that the property SecurityEnabled is set to True.
To enable security for a group
If the group isn't security-enabled, you can use the PowerShell cmdlet Set-AzureADGroup to set the SecurityEnabled property to True:
Set-AzureADGroup -ObjectId <ObjectID> -SecurityEnabled $True
You must be the owner of the Microsoft 365 group to enable security. Setting the SecurityEnabled property to True doesn't affect how Power Apps and Microsoft 365 features work. This command is required because the SecurityEnabled property is set to False by default when Microsoft 365 groups are created outside of Azure AD.
Manage table permissions for Dataverse
If you create an app based on Dataverse, you must also ensure that the users you share the app with have the appropriate permissions for the table or tables used by the app. Particularly, those users must belong to a security role that can do tasks such as creating, reading, writing, and deleting relevant records. In many cases, you'll want to create one or more custom security roles with the exact permissions that users need to run the app. You can then assign the role to each user as appropriate.
- You can assign security roles to individual users and security groups in Azure AD, but not to Microsoft 365 groups.
- If a user isn't in the Dataverse root business unit, you can share the app without providing a security role, and then set the security role directly.
To assign a role, you must have System administrator permissions for a Dataverse database.
To assign a security group in Azure AD to a role
In the sharing panel under Data permissions, select Assign a security role.
Select the Dataverse roles that you want to apply to the selected Azure AD users or groups.
When you share an app that's based on an older version of Dataverse, you must share the runtime permission to the service separately. If you don’t have permission to do this, see your environment administrator.
Submit and view feedback for