Responding to Data Subject Rights (DSR) requests to export Power Apps customer data

The "right of data portability" allows a data subject to request a copy of his or her personal data in an electronic format (that is, a structured, commonly used, machine readable and interoperable format) that may be transmitted to another data controller:

Below is a summary of the types of personal data that Power Apps can store for a specific user and which experiences you can use to find and export it.

Resources containing personal data Website access PowerShell access
Environment Power Apps Admin center Power Apps cmdlets
Environment permissions** Power Apps Admin center Power Apps cmdlets
Canvas App Power Apps Admin center
Power Apps Portal
Power Apps cmdlets
Canvas App permissions Power Apps Admin center
Power Apps Portal
Power Apps cmdlets
Gateway Power Apps Portal*** On-premises gateway cmdlets
Gateway permissions Power Apps Portal***
Custom connector App creator: Available
Admin: Available
Custom connector permissions App creator: Available
Admin: Available
Connection App creator: Available
Admin: Available
Connection permissions App creator: Available
Admin: Available
Power Apps user settings, user-app settings, and notifications App creator: Available
Admin: Available

** With the introduction of Common Data Service, if a database is created within the environment, environment permissions and model-driven app permissions are stored as records within the Common Data Service database environment. For guidance on how to respond to DSR requests for users that use Common Data Service, see Responding to Data Subject Rights (DSR) requests for Common Data Service customer data.

*** An administrator can access these resources from the Power Apps portal only if the owner of the resource has explicitly granted him or her access. If the administrator has not been granted access, he or she will need to leverage the Power Apps Admin PowerShell cdmlets.

Prerequisites

For users

Any user with a valid Power Apps license can perform the user operations outlined in this document using the Power Apps portal or App creator cmdlets.

For admins

To perform the administration operations outlined in this document using the Power Apps Admin center, Power Automate Admin Center, or Power Apps Admin PowerShell cdmlets, you'll need the following:

Step 1: Export personal data contained within environments created by the user

Power Apps Admin center

Administrators can export all environments created by a specific user from the Power Apps Admin center by following these steps:

  1. From the Power Apps Admin center, select each environment in your organization.

    Admin Center Landing Page

  2. If the environment was created by the user from the DSR request, go to the Details page, copy the details, and then paste them into a document editor, such as Microsoft Word.

    Environment details

PowerShell cmdlets for app creators

Users can export the environments they have access to in Power Apps by using the Get-PowerAppsEnvironment function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-PowerAppsEnvironment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins

Administrators can export all of the environments that have been created by a user by using the Get-AdminEnvironment function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "7557f390-5f70-4c93-8bc4-8c2faabd2ca0"
Get-AdminEnvironment -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 2: Export the user's environment permissions

Users can be assigned permissions (such as Environment Admin, Environment Maker, etc.) in an environment, which are stored in Power Apps as a role assignment. With the introduction of Common Data Service, if a database is created within the environment, the role assignments are stored as records within the Common Data Service database environment. For more information, see Administer environments within Power Apps.

For environments without a Common Data Service database

Power Apps Admin center

Administrators can export a user's environment permissions from the Power Apps Admin center by following these steps:

  1. From the Power Apps Admin center, select each environment in your organization. You must be an Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to review all environments created within your organization.

    Admin Center Landing Page

  2. Select Security.

    If your environment does not have a Common Data Service database, you'll see a section for Environment Roles.

  3. Select both Environment Admin and Environment Maker separately, and then using the search bar, search for the user's name.

    Environment roles page

  4. If the user has access to either role, go to the Users page, copy the details, and then paste them into a document editor, such as Microsoft Word.

PowerShell cmdlets for admins

Administrators can export all environment role assignments for a user across all environments without a Common Data Service database by using the Get-AdminEnvironmentRoleAssignment function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminEnvironmentRoleAssignment -UserId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Important

This function only works for environments that do not have a Common Data Service database environment.

For environments with a Common Data Service database

With the introduction of the Common Data Service, if a database is created within the environment, role assignments are stored as records within the Common Data Service database environment. For information on how to remove personal data from a Common Data Service database environment, see Common Data Service User personal data removal.  

Step 3: Export personal data contained within canvas apps created by the user

Power Apps portal

A user can export an app from the Power Apps portal. For step-by-step instructions on how to export a canvas app, see Exporting a canvas app.

Power Apps Admin center

An administrator can export apps created by a user starting from the Power Apps Admin center by following these steps:

  1. From the Power Apps Admin center, select each environment in your organization. You must be an Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to review all environments created within your organization.

    Admin Center Landing Page

  2. Select Resources, and then select Apps.

  3. Using the search bar, search for the user's name, which brings up any apps that user created within this environment:

    Search apps

  4. Select Share for each of the apps created by that user and give yourself Can edit access to the app:

    Select app share

    Give a user access

  5. Once you have access to each of the user's apps you can export a canvas app from the Power Apps portal. For step-by-step instructions on how to export an app, see Exporting a canvas app.

PowerShell cmdlets for admins

Administrators can export apps created by a user by using the Get-AdminApp function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminApp -Owner $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 4: Export the user's permissions to canvas apps

Whenever an app is shared with a user, Power Apps stores a record called a role assignment that describes the user's permissions (CanEdit or CanUser) to the application. For more information, see Share an app.

PowerShell cmdlets for app creators

Users can export the app role assignments for all apps that they have access to by using the Get-RoleAssignment function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-AppRoleAssignment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Power Apps Admin center

Administrators can export app roles assignments for a user from the Power Apps Admin center by following these steps:

  1. From the Power Apps Admin center, select each environment in your organization. You must be an Microsoft 365 Global admin or an Azure Active Directory Global Administrator to be able to review all environments created within your organization.

    Admin Center Landing Page

  2. For each environment, select Resources, and then select Apps.

  3. Select Share for each of the apps in the environment.

    Select share

  4. If the user has access to the app, go to the app's Share page, copy the details, and then paste them into a document editor, such as Microsoft Word.

    Admin app share page

PowerShell cmdlets for admins

Administrators can export all app role assignments for a user across all apps in their tenant by using the Get-AdminAppRoleAssignment function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminAppRoleAssignment -UserId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 5: Export personal data contained within connections created by the user

Connections are used in conjunction with connectors when establishing connectivity with other APIs and SaaS systems. Connections include references to the user who created them and, as a result, can be deleted to remove any references to the user.

PowerShell cmdlets for app creators

Users can export all of the connections they have access to by using the Get-Connection function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-Connection | ConvertTo-Json | out-file -FilePath "UserDetails.json"

PowerShell cmdlets for admins

Administrators can export all connections created by the user using the Get-AdminConnection function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnection -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 6: Export the user's permissions to shared connections

PowerShell cmdlets for app creators

Users can export the connection role assignments for all connections that they have access to by using the Get-ConnectionRoleAssignment function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-ConnectionRoleAssignment | ConvertTo-Json | Out-file -FilePath "UserDetails.json"

PowerShell cmdlets for admins

Administrators can export all connection role assignments for a user using the Get-AdminConnectionRoleAssignment function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnectionRoleAssignment -PrincipalObjectId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 7: Export personal data contained within custom connectors created by the user

Custom Connectors supplement the existing out-of-box connectors and allow for connectivity to other APIs, SaaS, and custom-developed systems.

Power Apps App creator PowerShell cmdlets

Users can export all custom connectors they've created by using the Get-Connector function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount  
Get-Connector -FilterNonCustomConnectors | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins

Administrators can export all custom connectors created by a user using the Get-AdminConnector function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnector -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 8: Export the user's permissions to custom connectors

PowerShell cmdlets for app creators

Users can export all connector role assignments for the custom connectors to which they have access by using the Get-ConnectorRoleAssignment function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount  
Get-ConnectorRoleAssignment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins

Administrators can export all custom connector role assignments for a user using the Get-AdminConnectorRoleAssignment function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnectorRoleAssignment -PrincipalObjectId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 9: Export Power Apps Notifications, User Settings, and User-App Settings

Power Apps sends several types of notifications to users, including when an app is shared with them and when a Common Data Service export operation has completed. A user's notification history is visible to them within the Power Apps portal.

Power Apps also stores several different user preferences and settings that are used to deliver the Power Apps runtime and portal experiences, including when a user last opened an application, pinned an app, etc.

PowerShell cmdlets for app creators

Users can export their own Power Apps notifications, user settings, and user-app settings using the Get-AdminPowerAppsUserDetails function in the Power Apps App creator PowerShell cmdlets:

Add-PowerAppsAccount  
Get-AdminPowerAppsUserDetails -WriteToFile -OutputFilePath "UserDetails.json"

PowerShell cmdlets for admins

Administrators can export the Power Apps notifications, user settings, and user-app settings for a user using the Get-AdminPowerAppsUserDetails function in the Power Apps Admin PowerShell cdmlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminPowerAppsUserDetails -WriteToFile -OutputFilePath "UserDetails.json" -UserPrincipalName name@microsoft.com

Step 10: Export personal data contained for a user-stored gateway or in the user's gateway permissions

Power Apps Portal

Users can export the personal data stored within the gateway service from the Power Apps portal by following these steps:

  1. From the Power Apps portal, within the default environment for your tenant, select Gateways, and then select Details for each gateway to which you have access.

    Gateway landing page

  2. On the Details page, if the gateway details contain any personal data, copy the details, and then paste them into a document editor, such as Microsoft Word.

    Gateway details

  3. Select Share, copy the contents of the page, and then paste it into a document editor, such as Microsoft Word.

    Select Share

Gateway PowerShell cmdlets

There are also PowerShell cmdlets that allow you to retrieve, manage, and delete your personal gateways. For more information, see On-premises gateway cmdlets.

Administrators

See What is an on-premises data gateway? for guidance around managing gateways for your organization.

Step 11: Export the user's personal data in Power Automate

Power Apps licenses always include Power Automate capabilities. In addition to being included in Power Apps licenses, Power Automate is also available as a standalone service. For guidance on how to respond to DSR requests for users that use the Power Automate service, see Responding to GDPR Data Subject Requests for Power Automate.

Important

We recommend that administrators complete this step for Power Apps users.

Step 12: Export the user's personal data in Common Data Service environments

Anyone with a Power Apps license, provided there is 1GB available database capacity, can create Common Data Service environments and create and build apps on Common Data Service; this includes the Power Apps Community Plan, which is a free license that allows users to try out Common Data Service in an individual environment. To see which Common Data Service capabilities are included in each Power Apps license, see the Power Apps Pricing page.

For guidance on how to respond to DSR requests for users that use Common Data Service, see Responding to Data Subject Rights (DSR) requests for Common Data Service customer data.

Important

We recommend that administrators complete this step for Power Apps users.