PowerShell support for Power Apps

With PowerShell cmdlets for app creators and administrators, you can automate many of the monitoring and management tasks that are only possible manually today in Power Apps.

Cmdlets

Cmdlets are functions written in PowerShell script language that execute commands in the Windows PowerShell environment. Running these Power Apps cmdlets will allow you to interact with your Business Application Platform without having to go through the admin portal in a web browser. You can combine these cmdlets with other PowerShell functions to write complex scripts that can optimize your workflow. Note that you can still use the cmdlets if you're not an admin on the tenant, but you will be limited to the resources you own. Cmdlets that start with the word 'Admin' are designed to be used by an administrative user account.

Cmdlets are available on the PowerShell gallery as two separate modules:

For information on the Power Apps admin module, see Get started using the Power Apps admin module and Microsoft.PowerApps.Administration.PowerShell.

Note

Regarding Dynamics 365 Government Community Cloud (GCC) level 2 support:

The default endpoint is "prod". If a user wants to run a PowerShell script targeting a GCC environment, the -Endpoint parameter needs to be changed to "usgov" for GCC Moderate, or "usgovhigh" for GCC High, or "dod" for GCC DOD.

Add-PowerAppsAccount -Endpoint "usgov" 

Requirements

PowerShell in this topic requires PowerShell version 5.x. To check the version of PowerShell running on your machine, run the following command:

$PSVersionTable.PSVersion

If you have an outdated version, see Upgrading existing Windows PowerShell.

Important

The modules described in this document, use .NET Framework. This makes it incompatible with PowerShell 6.0 and later, which uses .NET Core.

Installation

To run the PowerShell cmdlets for app creators, do the following:

  1. Run PowerShell as an administrator.

    Run PowerShell as an administrator.

  2. Import the necessary modules using the following commands:

    Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
    Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber
    

    Alternatively, if you don't have admin rights on your computer, you can use the following to use these modules:

    Save-Module -Name Microsoft.PowerApps.Administration.PowerShell -Path
    Import-Module -Name Microsoft.PowerApps.Administration.PowerShell
    Save-Module -Name Microsoft.PowerApps.PowerShell -Path
    Import-Module -Name Microsoft.PowerApps.PowerShell
    
  3. If you are prompted to accept the change to InstallationPolicy value of the repository, accept [A] Yes to all modules by typing 'A' and pressing Enter for each module.

    Accept InstallationPolicy value.

  4. Before accessing any of the commands, you have the option to provide your credentials using the following command. These credentials are refreshed for up to ~8 hours before you're required to sign in again to continue using the cmdlets.

    # This call opens prompt to collect credentials (Azure Active Directory account and password) used by the commands 
    Add-PowerAppsAccount
    
    # Here is how you can pass in credentials (avoiding opening a prompt)
    $pass = ConvertTo-SecureString "password" -AsPlainText -Force
    Add-PowerAppsAccount -Username user@contoso.com -Password $pass
    

Power Apps cmdlets for app creators

Prerequisite

Users with a valid Power Apps license can perform the operations in these cmdlets, but they will only have access to the resources (for example, apps, flows, etc.) that have been created or shared with them.

Cmdlet list - Maker Cmdlets

Note

We have updated some of the cmdlets function names in the latest release in order to add appropriate prefixes to prevent collisions. See the table below for an overview of what has changed.

Purpose Cmdlet
Add a canvas app to a Microsoft Dataverse solution Set-PowerAppAsSolutionAware
Read environments Get-PowerAppEnvironment (previously Get-PowerAppsEnvironment)
Get-FlowEnvironment
Read, update, and delete a canvas app Get-PowerApp (previously Get-App)
Remove-PowerApp (previously Remove-App)
Publish-PowerApp (previously Publish-App)
Set-AppDisplayName (previously Set-PowerAppDisplayName)
Get-PowerAppVersion (previously Get-AppVersion)
Restore-PowerAppEnvironment (previously Restore-AppVersion)
Read, update, and delete canvas app permissions Get-AdminPowerAppRoleAssignment (previously Get-AppRoleAssignment)
Remove-AdminPowerAppRoleAssignment (previously Remove-AppRoleAssignment)
Read, update, and delete a flow Get-AdminFlow
Enable-AdminFlow
Disable-AdminFlow
Remove-AdminFlow
Read, update, and delete flow permissions Get-AdminFlowOwnerRole
Set-AdminFlowOwnerRole
Remove-AdminFlowOwnerRole
Read and respond to flow approvals Get-AdminFlowApprovalRequest
Remove-AdminFlowApprovals
Read and delete connections Get-AdminPowerAppConnection (previously Get-Connection)
Remove-AdminPowerAppConnection (previously Remove-Connection)
Read, update, and delete connection permissions Get-AdminPowerAppConnectionRoleAssignment (previously Get-ConnectionRoleAssignment)
Set-AdminPowerAppConnectionRoleAssignment (previously Set-ConnectionRoleAssignment)
Remove-AdminPowerAppConnectionRoleAssignment (previously Remove-ConnectionRoleAssignment)
Read, and delete connectors Get-AdminPowerAppConnector (previously Get-Connector)
Remove-AdminPowerAppConnector (previously Remove-Connector)
Add, read, update, and delete custom connector permissions Get-AdminPowerAppConnectorRoleAssignment (previously Get-ConnectorRoleAssignment)
Get-PowerAppConnectorRoleAssignment (previously Set-ConnectorRoleAssignment)
Remove-PowerAppConnectorRoleAssignment (previously Remove-ConnectorRoleAssignment)
Read, add, and remove policy URL patterns Get-PowerAppPolicyUrlPatterns
New-PowerAppPolicyUrlPatterns
Remove-PowerAppPolicyUrlPatterns
Read, register, and remove management apps Get-PowerAppManagementApp
Get-PowerAppManagementApps
New-PowerAppManagementApp
Remove-PowerAppManagementApp
Read, create, update, and import protection keys Get-PowerAppRetrieveAvailableTenantProtectionKeys
Get-PowerAppGenerateProtectionKey
Get-PowerAppRetrieveTenantProtectionKey
New-PowerAppImportProtectionKey
Set-PowerAppTenantProtectionKey

Power Apps cmdlets for administrators

For information on Power Apps cmdlets for admins, see Get started with PowerShell for Power Platform Administrators

Tips

  • Use Get-Help 'CmdletName' to get a list of examples.

    Get-Help command.

  • To cycle through the possible options for input tags, click on the tab key after typing out the dash (-) character, after the cmdlet name.

Example commands:

Get-Help Get-AdminPowerAppEnvironment
Get-Help Get-AdminPowerAppEnvironment -Examples
Get-Help Get-AdminPowerAppEnvironment -Detailed

Operation examples

Below are some common scenarios that show how to use new and existing Power Apps cmdlets.

Environments commands

Use these commands to get details on and update environments in your tenant.

Display a list of all environments

Get-AdminPowerAppEnvironment

Returns a list of each environment across your tenant, with details of each (e.g., environment name (guid), display name, location, creator, etc).

Display details of your default environment

Get-AdminPowerAppEnvironment –Default

Returns the details for only the default environment of the tenant.

Display details of a specific environment

Get-AdminPowerAppEnvironment –EnvironmentName 'EnvironmentName'

Note: The EnvironmentName field is a unique identifier, which is different from the DisplayName (see first and second fields in the output in the following image).

Get-AdminEnvironment command.

Power Apps commands

These operations are used to read and modify Power Apps data in your tenant.

Display a list of all Power Apps

Get-AdminPowerApp

Returns a list of all Power Apps across the tenant, with details of each (e.g., application name (guid), display name, creator, etc).

Display a list of all Power Apps that match the input display name

Get-AdminPowerApp 'DisplayName'

Returns a list of all the Power Apps in your tenant that match the display name.

Note: Use quotation characters (") around input values that contain spaces.

Feature an application

Set-AdminPowerAppAsFeatured –AppName 'AppName'

Featured applications are grouped and pushed to the top of the list in the Power Apps mobile player.

Note: Like environments, the AppName field is a unique identifier, which is different from the DisplayName. If you want to perform operations based on the display name, some functions will let you use the pipeline (see next function).

Make an application a Hero app, using the pipeline

Get-AdminPowerApp 'DisplayName' | Set-AdminPowerAppAsHero

A Hero app will appear at the top of the list in the Power Apps mobile player. There can only be one Hero app.

The pipeline (represented as the '|' character between two cmdlets) takes the output of the first cmdlet and passes it as the input value of the second, assuming the function has been written to accommodate the pipeline feature.

Note: an app must already be a featured app before it is changed to a hero.

Display the number of apps each user owns

Get-AdminPowerApp | Select –ExpandProperty Owner | Select –ExpandProperty displayname | Group

You can combine native PowerShell functions with the Power Apps cmdlets to manipulate data even further. Here we use the Select function to isolate the Owner attribute (an object) from the Get-AdminApp object. We then isolate the name of the owner object by pipelining that output into another Select function. Finally, passing the second Select function output into the Group function returns a nice table that includes a count of each owner's number of apps.

Get-AdminPowerApp command.

Display the number of apps in each environment

Get-AdminPowerApp | Select -ExpandProperty EnvironmentName | Group | %{ New-Object -TypeName PSObject -Property @{ DisplayName = (Get-AdminPowerAppEnvironment -EnvironmentName $_.Name | Select -ExpandProperty displayName); Count = $_.Count } }

Get-AdminPowerApp environment.

Download Power Apps user details

Get-AdminPowerAppsUserDetails -OutputFilePath '.\adminUserDetails.txt' –UserPrincipalName 'admin@bappartners.onmicrosoft.com'

The above command will store the Power Apps user details (basic usage information about the input user via their user principal name) in the specified text file. It will create a new file if there is no existing file with that name, and overwrite the text file if it already exists.

Export a list of assigned user licenses

Get-AdminPowerAppLicenses -OutputFilePath '<licenses.csv>'

Exports all the assigned user licenses (Power Apps and Power Automate) in your tenant into a tabular view .csv file. The exported file contains both self-service sign up internal trial plans as well as plans that are sourced from Azure Active Directory. The internal trial plans are not visible to admins in the Microsoft 365 admin center.

The export can take a while for tenants with a large number of Microsoft Power Platform users.

Note

Output of the Get-AdminPowerAppLicenses cmdlet only includes licenses for users that have accessed Power Platform services (for example, Power Apps, Power Automate, or Power Platform admin center). Users that have had licenses assigned in Azure AD (typically via the Microsoft 365 admin center) but have never accessed Power Platform services will not have their licenses included in the generated .csv output. Furthermore, since the Power Platform licensing services caches the licenses, updates made to license assignments in Azure AD can take up to seven days to reflect in the output for users that haven't accessed the service recently.

Set logged in user as the owner of a canvas app

Set-AdminPowerAppOwner –AppName 'AppName' -AppOwner $Global:currentSession.userId –EnvironmentName 'EnvironmentName'

Changes the owner role of a PowerApp to the current user, and replaces the original owner as a "can view" role type.

Note: The AppName and EnvironmentName fields are the unique identifiers (guids), not the display names.

Display a list of deleted canvas apps in an environment

Get-AdminDeletedPowerAppsList -EnvironmentName 'EnvironmentName'

This displays all canvas apps that were recently deleted and may still be recovered.

Recover a deleted canvas app

Get-AdminRecoverDeletedPowerApp -AppName 'AppName' -EnvironmentName 'EnvironmentName'

This recovers a canvas app that is discoverable via Get-AdminDeletedPowerAppsList cmdlet. Any canvas app that isn't displayed in Get-AdminDeletedPowerAppsList isn't recoverable.

Designate SharePoint custom form environment

The following cmdlets can be used to specify and verify which environment SharePoint custom forms are saved to, instead of the default environment. When the designated environment for SharePoint custom forms changes, this is the environment where newly created custom forms are saved. Existing custom forms don't automatically migrate to different environments as these cmdlets are used. The ability for a user to create a custom form in a designated environment requires that user to have the Environment Maker role. Users can be granted the Environment Maker role in the Power Platform admin center.

Note, any environment which isn’t the default environment, can be deleted. If the designated SharePoint custom form environment is deleted the custom forms are deleted with it.

Get-AdminPowerAppSharepointFormEnvironment  

This returns the EnvironmentName for the environment currently designated for newly created SharePoint custom forms. If an environment has never been designated, the default environment is returned.

Set-AdminPowerAppSharepointFormEnvironment –EnvironmentName 'EnvironmentName' 

This designates the environment newly created SharePoint custom forms save to, instead of the default environment. Existing custom forms don't automatically migrate to the newly designated environment. Only production environments may be designated for SharePoint custom forms.

Reset-AdminPowerAppSharepointFormEnvironment  

This resets the default environment as the designated environment to save SharePoint custom forms.

Display tenant setting for ability to share apps with ‘Everyone’

$settings = Get-TenantSettings 
$settings.PowerPlatform.PowerApps.disableShareWithEveryone 

This setting controls whether users with the Environment Maker security role can share canvas apps with 'Everyone in an organization'. When the setting is set to ‘true’, only users with an admin role (Dynamics 365 admin, Power Platform Service admin, Azure AD tenant admin) can share apps with ‘Everyone in an organization’.

Note, regardless of this tenant settings value makers with the sharing privilege can share apps with security groups of any size. This control only determines whether the ‘Everyone’ shorthand may be used when sharing.

Change tenant setting for ability to share apps with ‘Everyone’

$settings = Get-TenantSettings 
$settings.powerPlatform.powerApps.disableShareWithEveryone = $True 
Set-TenantSettings -RequestBody $settings
Surface your organization’s governance error message content

If you specify governance error message content to appear in error messages, it will be included in the error message displayed when makers observe they don’t have permission to share apps with 'Everyone'. See PowerShell governance error message content commands..

Power Automate commands

Use these commands to view and modify data related to Power Automate.

Display all flows

Get-AdminFlow

Returns a list of all flows in the tenant.

Display flow owner role details

Get-AdminFlowOwnerRole –EnvironmentName 'EnvironmentName' –FlowName 'FlowName'

Returns the owner details of the specified flow.

Note: Like Environments and PowerApps, FlowName is the unique identifier (guid), which is different from the display name of the flow.

Display flow user details

Get-AdminFlowUserDetails –UserId $Global:currentSession.userId

Returns the user details regarding flow usage. In this example we're using the user Id of the current logged in user of the PowerShell session as input.

Remove flow user details

Remove-AdminFlowUserDetails –UserId 'UserId'

Deletes the details on a flow user completely from the Microsoft database. All flows the input user owns must be deleted before the flow user details can be purged.

Note: The UserId field is the Object ID of the user's Azure Active Directory record, which can be found in the Azure Portal under Azure Active Directory > Users > Profile > Object ID. You must be an admin to access this data from here.

Export all flows to a CSV file

Get-AdminFlow | Export-Csv -Path '.\FlowExport.csv'

Exports all the flows in your tenant into a tabular view .csv file.

API connection commands

View and manage API connections in your tenant.

Display all native Connections in your default environment

Get-AdminPowerAppEnvironment -Default | Get-AdminPowerAppConnection

Displays a list of all API connections you have in the default environment. Native connections are found under the Data > Connections tab in the maker portal.

Display all custom connectors in the tenant

Get-AdminPowerAppConnector

Returns a list of all custom connector details in the tenant.

Data loss prevention (DLP) policy commands

Note

The ability to block connectors by using a three-way classification—Business, Non-Business, and Blocked—in addition to DLP policy UI support in the Power Platform admin center are currently in public preview. There is new DLP policy PowerShell support for three-way DLP policy classification, which is also in public preview. Legacy DLP policy support for two-way classification (Business and Non-Business), along with admin center UI and PowerShell support for two-way classification, are currently generally available and will continue to be available for the foreseeable future. More information: Connectors documentation

These cmdlets control the DLP policies on your tenant.

Create a DLP policy

New-DlpPolicy

Creates a new DLP policy for the signed-in admin's tenant.

Retrieve a list of of DLP objects

Get-DlpPolicy

Gets policy objects for the signed-in admin's tenant.

Update a DLP policy

Set-DlpPolicy

Updates details of the policy, such as the policy display name.

Remove a policy

Remove-DlpPolicy

Deletes a DLP policy.

DLP resource exemption cmdlets

These cmdlets allow you to exempt or unexempt a specific resource from a DLP policy.

Retrieve existing exempt resource list for a DLP policy

Get-PowerAppDlpPolicyExemptResources -TenantId -PolicyName 

Create a new exempt resource list for a DLP policy

New-PowerAppDlpPolicyExemptResources -TenantId -PolicyName -NewDlpPolicyExemptResources 

Update the exempt resource list for a DLP policy

Set-PowerAppDlpPolicyExemptResources -TenantId -PolicyName -UpdatedExemptResources 

Remove the exempt resource list for a DLP policy

Remove-PowerAppDlpPolicyExemptResources -TenantId -PolicyName 

To exempt a resource from a DLP policy you need the following information:

  • Tenant ID (GUID)
  • DLP policy ID (GUID)
  • Resource ID (ends with a GUID)
  • Resource type

You can retrieve the resource ID and type using PowerShell cmdlets Get-PowerApp for apps and Get-Flow for flows.

Example

To exempt flow with ID f239652e-dd38-4826-a1de-90a2aea584d9 and app with ID 06002625-7154-4417-996e-21d7a60ad624 we can run the following cmdlets:

1. PS D:\> $flow = Get-Flow -FlowName f239652e-dd38-4826-a1de-90a2aea584d9 
2. PS D:\> $app = Get-PowerApp -AppName 06002625-7154-4417-996e-21d7a60ad624 
3. PS D:\> $exemptFlow = [pscustomobject]@{ 
4. >>             id = $flow.Internal.id 
5. >>             type = $flow.Internal.type 
6. >>         } 
7. PS D:\> $exemptApp = [pscustomobject]@{ 
8. >>             id = $app.Internal.id 
9. >>             type = $app.Internal.type 
10. >>         } 
11. PS D:\> $exemptResources = [pscustomobject]@{ 
12. >>             exemptResources = @($exemptFlow, $exemptApp) 
13. >>         } 
14. PS D:\> New-PowerAppDlpPolicyExemptResources -TenantId b1c07da8-2ae2-47e7-91b8-d3418892f507 -PolicyName 65da474a-70aa-4a59-9ae1-65a2bebbf98a -NewDlpPolicyExemptResources $exemptResources 
15. 
16. exemptResources 
17. --------------- 
18. {@{id=/providers/Microsoft.ProcessSimple/environments/Default-b1c07da8-2ae2-47e7-91b8-d3418892f507/flows/f239652e-dd38-4826-a1de-90a2aea584d9; type=Microsoft.ProcessSimple/environments/flows}, @{id=/providers/Microsoft.PowerApps/apps/06002625-7154-4417-996e-21d7a60ad.. 

Governance error message content commands

The following cmdlets can be used to lead your end users to your organization’s governance reference material, including a link to governance documentation and a governance contact, when they are prompted by governance controls. For instance, when governance error message content is set it will appear in Power Apps Data Loss Prevention policy runtime enforcement messages.

Set governance error message content

New-PowerAppDlpErrorSettings -TenantId 'TenantId' -ErrorSettings @{  
  ErrorMessageDetails = @{ 
    enabled = $True  
    url = "https://contoso.org/governanceMaterial" 
  } 
  ContactDetails= @{  
    enabled = $True 
    email = "admin@contoso.com" 
  } 
} 

The governance error message URL and email can be shown independently or together. Each value’s presence in the governance error message is controlled by the ‘enabled’ field.

This governance error message content appears in the following experiences.
# Experience Availability
1 User launches a Power Apps app that’s not DLP compliant Generally available
2 Maker shares a Power Apps canvas app but doesn’t have share privilege Generally available
3 Maker shares a Power Apps canvas app with ‘Everyone’ but doesn’t have privilege to share with ‘Everyone’ Generally available
4 Maker saves a Power Apps app that’s not DLP compliant Generally available
5 Maker saves a Flow that’s not DLP compliant Not yet available

Display governance error message content

Get-PowerAppDlpErrorSettings -TenantId 'TenantId' 

Update governance error message content

Set-PowerAppDlpErrorSettings -TenantId 'TenantId' -ErrorSettings @{  
  ErrorMessageDetails = @{ 
    enabled = $True  
    url = "https://contoso.org/governanceMaterial" 
  } 
  ContactDetails= @{  
    enabled = $True 
    email = "admin@contoso.com" 
  } 
} 

Block trial licenses commands

Commands:

Remove-AllowedConsentPlans
Add-AllowedConsentPlans
Get-AllowedConsentPlans

The allowed consent plans cmdlets can be used to add or remove access to a particular type of consent plan from a tenant. "Internal" consent plans are either trial licenses or developer plans that users can sign themselves up for via Power Apps/Power Automate portals. "Ad-hoc subscription" or "Viral" consent plans are trial licenses that users can sign themselves up for via https://signup.microsoft.com or admins can assign to users via Azure Active Directory (Azure AD) or the Microsoft 365 admin portal.

By default all types of consent plans are allowed in a tenant. A common use case for these cmdlets is if a Power Platform admin wants to block users within their tenant from the ability to assign themselves trial licenses but retain the ability to assign trial licenses on behalf of users. This can be accomplished by using the Remove-AllowedConsentPlans -Types "Internal" command as well as disabling the setting AllowAdHocSubscriptions in Azure AD.

It is important to note that when using Remove-AllowedConsentPlans all existing plans of the specified type will be removed from all users in the tenant and will not be recoverable. In addition, it will block all further assignment of plans of that type. If, at a later time, the Power Platform admin wishes to re-enable plans of that type they can use Add-AllowedConsentPlans. If they want to view the current state of allowed consent plans they can use Get-AllowedConsentPlans.

Questions?

If you have any comments, suggestions, or questions, post them on the Administering Power Apps community board.

See also

Get started using the Power Apps admin module
Microsoft.PowerApps.Administration.PowerShell
Preview: Programmability and extensibility overview