Related sites:
Newsletter: Perspectives on Power Platform
Company: Niiranen Advisory Oy
A while ago there was an announcement made on the PowerApps team blog about “Share canvas apps with guests in your organization”. Launched in public preview, this feature makes it (almost) as simple to share apps with a guest user as it is with internal users from your company. Basically all you need to do is invite them as guests into your tenant, by leveraging the Azure AD B2B collaboration:
Once they’re in, providing access in the PowerApps Canvas app sharing menu works the way you should already be familiar with. Guests will appear as users that appear in the search and you can do all the usual stuff, apart from making guests co-owners of your app.
The fact that you can Bring Your Own Identity in this app sharing scenario is already a big benefit. Forget about trying to create user accounts for your partners & customers, let alone manage password renewals, people leaving the partner company and all that tedious admin work. When there are no separate credentials for the different applications, you can focus your efforts on configuring the appropriate security model on your side and then automating as many steps in the Azure AD driven process as you can via group memberships etc.
(Side note: Technically BYOI probably refers only to scenarios where you log into Azure AD with something completely external like a Google account, instead of just an identity from a neighboring tenant. )
Providing application access to third parties via Azure AD B2B Collaboration has been possible for Model-driven apps for a while now, or Dynamics 365 CE like it is more commonly referenced. If you have partners that are performing telemarketing or support services that link closely to your core customer data, providing them access to your CRM directly is usually far more efficient than shipping data via Excels or handling task assignments via email.
The one negative side about this external user scenario has been that you will always need to purchase a license for these guests before they can access your apps. It doesn’t matter if they’ve got Dynamics 365 licenses back at their home tenant, since that can’t grant them access to another tenant’s environment. Boo! No one likes to pay twice for the same service, but sometimes the costs can of course be absorbed while keeping the business case valid. Especially now when there’s the $10 Per App Plan for PowerApps.
It doesn’t have to be that way, though. With the nearing GA of Canvas apps sharing across different organizations, there is now the possibility to “Bring Your Own License” (BYOL). Have a look at what the documentation says about the prerequisites for Canvas apps sharing with guests:
The guest user must have a PowerApps license assigned through one of the following tenants:
* The tenant hosting the app being shared.
* The home tenant of the guest user.
This is awesome! What this essentially means that any user that has either PowerApps or applicable Dynamics 365 licenses assigned to them in their own organization can use the powers granted by that license to operate apps in any other tenant in which he or she has been granted the rights via the respective security model of the app.
Let’s try this out. I’ve got a user account with Dynamics 365 Customer Engagement Plan license (R.I.P.) assigned to it in my production tenant. What I will do in a test tenant that represents a partner organization in this demo is to 1) provision a CDS environment, 2) install sample account data into it, 3) generate a quick Canvas app from data to work with these account entity records, 4) invite my production user as a guest into the demo tenant, and finally 5) share the Canvas app from the demo to my production user.
Steps 1-2 are just the configuration work familiar to any Dynamics 365 professional, so we can skip talking about those. Also step 3 is a matter of selecting “create new app, Canvas” and then going with the Common Data Service option with the account entity as the target table.
After saving the app, we need to make sure that our guest user is found in the Azure AD user list, pretty much like an actual local user of the tenant would:
Back in PowerApps, the sharing menu should now show us the guest user as a possible share target. Since this Canvas app is using CDS as the data source, we’re also presented with the options to set the security roles for the guest.
Click “Share” and the guest will have an invite email in a few seconds, with a link to the Canvas app:
Click the link & off we go! By the power invested in me via a Dynamics 365 license purchase by a completely different organization, I’m now fully capable to work with the CDS data via a PowerApp offered to me by a partner in their tenant.
To an outsider this whole app sharing thing might seem a bit underwhelming. “What’s the big deal? Isn’t that exactly how it should work?” YES. It should, but it hasn’t – until now. Being originally born into the internal networks of organizations, the business user software from Microsoft has suffered from the boundaries set by an invisible firewall that no longer physically exists in the era of public cloud applications. While the application platforms from MS have gradually acquired better skills to work with the outside world, the licensing model hasn’t been all too friendly for many cross-tenant scenarios.
For now, when you purchase the Per User license to Microsoft’s low-code application platform, you get a “1:N pass” for one user to access an unlimited number of PowerApps Canvas or Model-driven applications within the home tenant:
The more business scenarios you can cover with PowerApps, the cheaper the relative price you pay for the platform capabilities. The result within an organization that goes all-in on Power Platform to digitally transform themselves can be quite a high number of apps already. Now, imagine that it wouldn’t be limited just to the types of digital processes that operate within your organization’s firewall. What if there was a multi-tenant model where the Per User license could unlock collaboration scenarios with your partners or customers? This network effect could grow the number of apps even faster, as it represents a “1:N:N pass”:
Pretty exciting, don’t you think? We’re not quite yet on the level where B2C app scenarios would be within the scope of PowerApps, but this expansion into B2B collaboration area is surely a part of the strategy how Microsoft plans to grow their Power Platform business. The ability to use Canvas apps without a license in the app’s home tenant directly is an important variable to consider when planning your app strategy in the MS Cloud.
One thing to keep in mind here is that Canvas app sharing doesn’t replace the use of PowerApps Portals for external audiences, as those have different pros and cons from a feature and cost perspective. Also the usage of Model-driven apps for collaborating with external parties in complex business processes will probably still have a place in the greater Power Platform puzzle, even if this new license portability doesn’t cover them (at least not yet).
[…] there is the option for “bring your own license” available, which I’ve covered in this blog post. For Model-driven apps, this isn’t possible today. Power Apps Portals is always an option if […]