Restricting Power Apps users from viewing or updating the SharePoint List content from SharePoint GUI

There are many developers & power users using SharePoint lists as a data source to store data submitted from a Power App. There should be various reasons for this, please find mine below

• Enterprise users with license (E5, E3, E1) has access to Power App & SharePoint as a service
• SharePoint is a standard connector & not a premium one which means the user would be able to access SharePoint with the license they have assigned. Its not required for the users to have an additional license (App based license or user based license) to access the premium connectors like Azure SQL etc
• There are many triggers & actions available for SharePoint connector

Let’s say on the Power App you have developed or developing has many custom logics on different screens. For e.g data being stored on different lists on click of a button in a Power App screen/form. If the user has to store data to SharePoint from Power App, user should have at the least edit/contribute access which means the user to be added on the out of the box site members group.

If the power app user gets to know the SharePoint site url which is connected as a data source in the Power App, the user would be able to access all the lists from the site by going to the Site contents page or by directly going to the list view url. This might create an issue because the user might edit, create or delete an item from the SharePoint interface rather from the Power Apps interface. As an app owner, you would like to avoid this. There is a way to avoid this by creating a custom permission level for the app users in SharePoint. Please find the steps below

1. Go to the Site Permissions
2. Click Permission Levels on the Ribbon
3. Click an existing permission level “Contribute” from the list.
4. You will be navigated to Edit Permission level for “Contribute”
5. Scroll the page to the bottom & click on the button “Copy Permission Level”
6. Name the permission level as “Power Apps – Custom Permission” & give some meaningful description
7. Remove/Uncheck the permission “View Application Pages” under the category “List Permissions”
8. Scroll down and click “Create” button

The custom permission level is ready, let’s assign this to a new SharePoint group. Find steps below to create a new group & assign the custom permission level to the group

1. Go to the Site Permissions
2. Click “Create Group” on the ribbon
3. Name it as “Power App Users”
4. Change the Owner field to the Site Owners group – Optional Step
5. Scroll down & select the Permission level created above
6. Click Create

The group is ready, add the power app users to this group. This access will not allow the members of this group to access the Site contents (Application Page), view forms or views (Allitems.aspx) but they would be able to create/update from Power Apps. Technically the user would still be able to access/modify the list content programmatically using CSOM/JSOM etc, but the GUI in SharePoint is blocked. They will receive an access denied message while trying to access the list view/form or site contents page.

Note:
After the users are added to the group which has the restricted permission level, make sure the users are not part of others groups like Members, Visitors etc. You can confirm this from the Check Permissions on the link https://domain.sharepoint.com/sites/sitename/_layouts/15/user.aspx

Summary: You can play around with the different types of permissions while creating the permission level for Power Apps users, grant only the required permissions. A site owner will have access to create or update permission level. Microsoft has very detailed documentation on permission levels. In a SharePoint site, the permissions are inherited from the Site>Lists>Item. Based on the need, the permissions can be broken at any level. Hope you find this post useful. Let me know if there is any comments or feedback by posting a comment below.