Change the original Owner of a Power App & Flow

Has there been a requirement or a need to change the owner/creator of a Power App or a Flow built by your organizational users? There could be various reasons for this request:

  • The app/flow creator has left the organization
  • The app/flow creator has changed role within the organization
  • The app is being handed over to the operations team…

At the time of writing this post there is no PowerShell command or action available in Flow/PowerApps to change the original Owner of a flow, but you can still assign an Owner to a flow created by a user who has left the organization from the Flow Admin center; I cover the steps in this post. The good news is that Microsoft plans to release this feature, as per this user voice request.

Prerequisite: Environment Admin or Power Platform Admin

Change the Owner of a Power App:

There are different ways to change the Owner of a Power App, using:

  1. PowerShell
  2. Flow
  3. Power App

PowerShell cmdlets for PowerApps:

There is a PowerApps cmdlet for administrators, Set-AdminPowerAppOwner, which allows you to change the Owner of the app.

Prerequisite: The following modules should be installed. It requires Administrator access on the workstation to install the modules

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber

If you don’t have admin access, then you can import the modules to your workstation using the following commands

Save-Module -Name Microsoft.PowerApps.Administration.PowerShell -Path
Import-Module -Name Microsoft.PowerApps.Administration.PowerShell
Save-Module -Name Microsoft.PowerApps.PowerShell -Path
Import-Module -Name Microsoft.PowerApps.PowerShell

Power Shell cmdlet for changing the Owner:

# This call opens prompt to collect credentials (Azure Active Directory account and password) used by the commands 
Add-PowerAppsAccount
Set-AdminPowerAppOwner -AppName '6aac46a2-a0f3-43f3-a2fb-51111785437c' -AppOwner '4cea7f11-c013-4bee-a6d1-ae3381a7f386' -EnvironmentName 'Default-2r6e8761-108d-417e-9bb4-e7c4e3ba2e23'

  1. EnvironmentName is the environment of the Power App whose Owner you would like to change. To get the environment name, run the PowerShell command Get-PowerAppEnvironment
  2. AppName is the App ID of the Power App. To get this information, run the command Get-PowerApp ‘Name of the powerapp’
  3. AppOwner is the Azure Active Directory object ID of the new Owner. It is the unique ID of the user in the tenant, and you can get this information in multiple ways. To get it from Flow, the following action would help. The outputs of this action have the attribute Id, which is the ID of the user to pass to the PowerShell command.

The old owner will get viewer access to the app, but you can change that if required. For other PowerShell cmdlets for PowerApps & Flow, refer to this article from Microsoft.

PowerShell Tip:

To get help on any PowerShell cmdlet, type Get-Help cmdletname (e.g. Get-Help Set-AdminPowerAppOwner). To get some examples, type Get-Help Set-AdminPowerAppOwner -Examples

PowerApps for Admin Connector in Flow:

There is a preview action named “Set App Owner” under the connector PowerApps for Admin, which also lets you change the owner of a Power App.

PowerApps for Admin Connector in PowerApp:

The same connector used in the flow can also be used in a Power App to change the owner of the app. Microsoft provides a PowerApps tool, the Connector Browser Tool, for testing the PowerApps for Admin connector, and it can be used to change the Owner of the app. The app is available as a package for download from this link; see also the blog post from Microsoft. You can select any action and, after entering values for the parameters, click Submit.

You can test the connector for Flow with this tool as well.

Assign a new Owner to a Power Automate Flow:

A new Owner can be assigned to an existing Power Automate flow by using the

  1. PowerShell cmdlets for Makers & Admins
  2. Power Automate Admin Center

Assign an Owner for a Flow created by a user who has left the organization by using PowerShell:

After installing the PowerApps PowerShell module for administrators, enter the following commands to get the Object ID of the user who created the flow (Connect-AzureAD and Get-AzureADUser come from the AzureAD module)

Connect-AzureAD
Get-AzureADUser -ObjectID username@yourorgname.com | Select-Object ObjectId

Establish a connection for the PowerApps cmdlets by entering the following command, which opens a prompt to collect credentials (Azure Active Directory account and password of a Power Platform Administrator or Global Admin)

Add-PowerAppsAccount

After copying the ObjectId of the user, run the PowerShell command Get-AdminFlow to get all the flows created by the user

Get-AdminFlow -CreatedBy userObjectId

The above command returns the details of each flow. Copy the FlowName (in GUID format) and the EnvironmentName. To assign a new Owner, run the Set-AdminFlowOwnerRole command after replacing userObjectId, flowNameGUID and environmentGUID

Set-AdminFlowOwnerRole -PrincipalType User -PrincipalObjectId userObjectId -RoleName CanEdit -FlowName flowNameGUID -EnvironmentName environmentGUID

If you get a 200 OK, the new owner has been assigned to the Flow. You can also remove an Owner with the following command; the only catch is that you will not be able to remove the creator of the flow

Remove-AdminFlowOwnerRole

Get-AdminFlowOwnerRole
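
The steps above, combined into one script that covers every flow created by a departed user and writes a record of each change. This is an added example, not code from the original post; the parameter names, the CSV path and the `.Code` property read from the Set-AdminFlowOwnerRole result are assumptions.

```powershell
# Added example (not from the original post): grant a new owner CanEdit on every
# flow created by a departed user, and keep a CSV record of each change.
param(
    [Parameter(Mandatory)] [string] $DepartedUpn,     # e.g. username@yourorgname.com
    [Parameter(Mandatory)] [string] $NewOwnerUpn,
    [string] $AuditCsv = '.\flow-owner-changes.csv',  # hypothetical output path
    [switch] $ReportOnly                              # list flows without changing them
)

Connect-AzureAD | Out-Null
Add-PowerAppsAccount

$departedId = (Get-AzureADUser -ObjectId $DepartedUpn).ObjectId
$newOwnerId = (Get-AzureADUser -ObjectId $NewOwnerUpn).ObjectId

$audit = @(foreach ($flow in (Get-AdminFlow -CreatedBy $departedId)) {
    # Skip flows where the new owner already holds a role, so reruns are safe.
    $roles = Get-AdminFlowOwnerRole -EnvironmentName $flow.EnvironmentName -FlowName $flow.FlowName
    $existing = $roles | Where-Object { $_.PrincipalObjectId -eq $newOwnerId }

    if ($existing) { $action = 'Skipped: already has a role' }
    elseif ($ReportOnly) { $action = 'Would add CanEdit' }
    else {
        $result = Set-AdminFlowOwnerRole -PrincipalType User -PrincipalObjectId $newOwnerId `
            -RoleName CanEdit -FlowName $flow.FlowName -EnvironmentName $flow.EnvironmentName
        # Assumption: the returned object exposes the HTTP status as .Code (200 on success).
        $action = "Set-AdminFlowOwnerRole returned $($result.Code)"
    }

    [pscustomobject]@{
        TimeUtc     = (Get-Date).ToUniversalTime().ToString('o')
        Environment = $flow.EnvironmentName
        FlowName    = $flow.FlowName
        DisplayName = $flow.DisplayName
        Enabled     = $flow.Enabled
        NewOwnerId  = $newOwnerId
        Action      = $action
    }
})

$audit | Export-Csv -Path $AuditCsv -NoTypeInformation
$audit | Format-Table DisplayName, Enabled, Action -AutoSize
```

Running it first with -ReportOnly shows which flows, including ones that are still enabled, would gain the new owner before any role is changed.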

Assign an Owner for a Flow created by a user who has left the organization by using the Admin Center:

This can be done by connecting to the Flow Admin center and clicking the environment which has the flow

Click Resources & then click Flows

Then look for the flow which needs the update, click the flow & click Manage sharing to add an Owner

You can also export the flow as a package & then recreate it to have a new Owner. Follow this blogpost from Microsoft.

Summary: In this post, I’ve covered different ways to update the owner for PowerApps & Flow using PowerShell & the Admin connector in Flow & PowerApps. Hope you find this post useful & informational. Let me know if there are any comments or feedback below.

Automate the provision of Azure AD Account & License assignment – Part 1

A decade back I was part of a team that automated the on- and offboarding process of employees for a customer using the .NET Framework; it had a module to provision user accounts in an on-premises environment. I still remember having used a couple of DLLs for Active Directory 2003 & Exchange 2007 to create AD & email accounts. It was not easy, but nowadays with Office 365 in place it's easy to create an account & enable different Office 365 services (Exchange, SharePoint, Yammer etc.) for a user in Azure Active Directory. This example applies to organizations which do not have on-premises Active Directory. For organizations with on-premises Active Directory, the user accounts will be synchronized from on-premises AD to Azure AD. In this post I am going to show you how to

  1. Create Azure AD account & assign license using Power Automate
  2. Assign License using Graph Endpoint

Create Azure AD account & assign license using Power Automate:

There is a Power Automate action Create user under the connector Azure AD which creates an account in Azure AD. There is no action as of now to assign an individual license to a user, but we can overcome this by adding the user to an AD security group which has a license assigned to it.

There is a flow action Add user to group under the same connector for adding the user to the security group; all members of the group get the license assigned to that group. The Azure AD connector does not return custom attributes of Azure AD. For example, you can’t assign a value to a custom AD attribute with the Create user action; if you want to assign a custom attribute or an attribute which is not exposed in the Create user action, the account has to be created using PowerShell. There are ways to call a PowerShell script from Azure Automation Runbooks with the help of a flow action.

Other Azure AD actions apart from the above screenshot which could be of use are

  • Create group
  • Get group members
  • Get groups of a user
  • Get user
  • Remove Member from Group
  • Update user

There are templates available in the Power Automate template section which help you create an account based on information from a SharePoint list, an HTTP request etc.

Prerequisite:

  • Permissions on Azure AD:
    • Group.ReadWrite.All
    • User.ReadWrite.All
    • Directory.ReadWrite.All
  • Security group with license assigned

For assigning a license to Security group, go to Azure AD Admin center. Follow this documentation from Microsoft to assign license to a group.

You can also turn off certain services in the license assigned to the group, for example turning off the Power Apps service for the user.

You can also use dynamic groups for assigning a license to a user; if you have dynamic-group-based license assignment, you can skip the step in the flow that adds the user to the security group. Dynamic groups work based on rules that determine group membership, for example a rule on the AD attribute Department. In this case an AD user created with a certain department is automatically added to the group, which in turn assigns a license to the user.

Let’s now create the flow. I have used an Instant flow with the trigger Manually trigger a flow. Add the action Create user from the connector Azure AD.

Now add the action Add user to group, the Group Id should be for the Security group which has a license assigned to it. The User Id field should be dynamic value Id from the previous action Create user.

To get the group Id, go to Azure AD

Run the flow. Once the flow runs successfully, the user account will be provisioned in Azure AD with a license.

Assign License using Graph Endpoint:

There is a beta Graph endpoint to assign a license to a user. See the Microsoft documentation for more information.

All types of license (E5, E3, PowerApps, Power etc) have a Service Plan id, also called SKU id. Find the list of SKU ids on this link if your tenant has procured the license for the service.

To get the available service plan or SKU id, make a GET call to the endpoint https://graph.microsoft.com/v1.0/subscribedSkus & also to the beta endpoint of the user https://graph.microsoft.com/beta/me

Once the SKU ids are available for the type of license to be assigned, make a POST call to

Endpoint URL: https://graph.microsoft.com/beta/users/testuser10@mydevashiq.onmicrosoft.com/assignLicense

Request Body:

{
  "addLicenses": [
        {
            "disabledPlans": [],
            "skuId": "b05e124f-c7cc-45a0-a6aa-8cf78c946968"
        },
        {
            "disabledPlans": [],
            "skuId": "a403ebcc-fae0-4ca2-8c8c-7a907fd6c235"
        }
  ],
  "removeLicenses": []
}

The first SKU id is for Enterprise Mobility & Power BI (Free)

To remove the license for a user, use the collection removeLicenses. This graph endpoint to assign license can also be called from a Flow.
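
The two Graph calls described above, with a check that each SKU is subscribed and still has free units before the POST is sent. This is an added example, not code from the original post; the function name, the constructed sample data and the `GRAPH_TOKEN` environment variable holding an access token are assumptions.

```powershell
# Added example: build an assignLicense body after validating it against subscribedSkus.
function New-AssignLicenseBody {
    param(
        [Parameter(Mandatory)] [object[]] $SubscribedSkus,  # 'value' array from GET /subscribedSkus
        [Parameter(Mandatory)] [string[]] $SkuIds
    )
    $add = foreach ($id in $SkuIds) {
        $sku = $SubscribedSkus | Where-Object { $_.skuId -eq $id }
        if (-not $sku) { throw "SKU $id is not subscribed in this tenant" }
        $free = $sku.prepaidUnits.enabled - $sku.consumedUnits
        if ($free -lt 1) { throw "No free units left for $($sku.skuPartNumber)" }
        @{ disabledPlans = @(); skuId = $id }
    }
    # The endpoint expects both collections, even when one is empty.
    @{ addLicenses = @($add); removeLicenses = @() } | ConvertTo-Json -Depth 4
}

# Constructed sample shaped like the subscribedSkus response (names and counts are made up).
$sampleSkus = @(
    [pscustomobject]@{ skuId = 'b05e124f-c7cc-45a0-a6aa-8cf78c946968'; skuPartNumber = 'SAMPLE_SKU_A'
                       consumedUnits = 3; prepaidUnits = [pscustomobject]@{ enabled = 25 } }
    [pscustomobject]@{ skuId = 'a403ebcc-fae0-4ca2-8c8c-7a907fd6c235'; skuPartNumber = 'SAMPLE_SKU_B'
                       consumedUnits = 10; prepaidUnits = [pscustomobject]@{ enabled = 1000 } }
)
New-AssignLicenseBody -SubscribedSkus $sampleSkus -SkuIds $sampleSkus.skuId

# Live call: runs only when an access token is supplied in $env:GRAPH_TOKEN (assumption).
if ($env:GRAPH_TOKEN) {
    $headers = @{ Authorization = "Bearer $env:GRAPH_TOKEN" }
    $user    = 'testuser10@mydevashiq.onmicrosoft.com'
    $skus    = (Invoke-RestMethod -Headers $headers -Uri 'https://graph.microsoft.com/v1.0/subscribedSkus').value
    $body    = New-AssignLicenseBody -SubscribedSkus $skus -SkuIds 'a403ebcc-fae0-4ca2-8c8c-7a907fd6c235'
    Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' -Body $body `
        -Uri "https://graph.microsoft.com/beta/users/$user/assignLicense"
}
```

The assignLicense call is rejected for a user whose usageLocation property is not set, so set that on the account before assigning a license.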

Summary: You can also use an HTTP request trigger in the Flow for integrating with other applications. In the next post I will write about creating an account in on-premises Active Directory. Hope you find this post useful & informational. Let me know if there are any comments or feedback below.