PowerApps: Azure Active Directory Groups

Why?

Managing users and groups: an IT thing, an HR thing, a business ownership thing 🤔. With Azure Active Directory this is as flexible as you would like it to be, so once your organization has finally come to an agreement on who will manage which users in which groups ➡ then how can PowerApps make use of these groups?

What?

An approach to using Azure Active Directory groups to make controls (in)visible.

How?

The first thing to mention is that the Azure AD connector (like some of the other connectors) limits the number of requests someone can make within a certain amount of time. When this rate limit is reached, the result is a notification like: AzureAD.GetGroup failed: { "statusCode": 429, "message": "Rate limit is exceeded. Try again in 20 seconds."}.

These throttling limits are documented in the General connector pages and are something you have to take into consideration per connector to make sure your users are not bothered with this notification (or an error, as those users might experience it 🤐). This can be done by placing the request(s) in your PowerApp at the right moment in the right place.

1) In my scenario I have three Azure AD Groups:

  1. An Office365 Group: O365Group PowerApps Access
    My account IS NOT a member of this group.
  2. A Security Group: SecGroup PowerApps Access
    My account IS a member of this group.
  3. An Office365 Group: O365Group SharePoint
    My account IS a member of this group.

I added a security group in there to show that the type of group does not matter at the moment. How I prevent the throttling limit from being reached is by loading the groups I need in a collection:

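// Load every group once into a collection so later formulas read from memory
// instead of calling the Azure AD connector again (and hitting the rate limit).
ClearCollect(
    colGroups,
    AddColumns(
        AddColumns(
            // Base table: group Object ID, stable lookup key and process tags.
            Table(
                {colGroupsGroupId: "8057fc8d-1f48-410f-b0fd-920ccbb1a549", LookupName: "O365 PAa", Process: "-1-2-4-5-"},
                {colGroupsGroupId: "a21395fb-54e2-4282-825b-316beb6d807f", LookupName: "SC PAa", Process: "-1-3-"},
                {colGroupsGroupId: "e11cdea5-942e-4876-a617-e15d4d101f14", LookupName: "O365 SP", Process: "-4-5-"}
            ),
            "colGroupsDisplayName",
            AzureAD.GetGroup(colGroupsGroupId).displayName,
            "colGroupsGroupMembers",
            AzureAD.GetGroupMembers(colGroupsGroupId).value
        ),
        // All member mail addresses of the group as one lower-case, ";"-separated string.
        "concatGroupMembers",
        Concat(colGroupsGroupMembers, Lower(mail) & ";")
    )
)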

This ClearCollect adds columns because the Azure AD connector uses different actions for different pieces of information. What I do:

  • There is a base Table:
    • I typed in the Object ID / Group ID of the Azure AD Groups and placed them in the colGroupsGroupId column of the collection. (This data could also be placed in a SharePoint List or Excel File for easier maintenance.)
    • Because I have been creating business applications for a while, I expect some business owner to add and remove groups and therefore I add a unique identifier LookupName that formulas in the PowerApp will use. So if a new group is added or replaced, I would just have to change one Group ID here and not in every control related to that group.
    • Process is an extra level of diversity I added to show that you can have multiple (layers of) conditions. In my case I did not only want to check on the membership of a specific group, but I also needed to support a scenario where a person could be a member of multiple groups: if a person is a member of any group related to Process 1, the control would be (in)visible.
  • Then I add an AzureAD.GetGroup formula to get the displayName in a separate column colGroupsDisplayName so the (user friendly) display name can be used.
  • Then I add an AzureAD.GetGroupMembers formula to get the members of the group in a separate column colGroupsGroupMembers, as a nested table, so every member is its own record.
  • Finally I add an extra column concatGroupMembers to get the mail property of every member in one big string, using a Concat formula on the previously added column.

2) When the collection is loaded you can use this collection throughout the rest of the PowerApp. Here are some handy formulas using this collection:

  • To show all Azure AD Groups of your collection, just reference the colGroups collection in the Items property of a Gallery.
  • To show the displayName and include the number of members in that Azure AD group:
colGroupsDisplayName&" ("&CountRows(ThisItem.colGroupsGroupMembers)&")"
  • To show if the current user is a member of any of these displayed groups, I added an icon and made the Color property of the added icon dynamic:
If(Lower(User().Email) in Lower(Concat(ThisItem.colGroupsGroupMembers,mail&" + ")),Color.Green,RGBA(0, 0, 0, 0))
  • To make a control visible if someone is a member of a specific group, I am using the LookupName column we added for flexible maintenance. In this example I want to show a control if someone is a member of the group with the LookupName equal to O365 PAa:
If(Lower(User().Email) in Lower(Concat(First(Filter(colGroups,LookupName="O365 PAa")).colGroupsGroupMembers,mail&" + ")),true,false)
  • To check if someone is in a group that fits a specific condition, I am using the Process column and the concatGroupMembers column we added for this purpose. In this example I want to show a control if someone is a member of a group where -1- is in the Process column:
If(Lower(User().Email) in Lower(Concat(Filter(colGroups,"-1-" in Process),concatGroupMembers)),true,false)
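The membership formulas above use `in`, which is a case-insensitive substring test, so an address such as bob@contoso.com is also "found" inside jacob@contoso.com. The following is an added example, not part of the original post, that matches the whole address by reusing the ";" delimiter of concatGroupMembers; the variable names varHasEmail and varUserKey and the sample addresses are assumptions, and it assumes, as the post does, that User().Email equals the member's mail value.

```powerfx
// Added example, not from the original post. Assumes colGroups was loaded by the
// ClearCollect above, so concatGroupMembers looks like
// "anna@contoso.com;jacob@contoso.com;" (constructed sample addresses).
// varHasEmail and varUserKey are hypothetical variable names.

// App.OnStart, after the ClearCollect: build the caller's key once.
// A blank User().Email would produce ";;", which also appears wherever a group
// member has no mail value, so remember whether the address is usable.
Set(varHasEmail, !IsBlank(User().Email));
Set(varUserKey, ";" & Lower(User().Email) & ";")

// Visible: member of the group with LookupName "O365 PAa".
varHasEmail &&
    varUserKey in (";" & LookUp(colGroups, LookupName = "O365 PAa").concatGroupMembers)

// Visible: member of any group tagged with process 1.
varHasEmail &&
    varUserKey in (";" & Concat(Filter(colGroups, "-1-" in Process), concatGroupMembers))

// Alternative without string matching: compare each member record's mail.
varHasEmail &&
    !IsBlank(
        LookUp(
            LookUp(colGroups, LookupName = "O365 PAa").colGroupsGroupMembers,
            Lower(mail) = Lower(User().Email)
        )
    )
```

Visible only hides the control inside the app; the data source behind it still needs its own permissions for users outside these groups.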

Got any other interesting examples in this context? Leave a comment 👇

9 thoughts on “PowerApps: Azure Active Directory Groups”

  1. Hi
    You have hard coded all the groups. What if I want to retrieve groups based on the logged user? I don't want to hard code. I just want to display all the members of the logged user group who is actually the owner of group.

    1. Hi Alex, could you be more specific?
      I added the whole ClearCollect formula through the GitHub control and below this control, I tried to explain every step.
      Please let me know if any specific step / part is unclear for me to improve 👍

        1. 😁
          I guess the GitHub Control is not showing on certain devices / browsers / settings. I will replace it with a default Code Control just to be sure that the ClearCollect formula can be seen.
