Sometimes, this is a cool thing to be able to do! Let’s say we have an app that we want every employee in our organisation to be able to access. Ah, the solution! Share with everyone in the organisation! That’s it!
But hold on… is that really the right approach? I now have questions for you…
- Are there contractors with accounts in your tenants?
- Are there guests in your tenant that this could affect?
- Are there service accounts people have access to that shouldn’t be able to access your app and make changes without it being someone’s user account for audit purposes?
Ah! Doesn’t seem like quite a great solution now… and perhaps, the route of sharing with more appropriate AAD groups which cover membership scenarios such as all employees, is a better solution 🤔
But hold on… what if I want to enforce this solution? What if I want to prevent those cases of contractors suddenly having access to apps they shouldn’t have access to? Well I’m here with a solution for that!
In this short and simple blog post, we’re going to take a look at how you can change a setting in your tenant to prevent makers from sharing their apps with the entire organisation or ‘everyone in your tenant’.
Prerequisites
To make the changes we’re going to make in this blog post you’ll need to pass the following prerequisites…
- Have a Power Platform Admin, Dynamics 365 Admin or Global Administrator AAD role.
- Have the Power Apps Administration PowerShell module installed
Connect to Power Apps via PowerShell
Okay so the first thing we need to do is make a connection to our Power Platform tenant. You can do this by running the command below. This will open up a prompt to authenticate using SSO.
Add-PowerAppsAccount
Next we’ll run the command to disable the ability to share with everyone in the organisation.
We’ll do this with the following short script…
$settings = Get-TenantSettings
$settings.powerPlatform.powerApps.disableShareWithEveryone = $True
Set-TenantSettings -RequestBody $settings
Once you’ve run this, makers will no longer be able to share with everyone in your organisation.
What can admins do now?
The only exception to people not being able to share with everyone in the organisation is admins. This doesn’t mean environment level system administrators. They still cannot share with everyone in the organisation.
However, anyone with one of the following roles assigned in AAD, will be able to share with everyone in the organisation still.
- Power Platform Admin
- Dynamics 365 Admin
- Global Administrator