From b11c14c571ed49c911d344c59783ecce4afb1486 Mon Sep 17 00:00:00 2001
From: Siddharth Vaghasia
Date: Wed, 1 Oct 2025 15:32:26 +0530
Subject: [PATCH 1/4] Created new command to remove permission of user from PowerApp
---
.../PowerApps/RemovePowerAppPermission.cs | 81 +++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs
diff --git a/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs b/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs
new file mode 100644
index 000000000..75ff3fb0d
--- /dev/null
+++ b/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs
@@ -0,0 +1,81 @@
+using PnP.PowerShell.Commands.Base;
+using PnP.PowerShell.Commands.Base.PipeBinds;
+using PnP.PowerShell.Commands.Utilities;
+using PnP.PowerShell.Commands.Utilities.REST;
+using System;
+using System.Management.Automation;
+
+namespace PnP.PowerShell.Commands.PowerPlatform.PowerApps
+{
+ [Cmdlet(VerbsCommon.Remove, "PnPPowerAppPermission")]
+ public class RemovePowerAppPermission : PnPAzureManagementApiCmdlet
+ {
+ [Parameter(Mandatory = false)]
+ public PowerPlatformEnvironmentPipeBind Environment;
+
+ [Parameter(Mandatory = true)]
+ public PowerAppPipeBind Identity;
+
+ [Parameter(Mandatory = true)]
+ public string User;
+
+ [Parameter(Mandatory = false)]
+ public SwitchParameter AsAdmin;
+
+ [Parameter(Mandatory = false)]
+ public SwitchParameter Force;
+
+ protected override void ExecuteCmdlet()
+ {
+ var environmentName = ParameterSpecified(nameof(Environment)) ? Environment.GetName() : PowerPlatformUtility.GetDefaultEnvironment(ArmRequestHelper, Connection.AzureEnvironment)?.Name;
+ if (string.IsNullOrEmpty(environmentName))
+ {
+ throw new PSArgumentException("Environment not found.", nameof(Environment));
+ }
+
+ var appName = Identity.GetName();
+ if (string.IsNullOrEmpty(appName))
+ {
+ throw new PSArgumentException("PowerApp not found.", nameof(Identity));
+ }
+
+ LogDebug("Acquiring access token for Microsoft Graph to look up user");
+ var graphAccessToken = TokenHandler.GetAccessToken($"https://{Connection.GraphEndPoint}/.default", Connection);
+ LogDebug("Microsoft Graph access token acquired");
+
+ Model.AzureAD.User graphUser;
+ if (Guid.TryParse(User, out Guid identityGuid))
+ {
+ LogDebug($"Looking up user through Microsoft Graph by user id {identityGuid}");
+ graphUser = Utilities.AzureAdUtility.GetUser(graphAccessToken, identityGuid, azureEnvironment: Connection.AzureEnvironment);
+ }
+ else
+ {
+ LogDebug($"Looking up user through Microsoft Graph by user principal name {User}");
+ graphUser =
Utilities.AzureAdUtility.GetUser(graphAccessToken, User, azureEnvironment: Connection.AzureEnvironment); + } + + if (graphUser == null) + { + throw new PSArgumentException("User not found.", nameof(User)); + } + + var payload = new + { + delete = new[] + { + new + { + id = graphUser.Id.Value, + } + } + }; + if (Force || ShouldContinue($"Remove PowerApp permission for user with id '{graphUser.Id.Value}' from app '{appName}'?", Properties.Resources.Confirm)) + { + string baseUrl = PowerPlatformUtility.GetPowerAppsEndpoint(Connection.AzureEnvironment); + LogDebug($"Removing user {graphUser.Id.Value} permissions from PowerApp {appName} in environment {environmentName}"); + PowerAppsRequestHelper.Post($"{baseUrl}/providers/Microsoft.PowerApps{(AsAdmin ? "/scopes/admin/environments/" + environmentName : "")}/apps/{appName}/modifyPermissions?api-version=2022-11-01", payload); + } + } + } +} From 9e64ff30f4f62f3d7eb2946ef2bd20873b02838c Mon Sep 17 00:00:00 2001 From: Siddharth Vaghasia Date: Wed, 8 Oct 2025 16:42:50 +0530 Subject: [PATCH 2/4] Modified Remove Permissions Command according to requirement. --- .../PowerApps/RemovePowerAppPermission.cs | 87 +++++++++++++++---- 1 file changed, 69 insertions(+), 18 deletions(-) diff --git a/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs b/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs index 75ff3fb0d..3fafc0c6d 100644 --- a/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs +++ b/src/Commands/PowerPlatform/PowerApps/RemovePowerAppPermission.cs @@ -1,4 +1,5 @@ -using PnP.PowerShell.Commands.Base; +using Microsoft.SharePoint.Client; +using PnP.PowerShell.Commands.Base; using PnP.PowerShell.Commands.Base.PipeBinds; using PnP.PowerShell.Commands.Utilities; using PnP.PowerShell.Commands.Utilities.REST; 
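Review bot: `appName` and `environmentName` are interpolated into the `modifyPermissions` URL unescaped in the `PowerAppsRequestHelper.Post(...)` call at the end of `ExecuteCmdlet` (the new-file hunk of patch 1/4, which ends on this line). Both derive from the `-Identity` and `-Environment` arguments, and nothing visible here restricts them to a GUID or a single path segment, so a value containing `/`, `?` or `#` would change which resource the request addresses. I would wrap each in `Uri.EscapeDataString(...)` before building the URL. Separately, the resolved environment only reaches the URL when `-AsAdmin` is set, so without it `-Environment` appears to have no effect on the call; a comment or doc note would help if that is intended.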
@@ -16,9 +17,15 @@ public class RemovePowerAppPermission : PnPAzureManagementApiCmdlet [Parameter(Mandatory = true)] public PowerAppPipeBind Identity; - [Parameter(Mandatory = true)] + [Parameter(Mandatory = false)] public string User; + [Parameter(Mandatory = false)] + public string Group; + + [Parameter(Mandatory = false)] + public SwitchParameter Tenant; + [Parameter(Mandatory = false)] public SwitchParameter AsAdmin; 
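Review bot: `User`, `Group` and `Tenant` are declared as three independent optional parameters, so the one-of-three rule exists only as hand-written checks later in `ExecuteCmdlet`. Putting them in separate parameter sets, e.g. `[Parameter(Mandatory = true, ParameterSetName = "User")]` on `User` and the equivalent on `Group` and `Tenant`, lets PowerShell reject missing or conflicting selectors at binding time and makes the choice visible in the generated syntax. That matters for a cmdlet that revokes access, because the target principal is then unambiguous before any code runs. The class body continues outside this hunk.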
@@ -39,25 +46,68 @@ protected override void ExecuteCmdlet() throw new PSArgumentException("PowerApp not found.", nameof(Identity)); } - LogDebug("Acquiring access token for Microsoft Graph to look up user"); - var graphAccessToken = TokenHandler.GetAccessToken($"https://{Connection.GraphEndPoint}/.default", Connection); - LogDebug("Microsoft Graph access token acquired"); + if (string.IsNullOrEmpty(User) && string.IsNullOrEmpty(Group) && !Tenant.IsPresent) + { + throw new PSArgumentException("Either User, Group, or Tenant must be specified."); + } - Model.AzureAD.User graphUser; - if (Guid.TryParse(User, out Guid identityGuid)) + if ((Tenant.IsPresent && (!string.IsNullOrEmpty(User) || !string.IsNullOrEmpty(Group))) || + (!string.IsNullOrEmpty(User) && !string.IsNullOrEmpty(Group))) { - LogDebug($"Looking up user through Microsoft Graph by user id {identityGuid}"); - graphUser = Utilities.AzureAdUtility.GetUser(graphAccessToken, identityGuid, azureEnvironment: Connection.AzureEnvironment); + throw new PSArgumentException("Specify only one of User, Group, or Tenant."); } - else + + string graphAccessToken = TokenHandler.GetAccessToken($"https://{Connection.GraphEndPoint}/.default", Connection); + LogDebug("Microsoft Graph access token acquired"); + + var graphRequestHelper = new ApiRequestHelper(GetType(), Connection, $"https://{Connection.GraphEndPoint}/.default"); + + string entityId = null ; + + if (!string.IsNullOrEmpty(User)) { - LogDebug($"Looking up user through Microsoft Graph by user principal name {User}"); - graphUser = Utilities.AzureAdUtility.GetUser(graphAccessToken, User, azureEnvironment: Connection.AzureEnvironment); + LogDebug("Processing User parameter"); + Model.AzureAD.User graphUser; + if (Guid.TryParse(User, out Guid userGuid)) + { + LogDebug($"Looking up user through Microsoft Graph by user id {userGuid}"); + graphUser = Utilities.AzureAdUtility.GetUser(graphAccessToken, userGuid, azureEnvironment: Connection.AzureEnvironment); + } + else + { 
+ LogDebug($"Looking up user through Microsoft Graph by user principal name {User}"); + graphUser = Utilities.AzureAdUtility.GetUser(graphAccessToken, User, azureEnvironment: Connection.AzureEnvironment); + } + + if (graphUser == null) + { + throw new PSArgumentException("User not found.", nameof(User)); + } + + entityId = graphUser.Id.ToString(); } + else if (!string.IsNullOrEmpty(Group)) + { + LogDebug("Processing Group parameter"); - if (graphUser == null) + var graphGroup = Guid.TryParse(Group, out Guid groupGuid) + ? Utilities.AzureADGroupsUtility.GetGroup(graphRequestHelper, groupGuid) + : Utilities.AzureADGroupsUtility.GetGroup(graphRequestHelper, Group); + + if (graphGroup == null) + { + throw new PSArgumentException("Group not found.", nameof(Group)); + } + + entityId = graphGroup.Id.ToString(); + } + else if (Tenant.IsPresent) { - throw new PSArgumentException("User not found.", nameof(User)); + LogDebug("Processing Tenant parameter"); + + string TenantGUID = TenantExtensions.GetTenantIdByUrl(Connection.Url, Connection.AzureEnvironment); + entityId = $"tenant-{TenantGUID}"; + LogDebug($"Tenant ID resolved: {entityId}"); } var payload = new 
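Review bot: Nothing checks that `entityId` is usable before it reaches the delete payload built after this if/else chain. `graphUser.Id.ToString()` replaces the earlier `graphUser.Id.Value`, which suggests `Id` is nullable, so a missing id now becomes an empty string instead of an exception, and `$"tenant-{TenantGUID}"` is composed without checking that `GetTenantIdByUrl` returned a value. For a cmdlet whose job is revoking access I would fail closed right after the chain, e.g. `if (string.IsNullOrEmpty(entityId)) throw new PSInvalidOperationException("Unable to resolve the id of the permission to remove.");`, and test `TenantGUID` with `string.IsNullOrEmpty` before composing the tenant id. The `-Group` branch also accepts a display name, which is not guaranteed to be unique in a directory; how `GetGroup` picks a match is not visible here, so it deserves a comment or a documented preference for the object id. `ExecuteCmdlet` starts and ends outside this hunk.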
@@ -66,16 +116,17 @@ protected override void ExecuteCmdlet() { new { - id = graphUser.Id.Value, + id = entityId, } } }; - if (Force || ShouldContinue($"Remove PowerApp permission for user with id '{graphUser.Id.Value}' from app '{appName}'?", Properties.Resources.Confirm)) + + if (Force || ShouldContinue($"Remove PowerApp permission for entity with id '{entityId}' from app '{appName}'?", Properties.Resources.Confirm)) { string baseUrl = PowerPlatformUtility.GetPowerAppsEndpoint(Connection.AzureEnvironment); - LogDebug($"Removing user {graphUser.Id.Value} permissions from PowerApp {appName} in environment {environmentName}"); + LogDebug($"Removing entity {entityId} permissions from PowerApp {appName} in environment {environmentName}"); PowerAppsRequestHelper.Post($"{baseUrl}/providers/Microsoft.PowerApps{(AsAdmin ? "/scopes/admin/environments/" + environmentName : "")}/apps/{appName}/modifyPermissions?api-version=2022-11-01", payload); } } } -} +} \ No newline at end of file From 4fdac33a8aa746675921086924f1dc78d289a61c Mon Sep 17 00:00:00 2001 From: Siddharth Vaghasia Date: Mon, 24 Nov 2025 17:37:42 +0530 Subject: [PATCH 3/4] added documentation file --- documentation/Remove-PnPPowerAppPermission.md | 181 ++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 documentation/Remove-PnPPowerAppPermission.md diff --git a/documentation/Remove-PnPPowerAppPermission.md b/documentation/Remove-PnPPowerAppPermission.md new file mode 100644 index 000000000..6968acddb --- /dev/null +++ b/documentation/Remove-PnPPowerAppPermission.md 
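Review bot: The return value of `PowerAppsRequestHelper.Post(...)` is discarded and the cmdlet emits nothing after it, so the caller gets no confirmation that the permission was actually removed. Whether `Post` throws on a non-success response is not visible in this hunk; if it does not, a failed revocation would look identical to a successful one. I would check the response and throw on failure, or at minimum state the failure behaviour in a comment above the call and add a line such as `LogDebug($"Removal request for entity {entityId} on PowerApp {appName} completed");` after it. `ExecuteCmdlet` starts outside this hunk.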
@@ -0,0 +1,181 @@
+---
+Module Name: PnP.PowerShell
+schema: 2.0.0
+applicable: SharePoint Online
+online version: https://pnp.github.io/powershell/cmdlets/Remove-PnPPowerAppPermission.html
+external help file: PnP.PowerShell.dll-Help.xml
+title: Remove-PnPPowerAppPermission
+---
+
+# Remove-PnPPowerAppPermission
+
+## SYNOPSIS
+
+**Required Permissions**
+
+* Azure: management.azure.com
+* PowerApps: service.powerapps.com
+* Microsoft Graph: User.Read.All, Group.Read.All
+
+Removes user, group and (Everyone in organization) permissions from a Power App
+
+
+## SYNTAX
+
+```powershell
+Remove-PnPPowerAppPermission [-Environment ] -Identity [-User ] [-Group ] [-Tenant] [-AsAdmin] [-Force] [-Verbose]
+```
+
+## DESCRIPTION
+This cmdlet removes user, group, or (Everyone in organization) permissions from a PowerApp using the -User, -Group, or -Tenant parameter. Only one of these parameters can be specified at a time, and at least one must be provided.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+Remove-PnPPowerAppPermission -Identity f07c34a9-a586-4e58-91fb-e7ea19741b61 -User username@tenant.onmicrosoft.com
+```
+Removes the specified user permission from the specified PowerApp located in the default environment
+
+### Example 2
+```powershell
+Remove-PnPPowerAppPermission -Identity f07c34a9-a586-4e58-91fb-e7ea19741b61 -User 6844c04a-8ee7-40ad-af66-28f6e948cd04
+```
+Removes the specified user permission from the specified PowerApp located in the default environment
+
+### Example 3
+```powershell
+Remove-PnPPowerAppPermission (Get-PnPPowerPlatformEnvironment -Identity "myenvironment") -Identity f07c34a9-a586-4e58-91fb-e7ea19741b61 -User username@tenant.onmicrosoft.com -AsAdmin
+```
+Removes the specified user permission from the specified PowerApp as an admin in the specified environment
+
+### Example 4
+```powershell
+Remove-PnPPowerAppPermission (Get-PnPPowerPlatformEnvironment -Identity "myenvironment) -Identity f07c34a9-a586-4e58-91fb-e7ea19741b61 -User
username@tenant.onmicrosoft.com -AsAdmin -Force
+```
+Removes the specified user permission from the specified PowerApp as admin, without asking for confirmation, in the specified environment
+
+### Example 5
+```powershell
+Remove-PnPPowerAppPermission -Identity "bde2309e-fabc-42ad-9c9e-723db313b1b0" -Group "c6c4b4e0-cd72-4d64-8ec2-cfbd0388ec16" -Force
+```
+Removes the specified group's permission for the PowerApp without prompting using group id
+
+### Example 6
+```powershell
+Remove-PnPPowerAppPermission -Identity "bde2309e-fabc-42ad-9c9e-723db313b1b0" -Group "Finance Team"
+```
+Removes the specified group's permission for the PowerApp using group's display name
+
+### Example 7
+```powershell
+Remove-PnPPowerAppPermission -Identity "bde2309e-fabc-42ad-9c9e-723db313b1b0" -Tenant
+```
+Removes the (Everyone in organization) permission for the PowerApp using -Tenant parameter
+
+## PARAMETERS
+
+### -Environment
+The name of the Power Platform environment or an Environment instance. If omitted, the default environment will be used.
+
+```yaml
+Type: PowerPlatformEnvironmentPipeBind
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: The default environment
+Accept pipeline input: True
+Accept wildcard characters: False
+```
+
+### -Identity
+The Name, Id or instance of the PowerApp to add the permissions to.
+
+```yaml
+Type: PowerPlatformPipeBind
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -User
+The user principal name or Id of the user to remove its permissions from the PowerApp.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Group
+The group display name or Id of the group to remove its permissions from the PowerApp.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tenant
+The (Everyone in organization) permission to remove from the PowerApp
+
+```yaml
+Type: String
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AsAdmin
+If specified, the permission will be removed as an admin. If not specified only the Apps to which the current user already has access can be modified.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Providing the Force parameter will skip the confirmation question.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## RELATED LINKS
+
+[Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp)
\ No newline at end of file
From 2228a6a05ea4d41ca52b3fe436293f46f753a5e2 Mon Sep 17 00:00:00 2001
From: Siddharth Vaghasia
Date: Mon, 24 Nov 2025 17:42:22 +0530
Subject: [PATCH 4/4] updated documentation
---
documentation/Remove-PnPPowerAppPermission.md | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/documentation/Remove-PnPPowerAppPermission.md b/documentation/Remove-PnPPowerAppPermission.md
index 6968acddb..07f0b560b 100644
--- a/documentation/Remove-PnPPowerAppPermission.md
+++ b/documentation/Remove-PnPPowerAppPermission.md
@@ -33,43 +33,43 @@ This cmdlet removes user, group, or (Everyone in organization) permissions from ### Example 1 ```powershell -Remove-PnPPowerAppPermission -Identity f07c34a9-a586-4e58-91fb-e7ea19741b61 -User username@tenant.onmicrosoft.com +Remove-PnPPowerAppPermission -Identity 9b2f87e6-4c3d-48c0-a2b6-c1b4e3e57f0f -User username@tenant.onmicrosoft.com ``` Removes the specified user permission from the specified PowerApp located in the default environment ### Example 2 ```powershell -Remove-PnPPowerAppPermission -Identity f07c34a9-a586-4e58-91fb-e7ea19741b61 -User 6844c04a-8ee7-40ad-af66-28f6e948cd04 +Remove-PnPPowerAppPermission -Identity 9b2f87e6-4c3d-48c0-a2b6-c1b4e3e57f0f -User 6844c04a-8ee7-40ad-af66-28f6e948cd04 ``` Removes the specified user permission from the specified PowerApp located in the default environment ### Example 3 ```powershell -Remove-PnPPowerAppPermission (Get-PnPPowerPlatformEnvironment -Identity "myenvironment") -Identity f07c34a9-a586-4e58-91fb-e7ea19741b61 -User username@tenant.onmicrosoft.com -AsAdmin +Remove-PnPPowerAppPermission (Get-PnPPowerPlatformEnvironment -Identity "myenvironment") -Identity 9b2f87e6-4c3d-48c0-a2b6-c1b4e3e57f0f -User username@tenant.onmicrosoft.com -AsAdmin ``` Removes the specified user permission from the specified PowerApp as an admin in the specified environment ### Example 4 ```powershell -Remove-PnPPowerAppPermission (Get-PnPPowerPlatformEnvironment -Identity "myenvironment) -Identity f07c34a9-a586-4e58-91fb-e7ea19741b61 -User username@tenant.onmicrosoft.com -AsAdmin -Force +Remove-PnPPowerAppPermission (Get-PnPPowerPlatformEnvironment -Identity "myenvironment) -Identity 9b2f87e6-4c3d-48c0-a2b6-c1b4e3e57f0f -User username@tenant.onmicrosoft.com -AsAdmin -Force ``` Removes the specified user permission from the specified PowerApp as admin, without asking for confirmation, in the specified environment ### Example 5 ```powershell -Remove-PnPPowerAppPermission -Identity "bde2309e-fabc-42ad-9c9e-723db313b1b0" 
-Group "c6c4b4e0-cd72-4d64-8ec2-cfbd0388ec16" -Force +Remove-PnPPowerAppPermission -Identity "3f4a2c1d-0e9d-4c1e-8b55-9e3c7f0ba7e2" -Group "c6c4b4e0-cd72-4d64-8ec2-cfbd0388ec16" -Force ``` Removes the specified group's permission for the PowerApp without prompting using group id ### Example 6 ```powershell -Remove-PnPPowerAppPermission -Identity "bde2309e-fabc-42ad-9c9e-723db313b1b0" -Group "Finance Team" +Remove-PnPPowerAppPermission -Identity "3f4a2c1d-0e9d-4c1e-8b55-9e3c7f0ba7e2" -Group "Finance Team" ``` Removes the specified group's permission for the PowerApp using group's display name ### Example 7 ```powershell -Remove-PnPPowerAppPermission -Identity "bde2309e-fabc-42ad-9c9e-723db313b1b0" -Tenant +Remove-PnPPowerAppPermission -Identity "3f4a2c1d-0e9d-4c1e-8b55-9e3c7f0ba7e2" -Tenant ``` Removes the (Everyone in organization) permission for the PowerApp using -Tenant parameter