Streamlining External User Access to Power Apps with Azure AD Security Groups
A practical guide to granting guest users from external organizations access to your Power Apps, using Azure Active Directory groups for simplified licensing and permissions management.
Power Apps can be shared with users outside your own tenant, but the setup differs from internal users. External collaborators, such as auditors, consultants, or vendors, need to be invited as guest users in Azure Active Directory and must be assigned appropriate licenses to run the app. A best practice is to place all external users into a dedicated security group and manage both app sharing and license assignments through that group. This approach keeps maintenance low and reduces the risk of missing permissions.
In this article, we'll walk through the process using a fictional scenario: Contoso Manufacturing wants to share an Inventory Auditing app with external auditors from AuditPro Inc. The app reads and writes to a SharePoint list called InventoryItems. We'll set up the necessary Azure AD objects, assign licenses, and grant access to both the app and its data source.
Step 1: Add the External User as a Guest in Azure AD
External users must exist as guest objects in your tenant before they can access any resources. To create a guest user, navigate to the Azure Active Directory admin center (not the Microsoft 365 admin center). From the left menu, go to Users > All users, then click New user > Invite external user.
Fill in the details:
- Email address: The external user's existing email, e.g., alex.ross@auditpro.com
- Display name: Alex Ross
- Personal message: "You've been invited to access Contoso's Inventory Auditing app."
An invitation email will be sent automatically. The user does not need to accept it immediately; they can simply use the link later when they first log in. However, if you want to pre-configure everything, you can send the invite now.
Repeat this for each external user who requires access. Alternatively, you can use bulk invite or directory synchronization, but for small groups manual addition is fine.
Step 2: Create an Azure AD Security Group for External Users
Now we'll create a group to collect all external auditors. Open the Azure portal and go to Azure Active Directory > Groups > New group.
Configure the group:
- Group type: Security
- Group name: Contoso External Auditors
- Group description: External auditors from AuditPro Inc. who need access to the Inventory Auditing app.
- Membership type: Assigned
- Owners: Add yourself (or a responsible administrator)
- Members: Click No members selected and add the guest user(s) you invited in Step 1.
Click Create.
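If you have many external users to add, you can use PowerShell to bulk-add members to the group. The following snippet looks up each guest by the email address they were invited with (a guest's UserPrincipalName in your tenant is a generated value containing #EXT#, not that address) and adds them to the group:
```powershell
$groupName = "Contoso External Auditors"
$users = @("alex.ross@auditpro.com", "jane.doe@auditpro.com")
# Resolve the group once, by exact display name
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
foreach ($user in $users) {
    # A guest's UPN is not the invited address (it contains #EXT#), so match on Mail
    $guest = Get-AzureADUser -Filter "Mail eq '$user'"
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $guest.ObjectId
}
```
The group appears in the list. Now every time you add a new guest user to this group, they will automatically inherit the permissions and license we configure in the next steps.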
Step 3: Assign a Power Apps License to the Group
Guest users cannot be licensed individually via the Microsoft 365 admin center because that interface hides the license assignment option for guest accounts. Instead, we apply a license to the security group, and Azure AD will automatically assign that license to each member of the group.
From the group's page, select Licenses > Assignments. Click + Assign and choose the appropriate licensing plan.
What license should you choose? The answer depends on the connectors used in your app:
- Apps using only standard connectors (SharePoint, Office 365, etc.) allow guests to use the free "Power Apps for Microsoft 365" license if they already have a qualifying Microsoft 365 license from their home tenant. Otherwise, you need a Power Apps per user plan or Power Apps per app plan.
- If your app uses premium connectors (Dataverse without a "Microsoft 365" plan, Azure SQL, etc.), a Power Apps per user plan with premium features is required.
For our scenario: the Inventory Auditing app uses only SharePoint (a standard connector). The external auditors do not have a Microsoft 365 license from AuditPro, so we assign the Power Apps per app plan – which covers one app per user – or a Power Apps per user plan if they need multiple apps. Check the Microsoft Power Apps licensing guide for current details.
Select the license SKU from the list and click Save. The license will be provisioned to all members of the group shortly.
It may take a few minutes for the license to become active. You can check the assignment status in the group's Licenses blade.
Step 4: Share the Power Apps App with the Security Group
Now it's time to share the Inventory Auditing app with the security group rather than individual users. This ensures that any future external auditor added to the group automatically gains access.
Open the Power Apps maker portal, navigate to Apps, find the Inventory Auditing app, click the ellipsis (...) and select Share.
In the sharing panel, type the name of the security group: Contoso External Auditors. The portal will resolve the group from Azure AD. Check the box Send an email invitation if you want to notify current members (optional). Leave the co-owner checkbox unchecked unless you want the group to have owner permissions.
Click Share.
The app is now accessible to all members of the group. They will see it in their Power Apps mobile player or in a browser when they log into the Contoso tenant.
Step 5: Grant Data Source Permissions to the External Users
Sharing the app alone is not sufficient; the data sources (SharePoint list in our case) must also be accessible. SharePoint list permissions default to inheriting the site permissions. Unless you break inheritance, external users would need site-level access, which might be undesirable. Instead, we'll break inheritance on the specific list and grant permissions directly to the group.
- Go to the SharePoint site that hosts the InventoryItems list.
- Open the list, click the gear icon (Settings) and select List settings.
- Under Permissions and Management, click Permissions for this list.
- On the ribbon, click Stop Inheriting Permissions and confirm.
- Now click Grant Permissions. In the sharing dialog, type Contoso External Auditors, set the permission level to Contribute (add and edit items), and share.
Repeat this for every SharePoint list or data source that the app uses. If your app uses Dataverse tables, you must grant the external user's Azure AD guest account direct access to the environment (as a system customizer or similar role) and ensure the table permissions are set appropriately.
After breaking inheritance, the list is independent of the site. If you later need to add more external auditors, you only need to add them to the security group; the SharePoint permissions will still apply via the group. However, be aware that any future changes to site-level permissions will no longer affect this list.
Step 6: Log In as an External User
At this point, the configuration is complete. The external user, Alex Ross from AuditPro, receives the invitation email. When he clicks the link, he is taken to the Contoso login page. Since his account is a guest, he signs in using his AuditPro credentials (e.g., alex.ross@auditpro.com). On first sign-in, he is prompted to review the permissions requested by the app – he clicks Accept.
The Power Apps player opens, showing only the Inventory Auditing app (because that's the only app shared with his group). He can now view inventory records and submit audit entries directly to the SharePoint list.
Security and Performance Considerations
- Delegation: When using SharePoint as a data source, be mindful of delegation limits in Power Apps. This is not specific to external users, but the same restrictions apply. Use filters and sorts that SharePoint can delegate.
- Data isolation: Guest users should only have access to the specific lists or tables needed. Granting permissions to the security group at the data source level lets you control this precisely.
- Authentication: External users authenticate with their home tenant credentials. No password synchronization is required. You can also configure conditional access policies for guest users if needed.
- License recycling: If an external user leaves, remove them from the security group. The license will be released back to the pool (subject to license type).
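Because group membership now decides who holds a license and who can write to the list, it is worth reviewing that membership regularly. The following is an added example, not part of the original article: a PowerShell function that checks each member of the external group against the data isolation and license recycling points above. The function name, the allowed-domain list and the sample members are assumptions made for illustration; the input objects are assumed to carry the UserType, Mail, UserState and AccountEnabled properties that the AzureAD module exposes on user objects.

```powershell
# Added example: review members of the external-users group.
# Each input object must expose DisplayName, Mail, UserType, UserState, AccountEnabled.
function Test-ExternalGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Member,
        [string[]] $AllowedDomains = @('auditpro.com')   # assumption: approved partner domains
    )
    process {
        $findings = @()
        # The group exists only for external users; an internal account here would
        # pick up the license and the list permission by mistake.
        if ($Member.UserType -ne 'Guest') {
            $findings += 'Not a guest account'
        }
        # Compare the mail domain with the partner organisations expected in this group.
        $domain = if ($Member.Mail) { ($Member.Mail -split '@')[-1].ToLower() } else { '' }
        if ($domain -notin $AllowedDomains) {
            $findings += "Mail domain '$domain' is not an approved partner domain"
        }
        # An unredeemed invitation consumes a license without anyone using the app.
        if ($Member.UserType -eq 'Guest' -and $Member.UserState -ne 'Accepted') {
            $findings += "Invitation not redeemed (UserState: $($Member.UserState))"
        }
        # A disabled account should be removed from the group to release its license.
        if ($Member.AccountEnabled -eq $false) {
            $findings += 'Account is disabled but still consumes a license through the group'
        }
        [pscustomobject]@{
            DisplayName = $Member.DisplayName
            Mail        = $Member.Mail
            Compliant   = ($findings.Count -eq 0)
            Findings    = $findings -join '; '
        }
    }
}

# Constructed sample members (not real directory data) so the check runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alex Ross'; Mail = 'alex.ross@auditpro.com'; UserType = 'Guest'; UserState = 'Accepted'; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Jane Doe'; Mail = 'jane.doe@auditpro.com'; UserType = 'Guest'; UserState = 'PendingAcceptance'; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Sam Lee'; Mail = 'sam.lee@contoso.com'; UserType = 'Member'; UserState = $null; AccountEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Pat Kim'; Mail = 'pat.kim@example.org'; UserType = 'Guest'; UserState = 'Accepted'; AccountEnabled = $false }
)
$sample | Test-ExternalGroupMember | Where-Object { -not $_.Compliant } | Format-List
```

Against a live tenant, replace the sample with the output of `Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true` for the Contoso External Auditors group.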
Common Mistakes and Troubleshooting
| Mistake | Consequence | Solution |
|---|---|---|
| Adding external users as internal guests (not using invite) | Users may not be able to authenticate properly | Always use the Invite external user flow |
| Assigning license directly to guest account | The license assignment option is unavailable | Assign via a security group as described |
| Sharing app with user(s) but not data source | App opens but shows errors or empty data | Grant data source permissions to the same group |
| Forgetting to break inheritance in SharePoint | External users need site-level access, which may be too broad | Stop inheritance on the specific list |
| Using wrong license SKU | User might not be able to launch the app | Check app connectors and match SKU requirements |
Recommendation
Using an Azure AD security group to manage external users for Power Apps is a maintainable and scalable approach. It centralizes licensing and permissions, making onboarding and offboarding straightforward. For larger deployments, consider automating group membership via PowerShell or Azure AD Dynamic Groups with specific rules (e.g., domain-based). Always test with a real external account to verify both app access and data source permissions.
References
- Power Apps licensing overview
- Microsoft Learn: Share a canvas app with external users
- Original reference: Matthew Devaney, "A Fool-Proof Way To Share Power Apps With External Users", https://www.matthewdevaney.com/a-fool-proof-way-to-share-power-apps-with-external-users/