The Power Apps Consent Popup: A Necessary Evil?

Published by Valentin Mazhar


Have you ever seen the Power Apps consent popup below when you open a Canvas App for the first time?

[Screenshot: the connection consent message in Power Apps]

Yes, I am sure you did. And who else did? Everyone who has ever used a Canvas App. Let’s dig a little deeper into this popup, the problem with it, and what to do and not to do!

What is this Power Apps Consent Popup?

Makers can add connectors to their Power Apps Canvas Apps to integrate with other services, such as SharePoint, Outlook, and the 1000+ other connectors available on the platform today. In most situations, the user of the App authenticates and uses their own connections, which means the App performs the connector-related actions on behalf of that user. For example, if a user uses an App that sends an email when they click a button, that email is sent from that user’s mailbox.

In other words, the App gains permissions to perform actions on behalf of the user, hence the consent popup. The App is asking the user to confirm that they are happy to grant it those permissions. The App can only use them while the user is running the App, and only in the way the App Maker has configured the App. Microsoft’s official documentation provides more information on this.

To sum up, whenever a user opens a Canvas App and clicks “Allow” on this Power Apps consent popup, they are confirming that:

  • They are ok for the App to use their connections while they use the App,
  • They trust the App Maker(s) to use these connections for legitimate reasons while they are using the App.

It is a very similar principle to a mobile or web App that asks for permissions over your camera or microphone.

What is the Problem with this permission consent dialog?

The main issue that is regularly reported is the confusion and concern of end users. Think about it… People are constantly reminded that they need to be very careful (and they are) when they browse the web, read their emails, or click on anything, to avoid being hacked. Companies run regular phishing simulation campaigns to educate their users, which at least works for one thing: people are becoming afraid of clicking on any link, let alone “Allow” buttons.

Let’s imagine a story. Alex receives a link via email from a shared mailbox. The email asks Alex to open an App to complete a request. After careful consideration, they believe the link is safe and click on it (even though not many links look as scary as the Power Apps ones…). The first thing they see when they open the link is a consent popup asking them to allow connections 😱. This is a red flag for Alex. Wanting to be safe, Alex clicks the “View permissions” button to understand what permissions they would be granting…

[Screenshot: the Outlook connector details in the Power Apps consent popup]

😱😱😱. Let’s make sure Alex understands what they are reading. By clicking Allow, they are allowing the App to access all their emails, send as many emails as it wants on Alex’s behalf, and fully manage their contacts and events. And this is just for the Outlook connector. It cannot be right, can it? It actually is. And for Alex, this is pretty scary. So Alex replies to the shared mailbox and explains that they are not comfortable granting these permissions. What a pain for the App Maker, who then needs to explain to Alex how the App uses the connections and why this is safe. If you consider that this App was shared with thousands of employees and that roughly 10% of them react the same way, you can imagine the additional time it is going to take…

This is not an imaginary scenario, this is happening and is happening a lot.

The quick fix to avoid problems with the Canvas Apps Consent Dialog

If you browse the web for solutions to this, you will find one specific answer, and you will find it many times: bypass the Power Apps consent popup. It is possible to use PowerShell to turn off this consent popup when users open an App. Here is the official Microsoft documentation about this, and here is a detailed step-by-step article from Matthew Devaney on how to do it. A few things to note about this approach:

  • Only a user with the System Administrator role on the environment can run this command,
  • If the Maker updates the App and adds new connectors, the consent popup will start showing again for the additional connectors. The System Admin will have to run the PowerShell command again to stop it once more.

Why you should not systematically bypass consent for all Power Apps

The possibility of bypassing this consent is great, but… I would advise against using it systematically. Here is why.

Let’s go back to Alex. They are concerned because they do not want to grant all these permissions to the App. Is it really the right solution to grant them anyway without even informing them? And let’s not pretend that these permissions are not serious… In this article, David Wyatt shows how a Maker with bad intentions can very easily use a Power App to gain access to all the emails of the users of the App in only a few seconds. This is only one example, but we could imagine many more.

Let’s list a few scenarios that could go wrong:

  • A user with bad intentions could use an App to gain access to confidential information. We all hope there are not many of those, and there probably aren’t, but one is enough to do some damage…
  • A user with good intentions who is new to the platform and misconfigures an App. You probably don’t want to use an App only to realize later that thousands of people have received some weird messages from your mailbox, or that you deleted some important files.
  • A user with good intentions who downloads an App package from the web that originates from a person with bad intentions. It wouldn’t surprise me if such scenarios happened more frequently. The platform is very popular, and attackers will sooner or later realize that they can create solutions that cause a lot of issues once a user installs them on their not-so-well-configured tenant.

Seeing this Power Apps consent popup is a way for users to be aware of the connections in use when they run the App. They should be sure that they can trust the App Maker, and they have a right to ask how the App will use their connections.

Power Apps permission consent – wish list for Microsoft

So how best to manage this situation? Well, maybe there would be less confusion if this consent were handled differently. I am not saying it is an easy thing to do, just that Microsoft could improve the user experience, however complex this might be. A few ideas:

  • The details could show how the App actually uses these permissions. At the moment, the popup details list everything the App could potentially do according to the connectors’ capabilities. It would be great if the popup indicated the specific actions configured in the App that can be done on the user’s behalf.
  • The consent could be shown only when the App needs the permissions. The App might only need some permissions when the user clicks a specific button. Waiting for that click to show the consent prompt would make it possible to give the user additional context, so that they understand what will happen if they click Allow.
  • There could be an option for the Maker to declare how the App uses the connections by customizing the consent message. Even if it is only declarative, it would allow Makers to add context and clarity for end users.
  • Finally… I would love a tenant admin feature to allow or block the possibility for system admins to bypass consent for the Apps in their environments. This would let tenant admins / CoEs enforce a process for bypassing App consent, as suggested below.

Power Apps permission consent – recommendations for Admins and CoEs

Here are a few recommendations for admins and CoEs:

  • This is not new… But whether or not you use the “bypass consent” feature, you will want to make sure proper tenant restrictions are in place,
  • Establish a consistent process prior to bypassing the consent dialog for any Power App. It could be a brief code review process, for instance. There could be an expiration date after which the consent bypass is removed and the Maker needs to go through the process again. The CoE Kit can be used as a foundation for the inventory,
  • Educate your Makers about the meaning of the consent dialog content as well as the connectors’ behavior. The objective is not to scare them, but to make them understand that every time they use a Power App, whether they see a message or not, chances are that the App is using their connections. There is no reason to worry if the creator of the App is trustworthy.
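As an added example (not code from the post or from Microsoft), here is how the expiry-based review process above could be enforced with the same PowerShell cmdlets the “quick fix” section refers to: a register of approved bypasses is walked, active entries are re-applied (which also covers connectors the Maker added since the last run) and expired ones are cleared so the consent dialog comes back. It assumes the Microsoft.PowerApps.Administration.PowerShell module is installed and the session is already signed in with Add-PowerAppsAccount as an environment System Administrator; the register layout, reviewer name and environment/App IDs are constructed placeholders.

```powershell
# Added example: enforce a register of approved consent bypasses with expiry dates.
# Assumes Microsoft.PowerApps.Administration.PowerShell is installed and the session
# is signed in (Add-PowerAppsAccount) as an environment System Administrator.
Import-Module Microsoft.PowerApps.Administration.PowerShell

# Constructed sample register (placeholder IDs); in practice this comes from the CoE inventory.
$registerCsv = @"
EnvironmentName,AppName,Reviewer,ExpiresOn
Default-00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111,coe-reviewer,2099-12-31
Default-00000000-0000-0000-0000-000000000000,22222222-2222-2222-2222-222222222222,coe-reviewer,2023-01-31
"@
$register = $registerCsv | ConvertFrom-Csv
$today    = (Get-Date).Date

foreach ($entry in $register) {
    $expires = [datetime]::ParseExact($entry.ExpiresOn, 'yyyy-MM-dd', $null)
    $target  = @{ EnvironmentName = $entry.EnvironmentName; AppName = $entry.AppName }

    # Skip entries whose App no longer exists (deleted or moved to another environment).
    $app = Get-AdminPowerApp @target -ErrorAction SilentlyContinue
    if (-not $app) {
        Write-Warning "App $($entry.AppName) not found in $($entry.EnvironmentName); remove it from the register."
        continue
    }

    try {
        if ($expires -lt $today) {
            # Review period is over: users see the consent dialog again until the
            # Maker goes through the review process once more.
            Clear-AdminPowerAppApisToBypassConsent @target -ErrorAction Stop
            Write-Output "EXPIRED  $($app.DisplayName): bypass removed (approved by $($entry.Reviewer), expired $($entry.ExpiresOn))"
        } else {
            # Still approved: re-apply the bypass. Running this on a schedule also
            # covers connectors added since the last run, which would otherwise prompt again.
            Set-AdminPowerAppApisToBypassConsent @target -ErrorAction Stop
            Write-Output "ACTIVE   $($app.DisplayName): bypass in place until $($entry.ExpiresOn)"
        }
    } catch {
        Write-Warning "Failed to update $($app.DisplayName): $($_.Exception.Message)"
    }
}
```

Schedule it to run regularly and keep its output with the inventory, so every active bypass has a named reviewer and an end date on record.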

Power Apps permission consent – recommendations for Makers

Moving on to the Makers…

  • Make it as easy as possible for your users. Have a brief Q&A page somewhere explaining what this message is and how the App will use the connections. Include it in the message when you first share the link to the App.
  • Remember that concerns are legitimate. As frustrating as it can be when you know you are not doing anything wrong with the connectors, remember that people are asked to be extra vigilant and that the consent message can be worrying.

Categories: Governance

2 Comments

Jeff · October 4, 2023 at 8:33 am

Well done for your blog around governance / security 🙂

I think there is not a lot that covers this topic! I hope I find time to do the same, as I led a Power Platform COE before!

Thanks for sharing & keep going 🙂

    Valentin Mazhar · October 4, 2023 at 10:14 am

    Thanks Jeff! I agree, I did not find so much content about the admin/governance side of the platform so far… Hopefully this can help some other CoEs 🙂
