Image of PowerApps and SharePoint security

Securing Your SharePoint Lists in PowerApps

Jason The
Jason The
May 15, 2020

Simple tips to help Microsoft 365 Administrators and Power Users make sure their SharePoint lists stay secured when working in PowerApps.

Securing Your SharePoint Lists in PowerApps

Simple tips to help Microsoft 365 Administrators and Power Users make sure their SharePoint lists stay secured when working in PowerApps.

Jason The
Jason The
May 15, 2020
Logo of Microsoft Teams
+
Logo of SharePoint
Logo of Microsoft 365
Logo of OneDrive for Business

Drive Your SharePoint from Vision to Launch

We take a deep dive into your organization to assess, plan, and execute the optimal SharePoint solution to serve your current and future needs.
Learn More

So you made a PowerApp...

You are the local Microsoft 365 Power User on your team. You can easily whip up powerful solutions to solve complex business problems using your arsenal of tools: SharePoint lists, PowerApps, Power Automate and, of course, Excel. But are your solutions secure?

You’ve developed a Vacation Requests PowerApp that uses SharePoint lists as a data source:

  • Vacation Requests (Custom SharePoint List), stores all employee leave requests
  • Approval Tasks (SharePoint Task List), stores all approval tasks assigned as part of each leave request

The following business rules exist in your PowerApp:

  • Each employee has the ability to see other employees’ vacation requests.
  • Each employee can modify their request if it hasn’t been approved.

But there's a potential risk

What’s preventing an employee from creating their own PowerApp that connects to the same SharePoint lists as data sources, and accidentally changing the data?

Your SharePoint lists have the following permissions in place:

  • Vacation Requests, all employees have the Contribute permission level (can add/edit list items)
  • Approval Tasks, all employees have the Contribute permission level (can add/edit list items)

Your PowerApp has logic to prevent employees from editing their own approved requests, but if someone created their own PowerApp, they technically already have the necessary permissions in place to manipulate that same SharePoint list data, without being held back by any business rules (e.g. Modifying requests after they’re already approved, modifying another employee’s request, setting their own requests as approved, etc.).

We could reduce the permissions that each employee has to each list, but that could jeopardize required business functionality. Also, can the robustness of the solution’s security be increased, without making the solution overly-complicated?

How can we prevent this?

There may be multiple methods (to varying degrees of robustness) to address the above problem scenario, but the following method is described as a simple solution that may help to prevent similar undesired scenarios.

To get started, you’ll need to have a few things handy:

  • “Manage Lists” permission in the SharePoint Online site where your list is located
  • Access to SharePoint Designer OR Powershell

If you don’t have these, check with your Administrator and see if they can help.

Ways to hide lists in SharePoint

When connecting to a SharePoint list through PowerApps, if your lists don’t appear, this makes it that much more difficult to be able to connect to these lists and use them as data sources. By setting your SharePoint lists to Hidden, you must know the name of the lists to be able to use them as a data sources in both PowerApps and Power Automate.

To hide your SharePoint lists:

Method 1: Open Windows Powershell ISE

Screenshot of Open Windows Powershell ISE

Or

Method 2: Connect to your site in SharePoint Designer, your list settings have the “Hide from browser” setting.

Screenshot of how to hide from browser setting.

Final note

While solutions like these can help to incrementally increase the security of your Power Platform solutions, it is always recommended to plan and implement a robust governance plan surrounding the creation, use, and administration of your PowerApps and Power Automate environments. At Bloom Software, we work with clients to establish a model that enables true Citizen Developers to contribute to the organization through the use of the Power Platform, while maintaining the security and integrity of your critical business data.

Jason The

Principal Architect

Jason is a SharePoint Solutions Architect and Developer with a strong focus on design and user experience. Providing guidance on corporate strategy related to IT systems involving the SharePoint platform. With over ten years of knowledge designing desktop, mobile and web applications, he brings familiarity with various technologies and user interfaces which allows him to manage projects from conception to delivery.

Recent Posts

Getting Started with Styling in Power Apps

Looks like you're using an older browser, so our website may not be displaying as intended. We recommend using a modern browser like Microsoft Edge to get the best experience!

  2021 Year in Review: Let's take a look at some of our highlights from this year!