Many of you have been asking for access to PowerApps and Flow control through PowerShell. This week we have released an extended version of the PowerApps PowerShell script functions (cmdlets) that provide admin access to resources on their instance of PowerApps, Flow, and the Business Application Platform in the PowerShell environment.
- 2019-01-07: Cmdlets are now available on the PowerShell gallery as two separate modules: Administrator (link) and Maker (link).
- 2019-04-29: Updated cmdlet names
Cmdletsare functions written in PowerShell script language that execute commands in the Windows PowerShell environment. Running these PowerApps cmdlets will allow you to interact with your Business Application Platform without having to go through the admin portal in a web browser. You can combine these cmdlets with other PowerShell functions to write complex scripts that can optimize your workflow. Note that you can still use the cmdlets if you’re not an admin on the tenant, but you will be limited to the resources you own. Cmdlets that start with the word ‘Admin’ are designed to be used by an administrative user account.
- Run PowerShell as an administrator
- Execute the following import commands:
Install-Module -Name Microsoft.PowerApps.Administration.PowerShellInstall-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber
- If you are prompted to accept the change to InstallationPolicy value of the repository, accept [A] Yes to all modules by typing in ‘A’ and hitting enter for each module.
- Before accessing any of the commands, you have the option to provide your credentials using the following command. These credentials are refreshed for up to ~8 hours before you’re required to sign in again to continue using the cmdlets.
# This call opens prompt to collect credentials (AAD account & password) used by the commandsAdd-PowerAppsAccount
# Here is how you can pass in credentials (avoiding opening a prompt)$pass = ConvertTo-SecureString "password" -AsPlainText -ForceAdd-PowerAppsAccount -Username foo@bar.com -Password $pass
Prerequisite
App creators
Users with a valid PowerApps license can perform the operations in these cmdlets, but they will only have access to the resources (for example, apps, flows, etc.) that have been created or shared with them.
Administrators
To perform the administration operations in the admin cmdlets, you’ll need the following:
- A paid PowerApps Plan 2 license or a PowerApps Plan 2 trial license. You can sign-up for a 30-day trial license at https://web.powerapps.com/trial. Trial licenses can be renewed if they’ve expired.
- Office 365 Global Administrator or Azure Active Directory Global Administrator permissions if you need to search through another user’s resources. (Note that Environment Admins only have access to those environments and environment resources for which they have permissions.)
Cmdlet list
Maker Cmdlets
Purpose | Cmdlet |
Read environments | Get-PowerAppEnvironmentGet-FlowEnvironment |
Read, update, and delete a canvas app | Get-PowerApp (Previously Get-App)Remove-PowerAppPublish-PowerAppSet-PowerAppDisplayNameGet-PowerAppVersionRestore-PowerAppVersion |
Read, update, and delete canvas app permissions | Get-PowerAppRoleAssignmentSet-PowerAppRoleAssignmentRemove-PowerAppRoleAssignment |
Read, update, and delete a flow | Get-FlowGet-FlowRunEnable-FlowDisable-FlowRemove-Flow |
Read, update, and delete flow permissions | Get-FlowOwnerRoleSet-FlowOwnerRoleRemove-FlowOwnerRole |
Read and respond to flow approvals | Get-FlowApprovalRequestGet-FlowApprovalRespondTo-FlowApprovalRequest |
Read and delete connections | Get-PowerAppConnectionRemove-PowerAppConnection |
Read, update, and delete connection permissions | Get-PowerAppConnectionRoleAssignmentSet-PowerAppConnectionRoleAssignmentRemove-PowerAppConnectionRoleAssignment |
Read and delete a connector | Get-PowerAppConnectorRemove-PowerAppConnector |
Read, update, and delete custom connector permissions | Get-ConnectorRoleAssignmentSet-PowerAppConnectorRoleAssignmentRemove-PowerAppConnectorRoleAssignment |
Admin Cmdlets
Read, update, and delete environments and Common Data Service databases
Read, update, and delete environments and Common Data Service databases | New-AdminPowerAppEnvironmentSet-AdminPowerAppEnvironmentDisplayNameGet-AdminPowerAppEnvironmentRemove-AdminPowerAppEnvironmentNew-AdminPowerAppCdsDatabaseGet-AdminPowerAppCdsDatabaseLanguagesGet-AdminPowerAppCdsDatabaseCurrenciesGet-AdminPowerAppEnvironmentLocationsRemove-LegacyCDSDatabase *New* |
Read, update, and delete environment permissions (does not work in environment with CDS for Apps database) | Get-AdminPowerAppEnvironmentRoleAssignmentSet-AdminPowerAppEnvironmentRoleAssignmentRemove-AdminPowerAppEnvironmentRoleAssignment |
Read and remove canvas apps | Get-AdminPowerAppRemove-AdminPowerAppGet-AdminPowerAppConnectionReferences |
Read, update, and delete canvas app permissions | Get-AdminPowerAppRoleAssignmentSet-AdminPowerAppRoleAssignmentRemove-AdminPowerAppRoleAssignmentSet-AdminPowerAppOwner |
Read, update, and delete Flows, Owner Roles, and Approvals | Get-AdminFlowEnable-AdminFlowDisable-AdminFlowRemove-AdminFlowGet-AdminFlowOwnerRoleSet-AdminFlowOwnerRoleRemove-AdminFlowOwnerRoleRemove-AdminFlowApprovals |
Read and delete connections | Get-AdminPowerAppConnectionRemove-AdminPowerAppConnection |
Read, update, and delete connection permissions | Get-AdminPowerAppConnectionRoleAssignmentSet-AdminPowerAppConnectionRoleAssignmentRemove-AdminPowerAppConnectionRoleAssignment |
Read and delete custom connectors | Get-AdminPowerAppConnectorRemove-AdminPowerAppConnector |
Read, update, and delete custom connector permissions | Get-AdminPowerAppConnectorRoleAssignmentSet-AdminPowerAppConnectorRoleAssignmentRemove-AdminPowerAppConnectorRoleAssignment |
Set canvas app as hero | Set-AdminPowerAppAsHeroClear-AdminPowerAppAsHero |
Set canvas app as featured | Set-AdminPowerAppAsFeaturedClear-AdminPowerAppAsFeatured |
Set canvas app to bypass api consent | Set-AdminPowerAppApisToBypassConsentClear-AdminPowerAppApisToBypassConsent |
Read a user’s PowerApps user settings, user-app settings, and notifications | Get-AdminPowerAppsUserDetails |
Returns a list of app connection references | Get-AdminPowerAppConnectionReferences |
Read & delete a user’s Microsoft Flow settings, which are not visible to user, but that support flow execution | Get-AdminFlowUserDetailsRemove-AdminFlowUserDetails |
Create, read, update & delete data loss prevention policies for your organization | Get-AdminDlpPolicyAdd-AdminDlpPolicyRemove-AdminDlpPolicySet-AdminDlpPolicyAdd-ConnectorToBusinessDataGroupRemove-ConnectorFromBusinessDataGroup |
Tips
- Use Get-Help ‘CmdletName’ to get a list of examples.
- To cycle through the possible options for input tags, click on the tab key after typing out the dash (-) character, after the cmdlet name.
Operation examples
Below are some common scenarios that show how to use new and existing PowerApps cmdlets.
Environments Commands
Use these commands to get details on and update environments in your tenant.
Display a list of all environments
Get-AdminEnvironment
This returns a list of each environment across your tenant, with details of each (e.g., environment name (guid), display name, location, creator, etc).
Display details of your default environment
Get-AdminEnvironment –Default
Returns the details for only the default environment of the tenant.
Display details of a specific environment
Get-AdminEnvironment –EnvironmentName ‘EnvironmentName’
Note: The EnvironmentName field is a unique identifier, which is different from the DisplayName (see first and second fields in the output in the following image).
PowerApps Commands
These operations are used to read and modify PowerApps data in your tenant.
Display a list of all PowerApps
Get-AdminPowerApp
Returns a list of all PowerApps across the tenant, with details of each (e.g., application name (guid), display name, creator, etc).
Display a list of all PowerApps that match the input display name
Get-AdminPowerApp 'DisplayName'
Returns a list of all the PowerApps in your tenant that match the display name.
Note: Use quotation characters (”) around input values that contain spaces.
Feature an application
Set-AdminPowerAppAsFeatured –AppName 'AppName'
Featured applications are grouped and pushed to the top of the list in the PowerApps mobile player.Note: Like environments, the AppName field is a unique identifier, which is different from the DisplayName. If you want to perform operations based on the display name, some functions will let you use the pipeline (see next function).
Make an application a Hero app, using the pipeline
Get-AdminPowerApp 'DisplayName' | Set-AdminPowerAppAsHero
A Hero app will appear at the top of the list in the PowerApps mobile player. There can only be one Hero app.The pipeline (represented as the ‘|’ character between two cmdlets) takes the output of the first cmdlet and passes it as the input value of the second, assuming the function has been written to accommodate the pipeline feature.Note: an app must already be a featured app before it is changed to a hero.
Display the number of apps each user owns
Get-AdminPowerApp | Select –ExpandProperty Owner | Select –ExpandProperty displayname | Group
You can combine native PowerShell functions with the PowerApps cmdlets to manipulate data even further. Here we use the Select function to isolate the Owner attribute (an object) from the Get-AdminApp object. We then isolate the name of the owner object by pipelining that output into another Select function. Finally, passing the second Select function output into the Group function returns a nice table that includes a count of each owner’s number of apps.
Display the number of apps in each environment
Get-AdminPowerApp | Select -ExpandProperty EnvironmentName | Group | %{ New-Object -TypeName PSObject -Property @{ DisplayName = (Get-AdminPowerAppEnvironment -EnvironmentName $_.Name | Select -ExpandProperty displayName); Count = $_.Count } }
Download PowerApps user details
Get-AdminPowerAppsUserDetails -OutputFilePath '.\adminUserDetails.txt' –UserPrincipalName ‘admin@bappartners.onmicrosoft.com’
The above command will store the PowerApps user details (basic usage information about the input user via their user principal name) in the specified text file. It will create a new file if there is no existing file with that name, and overwrite the text file if it already exists.
Set logged in user as the owner of a PowerApp
Set-AdminPowerAppOwner –AppName 'AppName'-AppOwner $Global:currentSession.userId –EnvironmentName 'EnvironmentName'
Changes the owner role of a PowerApp to the current user, and replaces the original owner as a “can view” role type.Note: The AppName and EnvironmentName fields are the unique identifiers (guids), not the display names.
Flow Commands
Use these commands to view and modify data related to Microsoft Flow.
Display all Flows
Get-AdminFlow
Returns a list of all flows in the tenant.
Display Flow Owner Role details
Get-AdminFlowOwnerRole –EnvironmentName 'EnvironmentName'–FlowName ‘FlowName’
Returns the owner details of the specified Flow.Note: Like Environments and PowerApps, FlowName is the unique identifier (guid), which is different from the display name of the Flow.
Display Flow user details
Get-AdminFlowUserDetails –UserId $Global:currentSession.userId
Returns the user details regarding Flow usage. In this example we’re using the user Id of the current logged in user of the PowerShell session as input.
Remove Flow user details
Remove-AdminFlowUserDetails –UserId 'UserId'
Deletes the details on a Flow user completely from the Microsoft database. All Flows the input user owns must be deleted before the Flow user details can be purged.Note: The UserId field is the Object ID of the user’s Azure Active Directory record, which can be found in the Azure Portal ( https://portal.azure.com) under Azure Active Directory > Users > Profile > Object ID. Must be an admin to access this data from here.
Export all Flows to a CSV file
Get-AdminFlow | Export-Csv -Path '.\FlowExport.csv'
This command exports all the Flows in your tenant into a tabular view .csv file.
Api Connection Commands
View and manage API connections in your tenant.
Display all native Connections in your default environment
Get-AdminPowerAppEnvironment -Default | Get-AdminConnection
Displays a list of all Api Connections you have in the default environment. Native connections are found under the Data > Connections tab in the maker portal.
Display all Custom connectors in the tenant
Get-AdminPowerAppConnector
Returns a list of all custom connector details in the tenant.
Data Loss Prevention (DLP) Policy Commands
These cmdlets will control the DLP policies on your tenant.
Display all Policies
Get-AdminDlpPolicy
Returns a list of all the Policies.
Display a filtered list of policies
Get-AdminDlpPolicy 'DisplayName'
Uses the display name to filter the policies
Display all ‘Business data only’ Api connectors in a policy
Get-AdminDlpPolicy 'PolicyName'| Select –ExpandProperty BusinessDataGroup
Lists the Api connections that are in the Business data only (or BusinessDataGroup field) in an input policy.
Add a Connector to the ‘Business data only’ group
Add-ConnectorToBusinessDataGroup -PolicyName 'PolicyName' –ConnectorName 'ConnectorName'
Adds a connector to the ‘Business data only’ group in a given DLP policy. See the list of connectors by DisplayName and ConnectorName (used as input) here.
Denise Moran
See more articles from this author