Building C# and C++ Apps with GitHub Copilot CLI and Visual Studio 2026
July 2, 2026From Game to Operations: Exporting a Foundry-Designed Workforce as a Portable Bundle
July 2, 2026Introduction
External collaboration is a common requirement for business applications built on Microsoft Power Platform. Organizations may need to provide controlled access to vendors, partners, contractors, or external business users without creating full internal user accounts.
Microsoft Entra ID B2B guest access enables this scenario by allowing external users to be invited into the resource tenant and then granted access to specific Power Platform resources. For apps that use Microsoft Dataverse, access is still governed by licensing, environment-level guest access settings, and Dataverse security roles.
This blog walks through the configuration flow to enable a guest user to access Canvas apps and Model-driven apps in Microsoft Power Platform using Microsoft Entra ID.
Scenario
In this scenario, an external user needs access to a Power Platform environment and must be able to access a Dataverse-backed app, such as a Model-driven app or a Canvas app that connects to Dataverse.
The configuration involves the following areas:
- Microsoft Entra ID external collaboration
- Guest user invitation and acceptance
- Power Platform environment user access
- Power Apps licensing
- Environment-level guest access setting
- Dataverse security roles
- App access validation
Step 1: Enable external sharing in Microsoft Entra ID
Start by validating that external collaboration is enabled in Microsoft Entra ID.
In the Microsoft Entra admin center, go to: External Identities → External collaboration settings
Review the guest collaboration settings and ensure that the required guest access method is allowed for your organization.
Depending on your organization’s preference and security model, guest access can be enabled through:
- B2B collaboration invitation
- B2B direct connect, where applicable for the scenario
For this walkthrough, the guest user is added through the B2B invitation flow.
Step 2: Add the external user as a guest user
Add the external user as a guest user in the Microsoft Entra tenant.
In Microsoft Entra ID, invite the external user by sending a guest invitation. The guest user must exist in the resource tenant before Power Platform and Dataverse access can be assigned.
Sharing an app with guest users must be done in the resource tenant – the tenant where the app actually resides. The user’s original tenant, by contrast, is referred to as the home tenant.
Step 3: Ask the guest user to accept the invitation
The guest user must accept the invitation before they can access resources in the tenant.
Once the invite is accepted, the user becomes available as a guest account in the resource tenant and can be assigned access to Power Platform resources.
Step 4: Add the guest user to the environment and assign security roles
Once the guest user has accepted the invitation, the next step is to add them to the required environment and assign the appropriate security roles. Both of these actions are performed in the Microsoft Power Platform admin center (PPAC), so they can be completed back-to-back.
Add the user to the environment:
Navigate to Environments → Settings → Users → Add user, then select the guest user and add them to the target environment. This makes the user available in the environment so that security roles and app-level access can be configured.
Assign Dataverse security roles:
With the user added, assign the appropriate Microsoft Dataverse security roles. Security roles determine what a user can and cannot access within Dataverse – for example, an external vendor can be scoped to only the tables, records, and actions required for their specific task, without any administrative privileges.
Follow the principle of least-privilege access: grant only the permissions the guest user needs to complete their intended business process.
Step 5: Assign a Power Apps license
Next, assign the required Microsoft Power Apps license to the guest user. In this walkthrough, a Power Apps Premium license was assigned from the Microsoft 365 admin center.
Per Microsoft’s official documentation, accessing an app that connects to Microsoft Dataverse requires the guest user to hold a license with Power Apps use rights matching the app’s capability level.
Step 6: Enable guest user access in the Power Platform environment
Next, enable guest access for the environment.
Go to:
Power Platform admin center → Security → Identity and access → Guest access
Then:
- Select the required environment.
- Select Manage guest access.
- Turn off the Block guest user access toggle.
This allows Microsoft Entra B2B guest users to access Dataverse data in that environment
Step 8: Validate access with the guest user
After completing the configuration, validate the access using the guest user account.
In this validation, the guest user was able to sign in to the CRM environment and perform actions aligned with the assigned security role.
Summary
Guest user access for Canvas apps and Model-driven apps in Microsoft Power Platform can be configured using Microsoft Entra ID B2B collaboration and Power Platform security controls.
For Dataverse-backed apps, the important point is that guest access is governed by multiple layers. The user must be invited and accepted as a guest, added to the environment, licensed appropriately, allowed through the environment guest access setting, and assigned the right Dataverse security roles.
Once these controls are configured correctly, external users can access the required app and perform only the actions permitted by their assigned role.
References
- Share a canvas app with guest users – Power Apps
- Control guest access to Microsoft Power Platform environments
- Identity and access management – Power Platform
- Sharing a model-driven app – assigning security roles and privileges
- Share a canvas app with your organization
- Security in Microsoft Dataverse