Guest User Permission Model for Canvas and Model-Driven Apps in Microsoft Power Platform
Admin Content, Apr 28, 2025
In today’s digitally connected world, businesses frequently collaborate with external partners, vendors, and contractors. As a result, enabling secure, flexible access for external users is more critical than ever. Microsoft Power Platform — particularly Canvas and Model-Driven Apps — empowers organizations to build low-code, high-impact business applications. However, managing access for users outside the organization requires a clear understanding of guest user permissions and security models.
Microsoft Entra ID (formerly Azure Active Directory) plays a central role in this process. It allows external users — also known as "guest users" — to securely access resources in a host tenant without being full members of the organization. This article walks through how the guest user permission model works in both Canvas and Model-Driven Apps, outlines key differences, and offers best practices for successful deployment.
Understanding Guest Users in Microsoft Entra ID
Microsoft Entra ID supports B2B (Business-to-Business) collaboration scenarios by allowing organizations to invite and manage users from other domains as guests. These users retain their identities in their home tenant but gain controlled access to applications and resources in the host tenant.
Key Concepts:
- Guest vs. Member Users: Guest users differ from member users in their object types and default permissions. While they can access shared resources, their access is typically more limited and governed by specific roles.
- Invitation Process: An organization invites a guest by sending an email invitation through Entra ID. Upon acceptance, the guest user becomes part of the tenant directory and can be assigned roles or licenses.
- Access Management: Admins can manage guest users via Entra ID just like internal users — assigning security groups, conditional access policies, and monitoring user activity through audit logs and reports.
- Authentication: Guests log in using their credentials from their home directory (e.g., another Microsoft 365 tenant or a Gmail address with a Microsoft account), ensuring a seamless sign-in experience.
This Entra-based guest model ensures that access is federated and secure, enabling trusted collaboration without compromising organizational boundaries.
Guest User Access in Canvas Apps
Canvas Apps in Power Apps offer a rich UI and pixel-perfect design flexibility. They are often used for internal tools, but you can also extend access to external users through the guest user model. Here's how it works:
Sharing Mechanism:
Canvas apps can be shared with guests in your Entra ID directory by using the standard “Share” feature in Power Apps Studio. However, sharing the app alone is not enough — guests must also have access to any connected resources like Microsoft Dataverse, SharePoint, or custom APIs.
Required Permissions:
- Guest users need to be explicitly granted permission to the app and all underlying data sources.
- If the app connects to Dataverse, the user must be assigned a security role within that environment that grants access to the tables the app uses.
Licensing:
- Power Apps licenses are not automatically included for guest users.
- Options include:
Best Practices:
- Use security groups to manage app access at scale.
- Limit guest access to only required environments and resources.
- Monitor usage and apply conditional access policies (MFA, session control) to enforce security.
Canvas Apps provide flexibility, but securing data and ensuring compliance takes careful planning, especially when dealing with external collaborators.
Guest User Permissions in Model-Driven Apps
Model-Driven Apps are built on Microsoft Dataverse, making them more structured and data-centric compared to Canvas Apps. Guest access in these apps requires a deeper configuration of roles and security permissions.
Dataverse and Security Roles:
Dataverse uses a role-based security model. For a guest user to access a Model-Driven App:
- They must be assigned a security role in the Dataverse environment.
- This role must grant the necessary table-level (entity-level) permissions (Read, Write, Append, etc.).
Microsoft offers an out-of-the-box "Guest User" security role, but it may need customization depending on your app’s data model and business logic.
Licensing and Role Assignment:
Just like in Canvas Apps, licensing is essential. Assign either:
- A Power Apps per user license (suitable for broader access), or
- A per app license for access to a specific app.
Real-World Considerations:
- Avoid over-permissioning. Start with minimal access and expand as needed.
- If a guest requires access to multiple apps, consider assigning them to a custom security role for consistency.
- Use Application Users or Service Principals for automated access, rather than regular guest users.
Pitfalls to Avoid:
- Not assigning the guest to a security role in Dataverse (they’ll get access denied errors).
- Ignoring cross-tenant policy restrictions — ensure your organization allows B2B collaboration in Entra ID settings.
- Overlooking license enforcement — apps will not run properly if the guest isn’t licensed.
Licensing and Compliance Considerations
Granting access to guest users in Power Platform doesn’t just hinge on permissions—it also depends on having the right licenses in place. Microsoft Entra ID B2B users can access Power Apps if properly licensed, but the nuances vary depending on whether they’re using Canvas or Model-Driven Apps, and whether their access is regular or occasional.
License Options for Guest Users:
- Power Apps Per App Plan: This is suitable when guests only need access to one or two apps. It’s affordable and straightforward.
- Power Apps Per User Plan: Ideal for guests who need broader access to multiple apps and Dataverse environments.
- Power Apps Pay-As-You-Go: This newer model allows usage-based billing via an Azure subscription. It’s great for fluctuating or infrequent guest access, and organizations only pay for actual usage.
Host vs. Home Tenant Licensing:
A common question is whether the license should be in the guest’s home tenant or the host tenant. Microsoft supports either model, but the safest route is assigning the license from the host tenant to ensure compliance and smooth operation, especially when using premium connectors or Dataverse.
Compliance Considerations:
- Data Residency and Privacy: Since external users are accessing organizational data, it's important to understand how data is stored and accessed across tenant boundaries.
- Conditional Access: Apply Entra ID Conditional Access policies to enforce MFA, limit sessions, or restrict access based on location/device.
- Audit Logs and Monitoring: Enable logging to track guest user activity. Power Platform Admin Center and Microsoft Purview (formerly Compliance Center) can help.
Always align licensing strategy with organizational policies on data security, collaboration, and financial control to avoid unintended compliance risks.
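The Conditional Access point above, as an added example that is not part of the original article: a Microsoft Graph PowerShell script that first lists existing policies covering guests with an MFA requirement, then creates a report-only guest policy if no enabled one exists. The policy name, the 8-hour sign-in frequency and the choice to target all cloud apps are assumptions to adjust for your tenant.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module; run in the host tenant.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Inventory: which existing policies already cover guests and demand MFA?
#    Policies that target guests only through the granular
#    includeGuestsOrExternalUsers condition are not matched by this filter.
$covering = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    ($_.Conditions.Users.IncludeUsers -contains 'GuestsOrExternalUsers' -or
     $_.Conditions.Users.IncludeUsers -contains 'All') -and
    $_.Conditions.Users.ExcludeUsers -notcontains 'GuestsOrExternalUsers' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
$covering | Select-Object DisplayName, State | Format-Table -AutoSize

# 2. Create a guest MFA policy only if no *enabled* policy covers guests.
if (-not ($covering | Where-Object State -eq 'enabled')) {
    $policy = @{
        displayName = 'Guests - require MFA (report-only)'   # assumed name
        # Report-only first: evaluate the impact in sign-in logs, then switch to 'enabled'.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('GuestsOrExternalUsers') }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
        # Session control: force re-authentication after 8 hours (assumed value).
        sessionControls = @{
            signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 8 }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object Id, DisplayName, State
}
```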
Common Scenarios and Use Cases
The ability to invite and manage external collaborators opens up several powerful use cases for organizations building solutions on Power Platform. Whether you're working with clients, vendors, or partners, enabling guest access can streamline collaboration and improve project efficiency.
Partner Collaboration:
Organizations often collaborate with external agencies or consultants. By inviting them as guest users, you can:
- Share task-tracking Canvas apps.
- Provide access to internal portals or dashboards.
- Limit data access to relevant business units or projects.
Portal vs. App Access:
Sometimes, it’s better to use Power Pages (formerly Power Apps Portals) for external users. These allow anonymous or authenticated access without needing Entra ID accounts, especially useful for broader audiences. However, if deeper integration or interactive functionality is needed, guest access to actual Canvas or Model-Driven apps may be more appropriate.
Dev/Test/Prod Environments:
Guest users are useful in testing scenarios where external QA testers or business users need early access to apps before deployment. Set up sandbox environments and grant role-based permissions so that guests can test without impacting production data.
Training and Support:
Some organizations invite external trainers or consultants to help build apps or train internal users. You can grant them temporary access to apps or environments and revoke it once the engagement ends.
These scenarios demonstrate the flexibility and power of guest access—but they also reinforce the importance of solid governance to manage it all.
Conclusion and Best Practices
Power Platform is built for collaboration, and with the support of Microsoft Entra ID, sharing apps with guest users has never been more secure or scalable. However, success depends on understanding and implementing the right permission models, licensing strategies, and governance controls.
Quick Best Practice Checklist:
- Use security groups to manage access at scale.
- Always assign Dataverse security roles for Model-Driven Apps.
- Validate licensing—per app, per user, or pay-as-you-go.
- Apply Conditional Access and MFA to all guest accounts.
- Regularly review and audit guest access.
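One way to run the guest review from this checklist, as an added example that is not part of the original article: a Microsoft Graph PowerShell report of guests with unredeemed invitations, no recent sign-in, no host-tenant license, or no group membership. The 90-day threshold is an assumption, and Dataverse security role assignments are not visible through Graph, so they still need to be checked in each environment.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module; run in the host tenant.
# Reading signInActivity needs AuditLog.Read.All and Microsoft Entra ID P1 or P2.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'GroupMember.Read.All'

$staleAfterDays = 90   # assumed review threshold, adjust to your policy
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$props  = 'id,displayName,userPrincipalName,accountEnabled,externalUserState,createdDateTime,signInActivity'
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property $props

$report = foreach ($g in $guests) {
    # Licenses assigned in the host tenant. Empty means the guest relies on a
    # home-tenant license or on pay-as-you-go billing.
    $skus = (Get-MgUserLicenseDetail -UserId $g.Id).SkuPartNumber

    # Groups the guest belongs to, since app access should be granted through groups.
    $groups = Get-MgUserMemberOf -UserId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $flags = @()
    if ($g.ExternalUserState -eq 'PendingAcceptance') { $flags += 'InvitationNotRedeemed' }
    if ($g.AccountEnabled -and -not $lastSignIn -and $g.CreatedDateTime -lt $cutoff) {
        $flags += 'NeverSignedIn'
    }
    if ($lastSignIn -and $lastSignIn -lt $cutoff) { $flags += 'Stale' }
    if (-not $skus)   { $flags += 'NoHostTenantLicense' }
    if (-not $groups) { $flags += 'NoGroupMembership' }

    [pscustomobject]@{
        Guest      = $g.UserPrincipalName
        State      = $g.ExternalUserState
        LastSignIn = $lastSignIn
        Licenses   = $skus -join ';'
        Groups     = $groups -join ';'
        Flags      = $flags -join ';'
    }
}

# Show only guests that need a decision: re-invite, license, regroup, or remove.
$report | Where-Object Flags | Sort-Object Guest | Format-Table -AutoSize
```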
Understanding the differences between Canvas and Model-Driven App permission models—and how Entra ID supports B2B collaboration—helps ensure that your external users can be productive while your data stays protected.