Developer and End user experience to use PowerApps with on-premise data gateway (part 2)
In the last article, we saw how a PowerApps developer publishes their app.
Now the end users can see the published app in their PowerApps list.
According to the MS article here, if you create and share an app that includes data from an on-premises source, the on-premises data gateway itself and certain types of connections to that gateway will be shared automatically.
What does that mean? It means the app has saved the connection information, e.g. the target server name and server type, the connection string, etc. But it does not save the login/password. Therefore, the user needs to key in his or her login and password the first time the app is opened.
The first time he or she opens the app, he or she will see a screen like the one below:
Click the “Sign in” button, then input the internal AD login and password:
After pressing the “Create” button, the username and password are saved in the M365 cloud under the user’s space. The button is named “Create” because it is actually creating a Connection under the user.
Finally, click “Allow” to allow the app to use the saved credential. Now he or she should be able to sign in to the app.
The experience looks good and reasonable, right? Not really.
For test purposes, I reset my internal AD password and opened the app again. There was no error and no prompt to change the password. I could still see the data. Nothing changed!
I guess it is because the login token has not yet expired. But how long until it expires? I have submitted a ticket to Microsoft and they said they don’t know.
Then, after a day, I opened my app again. Still there was no error and no prompt. However, this time the app showed empty data.
It is not good, right? We expect that when a user’s account becomes invalid, he or she should be prompted to retype the password.
This is what I got from Microsoft support: “your work or school account must be added into AAD to have access to SharePoint, and there is no validation if you are connecting to SharePoint since the first party APIs will automatically log in with your already logged-in canvas app credential.”
What I take from this is that when we use the SharePoint connector (both SharePoint on-premise and SharePoint Online use the same connector), PowerApps will only use the saved credential to try to log in to SharePoint, regardless of whether it is on-premise or online.
I have consulted MS support for a workaround and unfortunately there is none. Since it is “by design”, how could they prepare a workaround? Below are my suggestions regarding this matter.
Suggestion 1: check the AD log
Although PowerApps does not prompt the user, the attempt to log in to the on-premise AD is actually logged. Check for event ID 4776 on your domain controller server with your “on-premise data gateway” server as the source workstation.
If you see an event log entry like the one above, you can then follow up with the end user.
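As an added example (not from the original post), the following PowerShell query pulls the 4776 events from a domain controller’s Security log, keeps only those whose source workstation is the gateway host, and decodes the event’s error code so failed validations coming through the gateway stand out. `$GatewayHost` is a placeholder for your gateway server’s name, and the status table is my own mapping of the common NTSTATUS values 4776 reports.

```powershell
# Added example, not from the original post. Run on the domain controller
# (or against it with -ComputerName) with rights to read the Security log.
param(
    [string]$GatewayHost = 'GATEWAY01',   # placeholder: your on-premise data gateway host name
    [int]$Hours = 24                      # how far back to look
)

# Values that event 4776 writes in its "Error Code" field (NTSTATUS codes).
$StatusText = @{
    '0x0'        = 'Success'
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000234' = 'Account locked out'
}

# 4776 = "The computer attempted to validate the credentials for an account".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    [xml]$x = $_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $status = [string]$d['Status']
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Account     = $d['TargetUserName']   # the AD login typed into the app
        Workstation = $d['Workstation']      # the gateway host, for gateway traffic
        Status      = $status
        Result      = if ($StatusText.ContainsKey($status.ToLower())) { $StatusText[$status.ToLower()] } else { 'Other failure' }
    }
} |
Where-Object { $_.Workstation -eq $GatewayHost -and $_.Status -ne '0x0' } |
Sort-Object Time -Descending |
Format-Table Time, Account, Workstation, Status, Result -AutoSize
```

Drop the `-ne '0x0'` clause if you also want to see the successful validations from the gateway, which is useful for confirming that the source workstation filter is matching at all.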
By the way, you may wonder whether any log exists on the on-premise data gateway server. Yes, it has an event log, but it is not useful. The log records which user is logging in via the gateway, but it does not record whether the login succeeded or failed. As in my capture below, the user typed a wrong password in PowerApps but you cannot see it recorded anywhere in the log.
Suggestion 2: ask the end user to log in to PowerApps Studio to reset the connection
I think this tip is only suitable for advanced users, but it is the most straightforward one.
Ask the end user to log in to PowerApps Studio (https://make.powerapps.com/). Open Data > Connections. Here you will find the SharePoint connections that already exist. Look for the one with the on-premise login. Select it and edit the connection. Here the user can retype the correct username and password. You need to guide him to choose the right gateway.
After updating the connection, ask the user to kill the app on his mobile. Then the user should be able to reopen the app and see all the data.