Blog

Apps - What happens to canvas apps when the owner/employee leaves an organisation?

When an employee leaves an organisation, what happens to the apps that they've built? Can other employees continue to edit and access the apps?

When an employee leaves an organisation, it's important that other employees can still access the apps that were created and owned by the employee. This post walks through the life cycle of an app, starting from when an employee creates an app to the time that the employee leaves the organisation. We also look at how to change the owner of an app.

An employee creates an app and becomes the owner

To demonstrate, let's take the fictional user "Pradeep Gupta". Pradeep creates a Canvas app. Because Pradeep creates the app, he automatically becomes the "Owner" of the app. The app owner has full control of the app, including the ability to edit, share, and delete the app.   

As part of the app development process, Pradeep shares the app with "Sally Smith" and "Tim Leung", and assigns the roles "User" and "Co-owner" respectively. The difference between these roles is that a "Co-owner" has rights to edit an app, whereas a "User" has rights to run an app only.


The employee leaves and the administrator deletes the app owner

Pradeep now leaves the company. As part of this process, the Microsoft 365 administrator deletes Pradeep's account through the Microsoft 365 admin center, shown below.



There are some useful points to highlight in terms of deleting a user. 

  • It's possible to easily restore a user through the 'Deleted Users' section of the Microsoft 365 admin center, for up to 30 days after the initial deletion. Therefore if anything goes wrong, there is a possible recovery path.
  • Deleting a user deletes the user's OneDrive files. The reason why this is important is that the user might have created apps based on Excel datasources in OneDrive, and these will be deleted as part of the user deletion process. Therefore, it's good practice to reassign the ownership of OneDrive contents to another employee.

What happens to apps after the app owner is deleted?

After an administrator deletes Pradeep from the Microsoft organisation, this is what we see when we enter the app sharing settings.

Notice that the remaining users retain access to the app and in the case of "Co-owners", those users will still be able to edit and share the app. However, notice that the app is now missing an "Owner".

What can Owners do that Co-owners cannot do?

Now that our app has no owner, what's the practical impact of this? Effectively, a co-owner can do almost everything that the owner could do. However, one thing that a co-owner cannot do is delete an app (the 'delete' menu option is greyed out in the app list). Therefore, there is now no way for any of the assigned users to delete the app, although it's possible for a tenant administrator to carry out this task with Power Shell.

How to change/reset the owner of a canvas app

To set an app owner or to change the owner of an app, we can perform this action with Power Shell. Lee Zuckett (Senior Power Apps program manager at Microsoft) and Steve Jeffery recently published a great article on this topic. I was fortunate to have worked with Lee during my book project, so I would recommend his post, particularly if you want to learn more about resetting the owners of model-driven apps.

https://powerapps.microsoft.com/en-us/blog/updating-ownership-for-power-apps-apps/


In terms of our example, to reset the owner of our app, we first need to install the PowerShell Cmdlets for Power Apps. To use the Cmdlets, we require tenant admin access, the environment id, app id, and user id. My post here. describes how to retrieve the environment and app ids:

http://powerappsguide.com/blog/post/general-how-to-restore-undeleting-an-app

To reset the app owner, here are the initial Power Shell commands that we need to run.

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
Install-Module -Name Microsoft.PowerApps.PowerShell –AllowClobber
Add-PowerAppsAccount


The Set-AdminPowerAppOwner cmdlet resets the owner. Note that '$Global:currentSession.userId' value specifies the user id of the user that's currently running the Power Shell script.

Set-AdminPowerAppOwner 
       -AppName "c76e2c97-5740-4b63-a00c-bf8a83da8b40" 
       -EnvironmentName "Default-df7b308b-854f-4f83-bb6b-bcee961c8b51" 
       -AppOwner $Global:currentSession.userId


The screenshot beneath highlights the result when this cmdlet succeeds - specifically, the "error" entries will be blank.


If we now return to the app sharing screen, we now see that "Tim Leung" is now the owner of the app.

Can an app have 2 owners?

Is it possible for an app to have 2 owners? The answer is no. If we attempt to assign another owner with the Set-AdminPowerAppOwner cmdlet, it overwrites the existing owner with the new owner. 

Set-AdminPowerAppOwner 
       -AppName "c76e2c97-5740-4b63-a00c-bf8a83da8b40" 
       -EnvironmentName "Default-df7b308b-854f-4f83-bb6b-bcee961c8b51" 
       -AppOwner 217ee3ae-05c3-401d-b34a-3f86fd0b398a

The important point to note here is that when we call Set-AddPowerAppOwner cmdlet, it resets the existing owner as a "User", rather than a "Co-owner".


As a side note, one way to retrieve the user id of a specified user for use with the Set-AdminPowerAppOwner cmdlet, is to open the user in the Microsoft 365 admin center, and to retrieve the user from the address bar (shown below).


Conclusion

When an employee leaves an organisation, existing users will still be able to access and run the apps that were owned by the employee, and existing co-owners will still be able to edit the apps. Once the employee leaves, a tenant admin can use Power Shell to re-assign a new owner if this is necessary.
Previous
Next
Related posts