Impersonate a user in Power Virtual Agents

In this article I am going to show you how to use impersonation in a Power Virtual Agent. In this example we are showing account records from Dynamics 365 Sales to which the logged on Sales user only has access to.

Original request

Another challenge from the Power Users community 🙂

How we can restrict the access to sales user so that they cant see the other’s record while chatting in PVA?

Power Users Community thread: Restrict sales user form accessing records which is not shared or assigned to user.

Microsoft Dataverse

You could use the Microsoft Dataverse Web API with an HTTP request action and use the CallerObjectID. Microsoft has a nice article on this called How to impersonate a user. You could use the Azure Active Directory (AAD) object id of the user interacting with the PVA chat bot in that request.

Delegation for Jane Doe

In this example we have Jane Doe, who only has access to two Accounts
allaccounts_janedoe

While typically without delegation an admin or the same HTTP request would show the below list.

allaccounts_serviceaccount

Setup Authentication

Before you start with the Power Automate flow and the Power Virtual Agent setup you need to make sure you enable authentication for your Power Virtual Agent. Otherwise you cannot retrieve the user id of the person which is interacting with the bot.

pvabotauth

Also don’t forget to register an App in Azure Active Directory, you will need that for the HTTP action in the flow. Like mentioned earlier, Elaiza Benitez has written a nice blogpost about this, How to authenticate as an application with Microsoft Graph API with flow.

The flow steps

Impersonate a user in Power Virtual Agents

1. Create a flow with a When Power Virtual Agents calls a flow trigger action. Add a text UserID input field to that action.
userid_input

2. Add three Initialize variable actions. Below is a table with the name, type and value for each of the variables.

NameTypeValue
EnvironmentUrlStringhttps://yourorg.crm11.dynamics.com
EntityStringaccounts
MarkDownTableString| AccountNumber | Name |

environmenturl

3. Add an Append to string variable. Use the characters below as an separator between the headers and the rows of the table.

separatemarkdown
4. Add a HTTP action. Use the GET method to interact with the Microsoft Dataverse Web API. Use the input settings from below.

getdataverserecordswithimpersonation
5. Add an Apply to Each action. Use the value collection for the Select an output from previous steps field.

applytoeach_bodyvalue

6. Add another Add an Append to string variable within the Apply to Each action.
In this action the account number and the account name are appended as a row to the table.
appendtostringvariable_row

7. Add a Return value(s) to Power Virtual Agents action
listrecords_marktdowntable

The bot steps

accounts_topic_salesbot

1. Create a new blank topic.

topicaccounts

2. Give it a name, in this case Accounts. Add some trigger phrases. Via these you can interact with your topic. And save it. Go to the authoring canvas.

3. Add an Call an action. Select the flow you created earlier. Make sure you map the Bot.UserId to the flow with the UserId field

botuserid_mapping

4. Add a message action. Use the ListRecords variable in the body of the message.

markdowntable_listrecords

Testing the final result

You can publish the bot to the Microsoft Teams channel.

After that you can test it with Jane Doe. As you can see it will only list two accounts instead of all 5 accounts.

janedoelistmyrecords

Happy testing!

You may also like...

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.