Elevate Your SharePoint Game: Advanced ALM Techniques for Power Platform Developers

Simplify File Management Across Environments with SharePoint and Power Automate

Recently, I discovered a useful trick that may already be well-known to SharePoint administrators and developers. Here, I’ll explain how Power Platform developers can benefit from it.

SharePoint Document Libraries: An Easy Way to Store Your Files

I love Microsoft Entra ID security groups. They offer a harmonious way to manage user access by assigning a user to a single group that handles provisioning across all application resources. If you’re unfamiliar with Entra ID security groups, here’s a brief explanation:

Microsoft Entra groups are used to manage users that all need the same access and permissions to resources, such as potentially restricted apps and services. Instead of adding special permissions to individual users, you create a group that applies the special permissions to every member of that group.

This simplifies access management, avoiding the need to assign users to multiple resources individually. I integrate security groups across all my resources: environment access, Canvas apps, Dataverse teams, and SharePoint documents. SharePoint, in particular, has an advanced feature that surprised me.

A Hidden Gem: Breaking Inheritance for Document Libraries

SharePoint Document Libraries are a common choice for storing files due to their seamless API integration with Canvas Apps and Cloud Flows. However, managing files across multiple environments—like separating test documents from production documents—can be tricky. This is where the concept of “breaking inheritance” in document libraries becomes a very handy feature.

Breaking inheritance allows you to separate test and production users within the same SharePoint site. You can create dedicated folders for superusers or user acceptance testers to access test documents, while production users access only production files. This setup reduces the overhead of managing multiple SharePoint sites and enables you to dynamically reference folder paths using environment variables in Power Automate.

However, note that this setup has a limitation: you cannot convert such SharePoint sites to Microsoft Teams. Teams relies on Microsoft 365 Groups for user provisioning, which conflicts with this Entra ID-based configuration. You’ll need to share the SharePoint site URL directly with users.

Create the SharePoint site and document libraries

Let’s set this up and see how it works:

  1. Create a Team site and set the privacy setting to Private. Add yourself as an owner of the site.

  2. Start with the default “Documents” library, but create separate libraries for test and production documents.

  3. Create a test and a production Document library.

  4. Navigate to the site’s permissions under the cogwheel menu.

  5. Go to advanced permission settings.

  6. Here we create two new SharePoint groups.

    You can use the following settings as an example, but it’s up to you how you want to configure your access.

    Do the same for the production users. You should now have the following groups:

  7. Next, add your Entra ID security groups as members of these SharePoint groups.

    Click on your SharePoint group.

    Click on ‘New’.

    Add your Entra ID security group with the users that need access to the test document library.

    Then click on Share.

    Do the same for the production SharePoint group with the Entra ID security group for the production users.

  8. Next, we are going to make sure the right SharePoint group can access the right document library.

    Click on your document library, then click on the cogwheel and on library settings.

  9. Click on more library settings.

  10. Click on permissions for this document library.

  11. Then click on ‘Stop Inheriting Permissions’.

    Click OK when a pop-up appears warning you.

  12. Now let’s remove the SharePoint group that doesn’t belong in this Document Library. In my case this is the AppUsersProduction SharePoint group.

    That leaves us with the following groups for the Test Document Library.

    Do the same for the production Document Library, but now remove the test SharePoint group.

  13. Now a user in EntraIDGroup_AppUsersProduction can only see the Production Document Library, and vice versa for the other group. See the images below.

The left user (Johanna) is a member of the test Entra ID group and the right user (Diego) is a member of the Production Entra ID group.

The left user (Johanna) can only see the Test document library and the right user (Diego) can only see the Production document library.
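A check for the result of the steps above, as an added example that is not from the original post: it reads role assignments in the shape the SharePoint REST API returns and reports any library that still inherits site permissions, still lists the other environment's group, or grants access to a principal directly instead of through a SharePoint group. The library names, the group name AppUsersTest and the sample data are assumptions constructed for illustration.

```python
SHAREPOINT_GROUP = 8                # SP.PrincipalType value for a SharePoint group
IGNORED_ROLES = {"Limited Access"}  # traversal-only role that SharePoint adds itself
# Assumed names: libraries "Test"/"Production"; the group "AppUsersTest" is hypothetical.
POLICY = {"Test": ("AppUsersTest", "AppUsersProduction"),   # library: (allowed, denied)
          "Production": ("AppUsersProduction", "AppUsersTest")}

def audit(lists_response, policy=POLICY):
    """Return (library, problem) tuples for every isolation rule that is violated."""
    findings = []
    by_title = {lib["Title"]: lib for lib in lists_response.get("value", [])}
    for title, (allowed, denied) in policy.items():
        lib = by_title.get(title)
        if lib is None:
            findings.append((title, "library not found"))
            continue
        if not lib.get("HasUniqueRoleAssignments"):
            findings.append((title, "still inherits site permissions"))
        granted = set()
        for ra in lib.get("RoleAssignments", []):
            roles = {b["Name"] for b in ra["RoleDefinitionBindings"]} - IGNORED_ROLES
            if not roles:
                continue  # only the traversal role: no real access to the library
            name = ra["Member"]["Title"]
            granted.add(name)
            if name == denied:
                findings.append((title, f"{denied} holds {sorted(roles)}"))
            elif ra["Member"].get("PrincipalType") != SHAREPOINT_GROUP:
                findings.append((title, f"direct grant to {name}"))
        if allowed not in granted:
            findings.append((title, f"{allowed} has no access"))
    return findings

def make_assignment(title, principal_type, *roles):
    return {"Member": {"Title": title, "PrincipalType": principal_type},
            "RoleDefinitionBindings": [{"Name": r} for r in roles]}

# Constructed sample in the shape of /_api/web/lists with RoleAssignments expanded.
SAMPLE = {"value": [
    {"Title": "Test", "HasUniqueRoleAssignments": True, "RoleAssignments": [
        make_assignment("AppUsersTest", 8, "Contribute"),
        make_assignment("AppUsersProduction", 8, "Limited Access")]},
    {"Title": "Production", "HasUniqueRoleAssignments": True, "RoleAssignments": [
        make_assignment("AppUsersProduction", 8, "Contribute"),
        make_assignment("AppUsersTest", 8, "Read"),      # wrong group left behind
        make_assignment("Sample User", 1, "Edit")]},     # user granted directly
]}

if __name__ == "__main__":
    for library, problem in audit(SAMPLE):
        print(f"{library}: {problem}")
```

The site's Owners group normally remains on both libraries after inheritance is broken; because it is a SharePoint group it is not reported unless it is named as the denied group.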

Using it in Power Automate Cloud Flows

Now we can create an environment variable and use it in cloud flows to store our documents in the right document libraries: test documents in the test library and production documents in the production library.

  1. Create a Text environment variable.

  2. Use this environment variable in your SharePoint Create File step in your Cloud Flow.

Now, all files that are created will end up in the Test document library while the Production document library stays clean. When importing your solution to the next environment, you can change this environment variable to the value ‘Production’ to make sure production documents land in the right document library.

Bonus tip: UX enhancement

I have one last bonus tip: a little UX enhancement for your users.

You can remove all pages from your SharePoint site that are not needed to make it cleaner for your end users.

  1. Click on Edit at the bottom of the shown pages. You need full privileges on the site for this.

  2. Remove all unnecessary pages.

Final thoughts

This approach to managing SharePoint Document Libraries provides a scalable and efficient way to separate test and production environments while maintaining a unified site structure. Although there are limitations, such as incompatibility with Microsoft Teams, the benefits of reduced overhead and dynamic flexibility make this a valuable technique for Power Platform developers. Try it out in your next project and let me know if it works for you!