| Concept | Type | Primary purpose | PAC Primary Owner | PAC Co-Owner | Power Apps Primary Owner | Power Apps Co-Owner | Who Can Edit | Admin portals to manage |
|---|---|---|---|---|---|---|---|---|
| User account | User | Human sign-in identity | Yes | Yes | Yes | Yes | User/Admin | Microsoft 365 admin center, Entra admin center |
| Service account | User | Non-human usage of a user identity | Yes | Yes | Yes | Yes | Admin | Microsoft 365 admin center, Entra admin center |
| Shared mailbox | User | Shared email inbox with delegated access | No | No | No | No | Admin | Microsoft 365 admin center, Exchange admin center, Entra admin center |
| Security group | Group | Access control boundary | No | Yes | No | Yes | Admin or User/Admin | Microsoft 365 admin center, Entra admin center |
| Microsoft 365 group | Group | Collaboration boundary | No | Yes | No | No | User/Admin | Microsoft 365 admin center, Entra admin center, Teams admin center |
https://learn.microsoft.com/en-us/power-automate/change-cloud-flow-owner
https://learn.microsoft.com/en-us/powershell/module/microsoft.powerapps.administration.powershell/set-adminflowownerrole?view=pa-ps-latest
https://learn.microsoft.com/en-us/power-platform/admin/power-automate-licensing/faqs
Here is how App A (using a security group) and App B (using a distribution group) compare, and where App B tends to break in real life.
Setup
- App A: access controlled via Entra security group
- App B: access “controlled” via Exchange distribution group that shows up in Entra but is Exchange-managed
Key fact
Power Platform access control expects a security principal. A distribution group (DG) is mainly for email distribution, not permissions; the Microsoft 365 admin docs describe DGs as a way to broadcast information, not to grant permissions. (Microsoft Learn)
What trouble you’ll see with App B
Trouble 1: You often can’t even select the distribution group in Power Apps sharing
When you share a canvas app, Power Apps supports sharing to security groups, and Microsoft documentation and community guidance call out that distribution groups aren’t supported for app sharing. (Microsoft Learn)
What the client experiences
- In the Share panel, they search for the DG and it doesn’t appear, or it appears but fails when applying.
- They end up manually sharing to individual users, which becomes a maintenance nightmare.
Trouble 2: Environment access restriction can’t use a distribution group
For controlling who can be a member of an environment, Microsoft’s feature is explicitly security groups. There isn’t a “distribution group” option for this control. (Microsoft Learn)
What the client experiences
- They try to “lock down” an environment using a DG and discover they can’t.
- Result: either the environment stays open, or they rebuild the access model using security groups later.
Trouble 3: Membership changes become slow and messy because it is Exchange-mastered
With a DG, the people who can update membership are usually Exchange admins or delegated owners, and changes are managed in Exchange tooling and processes. That adds friction compared to a normal Entra security group. Microsoft’s group comparison explains DGs are managed around mail behaviors and Exchange-defined rules for dynamic DGs. (Microsoft Learn)
What the client experiences
- “Please add 40 users by today” turns into an Exchange ticket.
- Joiner-mover-leaver automation is harder to standardize.
Trouble 4: Even if you try to “use it anyway,” it won’t behave like authorization
Even though the DG exists in Entra, it typically isn’t the kind of group used for permission evaluation. In practice you get “works for emailing, fails for access.”
What the client experiences
- People who are “in the DG” still get access denied because the app or environment access control never actually recognized it as an authorization group.
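A pre-flight check for the failure described above, as an added example that is not part of the original page: it classifies groups by the `mailEnabled`, `securityEnabled` and `groupTypes` properties that Microsoft Graph returns for a group, and flags any group that is not security-enabled before it is used for app sharing or environment restriction. The sample records, group names and user names are constructed, and the `members` field is assumed to have been merged in from a separate membership query.

```python
# Added example. Records mimic Microsoft Graph group objects; all names are constructed.
SAMPLE_GROUPS = [
    {"displayName": "AppA-Users", "mailEnabled": False, "securityEnabled": True,
     "groupTypes": [], "members": ["alice", "bob"]},
    {"displayName": "AppB-Announce", "mailEnabled": True, "securityEnabled": False,
     "groupTypes": [], "members": ["carol", "dave"]},
    {"displayName": "Finance-Approvers", "mailEnabled": True, "securityEnabled": True,
     "groupTypes": [], "members": ["erin"]},
    {"displayName": "Project-Team", "mailEnabled": True, "securityEnabled": False,
     "groupTypes": ["Unified"], "members": ["frank"]},
]


def classify_group(group):
    """Map Graph's mailEnabled / securityEnabled / groupTypes to a group kind."""
    mail = bool(group.get("mailEnabled"))
    sec = bool(group.get("securityEnabled"))
    if "Unified" in (group.get("groupTypes") or []):
        return "Microsoft 365 group"
    if sec and mail:
        return "mail-enabled security group"
    if sec:
        return "security group"
    if mail:
        return "distribution group"
    return "unclassified"


def audit_access_groups(groups):
    """Flag groups that are not security-enabled, with the users who rely on them."""
    findings = []
    for group in groups:
        if group.get("securityEnabled"):
            continue  # Graph marks this group as a security group
        findings.append({
            "group": group["displayName"],
            "kind": classify_group(group),
            # Per the page: these users are "in the group" but get no access through it.
            "affected_users": sorted(group.get("members", [])),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_access_groups(SAMPLE_GROUPS):
        print(f"{finding['group']}: {finding['kind']}, "
              f"not security-enabled, affects {', '.join(finding['affected_users'])}")
```
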
What trouble App A avoids
Using an Entra security group is the “happy path” for:
- restricting environment membership (Microsoft Learn)
- sharing apps to a group (Microsoft Learn)
So App A behaves predictably:
- the group shows up when sharing
- membership changes flow through normal IAM processes
- environment access restriction works cleanly
Bottom line
App B’s trouble is not “the logic breaks.”
It’s that operations and governance break: you can’t consistently use a DG as the access-control object, so you get sharing issues, environment restriction issues, and admin bottlenecks.