Power Pages Complete Guide
From Basics to Advanced — Web API, Auth, Liquid, Scenarios & Cheat Sheet
Table of Contents
- Basic Questions
- Security & Access
- Data & Forms
- Customization & Code
- Advanced — Web API
- Advanced — Custom Authentication
- Advanced — Performance Tuning
- Advanced — ALM & CI/CD
- Scenario-Based — Troubleshooting
- Scenario-Based — Web API Debugging
- Scenario-Based — Portal Design
- Scenario-Based — Security Scenarios
- Liquid Templating — Advanced Patterns
- Liquid Templating — Web Templates
- Liquid Templating — Performance
- Liquid Templating — Gotchas & Traps
- Liquid Cheat Sheet
1. Basic Questions
What is Microsoft Power Pages?
Power Pages is a low-code SaaS platform for building secure, data-driven external-facing websites. It is part of the Microsoft Power Platform and connects to Dataverse as its backend data store.
What are the main components of a Power Pages site?
Pages, Web templates, Table lists, Table forms, Web roles, Site settings, Content snippets, and Entity permissions. Together they control layout, data access, and security.
What is Dataverse and why is it important in Power Pages?
Dataverse is the cloud data platform that backs Power Pages. All data rendered on the portal — tables, forms, lists — is stored and retrieved from Dataverse. Role-based security on Dataverse tables controls what portal users can see or edit.
What is the difference between Power Pages and Power Apps portals?
Power Pages is the rebranded and evolved version of Power Apps portals (announced 2022). It adds a dedicated design studio, Pages workspace, Copilot features, and a new standalone licensing model, while retaining all portal functionality.
What tools are used to build Power Pages sites?
Three main tools:
- Design Studio — WYSIWYG low-code editor in browser.
- Power Pages Management App — advanced configuration in model-driven app.
- Power Platform CLI / VS Code extension — code-first development and ALM.
What are Content Snippets?
Content Snippets are reusable text/HTML fragments managed in the portal back-end. They allow non-developers to edit labels, messages, and static text across the site without touching templates. Referenced in Liquid as {% snippets['snippet_name'] %}.
What are Site Settings and give two examples?
Site Settings are key-value configuration pairs that control portal behavior. Examples:
Authentication/Registration/Enabled— enables/disables user self-registration.Webapi/<tablename>/enabled— enables the Web API for a specific table.
2. Security & Access
What are Web Roles in Power Pages?
Web Roles group portal users and control what they can access. Every authenticated user is assigned one or more web roles. Two built-in roles exist: Authenticated Users (all logged-in users) and Anonymous Users (not logged in).
What are Table Permissions and why are they critical?
Table Permissions define CRUD access on Dataverse tables for a specific web role. Without proper table permissions, users see no data even if the page is accessible. They support scopes: Global, Contact, Account, Parent, and Self.
What is the difference between Page-level security and Table Permissions?
- Page-level security controls who can navigate to a page (via web role on the page).
- Table permissions control what data a user can read/write from Dataverse.
Both layers must be configured for secure, functional data access.
What authentication providers does Power Pages support?
Azure AD (Entra ID), Azure AD B2C, SAML 2.0, OpenID Connect, OAuth 2.0 providers (Google, Facebook, LinkedIn, Twitter), and local identity (email + password). Multiple providers can be enabled simultaneously.
3. Data & Forms
What is a Table List (Entity List)?
A Table List renders rows from a Dataverse table on a page as a grid or gallery. It supports filtering, sorting, searching, and actions like create/edit/delete (subject to table permissions).
What is a Table Form (Basic Form) vs a Multi-step Form (Advanced Form)?
- Table Form (Basic Form): Single-step form bound to one Dataverse form. Used for simple create/edit/read operations.
- Multi-step Form (Advanced Form): Wizard-style form spanning multiple steps/tables. Supports conditional branching and sequential data capture.
How does Power Pages handle file attachments in forms?
Files are stored as Notes (annotations) attached to the Dataverse record, or via SharePoint integration. You must enable the attachment option on the form and grant the Notes table permissions to the relevant web role.
4. Customization & Code
What is Liquid in Power Pages?
Liquid is an open-source templating language used in Power Pages web templates and content snippets to dynamically render data, conditional content, and loops. It allows server-side access to Dataverse data without custom code.
Example:
{% entitylist id: page.adx_entitylist.id %}
How can you integrate Power Automate with Power Pages?
Power Automate flows can be triggered from portal forms using the Power Pages connector (cloud flows) or by using the Web API. Common use case: send email notifications when a form is submitted.
What is the Power Pages Web API?
A RESTful API that enables client-side JavaScript to perform CRUD operations on Dataverse tables directly from the portal without a page postback. It respects table permissions. Endpoint pattern: /_api/<tablename>.
How do you deploy or migrate a Power Pages site between environments?
Using Power Platform solutions — package the portal components into a solution and deploy via Solution import, or use the Power Platform CLI commands:
pac paportal download
pac paportal upload
with source control for CI/CD.
How does caching work in Power Pages?
Power Pages caches portal metadata (templates, settings, entity lists) server-side. Changes made in the management app may not reflect immediately. Clear cache via:
<siteurl>/_services/about
or by restarting the portal from the Power Platform admin center.
5. Advanced — Web API
How do you enable the Web API for a specific table?
Create two Site Settings:
Webapi/<tablename>/enabled→trueWebapi/<tablename>/fields→ comma-separated column names (or*for all)
Then grant the appropriate Table Permission (Read/Write/Create/Delete) to the web role. Without both, the API returns 403.
What HTTP methods does the Power Pages Web API support?
GET— read records (supports$filter,$select,$orderby,$top,$expand)POST— create a recordPATCH— update an existing recordDELETE— delete a record
Base URL pattern: /_api/<tablename>(guid)
Note: PUT is not supported.
How is CSRF protection handled in Web API calls?
All write operations (POST, PATCH, DELETE) require an anti-forgery token sent in the request header as __RequestVerificationToken. Retrieve it via:
$('[name=__RequestVerificationToken]').val()
// or from:
/_api/antiforgery/token
Tip: Forgetting the anti-forgery token is the #1 reason Web API writes fail silently in demos.
How do you filter and expand related records using the Web API?
/_api/contacts?$filter=firstname eq 'John'
&$select=fullname,emailaddress1
&$expand=parentcustomerid_account($select=name)
&$top=10
Expanding requires Table Permissions on the related table too.
Can anonymous users call the Power Pages Web API?
Yes, but only if Table Permissions with the required privilege are assigned to the Anonymous Users web role. By default no permissions exist for anonymous users, so all API calls return 403.
What are the limitations of the Power Pages Web API compared to Dataverse Web API?
- No batch requests (
$batchnot supported) - No executing actions or functions directly
- No metadata endpoint (
/$metadata) - Field access restricted to columns listed in the
fieldssite setting - Rate limits apply (portal-level throttling)
- No server-side pagination tokens — use
$topand$skip
6. Advanced — Custom Authentication
How do you configure Azure AD B2C as an identity provider?
Register an app in Azure AD B2C, create user flows (sign-up/sign-in). Then set Site Settings:
Authentication/OpenIdConnect/AzureADB2C/Authority→ B2C tenant URLAuthentication/OpenIdConnect/AzureADB2C/ClientId→ app client IDAuthentication/OpenIdConnect/AzureADB2C/RedirectUri→ portal callback URL
Add the redirect URI to the B2C app registration's allowed redirect URIs.
What is contact mapping and why is it important?
When a user authenticates, Power Pages maps the external identity to a Dataverse Contact record. This mapping determines what data the user can access. Without a matching Contact, the user may authenticate but have no portal profile or table-permission scope.
How do you implement invitation-based registration?
Create an Invitation record in Dataverse linked to the Contact, set expiry and type (single/group). Send the invitation link to the user. When they redeem it, a portal identity is created and linked to the Contact.
What is the difference between local identity and external identity providers?
- Local identity: credentials stored within Power Pages using ASP.NET Identity. Supports email confirmation, password reset, and lockout.
- External providers (Azure AD, B2C, Google, etc.): authentication is delegated via OAuth/OIDC. Power Pages only receives a token and maps it to a Contact — it never stores passwords.
How do you implement MFA on Power Pages?
Power Pages itself does not provide MFA — delegate auth to an external provider that supports MFA (Azure AD Conditional Access or Azure AD B2C MFA user flows). The portal trusts the token issued after MFA is satisfied.
Tip: The correct answer is always — push MFA to the identity provider, never try to build it inside the portal.
7. Advanced — Performance Tuning
What causes slow portal page loads and how do you diagnose them?
Common causes: excessive Liquid Dataverse queries, large unbounded table lists, unoptimised fetchXML, heavy JavaScript bundles, cache misses.
Diagnose using:
- Browser DevTools Network tab
/_services/about— check cache state- Azure Application Insights (if configured)
- Power Pages telemetry in the admin centre
How does server-side caching work and how do you control it?
Power Pages caches portal metadata in memory. To clear:
- Navigate to
<site>/_services/about→ click Clear cache - Restart the portal from Power Platform admin centre
For live data, use the Web API client-side instead of server-side Liquid queries.
How do you optimise a slow Table List?
- Enable pagination — set a sensible page size (25–50)
- Use
$selectto fetch only required columns - Add filters so the Dataverse query is targeted
- Add Dataverse indexes on columns used in filter/sort
- Avoid expanding many lookups in a single list view
- Consider replacing with a client-side Web API call + JS rendering
How do you implement CDN for Power Pages assets?
Power Pages has a built-in Azure CDN integration. Enable it in the Power Platform admin centre under portal settings. Once enabled, static assets (CSS, JS, images in web files) are served from the CDN edge. Custom domain + SSL is required before CDN can be enabled.
8. Advanced — ALM & CI/CD
How do you use Power Platform CLI to manage Power Pages in source control?
# Download site content
pac paportal download --path ./portal --webSiteId <guid>
# Upload to target environment
pac paportal upload --path ./portal
# Auth with service principal
pac auth create
How do you handle environment-specific configuration during deployment?
Use deployment settings files (deploymentSettings.json) with the Power Platform Build Tools or CLI. These files override Site Setting values per environment (dev/test/prod) at import time — keeping secrets and environment URLs out of source control.
How do you automate Power Pages deployment in Azure DevOps?
Power Platform Tool InstallerPower Platform Export Solution(from source env)- Commit to repo
Power Platform Import Solution(to target env)pac paportal uploadstep via CLI task for portal content files
Use a service principal with System Administrator role on the target environment.
9. Scenario-Based — Troubleshooting
Scenario: User logs in but sees no data in the Table List. No error shown.
Diagnose in order:
- Confirm the user's web role via the Contact record in Portal Management App.
- Check Table Permissions for that web role — verify Read privilege is granted.
- Check the scope. If scope is Contact or Account, the parent relationship record must exist and be linked correctly.
- Clear the portal cache at
/_services/about. - Check if the Table List has a filter that excludes records for this user.
Root cause 90% of the time: Missing Table Permission or wrong scope.
Scenario: Form submission silently fails — page reloads, no record created.
- Open DevTools → Network tab → re-submit. Look for a non-200 POST response.
- Check Table Permissions — web role must have Create privilege.
- Check if required Dataverse fields are missing from the portal form.
- Verify form mode is set to Insert, not Edit or ReadOnly.
- Check console for JS errors blocking submission.
- Check for Dataverse business rules blocking create.
Tip: Add
?debugto the URL to surface additional error detail.
Scenario: After deploying a solution, portal still shows old content.
This is a portal metadata cache issue. Fix:
- Navigate to
<portalurl>/_services/about - Click Clear cache
- If unresponsive, restart from Power Platform Admin Centre → Environments → Resources → Portals → Restart
- For CI/CD, add a cache-clear step post-deployment.
Scenario: User can edit records they should not be able to.
- Check if the user has a second web role with Write/Edit permission.
- Check Table Permissions on Authenticated Users built-in role — if Write is there, every logged-in user inherits it.
- Confirm scope — Global scope incorrectly set allows editing all records.
Warning: Never rely solely on hiding the Edit button. Always enforce at the Table Permission level — UI controls are bypassable via direct URL.
10. Scenario-Based — Web API Debugging
Scenario: Web API POST returns 403 Forbidden.
- Confirm Site Setting
Webapi/<tablename>/enabledistrue(exact logical name, case-sensitive). - Confirm
Webapi/<tablename>/fieldslists the columns being written, or is*. - Confirm the user's web role has a Table Permission with Create privilege.
- Check request headers — POST/PATCH/DELETE require
__RequestVerificationToken. Missing token = 403. - Clear portal cache.
- Test with Global-scope permission temporarily to isolate scope vs. permission issues.
Key distinction: 403 on GET = missing Read permission. 403 on POST = missing Create permission OR missing anti-forgery token.
Scenario: Web API GET returns empty array but records exist in Dataverse.
Empty array (not 403) means the API is enabled and Read permission exists — but scope is filtering records out.
- Check Table Permission scope. Contact scope only returns records linked to the logged-in Contact.
- Verify the relationship column is populated on the records.
- Try Global scope temporarily in dev to confirm.
Scenario: PATCH request succeeds but one field is always ignored.
- Check
Webapi/<tablename>/fields— if it's a list (not*), confirm the field is included. - Check Dataverse Field Security Profiles — update silently dropped if field-level security restricts it.
- Check for Dataverse business rules or plugins resetting the field.
- Verify you're sending the correct logical field name (lowercase, publisher prefix).
Scenario: Works in dev, returns 403 in production.
- Compare Site Settings between environments —
enabledandfieldssettings may not have been deployed to prod. - Compare Table Permissions — if not in the solution, they need to be recreated in prod.
- Check web roles — the Contact record in prod may not have the same web role assigned.
- Clear cache in prod.
Root cause: Environment parity issues. Always include Table Permissions and Site Settings in your solution or deployment checklist.
11. Scenario-Based — Portal Design
Design: Multi-role portal — customers see own cases, partners see account cases, admins see all.
Create three web roles with Table Permissions on the Case table:
| Role | Scope | Privilege |
|---|---|---|
| Customer | Contact (customerid) | Read |
| Partner | Account (customerid) | Read |
| Admin | Global | Full CRUD |
Use a single Table List on one page — the data returned automatically filters by scope. No code needed for the filtering logic.
Key insight: One page + one table list + three scopes = three different views automatically.
Design: Multi-step onboarding form spanning three tables.
Use a Multi-step Form (Advanced Form):
- Step 1: Account table, mode = Insert
- Step 2: Contact table, mode = Insert, auto-populate Account lookup from step 1
- Step 3: Custom subscription table, mode = Insert, pre-populate Account lookup via Referenced Entity
- Grant Table Permission Create on all three tables for the relevant web role.
Design: Real-time data dashboard (records reflect within seconds without page reload).
Server-side Liquid/Table Lists cannot do real-time — they render at page load only.
Use the Power Pages Web API client-side:
setInterval(async () => {
const res = await fetch('/_api/cr123_orders?$filter=...');
const data = await res.json();
// update DOM with data.value
}, 5000);
Tip: Polling every 5–10 seconds handles most "real-time" business requirements without additional infrastructure.
Design: Anonymous lead capture form — no login, no data visible.
- Basic Table Form on Lead table, mode = Insert, no authentication required.
- Grant Anonymous Users web role a Table Permission with only Create privilege — no Read, Write, or Delete.
- No Table List on any anonymous page.
- Add CAPTCHA via custom Liquid/JS integration (Google reCAPTCHA).
- Set
Authentication/Registration/Enabledtofalseif no self-registration needed.
12. Scenario-Based — Security Scenarios
Scenario: Pen test finds users can access other users' records by manipulating the GUID in the URL.
Fix: Change Table Permission scope from Global to Contact.
With Contact scope, fetching a record not linked to the user's Contact returns 403 — even with the correct GUID.
Warning: Global Read scope is the single most common security misconfiguration in Power Pages portals. Default to Contact or Account scope unless Global is explicitly required.
Scenario: Prevent portal from being used as open relay to spam Dataverse.
- Ensure only authenticated users have Create permission.
- Add CAPTCHA on public forms.
- Use Power Automate to detect unusual create volume.
- Dataverse API limits apply — 6000 requests per 5 minutes per user.
- Route public form submissions through a Power Automate HTTP trigger for extra validation.
Scenario: Company A must never see Company B data (multi-tenant portal).
- Ensure every Contact is linked to the correct parent Account.
- Ensure all data records have a lookup to the Account.
- Set all Table Permissions to Account scope.
- Use Parent scope for child records (e.g., Order Lines linked to Orders).
Tip: Account scope is the correct architecture for B2B multi-tenant portals. Contact scope works for B2C (individual consumer) portals.
Scenario: Sensitive columns (salary, SSN) must never be exposed via the Web API.
- In Site Setting
Webapi/<tablename>/fields, explicitly list only safe columns — never use*on sensitive tables. - Apply Dataverse Field Security Profiles to sensitive columns as a second layer.
- Only add permitted fields to the Dataverse form used by the portal.
Warning: Using
Webapi/table/fields = *on a table with sensitive data is a critical misconfiguration. Always use an explicit allowlist.
13. Liquid Templating — Advanced Patterns
What is the difference between {% assign %} and {% capture %}?
assignstores a simple value or object reference.capturerenders a block of Liquid/HTML into a string variable.
{% assign username = user.fullname %}
{% capture welcome_msg %}
<p>Welcome back, {{ user.fullname }}!</p>
{% endcapture %}
{{ welcome_msg }}
How do you query Dataverse records using fetchxml in Liquid?
{% fetchxml my_cases %}
<fetch top="10">
<entity name="incident">
<attribute name="title"/>
<attribute name="statecode"/>
<filter>
<condition attribute="customerid"
operator="eq" value="{{ user.id }}"/>
</filter>
</entity>
</fetch>
{% endfetchxml %}
{% for case in my_cases.results.entities %}
<p>{{ case.title }} — {{ case.statecode.label }}</p>
{% endfor %}
How do you access the currently logged-in user's details?
{% if user %}
Hello, {{ user.fullname }}
Contact ID: {{ user.id }}
Email: {{ user.emailaddress1 }}
Account: {{ user.parentcustomerid.name }}
{% else %}
<a href="/signin">Please sign in</a>
{% endif %}
Tip:
user.rolesreturns the collection of web roles. Useuser.roles | where: 'name', 'Admin' | firstto check for a specific role.
How do you conditionally show content based on web role?
{% assign is_partner = user.roles
| where: 'name', 'Partner'
| first %}
{% if is_partner %}
<a href="/partner-dashboard">Partner portal</a>
{% endif %}
Warning: This controls UI rendering only — it does not replace Table Permissions.
How do you read URL query string parameters in Liquid?
{% comment %} URL: /orders?status=active&page=2 {% endcomment %}
{{ request.params['status'] }} → active
{{ request.params['page'] }} → 2
Security Note: Never use raw query string values directly in fetchxml conditions without validation.
14. Liquid Templating — Web Templates
What is a Web Template and how does it differ from a Page Template?
- Web Template: contains the actual Liquid + HTML markup (the code layer).
- Page Template: configuration record referencing a Web Template, defining how it is used.
Chain: Web Page → Page Template → Web Template
How do you create a reusable component across multiple pages?
{%- comment -%} Web Template: "case-card" {%- endcomment -%}
<div class="card">
<h3>{{ case.title }}</h3>
<p>{{ case.statecode.label }}</p>
</div>
{%- comment -%} Parent Template {%- endcomment -%}
{% for case in my_cases.results.entities %}
{% include 'case-card' %}
{% endfor %}
How do you pass parameters into an included Web Template?
{% include 'alert-banner'
message: 'Your submission was received.'
type: 'success' %}
{%- comment -%} Web Template: "alert-banner" {%- endcomment -%}
<div class="alert alert-{{ type }}">
{{ message }}
</div>
What is the block and extends pattern in Web Templates?
{%- comment -%} Base layout Web Template {%- endcomment -%}
<html>
<body>
<header>{% block header %}Default header{% endblock %}</header>
<main>{% block content %}{% endblock %}</main>
<footer>{% block footer %}Default footer{% endblock %}</footer>
</body>
</html>
{%- comment -%} Child Web Template {%- endcomment -%}
{% extends 'base-layout' %}
{% block content %}
<h1>My Page Content</h1>
{% endblock %}
15. Liquid Templating — Performance
Why is putting multiple fetchxml blocks on one page a performance problem?
Each {% fetchxml %} is a synchronous round-trip to Dataverse during server-side rendering. Five fetchxml blocks = five blocking Dataverse calls before the user sees anything.
Fixes:
- Merge related queries using
link-entityfetchxml. - Move non-critical data fetches client-side using the Web API.
- Cache expensive results in a Content Snippet updated by a flow.
- Always use
topin fetchxml — never fetch unbounded result sets.
Target: 1–2 server-side queries max per page.
What is the N+1 fetchxml anti-pattern?
{%- comment -%} NEVER do this {%- endcomment -%}
{% for order in orders.results.entities %}
{% fetchxml lines %}
<fetch><entity name="salesorderdetail">
<filter><condition attribute="salesorderid"
operator="eq" value="{{ order.id }}"/>
</filter>
</entity></fetch>
{% endfetchxml %}
{% endfor %}
Fix: Use <link-entity> in a single fetchxml query.
How do you use link-entity in fetchxml to avoid multiple queries?
{% fetchxml orders_with_account %}
<fetch top="20">
<entity name="salesorder">
<attribute name="name"/>
<attribute name="totalamount"/>
<link-entity name="account"
from="accountid" to="customerid"
alias="acct">
<attribute name="name"/>
</link-entity>
</entity>
</fetch>
{% endfetchxml %}
{% for o in orders_with_account.results.entities %}
{{ o.name }} — {{ o['acct.name'] }}
{% endfor %}
16. Liquid Templating — Gotchas & Traps
Why does {{ value | default: 'N/A' }} sometimes still output blank?
The default filter only triggers when the value is nil, false, or "". If the Dataverse field returns an empty object (e.g., a lookup), default does not fire.
{% comment %} Safe pattern for lookups {% endcomment %}
{% if entity.parentcustomerid %}
{{ entity.parentcustomerid.name }}
{% else %}
N/A
{% endif %}
Why does modifying a variable inside a {% for %} loop not persist after the loop ends?
Liquid has block scoping — variables assigned inside a for loop do not leak out to the parent scope.
{% assign total = 0 %}
{% for item in items %}
{% assign total = total | plus: item.amount %}
{% endfor %}
{{ total }} ← always outputs 0!
Fix: Use fetchxml aggregate functions or calculate client-side with JavaScript.
How do you output a literal {{ or {% without Liquid interpreting it?
{% raw %}
Vue template: {{ message }}
Angular binding: {{ user.name }}
Handlebars: {{#each items}}
{% endraw %}
Essential when embedding JavaScript frameworks (Vue, Angular, Handlebars) inside a Web Template.
Why does {% include 'my-template' %} silently render nothing?
Three common causes:
- The Web Template name is incorrect — names are case-sensitive.
- The included template has a Liquid error — Liquid silently swallows errors in includes.
- The included template references variables not in scope at the point of inclusion.
Liquid fetchxml returns empty but XrmToolBox shows records. Why?
The portal executes fetchxml in the context of the portal application user — not as an admin.
- Table Permissions: the web role lacks Read permission on the table.
- Record ownership: with Contact scope, no records are linked to the current Contact.
- Business Unit security: the portal application user's Dataverse role may not have org-level read.
Warning: Always test fetchxml in the browser as a portal user, not as an admin in XrmToolBox.
17. Liquid Cheat Sheet
Global Objects
| Object | Description | Key Properties |
|---|---|---|
user |
Logged-in Contact record. null for anonymous. |
.fullname, .id, .emailaddress1, .parentcustomerid.name, .roles |
request |
Current HTTP request | .url, .path, .params['key'] |
page |
Current web page record | .title, .url, .parent.title |
website |
Portal website record | .name, .id |
sitemarkers |
Named page pointers | sitemarkers['Name'].url |
settings |
Site Settings values | settings['Key/Name'] |
snippets |
Content Snippets | snippets['Snippet/Name'] |
weblinks |
Web link sets (nav menus) | weblinks['Set Name'].weblinks |
Essential Tags
| Tag | Purpose |
|---|---|
{% fetchxml result %}...{% endfetchxml %} |
Query Dataverse. Results in result.results.entities |
{% include 'template-name' key: val %} |
Include another Web Template with optional params |
{% extends 'layout' %} |
Inherit from a base layout template |
{% block name %}...{% endblock %} |
Define/override a named block region |
{% assign var = value %} |
Store a value in a variable |
{% capture var %}...{% endcapture %} |
Render Liquid block into a string variable |
{% raw %}...{% endraw %} |
Output {{ }} literally — for Vue/Angular/Handlebars |
{% unless condition %} |
Render when condition is false |
{% for item in collection %} |
Loop over a collection |
{% if / elsif / else / endif %} |
Conditional rendering |
Essential Filters
| Filter | Example | Output |
|---|---|---|
date |
{{ date | date: "%d %b %Y" }} |
18 Apr 2025 |
where |
user.roles | where: 'name', 'Admin' |
Filtered array |
first / last |
collection | first |
First/last item |
map |
roles | map: 'name' |
Array of names |
join |
arr | join: ', ' |
A, B, C |
size |
entities | size |
Count |
truncate |
text | truncate: 80 |
Shortened string |
default |
value | default: 'N/A' |
Fallback (strings/nil only) |
downcase / upcase |
email | downcase |
Normalised case |
replace |
str | replace: 'a','b' |
Substituted string |
plus / minus / times / divided_by |
10 | plus: 5 |
Arithmetic result |
Critical Patterns to Memorise
{% comment %} Role check {% endcomment %}
{% assign is_admin = user.roles | where: 'name', 'Admin' | first %}
{% if is_admin %}...{% endif %}
{% comment %} Null-safe lookup {% endcomment %}
{% if entity.parentcustomerid %}
{{ entity.parentcustomerid.name }}
{% endif %}
{% comment %} Whitelist URL params {% endcomment %}
{% assign allowed = 'active,inactive' | split: ',' %}
{% assign status = request.params['status'] %}
{% if allowed contains status %}
use {{ status }} safely
{% endif %}
{% comment %} link-entity JOIN (avoid N+1) {% endcomment %}
<link-entity name="account" from="accountid"
to="customerid" alias="acct">
<attribute name="name"/>
</link-entity>
{{ entity['acct.name'] }}
Top 3 Traps
- Loop scope —
{% assign %}inside{% for %}does NOT persist after the loop. defaultfilter — fails silently on empty lookup objects. Use{% if %}guards instead.- fetchxml inside a loop — causes N+1 Dataverse queries. Always use
link-entityfor related data.
