Security and governance considerations

Article
10/06/2022

Many customers wonder how can Power Platform be made available to their broader business and supported by IT? Governance is the answer. It aims to enable business groups to focus on solving business problems efficiently while complying with IT and business compliance standards. The following content is intended to structure themes often associated with governing software and bring awareness to capabilities available for each theme as it relates to governing Power Platform.

Theme	Common questions related to each theme for which this content answers
Architecture	What are the basic constructs and concepts of Power Apps, Power Automate, and Microsoft Dataverse? How do these constructs fit together at design time and runtime?
Security	What are the best practices for security design considerations? How do I leverage our existing user and group management solutions to manage access and security roles in Power Apps?
Alert and Action	How do I define the governance model between citizen developers and managed IT services? How do I define the governance model between central IT and the business unit admins? How should I approach support for non-default environments in my organization?
Monitor	How are we capturing compliance / auditing data? How can I measure adoption and usage within my organization?

Architecture

It's best to familiarize oneself with Environments as the first step to building the right governance story for your company. Environments are the containers for all resources used by a Power Apps, Power Automate and Dataverse. Environments Overview is a good primer which should be followed by What is Dataverse?, Types of Power Apps, Microsoft Power Automate, Connectors, and On-premises Gateways.

Security

This section outlines mechanisms that exist to control who can access Power Apps in an environment and access data: licenses, environments, environment roles, Microsoft Entra ID, Data Loss Prevention policies and admin connectors that can be used with Power Automate.

Licensing

Access to Power Apps and Power Automate starts with having a license. The type of license a user has determines the assets and data a user can access. The following table outlines differences in resources available to a user based on their plan type, from a high level. Granular licensing details can be found in the Licensing overview.

Plan	Description
Microsoft 365 Included	This allows users to extend SharePoint and other Office assets they already have.
Dynamics 365 Included	This allows users to customize and extend customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), they already have.
Power Apps plan	This allows: making enterprise connectors and Dataverse accessible for use. users to use robust business logic across application types and administration capabilities.
Power Apps Community	This allows a user to use Power Apps, Power Automate, Dataverse and customer connectors in a single for individual use. There's no ability to share apps.
Power Automate Free	This allows users to create unlimited flows and do 750 runs.
Power Automate plan	See Microsoft Power Apps and Microsoft Power Automate Licensing Guide.

Environments

After users have licenses, environments exist as containers for all resources used by Power Apps, Power Automate and Dataverse. Environments can be used to target different audiences and/or for different purposes such as developing, testing and production. More information can be found in the Environments Overview.

Secure your data and network

Power Apps and Power Automate do not provide users with access to any data assets that they don't already have access to. Users should only have access to data that they really require access to.
Network Access control policies can also apply to Power Apps and Power Automate. For environment, one can block access to a site from within a network by blocking the sign-on page to prevent connections to that site from being created in Power Apps and Power Automate.
In an environment, access is controlled at three levels: Environment roles, Resource permissions for Power Apps, Power Automate, etc. and Dataverse security roles (if a Dataverse data base is provisioned).
When Dataverse is created in an environment the Dataverse roles will take over for controlling security in the environment (and all environment admins and makers are migrated).

The following principals are supported for each role type.

Environment type	Role	Principal Type (Microsoft Entra ID)
Environment without Dataverse	Environment role	User, group, tenant
	Resource permission: Canvas app	User, group, tenant
	Resource permission: Power Automate, Custom Connector, Gateways, Connections¹	User, group
Environment with Dataverse	Environment role	User
	Resource permission: Canvas app	User, group, tenant
	Resource permission: Power Automate, Custom Connector, Gateways, Connections¹	User, group
	Dataverse role (applies to all model-driven apps and components)	User

¹Only certain connections (like SQL) can be shared.

Note

In the Default environment, all users in a tenant are granted access to the Environment Maker role.
Microsoft Entra tenant Global Administrators have admin access to all environments.

FAQ - What permissions exist at an Microsoft Entra tenant level?

Today, Microsoft Power Platform admins can do the following:

Download the Power Apps & Power Automate license report
Create DLP policy scoped only to 'All Environments' or scoped to include/exclude specific environments
Manage and assign licenses via Office admin center
Access all environment, app, and flow management capabilities for all environments in the tenant available through:
- Power Apps Admin PowerShell cmdlets
- Power Apps management connectors
Access the Power Apps and Power Automate admin analytics for all environments in the tenant:
- https://aka.ms/paadminanalytics
- https://aka.ms/flowadminanalytics

Consider Microsoft Intune

Customers with Microsoft Intune can set mobile application protection policies for both Power Apps and Power Automate apps on Android and iOS. This walkthrough highlights setting a policy via Intune for Power Automate.

Consider location-based conditional access

For customers with Microsoft Entra ID P1 or P2, conditional access policies can be defined in Azure for Power Apps and Power Automate. This allows granting or blocking access based upon: user/group, device, location.

Creating a Conditional Access Policy

Sign in to https://portal.azure.com.
Select Conditional Access.
Select + New Policy.
Selectusers and groups selected.
Select All cloud apps > All cloud apps > Common Data Service to control access to customer engagement apps.
Apply conditions (user risk, device platforms, locations).
Select Create.

Prevent data leakage with data loss prevent policies

Data loss prevention policies (DLP) enforce rules for which connectors can be used together by classifying connectors as either Business Data only or No Business Data allowed. Simply, if you put a connector in the business data only group, it can only be used with other connectors from that group in the same application. Power Platform admins can define policies that apply to all environments.

FAQ

Q: Can I control, on the tenant level, which connector is at all available, for example No to Dropbox or Twitter but Yes to SharePoint?

A: This is possible by utilizing the connectors classification capabilities and assigning the Blocked classifier to one or more connectors that you want to keep from being used. Note that there are a set of connectors that can’t be blocked.

Q: What about Sharing connectors between users? For example, the connector for Teams is a general one that can be shared?

A: Connectors are available to all users. With the exception of premium or custom connectors which need either an additional license (premium connectors) or have to be explicitly shared (custom connectors)

Alert and action

In addition to monitoring, many customers want to subscribe to software creation, usage or health events so they know when to perform an action. This section outlines a few means to observe events (manually and programmatically) and perform actions triggered by an event occurrence.

Build Power Automate flows to alert on key audit events

An example of alerting that can be implemented is subscribing to Microsoft 365 Security and Compliance Audit Logs.
This can be achieved through either a webhook subscription or polling approach. However, by attaching Power Automate to these alerts, we can provide administrators with more than just email alerts.

Build the policies you need with Power Apps, Power Automate, and PowerShell

These PowerShell cmdlets place full control in the hands of admins to automate the governance policies necessary.
The Management connectors provide the same level of control but with added extensibility and ease-of-uses by leveraging Power Apps and Power Automate.
The following Power Automate templates for administration connectors exist for ramping up quickly:
Use this blog and app template ramp up quickly on the administration connectors.
Additionally, it's worth checking out content shared in the Community Apps Gallery, here's another example of an administrative experience built using Power Apps and admin connectors.

FAQ

Problem Currently, all users with Microsoft E3 licenses can create apps in the Default environment. How can we enable Environment Maker rights to a select group, for example. 10 persons to create apps?

Recommendation The PowerShell cmdlets and Management connectors provide full flexibility and control to administrators to build the policies they want for their organization.

Monitor

It's well understood that monitoring as a critical aspect of managing software at scale, this section highlights a couple of means to get insight in Power Apps and Power Automate development and usage.

Review the audit trail

Activity logging for Power Apps is integrated with Office Security and Compliance center for comprehensive logging across Microsoft services like Dataverse and Microsoft 365. Office provides an API to query this data, which is currently used by many SIEM vendors to use the Activity Logging data for reporting.

View the Power Apps and Power Automate license report

Go to the Power Platform admin center.
Select Analytics > Power Automate or Power Apps.
View Power Apps and Power Automate admin analytics

You can get information about the following:
- Active User and App usage - how many users are using an app and how often?
- Location – where is the usage?
- Service Performance of connectors
- Error reporting – which are the most error prone apps
- Flows in use by type and date
- Flows created by type and date
- Application-level auditing
- Service Health
- Connectors used

View what users are licensed

You can always look at individual user licensing in the Microsoft 365 admin center by drilling into specific users.

You can also use the following PowerShell command to export assigned user licenses.

Get-AdminPowerAppLicenses -OutputFilePath '<licenses.csv>'

Exports all the assigned user licenses (Power Apps and Power Automate) in your tenant into a tabular view .csv file. The exported file contains both self-service sign-up internal trial plans as well as plans that are sourced from Microsoft Entra ID. The internal trial plans are not visible to admins in the Microsoft 365 admin center.

The export can take a while for tenants with a large number of Power Platform users.

View app resources used in an Environment

In the Power Platform admin center, select Environments in the navigation menu.
Select an Environment.
Optionally, the list of resources used in an Environment may be downloaded as a .csv.