Governance considerations

Many customers wonder: How can Power Apps and Power Automate be made available to their broader business and supported by IT? Governance is the answer. It aims to enable business groups to focus on solving business problems efficiently while complying with IT and business compliance standards. The following content is intended to structure themes often associated with governing software and bring awareness to capabilities available for each theme as it relates to governing Power Apps and Power Automate.

Each theme below is listed with the common questions that this content answers for it.
Architecture
  • What are the basic constructs and concepts of Power Apps, Power Automate, and Common Data Service?

  • How do these constructs fit together at design time and runtime?
Security
  • What are the best practices for security design considerations?

  • How do I leverage our existing user and group management solutions to manage access and security roles in Power Apps?
Alert and Action
  • How do I define the governance model between citizen developers and managed IT services?

  • How do I define the governance model between central IT and the business unit admins?

  • How should I approach support for non-default environments in my organization?
Monitor
  • How are we capturing compliance / auditing data?

  • How can I measure adoption and usage within my organization?

Architecture

It's best to familiarize oneself with Environments as the first step to building the right governance story for your company. Environments are the containers for all resources utilized by Power Apps, Power Automate and Common Data Service. Environments Overview is a good primer which should be followed by Common Data Service, Types of Power Apps, Microsoft Power Automate, Connectors, and On-premises Gateways.

Security

This section outlines mechanisms that exist to control who can access Power Apps in an environment and access data: licenses, environments, environment roles, Azure Active Directory, Data Loss Prevention policies and admin connectors that can be used with Power Automate.

Licensing

Access to Power Apps and Power Automate starts with having a license. The type of license a user has determines the assets and data that the user can access. The following table outlines, at a high level, the differences in resources available to a user based on their plan type. Granular licensing details can be found in the Licensing overview.

Plan | Description
Microsoft 365 Included | This allows users to extend SharePoint and other Office assets they already have.
Dynamics 365 Included | This allows users to customize and extend model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service, that they already have.
Power Apps plan | This allows:
  • making enterprise connectors and Common Data Service accessible for use.
  • users to use robust business logic across application types and administration capabilities.
Power Apps Community | This allows a user to use Power Apps, Power Automate, Common Data Service and custom connectors in a single environment for individual use. There is no ability to share apps.
Power Automate Free | This allows users to create unlimited flows and perform 750 runs.
Power Automate plan | See Microsoft Power Apps and Microsoft Power Automate Licensing Guide.

Environments

After users have licenses, environments exist as containers for all resources utilized by Power Apps, Power Automate and Common Data Service. Environments can be used to target different audiences and/or for different purposes such as developing, testing and production. More information can be found in the Environments Overview.

Secure your data and network

  • Power Apps and Power Automate do not provide users with access to any data assets that they don't already have access to. Users should only have access to data that they really require access to.
  • Network Access control policies can also apply to Power Apps and Power Automate. For example, one can block access to a site from within a network by blocking the sign-on page to prevent connections to that site from being created in Power Apps and Power Automate.
  • In an environment, access is controlled at three levels: Environment roles, Resource permissions for Power Apps, Power Automate, and so on, and Common Data Service security roles (if a Common Data Service database is provisioned).
  • When Common Data Service is created in an environment the Common Data Service roles will take over for controlling security in the environment (and all environment admins and makers are migrated).

The following principals are supported for each role type.

Environment type | Role | Principal type (Azure AD)
Environment without Common Data Service | Environment role | User, group, tenant
Environment without Common Data Service | Resource permission: Canvas app | User, group, tenant
Environment without Common Data Service | Resource permission: Power Automate, Custom Connector, Gateways, Connections [1] | User, group
Environment with Common Data Service | Environment role | User
Environment with Common Data Service | Resource permission: Canvas app | User, group, tenant
Environment with Common Data Service | Resource permission: Power Automate, Custom Connector, Gateways, Connections [1] | User, group
Environment with Common Data Service | Common Data Service role (applies to all model-driven apps and components) | User

[1] Only certain connections (like SQL) can be shared.

Note

  • In the Default environment, all users in a tenant are granted access to the Environment Maker role.
  • Azure AD tenant Global Administrators have admin access to all environments.

FAQ - What permissions exist at an Azure AD tenant level?

Today, Power Platform admins can perform the following:

  1. Download the Power Apps & Power Automate license report
  2. Create DLP policy scoped only to 'All Environments' or scoped to include/exclude specific environments
  3. Manage and assign licenses via Office admin center
  4. Access all environment, app, and flow management capabilities for all environments in the tenant available through:
    • Power Apps Admin center
    • Power Apps Admin PowerShell cmdlets
    • Power Apps management connectors
  5. Access the Power Apps and Power Automate admin analytics for all environments in the tenant.

Consider Microsoft Intune

Customers with Microsoft Intune can set mobile application protection policies for both Power Apps and Power Automate apps on Android and iOS. This walkthrough highlights setting a policy via Intune for Power Automate.

Consider location-based conditional access

For customers with Azure AD Premium, conditional access policies can be defined in Azure for Power Apps and Power Automate. This allows granting or blocking access based upon: user/group, device, location.

Creating a Conditional Access Policy

  1. Sign in to https://portal.azure.com
  2. Select Azure Active Directory
  3. Select Conditional Access.
  4. Select + New Policy
  5. Select user and groups
  6. Select the cloud apps - select Common Data Service to control access to model-driven apps in Dynamics 365 (such as Dynamics 365 Sales and Dynamics 365 Customer Service)
  7. Apply conditions (user/group, device, location)

Prevent data leakage with data loss prevention policies

Data loss prevention policies (DLP) enforce rules for which connectors can be used together by classifying connectors as either Business Data only or No Business Data allowed. Simply, if you put a connector in the business data only group, it can only be used with other connectors from that group in the same application. Power Platform admins can define policies that apply to all environments.
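
The grouping rule above can be checked against an inventory of apps and flows before a policy is rolled out. The following is an added example, not Microsoft's code or part of the original page: the policy contents, connector assignments, inventory, and the choice of "No Business Data allowed" as the default group for unlisted connectors are all assumptions made for illustration.

```python
# Added example: models the two-group DLP rule. The policy, connector
# names and inventory are constructed; the default group is an assumption.
from dataclasses import dataclass

BUSINESS = "Business data only"
NON_BUSINESS = "No business data allowed"


@dataclass(frozen=True)
class Resource:
    name: str          # app or flow display name
    owner: str
    connectors: tuple  # connectors the app or flow uses


def classify(connector, business_group):
    """Each connector is in exactly one group; connectors the policy does
    not list fall into the default group (assumed here: NON_BUSINESS)."""
    return BUSINESS if connector in business_group else NON_BUSINESS


def find_violations(resources, business_group):
    """Return (resource, business, non_business) for every resource that
    combines connectors from both groups."""
    findings = []
    for res in resources:
        groups = {BUSINESS: [], NON_BUSINESS: []}
        for connector in sorted(set(res.connectors)):
            groups[classify(connector, business_group)].append(connector)
        if groups[BUSINESS] and groups[NON_BUSINESS]:
            findings.append((res, groups[BUSINESS], groups[NON_BUSINESS]))
    return findings


POLICY_BUSINESS_GROUP = frozenset({"SharePoint", "Common Data Service", "Office 365 Outlook"})
INVENTORY = [  # constructed sample inventory
    Resource("Expense approvals", "alice@contoso.example", ("SharePoint", "Office 365 Outlook")),
    Resource("Tweet new leads", "bob@contoso.example", ("Common Data Service", "Twitter")),
    Resource("Personal file sync", "carol@contoso.example", ("Dropbox", "Twitter")),
]

if __name__ == "__main__":
    for res, biz, other in find_violations(INVENTORY, POLICY_BUSINESS_GROUP):
        print(f"{res.name} ({res.owner}): {biz} must not be combined with {other}")
```

Only the flow that mixes groups is reported; a resource that uses nothing but connectors from the non-business group passes, because the policy restricts combinations rather than individual connectors.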

FAQ

Q: Can I control, on the tenant level, which connectors are available at all (e.g. No to Dropbox or Twitter but Yes to SharePoint)?

A: This is not possible. Customers can subscribe to Audit events to perform corrective action if there are flows that have been built that create concerns for customers. In fact, a very large Power Apps customer has leveraged this approach to apply another level of governance.

Q: What about Sharing connectors between users? E.g. the connector for Teams is a general one that can be shared (?)

A: Connectors are available to all users, with the exception of premium or custom connectors, which either need an additional license (premium connectors) or have to be explicitly shared (custom connectors).

Alert and action

In addition to monitoring, many customers want to subscribe to software creation, usage or health events so they know when to perform an action. This section outlines a few means to observe events (manually and programmatically) and perform actions triggered by an event occurrence.

Leverage the Power Apps and Microsoft Power Automate admin center

Environment and app management requires a Power Apps plan or a Power Automate plan. You can do the following:

  1. View and manage environments.
  2. View and manage all apps and flows within an environment.

Build Power Automate flows to alert on key audit events

  1. An example of alerting that can be implemented is subscribing to Microsoft 365 Security and Compliance Audit Logs.
  2. This can be achieved through either a webhook subscription or polling approach. However, by attaching Power Automate to these alerts, we can provide administrators with more than just email alerts.
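
The polling approach needs triage logic that ignores routine events and does not alert twice when poll windows overlap. The following is an added example, not part of the original page or any Microsoft sample: field names follow the Office 365 Management Activity API common schema, while the Workload and Operation values, the allow-list of makers, and every record are constructed assumptions.

```python
# Added example: triage for polled audit records. The Workload and
# Operation values and every record below are constructed assumptions.
import json

WATCHED = {  # (Workload, Operation) -> why an admin wants to hear about it
    ("PowerApps", "PowerAppPermissionEdited"): "app sharing changed",
    ("MicrosoftFlow", "CreateFlow"): "new flow created",
    ("MicrosoftFlow", "PutPermissions"): "flow sharing changed",
}
APPROVED_MAKERS = frozenset({"alice@contoso.example"})  # hypothetical allow-list


def triage(records, seen_ids, approved_makers=APPROVED_MAKERS):
    """Return alerts for watched events. seen_ids persists between polls so
    overlapping poll windows do not raise the same alert twice."""
    alerts = []
    for rec in records:
        rec_id = rec.get("Id")
        if not rec_id or rec_id in seen_ids:
            continue
        seen_ids.add(rec_id)
        reason = WATCHED.get((rec.get("Workload"), rec.get("Operation")))
        if reason is None:
            continue  # routine event such as an app launch
        user = (rec.get("UserId") or "unknown").lower()
        alerts.append({
            "id": rec_id,
            "time": rec.get("CreationTime"),
            "user": user,
            "reason": reason,
            "severity": "info" if user in approved_makers else "review",
        })
    return alerts

SAMPLE_POLL = json.loads("""[
  {"Id": "a1", "CreationTime": "2020-03-02T09:15:00", "Workload": "MicrosoftFlow",
   "Operation": "CreateFlow", "UserId": "Bob@contoso.example"},
  {"Id": "a2", "CreationTime": "2020-03-02T09:20:00", "Workload": "PowerApps",
   "Operation": "LaunchPowerApp", "UserId": "alice@contoso.example"},
  {"Id": "a3", "CreationTime": "2020-03-02T09:31:00", "Workload": "PowerApps",
   "Operation": "PowerAppPermissionEdited", "UserId": "alice@contoso.example"},
  {"Id": "a1", "CreationTime": "2020-03-02T09:15:00", "Workload": "MicrosoftFlow",
   "Operation": "CreateFlow", "UserId": "Bob@contoso.example"}
]""")

if __name__ == "__main__":
    for alert in triage(SAMPLE_POLL, set()):
        print(alert)
```

The returned alerts are plain dictionaries, so they can be handed to whatever notification or ticketing step the administrator prefers.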

Build the policies you need with Power Apps, Power Automate, and PowerShell

  1. These PowerShell cmdlets place full control in the hands of admins to automate the governance policies necessary.
  2. The Management connectors provide the same level of control but with added extensibility and ease of use by leveraging Power Apps and Power Automate.
  3. The following Power Automate templates for administration connectors exist for ramping up quickly:
    1. List new Power Automate Connectors
    2. Get List of new Power Apps, Power Automate flows and Connectors
    3. Email me a weekly summary of Office 365 Message Center notices
    4. Access Office 365 Security and Compliance Logs from Power Automate
  4. Use this blog and app template to ramp up quickly on the administration connectors.
  5. Additionally, it's worth checking out content shared in the Community Apps Gallery. Here's another example of an administrative experience built using Power Apps and admin connectors.

FAQ

Problem: Currently, all users with Office E3 licenses can create apps in the Default environment. How can we enable Environment Maker rights for a select group, for example, 10 persons, to create apps?

Recommendation: The PowerShell cmdlets and Management connectors provide full flexibility and control to administrators to build the policies they want for their organization.

Monitor

It's well understood that monitoring is a critical aspect of managing software at scale. This section highlights a couple of means to get insight into Power Apps and Power Automate development and usage.

Review the audit trail

Activity logging for Power Apps is integrated with Office Security and Compliance center for comprehensive logging across Microsoft services like Common Data Service and Microsoft 365. Office provides an API to query this data, which many SIEM vendors currently use to bring the Activity Logging data into their reporting.

Download the Power Apps and Power Automate license report

  1. https://admin.powerapps.com/tenant/userLicenses
  2. View Power Apps and Power Automate admin analytics
    1. Available now in preview from the new Power Platform admin center.
    2. One can get information along the following lines:
      1. Active User and App usage - how many users are using an app and how often?
      2. Location – where is the usage?
      3. Service Performance of connectors
      4. Error reporting – which are the most error prone apps
      5. Flows in use by type and date
      6. Flows created by type and date
      7. Application-level auditing
      8. Service Health
      9. Connectors used

View app resources used in an Environment

  1. In the Power Apps Admin center, select Environments in the navigation menu.
  2. Select an Environment.
  3. Optionally, the list of resources used in an Environment may be downloaded as a .csv.