Security in Common Data Service

This section provides information on how Common Data Service, the underlying data platform for Power Apps, handles security from user authentication to authorization that allows users to perform actions with data and services. Conceptually, security in Common Data Service is there to ensure users can do the work they need to do with the least amount of friction, while still protecting the data and services. Security in Common Data Service can be implemented as a simple security model with broad access all the way to highly complex security models where users have specific record and field level access.

The following is a high-level overview of how security model is implemented in Common Data Service.

  • Users are authenticated by Azure Active Directory (Azure AD).
  • Licensing is the first control-gate to allowing access to Power Apps components.
  • Ability to create applications and flows is controlled by security roles in the context of environments.
  • A user's ability to see and use apps is controlled by sharing the application with the user. Sharing of canvas apps is done directly with a user or Azure AD group but is still subject to Common Data Service security roles. Sharing of model-driven apps is done via Common Data Service security roles.
  • Environments act as security boundaries allowing different security needs to be implemented in each environment.
  • Flows and Canvas apps use connectors, the specific connections credentials and associated service entitlements determine permissions when apps use the connectors.
  • Environments with Common Data Service add support for more advanced security models that are specific to controlling access to data and services in the Common Data Service environment.


To learn about how to help secure and govern Power Platform apps like Power Automate, check out the Microsoft Learn: Introduction to Power Automate security and governance.

See also

What is Common Data Service?
Security concepts in Common Data Service
Data loss prevention policies
Block access by location with Azure AD Conditional Access
Cross-tenant inbound and outbound restrictions
Control user access to environments: security groups and licenses