Security in Microsoft Dataverse
This section provides information on how Microsoft Dataverse, the underlying data platform for Power Apps, handles security from user authentication to authorization that allows users to perform actions with data and services. Conceptually, security in Dataverse is there to ensure users can do the work they need to do with the least amount of friction, while still protecting the data and services. Security in Dataverse can be implemented as a simple security model with broad access all the way to highly complex security models where users have specific record and field level access.
The following is a high-level overview of how security model is implemented in Dataverse.
- Users are authenticated by Azure Active Directory (Azure AD).
- Licensing is the first control-gate to allowing access to Power Apps components.
- Ability to create applications and flows is controlled by security roles in the context of environments.
- A user's ability to see and use apps is controlled by sharing the application with the user. Sharing of canvas apps is done directly with a user or Azure AD group but is still subject to Dataverse security roles. Sharing of model-driven apps is done via Dataverse security roles.
- Environments act as security boundaries allowing different security needs to be implemented in each environment.
- Flows and Canvas apps use connectors, the specific connections credentials and associated service entitlements determine permissions when apps use the connectors.
- Environments with Dataverse add support for more advanced security models that are specific to controlling access to data and services in the Dataverse environment.
To learn about how to help secure and govern Microsoft Power Platform apps like Power Automate, check out the Microsoft Learn: Introduction to Power Automate security and governance.
What is Dataverse?
Security concepts in Dataverse
How access to a record is determined
Data loss prevention policies
Block access by location with Azure AD Conditional Access
Cross-tenant inbound and outbound restrictions
Control user access to environments: security groups and licenses