
Security brings trust to the business and is the foremost and fundamental pillar that must be ensured before thinking about the rest of the platform capabilities of the solution. Although the Power Platform is natively integrated with Azure Active Directory for identity and access management, there are a few steps that are absolutely necessary for your Power Platform security. In this blog, I have covered a few recommendations, summarised in three steps, that will help you secure your business and personal productivity applications alike. The first step gives control over who can access the environment and is authorised to perform operations on its resources (apps, flows, connectors and the data). The second step is to log all the activities that users perform after gaining access to the environment. The last step is to put guardrails in place to protect the data from accidental or intentional misuse without compromising the promise of being the citizen application platform.
Environment-level access control
At every environment level, we can define a security group, which provides the first layer of security. If no security group is assigned, the environment is open to all the users in your tenant. This is completely fine for the default (personal productivity) environment but is not encouraged for other environments, especially those hosting critical business applications (Dynamics 365 or other restricted Power Apps). The next layer of security is controlled by the permissions and roles that the users are assigned. Even though access is fully configurable down to every resource level (entity and fields), it is worth looking at the standard roles that come with a CDS-enabled environment.
Security Role | Description |
--- | --- |
System Administrator | Complete ability to customize and administer the environment. Full read/write access to data in the database. The role cannot be modified. Care should be taken in assigning this to the right people. |
System Customizer | Full permission to customize the environment. Data access is focused only on data owned by the user. The role can be modified, but modifying it is not recommended. |
Environment Maker | Create new resources in the environment, including apps, connections, gateways and Power Automate flows. No default privileges to data are included. The role can be modified, but modifying it is not recommended. |
Common Data Service User | Basic user role, with the ability to run apps and perform common tasks but no ability to customize the system. Data access is focused on read access to most Common Data Model core entities, with full access to records owned by the user (i.e. ‘self’ privileges). A good role to copy when making a custom security role for users. |
Enable the audit log
Microsoft 365 Security and Compliance Centre is the one-stop solution for comprehensive logging across all Microsoft services. Power Platform activities are also recorded and stored in the compliance centre. The only prerequisite for enabling the audit log is to have Microsoft 365 Enterprise E3 or E5 licenses. The steps to enable the logging and then to access the reports are documented here. With auditing enabled, you can have peace of mind, because you have a record if someone with access performs some naughty activities.
Data Loss Prevention policy
The last leg of security is protection from within. With 300+ connectors in the Power Platform and more being added, it is extremely important to put guardrails in place to protect the makers’ community from unintended exposure of data to external services. Since connectors can be blocked, a restrict-all policy that allows only known connectors is the safest approach. For example, block social media, Dropbox and the like, and keep only the Microsoft standard connectors unless there is a business case to allow more. The default environment needs further restrictions: connectors to critical business data, such as Azure-hosted assets and SQL Server, should be blocked there. Lastly, for dedicated environments a specialised policy can be applied depending on requirements, for example a less restrictive policy for Marketing and a combination of selected connectors for Finance.