Power Platform security: Three trusted guards

Power platform security

Security brings trust to the business and is the foremost and fundamental pillar that must be in place before thinking about the rest of the platform capabilities of the solution. Power Platform is natively integrated with Azure Active Directory for identity and access management, but there are still a few steps that are absolutely necessary for your Power Platform security. In this blog, I have covered a few recommendations, summarised in three steps, that will help you secure your business and personal productivity applications alike. The first step gives control over who can access the environment and who is authorised to perform operations on its resources (apps, flows, connectors and the data). In the second step, we log all the activities that users perform after gaining access to the environment. The last step is to have guardrails that protect the data from accidental or intentional misuse without compromising the promise of being the citizen application platform.

Environment level access control

At every environment level, we can define a security group, which provides the first layer of security. If no security group is assigned, the environment is open to all users in your tenant. This is completely fine for the default (personal productivity) environment but is not encouraged for other environments, especially those hosting critical business applications (Dynamics 365 or other restricted Power Apps). The next layer of security is controlled by the permissions and roles that users are assigned. Even though access is fully configurable at every resource level (entity and fields), it is worth looking into the standard roles that come with a CDS-enabled environment.

Security Role: System Administrator
Description: Complete ability to customize and administer the environment. Full read/write access to data in the database. The role cannot be modified. Care should be taken in assigning this to the right people.

Security Role: System Customizer
Description: Full permission to customize the environment. Data access is focused only on data owned by the user. The role can be modified but it is not recommended.

Security Role: Environment Maker
Description: Create new resources in the environment including apps, connections, gateways and Power Automate flows. No default privileges to data are included. The role can be modified but it is not recommended.

Security Role: Common Data Service User
Description: Basic user role, with the ability to run apps and perform common tasks but no ability to customize the system. Data access is focused on read access to most Common Data Model core entities, with full access to records owned by the user (i.e. 'self' privileges). A good role to copy to make a custom security role for users.

Table: Default security roles
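To make the two layers concrete, here is a small model of the security group gate and the default roles from the table. It is an added example, not code from the original post or from Microsoft; the users, environments and the simplified privilege depths ("user" = own records only, "org" = all records) are constructed for illustration.

```python
# Added example (not from the original post): a small model of the two
# access layers described above, the environment security group gate and
# the default security roles. Role privileges are simplified from the
# table; "user" depth means access only to records the user owns, "org"
# means all records. Users and environments are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# read/write depth: None (no data access), "user" (own records), "org" (all records).
# Simplification: the Common Data Service User role really gets read access on
# most core entities rather than on everything.
DEFAULT_ROLES = {
    "System Administrator":     {"customize": True,  "make": True,  "read": "org",  "write": "org"},
    "System Customizer":        {"customize": True,  "make": True,  "read": "user", "write": "user"},
    "Environment Maker":        {"customize": False, "make": True,  "read": None,   "write": None},
    "Common Data Service User": {"customize": False, "make": False, "read": "org",  "write": "user"},
}
DEPTH_RANK = {None: 0, "user": 1, "org": 2}


@dataclass
class Environment:
    name: str
    security_group: Optional[Set[str]] = None          # None = open to the whole tenant
    role_assignments: Dict[str, Set[str]] = field(default_factory=dict)

    def can_enter(self, user: str) -> bool:
        """First layer: the security group gate."""
        return self.security_group is None or user in self.security_group

    def _roles(self, user: str):
        return [DEFAULT_ROLES[r] for r in self.role_assignments.get(user, set())]

    def effective_depth(self, user: str, action: str) -> Optional[str]:
        """Second layer: union of the assigned roles, the deepest privilege wins."""
        if not self.can_enter(user):
            return None
        return max((r[action] for r in self._roles(user)), key=DEPTH_RANK.get, default=None)

    def can_access_record(self, user: str, action: str, owner: str) -> bool:
        depth = self.effective_depth(user, action)
        if depth == "org":
            return True
        if depth == "user":
            return owner == user
        return False

    def can_make(self, user: str) -> bool:
        """Create apps, flows and connections in the environment."""
        return self.can_enter(user) and any(r["make"] for r in self._roles(user))

    def can_customize(self, user: str) -> bool:
        return self.can_enter(user) and any(r["customize"] for r in self._roles(user))


# Constructed sample tenant: an open default environment and a restricted Finance one.
DEFAULT_ENV = Environment("Default", security_group=None,
                          role_assignments={"carol": {"Environment Maker"}})
FINANCE_ENV = Environment("Finance", security_group={"alice", "bob"},
                          role_assignments={"alice": {"System Administrator"},
                                            "bob": {"Common Data Service User"},
                                            "carol": {"Environment Maker"}})  # carol is not in the group


def who_can(env: Environment, action: str, owner: str, users) -> Dict[str, bool]:
    """Summarise record access per user, handy when reviewing an environment."""
    return {u: env.can_access_record(u, action, owner) for u in users}


if __name__ == "__main__":
    print(who_can(FINANCE_ENV, "write", "alice", ["alice", "bob", "carol"]))
```

The point the model makes is the ordering: carol holds the Environment Maker role in Finance but is not in its security group, so she gets nothing there, while in the open default environment the same role lets her create apps but still gives her no data access.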

Enable Audit log

Microsoft 365 Security and Compliance Centre is the one-stop solution for comprehensive logging across all Microsoft services. Power Platform activities are also recorded and stored in the compliance centre. The only prerequisite for enabling the audit log is to have Microsoft 365 Enterprise E3 or E5 licences. The steps to enable logging and then access the reports are documented here. With auditing enabled, you can have peace of mind if someone with access performs some naughty activities.
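Logging only pays off if someone looks at the records, so here is a first-pass review of an exported audit log for Power Platform activity. This is an added example, not part of the original post or of the compliance centre itself: the records are constructed, and while they follow the general shape of unified audit log entries (CreationTime, Workload, Operation, UserId), the workload and operation names used here are assumptions to check against your own export.

```python
# Added example (not from the original post): a first-pass review of exported
# audit records for Power Platform activity. The records below are constructed;
# they follow the general shape of unified audit log entries (CreationTime,
# Workload, Operation, UserId) but the exact workload and operation names are
# assumptions, check them against your own export.
import json
from collections import Counter
from typing import Dict, List, Set

SAMPLE_AUDIT_EXPORT = """\
{"CreationTime": "2020-06-01T08:12:00", "Workload": "PowerApps", "Operation": "LaunchPowerApp", "UserId": "alice@contoso.example", "AppName": "Expense claims"}
{"CreationTime": "2020-06-01T08:20:00", "Workload": "PowerApps", "Operation": "DeletePowerApp", "UserId": "bob@contoso.example", "AppName": "Expense claims"}
{"CreationTime": "2020-06-01T09:05:00", "Workload": "PowerPlatform", "Operation": "DeleteDlpPolicy", "UserId": "bob@contoso.example", "PolicyName": "Tenant baseline"}
{"CreationTime": "2020-06-01T09:06:00", "Workload": "PowerPlatform", "Operation": "UpdateDlpPolicy", "UserId": "admin@contoso.example", "PolicyName": "Default environment"}
{"CreationTime": "2020-06-01T09:30:00", "Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example"}
"""

POWER_PLATFORM_WORKLOADS = {"PowerApps", "PowerAutomate", "PowerPlatform"}
# Operations that remove resources or change the guardrails: worth a look every time.
SENSITIVE_OPERATIONS = {"DeletePowerApp", "CreateDlpPolicy", "UpdateDlpPolicy", "DeleteDlpPolicy"}


def load_records(export: str) -> List[Dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in export.splitlines() if line.strip()]


def power_platform_records(records: List[Dict]) -> List[Dict]:
    return [r for r in records if r.get("Workload") in POWER_PLATFORM_WORKLOADS]


def review(records: List[Dict], approved_admins: Set[str]) -> List[Dict]:
    """Flag sensitive operations and say whether the actor is an approved admin."""
    findings = []
    for r in power_platform_records(records):
        if r.get("Operation") not in SENSITIVE_OPERATIONS:
            continue
        actor = r.get("UserId", "").lower()
        rule = ("sensitive change by approved admin" if actor in approved_admins
                else "sensitive change by unapproved account")
        findings.append({"time": r["CreationTime"], "user": actor,
                         "operation": r["Operation"], "rule": rule})
    return findings


def activity_by_user(records: List[Dict]) -> Dict[str, Counter]:
    """Per-user operation counts for Power Platform workloads, a quick baseline."""
    out: Dict[str, Counter] = {}
    for r in power_platform_records(records):
        out.setdefault(r["UserId"].lower(), Counter())[r["Operation"]] += 1
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDIT_EXPORT)
    for f in review(recs, approved_admins={"admin@contoso.example"}):
        print(f"{f['time']} {f['user']:<22} {f['operation']:<16} {f['rule']}")
```

Run against the sample, the review surfaces two deletions by an account that is not an approved admin and one policy update by an admin; the Exchange record is filtered out and the app launch is ordinary activity that only feeds the per-user baseline.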

Data Loss Prevention policy

The last leg of security is from within. With 300+ connectors in the Power Platform and the number growing, it is extremely important to put guardrails in place to protect the makers' community from unintended exposure of data to external services. With the ability to block connectors, the safest approach is to restrict all connectors and allow only known ones. For example, block social media, Dropbox etc. and keep only the Microsoft standard connectors unless there is a business case to allow more. The default environment needs further restrictions: connectors to critical business data, such as Azure-hosted assets and SQL Server, should be blocked there. Lastly, for dedicated environments a specialised policy can be applied depending on requirements, for example a less restrictive one for Marketing and a combination of selected connectors for Finance.
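The layered policy described above (a restrict-all tenant baseline, a tighter default environment, a looser Marketing environment) can be reasoned about with a small model of how DLP classifies connectors. This is an added example, not code from the original post or from the Power Platform itself: the policy scopes, environment names and connector identifiers are constructed sample values, and it simplifies real DLP to three groups (business, non-business, blocked) with the rule that one app or flow cannot mix business and non-business connectors.

```python
# Added example (not from the original post): a minimal model of how DLP
# policies classify connectors and why a single app or flow cannot mix
# "business" and "non-business" connectors. Policy scopes, connector names
# and environment names are constructed sample values.
from typing import Dict, Iterable, List, Optional

BUSINESS, NON_BUSINESS, BLOCKED = "business", "non_business", "blocked"


class DlpPolicy:
    def __init__(self, name: str, business: Iterable[str] = (), non_business: Iterable[str] = (),
                 blocked: Iterable[str] = (), default_group: str = BLOCKED,
                 environments: Optional[Iterable[str]] = None, exclude: Iterable[str] = ()):
        self.name = name
        self.groups: Dict[str, str] = {}
        for group, names in ((BUSINESS, business), (NON_BUSINESS, non_business), (BLOCKED, blocked)):
            for n in names:
                self.groups[n] = group
        # "restrict-all": a connector not named in any group lands in default_group
        self.default_group = default_group
        self.environments = None if environments is None else set(environments)  # None = every environment
        self.exclude = set(exclude)

    def applies_to(self, env_name: str) -> bool:
        if env_name in self.exclude:
            return False
        return self.environments is None or env_name in self.environments

    def classify(self, connector: str) -> str:
        return self.groups.get(connector, self.default_group)

    def violations(self, connectors: Iterable[str]) -> List[str]:
        classes = {c: self.classify(c) for c in connectors}
        out = [f"{self.name}: {c} is blocked" for c in sorted(classes) if classes[c] == BLOCKED]
        used = {g for g in classes.values() if g != BLOCKED}
        if used == {BUSINESS, NON_BUSINESS}:
            out.append(f"{self.name}: mixes business and non-business connectors")
        return out


def evaluate(policies: List[DlpPolicy], env_name: str, connectors: Iterable[str]) -> List[str]:
    """Every policy that applies to the environment is enforced, so the most
    restrictive outcome wins: violations from all applicable policies are reported."""
    connectors = list(connectors)
    out: List[str] = []
    for p in policies:
        if p.applies_to(env_name):
            out.extend(p.violations(connectors))
    return out


MICROSOFT_STANDARD = ["shared_sharepointonline", "shared_office365"]
POLICIES = [
    # Tenant-wide baseline: Microsoft standard connectors plus Azure/SQL as business data,
    # social media and Dropbox blocked, anything unlisted blocked. Marketing gets its own policy.
    DlpPolicy("Tenant baseline",
              business=MICROSOFT_STANDARD + ["shared_sql", "shared_azureblob"],
              blocked=["shared_twitter", "shared_dropbox"],
              exclude=["Marketing"]),
    # Default environment: tighter still, critical business data connectors blocked.
    DlpPolicy("Default environment",
              business=MICROSOFT_STANDARD,
              blocked=["shared_sql", "shared_azureblob", "shared_twitter", "shared_dropbox"],
              environments=["Default"]),
    # Marketing: less restrictive, social media allowed as non-business data.
    DlpPolicy("Marketing",
              business=MICROSOFT_STANDARD,
              non_business=["shared_twitter"],
              blocked=["shared_dropbox"],
              environments=["Marketing"]),
]


if __name__ == "__main__":
    for env, conns in [("Default", ["shared_sharepointonline", "shared_sql"]),
                       ("Finance", ["shared_office365", "shared_sql"]),
                       ("Marketing", ["shared_office365", "shared_twitter"])]:
        print(env, conns, "->", evaluate(POLICIES, env, conns) or "allowed")
```

Two things the model shows that are easy to miss in the admin centre: a connector that is unlisted is blocked by the restrict-all baseline, not silently allowed; and a Marketing flow that reads SharePoint and posts to Twitter is still refused, because the connectors sit in different groups even though each is individually allowed there.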
