Power Platform

Governance and
Administration
John Landgrave
Microsoft Corporation
Business Applications Platform Architect
 AN OVERVIEW OF SECURING YOUR MONITORING AND
MICROSOFT POWER ENVIRONMENTS MANAGING THE POWER
PLATFORM ARCHITECTURE PLATFORM

Agenda

GETTING STARTED WITH THE POWER PLATFORM DEVOPS BUILDING A CENTER OF

POWER PLATFORM AND DEPLOYMENT EXCELLENCE
GOVERNANCE TOOLKIT TECHNIQUES
 AN OVERVIEW OF SECURING YOUR MONITORING AND
MICROSOFT POWER ENVIRONMENTS MANAGING THE POWER
PLATFORM ARCHITECTURE PLATFORM

Agenda

GETTING STARTED WITH THE POWER PLATFORM DEVOPS BUILDING A CENTER OF

POWER PLATFORM AND DEPLOYMENT EXCELLENCE
GOVERNANCE TOOLKIT TECHNIQUES
Know your environments

CDS CDS CDS

 • Environments are tied to a geographic location that is
configured at the time the environment is created.

• Environments can be used to target different audiences

and/or for different purposes such as dev, test and
production.
Know your
• Every tenant has a default environment, created
environments automatically

• Common Data Service for Apps (CDS) databases are

created in the context of environments; one per
environment
PowerApps Environments are built on Azure
PowerApps
Default
Environment

PowerApps

Flows

Azure AD Logic Apps Functions

Microsoft Azure Management API Storage
Office 365 Tenant and Default Environment
Office 365 PowerApps
Tenant Default
Environment

PowerApps

Flows

Azure AD Logic Apps Functions

Microsoft Azure Management API Storage
Default Environment embedded connections
Office 365 PowerApps
Tenant Default
Environment

SharePoint PowerApps

Teams Flows

Exchange

Excel

Azure AD Logic Apps Functions

Microsoft Azure Management API Storage
Environment Permissions in Default
Office 365 PowerApps
Tenant Default
Environment

SharePoint PowerApps

Teams Flows

Exchange
Makers: All
Licensed
Excel Users: None

Azure AD Logic Apps Functions

Microsoft Azure Management API Storage
Using On Premise Data
Office 365 PowerApps
Tenant Default
Environment

SharePoint PowerApps

Teams Flows

Exchange
Makers: All
Licensed
Excel Users: None

Azure AD Data Logic Apps Functions

Gateway(s) Management API Storage
Microsoft Azure

On Premise Databases Web API

Gateway(s) SharePoint Data File Storage On Premise Systems
 AN OVERVIEW OF SECURING YOUR MONITORING AND
MICROSOFT POWER ENVIRONMENTS MANAGING THE POWER
PLATFORM ARCHITECTURE PLATFORM

Agenda

GETTING STARTED WITH THE POWER PLATFORM DEVOPS BUILDING A CENTER OF

POWER PLATFORM AND DEPLOYMENT EXCELLENCE
GOVERNANCE TOOLKIT TECHNIQUES
Provisioning New Environments
Office 365 PowerApps PowerApps PowerApps
Tenant Default Environment Environment
Active Environment (no CDS) (with CDS)
Directory

SharePoint PowerApps Canvas Apps Canvas Apps Model Driven Apps

Teams Flows Flows Flows Business Process Flows

Managed by CDS (AD Groups)

Exchange AD Managed Environment Admin: Creator
Makers: All Makers: Admin Environment Makers: None
Licensed Users: None System Customizer: None
Excel Users: None CDS User: None

Azure AD Data Logic Apps Functions

Gateway(s) Management API Storage
Microsoft Azure

On Premise Databases Web API

Gateway(s) SharePoint Data File Storage On Premise Systems
Environment Data Loss Prevention
Office 365 PowerApps PowerApps PowerApps
Tenant Default Environment Environment
Active Environment (no CDS) (with CDS)
Directory

SharePoint PowerApps Canvas Apps Canvas Apps Model Driven Apps

Office Connector Connector Connector
Teams Flows Flows Flows Business Process Flows
DLP DLP DLP DLP
Managed by CDS (AD Groups)
Exchange AD Managed Environment Admin: Creator
Makers: All Makers: Admin Environment Makers: None
Licensed Users: None System Customizer: None
Excel Users: None CDS User: None

Azure AD Data Logic Apps Functions

Gateway(s) Management API Storage
Microsoft Azure

On Premise Databases Web API

Gateway(s) SharePoint Data File Storage On Premise Systems
 Prevent data leakage
with DLP policies

• Data loss prevention policies (DLP)

enforce rules for which connectors can
be used together by classifying
connectors as either Business Data only
or No Business Data allowed.

• Simply, if you put a connector in the

business data only group, it can only be
used with other connectors from that
group in the same app.

• Tenant admins can define policies that

apply to all environments
 A Global Tenant Admin or Power Platform
Service Admin can manage all environments

An Environment Admin can manage any

environment for which they have been granted
Admin rights (creator has admin by default)
Administration
Permissions Currently (Entitlement Model) - any admin must
also have a P2 license assigned for them to
administer or create an environment

Future (Capacity Model) – admins don’t need a

P2 license to administer an environment, but
they must have the admin privilege
 Entitlement Model

• Must have a P2 license (including a Trial License)

• Can create up to 2 environments per P2 license

Capacity Model

Environment • Any PowerApps licensed user can create an

environment

Creation • You can restrict this by using PowerShell to configure

the DisableEnvironmentCreationByNonAdminUsers
setting at the tenant level
• Only the Tenant Admin or members of the
PowerPlatform Admin Group will be able to create
new environments (if non-admins are disabled)
• Each environment requires 1GB of space before
provisioning a new environment
 PowerApps and Flow do not provide users with
access to any data assets that they don’t already
PowerApps have access to. Users should only have access to
data that they really require access to.

and Flow
don’t escalate Network Access control policies can also apply to
privilege PowerApps and Flow. Blocking access to a site
from within a network by blocking the sign-on
page will also prevent connections to that site
from being created in PowerApps & Flow.
 Conditional Access

• Available for PowerApps and Microsoft Flow

PowerApps & • Azure AD Premium Required
• Scenario coverage:
Flow are • Grant/Block access based upon:
Azure AD • User/Group
applications • Device
• Location

Microsoft Application Management

(MAM) support
 AN OVERVIEW OF SECURING YOUR MONITORING AND
MICROSOFT POWER ENVIRONMENTS MANAGING THE POWER
PLATFORM ARCHITECTURE PLATFORM

Agenda

GETTING STARTED WITH THE POWER PLATFORM DEVOPS BUILDING A CENTER OF

POWER PLATFORM AND DEPLOYMENT EXCELLENCE
GOVERNANCE TOOLKIT TECHNIQUES
Monitoring and Management

Proactive Management Reactive Management

Use Power Platform Admin Center to monitor Monitor environments and remove assets or
activity permissions based on policies
Restrict user permissions in Premium Monitor audit records in Office Security and
environments Compliance Center
Configure DLP Policies PowerShell cmdlets or Flows using management
Use Active Directory to restrict access to data or connectors
systems
 Power Platform Admin Center is the
central management hub for all Power
Platform activity
Power (admin.powerplatform.microsoft.com)
Platform
Admin Center Other Management interfaces will go
away later this year (e.g.
admin.powerapps.com, D365 Security
Center)
 DEMO
Power Platform Admin Center
 • How do I turn off individual plan sign-up (trials, Flow
Free, community plans)?
• How do I restrict app creation in default env?
• How do I throttle environment creation?
• How do I control which makers are approved to use a
connector?
How can I lock down <action
X> to only <user Y> or lock • How do I control which apps are shared to a tenant?
down access to <data source • How do I control access to data in a service in scope for a
Z>? user’s job but prevent access to data out of scope of
their job?
• How do I enable an app to only read data through
certain connectors and not write?
• How do I prevent use of a connector before it’s approved
to be used?
• How do I control who can use a connector?
 PowerShell cmdlets for app creators (preview) PowerShell cmdlets for administrator (preview)

Read environments Read, update, and delete environments & Common Data Service databases
Read, update, and delete environment permissions

Read, update, and delete a canvas app Read, update, and remove canvas apps
Read, update, and delete canvas app permissions Read, update, and delete canvas app permissions

Build the Read, update, and delete a flow

Read, update, and delete flow permissions
Read, update, and delete flows
Read, update, and delete flow permissions
policies you Read and respond to flow approvals

need with Read and delete connections Read and delete connections
PowerApps, Read, update, and delete connection permissions Read, update, and delete connection permissions

Microsoft Flow, Read and delete connectors Read and delete custom connectors
Read, update, and delete custom connector permissions Read, update, and delete custom connector permissions
and PowerShell
Read a user's PowerApps user settings, user-app settings, and notifications
Read & delete a user's Microsoft Flow settings

Create, read, update & delete data loss prevention policies for your organization

The new PowerShell Cmdlets place full control in the hands of admins to
automate the governance policies necessary -
aka.ms/powerappspowershell.
 Microsoft Flow Management Connector

Build the Flow Management Connector for Admins

policies you
need with PowerApps Management Connector for Admins
PowerApps,
Microsoft Flow, PowerApps Management Connector for App Makers
and PowerShell
Power platform for Admins

The new Management connectors provide the same level control but with
added extensibility and ease-of-use by leveraging PowerApps and Flow.
 Control capabilities
# Capability Implementation
Reactive – Flow
1 How do I restrict app/flow creation in default env?
aka.ms/restrictappcreators
Reactive – Flow
2 How do I throttle environment creation?
aka.ms/restrictedenvcreators

3 How do I control which apps are shared to a tenant? Reactive – Flow

Reactive – Flow
4 How do I prevent use of a connector before it’s approved to be used?
aka.ms/newconnectornotification

Reactive – Flow
5 How do I control who can use a connector? aka.ms/restrictflowconnector
aka.ms/restrictappconnector
N/A – DLP only provide control at the connector-level
How do I control access to data in a service in scope for a user’s job but prevent
6 access to data out of scope of their job? But you can automate DLP policy creation
E.g. Allow access to Enterprise storage in Box but prevent access to personal storage in Box.
aka.ms/dlppowershellscript
How do I enable an app to only read data through certain connectors and not
7 write? N/A
E.g. Read-only from Twitter and write to SharePoint.
 DEMO
Remove App Permissions until Admin Approves App
Review the audit trail

• Activity Logging integrated with

Office Security and Compliance
center for comprehensive logging
across Microsoft services like
Dynamics 365 and Office 365
• The audit records are stored in
O365 Security and Compliance
center.
• Office provides an API to query
this data, which is currently used
by many SIEM vendors to use the
Activity Logging data for
reporting
 Which activity logs are supported?

Microsoft Flow PowerApps

• Created flow • Created app
• Edited flow • Edited/save app (draft)
• Deleted flow • Published app
• Edited permissions • Deleted app
• Deleted permissions • Restored an app from app version
• Started a paid trial • Launched app
• Renewed a paid trial • Marking app as featured
• Marking app as hero
• Edited app permissions
• Deleted app permissions
 AN OVERVIEW OF SECURING YOUR MONITORING AND
MICROSOFT POWER ENVIRONMENTS MANAGING THE POWER
PLATFORM ARCHITECTURE PLATFORM

Agenda

GETTING STARTED WITH POWER PLATFORM DEVOPS BUILDING A CENTER OF

THE POWER PLATFORM AND DEPLOYMENT EXCELLENCE
GOVERNANCE TOOLKIT TECHNIQUES
 Open Source, Community Driven
effort

Power PowerApps, Flows, PowerShell

Platform Scripts and PowerBI Dashboards
Governance NO SUPPORT other than
Toolkit community-based support

https://aka.ms/GovernanceToolkit
 SQL Server tables for:
Governance • Environments
Toolkit • Flows
Overview • PowerApps
• PowerApps Connections

Environment Inventory Flow

PowerBI Dashboard

Platform Manager PowerApp

 Demo
Governance Toolkit
 AN OVERVIEW OF SECURING YOUR MONITORING AND
MICROSOFT POWER ENVIRONMENTS MANAGING THE POWER
PLATFORM ARCHITECTURE PLATFORM

Agenda

GETTING STARTED WITH THE POWER PLATFORM DEVOPS BUILDING A CENTER OF

POWER PLATFORM AND DEPLOYMENT EXCELLENCE
GOVERNANCE TOOLKIT TECHNIQUES
 Canvas Apps and Flows can be built and managed
individually
• Export the PowerApp or Flow from one environment and
import to another
• No automation for export or import
• Connections are recreated manually

DevOps – Solutions
Current State • Solutions are the DevOps packaging unit going forward
• Solution developers and testers need P1 or higher licenses
• Model Driven Application artifacts and CDS Entities are
defined in solutions
• PowerShell script to tag existing Canvas apps and Flows as
solution-aware
• Create all artifacts (including Canvas apps and Flows) from
within a solution
 Solutions will have parameters soon

• Parameterized deployment of connections and flows

• Post Install processes

Power Platform Solutions will participate in

DevOps – Azure DevOps pipeline
Future State
“Treat environments like cattle, not pets”

• Create dev environment

• Check out existing solution
• Work on solution and check back in
• Delete dev environment
 AN OVERVIEW OF SECURING YOUR MONITORING AND
MICROSOFT POWER ENVIRONMENTS MANAGING THE POWER
PLATFORM ARCHITECTURE PLATFORM

Agenda

GETTING STARTED WITH THE POWER PLATFORM DEVOPS BUILDING A CENTER OF

POWER PLATFORM AND DEPLOYMENT EXCELLENCE
GOVERNANCE TOOLKIT TECHNIQUES
 Customer Adoption Maturity Center of Excellence

Multiple Production Apps

First Production App

Proof of Concepts (PoCs)
Briefings & Demos
 Professional IT developers
• Enables high productivity app development
Who is • Reduces time to develop and deploy
building • Centrally managed and rolled out

solutions with Citizen developers

the Power • Lower barrier of entry for app development
Platform? • Power users in business units close to the
problem building solutions for their teams
• Often with IT oversight or in an approved
sandbox
Responsibilities of a
Center of Excellence
1. Administration and governance
2. Evangelism and training
3. App development & technical support
4. Data + API Strategy
5. ALM + Infrastructure automation
6. Tools + Best practices
7. End user Support
Questions?