Best Practices for Power Platform Governance

Microsoft Power Apps is an important part of Microsoft 365’s appeal. It is a leader in the low-code solutions space and empowers millions of users to do more at work while enabling organizations to meet their business challenges. The Power Platform suite consists of Power BI, Power Apps, Power Automate, and Power Virtual Agents. These solutions have access to over 300 connectors provided by Microsoft and third-party organizations including Common Data Service (CDS), Microsoft 365, Azure, Dynamics 365 environment, custom-built connectors as well as the new AI builder.

The platform and its components are used by a diverse set of users including employees who are familiar with Microsoft Excel and hardcore developers who develop applications in Node.js. While such wide-ranging access increases productivity but it also comes with additional risks of exposing sensitive data. While the democratized access to data enables employees to easily build apps, flows, and dashboards; it can lead to major security concerns for organizations as well. However, organizations can prevent data loss scenarios, manage risks better, stay on top of compliance issues, and maintain customer trust by adopting certain Microsoft Power Platform governance best practices.

Best Practices for Power Platform Governance

1: Manage Microsoft Power Platform Environments Better

Environments are a vital consideration when trying to secure and govern Power Platform usage. It acts as a security container for apps and flows to run within. The default setting in Power Platform allows anyone to create a new environment, but, Administrators can control the rights to create and manage their environment by changing the settings in the Admin Center. Below are some key points that ensure better management of the Microsoft Power Platform environment:

  • Power Platform Admin Center enables organizations to create additional environments, based on different roles, security requirements, or target audiences. For instance, organizations can create a separate environment for testing, development, marketing, and so on. It ensures that only the designated team members can access the apps, flows, and resources in a particular environment, keeping the environment secured from unauthorized access.
  • Apps in an environment can access the database which is their environment and not the Microsoft Dataverse database which is in another environment.
  • The Power Platform Admin Center enables the organizations to choose which region they want their environment to reside in while creating it. This approach allows organizations to store data closer to actual users and to maintain and meet compliance requirements for their geography. Selecting a region enables Admin Analytics to ensure that the organizational data generated in one region does not leave the region, keeping it protected.
2: Data Loss Prevention (DLP) Policies

DLP policies enable organizations to construct rules that permit and prevent connectors from communicating with each other within the same flow. Microsoft accomplishes this task by creating two data groups: Business data only and No business data allowed. The purpose of these two data groups is to put connectors that have the same data profile in the same data group. Grouping connectors mean that they can communicate with each other within the same data group but are not able to communicate across data groups. Organizations can follow the below information to leverage DLP policies to secure Power Platform instances.

  • Connectors having the same data profile belong to the same data group and can not communicate with connectors belonging to another data group. Consequently, connectors belonging to the Business data group cannot interact with Non-business data group connectors. If users want to create a flow that includes two connectors from different groups, they will need to move one of the connectors to the other data group.
  • Organizations can specify one data group to be the default data group. You need to select the data policy you want to make default and choose the “Edit Policy” button at the top of the Admin Center page. To change the default data group, go to Connectors and choose the Set default group button in the upper-right corner of the same page.
  • Power Platform’s DLP policies belong to two scopes: environment and tenant. An environment-scoped DLP policy only applies to that specific environment, whereas a tenant-scoped DLP policy applies to all environments in that tenant. When creating a new DLP policy, policy authors have a few options that they can choose from, including the ability to “Add all environments” (tenant), “Add multiple environments”, and “Exclude certain environments”.
  • Organizations can apply multiple DLP policies to their environment, which delivers additional governance scenarios. However, when multiple DLP policies have been implemented, the most restrictive policy is applied.
  • How an organization configures its DLP policies largely depends on its existing environment architecture and cyber security principles. For some organizations, these principles may allow the mixing of business-related connectors with consumer-based services. Other organizations might choose to strictly prevent business-related connectors from connecting with consumer-based services.
  • Organizations should carefully consider before designating a default data group. Regardless of which data group an organization designates, administrators should pay attention to new connectors that are being deployed into environments so they can place them into the appropriate data group.
3: Microsoft Power Platform Center of Excellence Starter Kit

Microsoft Power Platform Center of Excellence (COE) Starter Kit is a great tool for organizations to increase the visibility of what their users are doing in their instance. It is a set of apps, flows, a custom connector, and a Power BI dashboard that allows organizations to govern their Microsoft Power Platform environments. The tool can be leveraged to identify users who are building applications and services that introduce risk to the organization. It can also be used to empower and encourage users who are automating workloads within sanctioned systems and services. The Power Platform Starter Kit delivers various important tools and features to administrators such as:

  • DLP Editor: Helps an administrator to explore existing DLP policies and evaluate the impact of moving a connector from one data group to another. If a change to a data group has an impact on an existing app, that will be highlighted in the Affected Power Apps list. Then, an administrator can send an email, through an in-app experience, to the owner of that application and warn them of the upcoming change.
  • Power BI Dashboard: Brings all insights required to govern Power Platform together by using Dataverse and a Power BI dashboard. The dashboard can be leveraged to identify the total number of apps and flows that have been created, the number of environments that have been created, and the type of environment, gain insights into the usage of apps, including the number of sessions and users that the app has been shared with and various other details.
  • App Audit: Enables admins to identify overshared or often used resources and gather further information, like business justification and business impact of an outage, for those apps. Situations might also occur where people create temporary applications for proof-of-concept purposes. These apps can clutter an environment if they are not cleaned up. With App Audit, the users can be prompted to attest to their application to ensure that it addresses business justification requirements.
  • App Catalog: Acts as a catalog that helps with the discoverability of apps. Users can explore featured apps and browse apps by category. The app catalog can be a great entry point to launch apps for end users and makers can explore to see if an application already exists before they create another app that provides similar functionality.

Govern, Secure and Build Better

As the pace of digital transformation continues to accelerate, more and more organizations are relying on Power Platform to build, analyze and automate swiftly. Organizations can utilize various features in the Power Platform Admin Center to keep their instance well-governed and secure. As a Microsoft Gold Partner, AgreeYa has been helping organizations across the globe secure and govern their Microsoft 365 suite. Our experts can help organizations leverage Power Platform to analyze, automate and modernize without any risks of exposing sensitive data. Want to learn more? Contact us now.

Our Offerings

  • Software Product Engineering

    Our technical prowess, domain expertise, consulting capabilities, and industry-proven methodologies help enterprises in ...

  • Cloud Enablement

    We provide cloud enablement services that bring together enterprise cloud services, cloud infrastructure, managed cloud ...

  • Customer Experience & Web Design

    AgreeYa’s digital Customer Experience (CX) services help organizations unlock growth by reimagining Experience. We use...