Securing the Power Platform

Securing any platform can be difficult but with the below it’s easy!

Securing the Power Platform can sometimes be an after thought when adopting the new technology. Employees start using functionality like Power Apps and Power Automate to help make their processes slicker and reduce manual overhead. However, IT teams see this and start to worry about governance, access control and data security. The last thing IT wants are new applications that haven’t had prior approval (Shadow IT) because of limited accountability and an unknown capacity to support. Due to this uncertainty and lack of control, IT teams typically restrict platform access, limiting features and functionality for the wider organisation.

However, securing the Power Platform in the right way means this lockdown on access isn’t required and it shouldn’t impact existing applications. The below is a common example we’ve seen with numerous clients:

Client Example

“Employees are creating Power Apps from SharePoint Online lists. Some employees have also started using Power Automate to create workflows that process their data. Some of these workflows interact with 3rd party services. We don’t know where to start when securing the Power Platform.”


When using this technology for the first time, employees will use the default environment. The default environment enables employees to create applications and workflows from other Microsoft 365 products (e.g. SharePoint Online). All employees with user accounts in the organisation will have access to this environment as an “Environment Maker”. This means that all applications deployed into the Power Platform exist in one location. As standard, the IT team can view these applications through the Power Platform Admin Centre giving them additional visibility.

The Power Platform Admin Centre enables platform administrators to view all environments (including the default environment). On selecting an environment, an administrator and view all deployed Dynamics 365 apps, Portals, Power Apps and Flows. In addition to this, the administrator can view recent environment operations, configure security roles, and view all users that have access to the environment. This is where we can start having increased visibility of applications deployed into the environment.

Securing the Power Platform is made easier still using Data Policies. These policies enable an administrator to group connectors (e.g SharePoint Online) as Business, Non-Business or Blocked. A connector can only be used in a Power App where other connectors exist in the same group. This way, any business data is blocked from accessing non-business sources. If we apply the above our example, we can view existing SharePoint Online based Power Apps through the Admin Centre and can configure data sources (e.g. 3rd party connector) as business connectors. Already we’ve made IT aware of recent deployments and secured the platform.

Useful Links and Resources

The final points to cover when securing the Power Platform can be found in the Microsoft adoption best practices documentation. This document includes a set of steps to help secure the platform and handle adoption:

Below is a seperate link to a case study where the above has been put into practice:

About the author