Many customers ask how Power Platform can be made available to their broader business while still being supported by IT. Governance is the answer. It aims to let business groups focus on solving business problems efficiently while complying with IT and business compliance standards. The following content structures the themes commonly associated with governing software and highlights the capabilities available for each theme as it applies to governing Power Platform.
Theme | Common questions related to each theme that this content answers |
---|---|
Architecture | |
Security | |
Alert and Action | |
Monitor | |
Architecture
It is best to familiarize yourself with environments as the first step to building the right governance story for your company. Environments are the containers for all resources used by Power Apps, Power Automate and Dataverse. Environments Overview is a good primer, which should be followed by What is Dataverse?, Types of Power Apps, Microsoft Power Automate, Connectors, and On-premises Gateways.
Security
This section outlines mechanisms that exist to control who can access Power Apps in an environment and access data: licenses, environments, environment roles, Azure Active Directory, Data Loss Prevention policies and admin connectors that can be used with Power Automate.
Licensing
Access to Power Apps and Power Automate starts with having a license. The type of license a user has determines the assets and data a user can access. The following table outlines differences in resources available to a user based on their plan type, from a high level. Granular licensing details can be found in the Licensing overview.
Plan | Description |
---|---|
Microsoft 365 Included | Allows users to extend SharePoint and other Office assets they already have. |
Dynamics 365 Included | Allows users to customize and extend the customer engagement apps they already have (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation). |
Power Apps plan | This allows: |
Power Apps Community | Allows a user to use Power Apps, Power Automate, Dataverse and custom connectors in a single environment for individual use. There is no ability to share apps. |
Power Automate Free | Allows users to create unlimited flows and perform 750 flow runs. |
Power Automate plan | See the Microsoft Power Apps and Microsoft Power Automate Licensing Guide. |
Environments
After users have licenses, environments exist as containers for all resources used by Power Apps, Power Automate and Dataverse. Environments can be used to target different audiences and/or for different purposes such as developing, testing and production. More information can be found in the Environments Overview.
Secure your data and network
- Power Apps and Power Automate do not give users access to any data assets they do not already have access to: a connection runs with the permissions of the user who created it. Grant users access only to the data they actually need.
- Network access control policies also apply to Power Apps and Power Automate. For example, you can block access to a site from within your network by blocking its sign-on page, which prevents connections to that site from being created in Power Apps and Power Automate.
- In an environment, access is controlled at three levels: environment roles; resource permissions for individual Power Apps, Power Automate flows, and so on; and Dataverse security roles (if a Dataverse database is provisioned).
- When Dataverse is created in an environment, Dataverse security roles take over control of security in that environment (existing environment admins and makers are migrated to the corresponding Dataverse roles).
The following principals are supported for each role type.
Environment type | Role | Principal type (Azure AD) |
---|---|---|
Environment without Dataverse | Environment role | User, group, tenant |
Environment without Dataverse | Resource permission: Canvas app | User, group, tenant |
Environment without Dataverse | Resource permission: Power Automate, Custom Connector, Gateways, Connections¹ | User, group |
Environment with Dataverse | Environment role | User |
Environment with Dataverse | Resource permission: Canvas app | User, group, tenant |
Environment with Dataverse | Resource permission: Power Automate, Custom Connector, Gateways, Connections¹ | User, group |
Environment with Dataverse | Dataverse role (applies to all model-driven apps and components) | User |

¹ Only certain connections (like SQL) can be shared.
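The two access-control levels described above that an admin can inspect from outside the environment, environment role assignments and per-resource sharing, are the ones most often found drifting in practice: an extra Environment Admin nobody remembers adding, or a canvas app shared with the "tenant" principal so that every licensed user in the directory can open it. The following audit script is an added example, not code from the Microsoft documentation; it uses cmdlets from the Microsoft.PowerApps.Administration.PowerShell module (Get-AdminPowerAppEnvironment, Get-AdminPowerAppEnvironmentRoleAssignment, Get-AdminPowerApp, Get-AdminPowerAppRoleAssignment, Remove-AdminPowerAppRoleAssignment). The output property names it reads (EnvironmentName, DisplayName, RoleName, RoleType, PrincipalType, PrincipalDisplayName, AppName, RoleId) are assumed from that module and should be checked against the version you run.

```powershell
# Added example: audit environment roles and tenant-wide app sharing across all environments.
# Assumes the Microsoft.PowerApps.Administration.PowerShell module is installed and that the
# signed-in account is a Power Platform admin. Property names are assumed from that module.

Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in; use the -Username/-Password parameters for automation

$findings = foreach ($env in Get-AdminPowerAppEnvironment) {
    $envName = $env.EnvironmentName

    # Level 1: environment roles. Every Environment Admin can add makers, change DLP scope,
    # and delete resources, so each one should be a known, justified assignment.
    foreach ($ra in Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $envName) {
        [pscustomobject]@{
            Environment   = $env.DisplayName
            Level         = 'Environment role'
            Resource      = '-'
            Role          = $ra.RoleName
            Principal     = $ra.PrincipalDisplayName
            PrincipalType = $ra.PrincipalType
            Finding       = if ($ra.RoleName -eq 'EnvironmentAdmin') { 'Review: environment admin' } else { '' }
        }
    }

    # Level 2: resource permissions. A canvas app shared with PrincipalType 'Tenant' is visible
    # to everyone in the directory, which is rarely what the maker meant by "share with my team".
    foreach ($app in Get-AdminPowerApp -EnvironmentName $envName) {
        foreach ($ra in Get-AdminPowerAppRoleAssignment -EnvironmentName $envName -AppName $app.AppName) {
            [pscustomobject]@{
                Environment   = $env.DisplayName
                Level         = 'Resource permission'
                Resource      = $app.DisplayName
                Role          = $ra.RoleType
                Principal     = $ra.PrincipalDisplayName
                PrincipalType = $ra.PrincipalType
                Finding       = if ($ra.PrincipalType -eq 'Tenant') { 'Review: shared with entire tenant' } else { '' }
            }
        }
    }
}

# Show only rows that need attention; keep $findings itself as the full inventory.
$findings | Where-Object Finding | Sort-Object Environment, Level, Resource | Format-Table -AutoSize

# Remediation for a confirmed unintended tenant-wide share (hypothetical values, run per finding):
# Remove-AdminPowerAppRoleAssignment -EnvironmentName '<environment name>' -AppName '<app name>' -RoleId '<role id>'
```

The third level, Dataverse security roles, is not exposed by these cmdlets; review it in the Power Platform admin center or through the Dataverse Web API for each environment that has a database. Flows can be audited the same way by pairing Get-AdminFlow with Get-AdminFlowOwnerRole, although, as the table shows, flows cannot be shared with the tenant principal, so the interesting findings there are broad group shares rather than "everyone".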