Delivering Efficiency so you can complete your mission with precision. 


Security and governance considerations

Many customers wonder how can Power Platform be made available to their broader business and supported by IT? Governance is the answer. It aims to enable business groups to focus on solving business problems efficiently while complying with IT and business compliance standards. The following content is intended to structure themes often associated with governing software and bring awareness to capabilities available for each theme as it relates to governing Power Platform.

ThemeCommon questions related to each theme for which this content answers
    • What are the basic constructs and concepts of Power Apps, Power Automate, and Microsoft Dataverse?
  • How do these constructs fit together at design time and runtime?
    • What are the best practices for security design considerations?
  • How do I leverage our existing user and group management solutions to manage access and security roles in Power Apps?
Alert and Action
    • How do I define the governance model between citizen developers and managed IT services?
    • How do I define the governance model between central IT and the business unit admins?
  • How should I approach support for non-default environments in my organization?
    • How are we capturing compliance / auditing data?
  • How can I measure adoption and usage within my organization?


It’s best to familiarize oneself with Environments as the first step to building the right governance story for your company. Environments are the containers for all resources used by a Power Apps, Power Automate and Dataverse. Environments Overview is a good primer which should be followed by What is Dataverse?Types of Power AppsMicrosoft Power AutomateConnectors, and On-premises Gateways.


This section outlines mechanisms that exist to control who can access Power Apps in an environment and access data: licenses, environments, environment roles, Azure Active Directory, Data Loss Prevention policies and admin connectors that can be used with Power Automate.


Access to Power Apps and Power Automate starts with having a license. The type of license a user has determines the assets and data a user can access. The following table outlines differences in resources available to a user based on their plan type, from a high level. Granular licensing details can be found in the Licensing overview.

Microsoft 365 IncludedThis allows users to extend SharePoint and other Office assets they already have.
Dynamics 365 IncludedThis allows users to customize and extend customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), they already have.
Power Apps planThis allows:

  • making enterprise connectors and Dataverse accessible for use.
  • users to use robust business logic across application types and administration capabilities.
Power Apps CommunityThis allows a user to use Power Apps, Power Automate, Dataverse and customer connectors in a single for individual use. There’s no ability to share apps.
Power Automate FreeThis allows users to create unlimited flows and do 750 runs.
Power Automate planSee Microsoft Power Apps and Microsoft Power Automate Licensing Guide.


After users have licenses, environments exist as containers for all resources used by Power Apps, Power Automate and Dataverse. Environments can be used to target different audiences and/or for different purposes such as developing, testing and production. More information can be found in the Environments Overview.

Secure your data and network

  • Power Apps and Power Automate do not provide users with access to any data assets that they don’t already have access to. Users should only have access to data that they really require access to.
  • Network Access control policies can also apply to Power Apps and Power Automate. For environment, one can block access to a site from within a network by blocking the sign-on page to prevent connections to that site from being created in Power Apps and Power Automate.
  • In an environment, access is controlled at three levels: Environment roles, Resource permissions for Power Apps, Power Automate, etc. and Dataverse security roles (if a Dataverse data base is provisioned).
  • When Dataverse is created in an environment the Dataverse roles will take over for controlling security in the environment (and all environment admins and makers are migrated).

The following principals are supported for each role type.

Environment typeRolePrincipal Type (Azure AD)
Environment without DataverseEnvironment roleUser, group, tenant
Resource permission: Canvas appUser, group, tenant
Resource permission: Power Automate, Custom Connector, Gateways, Connections1User, group
Environment with DataverseEnvironment roleUser
Resource permission: Canvas appUser, group, tenant
Resource permission: Power Automate, Custom Connector, Gateways, Connections1User, group
Dataverse role (applies to all model-driven apps and components)User

1Only certain connections (like SQL) can be shared.

Recents Posts