Managing Governance for the Microsoft Power Platform
By now, most Microsoft customers are familiar with Power Platform, the company’s business application platform that enables individuals who don’t have experience with coding and software programming to build apps and flows. Power Platform consists of four different tools — Power BI, Power Apps, Power Automate, and Power Virtual Agents — which grant users the ability to generate reports, build and automate apps, and even build chatbots.
Each of these tools has access to over 275 connectors, which means they can get into Common Data Service (CDS), Office 365, Azure, any Dynamics 365 environment, and many other services. Applications built with the Power Platform can also connect to any custom built customer connectors, and Microsoft recently added the ability to connect to the new AI Builder.
With such wide-ranging access comes certain challenges, especially when it comes to governance. Although the main sell for Power Platform is that it democratizes programming for a new generation of citizen developers, users could potentially have access to sensitive data. Therefore, it’s imperative that organizations that use Power Platform implement a strong data governance strategy to ensure the security of that data, and that these tools are being used appropriately and responsibly.
Keep reading to discover key best practices for formulating a foolproof Power Platform data governance strategy.
Secure Your Tenant
A tenant refers to the container in which all of your different environments sit; each of these environments also acts as a container for any apps or flows you build in Power Apps, as well for your CDS resources. You can have as many environments as you want within your tenant, provided you have sufficient storage space. For Dynamics 365 users, this concept is very similar to development, sandbox, and production environments, each of which is a different CDS environment.
This information is important because it reflects how your data is structured: Connectors and controls exist within an environment, which exists within a tenant. All of this needs to be secured with things like security roles and permissions to ensure that users have access only to the tools and environments they need and are restricted from the ones they don’t.
A quick word about environments before we dig into best practices: An environment is tied to a geographic location that is configured at the time that the environment is created and can be used to target different audiences and/or for different purposes. Every tenant includes a default environment in which all licensed Power Apps and Power Automate users can create apps and flows. Non-default environments, on the other hand, offer more control around permissions, and the creation of non-default environments can be restricted to service administrators using the Power Platform admin center.
Bearing all of this in mind, let’s look at our first best practice.
Best Practice: Establish a Team Strategy for Your Environment.
This is an important first step that should take place before you start building out your use of the Power Platform. If you work in a large organization, assign your administrators the Power Platform service admin role, which will grant them full access to Power Apps, Power Automate, and Power BI, and restrict the creation of net-new trial and production environments to those administrators.
Next, designate the default environment as a “personal productivity” environment for your business groups. Users can use this environment to build simple apps and flows to test out Power Platform’s capabilities without connecting to CDS or customer data. Be sure to give this default environment a distinctive name, so that users don’t mistake it for a non-default environment.
Any mission-critical applications should be built in a non-default environment but, in the interest of security, it’s vital that you establish a process for requesting access to or the ability to create non-default environments in order to enforce safety protocols. To that end, it’s best to restrict non-default environment privileges to specific business groups.
Best Practice: Set up Data Loss Prevention Policies.
Data loss prevention (DLP) policies are designed to enforce which of Microsoft’s 275+ connectors are allowed to access important business data. These connectors fall into one of two categories: Business Data Only (BDO) or No Business Data (NBD) allowed. BDO connectors have access to important client data and are used by trusted apps. In order to protect that client data, connectors in the BDO group can only be used with other BDO connectors in the same app or flow.
Tenant admins can define and design policies in such a way that they apply to all environments within your tenant, specific environments within your tenant, all environments within your tenant except one, and so on. In order to build a DLP policy, create a policy that spans all environments and classifies all Microsoft connectors as “Business Data.”
Monitor Your Tenant’s Activity
Once you’ve established a team strategy for your environment and set up DLP policies, the next step is to start monitoring activity across your tenant.
Best Practice: Leverage Out-of-the-Box Activity Logs and Analytics.
It’s important that you be able to see who’s using which apps and how they’re using them, both for the sake of user adoption and security. To that end, you can log into the Office 365 Security & Compliance Center to access full logs and audit records for Power Apps and Power Automate. These logs and records will provide you with a full account of which users did the following and when:
|Power Apps||Power Automate|
|· Created app
· Edited/saved app (draft)
· Published app
· Deleted app
· Restored an app from an app version
· Launched app
· Marked app as featured
· Marked app as hero
· Edited app permissions
· Deleted app permissions
|· Created flow
· Edited flow
· Deleted flow
· Edited permissions
· Deleted permissions
· Started a paid trial
· Renewed a paid trial
It’s important to note that, in order to access these logs and audit records, you must have an Office 365 E3 license or greater and have enabled security and compliance audits at an organization level.
That said, Office 365 also enables you to use an application programming interface (API) to query this data. If you use a third-party monitoring tool, you can use this API to access that Activity Logging data for reporting purposes.
With logging out of the way, the next area to focus on is analytics. If you currently use Dynamics with CDS, the Power Platform Admin center offers full logs for organizational insights around API calls and performance within your CDS environment. By logging into the Power Platform Admin center and navigating to the Analytics tab, you can see the following:
- Common Data Services: Find out who is using the system, and which tables and entities they’re using.
- Power Automate: View the number of flow runs over a maximum period of 28 days, as well as usage stats for various flows. You can also find out when certain flows were created, how many flows there are in each environment within your tenant, and so on.
- Power Apps: See how many times apps have been launched over a maximum period of 28 days, where in the world users who are launching the app are located, what version of the app they’re using, and so on.
Best Practice: Build a Center of Excellence.
Rather than start from scratch, consider downloading the Power Platform Center of Excellence (CoE) Starter Kit, which is a “collection of templatized best practices” designed with administration and governance in mind. This starter kit includes the following:
|DLP strategy & visibility||· DLP Editor
· DLP Customizer
Catalog tenant resources w/ Power Automate & Power BI
· CDS Entities: Environments, Apps, Flows
· Sync Resources Template
· Sync Audit Logs
· Power BI Dashboard
· Custom Connect for Office 365 Audit Logs
· Power Platform Admin View
Alert & Action
App audit example process
· Develop Compliance Center
· Flow Compliance Detail Request
· Business Process Flow for Auditing Resources
· App Catalog
· Set New App Owner
· Auto Archive & Clean up
· Find Flows & Apps That Use Certain Connects & Notify Admin
Evangelism & Training
· Welcome Email
· Training in a Day Management
· Training in a Day Notifications
· Newsletter with Product Updates
Standards & Components
Guide best practices
· Template Catalog
Alert and Act on That Activity
Thanks to the best practices in the two previous section, you now have a clear picture of all of the apps within your environment, and you’ve built a comprehensive DLP strategy that simultaneously encourages users to be creative and ensures good data governance. The next step is to use that knowledge to take action.
Best Practice: Establish and Automate Your Audit Process.
One of the amazing things about Power Automate is that you can use it to automate your audit and alert process. In Power Automate, you can create your own workflows using management connectors that either permit or restrict behavior based on your organization’s DLP policies. For example, you could use Power Automate to create an attestation process for assets in the default environment. There are a number of free audit workflow templates that you can use, courtesy of Microsoft, including the audit workflow in the Power Platform CoE Starter Kit.
As a word of advice, consider using PowerShell cmdlets when automating your audit process. Not only will these cmdlets give you full visibility into all activity in Power Apps and Power Automate, you can also use them to pull in the metadata you need to build reports and alerts. Best of all, they’re flexible, so you can build whatever policies you need in order to meet administrative and governance requirements.
Best Practice: Welcome New Makers and Identify Champions.
Whenever you detect that a new flow has been created, check to see whether that maker is part of the makers Active Directory group. If they aren’t, that means they’re a new maker, and you should send them a welcome email that lists company and public resources. You should also invite them to join your organization’s internal Yammer or Teams Club in order to share best practices. You can find a free welcome email template in the Power Platform CoE Starter Kit.
In addition to welcoming new makers, you’ll also want to identify Power Platform champions who can help empower new users within your existing user base. When identifying champions, look for individuals who:
- Are diligent in their work
- Understand your company’s vision for data governance
- Demonstrate interest in the Power Platform
- Have a positive attitude
- Are well-regarded by other users
- Possess leadership qualities
When it comes to choosing Power Platform champions, keep in mind that people skills and managerial know-how are just as important technical expertise.
To review, let’s go over our list of Power Platform governance best practices:
- Establish a team strategy for your environment.
- Set up data loss prevention policies.
- Leverage out-of-the-box activity logs and analysis.
- Build a Center of Excellence (with the Power Platforms CoE Starter Kit).
- Establish and automate your audit processes.
- Welcome new makers and identify champions.
For more information about the Microsoft Power Platform and how to ensure good data governance among Power Platform users, check out Hitachi Solutions’ free on-demand webinar, Rise of the Citizen App Creator: How to Manage Governance with Power Apps and Power Automate. If you have any questions, contact Hitachi Solutions directly to talk to one of our Power Platform specialists.