Transform Power Platform Management and Governance

Introduction:

Globally today, customers are familiar with Microsoft Power Platform - Microsoft’s business suite of applications that enables individuals who don’t have coding experience and in-depth software programming skills to build apps, flows, automate processes and even create external-facing websites.

Power Platform now consists of 5 different tools — Power BI, Power Apps, Power Automate, Power Virtual Agents, Power Pages (formerly Power Apps portals) — which together grant users the ability to generate reports, build and automate apps, build chatbots, and create user-friendly websites in-house.

Today, users of these tools have access to hundreds of connectors (and growing!) and Dataverse to create a business-focused definition of their organization’s data for use within Microsoft 365, Azure, Dynamics 365 environments, and many other services. Applications built with the Power Platform can also connect to any custom-built data connectors. With AI Builder, which is easy to connect, developers can simplify management and governance, and harness the ability to extend their apps by using built-in Azure API connectors.

With such wide-ranging access come certain challenges, especially when it comes to best practices, guidance, and governance. Although the main appeal of Power Platform is that it democratizes programming for a new generation of citizen developers, users can potentially gain access to sensitive data. Therefore, it’s imperative for organizations that use Power Platform to implement a strong data governance strategy that ensures data security and that these tools are used appropriately and responsibly.

Considering the above, here are 6 best practices that we recommend to our readers:

1. Establish a team structure for your environments

  • This is an important first step before you build out your Power Platform environment. If you work in a large organization, assign your administrators the Power Platform service admin role, which will grant them full access to Power Apps, Power Automate, and Power BI, and restrict the creation of new trial and production environments to only those administrators.
  • Next, designate the default environment as a “personal productivity” environment for your business groups. Users can use this environment to build simple apps and flows to test Power Platform’s capabilities without connecting to Dataverse or customer data. Be sure to give this default environment a distinctive name, so that users don’t mistake it for a non-default environment.
  • Any mission-critical applications should be built in a non-default environment but, in the interest of security, it’s vital that you establish a policy for requesting access to or the ability to create non-default environments. To that end, it’s best to restrict non-default environment privileges to specific business groups.

2. Set up Data Loss Prevention (DLP) policies

  • DLP policies are designed to enforce which of Microsoft’s connectors can access important business data. These connectors fall into one of three categories:
    1. Business Data Only (BDO)
    2. No Business Data (NBD) allowed
    3. Blocked
  • BDO connectors have access to important client data and are used by trusted apps. To protect that client data, connectors in the BDO group can be used only with other BDO connectors in the same app or flow. If you don’t want makers to use a specific connector, you can block it.

Tenant admins can define and design policies in such a way that they apply to all environments within your tenant, specific environments within your tenant, all environments within your tenant except one, and so on. For example, if you want to allow makers to use Microsoft connectors for business purposes, you can create a policy that spans all environments and classifies all Microsoft connectors as “Business Data.”
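
The DLP rules above, as an added example that is not from the original article or from Microsoft: a Python check that decides which policies apply to an environment and flags apps or flows whose connectors are blocked or that mix BDO with NBD connectors. The scope labels, the sample policies and connector classifications, the treatment of unclassified connectors as NBD, and the independent evaluation of every applicable policy are assumptions of this example.

```python
from dataclasses import dataclass, field

BDO, NBD, BLOCKED = "BDO", "NBD", "Blocked"

@dataclass
class DlpPolicy:
    name: str
    groups: dict                    # connector name -> BDO / NBD / BLOCKED
    scope: str = "all"              # "all", "only" or "except" (hypothetical labels)
    environments: set = field(default_factory=set)
    default_group: str = NBD        # assumption: unclassified connectors count as NBD

    def applies_to(self, environment):
        if self.scope == "all":
            return True
        if self.scope == "only":
            return environment in self.environments
        if self.scope == "except":
            return environment not in self.environments
        raise ValueError(f"unknown scope {self.scope!r}")

    def violations(self, connectors):
        """Reasons this connector set breaks the policy (empty list = compliant)."""
        grouped = {c: self.groups.get(c, self.default_group) for c in connectors}
        found = [f"{self.name}: connector '{c}' is blocked"
                 for c in sorted(grouped) if grouped[c] == BLOCKED]
        bdo = sorted(c for c, g in grouped.items() if g == BDO)
        nbd = sorted(c for c, g in grouped.items() if g == NBD)
        if bdo and nbd:  # BDO connectors may only be combined with other BDO connectors
            found.append(f"{self.name}: BDO {bdo} mixed with NBD {nbd}")
        return found

def audit(inventory, policies):
    """Map each non-compliant app or flow to the violations found for it."""
    report = {}
    for item in inventory:
        reasons = [v for p in policies if p.applies_to(item["environment"])
                   for v in p.violations(item["connectors"])]
        if reasons:
            report[item["name"]] = reasons
    return report

# Constructed sample policies and inventory, for illustration only.
POLICIES = [
    DlpPolicy("tenant-baseline",
              {"SharePoint": BDO, "Dataverse": BDO, "Dropbox": BLOCKED}),
    DlpPolicy("prod-strict", {"SharePoint": BDO, "Dataverse": BDO, "RSS": BLOCKED},
              scope="only", environments={"Finance-Prod"}),
]
INVENTORY = [
    {"name": "Invoice sync", "environment": "Finance-Prod", "connectors": ["SharePoint", "Dataverse"]},
    {"name": "News digest", "environment": "Personal Productivity", "connectors": ["RSS", "Twitter"]},
    {"name": "Export to Twitter", "environment": "Finance-Prod", "connectors": ["Dataverse", "Twitter"]},
    {"name": "Feed loader", "environment": "Finance-Prod", "connectors": ["RSS"]},
]

if __name__ == "__main__":
    for name, reasons in audit(INVENTORY, POLICIES).items():
        print(name, "->", reasons)
```
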

Once you’ve established a team structure for your environment and set up DLP policies, the next step is to start monitoring activity across your tenant.

3. Leverage out-of-the-box activity logs and analytics

  • It’s important to monitor who is using your Power Apps and flows and how they’re using them, both to understand user adoption and to ensure security policies are effective. You can use the Office 365 Security & Compliance Center to access full logs and audit records for Power Apps and Power Automate. These logs and records will provide you with a full account of users, activities, and timelines.

  • To access logs and audit records, you must have an Office 365 E3 license or greater and have enabled security and compliance audits at an organization level.
  • Office 365 also enables you to use an application programming interface (API) to query this data. If you use a third-party monitoring tool, you can use this API to access activity log data for reporting purposes.

With logging out of the way, the next area to focus on is analytics. If you currently use Dynamics 365 with Dataverse, the Power Platform Admin Center offers full logs around API calls and performance within your Dataverse environment. By logging into the Power Platform Admin Center and navigating to the Analytics tab, you can track:

  • Common Data Services: Who is using the system, and which tables and entities they’re using.
  • Power Automate: The number of flow runs over a maximum period of 28 days as well as usage statistics for the various flows. You can also see when certain flows were created, how many flows are in each environment within your tenant, and so on.
  • Power Apps: How many times apps have been launched over a maximum period of 28 days, user location, app version, and so on.

4. Build a Center of Excellence

Rather than start from scratch, consider downloading the Power Platform Center of Excellence (CoE) Starter Kit, which is a “collection of templatized best practices” designed with administration and governance in mind. This starter kit includes the following components:

With a clear picture of the apps within your environment, and DLP policies to ensure governance, the next step is to use that knowledge to act.

5. Establish and automate your audit process

One of the amazing things about Power Automate is that you can use it to automate your audit and alert process. In Power Automate, you can create your own workflows using management connectors that either permit or restrict behavior based on your organization’s DLP policies. There are several free audit workflow templates that you can use, courtesy of Microsoft, including the audit workflow in the Power Platform CoE Starter Kit.

6. Welcome new makers and identify champions

Whenever you detect a new flow, check to see whether that maker is part of the maker's Active Directory group. If they aren’t, that means they’re a new maker, and you should send them a welcome email that lists the company and public resources. You should also invite them to join your organization’s internal Yammer/Teams/SharePoint Club to share best practices. You can find a complimentary welcome email template in the Power Platform CoE Starter Kit.

In addition to welcoming new makers, you’ll also want to identify Power Platform champions who can help empower new users within your existing user base. When identifying champions, look for individuals who:


  • Are diligent in their work
  • Understand your company’s vision for data governance
  • Demonstrate interest in the Power Platform
  • Have a positive attitude
  • Are well-regarded by other users
  • Possess leadership qualities

Real-World Example: Governance in Action for one of our Financial Services clients

Our client, a financial services company, adopted Power Platform to accelerate their digital transformation. Initially, the lack of governance led to uncontrolled app creation and data sharing, exposing the client to compliance risks. By implementing a comprehensive governance framework, including RBAC, DLP policies, and managed environments, the client achieved:

  • Enhanced Security: Sensitive financial data was secured with strict access controls and DLP policies, reducing the risk of data breaches.
  • Operational Efficiency: Standardized development practices and automated workflows streamlined app creation and updates, saving time and resources.
  • Compliance Assurance: Regular audits and automated compliance checks ensured adherence to regulatory requirements and internal policies.
  • Responsible Innovation: Business units were empowered to create solutions within a controlled environment, aligning innovation with organizational goals.

Conclusion:

By following the above best practices, you can streamline overall Power Platform governance. Collaboration and ownership within groups improve, and the organization can save on resources. End-to-end security is also managed so that sensitive data isn't compromised. With these best practices, Everling's team helped lay a strong foundation in data governance for a few of our financial services clients and made a significant impact in the areas below:

  • The team was able to reduce costs by 40% by ensuring teams use approved connectors and that not everyone has access to premium connectors.
  • End-to-end data security was ensured by handling all deployment and migration properly.
  • Clear ownership was defined for all apps, and nothing was left orphaned or unattended.

For more insights and personalized assistance on Power Platform management and governance, get in touch with our team of experts. We’re here to help you succeed in your digital transformation journey.  
