Securing the Power Platform - What are my options

Editor's Notes

• #1: Power Platform y Teams: ¿Qué platos tengo en mi menú?
• #4: La importancia de la protección de datos y plataformas Capas de Seguridad en la Power Platform Gestión de Acceso al Dato, Seguridad del Dato y Prevención de Fuga de Datos Cumplimiento de regulaciones y normativas Conclusiones
• #5: Growing sophistication of attacks Drive to leverage data to unlock AI-driven scenarios Data access demands from an increasingly dynamic workforce Evolving regulatory and legal requirement
• #6: How can I control and limit access to data? How can I prevent data exfiltration? How can I stay compliant with regulations? How can I protect my data from external threats? How can I gain visibility into user activity? How can I assess the risk?
• #7: How can I protect my data from external threats? Identity management Network Security How can I control and limit access to data? How can I prevent data exfiltration? How can I gain visibility into user activity? User access management Data level security Prevent data exfiltration Increased visibility How can I stay compliant with regulations? Data encryption Compliance How can I assess the risk?
• #10: Power Platform Security Hub
• #11: Authentication: Full support for Microsoft Entra-based identities and access controls Security group native integration Automatically block access if suspicious activities are detected Conditional Access Make decisions and enforce organization policies regarding user/group membership, IP location, device, risk detection, etc. Tenant Isolation Restrict to/from cross tenant connections established via Power Platform applications and flows. Allow rules based on business needs Continuous Access Evaluation Force user re-authentication as response to events such: password change/reset, user account deleted , auth token refresh, MFA enabled, etc. Current scope: Dataverse, model driven apps
• #14: Restrict cross-tenant inbound and outbound access - Power Platform | Microsoft Learn
• #17: Conditional Access Tenant Isolation
• #20: Approved host names & IP ranges Filter inbound and outbound traffic Service tags Use in network access controls on Network Security Groups (NSGs) or Azure Firewall instead of approved IP ranges Minimize the complexity of frequent updates to network security rules IP Firewall IP firewall in Power Platform environments - Power Platform | Microsoft Learn Prevents malicious users, outside allowed IP ranges, from accessing your data – Mitigate insider threats like data exfiltration: A malicious user who tries to download data from Dataverse using a client tool like Excel or Power BI from a disallowed IP location is blocked from doing so in real time. Prevent token replay attacks: If a user steals an access token and tries to use it to access Dataverse from outside allowed IP ranges, Dataverse denies the attempt in real time. Current scope: Dataverse IP Cookie Binding Safeguarding Dataverse sessions with IP cookie binding - Power Platform | Microsoft Learn Prevents attackers using cookies to impersonate an authorized user Current scope: Dataverse Network Isolation Virtual Network support overview - Power Platform | Microsoft Learn Helps you route all network traffic from Power Platform environments to your v-Net without routing through internet. Scope supported: Dataverse plugins, selected connectors
• #21: Approved host names & IP ranges Filter inbound and outbound traffic Service tags Use in network access controls on Network Security Groups (NSGs) or Azure Firewall instead of approved IP ranges Minimize the complexity of frequent updates to network security rules IP Firewall IP firewall in Power Platform environments - Power Platform | Microsoft Learn Prevents malicious users, outside allowed IP ranges, from accessing your data – Mitigate insider threats like data exfiltration: A malicious user who tries to download data from Dataverse using a client tool like Excel or Power BI from a disallowed IP location is blocked from doing so in real time. Prevent token replay attacks: If a user steals an access token and tries to use it to access Dataverse from outside allowed IP ranges, Dataverse denies the attempt in real time. Current scope: Dataverse IP Cookie Binding Safeguarding Dataverse sessions with IP cookie binding - Power Platform | Microsoft Learn Prevents attackers using cookies to impersonate an authorized user Current scope: Dataverse Network Isolation Virtual Network support overview - Power Platform | Microsoft Learn Helps you route all network traffic from Power Platform environments to your v-Net without routing through internet. Scope supported: Dataverse plugins, selected connectors
• #24: IP Firewall IP Cookie binding
• #26: Tenant Access Only licensed users with a valid Microsoft Entra ID can log into the system. Environment Access Environment is the security boundary and the unit of governance management Recommended to assign security groups to environments to manage user access Resources Access: Access to co-own components – edit, share, use Access to run components – use only no edit
• #27: Govern Maker Access Secure the default environment Establish an environment strategy Limit sharing with everyone, configure specific limits Establish data loss prevention policies. Don’t forget about the new connectors. Govern custom connectors usage. Enable tenant isolation. Route makers to dedicated environments. Share best practices with maker onboarding. Govern Guests Access Everyone includes all users in Entra ID, including guests Guests are treated as any other users in the tenant Assess if guests making apps in your organization is required. Disable if guests are not expected to be makers. Disable guest access to Power Platform resources using Conditional Access Disable share with everyone Control access using roles and permissions Govern administrator roles assignment to guests
• #29: Gobern User Access Implement security access using a layered approach Use explicit authentication for shared connections Cleanup of deleted users/reassign owned records Licensing is not a security control Sharing limits Microsoft Entra security groups User access diagnostics and troubleshooting Diagnose user access related issues by invoking ‘Run diagnostics’ in PPAC Identify license, security role, security group or Microsoft Entra related issues Get appropriate pointers to resolve the underlying problem Auto-synchronization of user information in Microsoft Entra Govern Admin Access: Limit Power Platform administrator roles Privilege Identity Management – Power Platform preview Enforce on-demand, just-in-time administrative access when needed Minimize number of privileged users (admins) and duration of access Reduce risks of authorized user impact on sensitive data Reduce risks of malicious user getting access
• #31: Disable Guest Access at the environment level Configuring PIM to be a PP Admin Diganostics & Troubleshooting: Troubleshoot common user access issues for environments - Power Platform | Microsoft Learn
• #32: Dataverse Security Users are associated with an environment either directly or just in-time via an Azure AD Group Access to apps, data and services is by association with one or more security roles Each security role grants discrete privileges to tables in Dataverse Dataverse data can be secured down to the column-level and records can be shared Role based security OOB and custom roles Extensible and customizable Row-level controls Action-based controls Granular level of access Fine-Grain Controls Record level sharing Hierarchical and matrix data access structure Column level security Segregate data in ‘folder’ business unit Collaborate with Teams Record and user access auditing Microsoft Purview Integration Automatically scan, classify and label sensitive data within your data estate and allows you define policies to prevent loss Define policies to keep data estate secure, reduce data exposure, and better protect sensitive data. Empower data consumers to discover valuable, trustworthy data.
• #33: DLP Environment / tenant-wide guardrails to prevent makers from exposing organizational data DLP in design Time Prevent makers from building apps and flows that leverage blocked connectors. Extended DLP to support prevent creating new connections to blocked connectors. Connector Action Control Providing admins fine grain control over which actions within a connector are permitted within the environment. User Granular Consent Users consents to specific permissions required to establish connections to data sources. Accurate and concise description of what the connector will be executing prior to connection creation specific to actions executed in the application.
• #34: Restrict cross-tenant inbound and outbound access - Power Platform | Microsoft Learn
• #36: Dataverse Audit User access and activity (records changes) Monitor system jobs Audit delete jobs Manage log records Activity Logging Dataverse, Power Apps, Power Automate, Connector*, DLP activity Internal and external audit Audit changes to records and user access Admin Activity Logging Activities performed on Environments by the Power Platform Administrator Lifecycle operations, property and setting change activities, security and permission change activities Microsoft 365 Purview Audit Capture, record, discover and retain your organization's unified audit log
• #37: Data Policies Setup Dataverse Audit Purview Audit
• #38: Secure Your Power Platform Deployment best practices Limit sharing to business users that need to access the app Licensing is not a security control Route makers to dedicated developer environments Assign security groups to environments Mange @scale with proper environment strategy and corresponding data exfiltration prevention policies & ALM Configure solution checker to automate analysis against best practices rules and identify solution issues Educate makers regarding organization’s best practices with maker welcome content Leverage Dataverse fine grain security controls Assign administrator roles judiciously Leverage analytics, audit and threat detection solutions to get deep visibility into activity on the platform
• #39: Microsoft Managed Key Encryption - last and strongest line of defense in a multi-layered data security strategy Available out of the box for all data/storage types Customer Managed Key Self-manage the encryption key Maintain control over your data Prevent access to customer content when you revoke the key access to our services, at any time Private link Azure managed-HSM Automatic key rotation Protection for data in transit Protects user from interception of their communication and helps ensure transaction integrity Protects from bulk interception of data Protects from interception or loss of data in transit between users
• #40: JIT access policies Time bound access from secured station by personnel with security clearance Multiple layers of approval Audit Customer Lockbox Extendss JIT with customer approval Bound to specific environment, user and duration OOB audit available to end user Data residency: Tenant home geo default Multi-geo support (at environment level) to enable global presence Data resiliency ensured within geo Data Privacy: GDPR compliant Microsoft Trust Center Government Hosting Address evolving requirements of the public sector Available based on eligibility criteria Additional restrictions to data access Compliance standards National, regional and industry-specific regulations for data collection and use E.g., FedRamp, FERPA, HIPAA, SOC, IRS 1075, SEC Regulation, FISC (Japan), FACT (UK), etc.
• #41: Data Privacy: GDPR compliant Microsoft Trust Center Government Hosting Address evolving requirements of the public sector Available based on eligibility criteria Additional restrictions to data access Compliance standards National, regional and industry-specific regulations for data collection and use E.g., FedRamp, FERPA, HIPAA, SOC, IRS 1075, SEC Regulation, FISC (Japan), FACT (UK), etc.
• #42: Customer Lockbox
• #43: Use Power Platform Trust Center for latest on security, privacy, compliance, and transparency. Govern Microsoft access to sensitive data with CMK and Lockbox Govern AI access to sensitive data using Dataverse security controls