Securing customer and operational data is a key concern of organizations embarking on a digital transformation journey. In this chapter, you will learn how to design a Power Platform security model that facilitates the implementation by defining the business unit and team structures, security roles, and column security. You will also define the Azure Active Directory configurations required to support a secure authentication process, alongside data loss prevention (DLP) policies.
We will define Power Apps Portal, Power Automate, and Canvas apps security mode to support the customer’s requirements. You will design management policies to control changes to the security model.
In this chapter, we’re going to cover the following topics:
Designing a Power Platform core security model involves tackling access to data and systems from three vectors:
During the discovery phase, solution architects work with the business to identify the security infrastructure currently in place. The implementation of a Power Platform solution is unlikely to be the guiding factor for an organization’s security and authentication strategy. Power Platform solutions architects look to work with the policies and framework currently in place.
To understand an organization’s existing security framework, solution architects work with business analysts and systems owners to complete a security baseline checklist, similar to the one described in the following table:
These questions will help you get a base understanding of the current security and authentication infrastructure. The answers may warrant further questions and investigation to pinpoint the detailed security framework. Once you understand the security systems in place, you are ready to find out how they are managed.
Once the existing security framework has been identified, you can proceed to discover its management and change processes. The following set of questions can help solution architects understand the security processes to be followed when implementing a Power Platform solution:
The answers to these questions will dictate the process to be followed during the design and implementation of the Power Platform security concepts.
The following are a set of guidelines and best practices you should follow when designing and implementing the Power Platform security concepts:
There are several ways users may gain access to Power Platform environments. Solution architects understand all the access vectors and define a security model that defines how each of them will be configured.
Power Platform environments may be associated with a Microsoft 365 or Azure AD group, effectively restricting access to the environment to members of that group. During the initial environment definition, solution architects define the security groups that are required to control access to each environment level.
Once an environment is associated with a group, only members of that group can access the system (except for Microsoft 365 global admins, Power Platform admins, and delegate admins).
The following diagram illustrates a typical Power Platform environment and security group configuration:
Having configured the environments and security groups, administrators can control the users that have access to each Power Platform environment level by adding and removing users from each group. Environments may be configured to use security groups via the Power Platform administration portal, as illustrated in the following screenshot:
If a Power Platform environment is not associated with a security group, all users with the appropriate license will be automatically added to the environment. When a Microsoft 365/AD user is added to a security group, they are automatically added to the Dataverse environment. Conversely, when a user is removed from a security group, their corresponding Dataverse user is deactivated.
Note
When a security group is associated with a Power Platform environment, all the users that were previously active within the system will be deactivated unless they are already in the security group (or they have a Microsoft 365 admin role granting them access to the environment).
Microsoft 365 includes specialized roles that automatically grant system administrators access to Power Platform environments. These Microsoft 365 roles are as follows:
Users may also be granted roles within a Power Platform environment. If a Dataverse database does not exist with an environment, the following two roles may be used:
Once a Dataverse database has been created within a Power Platform environment, the Dataverse security model takes over.
External applications looking to access the Dataverse API will need to authenticate themselves. Two types of users exist for this purpose.
Please refer to Chapter 10, Power Platform Integration Strategies, for instructions on creating application users.
Further Reading
The following documentation provides full details on managing application users within a Power Platform environment: https://docs.microsoft.com/power-platform/admin/manage-application-users.
Data loss prevention (DLP) policies help prevent data from being released unintentionally. They help protect the security of a tenant.
When configuring and implementing a Power Platform solution, it is important to be aware of the following DLP features and restrictions that may be in place.
The following are some key DLP considerations:
The following is a list of guiding principles when defining DLP policies:
When deploying DLP policies, solution architects consider the following:
If an existing process is found to be in breach of the DLP policies, it will be automatically disabled, and the owner will receive the following email notification:
Before DLP policies are configured, it is important to validate the rollout by running through a DLP deployment checklist that includes the following aspects:
Depending on the size of the organization, there may be individuals or teams dedicated to configuring DLP policies. Power Platform solution architects either configure or provide input for configuring DLP policies to ensure the Power Platform solution is secure, while at the same time being able to perform.
DLP policies may be configured via the Power Platform admin center by selecting the Data policies option, as illustrated in the following screenshot:
The DLP configuration pages allow you to categorize connectors into one of three areas:
The following screenshot illustrates the DLP connector configuration page. Note that custom connectors may also be configured and restricted via a DLP policy using an API/connector host URL pattern:
And finally, once the connectors have been assigned to their appropriate DLP restriction categories, the policy itself may be associated with all Power Platform environments or specific environments, as illustrated in the following screenshot:
DLP policies are powerful tools that can help prevent the unauthorized distribution of business data. Solution architects work with organizations to define and configure DLP policies to ensure the Power Platform’s data is secure.
Further Reading
Please refer to the following documentation for detailed instructions on how to configure DLP policies: https://docs.microsoft.com/power-platform/admin/prevent-data-loss.
In this section, we will discuss how to secure Dataverse and the applications that use its security framework. We will start by looking at how users interact with the solution, tailoring the security settings to enable authorized tasks and restrict other activities.
When defining the security model, solution architects assess how the system will be used. The following table lists the key patterns for users looking to access Power Platform applications:
When defining the security model, solution architects analyze how users interact with data and whether they work by themselves or interact with other team members.
Power Platform solution architects secure Dataverse solutions with the following best practices in mind:
Dataverse provides a rich feature set for managing data access privileges. The following list outlines the main Dataverse security concepts:
The following subsections describe each of these security concepts.
Users looking to access Dataverse data require a user record. Privileges are configured for that user, granting access to tables, columns, and rows. These user records are automatically created when a Microsoft 365 user account is granted access to Dataverse by assigning the corresponding licenses and security groups (where appropriate; see Azure AD Groups security configuration for Dataverse teams, as described in the following section).
The two main types of Dataverse users are as follows:
Users with the appropriate license and group membership will appear on the Power Platform admin center page, as follows:
New application users can be registered via the App registrations section of the Azure Active Directory page in the Azure portal. The following screenshot illustrates an example application user registered in Active Directory:
Once the application registration is complete, the application user may be created in the Power Platform admin center. The resulting application user is illustrated in the following screenshot:
Standard users and application users can then be given security roles and assigned to teams.
Further Reading
Please refer to the following documentation for additional details on Power Platform application users: https://docs.microsoft.com/en-us/power-platform/admin/manage-application-users.
Dataverse Teams provide a means of grouping users. Grouping users into teams reduces or removes the need for managing rights for each user, and provides a mechanism for granting row access to the entire group.
There are four types of Dataverse teams:
When creating a Dataverse Azure AD Security or Office Group team, it is possible to define whether members, guests, or owners of the group will be replicated as Dataverse users. The following screenshot illustrates the available options:
Solution architects review the organization’s functional and security requirements and define a team strategy that leverages the different types of teams. The following diagram illustrates various use cases for the different types of Dataverse teams:
Dataverse business units contain teams and users. They are key components in the Dataverse security model, as they allow data to be partitioned within tables. Combining business units with security models allows users and their data to be segmented.
When designing the Dataverse security model, solution architects define a business unit hierarchy that matches the security requirements, rather than the organizational structure,
Consider the following when defining Business Units:
The following diagram illustrates a typical business unit structure:
Note
Most of the time, you will want to define a business unit hierarchy based on security requirements. There are exceptions to this rule, where the organizational structure may, at times, match the needs of the Dataverse security model.
Dataverse tables are configured on creation using one of two ownership modes:
Note
Once a table has been created using organization-level ownership, it can’t be changed. The table would need to be recreated, resulting in potential migration and refactoring efforts. Solution architects should only select organization-level table ownership when it is confirmed that there will never be a need to control access to its rows based on the user or team that owns it.
Dataverse security roles provide granular control over the level of access granted to users and teams. They are the central mechanism for controlling who has access to Dataverse data, the level of access, the features may use, and the actions they may perform.
Security roles may be assigned to teams (and therefore granted to the team’s members) or directly assigned to individual users.
Security roles can specify the level of permissions to be granted to users and teams. The following screenshot illustrates the eight available privileges:
Solution architects review the business requirements and define the minimum level of access required by users. The eight record-level privileges are as follows:
Row-level privileges may be further configured by the five levels of access illustrated in the following screenshot:
The five levels of access are as follows:
Security roles may be configured for member privilege inheritance. The two inheritance options are as follows:
As the name implies, the key difference between these two application modes is that, when a security role is assigned to a team, the team’s user has the security role assigned as if it has been directly associated with their user. This removes the need to assign security roles directly to users and allows administrators to manage Dataverse access using solely user team memberships.
When selecting Direct User (Basic) access level and Team Privileges, the team’s members will receive the security role privileges as if the role had been assigned directly to the user. This removes the need to assign at least one security role to the user record, simplifying the user management and onboarding process:
Note
Using Direct User security roles in combination with Azure AD Group Teams is a great way to streamline the creation and management of Dataverse users. New users may be added to a Microsoft 365 group and have their accounts created in Dataverse. Any necessary security roles are assigned automatically.
The effect of security roles is cumulative. When a user is granted multiple security roles, they gain access to rows by aggregating all the permissions granted by the assigned roles. This aggregation of security roles provides a means of defining security design strategies that leverage security role layers.
The four main Dataverse security role layering strategies are as follows:
Position-specific roles include all the permissions a user requires. Roles will typically be named after the position that it caters for (for example, Sales Person or Customer Service Manager). While this strategy provides a clear set of self-contained roles, each fully defining all the privileges a position requires, it may result in a higher maintenance overhead, as the various roles are likely to have a common set of permission across them. Adding a new custom table may mean editing all the roles to include access to the new table:
This security role strategy adds a base layer to the position role. The base security role includes permissions that are common across the board (for example, all users will need a basic level of create/read/write access to contact records). The position role can then focus on complementing the base role, including permissions that are specific to the position in question. An example set of base and position roles are as follows:
A member of the sales team could then be assigned the Baseline and Sales person roles, thus completing their access to Dataverse:
This strategy is similar to the base role and position role strategy. The main difference is that the specialized roles are built around capabilities rather than staff member positions. An example set of base and capability roles are as follows and shown in the Figure 11.18:
This strategy combines the position and capability roles, providing greater flexibility when defining and assigning permissions. An example set of roles is as follows and shown in the Figure 11.19:
Dataverse columns may be configured for column-level security, allowing administrators to specify the user and/or teams that will be granted access. Column-level security works separately from security roles and is designed to provide further control over who can see and update data within specific fields. This may be used to control access to personal data within a contact record, granting read access to only a select group of people or teams.
The sharing feature within Dataverse allows rows to be shared with a user or team that would not normally have access.
Note
Sharing a large number of records will result in performance degradation as sharing creates a sharing record per row per user, resulting in a potentially large dataset that needs to be checked by Dataverse every time a user attempts to access a row. Therefore, sharing is used when the volume of data to be shared is expected to be low.
Auditing is configured at the environment, table, and column levels. When auditing is enabled, it logs data changes performed by Dataverse users.
Read actions are not monitored by the Dataverse auditing facility. They may, however, be captured using activity logging, which is monitored via the Microsoft 365 Security and Compliance Center. Activity logging must be enabled before use.
Both implementation consultants and stakeholders will benefit from a high-level permissions matrix. This is typically a table that presents the different roles (or teams) and the actions they can perform in the system. From the requirements captured so far, solution architects list the various activities and the users that perform them in a matrix, as follows:
The Dataverse permissions matrix allows you to quickly review and compare roles. It also serves as a discussion point with stakeholders, who will be able to visualize the separation of roles. The security design may then be adjusted based on these discussions.
External users may access Power Platform applications via several routes. The following is a summary of the main routes through which external users may access the Power Platform:
Power Pages (previously Power Apps Portals) may be configured to authenticate external users through a variety of authentication protocols, including AD and Azure AD B2C.
Microsoft 365 tenants may be connected, granting access to users from one tenant to the other. This implementation route allows users from another organization or Microsoft 365 tenant to access Model-Driven Apps, Canvas Apps, and Dataverse using the credentials from the external tenant.
Custom applications may implement any number of authentication strategies. While the connection from the custom application to Power Platform and Dataverse may be through an application user or service account, external users may authenticate any number of bespoke protocols with the custom application, thus allowing external users access to Power Platform data.
As a solution architect, you will work with the business to identify the optimal access route for external users.
In this chapter, you learned how to work through the security architecture discovery process, and you learn about how to define security concepts for Power Platform applications, and, more specifically, the Dataverse security concepts. A solid security solution design is crucial for the successful implementation and ongoing operation of Power Platform applications.
In the next chapter, you will learn how to manage the implementation of Power Platform solutions, including how to validate compliance with security concepts and how to resolve automation and integration conflicts.
18.224.246.203