Global Power Platform Bootcamp, Bulgaria 2021
Crack the insecurity with Power Platform Security
- Dipti Chhatrapati, Modern Workplace Architect, AIS.
Global Power platform Bootcamp Bulgaria 2021
Agenda
1. Tenant Level Access Control
2. Environment Isolation
3. Resource-level security
4. Connection security and DLP
5. Dataverse Access Levels
Themes:
• Balance the privileges
• Separate illusion from the reality
• Make a promise to be secured
• Set the relationships & boundaries
• Organize realistic routine
Security is built into every layer of the stack.
1. Tenant access & isolation
2. Environment access & strategy (Environment: Dev, Test, Prod)
3. Resource permissions
4. Connector access and data loss policies
5. Microsoft Dataverse security
1. Tenant Level Access Control
Diagram: INTERNAL TENANT and EXTERNAL TENANT, each with Power Apps and Power Automate
• Internal user cannot establish a connection using external tenant credentials
• External user cannot establish a connection using internal tenant credentials
• AAD Conditional policies by Device/Location/User/Group
2. Environment Isolation
• Restrict environment creation to Power Platform/Dynamics 365 Admins only
• Provision personal apps in Default and non-personal apps in Sandbox/Production env.
  • Dev/Test/Production environments for specific business groups or application
• Configure DLP policies for all environments to restrict connectors
• Non-default and non-developer environments with Dataverse can be restricted with specific AAD security group.
3. Resource Level Security
Sharing options: Share via Security Role; Co-Ownership to Share; Co-Ownership to Edit; Co-Ownership to Use
Resources: Canvas App, Cloud Flow, Model Driven App
Flow co-owner permissions:
• To edit, update and delete this flow.
• Access the run history and add or remove other owners.
Security roles:
• Environment Admin
• Environment Maker
• Basic User
• System Admin
• System Customizer
4. Connectors and Data Loss Prevention Policies
Diagram: Data, Connectors, Connection, Power Platform Resources
4. Connectors and Data Loss Prevention Policies
• Connectors Grouping – Business/Non-Business/Blocked
• Tenant Level and Environment Level DLP policies
• Set policies using connectors/Admin center/PowerShell
DLP policies by environment type (scope):
• Most restrictive DLP – Default/new environment (Tenant, all env. except )
• Org Productivity DLP – LOB environments (Tenant, Include env.)
• Org IT management DLP – Central IT environment (Tenant, Include env.)
• Special Env DLP – Special Application Environment (Environment, Single Env.)
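An added example (not from the original slides) that models how the four policies above could resolve for an environment and how connector grouping is enforced: a single app or flow cannot use a Blocked connector or combine Business and Non-Business connectors. The policy names and scope types come from the slide; the environment names, the exclusion list, the connector groupings and the default group are constructed assumptions.

```python
# Added illustration. Policy names and scope types come from the slide;
# environment names and connector groupings are constructed.
POLICIES = [
    {"name": "Most restrictive DLP", "scope": "all_except",
     "envs": {"LOB-Sales", "Central-IT", "Special-App"},
     "groups": {"SharePoint": "business", "Twitter": "blocked",
                "Dropbox": "blocked"}},
    {"name": "Org Productivity DLP", "scope": "include",
     "envs": {"LOB-Sales"},
     "groups": {"SharePoint": "business", "Twitter": "non_business",
                "Dropbox": "blocked"}},
    {"name": "Org IT management DLP", "scope": "include",
     "envs": {"Central-IT"},
     "groups": {"SharePoint": "business", "Dropbox": "business"}},
    {"name": "Special Env DLP", "scope": "single",
     "envs": {"Special-App"},
     "groups": {"SharePoint": "business", "Twitter": "business"}},
]
DEFAULT_GROUP = "non_business"  # assumed group for unlisted connectors


def applies(policy, env):
    """An 'all_except' policy covers unlisted envs; others cover listed envs."""
    listed = env in policy["envs"]
    return not listed if policy["scope"] == "all_except" else listed


def policies_for(env):
    """Names of the policies whose scope covers this environment."""
    return [p["name"] for p in POLICIES if applies(p, env)]


def violations(env, connectors):
    """(policy, reason) pairs for one app or flow using these connectors."""
    found = []
    for p in POLICIES:
        if not applies(p, env):
            continue
        groups = {c: p["groups"].get(c, DEFAULT_GROUP) for c in connectors}
        blocked = sorted(c for c, g in groups.items() if g == "blocked")
        if blocked:
            found.append((p["name"], "blocked: " + ", ".join(blocked)))
        if {"business", "non_business"} <= set(groups.values()):
            found.append((p["name"], "mixes business and non-business"))
    return found
```

The same connector pair (SharePoint with Twitter) is rejected for a different reason in each environment type, which is the practical effect of layering a restrictive default policy with looser scoped ones.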
5. Microsoft Dataverse Security
• Field Level Security: Read-Create-Update
• Record level security: Create-Read-Write-Delete-Append-Append To-Assign-Share
• Business Units and Teams: Security boundary for the users' data / work with security role’s scope
• Security Roles and Privileges (Users/Teams): Environment Admin - Environment Maker - Common Data Service User - System Admin - System Customizer
Record Level Security
Business units (diagram): Default BU, BU 1, BU 1.1, BU 1.1.1, BU 1.2, BU 2, BU 2.1, BU 2.2, BU 2.2.2
Users (diagram): Tamra Jeramy Lucas Ren Gavin Ross Tobias Weston Tom Dipti
Record Scope: Who can access? (Create-Read-Write-Delete-Append-Append To-Assign-Share)
• Global: Anyone in the organization
• Deep: Any user from assigned business unit and its child business unit
• Local: Any user from assigned business unit
• Basic: User who owns
Epic Manager Security Role: Create, Read, Write, Delete
User experience with Epic Manager Security Role:
• Anyone can create record
• Tamra can only read all records from BU 1/1.2/1.1/1.1.1
• Lucas can only write records from BU 1.1
• Ross can only delete record created by him in BU 2.1
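An added example (not from the original slides) that evaluates the four record scopes against the business unit tree for the three users named above. The BU parentage, each user's business unit, the role's per-privilege levels (Create: Global, Read: Deep, Write: Local, Delete: Basic) and the sample records are assumptions inferred from the slide's names and examples.

```python
# Added illustration: simplified Dataverse access-level check.
# BU parentage, user placement and the role's levels are assumptions
# inferred from the slide; sharing, teams and field security are ignored.
PARENT = {
    "BU 1": "Default BU", "BU 2": "Default BU",
    "BU 1.1": "BU 1", "BU 1.2": "BU 1", "BU 1.1.1": "BU 1.1",
    "BU 2.1": "BU 2", "BU 2.2": "BU 2", "BU 2.2.2": "BU 2.2",
}
USER_BU = {"Tamra": "BU 1", "Lucas": "BU 1.1", "Ross": "BU 2.1"}
# Epic Manager role: privilege -> access level (assumed mapping).
EPIC_MANAGER = {"create": "global", "read": "deep",
                "write": "local", "delete": "basic"}

# Constructed sample records: owning business unit and owning user.
RECORDS = [
    {"id": "r1", "bu": "BU 1.1.1", "owner": "user_a"},
    {"id": "r2", "bu": "BU 1.1", "owner": "Lucas"},
    {"id": "r3", "bu": "BU 2.1", "owner": "Ross"},
    {"id": "r4", "bu": "BU 2.1", "owner": "user_b"},
]


def in_subtree(bu, root):
    """True if bu is root or sits anywhere below it in the BU tree."""
    while bu is not None:
        if bu == root:
            return True
        bu = PARENT.get(bu)
    return False


def can(user, privilege, record, role=EPIC_MANAGER):
    """Evaluate one privilege on one record; deny if the role lacks it."""
    level = role.get(privilege)
    if level == "global":
        return True
    if level == "deep":
        return in_subtree(record["bu"], USER_BU[user])
    if level == "local":
        return record["bu"] == USER_BU[user]
    if level == "basic":
        return record["owner"] == user
    return False


def allowed(user, privilege):
    """IDs of the sample records the user may act on with this privilege."""
    return [r["id"] for r in RECORDS if can(user, privilege, r)]
```

Ross can read both BU 2.1 records but delete only the one he owns, which is why each privilege needs its own scope review rather than a single level per role.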
DEMO
• How user connects to external tenant which should be restricted?
• How environments can be restricted?
• How are resources shared with users/Security groups?
• How are connectors grouped with DLP?
• How records can be secured via security roles/scopes?
Thank you for joining!
Join Dynamics 365 Trial Tenant: https://docs.microsoft.com/en-us/dynamics365/marketing/trial-signup
Administering Power Platform: https://docs.microsoft.com/en-us/power-platform/admin/admin-documentation
Power Platform Best Practices: https://docs.microsoft.com/en-us/power-platform/guidance/adoption/methodology