New Year’s resolution: beef up your Power Platform security!

It’s the beginning of January, which is the time for New Year’s resolutions. One of these could be to harden the security of your Power Platform environments! For this purpose, I am creating a short blog series highlighting the different security options available in PPAC (Power Platform Admin Center). This article collects all of that information in one place.

Call to action: please validate these options for your (customer’s) scenarios, improve your security score, and harden your Power Platform environments as much as possible!

Many of the features I’m describing require your environment to be set up as a Managed Environment. In the Security hub (Home - Power Platform admin center) these features show up with a little Managed Environment logo.

Managed Environments require Premium Power Platform licenses, but the good news is that if you already have Copilot Studio or Dynamics Enterprise licenses in place, this entitles you to use Managed Environments too. More information on Managed Environments and licensing here: Licensing - Power Platform | Microsoft Learn.


Chapter 1: Network Security Settings

In today's digital age, ensuring the security of network infrastructure is crucial for any organization.

IP firewall

A firewall acts as the first line of defense against external threats. PPAC allows administrators to configure IP firewall rules to control incoming and outgoing traffic based on IP addresses. By specifying which IP addresses are allowed or blocked, organizations can prevent unauthorized access and protect sensitive data. To further detail the allowed traffic, it is also possible to use Service tags and work with a Reverse proxy.

Aside from your environment being a Managed Environment, this feature also requires Microsoft 365 E5 (or equivalent) licenses. More detailed information on the license requirements and setup steps: IP firewall in Power Platform environments - Power Platform | Microsoft Learn.

Please note that the above does not apply to Finance & Operations, even when connected to Dataverse. F&O CHEs (Cloud Hosted Environments) can instead be firewall-secured using Network security groups.

IP address-Based cookie binding

IP address-based cookie binding is a security feature that ties a session cookie to a specific IP address. This ensures that the session cookie cannot be used by unauthorized IP addresses, thus preventing session hijacking and unauthorized access.

This is simply a toggle to turn on, no additional configuration required. You can read up on it here: Safeguarding Dataverse sessions with IP cookie binding - Power Platform | Microsoft Learn.

Azure Virtual Network Policies

Azure Virtual Network policies provide enhanced security by allowing administrators to configure security rules for virtual networks within Azure. These policies control the flow of traffic between virtual networks and on-premises networks, ensuring that only authorized connections are allowed.

Power Platform uses the Virtual Network and subnets that you delegate to make outbound calls to enterprise resources over the enterprise private network. Using a private network eliminates the need to route the traffic over the public internet, which could expose enterprise resources.

To be able to turn this on, you need to already have an Azure Virtual Network policy created. If you use custom connectors these should be reviewed to make them work with private connectivity. Extensive information here:


Chapter 2: Access Control

Access controls are a fundamental aspect of securing modern IT environments, particularly within cloud-based platforms such as Power Platform. Making sure that only authorized users can access specific resources protects sensitive data and maintains the integrity of your organizational systems.

Most Access Control features described below do not require Managed environments, so they can be enabled without paid Power Platform licenses.

Tenant Isolation

With Tenant Isolation, it is possible to restrict the flow of data from and to your Power Platform tenant. If you only have one tenant, or have separate tenants for DTAP (Dev, Test, ACC, Prod) and want to enforce that data is not mixed between these environments, turn this toggle on. Even when you want to allow some cross-tenant communication, this can be governed using a whitelist. All the options are displayed here: Restrict cross-tenant inbound and outbound access - Power Platform | Microsoft Learn.

Data policies

Data policies, or Data loss prevention (DLP) policies, can be used to restrict the use of Power Platform standard connectors or custom connectors. This way you can make sure connectors are not used to exfiltrate data to third-party locations. This is especially important when there are many Power Platform makers and you have limited control over their actions. The options for applying DLP in Power Automate, Desktop flows and Copilot Studio are described here: Data loss prevention (DLP) policy creation - Power Automate | Microsoft Learn.
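As an added example (not code from this article or from Microsoft), the following read-only check uses the Microsoft.PowerApps.Administration.PowerShell module to list, per environment, whether it is a Managed Environment and whether at least one DLP policy applies to it, which is the quickest way to find the gaps before turning on the toggles described in these chapters. The property paths called out in the comments are assumptions about the module's output shape; verify them against your own tenant.

```powershell
# Added example, not from the article: a read-only posture check with the
# Microsoft.PowerApps.Administration.PowerShell module.
# Assumed output shape (verify in your tenant):
#  - Managed Environments report protectionLevel 'Standard' under
#    Internal.properties.governanceConfiguration
#  - Get-DlpPolicy returns its policies in .Value, each with an
#    environmentType of 'AllEnvironments' | 'OnlyEnvironments' |
#    'ExceptEnvironments' and an environments[].name list
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in as a Power Platform administrator

$environments = Get-AdminPowerAppEnvironment
$policies     = (Get-DlpPolicy).Value

function Test-DlpCoverage {
    # Returns $true when at least one DLP policy is scoped to the environment
    param([string]$EnvironmentName)
    foreach ($p in $policies) {
        $scoped = @($p.environments | ForEach-Object { $_.name })
        switch ($p.environmentType) {
            'AllEnvironments'    { return $true }
            'OnlyEnvironments'   { if ($scoped -contains $EnvironmentName)    { return $true } }
            'ExceptEnvironments' { if ($scoped -notcontains $EnvironmentName) { return $true } }
        }
    }
    return $false
}

$report = foreach ($environment in $environments) {
    $level = $environment.Internal.properties.governanceConfiguration.protectionLevel
    [pscustomobject]@{
        Environment = $environment.DisplayName
        Type        = $environment.EnvironmentType
        Managed     = ($level -eq 'Standard')
        DlpCovered  = Test-DlpCoverage -EnvironmentName $environment.EnvironmentName
    }
}

# Full overview, then only the gaps: production environments that are not
# managed (so the Managed Environment-only features cannot be enabled) or
# that no DLP policy touches.
$report | Format-Table -AutoSize
$report |
    Where-Object { $_.Type -eq 'Production' -and (-not $_.Managed -or -not $_.DlpCovered) } |
    Format-Table -AutoSize
```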

Environment security groups

If you maintain multiple environments, you can use security groups to control which licensed users can be members of a particular environment. Those groups can also be M365 Security groups, so if set up well, authorization across Power Platform and Microsoft 365 can be done in one go. This is helpful, for instance, to reduce stale group assignments, where a user has moved on to another role but still holds previous (unneeded) access levels. More specifics here: Control user access to environments with security groups and licenses - Power Platform | Microsoft Learn.

Manage sharing

Admins can limit how broadly users can share canvas apps, flows, and agents. This feature is only available in a Managed Environment. More information: Limit sharing - Power Platform | Microsoft Learn.

Guest access

When this setting is on, anyone who's designated as a guest in this tenant in Microsoft Entra will be restricted from accessing content created in these environments. This is useful because Entra tenants often contain guest users for the context of external Teams and document sharing, etc. More info on guest users in Entra: https://learn.microsoft.com/en-us/entra/external-id/what-is-b2b?toc=/entra/identity/users/toc.json&bc=/entra/identity/users/breadcrumb/toc.json.

The Turn off guest access toggle makes sure these guest accounts cannot be used to access the Power Platform environment.

App access control

App access control allows you to control what apps are allowed in your environment. This can be used to make sure data is not exfiltrated using an app. This feature is only available in a Managed Environment. More information on how this blocking works and typically used apps for exfiltration: Control which apps are allowed in your environment (preview) - Power Platform | Microsoft Learn.

Administrator privileges

The Administrator privileges view displays the number of administrators per environment, allowing you to review that number and reduce it where possible.


Chapter 3: Threat Detection

Chapters 1 and 2 were about measures to keep threats out. But as part of a complete security posture, discovery of anomalies is also crucial, so that you can take quick action and improve security.

The Security dashboard displays one option here: Auditing (in Dataverse). To give this chapter a bit more meat I added a short description of auditing capabilities in Finance & Operations too.

Auditing

Reviewing data logs in Dataverse helps you make sure your security and governance policies are being followed. This capability applies to Power Platform and Dynamics 365 CE apps accessing Dataverse. With the Auditing capability it is possible to log user logins and access to Dataverse tables. Logging consumes Dataverse database storage, so it is important to consider the retention policy. Aside from turning on the feature, auditing has to be enabled per Dataverse table. More information on managing auditing settings can be found here: Manage Dataverse auditing - Power Platform | Microsoft Learn. Activity logging is sent to Purview.

Auditing in Finance & Operations

Since Dataverse auditing is not possible on Virtual tables, these capabilities do not apply to Finance & Operations.

Instead, Finance & Operations has two methods of its own for logging users’ access to the environment and data. The most widely known is the Database Log. This feature allows you to log Create, Update and Delete actions at table and even field level. Database log entries consume Finance & Operations database capacity, and there is a possible performance impact when logging too many actions. So when using this, choose carefully what to log.

The second option is the User log that logs environment logins and highlights access to sensitive data: Manage access to sensitive data - Finance & Operations | Dynamics 365 | Microsoft Learn.


Chapter 4: Compliance

This final chapter is on Compliance. Compliance is essential in safeguarding organizational data and ensuring adherence to industry regulations. Implementing robust compliance measures helps mitigate risks and maintain trust with stakeholders. In Power Platform, the Compliance features revolve around prohibiting Microsoft access to data. These features require a Managed Environment.

Customer Lockbox

Customer Lockbox provides an authorization mechanism to allow Microsoft support staff access to Power Platform. Every access request needs to be approved by a Power Platform Administrator: Securely access customer data using Customer Lockbox in Power Platform and Dynamics 365 - Power Platform | Microsoft Learn.

Customer-managed encryption key

All Power Platform data is encrypted to protect it from exposure if a database copy is stolen. This is by default done using strong Microsoft-managed encryption keys. Additionally, customers can use a customer-managed encryption key (CMK) for added control, allowing them to manage their own encryption keys, rotate or swap keys on demand, and revoke Microsoft's access to their data at any time. More information and a listing of the application scope of the encryption can be found here: Manage your customer-managed encryption key in Power Platform - Power Platform | Microsoft Learn.


Conclusion

This was a listing of all the security features available from the Security dashboard in PPAC. As mentioned, I started this as a call to action to improve security on your Power Platform environments, as a New Year’s resolution. Finding time to write this was a challenge even with the help of Copilot (because I want to check everything), so January is almost over. Please don't be like me, and evaluate these security measures asap!
