How to improve governance on the Power Platform: Second step
AlfaPeople |
Feb 01, 2022

How to improve governance on the Power Platform: Second step

As the interest in the Microsoft Power Platform continue to grow, it has also raised some concerns and questions related to security and governance. So, in this blog series we look into how you can improve governance on the power platform.

In the first post, you read an introduction to how you can create an overview of the organizational components in Microsoft’s Power Platform: Environment, Apps, flows, etc.

Now, let’s look into which apps the Power Platform Center of Excellence (CoE) provides to administer it.

Admin: Command center

This is a canvas app that you can use as an administrator as a starting point to launch other apps in the CoE Starter Kit and review relevant content.

That could be:

  • Launch CoE Starter Kit apps and other bookmarks.
  • Review the service health by checking sync flows that have recently failed.
  • Update environment variables used in the CoE Starter Kit.
  • View Microsoft 365 Message Center news related to Microsoft Power Platform.
  • Download the latest CoE Starter Kit version and raise support tickets with the team.
  • Launch Microsoft Learn learning paths to learn more about Microsoft Power Platform.
  • Launch the latest posts of the Power Apps, Power Automate, Power BI and Power Virtual Agent blogs.
  • Configure email subject and body text for emails sent through the CoE Starter Kit.
Figure 1 – Admin Command Center View

Figure 1 – Admin Command Center View

You can also manage and change the environment settings by using only one App. In addition, this app provides bookmarks to open support tickets or learn about the platform.

Admin: App and Flow Permission Center

The Set App Permission and Set Flow Permission apps allow the administrators to manage apps and flows. You can use these apps to:

  • Set a new app owner.
  • Add new viewers and editors.
  • Remove app or flow permissions.
  • Change app permissions from editors to viewers or viewers to editors.

Also, this app will help you check if there are any orphaned apps (in cases where the owner of the app has left your organization) and clean them up.

Figure 2 – Adding permission to the users to access the App

Figure 2 – Adding permission to the users to access the App

Data Loss Prevention Editor (DLP) V2

The third app on our list is the DLP Editor V2. You can use this canvas app to read and update data loss prevention (DLP) policies while also see a list of the apps and flows that are impacted by the policy configurations.

You can use this app to:

  • Make changes to DLP policies.
  • See the impact of any edits or changes.
  • Mitigate the risk by contacting makers.
Figure 3 – Data Loss Prevention Editor V2

Figure 3 – Data Loss Prevention Editor

Create Data Loss Prevention policies

You can create data loss prevention (DLP) policies that act as guard rails to help prevent users from unintentionally exposing organizational data.

DLC policies are scoped on environment level or tenant level. For tenant policies, you define the scope to include all environments, some selected environments or you choose a number of environments that you want to specifically exclude.

Environment level policies are defined for one environment at a time. DLP policies enforce rules for which connectors can be used together by classifying connectors as either Business or Non-business.

If you put a connector in a business group, it can only be used with other connectors from that group in any given app or flow.

Also, you might want to block the usage of specific connectors altogether by classifying them as Blocked.

Managing environments

In the CoE Starter Kit, you can design two canvas apps to easily submit requests for Power Platform environments and manage these requests.

For instance, if a maker needs a new environment to create a new app, they can submit their request using the app Environment Request.

Figure 4 – New Environment Creation Request

Figure 4 – New Environment Creation Request

Once the maker has submitted their request, they will enter the following flow to get approval from the Power Platform administrators.

Figure 5 – Approval flow to create new environments

Figure 5 – Approval flow to create new environments

Note: You can customize the flow according to the organization’s needs. You will notice that the administrator only needs to approve the request to create the environment.

Once you have submitted a new request, the team of administrators is alerted by email to check the new request. The admin team can then choose to approve or reject it.

Figure 6 – Environment Request

Figure 6 – Environment Request

Figure 7 – Details from the environment requested

Figure 7 – Details from the environment requested

In the screenshots from the app Environment Request, we can see the details about the environment, users, security groups and the connectors that will be a part of the environment.

Tips:

  • Make sure you create and set up security group to the environment.
  • Make sure to add DLP (Data Loss Prevention) for all environments and connectors. It’s crucial to keep the data secure.

You can extend both apps to request/approve information like:

  • What tables and fields will be part of the app?
  • Is there any sensitive or confidential data on this app?

These insights are important, if you want to manage the access to data, comply with existing privacy regulations (such as GDPR, LGPD, CCPA, POPI) and to improve governance on the Power Platform.

In the first post “Improve governance on the Power Platform: First step”, one of the questions we asked was: “What data is being used”.

This is how you start to map you data and manage how it is used.

App catalog

The canvas app App Catalog gives you an overview of some apps in your organization.

Here you can:

  • See which connectors each app uses
  • Launch an App
  • View, review or leave an app
  • Request access to an app
  • Contact the maker of an app
Figure 8 – App Catalog View

Figure 8 – App Catalog View

To see the apps in this catalog, the admin needs to put ‘Yes’ in the field ‘In App Catalog’. You will find this in the table called Apps.

Also, you can implement an audit process where you’ll decide what apps should be visible in this area.

Figure 9 – Audit Process View – Enable App on catalog

Figure 9 – Audit Process View – Enable App on catalog

Finally, the CoE Starter Kit has process samples for audits that you can adjust according to the needs of your organization.

Maker: Command Center

This final view is very useful, because you can find content such as apps, Power Platform news, and courses that teach you how to create amazing apps.

Figure 10 – Maker Command Center View

Figure 10 – Maker Command Center View

Generally, I believe this app is a relevant to add to your organization’s process and policies documents, for the Maker to understand how they can create apps while following the available documentation.

So, if you have implemented the CoE, this could be the place to share content with your makers.

The third step to improve governance on the Power Platform

Overall, it’s the Starter Kit is an excellent tool that provides you with many apps and processes to manage your environments and thereby improve governance on the Power Platform.

By using it, you can start to implement the components to access administration and improve data security.

Also, it gives you flexibility to adapt the standard processes according to your organization’s needs.

The apps in the Starter Kit will allow you to:

  • Manage the requests to access or create environments.
  • Promote an approval flow.
  • Manage permissions in Apps and Flows.
  • To be compliant with privacy regulations related to confidential and sensitive data.

Next up: Governance components.