Power Platform | Admin Center access by Teams Owners
With Microsoft Dataverse for Teams or Power Apps for Teams being available, there seems to be some questions upcoming around Teams Owners being given access to Power Platform Admin Center automatically.
Governance & Adoption Teams trying to monitor and act on what´s ongoing inside Power Platform, therefore need to slidely adjust their strategy and be aware of this important feature.
So let´s take a closer look: First by understanding automatic role assignments documented here. As you can see from the table provided in the link, Microsoft Teams Owners are auto-assigned the System Administrator Security role. What does this mean?
Teams Owners accessing aka.ms/ppac will be able to see all the environments they created or they´ve been provided admin access to.
For those users who have a mixture of environments listed as different types, you should assume them being assigned multiple licenses and not only the M365 license which provides them access to Microsoft Teams and Power Platform seeded capabilities. M365 licensed users who are Microsoft Teams Owners and created multiple Microsoft Dataverse for Teams environments, will see all of them being listed inside above view.
Before diving into the navigation this Teams Owner – and remember – System Administrator can walk through, it´s important to understand that for governance and security reasons, you might have set the following permissions when you introduced a Governance & Adoption concept for your Power Platform environment(s).
This now becomes important in terms of the action ribbon you can see from the environments screen being shown to a Teams Owner. You can find a „+ New“ inside the action ribbon. So will a Teams Owner be able to create a new environment? The answer to this is: No, if you set the above permissions and this Teams Owner is not part of the specific admin groups that can be found in the infobox when you hover over (i). Though they will be able to run through the dialog when creating a new environment and only see an error message when hitting the create button after finishing the dialog form.
What else, are Teams Owners able to do when entering Power Platform Admin Center?
As you can see from above visual, Teams Owner also will be able to monitor the capacity of the tenant as a summary, though their main interest should focus around the Microsoft Teams tab here, where they can monitor what is ongoing inside their environment(s). On the summary tab though, they see Add-ons as well. Why I am pointing out Add-ons, is the fact of the action ribbon showing the „Manage“ and „Download reports“ action here.
If you assigned a Teams Owner an M365 license only, they should see a pop-up dialog when selecting the „Manage“ action, preventing them for changing or adding Add-ons. From the „Download reports“, I´ve recognized them being able to download AI Builder report which you should be aware of.
From the left-navigation pane, you can see a Teams Owner having access to other areas of the Power Platform Admin Center as well. Last, but not least, I wanted to show the Data policies section.
It´s important to understand, that as a Teams Owner, I will be able to monitor and review all DLP policies that will occur for the environment(s) I am able to manage. I can drill into those to help my Team understand limitations that they might see, when creating new apps or automation jobs using Power Apps or Power Automate insight Teams.
Additionally, I will be able to create new DLP policies for the environment(s) I am managing. Searching for environments that I am not part of the admin team will not be possible as you can see from the visual above.
Wrap-up: With Microsoft Dataverse for Teams, Teams Owners will be a new group to look after in terms of setting up your Governance & Adoption team. Especially, if Microsoft Teams Administrators allowed everyone inside the company to become a Microsoft Teams Owner. They are allowed to manage and monitor various sections from entering the Power Platform Admin Center. On many of those, they will be limited to perform actions only against their own managed environment(s). But you will also find sections/actions, they are allowed to – even though them only being assigned an M365 license with seeded Power Apps and Power Automate capabilities.
Governance & Adoption Framework should be adjusted and Microsoft shares a couple of best-practices to get yours up to speed.
Until then, …
This was originally posted here.
*This post is locked for comments