Power Platform | Risk mitigation for beginners
I was recently asked if I could provide more guidance on citizen development risk mitigation. As I shared in my recent post, it starts with a solid understanding of the purpose of each component that makes up the Power Platform and may be used for digital transformation. With that knowledge, and being able to define the potential risks that may arise, it becomes easier to provide guidance or create a governance plan. What do I mean by a governance plan?

You should consider writing up something like the visual above to capture what matters most for your company, your Makers and your digital transformation journey: something you can execute on and improve. Having a plan makes it so much easier. Defining this is not rocket science; you should simply be aware of the three pillars of trust that should be initialized, configured and improved over time. The visual below shows the first of these: Security.

It all starts with solid Access Management and identification of Maker activity in your tenant. To guide and protect Makers, you would start with a first defined set of Data Loss Prevention and environment policies that spans from your default environment, to the Microsoft Teams environments, and finally to the environments used in typical application lifecycle management scenarios, such as DEV/TEST/PROD. I provided some jeopardy around this previously, take a look. But of course, it doesn't stop there. Data encryption and exfiltration controls can also help protect your company's data and your Citizen developers when they use Connectors to create chatbots, BI visuals and apps, or to automate processes by connecting systems.

The visual above outlines the 2nd pillar, which is about monitoring and acting. This means you familiarize yourself with all the analytics capabilities offered inside the Power Platform Admin Interface, and you may consider additional analytics based on the CoE Starter Kit offering or Azure Insights. Not to forget the Microsoft 365 Compliance and Security center and Audit logging, which via a Connector can be used inside a Center of Excellence to trigger processes that provide Citizen developers with more guidance or protection mechanisms.

This brings us to our 3rd and final pillar: the Manage part. Think about it from a unified administration approach, which means defining roles and responsibilities. For example, when would your Microsoft 365 Administration Team kick in? Do you even split the Admin responsibility for Microsoft 365 and Power Platform? Next, how do you establish a Center of Excellence in your company? There may be something like this already in place, due to classic app development practices. And last but not least, what about DevOps tooling and API automation when it comes to your individual integration projects? As outlined, we're talking about a platform approach. Your API-based microservices may require some custom connectivity so that Citizen developers can use them for tooling and composing. Critical applications may require an Application Lifecycle Management mechanism that side-loads the Maker effort and doesn't require a Citizen Developer to learn tooling they won't and don't use.

The visual above may help you define a matrix for when an app becomes critical and therefore needs to be either not included, optional or included in your Center of Excellence. Don't forget to do the same for chatbots, BI visuals and processes. Again, think of it from a platform approach. All main components of Power Platform can be composed, extended and even orchestrated with additional services, not necessarily Microsoft technology only.

To wrap up my beginner's guide on risk mitigation around the Power Platform, the visual above represents a level of knowledge you will become familiar with over time as you use the Power Platform. You don't need to be an expert on all of this to start your journey, and for many topics you will find a kind of "autopilot" guidance that is already provided, because Power Platform is a SaaS offering.
That means Microsoft already takes care of many of those items, but of course, due to your company's individual regulations, you would have to configure steps or shape rules and monitoring to work exactly as you need them. That includes a change management process, as the digital transformation journey doesn't stop. As always, let me know your thoughts, what's missing or what you'd like to know more about by providing a comment or leaving a reply via LinkedIn or Twitter.
Until then,…
This was originally posted here.