Power Platform | Zero Trust possible?

Carsten Groth mscrm

When talking to organizations about starting their digital transformation journey with Microsoft's Power Platform, security is one of the topics that comes up. Security has multiple dimensions, and the top questions at workshops are:

  • Using Power Platform, don't we open the doors to "shadow IT"?
  • Seeing citizen developers using all those connectors, don't we allow for an unmonitored, unmanageable number of apps and flows handling business data in an uncontrolled manner?
  • Allowing everyone to create and use interfaces (connectors), don't they become risk-managers?

In a complex hybrid work model, this topic has become a challenge for many IT departments over the course of the last months. Microsoft follows the principles of Zero Trust. This model offers guiding principles, an overview of an end-to-end framework, and more. To help you get into this quickly, here's a short visual outlining the principles, which I use in conversations.

Microsoft Zero Trust Model

What many of my workshop attendees have recently asked is where Power Platform "fits" in this. Looking at the left side of the visual above, it starts with identities and devices. Power Platform tools such as Power Automate, Power Virtual Agents, Power BI or Power Apps can be used from multiple devices such as desktop PCs, tablets or mobile phones, and an identity is always needed. That means verification is ongoing, least-privilege access should be applied, and breach should be assumed when it comes to connectivity. So what about the right side of the visual above?

Principles of Zero Trust applied

A maker interested in creating a process flow with Power Automate, or using Power Automate Desktop, Power Virtual Agents or Power Apps, always needs to authenticate and authorize using their identity. When it comes to endpoint communication to APIs, encryption at REST is what the SaaS platform manages "behind the scenes". Communication to custom APIs can be further secured using Azure API Management. For access to data, such as Dataverse, role-based access control (RBAC) can be assigned at a granular level using security roles. Power Apps being deployed are managed inside environments, and app access is controlled via sharing principles. Furthermore, access to apps can be granularly controlled via Azure Conditional Access policies. Apps not meeting compliance standards can be quarantined. At the infrastructure level of tenants and environments, access via connectors can be managed and secured using DLP policies. And finally, using the on-premises gateway, network access can be further controlled.

Microsoft's Power Platform can therefore be assessed following Microsoft's Zero Trust model. Why?

Governance capabilities of Power Platform

Because Azure is the heartbeat of the Power Platform. Several compliance, security and governance offerings are based on the fundamentals of Azure services. The visual above outlines the principles I would talk about during a governance workshop. With these principles applied, the questions at the top of today's article can be answered by setting up the governance model for using your SaaS platform.

If you're interested in learning more about the security side, please follow this guidance. Until then, …


This was originally posted here.
