Using Microsoft’s Low-Code Platform Securely
Settings for more security
For the security of the Power Platform – Microsoft's low-code platform – M365 offers numerous functions and configuration settings in various Admin Centers. However, some of these can only be implemented with PowerShell. This complicates the work of administrators, consultants and those responsible for the internal rollout of Microsoft 365 applications. We will show you the advantages of the Power Platform and how to protect it from unwanted access.
What Actually Is a Low-Code Platform?
A low-code platform (also low-code development platform and tool), such as Microsoft's Power Platform, is a development environment that makes it easy to implement software with little or no programming knowledge. As such, it enables rapid development, programming, and deployment of applications such as apps.
This is achieved through low-code solutions that provide a standardized modular kit for development. The graphical user interface includes a few drag-and-drop and logic functions. There's no need to write extensive code.
A no-code platform eliminates the need to write code for applications altogether. As a result, anyone can create applications, even without programming skills. There is no programming in the classical sense.
Advantages and Disadvantages of the Low-Code Development Platform
Low-code platforms like the Power Platform quickly advance digitization in the enterprise by greatly simplifying the development of applications. They help your employees work digitally, automating and speeding up unnecessary tasks. In addition, you have the possibility to implement even complex applications and apps cost-effectively and without in-depth programming knowledge.
However, it is important to know how to use the low-code platform to avoid risks for your business:
- Phishing and obtaining user consent for their data
- Extraction of data to uncontrolled data stores
- Corruption of documents
- Data leakage through automated disclosure
For example, the low-code Power Automate platform does not provide settings for individual access rights.
The risks of low-code platforms can be effectively avoided with a set of security and governance measures. For example, the Center of Excellence - a solution based on the Power Platform - supports compliance with governance guidelines, promotes innovation and helps monitor the low-code platform.
Tips for Safe Use of the Power Platform and Good Governance
There are many settings for more security and control over the low-code development platform, and some of them can only be implemented with PowerShell:
Configuration of the AllowAdHocSubscriptions
A first option is to prevent self-service subscriptions. This is done via a PowerShell command from the administrator.
Disable trial and developer license plans
There are two types of license plans in Microsoft's documentation - "Internal" and "Viral". In both cases, users have the option to issue licenses to themselves. You can disable Trial and Developer license plans.
Disable Self-Service Purchase License
This restriction is primarily intended for organizations that have a defined centralized purchasing process. As mentioned earlier, users can use their credit cards to purchase their own licenses for various applications and tools, such as PowerApps, PowerAutomate, PowerBI Pro, Project Plan 1 and 3, and Visio Plan 1 and 2. Again, this setting can currently only be made through PowerShell.
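The three settings above as one administrator script, with a read-back of each value afterwards. This is an added example, not part of the original article. It assumes the Microsoft.Graph.Identity.SignIns, Microsoft.PowerApps.Administration.PowerShell and MSCommerce modules are installed and that the signed-in account holds a sufficient admin role.

```powershell
# Added example: apply the three tenant-level restrictions and read them back.
# Assumption: the three modules named in the lead-in are installed.

# 1. Prevent self-service (ad hoc) subscriptions.
#    allowedToSignUpEmailBasedSubscriptions is the Microsoft Graph name of the
#    setting that the older MSOnline module called AllowAdHocSubscriptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    allowedToSignUpEmailBasedSubscriptions = $false
}
$adHocAllowed = (Get-MgPolicyAuthorizationPolicy).AllowedToSignUpEmailBasedSubscriptions

# 2. Remove the "Internal" and "Viral" license plan types so that users can
#    no longer assign these plans to themselves.
Add-PowerAppsAccount
Remove-AllowedConsentPlans -Types @('Internal', 'Viral')
$consentPlans = Get-AllowedConsentPlans

# 3. Disable self-service purchase for every product the policy lists.
#    To restrict only some products, filter on ProductName before the loop.
Connect-MSCommerce
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
    ForEach-Object {
        Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase `
            -ProductId $_.ProductId -Enabled $false | Out-Null
    }

# Read-back: confirm the state the tenant actually reports.
"Ad hoc subscriptions allowed: $adHocAllowed"
"Allowed consent plans after removal:"
$consentPlans
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
    Format-Table ProductName, ProductId, PolicyValue
```

Run the read-back section again after each licensing change in the tenant, because newly released products can appear in the self-service purchase policy with purchasing enabled.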
Even after you have made these three configurations, users can still view data and possibly use it for unwanted purposes. The low-code platforms PowerApps and PowerAutomate are free, so anyone with a private account can use the services. It is therefore conceivable that a user works in their private service and uses their corporate account to connect to the data source. All that is needed is a live or private Microsoft account to create workflows and apps. The connection to the data is then established with the company account.
Disable cross-tenant functions
For a long time, cross-tenant connections could only be disabled via a ticket with Microsoft. Recently, a preview function called "Tenant Isolation (preview)" has been available.
The function is located in the Admin Center of the Power Platform and allows the restriction of incoming and outgoing connections. Check with Microsoft for more details on this solution.
Setting Data Policies
Data Policies are used to create data zones and thus easily allow further restriction of access. It is possible to move connectors to one of the following three data zones:
- Business data
- Non-business data
- Block
When such a data policy is in place, workflows can only work with connectors from one data zone. Specifically, this means that a workflow cannot use business data and non-business data connectors at the same time. You can also set the data policy in the Admin Center via an interface.
By the way: There are different connectors, for example premium connectors or connectors from other providers, such as Google, Facebook, Twitter, Dropbox or Adobe.
Determination of the Environment Settings
The Admin Center of the low-code platform allows you to define who can create additional environments. The environments are based on Dataverse and consume additional storage from the tenant. You can restrict this in the Admin Center of PowerApps or PowerAutomate. There you click on the gear icon to access the Power Platform Settings.
It is recommended to allow all settings for creating environments (Production, Sandbox, Trial) only for specific admins. These are the Global Admin, the Power Platform Admin and the Dynamics Service Admin.
Furthermore, the allocation of additional capacity (memory) should also only be possible for specific admins.
By the way: Microsoft's low-code platform can also be used in Teams. Environments are automatically created for this purpose, one for every team in Microsoft Teams in which you use it. Currently, you can only turn this off by deactivating PowerApps and PowerAutomate within Teams.
How Can Users Access PowerApps and PowerAutomate?
Like any other service in Office 365, Power Platform is a subscription-based model (license per user per month). There are two types of licenses:
- Free licenses are included in almost every Office 365 license and allow users to create apps and workflows in the available standard environment.
- Premium licenses enable the use of additional features such as over 400 Premium Connectors.
If administrators turn off the services, users can still create workflows and apps - contrary to what is often assumed.
Example: Standard access to PowerAutomate
The user wants to create a workflow and forward his mails to his private mail address. He opens the portal and has the following options:
- "Sign in"
- "Try free"
- "Buy now"
- "Start free"
1. Sign in: Access in shadow service
The user gets access to the service even if PowerAutomate and PowerApps do not appear in the menu tile. He does not have a free license. This is identical to the fourth item, "Start free".
2. Try free: access to the service with free license
The user fills in a simple form and is assigned a free license. An administrator can see this license in the portal.
3. Buy now: self-service for premium licenses
The user can buy his own licenses for the service under this item and store his credit card information. This gives him access to the premium functions. It is an option for departments with a corresponding budget, for example.
In the low-code PowerApps platform, access behaves similarly when the user opens the portal. However, there are a few differences. A user without a license can still create apps. Users who want to launch an app and do not have a license will receive an appropriate warning that they need a license. There is no free license to use the developed app.
Conclusion: Secure Power Platform With All Options
With the measures described, you control access to the Power Platform and thus make unwanted use more difficult. Unwanted use cannot be prevented completely, since the default environment is open for every Maker. These restrictions are particularly helpful if you do not yet want to unlock all functions during the rollout of Office 365 or only want to use some of them permanently. It is advisable to use all mechanisms for good governance of the low-code platform if possible.