The Power Platform is a suite of low-code/no-code services consisting of Power Apps, Power Automate, Power Virtual Agents and Power BI. Connected together, these services build end-to-end solutions and applications for individuals and the business. By default, your Microsoft tenant already has at least one live Power Platform environment, and depending on the decisions and actions your users take, it may already contain Power Platform components and artifacts. This is commonly referred to as the default environment, which is the repository for the personal productivity services users create.
Knowing that you already have a Power Platform environment, and that users are potentially building cloud flows, apps and other components within it, it becomes important to invest time and effort in building a governance plan, and potentially in setting up tools that help your team administer requests and changes from users across the organization. Another challenge is that users of services such as Power Automate and Power Apps may change positions or leave the organization. If their creations were shared, this can break processes and workflows for other users in their departments or agencies. Apps, connections, Power Automate cloud flows and other components that have become ownerless are referred to as “orphaned”, and without a way to monitor your tenant you may be caught off guard when they surface.
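One way to surface orphaned resources before they bite is a scheduled report of apps whose owner no longer resolves to an enabled directory account. This is an added example, not code from the original post or from the CoE kit; it assumes the Microsoft.PowerApps.Administration.PowerShell and Microsoft.Graph.Users modules are installed, that you have already run Add-PowerAppsAccount and Connect-MgGraph, and that the $app.Owner.id / $app.Owner.email property names match the output of Get-AdminPowerApp in your tenant.

```powershell
# Added example (not from the original post): report Power Apps whose owner is deleted
# or disabled in the directory, so they can be reassigned before they surface as orphaned.
# Assumptions: Microsoft.PowerApps.Administration.PowerShell and Microsoft.Graph.Users are
# installed, Add-PowerAppsAccount and Connect-MgGraph -Scopes "User.Read.All" were run,
# and $app.Owner.id / $app.Owner.email are the property names returned by Get-AdminPowerApp.
$ReportPath = ".\orphaned-apps.csv"   # constructed output path

function Test-DirectoryUser {
    # Returns $true only when the object id resolves to an *enabled* user account.
    param([Parameter(Mandatory)][string]$ObjectId)
    try {
        $user = Get-MgUser -UserId $ObjectId -Property AccountEnabled -ErrorAction Stop
        return [bool]$user.AccountEnabled
    } catch {
        return $false   # lookup failed: the account was deleted from the directory
    }
}

$orphans = foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {
        $ownerId = $app.Owner.id
        # No owner recorded, or owner no longer an enabled user: treat as orphaned.
        if ([string]::IsNullOrEmpty($ownerId) -or -not (Test-DirectoryUser -ObjectId $ownerId)) {
            [pscustomobject]@{
                Environment  = $env.DisplayName
                AppName      = $app.AppName
                DisplayName  = $app.DisplayName
                OwnerId      = $ownerId
                OwnerEmail   = $app.Owner.email
                LastModified = $app.LastModifiedTime
            }
        }
    }
}

$orphans | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("Found {0} orphaned app(s); report written to {1}" -f @($orphans).Count, $ReportPath)
```

Each row in the report can then be remediated with Set-AdminPowerAppOwner (passing the app name, environment name and the object id of the new owner, for example a departmental service account) and the same loop can be repeated with Get-AdminFlow for cloud flows.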
A proper governance plan, together with tools and helper apps, will not only help you avoid orphaned resources but also give your users a streamlined way to request Power Platform environments and features from your administrative team, and give both parties a central place to monitor and communicate about those requests.
Beyond administering your users, what they have created and what they plan to create, another core part of Power Platform governance is controlling and securing data: controlling which connected services have access to the data used within your Power Platform tenant. Power Automate has over 380 data sources it can connect to, which makes it a great tool for building robust apps and automations while reducing the need for users to navigate multiple applications or services to perform their tasks. With great power comes great responsibility, which is why a good governance system pays attention to data loss prevention (DLP) and provides a way to easily turn these connections on and off, in addition to monitoring them and Power Automate as a whole.
Say James is building a model-driven app that uses Power Automate to connect to a SQL data source containing sensitive data. He is following a blog post from the internet, and the author's steps move the data into SharePoint lists for use with a Teams canvas app in a follow-up tutorial. James follows the guide step by step but does not realize that he has now exposed the data to a SharePoint site to which users who should not see the data have access. With a proper DLP policy this situation could have been avoided; additionally, with the Microsoft Center of Excellence these flows and connections could have been surfaced and reported on. The point is that it is easier than ever for users to connect and move data around. That is the great benefit of Power Automate, but data and the Power Platform tenant must be governed and monitored in order to keep providing security and reliability.
To manage the Power Platform, Microsoft provides a comprehensive admin center to which it consistently rolls out updates and improvements. One of the more recent updates allows DLP management of connector actions. Historically it has been possible to govern Power Automate connections at the tenant and environment level; Microsoft has now added functionality to govern specific connector actions, giving you even more granular control over who is able to do what with which data connections. This is a great enhancement, and more detail can be found here: https://docs.microsoft.com/en-us/power-platform/admin/dlp-granular-controls
In addition to governing existing Power Automate connectors and their actions, Microsoft now also offers the ability to manage specific access endpoints (by domain or IP address). This is part of the data policy wizard in the Power Platform admin center and permits administrators to restrict specific domains or IP addresses for the tenant or for specific environments. A useful example is restricting a specific SQL Server for an environment, ensuring that no data connections can be created between the two.
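The connector-action rules from the previous paragraph and the endpoint rules from this one can be applied to an existing DLP policy from PowerShell as well as from the wizard. The following is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.PowerApps.Administration.PowerShell module and a prior Add-PowerAppsAccount, and the tenant id, policy name, SQL host name and action id are placeholders. It goes slightly beyond the page's "block one server" example by allow-listing a single approved server and denying every other endpoint.

```powershell
# Added example (not from the original post): attach connector-action and endpoint rules
# for the SQL Server connector to an existing DLP policy. Assumptions: the
# Microsoft.PowerApps.Administration.PowerShell module is installed, Add-PowerAppsAccount
# was run, and the values below are placeholders for your tenant.
$TenantId       = "00000000-0000-0000-0000-000000000000"      # placeholder tenant id
$PolicyName     = "Finance-Environment-Policy"                # placeholder policy display name
$SqlConnectorId = "/providers/Microsoft.PowerApps/apis/shared_sql"

$config = @{
    # Connector-action rules: every action stays allowed except the listed ones.
    # Real action ids for a connector can be listed with Get-AdminPowerAppConnectorAction.
    connectorActionConfigurations = @(
        @{
            connectorId = $SqlConnectorId
            actionRules = @(
                @{ actionId = "DeleteItem_V2"; behavior = "Block" }   # placeholder action id
            )
            defaultConnectorActionRuleBehavior = "Allow"
        }
    )
    # Endpoint rules are evaluated in order; the trailing wildcard denies every other server,
    # so no connection from this policy's environments can reach an unapproved SQL host.
    endpointConfigurations = @(
        @{
            connectorId = $SqlConnectorId
            endpointRules = @(
                @{ order = 1; behavior = "Allow"; endpoint = "sql-finance.example.internal" }  # placeholder host
                @{ order = 2; behavior = "Deny";  endpoint = "*" }
            )
        }
    )
}

# The configuration cmdlets take the policy's id (PolicyName), not its display name.
$policy = Get-DlpPolicy | Where-Object { $_.DisplayName -eq $PolicyName }
if (-not $policy) { throw "DLP policy '$PolicyName' not found" }

# Create the configuration if the policy has none yet, otherwise update it in place.
$existing = Get-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId `
    -PolicyName $policy.PolicyName -ErrorAction SilentlyContinue
if ($existing) {
    Set-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId `
        -PolicyName $policy.PolicyName -UpdatedConnectorConfigurations $config
} else {
    New-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId `
        -PolicyName $policy.PolicyName -UpdatedConnectorConfigurations $config
}
```

Re-run Get-PowerAppDlpPolicyConnectorConfigurations afterwards and compare it with the intended rule set; a periodic diff of that output is a cheap way to detect rules that were loosened in the admin center outside your change process.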
Good governance is not only about mitigating risks and monitoring your tenant. A good governance plan and system also identifies highly active makers, their individual activities and what they are creating, and provides a pathway to success for those interested in learning, creating and requesting Power Platform resources. How do users request development environments? What is the review process for cleaning up inactive resources? Who is making what? This is referred to as nurturing. As your organization's teams grow and evolve, new talented individuals may bring Power Platform experience on board, while the existing user base grows its own skill sets. A good governance system monitors and provides insights into your organization on a per-user basis, at both the macro and the micro level.
Change management is another important factor covered by a good governance plan. Is there a code promotion process in place? Even though the Power Platform is a low-code/no-code platform, changes can and should be contained and managed properly with solutions. There are also best practices and guidelines for model-driven apps, canvas apps and environments, which should not only be implemented but also be reportable. Just because a service account exists for makers to use when developing their model-driven apps, canvas apps and Power Automate flows does not mean they are necessarily following the procedure; the tenant should be monitored in some fashion to surface any deviations so they can be corrected.
I have listed many governance topics above, and the truth is that every governance plan will be unique to its organization. There is no silver bullet or magic template that will solve all the challenges administrators face when governing their Power Platform tenant. There is, however, an excellent starting point: the Microsoft Center of Excellence (COE). The Microsoft Center of Excellence is a ready-made collection of apps and features, available here: https://docs.microsoft.com/en-us/power-platform/guidance/coe/starter-kit
Not only will the COE report on the macro-level status and details of your organization's tenant, but its reporting will also let you zoom in with robust detail and identify orphaned resources, highly active makers and data connections in use. It also comes with a suite of apps for administrators to govern data loss prevention (DLP) policies and resource requests. Remember, though, that the COE is just a starting point and the beginning of your journey to governance. For the best experience it will be configured uniquely to your organization's needs and coalesce with the existing processes, best practices and policies your organization has adopted over the years. Governance is never done or finished; it should evolve with the organization over time, and with the new offerings and enhancements Microsoft releases for the Power Platform.
Ready to Start?
The Microsoft Center of Excellence (COE) is a great place to get started by reviewing all the content available here: https://docs.microsoft.com/en-us/power-platform/guidance/coe/starter-kit
As always, if you need assistance, Planet is ready to work with you on creating a governance plan that works for your organization and your users.