cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
emurdock
Level: Powered On

How to secure and adminster the default Environment for enterprise scale deployment

I'm am looking for experiences people have in securing, establishing data loss protection polices, and administering the default environment.  With thousands of users creating apps, how can one support a restrictive approach for protecting business data?

In reference to documentation at: https://docs.microsoft.com/en-us/power-platform/admin/database-security.    Using the "Minimum privileges to run app", I am able to restrict the creation of a model based app for specific environments. I would also like to restrict the ability for specific users to create canvas apps in the default environment. 

 

4 REPLIES 4
Super User
Super User

Re: How to secure and adminster the default Environment for enterprise scale deployment

Users who have a valid PowerApps license, but are not assigned a Maker or Administrator role in an environment can still run apps that are shared with them.  But they are unable to see the Environment so they can't create or edit Apps in that environment. So if you want to keep specific users from creating Apps just remove all roles from them in the default or any other environment where you wish to restrict their ability to create PowerApps.  



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
v-yutliu-msft
Level 10

Re: How to secure and adminster the default Environment for enterprise scale deployment

Hi @emurdock ,

Firstly, you could inactive different kinds of users with different licenses.

Usually, the functions from simple to complex: Office365->P1->P2

I recommend you inative common users with Office365, developers with P1, administrators with P2.

Since only users with P2 could create environments, they could create environments accoding to your company's demand and then give different permission to other users. You could refer the link that you listed to see permission in datails.

Here's a doc about guidance to those administrators responsible for planning, securing, deploying, and supporting applications built on the PowerApps platform for your reference:

https://powerapps.microsoft.com/en-us/blog/powerapps-enterprise-deployment-whitepaper/

 

 

Best regards,

Community Support Team _ Phoebe Liu

 

 

 

emurdock
Level: Powered On

Re: How to secure and adminster the default Environment for enterprise scale deployment

Thanks all.  I found the "Administering a PowerApps Enterprise Deployment" whitepaper helpful across many topics.  Page 10 of the whitepaper articulates my problem well: 

 

The "default" environment has a few unique characteristics from other environments that you create. This environment can’t be disabled or deleted. All tenant users are added automatically to the maker role for the default environment and you can’t remove them from that role.  

 

I have users (external 3rd parties) that require access to specific applications deployed in PowerApps Prod Environments.  These Prod environments are have CDS provisioned and the security model works very well.  

 

I want to prevent these users from having the maker role in the default environment.

v-yutliu-msft
Level 10

Re: How to secure and adminster the default Environment for enterprise scale deployment

Hi @emurdock 

The Environment Admin role can add or remove a user or group from either the Environment Admin or Environment Maker role. You could limit the permission of the users that you mentioned.

Here's a doc for your reference:

https://docs.microsoft.com/en-us/power-platform/admin/environments-overview

 

Best regards,

Community Support Team _ Phoebe Liu