Industries
Industries Overview
Healthcare & Life Science
Manufacturing
Media & Entertainment
Public
Retail & Consumer Goods
Utilities
Consulting & Innovation
Consulting
Business Transformation
Technology Consulting
Process Consulting
Innovation
Generative AI
Sovereign AI
Metaverse
Consulting
Business Transformation
Business Transformation Consulting
Solutions & Products
Solutions
Sovereign IT
Business Process Management
Counterfeit Protection
Customer Experience
Data & Automation
Digital Workplace
Digital Commerce
Finance
SCM & Logistics
Products
Arvato Systems Alive
Order Management with aroma®
Digital Workplace with NAVOO®
Digitize logistics processes with platbricks®
Vulnerability Management with Varedy
Sustainability Management with green.screen
Further Products
Technologies
Amazon Web Services
Google Cloud
Microsoft
SAP
Further Partners
Solutions
Business Process Management
Process Modeling and Process Documentation
Process Mining
Process Automation
Governance, Risk & Compliance
Solutions
Counterfeit Protection
Serialization in the Consumer Goods Industry
Serialization in the Pharma Industry
Solutions
Customer Experience
API Management
App Development
Arvato Systems Alive
Customer Experience Consulting
Hyperpersonalization
Customer Loyalty
Content Management
Customer Relationship Management
Product Information Management
UX and UI Design
Solutions
Data & Automation
Data Fabric
Data Governance
Generative AI
Hyperautomation
DocuStream
Artificial Intelligence
Robotic Process Automation
Self-Service Business Intelligence
Solutions
Digital Workplace
Digital Meeting Management
Digital Workplace with NAVOO®
Guest User Manager
Microsoft 365
Microsoft 365 Backup Service
Microsoft 365 Data Protection
Microsoft Power Platform
Workplace Security
Solutions
SCM & Logistics
Warehouse Management
Transport Management
Production Planning
Digitize logistics processes with platbricks®
Artificial Intelligence in Logistics
Logistics 4.0
SCM & Logistics
Digitize logistics processes with platbricks®
Production Supply
Container Management
Warehouse Management System
Mobile Solutions
Analytics
Chatbots
Gamification
Healthcare Suite
Technologies
Amazon Web Services
Amazon Connect Contact Center
AWS Container Acceleration
AWS Cloud Migration
SAP on AWS
Technologies
Google Cloud
API Management with Apigee
Modern Data Warehouse Management with BigQuery
SAP on Google Cloud
Google Cloud Landing Zone
Technologies
Microsoft
Microsoft Azure
SAP on Azure
Microsoft 365
Microsoft Power Platform
Technologies
SAP
SAP Application Management Service
SAP Business Technology Platform
SAP Customer Experience
SAP IS-U
SAP License Management
SAP on Cloud
SAP RISE
SAP S/4HANA
End-2-End Process Monitoring
SAP BW/4HANA
SAP Datasphere
Infrastructure & Operations
Cloud & Data Center Services
Cloud Transformation
IT Outsourcing & Infrastructure Services
Multi & Hybrid Cloud
SAP on Cloud
Virtual Desktop Infrastructure
Workload Automation
Security Services
Cyber Care & CDC
Disaster Recovery
Vulnerability Management with Varedy
SAP Security
Managed Services
Cloud Foundation
Managed Workloads
Application Management
Cloud & Data Center Services
Cloud Transformation
Application Modernization on Cloud
Datacenter on Cloud
Data Management on Cloud
Enterprise Application Integration
Managed cloud IT with Avvia
Cloud & Data Center Services
IT Outsourcing & Infrastructure Services
SAP Hosting
Cloud & Data Center Services
Multi & Hybrid Cloud
Amazon Web Services
Google Cloud
Microsoft Azure
Virtual Private Cloud
About us & News
About Arvato Systems
Awards
Corporate Responsibility
Management
Memberships & Certifications
Partnerships
References
Locations
Press
Events
Contact
ArvatoSystems_LowCode_Sicherheit_AdobeStock_174969112

Using Microsoft’s Low-Code Platform Securely

Settings for more security

...
ArvatoSystems_Schneider_Karsten
Written by
Tips on the Power Platform - The Low-Code Platform From Microsoft
05.05.2022
Digital Transformation
Microsoft 365
Digital Workplace

For the security of the Power Platform – Microsoft's low-code platform – M365 offers numerous functions and configuration settings in various Admin Centers. However, some of these can only be implemented with PowerShell. This complicates the work of administrators, consultants and those responsible for the internal rollout of Microsoft 365 applications. We will show you the advantages of the Power Platform and how to protect it from unwanted access.

What Actually Is a Low-Code Platform?

A low-code platform (also low-code development platform and tool), such as Microsoft's Power Platform, is a development environment that makes it easy to implement software with little or no programming knowledge. As such, it enables rapid development, programming, and deployment of applications such as apps. 

 

This is achieved through low-code solutions that provide a standardized modular kit for development. The graphical user interface includes few drag-and-drop and logic functions. There's no need to write extensive code.

 

A no-code platform eliminates the need to write code for applications altogether. As a result, anyone can create applications, even without programming skills. There is no programming in the classical sense.

Advantages and Disadvantages of the Low-Code Development Platform

ArvatoSystems_PowerPlatform_CenterOfExcellence_735x492

Low-code platforms like the Power Platform quickly advance digitization in the enterprise by greatly simplifying the development of applications. They help your employees work digitally, automating and speeding up unnecessary tasks. In addition, you have the possibility to implement even complex applications and apps cost-effectively and without in-depth programming knowledge.

 

However, it is important to know how to use the low-code platform to avoid risks for your business:

  • Phishing and obtaining user consent for their data.
  • Extraction of data to uncontrolled data stores
  • Corruption of documents
  • Data leakage through automated disclosure

 

For example, the low-code Power Automate platform does not provide settings for individual access rights.

 

The risks of low-code platforms can be effectively avoided with a set of security and governance measures. For example, the Center of Excellence - a solution based on the Power Platform - supports compliance with governance guidelines, promotes innovation and helps monitor the low-code platform.

Tips for Safe Use of the Power Platform and Good Governance

The setting options for more security and control over the low-code development platform are diverse and are partially only implementable with PowerShell:

 

Configuration of the AllowAdHocSubscriptions

A first option is to prevent self-service subscriptions. This is done via a PowerShell command from the administrator.

 

Disable trial and developer license plans

There are two types of license plans in Microsoft's documentation - "Internal" and "Viral". In both cases, users have the option to issue licenses to themselves. You can disable Trial and Developer license plans.

 

Disable Self-Service Purchase License

This restriction is primarily intended for organizations that have a defined centralized purchasing process. As mentioned earlier, users can use their credit cards to purchase their own licenses for various applications and tools, such as PowerApps, PowerAutomate, PowerBI Pro, Project Plan 1 and 3, and Visio Plan 1 and 2. Again, this setting is currently only done through PowerShell.

If you have made these three configurations, users can still view data and possibly use it for unwanted purposes. The low-code platforms PowerApps and PowerAutomate are free, so anyone with a private account can use the services. So it would be conceivable for the user to use their private service and use their corporate account to connect to the data source. All that is needed is a live or private Microsoft account to create workflows and apps. The connection to the data is then established with the company account.

ArvatoSystems_PowerPlatform_SettingsAdminCenter_2_735x492

Disable cross-tenant functions

For a long time, cross-tenant connections could only be disabled via a ticket at Microsoft. Recently, a preview function called "Tenant Isolation (preview)" has been available.

The function is located in the Admin Center of the Power Platform and allows the restriction of incoming and outgoing connections. Check with Microsoft for more details on this solution.


Setting Data Policies

Data Policies are used to create data zones and thus easily allow further restriction of access. It is possible to move connectors to one of the following three data zones:

  • Business data
  • Non-business data
  • Block


When such a data policy is in place, workflows can only work with connectors from one data zone. Specifically, this means that a workflow cannot use business data and non-business data connectors at the same time. You can also set the data policy in the Admin Center via an interface.

By the way: There are different connectors, for example premium connectors or connectors from other providers, such as Google, Facebook, Twitter, Dropbox or Adobe.

ArvatoSystems_PowerPlatform_SettingsAdminCenter_735x492

Determination of the Environment Settings

The Admin Center of the low-code platform allows you to define who can create additional environments. The environments are based on Dataverse and consume additional storage from the tenant. You can restrict this in the Admin Center of PowerApps or PowerAutomate (for example here). There you click on the gear icon to access the Power Platform Settings.

ArvatoSystems_PowerPlatform_SettingsAdminCenter_1_735x492

It is recommended to allow all settings for creating environments (Production, Sandbox, Trial) only for specific admins. These are the Global Admin, the Power Platform Admin and the Dynamics Service Admin.


Furthermore, the allocation of additional capacity (memory) should also only be possible for specific admins.

By the way: Microsoft's low-code platform can also be used in Teams. Environments are automatically created for this purpose - for every Microsoft Teams that you use for this purpose. Currently, you can only turn this off by deactivating PowerApps and PowerAutomate within Teams.

How Can Users Access PowerApps and PowerAutomate?

Like any other service in Office 365, Power Platform is a subscription-based model (license per user per month). There are two types of licenses:

  1. Free licenses are included in almost every Office 365 license and allow to create apps and workflows in the available standard environment.
  2. Premium licenses enable the use of additional features such as over 400 Premium Connectors.

If administrators turn off the services, users can still create workflows and apps - contrary to what is often assumed.

ArvatoSystems_PowerPlatform_StartScreen_0_735x492

Example: Standard access to PowerAutomate

The user wants to create a workflow and forward his mails to his private mail address. He opens the portal and has the following options:

  1. "Sign in"
  2. "Try free"
  3. "Buy now"
  4. "Start free"
ArvatoSystems_PowerPlatform_StartScreen_1

1. Sign in: Access in shadow service

The user gets access to the service even if PowerAutomate and PowerApps do not appear in the menu tile. He does not have a free license. This is identical to the fourth item, "Start free".

ArvatoSystems_PowerPlatform_StartScreen_2_735x492

2. Try free: access to the service with free license

The user fills in a simple form and is assigned a free license. An administrator can see this license in the portal.

ArvatoSystems_PowerPlatform_StartScreen_3_735x492

3. Buy now: self-service for premium licenses

The user can buy his own licenses for the service under the item and store his credit card information. This gives him access to the premium functions. It is an option for departments with a corresponding budget, for example.

In the low-code PowerApps platform, access behaves similarly when the user opens the portal. However, there are a few differences. A user without a license can still create apps. Users who want to launch an app and do not have a license will receive an appropriate warning that they need a license. There is no free license to use the developed app.

Conclusion: Secure Power Platform With All Options

With the executed measures, you control access to the Power Platform and thus make unwanted use more difficult. This cannot be prevented completely, since the default environment is open for every Maker. These restrictions are particularly helpful if you do not yet want to unlock all functions during the rollout of Office 365 or only want to use some of them permanently. It is advisable to use all mechanisms for good governance of the low-code platform if possible.

Do you have questions about the Power Platform?

Then let our experts advise you free of charge on the low-code platform from Microsoft - they are available to you at any time.

Get advice now
Microsoft Power Platform

Benefit from concentrated business and IT knowledge with Arvato Systems for your Digital Transformation with the Microsoft Power Platform.

Learn more
Microsoft 365

Discover the individual possibilities of your Modern Workplace with Microsoft Office 365.

Learn more

Written by

ArvatoSystems_Schneider_Karsten
Karsten Schneider
Expert for Microsoft 365
Subscribe to our newsletter
ImprintPrivacy PolicyGeneral Purchase ConditionsYour Career at Arvato SystemsContactChange Cookie-Settings
© 2024 Arvato Systems