Power Platform – Security Principles and Recommendations
Audience:
IT Admin, System Admin, CoE Owners and Power Platform Management teams.
Business Value:
- Security of the environments that host Power Platform solutions
- IT and environment recommendations that help the IT team manage Power Platform instances, environments and solutions.
Power Platform: Security Pillars
Based on the above representation, there are several areas on which the IT/Security team needs to focus when securing the Power Platform, Azure and Dataverse environment(s).
Compliance Strategy:
Utilize Microsoft Trust center to validate that Microsoft and your implementation comply with regulatory requirements for data security.
- Microsoft complies with data protection and privacy laws applicable to cloud services.
- Microsoft's compliance with world-class industry standards is verified.
- Learn more on the Microsoft Trust Center:
https://www.microsoft.com/trust-center/compliance
Data Management is the core of the security standards. Analyze where your data is located and the impact on regulatory requirements.
- Environments can be created in specific regions, even if different from the region the tenant resides in.
- Learn more on data location:
https://www.microsoft.com/trust-center/privacy/data-location
Data Protection Resources (DPR) are listed below:
- Discover how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization. This also includes the latest penetration test and security assessment reports.
- Learn more on the Service Trust Portal: https://servicetrust.microsoft.com/ViewPage/TrustDocumentsV3
- Learn more on Penetration Testing Rules of Engagement: https://www.microsoft.com/msrc/pentest-rules-of-engagement
Service Accounts Strategy:
Review privileged roles in Microsoft 365 and the Power Platform
- Microsoft 365 roles: Global administrator, Power Platform administrator, Dynamics 365 administrator.
- Power Platform environment security roles: System Administrator, System Customizer, Environment Maker.
- Learn more on Microsoft 365 (Azure AD) and Power Platform environment roles:
https://docs.microsoft.com/power-platform/admin/use-service-admin-role-manage-tenant
https://docs.microsoft.com/power-platform/admin/database-security
Limit and regularly review the list of elevated user and service accounts
- Consider a Just-In-Time (JIT) access approach to grant elevated privileges
- Consider administrative users to grant access to settings and administration features, but not to business functionality.
- Learn more on Privileged Identity Management in Azure AD and on administrative users in the Power Platform:
https://docs.microsoft.com/azure/active-directory/privileged-identity-management
https://docs.microsoft.com/power-platform/admin/prevent-elevation-security-role-privilege
Utilize Azure AD applications and service principals for integration and deployment
- Server-to-server (S2S) authentication allows secure and seamless communication between applications and services.
- Learn more on applications and service principals in Azure AD and the Power Platform:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
https://docs.microsoft.com/power-platform/admin/manage-application-users
Power Platform Network Security:
For specific network requirements, consider Azure ExpressRoute with Microsoft Power Platform
- Azure ExpressRoute provides a way to connect your on-premises network to Microsoft cloud services by using private connectivity. This is useful when you need to make sure your network or internet connection can handle additional traffic; to manage the predictability of traffic; or to ensure data never transits across the public internet.
- Configuring ExpressRoute for Power Platform services requires Microsoft peering. This means that traffic is routed to the Power Platform public IP address ranges (BGP communities are not supported).
- Learn more on using Azure ExpressRoute with the Power Platform:
https://docs.microsoft.com/power-platform/guidance/expressroute/overview
Leverage Azure Networking Connectivity
- Connect from the Power Platform into your Azure Virtual Network.
For complex architectures with multiple integrations, consider using API gateways
- With Azure API Management (APIM), you can deploy API gateways side-by-side with the APIs hosted in Azure, other clouds, and on-premises, optimizing API traffic flow. APIM also allows you to publish backend services as APIs and export these to the Power Platform as custom connectors.
- Learn more on Azure API Management:
https://docs.microsoft.com/azure/api-management/
https://docs.microsoft.com/azure/api-management/export-api-power-platform
Monitoring Controls:
Leverage auditing and logging controls available in Microsoft 365 and Microsoft Dataverse
- When enabled and configured, these features allow you to record and review data updates and user actions.
- Learn more on Dataverse audit mechanisms and on Microsoft 365 compliance center audit logs:
https://docs.microsoft.com/power-platform/admin/audit-data-user-activity
https://docs.microsoft.com/power-platform/admin/enable-use-comprehensive-auditing
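The audit logs above are only useful if someone reviews them. The following added example (not from the original page, and not Microsoft code) replays simplified, constructed audit events to answer two questions from this page: who currently holds an elevated role, and which role grants broke policy (a grant to an account outside the approved list, or an admin granting a privileged role to themselves). The pipe-separated event format, the account names and the approved list are constructed stand-ins; the role names are those the page lists as privileged.

```python
"""Added example (not from the page): reviewing simplified, constructed
audit events for elevated-role assignments. The event format is a stand-in
for what Dataverse or Microsoft 365 auditing would export; the role names
are the ones the page lists as privileged."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Roles the page lists as privileged; assigning any of them is worth a review.
ELEVATED_ROLES = {"System Administrator", "System Customizer",
                  "Power Platform administrator", "Global administrator"}

# Constructed allow-list of accounts approved to hold elevated roles.
APPROVED_ELEVATED = {"pp-admin@contoso.example", "svc-deploy@contoso.example"}

# Constructed audit export: timestamp | actor | action | target | detail
SAMPLE_AUDIT = """\
2024-03-04T08:05:00+00:00 | pp-admin@contoso.example | AssignRole | svc-deploy@contoso.example | System Administrator
2024-03-04T09:12:00+00:00 | pp-admin@contoso.example | AssignRole | alice@contoso.example | Environment Maker
2024-03-04T22:40:00+00:00 | bob@contoso.example | AssignRole | bob@contoso.example | System Administrator
2024-03-05T10:00:00+00:00 | pp-admin@contoso.example | RemoveRole | svc-deploy@contoso.example | System Administrator
2024-03-05T10:30:00+00:00 | bob@contoso.example | Update | contact:12345 | telephone1
"""


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    actor: str    # who performed the action
    action: str   # AssignRole, RemoveRole, Update, ...
    target: str   # user or record the action applied to
    detail: str   # role name for role events, column name for data updates


def load_events(text: str) -> list[AuditEvent]:
    """Parse the constructed export and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, detail = (p.strip() for p in line.split("|"))
        events.append(AuditEvent(datetime.fromisoformat(ts), actor, action, target, detail))
    return sorted(events, key=lambda e: e.timestamp)


def elevated_role_holders(events: list[AuditEvent]) -> dict[str, set[str]]:
    """Replay role changes to get who currently holds an elevated role."""
    holders: dict[str, set[str]] = {}
    for e in events:
        if e.detail not in ELEVATED_ROLES:
            continue
        if e.action == "AssignRole":
            holders.setdefault(e.target, set()).add(e.detail)
        elif e.action == "RemoveRole":
            holders.get(e.target, set()).discard(e.detail)
    return {user: roles for user, roles in holders.items() if roles}


def review_findings(events: list[AuditEvent]) -> list[tuple[str, str, str, str]]:
    """Findings as (kind, actor, target, role) for grants that break the policy."""
    findings = []
    for e in events:
        if e.action != "AssignRole" or e.detail not in ELEVATED_ROLES:
            continue
        if e.target not in APPROVED_ELEVATED:
            findings.append(("unapproved-elevation", e.actor, e.target, e.detail))
        if e.actor == e.target:
            findings.append(("self-elevation", e.actor, e.target, e.detail))
    return findings


if __name__ == "__main__":
    evs = load_events(SAMPLE_AUDIT)
    print("current elevated holders:", elevated_role_holders(evs))
    for finding in review_findings(evs):
        print("finding:", finding)
```

Replaying assignments and removals, rather than only alerting on each grant, is what makes the periodic "who is elevated right now" review cheap to repeat; the temporary grant to the deployment service account drops out of the result once it is removed, while the self-granted System Administrator role stays visible.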
Integrate with Microsoft Sentinel
- Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution for alert detection, threat visibility, proactive hunting, and threat response.
- Learn more on Microsoft Sentinel: https://docs.microsoft.com/azure/sentinel/connect-dynamics-365
Monitor usage and Application Telemetry
- Reports and configurable export options provide insights on Power Platform usage, performance and diagnostics data.
- Learn more on Azure Application Insights integration: https://docs.microsoft.com/power-platform/admin/overview-integration-application-insights
- Learn more on Power Apps tenant-wide analytics: https://docs.microsoft.com/power-platform/admin/tenant-level-analytics
- Learn more on Power Automate analytics: https://docs.microsoft.com/power-platform/admin/analytics-flow
- Learn more on exporting usage and inventory data to an Azure Data Lake: https://docs.microsoft.com/power-platform/admin/self-service-analytics
- Learn more on the Center of Excellence starter kit: https://docs.microsoft.com/power-platform/guidance/coe/starter-kit
Data Security & Controls:
Review your Power Platform environments encryption
All Microsoft Dataverse environments perform real-time encryption of data, at rest and in transit. By default, Microsoft stores and manages the encryption key, but under eligible conditions admins can choose to manage it themselves.
- Learn more on using customer-managed keys:
https://docs.microsoft.com/power-platform/admin/manage-encryption-key
Scan, classify, and label Dataverse data with Azure Purview
Azure Purview is a unified data governance service that helps you manage and govern your data, with automated data discovery, sensitive data classification, and end-to-end data lineage.
- Learn more on Azure Purview: https://docs.microsoft.com/azure/purview/overview
- Learn more on Microsoft Information Protection: https://docs.microsoft.com/microsoft-365/compliance/information-protection
Enable Lockbox policies for your Power Platform environments
Lockbox provides an interface to review – and approve or reject – data access requests, typically in the context of a support request. After access is granted to Microsoft, any customer data access during the elevated access period is recorded and made available as audit logs.
Environment Security & Strategy
Assess if your environments should be visible to all users or not
- You can associate an AAD security group with an environment to limit access to the group members.
- Learn more on controlling user access to environments
https://docs.microsoft.com/power-platform/admin/control-user-access
Understand environment system and manual backups
- System backups for production environments that have been created with a database and have one or more Dynamics 365 applications installed are retained for up to 28 days. For others, 7 days.
- Learn more on backing up and restoring environments
https://docs.microsoft.com/power-platform/admin/backup-restore-environments
Evaluate need for data archival and retention policies
- Move Dataverse data to long-term storage to support regulatory requirements, internal and external audit requirements, and reduce non-active data from the transactional store.
Have representative non-customer data for test sets in non-production environments
- Avoid using customer personal and business confidential data in non-production environments.
- If performing production environment copies, consider implementing processes to obfuscate sensitive data
Solution Model / Package Security:
Keep your model simple and have the future in mind
- Be mindful of the required effort to maintain the security model.
- Anticipate the impact of reorganizations, user onboarding, users leaving or users changing roles.
- Try to limit the number of security patterns, security roles, business units (and their depth) and teams.
Avoid unhealthy patterns
- Automated sharing at scale is never easy to maintain and can introduce scalability and performance issues. Try to cover as many scenarios as possible with simple patterns, and only resort to sharing for exceptions to the model.
- Plug-ins firing on Retrieve and Retrieve Multiple events also have caveats and negatively impact performance.
Understand that customization of the user interface is different from securing data
- When a user has update privileges on a record, setting a field as read-only on a form doesn't mean the data can't be updated through other means. True security resides server-side.
- Hiding the “Export to Excel” button doesn’t mean users can’t export the data with other tools.
- That being said, security roles can and should also be leveraged to create simple role-based UX.
Assess security impacts in related applications and/or features
- Evaluate access rights in satellite apps and services (e.g., Customer Insights, SharePoint, Teams, Portals, Power BI, etc.).
User Account/Roles Management:
Implement a least privilege strategy when designing your security roles
- Consider providing users only with what is necessary to accomplish their job (just-enough-access, JEA): reduce read/write privileges to a user or business unit scope, and avoid granting delete privileges by favoring deactivating records instead.
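The two points above (security is enforced server-side by roles, not by form customization; privileges should be scoped as narrowly as the job allows) are easier to reason about with a concrete model. The following added example is not from the original page and is not Dataverse code; it is a small Python model of how Dataverse-style role-based access checks combine privilege depth (User, Business Unit, Parent: Child Business Units, Organization), business unit hierarchy and record ownership by users or teams. The business units, roles, users, records and the "Legacy Admin" role are constructed for the example, as is the `broad_privileges` check that flags the grants this page advises against (organization-wide scope and Delete).

```python
"""Added example (not from the page): a small model of Dataverse-style
role-based access checks. It shows that access is decided server-side from
security roles and record ownership, never by form customization, and flags
the over-broad grants the page advises against. Tables, roles, business
units, users and records are all constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Depth(IntEnum):
    """Privilege depth, from narrowest to widest."""
    NONE = 0
    USER = 1           # Basic: records owned by the user or by one of their teams
    BUSINESS_UNIT = 2  # Local: records owned within the user's business unit
    PARENT_CHILD = 3   # Deep: the user's business unit and every unit below it
    ORGANIZATION = 4   # Global: every record in the environment


@dataclass(frozen=True)
class User:
    name: str
    business_unit: str
    roles: tuple[str, ...]
    teams: tuple[str, ...] = ()


@dataclass(frozen=True)
class Record:
    table: str
    record_id: str
    owner: str       # a user name or a team name
    owning_bu: str


class SecurityModel:
    def __init__(self, bu_parents: dict[str, str | None],
                 roles: dict[str, dict[tuple[str, str], Depth]]):
        self.bu_parents = bu_parents  # business unit -> parent unit (None for the root)
        self.roles = roles            # role name -> {(table, operation): Depth}

    def descendants(self, bu: str) -> set[str]:
        """The business unit itself plus every unit below it in the tree."""
        result = {bu}
        changed = True
        while changed:
            changed = False
            for child, parent in self.bu_parents.items():
                if parent in result and child not in result:
                    result.add(child)
                    changed = True
        return result

    def effective_depth(self, user: User, table: str, operation: str) -> Depth:
        """Roles are cumulative: the deepest grant across the user's roles wins."""
        grants = (self.roles[r].get((table, operation), Depth.NONE) for r in user.roles)
        return max(grants, default=Depth.NONE)

    def can(self, user: User, operation: str, record: Record) -> bool:
        """Server-side decision; nothing about the form or UI is consulted."""
        depth = self.effective_depth(user, record.table, operation)
        if depth == Depth.NONE:
            return False
        if depth == Depth.ORGANIZATION:
            return True
        if record.owner == user.name or record.owner in user.teams:
            return True  # any depth from USER upward covers owned records
        if depth >= Depth.BUSINESS_UNIT and record.owning_bu == user.business_unit:
            return True
        return depth == Depth.PARENT_CHILD and record.owning_bu in self.descendants(user.business_unit)

    def broad_privileges(self, role: str) -> list[tuple[str, str, Depth]]:
        """Grants worth a second look: organization-wide scope, or any Delete privilege."""
        return sorted((table, op, depth) for (table, op), depth in self.roles[role].items()
                      if depth == Depth.ORGANIZATION or (op == "Delete" and depth != Depth.NONE))


# Constructed business unit tree: Contoso > Sales EMEA > Sales UK
BU_PARENTS = {"Contoso": None, "Sales EMEA": "Contoso", "Sales UK": "Sales EMEA"}

ROLES = {
    "Salesperson": {("account", "Read"): Depth.BUSINESS_UNIT,
                    ("account", "Write"): Depth.USER,
                    ("account", "Delete"): Depth.NONE},
    "Sales Manager": {("account", "Read"): Depth.PARENT_CHILD,
                      ("account", "Write"): Depth.PARENT_CHILD},
    "Legacy Admin": {("account", "Write"): Depth.ORGANIZATION,
                     ("account", "Delete"): Depth.ORGANIZATION},
}
MODEL = SecurityModel(BU_PARENTS, ROLES)

ALICE = User("alice", "Sales UK", ("Salesperson",), teams=("UK Key Accounts",))
BOB = User("bob", "Sales UK", ("Salesperson",))
CAROL = User("carol", "Sales EMEA", ("Sales Manager",))

ACC_ALICE = Record("account", "acc-1", owner="alice", owning_bu="Sales UK")
ACC_BOB = Record("account", "acc-2", owner="bob", owning_bu="Sales UK")
ACC_TEAM = Record("account", "acc-3", owner="UK Key Accounts", owning_bu="Sales UK")
ACC_CAROL = Record("account", "acc-4", owner="carol", owning_bu="Sales EMEA")


def update_record(user: User, record: Record, column: str, value: str) -> dict:
    """An update arriving through any channel (form, API, flow) hits the same check."""
    if not MODEL.can(user, "Write", record):
        raise PermissionError(f"{user.name} may not write {record.record_id}")
    return {record.record_id: {column: value}}


if __name__ == "__main__":
    print("alice can read bob's account:", MODEL.can(ALICE, "Read", ACC_BOB))
    print("alice can write bob's account:", MODEL.can(ALICE, "Write", ACC_BOB))
    print("carol (parent BU) can read alice's account:", MODEL.can(CAROL, "Read", ACC_ALICE))
    print("Legacy Admin broad grants:", MODEL.broad_privileges("Legacy Admin"))
```

Note that `update_record` never looks at a form: whether a column is read-only in the UI changes nothing about the outcome, which is exactly why a read-only form field is a usability choice rather than a control. The `Salesperson` role illustrates the scoping the page recommends: Read at business unit scope, Write only on owned (or team-owned) records, and no Delete at all.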
When possible, drive security roles assignment through Azure AD groups
- Managing user roles through Azure AD group teams greatly reduces administration effort and risks of error.
Start from a copy of existing security roles and create them at the root business unit
- This allows better control over the new security roles and avoids conflicts with first-party updates.
- Security roles at the root business level can be included in solutions and deployed to other environments.
Be mindful of privileges potentially leading to elevated permissions
- E.g., “Promote User to Microsoft Dynamics 365 Administrator Role”
Combine similar roles for easier management
- You rarely need as many security roles as there are job titles.
Consider reporting to simplify a security model
- If managers only need an overview of the business (e.g., territory pipeline forecast), instead of defining a complex model on individual records, consider an anonymized report with limited access to the underlying raw data.
Monitor customizations being deployed to production
- Being source control-centric and following a gated Application Lifecycle Management (ALM) approach, with code reviews and approvals of pull requests, reduces the risk of deploying malicious or insecure customizations.
Have a secure process to handle changes to data involved in sensitive operations
- E.g., when updating a customer phone number used for verification, should the change be approved and audited?
Consider security checks and training for employees accessing confidential data
- Reduce risks by performing security checks and providing security training.
Don’t use Dataverse as a vault for highly sensitive information such as credit cards
- Compliant tools and solutions should be considered instead.
Power BI / Reports Security Principles:
Have a data management strategy for all data that is stored outside of a core application.
- When data is exported to external data stores, you need to apply your own security mechanism for reporting, as the Dataverse security permissions are no longer honored.
- The reporting strategy should include security requirements (encryption, access controls, row level, PII) as well as data residency and retention requirements.
- Learn more on how row-level security (RLS) can be used in Power BI to restrict data access for given users.
https://docs.microsoft.com/power-bi/admin/service-admin-rls
Understand how and when to leverage the Power BI Dataverse connector with DirectQuery
- The Dataverse connector in Power BI is based on the TDS endpoint, and this offers the following benefits:
- DirectQuery support, so that the connected user’s security context is applied to retrieve data in real-time, making sure that users don’t see more data than what the Dataverse security model allows for them.
- Native SQL query support can be used in Power BI interactive and paginated reports. With the CURRENT_USER function, you can filter records based on the connected user (e.g., “My accounts”).
- Learn more on the Dataverse TDS endpoint and on using the Dataverse connector in Power BI:
https://docs.microsoft.com/powerapps/developer/data-platform/dataverse-sql-query
https://docs.microsoft.com/powerapps/maker/data-platform/view-entity-data-power-bi
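The difference between a DirectQuery report that filters on the connected user and a report built over an export is easy to see in a few lines. The following added example is not from the original page and does not use Power BI or the TDS endpoint; it emulates, with Python and sqlite, an exported `account` table that has lost its Dataverse permissions, and shows two report-side controls: the "My accounts" ownership filter (the connected user's id is bound where a DirectQuery report would use `CURRENT_USER`) and a row-level security rule driven by a user-to-territory mapping table that the reporting team maintains. The table contents, user ids and mapping are constructed.

```python
"""Added example (not from the page): emulating row-level security over an
exported Dataverse snapshot with sqlite. Exported rows carry no Dataverse
permissions, so the report layer must filter them itself. The account table,
the user-to-territory mapping and the user ids are constructed."""
from __future__ import annotations
import sqlite3

# Constructed export of the account table: accountid, name, ownerid, territory
ACCOUNTS = [
    ("acc-1", "Fabrikam", "alice", "UK"),
    ("acc-2", "Northwind", "bob", "UK"),
    ("acc-3", "Adatum", "carol", "FR"),
    ("acc-4", "Litware", "alice", "FR"),
]
# Constructed RLS mapping maintained by the reporting team: who may see which territory
USER_TERRITORY = [("alice", "UK"), ("carol", "FR"), ("dave", "UK"), ("dave", "FR")]


def build_export() -> sqlite3.Connection:
    """Load the constructed export and the RLS mapping into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE account (accountid TEXT, name TEXT, ownerid TEXT, territory TEXT);
        CREATE TABLE report_user_territory (userid TEXT, territory TEXT);
    """)
    conn.executemany("INSERT INTO account VALUES (?, ?, ?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO report_user_territory VALUES (?, ?)", USER_TERRITORY)
    return conn


def unfiltered_report(conn: sqlite3.Connection) -> list[str]:
    """A report straight over the export: every row, whoever opens it."""
    return [r[0] for r in conn.execute("SELECT accountid FROM account ORDER BY accountid")]


def my_accounts(conn: sqlite3.Connection, current_user: str) -> list[str]:
    """The 'My accounts' pattern: the connected user's id is bound where a
    DirectQuery report against the TDS endpoint would use CURRENT_USER."""
    rows = conn.execute(
        "SELECT accountid FROM account WHERE ownerid = ? ORDER BY accountid", (current_user,))
    return [r[0] for r in rows]


def territory_report(conn: sqlite3.Connection, current_user: str) -> list[str]:
    """RLS via the mapping table: rows in the user's territories only, and
    nothing at all for a user with no mapping (deny by default)."""
    rows = conn.execute(
        """SELECT a.accountid FROM account a
           JOIN report_user_territory m ON m.territory = a.territory
           WHERE m.userid = ? ORDER BY a.accountid""", (current_user,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_export()
    print("export as seen by anyone:", unfiltered_report(db))
    print("alice, my accounts:", my_accounts(db, "alice"))
    print("alice, territory RLS:", territory_report(db, "alice"))
    print("bob (no mapping):", territory_report(db, "bob"))
```

The inner join is what makes the territory rule deny by default: a user missing from the mapping table gets an empty result rather than the whole export, which is the behaviour you want from any security filter that lives outside Dataverse.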
Microsoft Resources for reference:
Dynamics 365 Implementation Guide
- The “Environment strategy” chapter describes how environment-related decisions affect every aspect of the application, from application lifecycle management (ALM) to deployment and compliance. The “Security” chapter looks at the fundamental security principles applicable to Microsoft Dynamics 365 implementations.
- https://aka.ms/D365ImplementationGuide/#p=192 and https://aka.ms/D365ImplementationGuide/#p=291
Success by Design: Security Strategy
- Useful to review the security model for Dynamics 365 solutions.
- https://docs.microsoft.com/learn/modules/fast-track-security/
Power Platform and Dynamics 365 Apps – Guide to security and compliance 2021
- This document pulls together various information sources to provide an overview and underpinning details on aspects related to Compliance, Privacy, Security and Transparency.
- https://aka.ms/D365SecurityAndComplianceGuide
Embrace proactive security with Zero Trust
- Real-world deployments and attacks are shaping the future of Zero Trust. Our framework, key trends, and maturity model can accelerate your journey.
- https://www.microsoft.com/security/business/zero-trust