New controls to Govern the Power Platform
Published Mar 26 2021 08:08 AM 3,348 Views
Bronze Contributor

Review the latest governance capabilities in Microsoft’s Power Platform, including more granular data loss prevention controls and enhanced visibility through new tenant-wide built-in analytics.


Power Platform makes it easy for anyone to build rich experiences around their data, apps, and processes, and integrate them with the apps they use every day. While this adds value to the business and developers, governance and productivity must be balanced. Microsoft CVP, Charles Lamanna, joins Jeremy Chapman to give you all the controls to support the shift to low-code development safely.




Visibility: Out-of-the-box analytics allow you to easily discover and monitor flows and apps and how they’re being used.


Connector Action Control: A new feature to create more granular controls over the actions you can allow or deny.


Endpoint Filtering, Tenant Isolation, Block Email Exfiltration: For more control over what’s permitted or blocked.


Out-of-box Analytics: Track adoption usage and health monitoring across Dataverse, Power Automate, and Power Apps. See which apps are being used across your environments, and quickly spot best performing apps.


Troubleshooting & Diagnostics: Run your own diagnostics and troubleshooting using data about your app included out-of-the-box.




03:21 — Visibility

04:35 — Granular controls: Connector Action Control

06:24 — Endpoint filtering

08:04 — Out-of-box analytics

08:56 — Troubleshooting and diagnostics

11:01 — Wrap Up


Link References:

For more about security and governance with the Power Platform, go to

To see best practices our largest customers are using, check out our detailed white paper at


Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Video Transcript:

- Up next, on this special edition of Microsoft Mechanics we’re joined again by Microsoft CVP, Charles Lamanna. Now with so many organizations now using Microsoft’s Power Platform, we’re going to review the latest governance capabilities, and this includes more granular data loss prevention controls, enhanced visibility through new tenant-wide built-in analytics and more. So Charles, welcome back to the Microsoft Mechanics.


- Thank you for having me it’s always great to be back.


- And thanks so much for joining us from home today. So every time we have you on the show you really expand our understanding of the different types of apps that you can build with the Power Platform. Now we’ve shown how the Power Platform makes it easy for literally anyone with an idea to build rich experiences around their data, their apps, and processes, even integrating them with the apps that they use everyday like Microsoft Teams. Now this is great for citizen developers and pro developers and also business users. But at the same time, I know a lot of the folks that are watching maybe in security and governance, might feel a bit anxious about people developing apps or having access to business critical data and processes.


- Yeah, and I empathize with their concern, wanting to protect your data and your users. The good news though is that we give you all the controls to support the shift to low-code development safely. And these are important tools to use and take advantage of because this shift is very real. Power Automate, for example, is one of the most popular automation platforms on the planet right now, with over 25 billion actions being taken every day. And each month over 4 million users are actively leveraging the Power Platform to develop low-code solutions. So this is something that has huge value to the business and developers because the makers of these flows and apps are thinking of custom experiences around the core business processes that can improve their day-to-day jobs. So we have to balance governance and productivity When we look at the Power Platform. Which means rather than stopping these efforts you can instead establish the right guard rails for innovation to take place safely.


- Right, and it’s really hard to ignore the momentum now. You know, over half a million organizations worldwide now use the Power Platform. So if you’re in IT, it’s more of a question of when your business users will get on board.


- It really is, but you have more control and visibility to establish your governance foundation than you think. So for example, we have a dedicated admin portal which offers a single location to discover and access all these capabilities, spanning environment creation and management with analytics and data loss prevention policies. And we give you multiple layers of security. At the tenant level everything is identity-based with the Azure Active Directory, which provides native integration with the Power Platform. This allows you to define things like conditional access policies for your users. The next level is the environment. Here you can scope permissions by defining environment strategies to govern access to resources like apps, flows and data sources as users create content. You can also even determine who can be the admin or a maker inside of these environments. And the layer beyond that is the data itself. That includes mechanisms to secure data stored in Dataverse, as well as data being accessed at runtime via connectors. For external data you can control access to specific data sources with data loss prevention policies. And for data stored in Dataverse, you can control data access right down to a specific table, field, or even record.


- Okay so what are some of the things that you can now do to establish a governance strategy right now?


- A lot of it starts with visibility. For example we give you out-of-the-box analytics that allow you to easily discover and monitor flows and apps and how they’re being used. So if you see a new killer app start to emerge, and you want to go add more guard rails around it you can do that. You can even move it to a dedicated environment. Then because you have visibility into the apps and flows and your environments, you can start to publish approved apps to your organization’s catalog for even greater discovery. And we have tools to manage all of this application life cycle from creation to deletion.


- Right, and the approach here makes for a really strong partnership as well between the IT department and also business users.


- It does, and what we have seen happen in a lot of organizations is that having a good governance structure goes a long way to encouraging a culture for app innovation. It’s not unusual to see internal maker communities that actively share tips and tricks to help train new users so it’s not all on IT. In fact we have a lot of free training available from Microsoft, built by my team to help you get started and get your first users apps up and running really quickly.


- So the governance building blocks are there, and thanks so much for bringing us up to speed on all the updates of what exists today. But that said, I know that you and the team are making things even better and taking things to the next level.


- We are, and the first thing I want to show you is our focus on bringing you more granular controls for data loss prevention policies. The Power Platform gives you the ability to connect your apps to any data source. We have over 450 available connectors that can take care of integration for you. And as you can see here, currently with data loss prevention policies we allow you to classify connectors as business. These are the connectors with sensitive data and will only work with other data sources defined as business as well. You can also keep them in the non-business category, which means they contain nonsensitive data and are not intended to connect with business data sources. And the last category is blocked, which means the connector can’t be used. And you can scope these policies at the environment level or the tenant level. And that said, we’ve just released the preview of a brand new feature called Connector Action Control. For most connectors, specifically the blockable ones, you can now create more granular controls over the actions that you can allow or deny. In this case, I’ll select Twitter and click on the configure connector and under connector actions it opens up the side panel. This shows you the types of connector actions that you can allow verses block access to. And for example, you might have a Twitter handle associated with an app to create feedback for customers. So with these controls you can do things like block makers from using Power Apps or Power Automate to post a tweet, and block the collection of followers for PII reasons, but still allow searching tweets for marketing teams to gauge customer sentiment. And you simply can block or allow any of these actions using these really easy to use radio buttons. And this level of control is an area that many of our existing customers, like Unilever, are exploring as a way to open up the usage of some of the connectors they had previously blocked for their tenant.


- And that’s really a lot more control than simply blocking at the all up connector level. But what else are you adding then to protect the flow of data?


- So at the endpoint level we now have endpoint filtering for some of our most commonly used connectors. So for example you can see here how you can use this feature for more granular control of your SQL servers. So that you can allow access to some SQL databases and deny access to others. And beyond endpoints you can restrict the flow of data between tenants and block cross-tenant connections with a new tenant capability we call tenant isolation. So based on business requirements you can allow connections to or from a specific list of tenants. And to do this you just have to configure which domains you’d like to allow for inbound or outbound communication when you enable this tenant isolation feature.


- This is super important for organizations that are comprised of multiple tenants, like maybe companies that they’ve got subsidiaries or departments that are managed through a multi-tenant architecture.


- Totally, and one more critical data production capability that we are adding based on high demand is the ability to block email exfiltration. This allows you to configure rules for email messages being sent from PowerApps and Flow. For example, you can do things like block emails from being sent to recipients outside of your organization, or Scope just to block emails being sent from specific apps and flows. Because we use consistent email message headers as you can see here, you can easily set up rules that block sending emails from your Power Apps or your Power Automate flows outside of your organization as part of preventing data exfiltration through email.


- That’s a lot more granularity in terms of how you can define what’s permitted or blocked, but in order to really know where to spend your time and act you really need to have visibility into what’s going on in your environment. As you’ve shown we’ve had reporting available for a while now. But what are we doing to make things even better?


- So analytics is a huge area of focus for us. And one of the things I’m most excited about is the new out-of-the-box analytics. These now make it easier for better inventory, to track adoption, usage and health monitoring across Dataverse, Power Automate, and Power Apps. In fact, I’ll switch these reports to tenant level and that will load reporting across your entire tenant and all of your environments as you can see here. And because we’re using Power BI integration, these can also be exported as Excel files really easily. And I’m showing tenant-level reporting for Power Apps today, and this tenant-level reporting will be coming to the rest of the Power Platform in the future.


- This is pretty significant, because I remember previously we had to install the Center of Excellence starter kit to really get this level of reporting across your environments and across your entire tenant.


- That’s right. So now you can see which apps are being used across all of your environments and quickly spot the best performing apps right out-of-the-box.


- Can you also use the data then for things like troubleshooting or diagnostics?


- You can, and let me show you an example of that with an app that a lot of organizations are using right now as people start to return to the office. This app is a Canvas app template that lets you check out computer accessories, which is useful if you left something at home or maybe you’re at a hot desk and you need to borrow a keyboard or mouse for the day or week. In order to hook this app up to App Insights, I just grabbed the instrumentation key and add in the app properties right here. And this is a brand new app and you can see I already have three users. So if I scroll down I can see a few more insights, including things like events, performance, location of users and their operating systems to name a few. Then if I click into the sessions, this shows me the number of times the app’s been launched, I can see similar stats per session and events break this down even further. And what I love about this view is that I can see the engagement levels per screen of the app. This chart tracks engagement and user flows, so it lets me see how the app is being used and which screens are the most popular. If I flip back to the Canvas App and click on this button you can see a custom trace event that captures app feedback. And this trace event has custom dimensions to include with the message, things like username, email and the active screen. And if I go back to App Insights into logs I can skip the custom trace function with granular details whenever this scenario or issue is hit by my users. And here I can look for messages related to the app feedback, see lots of information. So there’s tons of great data about your apps included out-of-the-box. You can even extend it using these custom trace functions like I did here. And by the way, what I just showed for troubleshooting is pretty much what Microsoft support engineers might do in response to a customer support ticket. So now you can do the same types of diagnostics immediately without having to wait for us. And of course, there are even more capabilities in App Insights coming in the future. For example we’re going to make it so all of your apps and environment can be connected and configured all at once with App Insights.


- It’s really great to see the focus on reporting and monitoring and diagnostics. Of course these insights can be used to improve your governance as well. But what’s the team working on next?


- So what I’ve shown today is just the beginning. We’re going to continue to expand all your options for visibility and reporting. And one of the things I’m really looking forward to is our integration work with Microsoft Information Protection to scan, classify and protect sensitive data inside of the Power Platform.


- This is such an important topic really, as people do more with the Power Platform and at the same time want to be able to keep their data safe but where should people go then to learn more?


- You can find the guidance you need at And if you want to see some of the best practices that our largest customers are using check out our detailed white paper at


- Thanks so much again for joining us today Charles and I hope that we were able to answer the many questions that you had on this important topic. And of course if you haven’t already please subscribe to Microsoft Mechanics for the latest tech updates. Thanks for watching we’ll see you next time.

Version history
Last update:
‎Apr 01 2021 07:28 AM
Updated by: