This article describes the areas to focus on when considering the security of your default environment.
In large organizations, you might want to assign the Environment Administrator and System Administrator roles to a few users instead of assigning the more powerful Power Platform Administrator role.
Communicate the intent of the environment
One of the biggest challenges for the Center of Excellence (CoE) team is communicating how they want employees to use the default environment. This section provides some ways to let makers in your organization know about your intended use of the default environment. More information: What is a Center of Excellence?
Rename the default environment
One of the first things a Power Platform CoE can do is change the name of the default environment. The default environment is created with the name *tenant name* (default). A Power Platform admin can change the default environment name to something more descriptive, such as Personal Productivity Environment, to clearly state the intent.
More information: Edit environment properties
In addition to changing the name of the default environment, the Power Platform CoE team should set up a central wiki that contains information about the organization's Power Platform service. This may include but is not limited to:
- Use cases for personal productivity.
- How do I create applications and flows?
- Where are apps and flows built?
- How can I contact the CoE support team?
- Rules for integration with external services.
The Microsoft Power Platform Hub is a SharePoint communication site that gives you a starting point for content and page templates when setting up your internal Power Platform communication site.
Customize Power Platform messages
If a maker creates an app that violates the DLP policy, you can customize the error message that appears so that it shows the URL of your organization's Power Platform wiki. You can also add the contact email address of the Power Platform team. This redirects makers or users to your Power Platform wiki. This is particularly critical for the default environment because all employees in the organization have access to it. As the CoE team refines the DLP policy over time, you may inadvertently break some existing apps. Ensure that DLP policy violation messages include contact information or a URL so that makers have a way forward.
You can use the following PowerShell scripts to customize these messages:
| Cmdlet | Description |
|---|---|
| New-PowerAppDlpErrorSettings | Create governance message |
| Set-PowerAppDlpErrorSettings | Update governance message |

More information: Power Platform governance error message commands
Makers can distribute the apps they create in an environment to other users in their organization by sharing the app with individual users or security groups. In addition, the platform allows a maker to share an app with "Everyone" in the organization.
Your organization should consider using a closed-loop process for widely used apps to enforce mandates such as the following policies and requirements:
- Security Audit Policy.
- Business Evaluation Policy.
- ALM Requirements.
- User Experience and Brand Requirements.
You should consider disabling the share with everyone feature in Power Platform. After this restriction, only a small group of admins can share an app with "Everyone" in the environment.
To prevent apps from being shared with everyone in the tenant:
Use Get-TenantSettings to get the list of tenant settings for your organization. This cmdlet returns a tenant settings object.
The powerPlatform.powerApps object contains three flags; the one that controls sharing with everyone is disableShareWithEveryone.
Use the following commands to get the settings object and set disableShareWithEveryone to $true, which turns off sharing with everyone:

```powershell
# Retrieve the current tenant settings object
$settings = Get-TenantSettings

# Setting this flag to $true removes the "Everyone" option for makers
$settings.powerPlatform.powerApps.disableShareWithEveryone = $true

# Write the modified settings object back to the tenant
Set-TenantSettings -RequestBody $settings
```

Use Set-TenantSettings with the settings object to prevent makers from sharing their apps with all tenant members.
Once these commands have been run, only admins have the right to share an app with all tenant members. Makers are limited to sharing the app with a security group or individuals.
Data loss prevention policy for the default environment
This section covers the recommended settings for configuring a data loss prevention (DLP) policy for the default environment.
Block new connectors in the default environment
New connectors added to the platform are placed in the non-business data group by default. You can configure this so that new connectors land in the Business or Blocked data group instead. For the DLP policy of the default environment, we recommend setting the default data group (typically non-business) to Blocked. This ensures that newly introduced connectors remain unusable until a tenant admin manually unblocks them.
To limit employee access to only the basic unblockable connectors and prevent access to all other connectors, classify the prebuilt connectors as follows:
- Move all unblockable connectors to the Business data group.
- Move all blockable connectors to the Blocked data group.
Custom connectors allow you to create a connector for your own in-house developed service. These services are intended for technical consumers such as developers. It is preferable to reduce the footprint of organization-created APIs that can be called from apps or flows in the default environment. To ensure that makers can't create and use custom connectors for APIs, create a rule that blocks all URL patterns. If there are APIs that you want users to have access to in the default environment (for example, a service that returns a published list of the organization's holidays), you can configure multiple rules that classify different URL patterns into the business and non-business data groups. Make sure the connections always use the HTTPS protocol. More information: DLP policy for custom connectors
For more information on Power Platform DLP policies, see Create a data loss prevention (DLP) policy.
Power Automate lets you create automation at scale using low-code. This allows everyone in an organization to create scalable, secure, and rich workflows. With connectors you can create workflows that connect different systems.
The Office 365 Outlook connector is one of the standard unblockable connectors. This connector allows an employee to send, delete, and reply to email messages in mailboxes that they have access to. The risk of this connector is also one of its most powerful features: the ability to send email. A citizen developer could end up accidentally creating a flow that sends a burst of email. This section explains how you can mitigate this risk.
Your organization's Microsoft Exchange administrator can set up rules on the Exchange server to prevent applications from sending email. It is also possible to exclude certain flows or applications from the defined rules for blocking outbound mail. You can combine this rule with an "allow list" of email addresses to ensure that outgoing email from apps and flows can only be sent from a small set of mailboxes.
Every time an app or flow sends an email through the Office 365 Outlook connector, it inserts specific SMTP headers into the email. These headers contain reserved phrases that can be used to identify whether the email came from a flow or from an app.
The SMTP headers inserted in an email sent by a flow look like the following example (the environment ID in this sample is truncated as it appears in the source):

```
x-ms-mail-application: Microsoft Power Automate; User-Agent: azure-logic-apps/1.0 (workflow 2321aaccfeaf4d7a8fb792e29c056b03; version 08585414259577874539) microsoft-flow/1.0
x-ms-mail-operation-type: Send
x-ms-mail-environment-id: 0c5781ec-e ecd7-b964-fd94b2c8e71b
```

The x-ms-mail-application header can have the following values, depending on the service used:

| Service | Header value |
|---|---|
| Power Automate | Microsoft Power Automate; User-Agent: azure-logic-apps/1.0 (workflow <GUID>; version <version number>) microsoft-flow/1.0 |
| Power Apps | Microsoft Power Apps; User-Agent: PowerApps/ (; AppName= <app name>) |
The x-ms-mail-operation-type header can use the following values depending on the action being performed:
| Value | Meaning |
|---|---|
| Reply | For reply email operations. |
| Forward | For email forwarding operations. |
| Send | For send email operations, including SendEmailWithOptions and SendApprovalEmail. |
The x-ms-mail-environment-id header contains the environment ID value. The presence of this header depends on the product you are using:
- It's always there in Power Apps.
- In Power Automate it will only be present in connections created after July 2020.
- It will never be present in Logic Apps.
Possible Exchange rules for the default environment
Here are some email actions you might want to block using Exchange rules.
Block outgoing emails to external recipients
Block all outbound emails sent from Power Automate and Power Apps to external recipients. This rule ensures that citizen developers don't send emails from apps or flows to external recipients (such as partners, vendors, or customers).
Block outbound forwarding
Block all outbound emails forwarded from Power Automate and Power Apps to external recipients if the sender isn't on an approved mailbox list.
This rule ensures that users can't create a flow that automatically forwards incoming email to an external recipient.
Exceptions to consider for email blocking rules
Here are some possible exceptions to Exchange's email blocking rules for flexibility:
- Exempt specific apps and flows. Add an exception list to the rules above to allow approved apps or flows to send emails to external recipients.
- Organization-level allow list. In this scenario, it makes sense to move the solution to a dedicated environment. If multiple flows in that environment need to send outbound email, you can create a blanket exception rule to allow outbound email from that environment. Maker and admin permissions in this environment must be tightly controlled and restricted.
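The two blocking rules and the two exceptions above, expressed as Exchange Online transport rules keyed on the connector's SMTP headers. This is an added example, not code from the article; it assumes the ExchangeOnlineManagement module, and the mailbox addresses and environment ID are placeholders you replace with your own.

```powershell
# Added example (not from the article): Exchange Online transport rules that enforce
# the blocking rules above, with the exceptions described. Addresses and IDs are
# placeholders for illustration only.
Connect-ExchangeOnline

# Assumed allow list: mailboxes approved to send or forward from apps and flows.
$approvedSenders = @('hr-notifications@contoso.example', 'servicedesk@contoso.example')
# Assumed dedicated environment whose apps and flows may email external recipients.
$allowedEnvironmentId = '<environment-id-placeholder>'

# Header the Office 365 Outlook connector writes, and the values that identify
# Power Automate and Power Apps (see the table above).
$appHeader = 'x-ms-mail-application'
$appValues = @('Microsoft Power Automate', 'Microsoft Power Apps')

# Rule 1: block outbound mail from Power Automate / Power Apps to external recipients.
# Exceptions: mail from an approved mailbox, or from the dedicated environment.
New-TransportRule -Name 'PP-Block-External-Send' `
    -HeaderContainsMessageHeader $appHeader `
    -HeaderContainsWords $appValues `
    -SentToScope NotInOrganization `
    -ExceptIfFrom $approvedSenders `
    -ExceptIfHeaderMatchesMessageHeader 'x-ms-mail-environment-id' `
    -ExceptIfHeaderMatchesPatterns $allowedEnvironmentId `
    -RejectMessageReasonText 'External email from Power Platform apps and flows is blocked. See the Power Platform wiki.' `
    -Mode Enforce

# Rule 2: block forwarding by apps/flows to external recipients unless the sender
# is an approved mailbox. Forwarding is signalled by x-ms-mail-operation-type.
New-TransportRule -Name 'PP-Block-External-Forward' `
    -HeaderContainsMessageHeader $appHeader `
    -HeaderContainsWords $appValues `
    -HeaderMatchesMessageHeader 'x-ms-mail-operation-type' `
    -HeaderMatchesPatterns 'Forward' `
    -SentToScope NotInOrganization `
    -ExceptIfFrom $approvedSenders `
    -RejectMessageReasonText 'Automatic forwarding from Power Platform flows is blocked.' `
    -Mode Enforce

# Review the rules that were created and their enforcement mode.
Get-TransportRule | Where-Object Name -like 'PP-Block-*' | Format-List Name, State, Mode
```

Deploy with -Mode Audit first and review message trace results before switching to Enforce, so that existing business flows that legitimately email external recipients surface as exception candidates rather than failures.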
Isolation between tenants
Microsoft Power Platform has an Azure Active Directory (Azure AD) based connector system that allows Azure AD-authorized users to connect apps and flows to data stores. Tenant isolation allows admins to control the movement of data from Azure AD-authorized data sources to and from their tenant.
Tenant isolation applies at the tenant level and affects all tenant environments, including the default environment. Because all employees are makers in the default environment, establishing a strong tenant isolation policy is critical to protecting the default environment.
As a best practice, explicitly configure the tenants your employees can connect to. All other tenants should be covered by default rules that block data inbound and outbound.
- Power Platform tenant isolation differs from Azure AD tenant restriction in that it doesn't impact Azure AD-based access outside of Power Platform.
- Power Platform tenant isolation only works for connectors that use Azure AD-based authentication, such as the Office 365 Outlook and SharePoint connectors.
Restrict inbound and outbound access between tenants (preview)