An emerging trend in digital transformation efforts has been the rise of low-code development platforms. Of course, these low-code platforms must be grounded in best-of-breed governance capabilities which include security and compliance features. Without strong governance, the full benefits of low-code development cannot be realized. It’s only natural that any low-code platform chosen by an organization must have strong security and compliance capabilities. Microsoft has developed the Power Platform which includes Power Apps, Power Automate, Power Virtual Agents, and Power BI to serve our customer’s needs for a robust low-code development platform that includes app development, automation, chatbots, and rich, detailed data analysis and visualization. We previously reported on the fundamental security and compliance capabilities offered with Microsoft Flow which was renamed Power Automate. In this blog, we’re going to discuss the integrated security and compliance capabilities across the Power Platform and provide an update on the new capabilities we’ve launched.
Foundations of governance
As the number of developers grows, governance becomes a key criterion to ensure digital transformation. As such, IT must create stronger guardrails to ensure the growing numbers of developers and the assets they create all remain compliant and secure. The Power Platform’s governance approach is multi-step with a focus on security, monitoring, administrative management, and application lifecycle management (figure 1). Check out our detailed governance and administration capabilities. The Power Platform also offers a Center of Excellence Starter Kit which organizations can use to evolve and educate employees on governance best practices. The Power Platform comes equipped with features that help reduce the complexity of governing your environment and empowers admins to unlock the greatest benefits from their Power Platform services. We’re reporting some of our newest capabilities to protect your organization’s data with tenant restrictions and blocking email exfiltration. We’re also announcing new analytics reports available for the robotic process automation (RPA) capability recently launched with Power Automate.
Cross-tenant inbound and outbound restrictions using Azure Active Directory
The Power Platform offers access to over 400 connectors to today’s most popular enterprise applications. Connectors are proxies or wrappers around an API that allows the underlying service to ‘talk’ to Power Automate, Power Apps, and Azure Logic Apps. Control and access to these connectors and the data residing in the applications is a crucial aspect of a proactive governance and security approach. To this end, we have recently enhanced the cross-tenant inbound and outbound restrictions for Power Platform connectors. The Power Platform leverages Azure Active Directory (Azure AD) for controlling user authentication and access to data for important connectors such as Microsoft first-party services. While tenant restrictions can be created with Azure AD all up, enabling organizations to control access to software as a service (SaaS) cloud applications and services based on the Azure AD tenant used for single sign-on, they cannot target specific Microsoft services such as Power Platform exclusively. Organizations can opt to isolate the tenant for Azure AD-based connectors exclusively for Power Platform, using Power Platform’s tenant isolation capability. Power Platform tenant isolation works for connectors using Azure AD-based authentication such as Office 365 Outlook or SharePoint. Power Platform’s tenant isolation can be one way or two way depending on the specific use case. Tenant admins can also choose to allow one or more specific tenants in inbound or outbound direction for connection establishment while disallowing all other tenants. Learn more about tenant restrictions and tenant isolation. For now, this capability is available through support and will soon be available for admin self-service using Power Platform admin center.
In addition to leveraging Power Platform tenant isolation’s ability to prevent data exfiltration and infiltration for Azure AD-based connectors, admins can safeguard against connectors using external identity providers such as Microsoft account, Google, and much more—creating a data loss prevention policy that classifies the connector under the Blocked group.