
Power Platform

Microsoft 365 (M365) Power Platform is a cloud-based enterprise group of applications comprising a low-code application development toolkit, business intelligence software, a custom chat bot creator, and app connectivity software. This Secure Configuration Baseline (SCB) provides specific policies to help secure Power Platform.

The Cybersecurity and Infrastructure Security Agency (CISA) score provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.

Assumptions

The License Requirements sections of this document assume the organization is using an M365 E3 or G3 license level at a minimum. Therefore, only licenses not included in E3/G3 are listed.

Key Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

The following section summarizes the various Power Platform applications referenced in this baseline:

  1. Power Apps: Low-code application development software used to create custom business applications. The apps can be developed as desktop, mobile, and even web apps. Three different types of Power Apps can be created:

    1. Canvas Apps: These are drag and drop style developed apps, where users drag and add User Interface (UI) components to the screen. Users can then connect the components to data sources to display data in the canvas app.

    2. Model-Driven Apps: These are apps developed from an existing data source. They can be thought of as the inverse of a Canvas App, since you build the app from the source rather than building the UI and then connecting to the source, as with Canvas apps.

    3. Power Pages: These are apps developed to function as either internal- or external-facing websites.

  2. Power Automate: This is an online tool within Microsoft 365 and add-ins used to create automated workflows between apps and services to synchronize files, get notifications, and collect data.

  3. Power Virtual Agents: These are custom chat bots for use in the stand-alone Power Virtual Agents web app or in a Microsoft Teams channel.

  4. Connectors: These are proxies or wrappers around an API that allow the underlying service to be accessed from Power Automate Workflows, Power Apps, or Azure Logic Apps.

  5. Microsoft Dataverse: This is a cloud database management system most often used to store data in SQL-like tables. A Power App would then use a connector to connect to the Dataverse table and perform create, read, update, and delete (CRUD) operations.

Security Solutions

1. Creation of Power Platform Environments

By default, any user in the Microsoft Entra ID Tenant can create additional environments. Enabling these controls will restrict the creation of new environments to users with the following admin roles: Global admins, Dynamics 365 admins, and Power Platform admins.

Policies

MS.POWERPLATFORM.1.1v1 – The ability to create production and sandbox environments SHALL be restricted to admins.

  • Rationale: Users creating new Power Platform environments may inadvertently bypass data loss prevention (DLP) policy settings or misconfigure the security settings of their environment.
  • Last Modified: June 2023
  • Note: This control restricts creating environments to users with Global admin, Dynamics 365 service admin, Power Platform service admins, or Delegated admin roles.
  • MITRE ATT&CK TTP Mapping:

MS.POWERPLATFORM.1.2v1 – The ability to create trial environments SHALL be restricted to admins.

  • Rationale: Users creating new Power Platform environments may inadvertently bypass DLP policy settings or misconfigure the security settings of their environment.
  • Last Modified: June 2023
  • Note: This control restricts creating environments to users with Global admin, Dynamics 365 service admin, Power Platform service admins, or Delegated admin roles.
  • MITRE ATT&CK TTP Mapping:
    • None

Resources

License Requirements

  • N/A

Security Solutions

2. Power Platform Data Loss Prevention Policies

To secure Power Platform environments, DLP policies can be created to restrict the connectors used with Power Apps created in an environment. A DLP policy can be created to affect all or some environments or exclude certain environments. The more restrictive policy will be enforced when there is a conflict.

Connectors can be separated by creating a DLP policy assigning them to one of three groups: Business, Non-Business, and Blocked. Connectors in different groups cannot be used in the same Power App. Connectors in the Blocked group cannot be used at all. (Note: Some M365 connectors cannot be blocked, such as Teams and SharePoint connectors).

In the DLP policy, connectors can be configured to restrict read and write permissions to the data source/service. Connectors that cannot be blocked cannot be configured. Agencies should evaluate the connectors and configure them to fit agency needs and security requirements. The agency should then create a DLP policy to only allow those connectors to be used in Power Platform.

When the Microsoft Entra ID tenant is created, by default, a Power Platform environment is created in Power Platform. This Power Platform environment will bear the name of the tenant. There is no way to restrict users in the Microsoft Entra ID tenant from creating Power Apps in the default Power Platform environment. Admins can restrict users from creating apps in all other created environments.

Policies

MS.POWERPLATFORM.2.1v1 – A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.

  • Rationale: All users in the tenant have access to the default Power Platform environment. Those users may inadvertently use connectors that share sensitive information with others who should not have access to it. Users requiring Power Apps should be directed to conduct development in other Power Platform environments with DLP connector policies customized to suit the user’s needs while also maintaining the agency’s security posture.
  • Last Modified: June 2023
  • Note: The following connectors drive core Power Platform functionality and enable core Office customization scenarios: Approvals, Dynamics 365 Customer Voice, Excel Online (Business), Microsoft Dataverse, Microsoft Dataverse (legacy), Microsoft Teams, Microsoft To-Do (Business), Office 365 Groups, Office 365 Outlook, Office 365 Users, OneDrive for Business, OneNote (Business), Planner, Power Apps Notification, Power BI, SharePoint, Shifts for Microsoft Teams, and Yammer. As such, these connectors remain non-blockable to maintain core user scenario functions.
  • MITRE ATT&CK TTP Mapping:

MS.POWERPLATFORM.2.2v1 – Non-default environments SHOULD have at least one DLP policy affecting them.
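
The DLP rules described in this section (environment scope, the three connector groups, and the most restrictive policy winning) can be modelled in a few lines. This is an added example, not CISA or Microsoft code: the policy names, environment names, dictionary layout and the `default_group` field are constructed assumptions, and the model is a simplification of how the platform evaluates policies.

```python
# Added example: a simplified model of Power Platform DLP evaluation.
# Policy names, environment names and the dict layout are constructed.
BLOCKED, BUSINESS, NON_BUSINESS = "Blocked", "Business", "Non-Business"

def applies(policy, env):
    """Scope: 'all' environments, 'only' the listed ones, or all 'except' them."""
    scope, listed = policy["scope"], env in policy.get("environments", [])
    return scope == "all" or (scope == "only" and listed) or (scope == "except" and not listed)

def group_of(policy, connector):
    # Assumption: connectors a policy does not name fall into its default group.
    return policy["groups"].get(connector, policy["default_group"])

def app_violations(policies, env, connectors):
    """Reasons an app using `connectors` in `env` is rejected.

    Every applicable policy must allow the app, so the most restrictive wins.
    """
    reasons = []
    for p in (p for p in policies if applies(p, env)):
        groups = {c: group_of(p, c) for c in connectors}
        blocked = sorted(c for c, g in groups.items() if g == BLOCKED)
        if blocked:
            reasons.append(f"{p['name']}: blocked connector(s) {', '.join(blocked)}")
        if {BUSINESS, NON_BUSINESS} <= set(groups.values()):
            reasons.append(f"{p['name']}: mixes Business and Non-Business connectors")
    return reasons

def uncovered_environments(policies, envs):
    """Environments with no applicable DLP policy (gaps against 2.1v1 / 2.2v1)."""
    return [e for e in envs if not any(applies(p, e) for p in policies)]

# Constructed sample tenant: one default and two non-default environments.
ENVS = ["Default-contoso", "hr-prod", "dev-sandbox"]
POLICIES = [
    {"name": "default-lockdown", "scope": "only", "environments": ["Default-contoso"],
     "default_group": BLOCKED,
     "groups": {"SharePoint": BUSINESS, "Office 365 Outlook": BUSINESS}},
    {"name": "tenant-wide", "scope": "except", "environments": ["dev-sandbox"],
     "default_group": NON_BUSINESS,
     "groups": {"SharePoint": BUSINESS, "Office 365 Outlook": BUSINESS}},
]

if __name__ == "__main__":
    print("No DLP policy:", uncovered_environments(POLICIES, ENVS))
    for env in ENVS:
        print(env, app_violations(POLICIES, env, ["SharePoint", "Twitter"]))
```

In the sample, `dev-sandbox` is excluded from the only tenant-wide policy, so it reports no violations for any connector mix; that silence is exactly the gap MS.POWERPLATFORM.2.2v1 is meant to close.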

Resources

License Requirements

  • N/A

Security Solutions

3. Power Platform Tenant Isolation

Power Platform tenant isolation is different from Microsoft Entra ID wide tenant restriction. It does not impact Microsoft Entra-based access outside of Power Platform. Power Platform tenant isolation only works for connectors using Microsoft Entra-based authentication, such as Office 365 Outlook or SharePoint. The default configuration in Power Platform has tenant isolation set to Off, allowing for cross-tenant connections to be established. A user from tenant A using a Power App with a connector can seamlessly establish a connection to tenant B if using appropriate Microsoft Entra ID credentials.

If admins want to allow only a select set of tenants to establish connections to or from their tenant, they can turn on tenant isolation. Once tenant isolation is turned on, inbound (connections to the tenant from external tenants) and outbound (connections from the tenant to external tenants) cross-tenant connections are blocked by Power Platform even if the user presents valid credentials to the Microsoft Entra-secured data source.

Policies

MS.POWERPLATFORM.3.1v1 – Power Platform tenant isolation SHALL be enabled.

MS.POWERPLATFORM.3.2v1 – An inbound/outbound connection allowlist SHOULD be configured.

  • Rationale: Depending on agency needs, an allowlist can be configured to allow cross-tenant collaboration via connectors.
  • Last Modified: June 2023
  • Note: The allowlist may be empty if the agency has no need for cross-tenant collaboration.
  • MITRE ATT&CK TTP Mapping:
    • None

Resources

License Requirements

  • N/A

Security Solutions

4. Power Apps Content Security Policy

Content Security Policy (CSP) is an added security layer that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS), clickjacking, and data injection attacks. When enabled, this setting can apply to all current canvas apps and model-driven apps at the Power Platform environment level.

Policies

MS.POWERPLATFORM.4.1v1 – Content Security Policy (CSP) SHALL be enforced for model-driven and canvas Power Apps.

  • Rationale: Adds CSP as a defense mechanism for Power Apps against common website attacks.
  • Last Modified: March 2025
  • Note: This policy is only applicable to environments using Dataverse.
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • N/A

Security Solutions

Power Pages, formerly known as Power Portals, are Power Apps specifically designed to act as external-facing websites. By default, any user in the tenant can create a Power Page. Admins can restrict the creation of new Power Pages to only admins.

Policies

MS.POWERPLATFORM.5.1v1 – The ability to create Power Pages sites SHOULD be restricted to admins.

  • Rationale: Users may unintentionally misconfigure their Power Pages to expose sensitive information or leave the website in a vulnerable state.
  • Last Modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • N/A
