Protect enterprise solutions with new Microsoft Power Platform security features
Many organizations feel the urgency and pressure to protect against increasingly sophisticated attacks. At the same time, these organizations are being propelled into the age of AI with employees that are eager to use AI to build apps and adopt AI-assisted business processes. Chief Information Security Officers (CISOs) and admins want to be confident that their data is secure as their organization harnesses the power of AI.
Microsoft Power Platform’s comprehensive suite of security capabilities helps organizations keep their enterprise data safe while using the platform’s AI capabilities. Power Platform security features build on and augment the foundation provided by Microsoft security products and services, so customers get the deepest protection across the breadth of technologies their organization uses.
This month we are announcing several new security features for Power Platform:
- Admins will now have one place to manage Power Platform security at scale using the new Security Hub in the Power Platform admin center.
- New advanced data exfiltration protection features, including the next generation of network isolation and continuous access evaluation of user access rights.
- Microsoft Sentinel for Power Platform integrates Power Platform apps, workflows, and connections into your organization’s security operations, providing a holistic view in Microsoft Sentinel, the industry-leading security information and event management (SIEM) platform.
To help you understand the full security capabilities of Power Platform, we just published a whitepaper focused on enterprise security. This whitepaper shows you how to align Power Platform with your security practices.
Let’s look at these new security capabilities in more detail and explore how they can help secure your Power Platform deployments.
Achieve the full potential of AI-enabled business applications with enhanced security management in the Security Hub
In today’s fast-paced digital transformation environment and the new era of AI, organizations have a hard time understanding how to unlock the power of business data and the flexibility of Power Platform while continuing to meet ever-evolving security and compliance requirements. Without effective tools for assessing and managing security, administrators may resort to solutions that overly restrict modernization, productivity, and business growth. Security Hub in the Power Platform admin center is designed to solve these challenges and more. Administrators will be able to quickly assess the security posture of the tenant, identify and act on the most impactful recommendations to improve that posture, use the rich set of high-value tools and security capabilities available to gain deep visibility, detect threats effectively, and proactively put policies in place to safeguard against vulnerabilities and risks.
Security Hub is a must-have for any organization looking to achieve its security and compliance goals with minimal effort and resources, while gaining a competitive edge in the market with secure and reliable AI-enabled business application solutions.
Security Hub is currently in private preview; you can express interest in joining the preview here.
Applying Sensitivity Labels with Microsoft Purview Data Map now supports Dataverse
Applying Sensitivity Labels with Purview Data Map enables organizations to identify sensitive data easily and consistently across the data estate, regardless of where it resides or how it is structured. It also reduces the manual effort and human error involved in labeling the data by using predefined rules and policies that match your business and compliance needs.
Using the public preview, you can now register Dataverse in Purview and apply Sensitivity Labels to columns in your tables. Try the new preview feature by following “Connect to and manage Microsoft Dataverse in Microsoft Purview”.
Admin activities now visible in Microsoft Purview
The ability to view Power Platform administrative logs using auditing solutions in Purview has reached general availability. With enhanced auditing capabilities providing insights ranging from environment lifecycle operations to billing activities, you’re able to adhere to compliance requirements and are empowered to act on security threats. To learn more, see the documentation.
Access audit data using Microsoft Azure Synapse Link for Dataverse and Microsoft Power BI
Security professionals can now use their own Synapse workspace to access Dataverse audit data to comply with their auditing requirements. Power BI can also be used to create and monitor auditing events. This feature is now generally available; for more information, review the documentation.
New advanced data exfiltration protection and network isolation
One of the best ways to protect your data is to limit access. Limiting access too broadly, though, can often prevent valid users and trusted sources from accessing data and can slow innovation. Power Platform is introducing new ways to limit access to data while at the same time allowing the right users and apps secure access.
Secure connections from Power Platform to Azure Virtual Network resources
Customers frequently use Power Platform resources together with Microsoft Azure applications and services hosted within their enterprise network. The new virtual network support for Power Platform allows this type of integration to be done over a private network instead of the public network. Customers can maximize their existing Azure networking investment to enable advanced network isolation that securely integrates with low-code resources without exposing any of them over the public internet.
The following are examples of what is possible by enabling virtual network support to a Power Platform environment:
- Use the private outbound connectivity from Dataverse plug-ins to access external data sources within the virtual network. For example, the plug-in could access an API hosted as an Azure application to integrate the logic into the plug-in processing.
- Use private outbound connectivity from Power Platform to access Azure services such as Microsoft Azure SQL, Microsoft Azure Storage, Microsoft Azure Key Vault, and others using Power Platform connectors. For example, a Microsoft Power Automate cloud flow could securely retrieve data from an Azure SQL table that supports another enterprise application.
These examples demonstrate how the Virtual Network integration breaks down the barriers to any Virtual Network resource integrating with any low-code app, automation, or copilot.
Virtual network support is in public preview now and you can review the documentation for details on how to enable it in your environments.
Protect your Dataverse data with a firewall
Many organizations want more control over who is accessing their business data. In public preview now is a new IP firewall feature. The IP firewall helps to protect your organizational data in Dataverse by limiting user access to the data from only allowed IP locations.
The IP firewall analyzes the IP address of each request in real time. For example, suppose the IP firewall is turned on in your production Dataverse environment and allowed IP addresses are in the ranges associated with your office locations and not any external IP location like a coffee shop. If a user tries to access organizational resources from a coffee shop, Dataverse denies access in real time. Learn more about IP firewall and how to enable it in.
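Before turning on an allowlist like the one described above, it helps to dry-run the proposed ranges against recent access records to see who would be denied. The following is an added example, not Microsoft code and not the IP firewall's implementation: the record field names, users, and ranges are constructed (documentation-only address space), and the handling of IPv4-mapped IPv6 addresses is a choice made for this example. It goes beyond the coffee shop case in the text by also covering IPv6 clients and malformed addresses.

```python
import ipaddress
from collections import Counter

# Constructed allowlist: documentation ranges standing in for office egress ranges.
PROPOSED_ALLOWLIST = ["192.0.2.0/24", "198.51.100.16/28", "2001:db8:10::/48"]

# Constructed access records; "user" and "client_ip" are hypothetical field names.
SAMPLE_REQUESTS = [
    {"user": "alice@example.com", "client_ip": "192.0.2.44"},
    {"user": "bob@example.com", "client_ip": "198.51.100.20"},
    {"user": "bob@example.com", "client_ip": "203.0.113.9"},       # off-network
    {"user": "carol@example.com", "client_ip": "2001:db8:10:5::1"},
    {"user": "dave@example.com", "client_ip": "2001:db8:99::7"},   # IPv6, not listed
    {"user": "erin@example.com", "client_ip": "::ffff:192.0.2.8"}, # IPv4-mapped IPv6
    {"user": "frank@example.com", "client_ip": "not-an-ip"},       # malformed
]

def parse_allowlist(cidrs):
    # strict=True rejects entries with host bits set (e.g. 192.0.2.1/24),
    # which usually indicates a typo in the range.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def normalize(ip_text):
    # Assumption of this example: logs may record IPv4 clients as IPv4-mapped
    # IPv6, so compare them against the IPv4 ranges.
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_allowed(ip_text, networks):
    try:
        ip = normalize(ip_text)
    except ValueError:
        return False  # fail closed on anything that is not an IP address
    return any(ip.version == n.version and ip in n for n in networks)

def dry_run(requests, cidrs):
    # Returns the records that would be denied and a per-user count of them.
    networks = parse_allowlist(cidrs)
    denied = [r for r in requests if not is_allowed(r["client_ip"], networks)]
    return denied, Counter(r["user"] for r in denied)

if __name__ == "__main__":
    denied, by_user = dry_run(SAMPLE_REQUESTS, PROPOSED_ALLOWLIST)
    for r in denied:
        print("would be denied:", r["user"], r["client_ip"])
    print(dict(by_user))
```

Users who appear in the denied list from addresses they legitimately use (for example an IPv6 egress range missing from the allowlist) point to ranges to add before enforcement.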
Continuous access evaluation
In today’s modern workplace, a user’s eligibility for business application access can change at any time. Evaluating eligibility for application access only during authentication would not ensure that critical events like a network change are re-evaluated when they occur.
In public preview today, Power Platform now supports continuous access evaluation, a feature of Microsoft Entra ID. Dataverse will initially support this near real-time evaluation, and support for other Power Platform services will follow. Continuous access evaluation continuously evaluates user access to resources based on Microsoft Entra ID signals, such as critical events and changes in user location. User access to resources can be revoked/reauthenticated in near real-time if a critical event occurs, such as IP location change.
You can enable continuous access evaluation to help mitigate insider and data exfiltration threats. For example, it prevents an employee from authenticating while on the corporate network, exporting a valid access token, and then replaying it from an external location. Organizations can also use this to shut down a terminated user’s access and for other scenarios that require immediate response.
To learn more about the continuous access preview feature, review the documentation.
Power Platform Managed Identity support
Power Platform Managed Identity will allow organizations to securely connect to Azure resources that support Managed Identity from Power Platform resources like Dataverse plug-ins, connections, and flows without the need to manage credentials. Additionally, you can enforce conditional access policies on resources within Power Platform. For example, if an organization wants to enforce an Azure policy that allows the use of Power Platform resources only from a particular location and a particular device, the Power Platform resource onboarded on Managed Identity will simply honor it.
We are enabling this experience under private preview starting with Dataverse plug-ins this week, and in the future we will support other experiences on Managed Identity within Power Platform. You can join the private preview program here.
Microsoft Entra ID Privileged Identity Management support
Use Entra ID Privileged Identity Management to assign admin roles and use the Power Platform admin center with the elevated role assignments. For more on this preview feature, review the documentation.
Prevent data exfiltration from Dataverse by controlling app access
Secure Dataverse environments by allowing only approved apps to access them. This prevents data exfiltration: employees cannot use apps like Excel or custom apps to download data from a Dataverse environment. This feature is currently in private preview.
Support for IPv6 starts rolling out
IPv6 is the latest network-layer protocol of the internet, designed to address issues with IPv4, most notably IPv4 address exhaustion. Microsoft will continue to support both IPv4 and IPv6 protocols for Power Platform products and services.
Customers using IPv6 are asked to ensure their network settings are configured correctly, especially firewall rules that allow IPv6 Service Tags. Review “IPv6 support in Microsoft Power Platform and Dynamics 365” for complete details on plans and how to prepare your organization.
Integrating Power Platform into your security operations center
Organizations are turning to tools like Microsoft Sentinel to provide enterprise overwatch in response to the increased complexity of detecting, investigating, and mitigating threats. Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that provides intelligent security analytics for enterprises and gives security operations center (SOC) analysts a single pane of glass for threat detection and incident management across the organization.
Business applications, including low-code solutions, typically don’t expose enough telemetry to SIEM platforms for adequate threat protection. We are announcing the public preview of Microsoft Sentinel for Power Platform, a comprehensive security and monitoring solution that helps you protect and defend your Power Platform environments. With the solution, organizations can detect and respond to the following types of threats and suspicious activities:
- Power Apps execution from unauthorized geographies
- Suspicious data destruction by Power Apps
- Mass deletion of Power Apps
- Phishing attacks made possible through Power Apps
- Power Automate flows activity by departing employees
- Microsoft Power Platform connectors added to the environment
- Update or removal of Microsoft Power Platform data loss prevention policies
Microsoft Sentinel support for all Microsoft Business Applications
We are also opening a private preview of an enhanced solution that extends threat detection and protection with Sentinel to Dynamics 365 and Power BI, in addition to Power Platform. Customers in the private preview will be able to monitor and secure the entire business application portfolio from a single pane of glass, with substantial content updates, including new data connectors, hunting queries, playbooks, workbooks, and many new threat detection scenarios. Sign up now by joining the Security Connection Program (CCP) and selecting “SIEM & XDR” as the product of interest.
Keeping your organization’s apps and data secure is a priority. With the addition of these new features, Power Platform enhances your ability to meet the requirements for your Power Platform solutions and to create a secure and productive workplace for your users.
Learn more about Power Platform security
- Power Platform security whitepaper
- Low-Code Security and Governance
- Virtual network support documentation
- Continuous access documentation
- Admin audit logging documentation
- Access Dataverse audit using Synapse documentation
- Microsoft Entra Privileged Identity Management documentation