I am always learning about the Power Platform, Dynamics 365 and the crossover they have with the Common Data Service (CDS). Whenever I think I have a good handle on it, I realise that I don’t. It has taken me a couple of months to find all the information for this article. I have read blogs, posted on forums and experimented in my own Power Platform and Dynamics 365 environments. However, it wasn’t until I attended a Microsoft PowerApps course that it all came to light. Now, I think, I have all the answers I need to write something intelligent.
This is part one of a series of articles that aim to demystify the sometimes confusing world of PowerApps, Dynamics 365 and CDS environments. Part one focuses on the Default PowerApps environment.
I am going to talk about two categories of environments in this series of articles. I will refer to them as Dynamics 365 instances and PowerApps environments.
A Dynamics 365 instance can be a Production or Sandbox Dynamics 365 organization which has its own database. Find out more here. This article refers to instances that are on version 9.x of Dynamics 365, where the underlying database is the CDS. This is important to note.
A PowerApps environment is essentially a container for PowerApps, Microsoft Flow, a CDS database, gateways and connections. These containers can be used to separate Production, Test and Development environments, for example, but also have other uses and attributes which can be read more about here.
Setting the Scene
I will start this journey by introducing a fake company and a couple of personas. This will enable us to talk about how different user roles within a company interact with the environments.
Dynamics Citizen Developer Inc. is a brand new company and has decided to go with Microsoft cloud offerings for all of their software needs. As part of this they will be implementing Office 365 and Dynamics 365 as their core application set.
Sarah is an IT Manager and is tasked with setting up and managing all of the Microsoft cloud services. She is responsible for making sure that everything operates smoothly on the IT front and has Global Admin rights across their Office 365 tenant.
Luke is a Customer Service Representative and also works for Dynamics Citizen Developer Inc. He’s tech savvy and at his previous company he liked to explore all the apps available to him through his Office 365 and Dynamics 365 licenses so that he could be more effective at his job. He will not be given a PowerApps plan license.
The Default Environment
Office 365 is the platform on which Office 365, the Power Platform and Dynamics 365 resides. Every organisation’s Office 365 platform sits under an Azure AD tenant and only the users within that tenant (usually the organization’s staff) can access the applications.
Sarah provisions Office 365 in their Dynamics Citizen Developer Inc. tenant. Included is a PowerApps environment by default. Unsurprisingly, this is called the “Default” environment. The Default environment is provisioned with PowerApps and Microsoft Flow automatically. This is depicted in the following digram. The diagram which will grow as Sarah and Luke interact with the environments.
When Sarah navigates to PowerApps through the Office 365 portal she sees the default environment already set up. It has her company\tenant name with (default) appended to it.
Default PowerApps environments are very special. I will explain below
Every user can access the Default environment
Every user, within the company’s the tenant, that has a PowerApps license can access the Default environment.
Luke, being tech savvy and explorative, finds this out quickly. Through his Office 365 and Dynamics 365 licenses, which include PowerApps, he is able to execute the following actions in the Default environment:
- Create and edit Canvas PowerApps (see here for the difference between Canvas and Model Driven apps)
- Create and edit data Connections
- Create and edit Microsoft Flows
- Share PowerApps and Microsoft Flows
How does this happen?
Sarah finds out that Luke is able to carry out all of the actions above and she decides to investigate. She’s puzzled because she hasn’t given Luke permissions to any PowerApps environments.
Update – 30 Oct 2018 – The following section is now out of date after a recent release from Microsoft to the Power Platform. Skip to the section following for the latest details.
Sarah opens the PowerApps Admin Center and navigates to the Security section of the Default PowerApps environment. Under the environment roles, she opens the Environment Maker role and notices that a user named Tenant is a member of this role. This means that everyone in the Tenant, including Luke, has Environment Maker role permissions to the Default PowerApps environment. When Sarah tries to remove the Tenant user from the Environment Maker role she is presented with an error and is unable to do so.
Sarah opens the PowerApps Admin Center and navigates to the Security section of the Default PowerApps environment. Clicking through to the Manage User Roles form, Sarah can see that Luke is assigned the Environment Maker role by default.
Things are now starting to make a bit more sense. Sarah knows from the Microsoft documentation that the Environment Maker role is giving Luke the access that he is experiencing.
Sarah removes the Environment Maker role from Luke but unfortunately this does not seem to do what is expected. Luke still has the same access to create PowerApps etc. in the Default environment.
The Environment Maker role can create resources within an environment including apps, connections, custom connectors, gateways, and flows using Microsoft Flow. Environment Makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization
How does Sarah stop the crazy?
With Luke and his colleagues having free reign over this environment things could become unmanageable in a short period of time. Imagine the mess, multiple PowerApps and Microsoft Flows accessing multiple data sources, inside and outside of the tenant. With no governance to restrict what users can do, you can see where data and security quickly become at risk.
There are a number of things Sarah can do.
- Treat the Default environment like a play-pen for employees to create personal apps. It should not be used as a production environment if there is a need for full control. However, let’s make it a safe play-pen by implementing the following…
- Use the Admin and Maker connectors to create PowerApps and Microsoft Flows for monitoring and enforcing the company’s policies. For example, a Sarah may wish to monitor when an employee creates a new PowerApp and shares with other users. Sharing the PowerApp indicates that it is useful to multiple users and would probably be better managed by the IT team in a production environment. Microsoft Flow can detect the new PowerApp, unshare it and notify Sarah so that she can speak to the employee.
- Set up Data loss prevention (DLP) policies to stop organisational data from being shared externally.
- Use the Featured and Hero app setting to ensure the company’s most important apps appear at the top of the users PowerApps list and separates them from the noise of end user created apps.
- Monitor the Quotas area of the Flow Admin Center to see the consumption of Flow runs. If a certain Flow is consuming too many runs, maybe it can be optimised.
- Monitor the Analytics area of the Power Platform Admin Center to see app usage. If there are PowerApps that no-one is using, maybe they can be removed.
Default environments cannot have a CDS database
Default environments can have a CDS database
Before the Microsoft Business Application October 2018 update, Sarah noticed that the Default environment did not have a CDS database. When she tried to create a CDS database she recieved an error.
However, Sarah has been able to create a CDS database in the Default environment since the October 2018 update, so clearly things have changed!
Sarah is now worried. Luke currently has a lot of free range to create and edit PowerApps, Microsoft Flows and Connectors in the Default environment. Now there is a CDS database, does that mean he can start modifying the CDS data model and creating Model Driven apps? Luckily the answer to this is no. There is an extra layer of security at the database level which means that Luke cannot modify the data model or create a Model Driven app unless he is given access.
This article has focused on the Default PowerApps environment which has special characteristics that are not obvious at first glance. Office 365 Administrators need to be very aware of these characteristics and put plans in place to make sure they don’t end up with an unmanagable environment with potential security holes. Microsoft have provided the tools to do this, administrators just need to decide how to apply them.
Other environment types behave differently to the Default environment. Look out for more articles following this one on the other types of PowerApps and Dynamics 365 environments.
If you want to find out more about PowerApps environments, here are some useful links.
Persona Avatars designed by Freepik from Flaticon
Within 2 weeks of writing this article the security configuration for the Default environment changed. I have updated this article, as you will notice above, and I will try to continue to keep updating as things change. Help me out and leave a comment below if you notice that something else has changed.