Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Ensure that authorized users are the only people who can access sensitive data in items across your tenant.
IP firewall
The IP firewall feature in Microsoft Power Platform is a security control that applies only to Managed Environments with Dataverse. It provides a critical layer of security by controlling inbound traffic to Power Platform environments. Administrators can use this feature to define and enforce IP-based access controls. In this way, they can ensure that only authorized IP addresses can access the Power Platform environment. By using IP firewall, organizations can mitigate risks that are associated with unauthorized access and data breaches, and therefore enhance the overall security of their Power Platform deployments. Learn more in IP firewall in Power Platform environments.
Tenant isolation
By using tenant isolation, Power Platform administrators can govern the movement of tenant data from Microsoft Entra-authorized data sources to and from their tenant. Learn more in Cross-tenant inbound and outbound restrictions.
IP address-based cookie binding
The IP address-based cookie binding feature applies only to Managed Environments with Dataverse. It prevents session hijacking exploits in Dataverse through IP address-based cookie binding. Learn more in Safeguarding Dataverse sessions with IP cookie binding.
Environment security groups
Security groups help control which licensed users can access environments. Learn more in Control user access to environments with security groups and licenses.
Manage sharing
The manage sharing feature applies only to Managed Environments. By using sharing, administrators can control what their makers can share, and which other individual users and security groups they can share it with. (Examples of things that might be shared include canvas apps, cloud flows, and agents.) This feature ensures that sensitive information is available only to authorized users. Therefore, it reduces the risk of data breaches and misuse. Learn more in Limit sharing.
App access control (preview)
The app access control feature applies only to Managed Environments. It prevents data exfiltration by controlling which apps are allowed and blocked in each environment. Learn more in Control which apps are allowed in your environment.
Guest access (preview)
[This section is prerelease documentation and is subject to change.]
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
To ensure data security and compliance in the Power Platform ecosystem, it's crucial that you minimize the risk of oversharing. Therefore, all new Dataverse-backed environments prohibit guest access by default. However, you can allow guest access for an environment if your business use case requires it. You can also retroactively turn off (restrict) guest access for existing environments. In this case, you block connections to resources that guests previously had access to.
Configure guest access
- Sign in to the Power Platform admin center as a system administrator.
- In the navigation pane, select Security.
- In the Security section, select Identity and access.
- In the Identity and access section, select Guest access.
- In the Guest access pane, select the environment for which you want to turn off guest access.
- Select Configure guest access.
- Turn on the Turn off guest access option.
- Select Save. The Guest access pane reappears.
- Repeat steps 5 through 8 for other environments as required.
- When you finish, close the Guest access pane.
Improve your security score and act on recommendations
Restriction of guest access is a key way to improve your tenant's security posture. You can also take direct action by selecting the Restrict guest user access recommendation on the main Security page or in the actions page in the Power Platform admin center. After you configure guest access restrictions, your tenant's security score improves, based on the number of environments that are configured.
Latency considerations
The time that is required to effectively block guest access varies, depending on the volume of environments and resources in those environments. In the most extreme cases, the latency for full enforcement is 24 hours.
Known limitations
Guest access is a preview feature. More enhancements are planned. It has the following known limitations, among others:
- By blocking guest access, you prevent any guest from saving and using resources. However, a guest might not be prevented from accessing the Power Apps maker portal.
- Items that are made in Copilot Studio might use graph connectors as knowledge sources from outside Microsoft Power Platform. Currently, the information in them might be accessible to guests, even if guest access is blocked.
Administrator privileges (preview)
[This section is prerelease documentation and is subject to change.]
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
The administrator privileges feature applies only to Managed Environments. By limiting the number of users who have high-privileged, administrative roles in Microsoft Entra ID and Microsoft Power Platform, you can improve the security score of your tenant. You can use this feature to review users who have those privileged roles, review the user list, and remove users who should no longer have privileged access. Learn more in Overview of the Power Platform admin center.
Users with administrative privileges
The Administrative privileges pane provides a proactive recommendation if many users in your tenant have administrative privileges. You can open the recommendation to view a list of environments where many users have the System administrator security role. (Currently, the list shows environments where more than 20 users have that role.) For any environment in the list, select the link in the System administrators column to open the Security roles page. There, you can select the System administrator security role and then select Membership to open the Membership page. This page shows a list of users who have the role assignment. You can select users to remove from the role, one user at a time.
Note
Only users who are assigned to the Global administrator role can remove other users from the Global administrator role.
Known issues
Be aware of the following known issues with the feature:
- The Membership page for the security role shows only the security roles in the default business unit. To view all security roles across all business units, turn off the Display only parent security roles option.
- After you remove a user from the System administrator role, it takes about 24 hours for the page to show the updated administrator count.
Authentication for agents (preview)
[This section is prerelease documentation and is subject to change.]
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
This feature allows administrators to configure authentication for all agent interactions in the environment. Admins can select one of the following options:
- Authenticate with Microsoft or Authenticate Manually allows you to force authentication through Microsoft Entra ID or authenticate manually. This helps prevent makers from creating or using agents with no authentication.
- No authentication allows anonymous access.
For information about the authentication options in Copilot Studio, go to Configure user authentication in Copilot Studio.
The Authenitcation for agents feature is a modernized framework of the existing virtual connector, Chat without Microsoft Entra ID. It helps you scale through environment-level configurations and rules. If you're using both the virtual connector and the Authentication for agents setting in the Security area of the Power Platform admin center, then access must be allowed in both places for it to be allowed at runtime. If you block anonymous access in either one of the places, then at runtime the most restrictive behavior is enforced and it will be blocked. For example, consider the information in the following table.
| Access in the virtual connector | Access in the Authentication for agents settings in Power Platform admin center | Runtime enforeement |
|---|---|---|
| Blocked | Blocked | Blocked |
| Allowed | Blocked | Blocked |
| Blocked | Allowed | Blocked |
| Allowed | Allowed | Allowed |
We recommend that all customers move towards using the Authentication for agents setting in the Power Platform admin center to leverage the capability of groups and rules.
Agent access points (preview)
[This section is prerelease documentation and is subject to change.]
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
This feature gives administrators control over where agents can be published, allowing customer engagement across multiple platforms. Admins can select multiple available channels, such as Microsoft Teams, Direct Line, Facebook, Dynamics 365 for Customer Service, SharePoint, and WhatsApp.
The Agent access points feature is a modernized framework of the existing virtual connectors. It helps you scale through environment-level configurations and rules. If you're using both virtual connectors and the Agent access points settings in the Security area of the Power Platform admin center, then access must be allowed in both places for it to be allowed at runtime. If you block channel access in either one of the places, then at runtime the most restrictive behavior is enforced and it will be blocked. For example, consider the information in the following table.
| Access in the virtual connector | Access in the Agent access points settings in Power Platform admin center | Runtime enforeement |
|---|---|---|
| Blocked | Blocked | Blocked |
| Allowed | Blocked | Blocked |
| Blocked | Allowed | Blocked |
| Allowed | Allowed | Allowed |
We recommend that all customers move towards using the Agent access points settings in the Power Platform admin center to leverage the capability of groups and rules.