1. Environment Strategy

  • The Default Environment: Every tenant has one. It cannot be deleted or disabled. Every user with a license is an Environment Maker.
    • Best Practice: Rename it (e.g., “[Company Name] - Personal Productivity”) and set the expectation that this is for personal non-critical apps.
    • Shared Environment, Private Items: Everyone has “entry” to the environment and permission to create their own resources; however, for other standard users to see an item, its owner must explicitly share it with them.
  • Dedicated Environments (Prod/Dev/Test): Create dedicated environments for departmental or enterprise-grade solutions.
    • Managed Environments: Provide extra governance features (e.g., sharing limits, usage insights, data policies), but require every user accessing an app in that environment to hold a Premium license.
  • Dataverse: The underlying database. Environments can be created with or without a Dataverse database. Enterprise apps usually require Dataverse for relational data storage and granular security roles.

2. Power Platform Data Loss Prevention (DLP)

  • Connector Categorization: Connectors are grouped into three buckets within a DLP policy:
    1. Business: Data can be shared between these connectors (e.g., SharePoint, Outlook, Dataverse).
    2. Non-Business (General): Data can be shared between these, but not with connectors in the Business bucket.
    3. Blocked: Connectors that are entirely disabled for use (e.g., Twitter, Facebook, personal Dropbox).
  • Policy Scoping: Policies can be applied to “All Environments,” “Multiple Environments,” or “Exclude Specific Environments.”
    • Strategy: Apply a highly restrictive “Tenant-Wide” policy and create less restrictive policies for specific, sanctioned “Project” environments.

3. Licensing & Capacity

  • Standard vs. Premium:
    • Standard: Included with M365 E3/E5. Covers basic connectors (SharePoint, OneDrive, Excel, Outlook).
    • Premium: Required for “Premium” connectors (SQL, HTTP, Azure DevOps), On-premises Gateways, and Dataverse.
  • License Types:
    • Per User: User can run unlimited apps.
    • Per App: User can run one specific app in one environment (assigned to the environment’s capacity).
  • Capacity: Power Platform storage is shared across the tenant and split into Database (Dataverse tables), File (attachments/images), and Log (audit trails).

4. The Center of Excellence (CoE) Starter Kit

  • Purpose: A Microsoft-provided collection of components (Power Apps, Flows, and Power BI) designed to help admins move beyond reactive management.
  • Inventory: Automatically crawls the tenant to identify every App and Flow, who created them, and how often they are used.
  • Compliance Flow: Can automatically email the makers of “orphaned” apps (where the owner has left the company) or of apps that violate naming conventions, asking them to provide a business justification; if none is provided, the app is deleted.

5. On-Premises Data Gateways

  • Function: Allows Power Apps and Power Automate to securely access data residing on-premises (e.g., SQL Server, File Shares, SAP).
  • Management: Gateways are installed on an on-premises server. Admins must manage the “Gateway Cluster” to ensure high availability.
  • Security: Users must have their own credentials to the data source; the gateway does not bypass the underlying data source’s permissions.

6. Essential PowerShell Cmdlets (Microsoft.PowerApps.Administration.PowerShell)

  • Connection: Add-PowerAppsAccount
  • Environment Discovery:
    • Get-AdminPowerAppEnvironment (Lists all environments)
    • Get-AdminPowerApp -EnvironmentName <ID> (Lists all apps in a specific environment)
  • DLP Management:
    • Get-AdminDlpPolicy
  • Ownership Reassignment:
    • Set-AdminPowerAppOwner -AppName <AppID> -EnvironmentName <EnvID> -AppOwner <NewOwnerObjectID> (Critical for offboarding/orphaned apps; -AppOwner takes the new owner’s Entra object ID rather than a UPN)
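The orphaned-app reassignment from sections 4 and 6 combined into one script, as an added example (not from these notes or from Microsoft). It assumes the admin module is installed, the caller is a Power Platform administrator, $DepartedUpns comes from an HR offboarding export (constructed sample value), $NewOwnerObjectId is a placeholder for the custodian account’s Entra object ID, and that Get-AdminPowerApp output exposes the owner as Owner.email.

```powershell
# Added example: find apps owned by departed users and hand them to a custodian account.
# Assumptions: Microsoft.PowerApps.Administration.PowerShell is installed and the caller
# is a Power Platform admin; $DepartedUpns is an HR offboarding list (constructed sample);
# $NewOwnerObjectId is a placeholder Entra object ID; app objects expose Owner.email.
param(
    [string[]] $DepartedUpns     = @('former.employee@contoso.example'),   # constructed sample
    [string]   $NewOwnerObjectId = '00000000-0000-0000-0000-000000000000', # placeholder
    [switch]   $DryRun                                                     # report only, change nothing
)

Add-PowerAppsAccount   # interactive sign-in as a Power Platform administrator

$departed = $DepartedUpns | ForEach-Object { $_.ToLowerInvariant() }
$report   = @()

foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {
        # Assumption: Owner.email carries the maker's UPN; compare case-insensitively.
        $ownerMail = ("$($app.Owner.email)").ToLowerInvariant()
        if ($departed -notcontains $ownerMail) { continue }

        $report += [pscustomobject]@{
            Environment = $env.DisplayName
            App         = $app.DisplayName
            AppName     = $app.AppName
            OldOwner    = $ownerMail
        }

        # Reassign only when not in dry-run mode; ownership changes are not undone by this script.
        if (-not $DryRun) {
            Set-AdminPowerAppOwner -AppName $app.AppName `
                                   -EnvironmentName $env.EnvironmentName `
                                   -AppOwner $NewOwnerObjectId
        }
    }
}

# Evidence of what was (or would be) reassigned, for the offboarding ticket.
$report | Format-Table -AutoSize
```

Run it once with -DryRun to review the list against the offboarding ticket before letting it change ownership.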