1. Power Platform Hierarchy & Architecture

The Power Platform is structured to allow for granular governance and scale across an enterprise tenant.

  • Tenant: The top-level boundary, tied to a single Entra ID tenant.
  • Environments: The primary containers used to store, manage, and share business data, apps, and flows.
  • Solutions: The mechanism for implementing Application Lifecycle Management (ALM); used to package and transport components across environments.
  • Items/Components: The actual tools built by makers, including Power Apps, Power Automate flows, Copilot Studio bots, and Power Pages.
  • Dataverse: The underlying cloud-scale database and security layer that can be provisioned within an environment.
  • Connectors: The bridges that allow apps and flows to interact with data sources (e.g., SharePoint, SQL, or 3rd-party APIs).

2. Environment Strategy

  • The Default Environment: Every tenant has one, which cannot be deleted or disabled. Every user with a license is automatically an Environment Maker here.
    • Best Practice: This environment should be renamed (e.g., “[Company Name] - Personal Productivity”) to signal its use for non-critical, personal apps.
    • Permissions: While everyone can create items, they remain private until explicitly shared with other users.
  • Dedicated Environments (Prod/Dev/Test): These should be created for departmental or enterprise-grade solutions to maintain strict separation.
    • Managed Environments: Provide enhanced governance features, such as sharing limits and usage insights. Note that every user accessing an app in a Managed Environment must have a Premium license.
  • Dataverse Integration: Environments can be provisioned with or without a Dataverse database. Enterprise-grade apps typically require Dataverse for relational data storage and granular security roles.
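Added example (not from the original notes): a PowerShell audit of the Default environment that applies the two points above, renaming it to the personal-productivity name and listing apps that a maker has shared with everyone in the tenant, since a tenant-wide share turns a "personal" app into an unmanaged production dependency. It assumes the Microsoft.PowerApps.Administration.PowerShell module and a Power Platform administrator account; the output property names used (IsDefault, DisplayName, EnvironmentName, AppName, Owner.email, PrincipalType, RoleType) and the Set-AdminPowerAppEnvironmentDisplayName cmdlet are assumed from the module as this example's author knows it, so confirm them with Get-Member before relying on the report. "Contoso" is a placeholder.

```powershell
# Added example: audit the Default environment (rename + find tenant-wide shares).
# Assumes Microsoft.PowerApps.Administration.PowerShell and a Power Platform admin.
# Property and cmdlet names are assumed; verify with Get-Member in your tenant.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount

# 1. Locate the tenant's single Default environment (it cannot be deleted, only renamed).
$default = Get-AdminPowerAppEnvironment | Where-Object { $_.IsDefault -eq $true }
if (-not $default) { throw 'No Default environment returned; check your admin role.' }

# 2. Rename it so makers see that it is for personal, non-critical apps.
$companyName = 'Contoso'                              # placeholder
$targetName  = "$companyName - Personal Productivity"
if ($default.DisplayName -ne $targetName) {
    Set-AdminPowerAppEnvironmentDisplayName -EnvironmentName $default.EnvironmentName `
                                             -NewDisplayName $targetName
}

# 3. Apps here are private until shared. Flag the ones shared with the whole tenant,
#    because those are the "personal" apps the rest of the company now depends on.
function Get-TenantSharedApps {
    param([string]$EnvironmentName)
    foreach ($app in Get-AdminPowerApp -EnvironmentName $EnvironmentName) {
        $assignments = Get-AdminPowerAppRoleAssignment -AppName $app.AppName `
                                                        -EnvironmentName $EnvironmentName
        # PrincipalType 'Tenant' = shared with "Everyone" in the organisation (assumed value).
        $everyone = @($assignments | Where-Object { $_.PrincipalType -eq 'Tenant' })
        if ($everyone.Count -gt 0) {
            [pscustomobject]@{
                App          = $app.DisplayName
                AppName      = $app.AppName
                Owner        = $app.Owner.email
                SharedAs     = ($everyone.RoleType | Sort-Object -Unique) -join ','
                LastModified = $app.LastModifiedTime
            }
        }
    }
}

$shared = @(Get-TenantSharedApps -EnvironmentName $default.EnvironmentName)
"{0} app(s) in '{1}' are shared with the whole tenant." -f $shared.Count, $targetName
$shared | Sort-Object LastModified -Descending | Format-Table -AutoSize
```

Run it read-only first by commenting out the rename; the tenant-shared list is the input for a follow-up conversation with each owner about moving the app into a dedicated environment and a solution.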

3. Power Platform Data Loss Prevention (DLP)

  • Connector Categorization: Connectors within a DLP policy are grouped into three distinct buckets:
    1. Business: Data can be shared freely between connectors in this bucket (e.g., SharePoint and Outlook).
    2. Non-Business (General): Data can flow between connectors in this bucket, but not to or from connectors in the Business bucket.
    3. Blocked: These connectors are entirely disabled for use within the scoped environments (e.g., social media or personal storage).
  • Policy Scoping: Policies can be applied to “All Environments,” “Multiple Environments,” or used to “Exclude Specific Environments”.
    • Strategy: It is recommended to apply a highly restrictive “Tenant-Wide” policy and create more permissive policies for specifically sanctioned “Project” environments.
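Added example (not from the original notes): a PowerShell report of every DLP policy's three buckets plus the scoping check that bites most often. DLP policies are cumulative, so a permissive "project" policy only has an effect if the restrictive tenant-wide policy actually excludes that environment; where both apply, the stricter classification wins and the project policy is dead weight. It assumes the Microsoft.PowerApps.Administration.PowerShell module and a Power Platform administrator account; the property names read from the Get-DlpPolicy output (displayName, environmentType, environments[].name, connectorGroups[].classification, connectorGroups[].connectors[].name) and the environmentType values AllEnvironments / OnlyEnvironments / ExceptEnvironments are assumed from the module as this example's author knows it, so confirm them with Get-Member.

```powershell
# Added example: DLP bucket report and tenant-wide vs project scoping check.
# Assumes Microsoft.PowerApps.Administration.PowerShell and a Power Platform admin.
# Property names and enum values on Get-DlpPolicy output are assumed; verify with Get-Member.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount

$policies = @(Get-DlpPolicy)

# One row per policy / bucket / connector. The API's classification names map to the
# buckets in the notes: Confidential = Business, General = Non-Business, Blocked = Blocked.
$bucketLabel = @{ Confidential = 'Business'; General = 'Non-Business'; Blocked = 'Blocked' }
$report = foreach ($p in $policies) {
    foreach ($g in $p.connectorGroups) {
        foreach ($c in $g.connectors) {
            [pscustomobject]@{
                Policy    = $p.displayName
                Scope     = $p.environmentType
                Bucket    = $bucketLabel[$g.classification]
                Connector = $c.name
            }
        }
    }
}
$report | Sort-Object Policy, Bucket, Connector | Format-Table -AutoSize

# Scoping check: a project environment named in an OnlyEnvironments policy must be
# excluded from every tenant-wide policy, otherwise the tenant-wide (stricter) rule
# still applies there and the project policy changes nothing.
function Get-IneffectiveProjectScopes {
    param([object[]]$Policies)
    $tenantWide = $Policies | Where-Object { $_.environmentType -in 'AllEnvironments','ExceptEnvironments' }
    $project    = $Policies | Where-Object { $_.environmentType -eq 'OnlyEnvironments' }

    foreach ($tp in $tenantWide) {
        # For ExceptEnvironments, environments[] lists the excluded ones (assumed semantics).
        $excluded = @($tp.environments | ForEach-Object { $_.name })
        foreach ($pp in $project) {
            foreach ($env in $pp.environments) {
                $stillCovered = ($tp.environmentType -eq 'AllEnvironments') -or
                                ($env.name -notin $excluded)
                if ($stillCovered) {
                    [pscustomobject]@{
                        Environment      = $env.name
                        ProjectPolicy    = $pp.displayName
                        TenantWidePolicy = $tp.displayName
                        TenantWideScope  = $tp.environmentType
                    }
                }
            }
        }
    }
}

$findings = @(Get-IneffectiveProjectScopes -Policies $policies)
foreach ($f in $findings) {
    Write-Warning ("Environment {0}: project policy '{1}' is overridden by tenant-wide policy '{2}' ({3}); exclude the environment from the tenant-wide policy or the stricter rule wins." -f
        $f.Environment, $f.ProjectPolicy, $f.TenantWidePolicy, $f.TenantWideScope)
}
```

The report is also a convenient before/after artefact to attach to a change record when a connector is moved between buckets.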

4. Licensing & Capacity

  • Standard vs. Premium:
    • Standard: Included with M365 E3/E5 licenses, covering basic connectors like SharePoint, OneDrive, and Outlook.
    • Premium: Required for “Premium” connectors (e.g., SQL, HTTP), On-premises Gateways, and any use of Dataverse.
  • License Types:
    • Per User: Allows a single user to run unlimited apps.
    • Per App: Allows a single user to run one specific app in one specific environment.
  • Capacity Management: Power Platform storage is shared across the tenant and categorized into Database (Dataverse tables), File (attachments), and Log (audit trails).

5. The Center of Excellence (CoE) Starter Kit

  • Purpose: A collection of Microsoft-provided components designed to move administration from reactive to proactive management.
  • Inventory: The kit automatically crawls the tenant to identify every App and Flow, their creators, and usage frequency.
  • Compliance Flow: This can automate governance by emailing makers of “orphaned” apps (where the owner has left) to request business justification or mark them for deletion.

6. On-Premises Data Gateways

  • Function: Enables Power Apps and Power Automate to securely access data residing on-premises, such as SQL Server or local File Shares.
  • Management: Gateways are installed on local servers and managed in “Gateway Clusters” to ensure high availability.
  • Security: The gateway does not bypass underlying permissions; users must still have valid credentials for the data source itself.

7. Essential PowerShell Cmdlets (Microsoft.PowerApps.Administration.PowerShell)

  • Connection: Add-PowerAppsAccount
  • Environment Discovery:
    • Get-AdminPowerAppEnvironment: Lists all environments.
    • Get-AdminPowerApp -EnvironmentName <ID>: Lists all apps in a specific environment.
  • DLP Management:
    • Get-AdminDlpPolicy
  • Ownership Reassignment:
    • Set-AdminPowerAppOwner -AppName <AppName> -EnvironmentName <EnvID> -AppOwner <NewOwnerObjectId>: Critical for managing orphaned apps during offboarding. The cmdlet takes the app's internal name (the AppName property from Get-AdminPowerApp) and the Entra ID object ID of the new owner.
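Added example (not from the original notes and not part of the CoE Starter Kit): a PowerShell sweep that strings the cmdlets in this section together to do what section 5's compliance flow does for orphaned apps, enumerate every environment, find apps whose owner is no longer an active user, and reassign them to a designated fallback account in a dry-run-first loop. It assumes the Microsoft.PowerApps.Administration.PowerShell module and a Power Platform administrator account; the Owner.email and LastModifiedTime properties on Get-AdminPowerApp output are assumed from the module as this example's author knows it. The $activeUsers list is a constructed stand-in for an HR or Entra ID export, and $fallbackOwnerId is a placeholder object ID.

```powershell
# Added example: find orphaned apps across all environments and reassign ownership.
# Assumes Microsoft.PowerApps.Administration.PowerShell and a Power Platform admin.
# Owner.email / LastModifiedTime are assumed property names; verify with Get-Member.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount

# Constructed sample of current staff. In practice feed this from Entra ID or HR,
# e.g. an export of enabled accounts, so that offboarded users drop out automatically.
$activeUsers = @('alice@contoso.example', 'bob@contoso.example')

# Placeholder: object ID of the service or team account that inherits orphaned apps.
$fallbackOwnerId = '00000000-0000-0000-0000-000000000000'

function Get-OrphanedApps {
    param([string[]]$ActiveUsers)
    foreach ($env in Get-AdminPowerAppEnvironment) {
        foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {
            $ownerMail = $app.Owner.email
            # No owner mail at all (deleted account) or an owner not in the active list.
            if (-not $ownerMail -or ($ownerMail -notin $ActiveUsers)) {
                [pscustomobject]@{
                    Environment  = $env.DisplayName
                    EnvId        = $env.EnvironmentName
                    App          = $app.DisplayName
                    AppName      = $app.AppName
                    Owner        = $ownerMail
                    LastModified = $app.LastModifiedTime
                }
            }
        }
    }
}

$orphans = @(Get-OrphanedApps -ActiveUsers $activeUsers)
"{0} orphaned app(s) found." -f $orphans.Count
$orphans | Sort-Object Environment, App | Format-Table -AutoSize

# Dry run by default: review the list (and ask the business for a justification, as the
# CoE compliance flow does) before flipping $dryRun to $false.
$dryRun = $true
foreach ($o in $orphans) {
    if ($dryRun) {
        "Would reassign '{0}' in '{1}' from '{2}' to {3}" -f $o.App, $o.Environment, $o.Owner, $fallbackOwnerId
    } else {
        Set-AdminPowerAppOwner -AppName $o.AppName -EnvironmentName $o.EnvId -AppOwner $fallbackOwnerId
    }
}
```

Keep the dry-run output with the offboarding ticket; it records which apps changed hands and why, which is the evidence an auditor asks for later.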