Power Platform Fact Check

November 21, 2022

Tenant Admins can be restricted from viewing Dataverse data

Neither Power Platform Admins nor Tenant Admins can be restricted from accessing data in Dataverse environments:

https://learn.microsoft.com/en-us/power-platform/admin/use-service-admin-role-manage-tenant

Dynamics 365 administrators can be restricted, though, as long as they have not been added to an Azure AD group that’s been assigned to a given environment.

You need a separate test account to test Dataverse security

You definitely need an account, but you don’t necessarily need a separate test account. Instead, you can use the “Promote to Admin” feature to promote your own account back to system admin once you have demoted it to a “regular” user:

https://www.itaintboring.com/dynamics-crm/promote-to-admin-and-check-access-two-buttons-we-can-use-to-investigate-access-issues/

There is a caveat, though. As mentioned above, a Tenant Admin / Power Platform Admin / Dynamics 365 Admin will always have system admin permissions. Technically, if you try removing the system admin Dataverse role from an account that’s been assigned one of those admin roles in Azure, that account seems to lose its ability to access the Dataverse environment properly for a very short period of time, and then its permissions get restored.

Whether you can use this option or not seems to depend on whether your Power Platform/Dynamics 365 admin roles are permanent. If you are supposed to use Azure Privileged Identity Management to activate those roles (https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure), then, while the roles are not activated, you should be able to test Dataverse permissions this way.
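Before demoting your own account, it helps to know whether one of the overriding directory roles is currently in effect for it, since an active role will quietly restore system admin rights and invalidate the test. The script below is an added example (not from the original post) that lists the directory roles currently active for the signed-in account using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the account is allowed to read directory role assignments, and that the role display names match the English names used in Azure AD; the `$OverridingRoles` list and the output shape are the author's own choices for this example.

```powershell
# Added example, not code from the original post.
# Lists the Azure AD directory roles that are active right now for the
# signed-in account, so you know whether the "demote yourself, test,
# promote back" approach will give meaningful results.
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account can
# read directory role assignments (RoleManagement.Read.Directory).

# Directory roles that always map to Dataverse system admin (names as
# displayed in Azure AD; adjust if your tenant localises them).
$OverridingRoles = @(
    'Global Administrator',
    'Power Platform Administrator',
    'Dynamics 365 Administrator'
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read' | Out-Null

# The account being tested: the signed-in user.
$me     = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me'
$userId = $me.id

# Schedule *instances* are the assignments in effect at this moment:
# permanent assignments (AssignmentType 'Assigned') and PIM roles the
# user has activated ('Activated'). Eligible-but-not-activated PIM roles
# do not appear here, which is exactly the state in which the
# demote-and-test approach works.
# Note: this filter only returns roles assigned directly to the user.
# Roles inherited through Azure AD group membership (the Dynamics 365
# Admin caveat above) must be checked on the group separately.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$userId'" -All

$hits = foreach ($inst in $active) {
    # Resolve the role definition id to its display name.
    $def = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $inst.RoleDefinitionId
    if ($OverridingRoles -contains $def.DisplayName) {
        [pscustomobject]@{
            Role           = $def.DisplayName
            AssignmentType = $inst.AssignmentType   # 'Assigned' (permanent) or 'Activated' (PIM)
            Ends           = $inst.EndDateTime      # $null for permanent assignments
        }
    }
}

if ($hits) {
    Write-Warning 'Overriding admin role(s) active: demoting this account in Dataverse will not stick.'
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No overriding admin role active: Dataverse security roles can be tested on this account.'
    Write-Host 'Next: remove the System Administrator role in Dataverse, test, then use "Promote to Admin" to restore it.'
}
```

If the script reports an activated PIM role, wait for it to expire (or deactivate it) and run the check again before removing your Dataverse system admin role; a permanent assignment means you really do need a separate test account.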

Managed Environments restrict Application Sharing

In Managed Environments, it’s now possible to restrict sharing (https://learn.microsoft.com/en-us/power-platform/admin/managed-environment-sharing-limits). That’s a great feature to ensure that an app does not go out to the whole organization before it gets tested, validated, and approved. However, it only works for Canvas Apps. Model-Driven applications are not covered (yet?).

Only environment owners/creators have access to their individual Development Environments

Development environments do have limitations; however, applications in those environments can still be shared with the team members:

https://learn.microsoft.com/en-us/power-apps/maker/developer-plan

Would it be possible to have a production application in the development environment? Technically, yes. There are some other limits which may affect application behavior in the dev environment (2 GB of Dataverse storage and 750 flow calls per month), but, other than that, it’s a fully-functional environment.

That said, it would be hard for the users not to notice that an app running in that environment is not meant for production (the screenshot below is from the same link above):
