PL 400: Design authentication and authorization strategy (Part 2)

This article is a continuation of Part 1 (Design Authentication and Authorization Strategy). All information and images are collected from Microsoft documentation or the community. This is part of my PL 400 preparation.

Let's talk about the first layer of security. That is Azure AD Conditional Access. I already discussed about Azure AD in the previous section. As is well known that Azure Active Directory works as pillar of Authentication security, but it doesn't mean to prevent actual users of platform.

Azure AD Conditional Access :

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. 

Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever
  • Protect the organization's assets

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user's way when not needed.


Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Environment Roles:

An environment is a separate place to store, manage, and share your organization's business data, apps, and flows. Multiple environments can be created and each of them acts as a container to isolate apps with different roles, security requirements, or target audiences.

Each environment is linked to a tenant and can only be accessed by users of that tenant. It can also be linked to a geographic location and has zero or one Common Data Service.


Roles in Power Platform

In Power Platform and environments, different roles can be assigned:

Power Platform

Power Platform service administrator (environment owner)

At the environmental level

Environment end user : Can access assets like apps and flows shared with them, but can't create assets themselves

Environmental Maker:  Create resources in the environment, including apps, connections, custom connectors, gateways, and flows. He/ She Can also distribute apps created by them to other users

Environment Administrator : All administrative actions on the environment.

Who can Manage Environments?

Environment management is based on roles.

- Global admin/ Dynamics 365 service admin can manage any environment in the tenant.

- Licensed users need to have Environment administrator role to manage the environment.

No additional Power Apps / Power Automate plan license is required to manage environments.

Resources Permission for Apps, flows, custom connectors:

Environments are the containers for all resources used by a Power Apps, Power Automate and Dataverse. A user's level of access within the environment and to the resources (apps and data) in the environment is determined by the privileges defined in the security roles assigned to that user. Their access mode being Administrative or Read-Write also determines their level of access within an environment. Access to Power Apps and Power Automate starts with having a license. The type of license a user has determines the assets and data a user can access. The following table outlines differences in resources available to a user based on their plan type, from a high level. Granular licensing details can be found in the Licensing overview. After users have licenses, environments exist as containers for all resources used by Power Apps, Power Automate and Dataverse. Environments can be used to target different audiences and/or for different purposes such as developing, testing and production. 


CDS/Dataverse  Security Roles :

Security roles can be used to configure environment-wide access to all resources in the environment, or to configure access to specific apps and data in the environment. Security roles control a user's access to an environment's resources through a set of access levels and permissions.

Access a Dataverse environment, a user must meet the following criteria:
  • Be enabled for sign-in in Azure Active Directory (Azure AD).
  • Have a valid license that has a Dynamics 365 or Microsoft Power Platform recognized service plan, or the environment must have active per-app plans.
  • Be a member of the environment's Azure AD group (if one has been associated with the environment).
  • Have at least one Dataverse security role assigned directly to them or to a group team they're a member of.

Cross-tenant inbound & outbound restriction to the 300 + connectors to Cloud services, content services, DBs, APIs etc. :

With tenant restrictions, organizations can control access to SaaS cloud applications, based on the Azure AD tenant the applications use for single sign-on. With tenant restrictions, organizations can specify the list of tenants that their users are permitted to access. Azure AD then only grants access to these permitted tenants using Azure AD-based tenant restriction. Additionally, if organizations want to enforce tenant isolation for Microsoft Power Platform connections, then they can use Power Platform’s tenant isolation capability. Note that the Power Platform tenant isolation feature does not impact Azure AD-based access outside of Power Apps and Power Automate. Power Platform tenant isolation only works for connectors using Azure AD-based authentication such as Office 365 Outlook or SharePoint. If you want to block connectors that use external identity providers such as Microsoft account, Google, etc., you can create a data loss prevention policy and classify the connector under the Blocked group.

Power Platform tenant isolation ability is available with two options: one-way or two-way restriction.

Comments

Post a Comment

Popular posts from this blog

Powering Up Your Analytics: Exploring Power Query in Power BI

Image
Data is a valuable asset that has a profound impact on almost every aspect of modern life. Its proper collection, analysis and application can promote innovation, improve efficiency and solve complex challenges in various sectors. In data processing, ETL is a comprehensive process that includes data extraction, transformation, and loading, while Power Query is a specific tool that facilitates the "extract" and "transformation" aspects of ETL, allowing data to be collected and analyzed. Permission is granted to process. And reporting. is ready. It becomes easy to do this. Microsoft's ecosystem of products. Power Query is a data transformation and data preparation engine. Power Query is available in Microsoft Excel and Power BI. Power Query provides a user-friendly and intuitive interface for data professionals and analysts to access and manipulate data from various sources without the need for extensive coding or scripting. It allows users to connect to a wide ra
Read more

Power App Component Overview : Canvas App vs Model-Driven App

Image
The Power Platform is a suite of low-code/No-code tools and technologies developed by Microsoft and Power App is integral component of Power Platform. Power App is platform that enables users to build custom web and mobile applications with a visual interface and minimal coding. The platform support various data sources, including Microsoft 365, Azure Service, and many other, enabling users to integrate and interact with their existing data and systems. In Microsoft's Power Apps, there are two main types of apps that we can create: Canvas Apps: Canvas apps provide a blank canvas where you can design highly customizable applications with a drag-and-drop interface.  Model-Driven Apps: Model-driven apps are built on top of the Dataverse, which provides a set of pre-built data entities and business logic. There are few key technical difference between Canvas App and Model Driven App: During the usability analysis, these high-level technical differences need to be considered. The choi
Read more

Exam PL-400: Microsoft Power Platform Developer

 Create a technical design (10-15%) Validate requirements and design technical architecture design and validate the technical architecture for a solution design authentication and authorization strategy determine whether you can meet requirements with out-of-the-box functionality determine when to use Logic Apps versus Power Automate flows determine when to use serverless computing, plug-ins, or Power Automate determine when to build a virtual entity data source provider and when to use connectors Design solution components design a data model design Power Apps reusable components design custom connectors design server-side components Describe Microsoft Power Platform extensibility points describe Power Virtual Agents extensibility points including Bot Framework skills and Power Automate flows describe Power BI extensibility points including Power BI APIs, custom visuals, and embedding Power BI apps in websites and other applications describe Power Apps portal extensibility points incl
Read more