PL 400: Design authentication and authorization strategy (Part 2)
This article is a continuation of Part 1 (Design Authentication and Authorization Strategy). All information and images are collected from Microsoft documentation or the community. This is part of my PL 400 preparation.
Let's talk about the first layer of security. That is Azure AD Conditional Access. I already discussed about Azure AD in the previous section. As is well known that Azure Active Directory works as pillar of Authentication security, but it doesn't mean to prevent actual users of platform.
Azure AD Conditional Access :
Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action.
Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.
Administrators are faced with two primary goals:
- Empower users to be productive wherever and whenever
- Protect the organization's assets
By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user's way when not needed.
Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
Environment Roles:
An environment is a separate place to store, manage, and share your organization's business data, apps, and flows. Multiple environments can be created and each of them acts as a container to isolate apps with different roles, security requirements, or target audiences.
Each environment is linked to a tenant and can only be accessed by users of that tenant. It can also be linked to a geographic location and has zero or one Common Data Service.
Roles in Power Platform
In Power Platform and environments, different roles can be assigned:
Power Platform
Power Platform service administrator (environment owner)
At the environmental level
Environment end user : Can access assets like apps and flows shared with them, but can't create assets themselves
Environmental Maker: Create resources in the environment, including apps, connections, custom connectors, gateways, and flows. He/ She Can also distribute apps created by them to other users
Environment Administrator : All administrative actions on the environment.
Who can Manage Environments?
Environment management is based on roles.
- Global admin/ Dynamics 365 service admin can manage any environment in the tenant.
- Licensed users need to have Environment administrator role to manage the environment.
No additional Power Apps / Power Automate plan license is required to manage environments.
Resources Permission for Apps, flows, custom connectors:
Environments are the containers for all resources used by a Power Apps, Power Automate and Dataverse. A user's level of access within the environment and to the resources (apps and data) in the environment is determined by the privileges defined in the security roles assigned to that user. Their access mode being Administrative or Read-Write also determines their level of access within an environment. Access to Power Apps and Power Automate starts with having a license. The type of license a user has determines the assets and data a user can access. The following table outlines differences in resources available to a user based on their plan type, from a high level. Granular licensing details can be found in the Licensing overview. After users have licenses, environments exist as containers for all resources used by Power Apps, Power Automate and Dataverse. Environments can be used to target different audiences and/or for different purposes such as developing, testing and production.
CDS/Dataverse Security Roles :
- Be enabled for sign-in in Azure Active Directory (Azure AD).
- Have a valid license that has a Dynamics 365 or Microsoft Power Platform recognized service plan, or the environment must have active per-app plans.
- Be a member of the environment's Azure AD group (if one has been associated with the environment).
- Have at least one Dataverse security role assigned directly to them or to a group team they're a member of.
Comments
Post a Comment