PL 400: Design authentication and authorization strategy (Part 2)

This article is a continuation of Part 1 (Design Authentication and Authorization Strategy). All information and images are collected from Microsoft documentation or the community. This is part of my PL 400 preparation.

Let's talk about the first layer of security. That is Azure AD Conditional Access. I already discussed about Azure AD in the previous section. As is well known that Azure Active Directory works as pillar of Authentication security, but it doesn't mean to prevent actual users of platform.

Azure AD Conditional Access :

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. 

Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever
  • Protect the organization's assets

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user's way when not needed.


Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Environment Roles:

An environment is a separate place to store, manage, and share your organization's business data, apps, and flows. Multiple environments can be created and each of them acts as a container to isolate apps with different roles, security requirements, or target audiences.

Each environment is linked to a tenant and can only be accessed by users of that tenant. It can also be linked to a geographic location and has zero or one Common Data Service.


Roles in Power Platform

In Power Platform and environments, different roles can be assigned:

Power Platform

Power Platform service administrator (environment owner)

At the environmental level

Environment end user : Can access assets like apps and flows shared with them, but can't create assets themselves

Environmental Maker:  Create resources in the environment, including apps, connections, custom connectors, gateways, and flows. He/ She Can also distribute apps created by them to other users

Environment Administrator : All administrative actions on the environment.

Who can Manage Environments?

Environment management is based on roles.

- Global admin/ Dynamics 365 service admin can manage any environment in the tenant.

- Licensed users need to have Environment administrator role to manage the environment.

No additional Power Apps / Power Automate plan license is required to manage environments.

Resources Permission for Apps, flows, custom connectors:

Environments are the containers for all resources used by a Power Apps, Power Automate and Dataverse. A user's level of access within the environment and to the resources (apps and data) in the environment is determined by the privileges defined in the security roles assigned to that user. Their access mode being Administrative or Read-Write also determines their level of access within an environment. Access to Power Apps and Power Automate starts with having a license. The type of license a user has determines the assets and data a user can access. The following table outlines differences in resources available to a user based on their plan type, from a high level. Granular licensing details can be found in the Licensing overview. After users have licenses, environments exist as containers for all resources used by Power Apps, Power Automate and Dataverse. Environments can be used to target different audiences and/or for different purposes such as developing, testing and production. 


CDS/Dataverse  Security Roles :

Security roles can be used to configure environment-wide access to all resources in the environment, or to configure access to specific apps and data in the environment. Security roles control a user's access to an environment's resources through a set of access levels and permissions.

Access a Dataverse environment, a user must meet the following criteria:
  • Be enabled for sign-in in Azure Active Directory (Azure AD).
  • Have a valid license that has a Dynamics 365 or Microsoft Power Platform recognized service plan, or the environment must have active per-app plans.
  • Be a member of the environment's Azure AD group (if one has been associated with the environment).
  • Have at least one Dataverse security role assigned directly to them or to a group team they're a member of.

Cross-tenant inbound & outbound restriction to the 300 + connectors to Cloud services, content services, DBs, APIs etc. :

With tenant restrictions, organizations can control access to SaaS cloud applications, based on the Azure AD tenant the applications use for single sign-on. With tenant restrictions, organizations can specify the list of tenants that their users are permitted to access. Azure AD then only grants access to these permitted tenants using Azure AD-based tenant restriction. Additionally, if organizations want to enforce tenant isolation for Microsoft Power Platform connections, then they can use Power Platform’s tenant isolation capability. Note that the Power Platform tenant isolation feature does not impact Azure AD-based access outside of Power Apps and Power Automate. Power Platform tenant isolation only works for connectors using Azure AD-based authentication such as Office 365 Outlook or SharePoint. If you want to block connectors that use external identity providers such as Microsoft account, Google, etc., you can create a data loss prevention policy and classify the connector under the Blocked group.

Power Platform tenant isolation ability is available with two options: one-way or two-way restriction.

Comments

Popular posts from this blog

Exploring the Differences: Managed vs. Unmanaged Solutions in Dynamics CRM/Dataverse

PCF vs. Web Resources: Choosing the Right Extensibility Tool for Dataverse

Effective Strategies for Debugging Plugins in Dynamics CRM