Power Pages! They tell me it’s easy and is very secure, it’s built in!
I am not fully convinced when I hear this. Why?
Simply said: “Easy and security don’t mix.” Making something more secure will make it less easy to use.
Data separation
The thing is, Dataverse is particularly good at security; it sits at its core. But that doesn’t mean Power Pages is then automatically secure as well. Dataverse security is based on users and their roles, where users are employees. Power Pages users are Contacts, and their security is an add-on on top of Dataverse.
A good security practice is to separate your internal data (for employees) from public data (for customers). This separation should be very explicit, preferably in a separate environment, network and storage. If there is a breach in the public data environment by misconfiguration, then your internal data is still protected.
You create this separation by building a projection (a view) of your internal data that is allowed to be public data. Then you push (synchronize) this projection to the public data environment by copying it.
Power Pages connects a public facing website directly with your internal Dataverse. A misconfiguration could open your whole Dataverse for the rest of the world.
Data breach
People seem to forget that there was a major data breach a year ago with Power Apps Portals. Microsoft immediately acted on the issue.
I think this was one of the reasons to rebrand Power Apps Portals to Power Pages.
Rebranding to Power Pages
With the rebranding, Microsoft really stepped up a gear and made Power Pages secure by default. You now need to explicitly open things up.
Setting permissions on tables is now much clearer and has a more prominent place, which makes it easier to see what is going on. Setting up an identity provider also seems to be easier, but I still need to try that out.
Microsoft did even change their messaging. Power Pages is now all about security: “Create secure, low-code business websites”.
While Power Pages is definitely improved, users can still expose internal data to the entire world through misconfiguration. Users are responsible for keeping it secure, and security reviews would be wise to do.
Data separation using Power Pages
To apply data separation guidelines with Power Pages, you could do this in a couple of ways.
Make separate tables for public data and only allow these to be used by Power Pages. Try not to expose other tables, especially not the Account and Contact tables. Copy the data that is allowed to be shared with customers to the public tables using Power Automate.
You can even go to the extreme of creating a separate environment with its own Dataverse. A sync then needs to be created between your internal environment and the public environment.
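As an added example (not from the original post, and not a Microsoft tool), here is a small review script that applies the rules above to a list of Power Pages table permissions: only allowlisted public tables may be exposed, Account and Contact should not be, and anonymous visitors should never get write access. The record layout, the allowlist names (cr_publicarticle, cr_publicfaq) and the sample records are all constructed; it is not the Dataverse schema, so you would map an export of your site’s table permissions onto these fields first.

```python
# Review script for Power Pages table permissions (added example).
# The record layout is a constructed, simplified model of a table
# permission: table name, scope, privileges and web roles. It is NOT
# the Dataverse schema; map your own export onto these fields.

PUBLIC_TABLES = {"cr_publicarticle", "cr_publicfaq"}   # constructed allowlist
INTERNAL_TABLES = {"account", "contact"}               # should not be exposed
WRITE_PRIVS = {"create", "write", "delete", "append", "appendto"}
ANON_ROLE = "Anonymous Users"

def review_permission(perm):
    """Return a list of findings for one table-permission record."""
    findings = []
    table = perm["table"].lower()
    scope = perm["scope"]
    privs = {p.lower() for p in perm["privileges"]}
    roles = set(perm["web_roles"])

    if table in INTERNAL_TABLES:
        # Global scope means every record of the table, not just the user's own
        detail = f"scope {scope}, every record" if scope == "Global" else f"scope {scope}"
        findings.append(f"{table}: internal table exposed through Power Pages ({detail})")
    elif table not in PUBLIC_TABLES:
        findings.append(f"{table}: table is not in the public allowlist")
    if ANON_ROLE in roles and privs & WRITE_PRIVS:
        granted = ", ".join(sorted(privs & WRITE_PRIVS))
        findings.append(f"{table}: anonymous visitors can modify data ({granted})")
    return findings

def review_site(perms):
    """Review all permissions; returns {permission name: findings} for hits."""
    result = {}
    for perm in perms:
        findings = review_permission(perm)
        if findings:
            result[perm["name"]] = findings
    return result

# Constructed sample records so the script runs stand-alone.
SAMPLE_PERMISSIONS = [
    {"name": "Public articles", "table": "cr_publicarticle", "scope": "Global",
     "privileges": ["Read"], "web_roles": [ANON_ROLE]},
    {"name": "My profile", "table": "contact", "scope": "Self",
     "privileges": ["Read", "Write"], "web_roles": ["Authenticated Users"]},
    {"name": "All accounts", "table": "account", "scope": "Global",
     "privileges": ["Read", "Write"], "web_roles": [ANON_ROLE]},
]

if __name__ == "__main__":
    for name, findings in review_site(SAMPLE_PERMISSIONS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```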
Security is not easy. Even experienced developers have difficulty with it 😉.