Power Pages Secure?

by Oct 3, 2022

Power Pages! They tell me it’s easy and is very secure, it’s built in!

I am not fully convinced when I hear this. Why?

Simple said: “Easy and Security don’t mix”. Making something more secure will make it less easy to use.

Data separation

The thing is, Dataverse is particularly good in security, it sits at its core. But that doesnโ€™t mean that Power Pages then is automatically also secure. Dataverse security is based on users and their roles, where users are employees. Power Pages users are Contacts and its security is an add-on on top of Dataverse.

A good security practice is to separate your internal data (for employees) from public data (for customers). This separation should be very explicit, preferably in a separate environment, network and storage. If there is a breach in the public data environment by misconfiguration, then your internal data is still protected.

You create this separation by creating a projection (=view) of your internal data that is allowed to be public data. Then you push (synchronize) this projection to the public data environment by copying it.

Power Pages connects a public facing website directly with your internal Dataverse. A misconfiguration could open your whole Dataverse for the rest of the world.

Data breach

Power Apps Portals breach

People seem to forget that there was a major data breach a year ago with Power Apps Portals. Microsoft immediately acted on the issue.

I think this was one of the reasons to rebrand Power Apps Portals to Power Pages.

Rebranding to Power Pages

With the rebranding, Microsoft really stepped up their gear and by default made Power Pages secure. You need to explicitly set things open now.

Power Pages Permissions

Setting permissions on tables is now much clearer and has a more prominent place, it makes it easier to see what is going on. Also setting up an Identity provider seems to be easier, but I still need to try that out.

Microsoft did even change their messaging. Power Pages is now all about security: “Create secure, low-code business websites”.

power pages secure

While Power Pages is definitely improved, users can still open internal data to the entire world by misconfiguration. Users are responsible for keeping it secure and security reviews would be wise to do.

Data separation using Power Pages

To apply data separation guidelines with Power Pages you could do this in a couple of ways.

Make separate tables for public data and only allow these to be used by Power Pages. Try not to expose other tables, especially not the Account and Contact table. Copy the data that is allowed to be shared with customers to the public tables using Power Automate.

You can even go to the extreme by creating a separate environment with its own Dataverse. A sync than need to be created between your internal environment and the public environment.

Security is not easy. Even experienced developers have difficulty with it ๐Ÿ˜‰.

Subscribe to
The Daily Friction

A daily newsletter on automation and eliminating friction

Related Content

Early-Bound Classes for .NET 4.6.2 and 6.0

Early-Bound Classes for .NET 4.6.2 and 6.0

You like to use strong types in .NET when working with Dataverse / Dynamics 365? Are you into Early-Bound Classes? Generating entity classes? You can use CrmSvcUtil for this, but I personally like to use XrmContext from Delegate to do this, because it creates smaller...

read more
WordPress Blocks Post using the REST API

WordPress Blocks Post using the REST API

Sending email to my subscribers is done by an automation flow. In the last couple of days paragraphs in my emails started to disappear. It changed into one large blob of text which is very annoying to read. Sorry about this! The automation depends on the RSS-feed of...

read more
Form Data OnLoad

Form Data OnLoad

You want to call Form OnLoad multiple times? Don't! I was reading about a blogpost to trigger the Form OnLoad multiple times. This should happen after the data was saved and/or refreshed. Why would you want this? Usually, the Form OnLoad contains logic to change the...

read more
Share This