Power Pages Secure?

by Oct 3, 2022

Power Pages! They tell me it’s easy and is very secure, it’s built in!

I am not fully convinced when I hear this. Why?

Simple said: “Easy and Security don’t mix”. Making something more secure will make it less easy to use.

Data separation

The thing is, Dataverse is particularly good in security, it sits at its core. But that doesn’t mean that Power Pages then is automatically also secure. Dataverse security is based on users and their roles, where users are employees. Power Pages users are Contacts and its security is an add-on on top of Dataverse.

A good security practice is to separate your internal data (for employees) from public data (for customers). This separation should be very explicit, preferably in a separate environment, network and storage. If there is a breach in the public data environment by misconfiguration, then your internal data is still protected.

You create this separation by creating a projection (=view) of your internal data that is allowed to be public data. Then you push (synchronize) this projection to the public data environment by copying it.

Power Pages connects a public facing website directly with your internal Dataverse. A misconfiguration could open your whole Dataverse for the rest of the world.

Data breach

Power Apps Portals breach

People seem to forget that there was a major data breach a year ago with Power Apps Portals. Microsoft immediately acted on the issue.

I think this was one of the reasons to rebrand Power Apps Portals to Power Pages.

Rebranding to Power Pages

With the rebranding, Microsoft really stepped up their gear and by default made Power Pages secure. You need to explicitly set things open now.

Power Pages Permissions

Setting permissions on tables is now much clearer and has a more prominent place, it makes it easier to see what is going on. Also setting up an Identity provider seems to be easier, but I still need to try that out.

Microsoft did even change their messaging. Power Pages is now all about security: “Create secure, low-code business websites”.

power pages secure

While Power Pages is definitely improved, users can still open internal data to the entire world by misconfiguration. Users are responsible for keeping it secure and security reviews would be wise to do.

Data separation using Power Pages

To apply data separation guidelines with Power Pages you could do this in a couple of ways.

Make separate tables for public data and only allow these to be used by Power Pages. Try not to expose other tables, especially not the Account and Contact table. Copy the data that is allowed to be shared with customers to the public tables using Power Automate.

You can even go to the extreme by creating a separate environment with its own Dataverse. A sync than need to be created between your internal environment and the public environment.

Security is not easy. Even experienced developers have difficulty with it 😉.

Subscribe to
The Daily Friction

A daily newsletter on eliminating friction in business processes, development and life. Yes, it's every workday. And yes, people actually stay subscribed. I promise not to abuse your inbox, and I always abide by my privacy policy.

Related Content

Who is the target audience for Power Pages

Who is the target audience for Power Pages

Power Pages is slowly getting better and better product. But then I look at the pricing page: https://powerpages.microsoft.com/en-us/pricing/ Who is the target audience for this product? If you need something 'quick and dirty' it is nice to have a website up and...

read more
Improving the Form Switcher

Improving the Form Switcher

In Microsoft Dynamics 365, Model Driven Apps in the Power Platform, you can create multiple main forms for the same table or TOFKAE (The Object Formally Known As Entity). When to use multiple forms This can be handy because you can assign different security roles to...

read more
How to use Environment Variables in your plugins

How to use Environment Variables in your plugins

Environment Variables Dynamics 365 / Power Apps solution can have Environment Variables. Often a Settings table (=entity) would be created to store configuration settings that differ between environments. We now can replace these with environment variables. These...

read more
Share This