Power Pages Secure?

by Oct 3, 2022

Power Pages! They tell me it’s easy and is very secure, it’s built in!

I am not fully convinced when I hear this. Why?

Simple said: “Easy and Security don’t mix”. Making something more secure will make it less easy to use.

Data separation

The thing is, Dataverse is particularly good in security, it sits at its core. But that doesn’t mean that Power Pages then is automatically also secure. Dataverse security is based on users and their roles, where users are employees. Power Pages users are Contacts and its security is an add-on on top of Dataverse.

A good security practice is to separate your internal data (for employees) from public data (for customers). This separation should be very explicit, preferably in a separate environment, network and storage. If there is a breach in the public data environment by misconfiguration, then your internal data is still protected.

You create this separation by creating a projection (=view) of your internal data that is allowed to be public data. Then you push (synchronize) this projection to the public data environment by copying it.

Power Pages connects a public facing website directly with your internal Dataverse. A misconfiguration could open your whole Dataverse for the rest of the world.

Data breach

Power Apps Portals breach

People seem to forget that there was a major data breach a year ago with Power Apps Portals. Microsoft immediately acted on the issue.

I think this was one of the reasons to rebrand Power Apps Portals to Power Pages.

Rebranding to Power Pages

With the rebranding, Microsoft really stepped up their gear and by default made Power Pages secure. You need to explicitly set things open now.

Power Pages Permissions

Setting permissions on tables is now much clearer and has a more prominent place, it makes it easier to see what is going on. Also setting up an Identity provider seems to be easier, but I still need to try that out.

Microsoft did even change their messaging. Power Pages is now all about security: “Create secure, low-code business websites”.

power pages secure

While Power Pages is definitely improved, users can still open internal data to the entire world by misconfiguration. Users are responsible for keeping it secure and security reviews would be wise to do.

Data separation using Power Pages

To apply data separation guidelines with Power Pages you could do this in a couple of ways.

Make separate tables for public data and only allow these to be used by Power Pages. Try not to expose other tables, especially not the Account and Contact table. Copy the data that is allowed to be shared with customers to the public tables using Power Automate.

You can even go to the extreme by creating a separate environment with its own Dataverse. A sync than need to be created between your internal environment and the public environment.

Security is not easy. Even experienced developers have difficulty with it 😉.

Remy van Duijkeren

Remy van Duijkeren

Power Platform Advisor

Microsoft Power Platform Advisor with over 25 years of experience in IT with a focus on (marketing) automation and integration.

Helping organizations with scaling their business by automating processes on the Power Platform (Dynamics 365).

Expert in Power Platform, Dynamics 365 (Marketing & Sales) and Azure Integration Services. Giving advice and strategy consultancy.

Services:
– Strategy and tactics advise
– Automating and integrating

Subscribe to
The Daily Friction

A daily newsletter on automation and eliminating friction

Related Content

External authentication with Dataverse ServiceClient

For a while now we can use the new Dataverse ServiceClient that replaced the old CrmServiceClient. It has three big improvements: Works for .NET 5.0 and up (.NET Core) Uses the newer MSAL.NET instead of ADAL.NET (which is out of support) for authentication Support for...

read more

Everyone got ALM wrong in Dynamics 365 / Dataverse

For ages, we've been ferociously encouraging the integration of developer practices, such as source control and ALM, into the Dynamics 365/Dataverse realm. The ultimate truth The revered 'Master Branch' in source control, has always been the sole fountainhead from...

read more
Early-Bound Classes for .NET 4.6.2 and 6.0

Early-Bound Classes for .NET 4.6.2 and 6.0

You like to use strong types in .NET when working with Dataverse / Dynamics 365? Are you into Early-Bound Classes? Generating entity classes? You can use CrmSvcUtil for this, but I personally like to use XrmContext from Delegate to do this, because it creates smaller...

read more