In this eBook, you’ll be guided through several out-of-box features of the Microsoft Power Platform, giving you the confidence and ability to govern your apps, flows and connectors. You’ll also find out about free tools available to make your admin tasks easy and automated.
The next generation of Citizen Developers needs innovative Citizen Administrators who can configure the Power Platform securely and let the makers build apps. There are lots of Power Platform citizen developers out there, but for all these citizen developers, we need citizen administrators. This new breed of citizen administrators understands what the citizen developers need and how they think. Citizen administrators define the fundamental permissions and settings of the Power Platform admin center. Then they jump out of the way so citizen developers can build those fun and important apps.
What does it take to be an Innovative Administrator?
Must, must, must have a Power Platform Admin role
It’s really important that you are assigned the Power Platform admin role. Many people think they have this level of permission, but then they find out from the Azure or Office 365 admin people that they don’t. Only when you have the admin role will you be able to do all the things covered in this eBook.
Preferably was/is a Citizen Developer
It’s preferable that you are a Citizen Developer, or you know what it takes to be a Citizen Developer. You should be familiar with canvas apps, know what it takes to build an app, and understand what connectors are.
Understand Application Lifecycle Management (ALM)
At the beginning of an app’s development, you should assess its usage and understand its whole lifecycle. At some point, you should do a quick pulse check to see if all the connectors and permissions are good. You need to know when the app should be integrated with other apps at an enterprise level.
Be aware of the latest announcements
This is critical. You may take ten steps to create a solution, but two months down the line there’s a new solution that eradicates those ten steps and lets you do it in two steps. As a Citizen Developer, it is your responsibility to be aware of new announcements of what’s coming up. To do this, you should be familiar with user communities for Power Apps, Power BI, Power Virtual Agents, and so on. In Power Apps itself, look at the preview and experimental features.
Maintain healthy relationships with the Azure Admins and Dynamics 365 Admins
It’s important you have good communication with the admin teams because there will be times when you need each other’s help. Azure admins usually have access to all the Azure services and there may be some Azure services that you want to leverage in Power Platform. There may be times when the Azure admins ask whether you can build an app for them to meet a certain requirement – help them because there’ll be a time when you need their help.
DLP stands for Data Loss Protection (or Prevention). Your DLP policies determine what connectors you allow on a business site, non-business site and how to block connections. The K.I.S.S method: ‘Keep It Simple Stupid’ is good practical advice. It really helps to keep things simple. Although you may have a hundred different environments, you probably only need five or six policies. One policy can be applied across different environments and requirements. At the top level, keep it very simple, so you just have Microsoft vs. non-Microsoft connectors. Every once in a while, you may have to create a separate policy for a specific, separate environment.
There’s a new feature in the Power Platform that allows you to block connectors. In Power Apps: Settings/Admin center, you can see the data policies that have been defined for this environment.
When you name a policy, you can insert a timestamp into the title so you can see accurately when the policy was created.
In the ‘Assign connectors’ section, you can see the new ‘Blocked’ functionality feature. Before, it was just Business and Non-business, but now you can block the connector altogether.
You can select a connector and move it between Business, Non-business and Blocked – although some connectors simply cannot be blocked, you can only assign them to Business or Non-business.
You can add a policy to all environments, multiple environments or exclude certain environments.
Finally, you can publish the policy.
#2 Access to create Environments
Only global, Dynamics 365 and Power Platform admins have access to create environments. There are six types of environment: Default, Production, Sandbox, Trial, Developer – and not forgetting the Support environment.
There’s a new feature that lets you refresh the cadence functionality. In the Environments tab of the Power Platform admin center, click directly on an environment name (rather than use the radio button), and you can see the functionality for this environment.
Click on Edit and then on the information icon next to ‘Refresh cadence’. Click on ‘Create and manage environments in the Power Apps Admin center’.
This gives you a great example of how to do it, but read the note that says, ‘By default, environments are automatically in the frequent cadence; creating and editing canvas apps will receive updates once a week’ and ‘If you’ve chosen the moderate cadence for the environment, all creating and editing of canvas apps will receive updates once a month’. Being able to see the frequency of updates is really great functionality.
#3 Office 365 Security Groups and Security Roles
Office 365 security groups and the Power Platform security roles are two separate things, but you can use them in combination to either give environment-level access or app-level access. You can manage security at a granular level so that you have two security groups: one to give people access to the environment and a second (inside the environment) at the app level. Security roles are now tied more to the Power Platform where you can, for example, make sure people have enough security to only add more CDS entities or edit CDS entities within certain environments. This combination of options means you can be really precise with your security settings. However, the more granular you make it the more challenging it can be to administer, so be very careful with the decisions you make here.
A common problem is when you give an Office 365 group access to an environment, but the users can’t see it. Although they have access to the environment, there needs to be an app in the environment for the permissions to work. Create an app in the environment and give people access to this and then give access to the group at an environment level. Conversely, before you revoke someone’s environment access, make sure they don’t have access to any of the apps in the environment.
#4 Know your capacity
In Power Apps Settings/Admin center, go to Resources and Capacity. The message ‘Database storage is over capacity’ means you have no capacity to create another environment because by default you need at least 1GB of storage left.
The Storage capacity tab shows you a breakdown of usage per environment. As an admin, it’s important you keep a close eye on this to ensure you have enough capacity. If you don’t, you may want to buy more storage from Microsoft. Before you do this, check whether any apps are consuming capacity even though they are not being used anymore.
#5 Option to disable self-service
Previously, if your company didn’t provide you with a Power Platform or Power Apps licence, you could use self-service to buy your own. Microsoft has provided a PowerShell script to disable this functionality, if necessary. This does not affect DLP. If you set up a DLP policy it’s effective at a Power Platform level. If someone has used the self-service feature to buy more licences, they are still bound by the environment’s DLP. This is why DLP is so important and was highlighted at the beginning of the eBook.
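The eBook does not reproduce the script. As an added example (not taken from the eBook or from Microsoft's own script), this is one way to switch off self-service purchase with the MSCommerce PowerShell module; selecting the products by a name pattern is an assumption, so review the listed products before changing them.

```powershell
# Added example. Requires the MSCommerce module:
#   Install-Module -Name MSCommerce -Scope CurrentUser
Import-Module -Name MSCommerce
Connect-MSCommerce   # interactive sign-in with an admin account

# Every product that supports self-service purchase, with its current state.
$policies = Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase

# Assumption: Power Platform products are picked by display name.
$pattern = '^Power (Apps|Automate|BI)'
$targets = $policies | Where-Object { $_.ProductName -match $pattern }

# Show what is about to change so the selection can be checked first.
$targets | Format-Table ProductName, ProductId, PolicyValue

foreach ($product in $targets) {
    if ($product.PolicyValue -eq 'Enabled') {
        # Turn self-service purchase off for this one product.
        Update-MSCommerceProductPolicy `
            -PolicyId AllowSelfServicePurchase `
            -ProductId $product.ProductId `
            -Enabled $false | Out-Null
    }
}

# Read the policies back and report anything that is still enabled.
$stillEnabled = Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
    Where-Object { $_.ProductName -match $pattern -and $_.PolicyValue -eq 'Enabled' }

if ($stillEnabled) {
    Write-Warning 'Self-service purchase is still enabled for:'
    $stillEnabled | Format-Table ProductName, ProductId
} else {
    Write-Output 'Self-service purchase is disabled for all selected products.'
}
```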
#6 Azure Application Insights
Azure Application Insights is a log telemetry service for your apps. It’s part of the Azure Monitoring service, which collects heavy logging information and lets you create visualisations based on the information.
With the Azure Monitoring service, Microsoft created Application Insights for Power Apps. It gives you the ability to see request rates, response times, page views, load performance, user and session counts, performance counters and location services.
You can configure Azure Application Insights, but you don’t need to create a new app – you can apply it to existing apps. To do this, you have to get an Application Insights instrumentation key from Azure services and apply it in Power Apps. Data can be viewed on the Azure site or you can take the connection string supplied to you and import the static data into Power BI.
You need Azure access to create a new service. Billing is based on the amount of data stored. You need to have makers assigned to the Application Insights service, but most of the time your admins will already have this and be able to provide you with the instrumentation key. Only the owner or co-owner levels will have to open the app.
In Application Insights, click on Add to add a new resource.
You add your subscription, name, and region.
Once you’ve created a resource, you can see the instrumentation key in the Overview
Copy the key, go to your app (make sure you’re in the ‘App’ screen), and paste the key into the ‘Instrumentation key’ field in the panel on the right.
Almost as soon as you’ve done that, it starts grabbing the data. Some of the data it provides is phenomenal. Here’s the Analytics screen:
One limitation in Power Apps is that it’s app-based: When was the app opened? Which device was used? How many times was the app used? But Azure Insights lets you see what’s happening inside the apps – for example, in the Events screen you can see exactly which screens were used and how often.
In User Flows, you can go into further detail about how each particular screen has been used during a certain period.
#7 Azure AD Privileged Identity Management
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) gives people admin-level access to the Power Platform – once they have completed their admin tasks, they are relieved of their access level. This is also known as ‘Break Glass’ access.
People are pre-approved for this access level, so they don’t always need to go through an approval process. Their access may be ‘time-bound’, so they have access only for the next 8 or 24 hours, for example.
#8 Free tools every Admin must have
This is a PowerShell module that can help you do things in bulk, such as granting and removing access. When someone creates an app they are, by default, the owner of the app. You can create a ‘co-owner’, but if the original owner leaves you can only use PowerShell to set the co-owner as the new owner.
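The ownership change described above, as an added example that is not part of the eBook: it uses the Microsoft.PowerApps.Administration.PowerShell module to find every app still owned by a departed maker and hand it to a chosen co-owner. The two object IDs are placeholders, and the `$Apply` dry-run switch is a convention of this example.

```powershell
# Added example. Requires the admin module:
#   Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
Import-Module -Name Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in as a Power Platform admin

# Placeholders: Azure AD object IDs of the departed owner and the new owner.
$DepartedOwnerId = '00000000-0000-0000-0000-000000000001'
$NewOwnerId      = '00000000-0000-0000-0000-000000000002'

# Dry run by default: set to $true only after reviewing the list below.
$Apply = $false

# All apps in all environments the admin can see, filtered to the old owner.
$orphaned = Get-AdminPowerApp |
    Where-Object { $_.Owner.id -eq $DepartedOwnerId }

# Review list: which app, in which environment, last touched when.
$orphaned |
    Sort-Object EnvironmentName, DisplayName |
    Format-Table DisplayName, AppName, EnvironmentName, LastModifiedTime

foreach ($app in $orphaned) {
    if ($Apply) {
        # Ownership can only be reassigned through PowerShell.
        Set-AdminPowerAppOwner `
            -AppName $app.AppName `
            -EnvironmentName $app.EnvironmentName `
            -AppOwner $NewOwnerId
        Write-Output "Reassigned '$($app.DisplayName)' in $($app.EnvironmentName)"
    } else {
        Write-Output "Would reassign '$($app.DisplayName)' in $($app.EnvironmentName)"
    }
}

Write-Output "$(@($orphaned).Count) app(s) matched the departed owner."
```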
XRM Toolbox contains free tools that give you the ability to do a lot of fun things.
In Power Apps, you can see all your CDS entities, but the level of detail is limited and it doesn’t give a total of records. If you open Record Counter from the XRM Toolbox, all the entities are listed and, for each entity, you can select ‘Get Count’ to see a total of items.
User Security Manager
In User Security Manager, you can easily see all the users of an environment. You can then click on a user and see what environments, teams, and roles they are assigned to.
CoE Center of Excellence
The CoE or Center of Excellence Starter Kit is a collection of components and tools that help you get started with developing a strategy for the Power Platform. It gives you a solution containing a model-driven app and flows that you import and configure. Once you have stored data in CDS you can see a lot of useful information, such as the number of apps and users, flow details, and makers.
Monitor is a new functionality that grabs each and every activity that is happening in an app at that time – it’s ‘monitoring’ that app. You ‘play’ an app and click on ‘Record’ to gather detailed information about the app and its properties.
#9 Free training for Power Platform Admins
The link above takes you to the Learning Resources page where there are lots of useful tools, videos, and tutorials for Power Platform admins.
#10 Reward the champions!!
Using the Center of Excellence, you can find the makers in your organisation – the heaviest flow makers, the Power Automate flow makers, the Power Apps admin makers – and take a look at their apps. These makers may already have really good habits, or this could be an opportunity to train them in good habits, which they can then share with others. Once you have found the makers, honour them and encourage them to be talkative and share their knowledge with other people.