The rise of the Citizen Administrators

Daniel Christian


In this eBook, you’ll be guided through several out-of-box features of the Microsoft Power Platform, giving you the confidence and ability to govern your apps, flows and connectors. You’ll also find out about free tools available to make your admin tasks easy and automated.

The next generation of Citizen Developers needs innovative Citizen Administrators who can configure the Power Platform securely and let the makers build apps. There are lots of Power Platform citizen developers out there, but for all these citizen developers, we need citizen administrators. This new breed of citizen administrators understands what the citizen developers need and how they think. Citizen administrators define the fundamental permissions and settings of the Power Platform admin center. Then they jump out of the way so citizen developers can build those fun and important apps.

What does it take to be an Innovative Administrator?


Must, must, must have a Power Platform Admin role

It’s really important that you are assigned the Power Platform admin role. Many people think they have this level of permission, but then they find out from the Azure or Office 365 admin people that they don’t. Only when you have the admin role will you be able to do all the things covered in this eBook.

Preferably was/is a Citizen Developer

It’s preferable that you are a Citizen Developer, or you know what it takes to be a Citizen Developer. You should be familiar with canvas apps, know what it takes to build an app, and understand what connectors are.

Understand Application Lifecycle Management (ALM)

At the beginning of an app’s development, you should assess its usage and understand its whole lifecycle. At some point, you should do a quick pulse check to see if all the connectors and permissions are good. You need to know when the app should be integrated with other apps at an enterprise level.

Be aware of the latest announcements

This is critical. You may take ten steps to create a solution, but two months down the line there’s a new solution that eradicates those ten steps and lets you do it in two steps. As a Citizen Developer, it is your responsibility to be aware of new announcements of what’s coming up. To do this, you should be familiar with user communities for Power Apps, Power BI, Power Virtual Agents, and so on. In Power Apps itself, look at the preview and experimental features.

Maintain healthy relationships with the Azure Admins and Dynamics 365 Admins

It’s important you have good communication with the admin teams because there will be times when you need each other’s help. Azure admins usually have access to all the Azure services and there may be some Azure services that you want to leverage in Power Platform. There may be times when the Azure admins ask whether you can build an app for them to meet a certain requirement – help them because there’ll be a time when you need their help.

#1 DLP


DLP stands for Data Loss Protection (or Prevention). Your DLP policies determine which connectors you allow on the Business side, which on the Non-business side, and how to block connections. The K.I.S.S method: ‘Keep It Simple Stupid’ is good practical advice. It really helps to keep things simple. Although you may have a hundred different environments, you probably only need five or six policies. One policy can be applied across different environments and requirements. At the top level, keep it very simple, so you just have Microsoft vs. non-Microsoft connectors. Every once in a while, you may have to create a separate policy for a specific, separate environment.

There’s a new feature in the Power Platform that allows you to block connectors. In Power Apps: Settings/Admin center, you can see the data policies that have been defined for this environment.


When you name a policy, you can insert a timestamp into the title so you can see accurately when the policy was created.


In the ‘Assign connectors’ section, you can see the new ‘Blocked’ functionality feature. Before, it was just Business and Non-business, but now you can block the connector altogether.


You can select a connector and move it between Business, Non-business and Blocked – although some connectors simply cannot be blocked, you can only assign them to Business or Non-business.

You can add a policy to all environments, multiple environments or exclude certain environments.


Finally, you can publish the policy.
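How the Business, Non-business and Blocked groups combine with the environment scope can be modelled in a few lines of PowerShell. This is an added example, not part of the eBook or of Microsoft's tooling; the policy names, environment names and field names are constructed, and it assumes the platform rules that an app may not combine connectors from the Business and Non-business groups and must satisfy every policy that applies to its environment.

```powershell
# Constructed sample policies. The field names (Scope, Environments, Groups) are
# hypothetical and only model the choices made in the policy wizard.
$policies = @(
    @{ Name = 'Tenant baseline 2020-06-01'; Scope = 'All'; Environments = @()
       Groups = @{ 'SharePoint' = 'Business'; 'Office 365 Outlook' = 'Business'
                   'Twitter' = 'NonBusiness'; 'Dropbox' = 'Blocked' } },
    @{ Name = 'Finance lockdown 2020-06-15'; Scope = 'Only'; Environments = @('Finance-Prod')
       Groups = @{ 'SharePoint' = 'Business'; 'Office 365 Outlook' = 'NonBusiness'
                   'Twitter' = 'Blocked' } }
)

# Does the policy apply to this environment (all, only the listed, or all except the listed)?
function Test-PolicyInScope {
    param([hashtable]$Policy, [string]$Environment)
    switch ($Policy.Scope) {
        'All'    { return $true }
        'Only'   { return $Policy.Environments -contains $Environment }
        'Except' { return $Policy.Environments -notcontains $Environment }
    }
    return $false
}

# Emit one message per violation for an app that uses the given connectors.
function Get-DlpViolation {
    param([string]$Environment, [string[]]$Connectors, [hashtable[]]$Policies)
    foreach ($policy in $Policies) {
        if (-not (Test-PolicyInScope -Policy $policy -Environment $Environment)) { continue }
        $seen = @{}
        foreach ($connector in $Connectors) {
            # Assumption: connectors the policy does not list fall into Non-business.
            $group = if ($policy.Groups.ContainsKey($connector)) { $policy.Groups[$connector] } else { 'NonBusiness' }
            if ($group -eq 'Blocked') {
                "{0}: '{1}' is blocked" -f $policy.Name, $connector
            } else {
                $seen[$group] = $true
            }
        }
        if ($seen.Count -gt 1) {
            "{0}: app mixes Business and Non-business connectors" -f $policy.Name
        }
    }
}

# Passes the baseline but fails the stricter Finance policy.
Get-DlpViolation -Environment 'Finance-Prod' -Connectors 'SharePoint', 'Office 365 Outlook' -Policies $policies
# Only the baseline applies here, and it blocks Dropbox.
Get-DlpViolation -Environment 'HR-Dev' -Connectors 'SharePoint', 'Dropbox' -Policies $policies
```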


#2 Access to create Environments


Only global, Dynamics 365 and Power Platform admins have access to create environments. There are six types of environment: Default, Production, Sandbox, Trial, Developer – and not forgetting the Support environment.

There’s a new feature that lets you set the refresh cadence. In the Environments tab of the Power Platform admin center, click directly on an environment name (rather than using the radio button), and you can see the functionality for this environment.


Click on Edit and then on the information icon next to ‘Refresh cadence’. Click on ‘Create and manage environments in the Power Apps Admin center’.


This gives you a great example of how to do it, but read the note that says, ‘By default, environments are automatically in the frequent cadence; creating and editing canvas apps will receive updates once a week’ and ‘If you’ve chosen the moderate cadence for the environment, all creating and editing of canvas apps will receive updates once a month’. Being able to see the frequency of updates is really great functionality.

#3 Office 365 Security Groups and Security Roles


Office 365 security groups and the Power Platform security roles are two separate things, but you can use them in combination to either give environment-level access or app-level access. You can manage security at a granular level so that you have two security groups: one to give people access to the environment and a second (inside the environment) at the app level. Security roles are now tied more to the Power Platform where you can, for example, make sure people have enough security to only add more CDS entities or edit CDS entities within certain environments. This combination of options means you can be really precise with your security settings. However, the more granular you make it the more challenging it can be to administer, so be very careful with the decisions you make here.

A common problem is when you give an Office 365 group access to an environment, but the users can’t see it. Although they have access to the environment, there needs to be an app in the environment for the permissions to work. Create an app in the environment and give people access to this and then give access to the group at an environment level. Conversely, before you revoke someone’s environment access, make sure they don’t have access to any of the apps in the environment.

#4 Know your capacity


In Power Apps Settings/Admin center, go to Resources and Capacity. The message ‘Database storage is over capacity’ means you have no capacity to create another environment because by default you need at least 1GB of storage left.


The Storage capacity tab shows you a breakdown of usage per environment. As an admin, it’s important you keep a close eye on this to ensure you have enough capacity. If you don’t, you may want to buy more storage from Microsoft. Before you do this, check whether any apps are consuming capacity even though they are not being used anymore.


#5 Option to disable self-service


Previously, if your company didn’t provide you with a Power Platform or Power Apps licence, you could use self-service to buy your own. Microsoft has provided a PowerShell script to disable this functionality, if necessary. This does not affect DLP. If you set up a DLP policy it’s effective at a Power Platform level. If someone has used the self-service feature to buy more licences, they are still bound by the environment’s DLP. This is why DLP is so important and was highlighted at the beginning of the eBook.
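One way to turn self-service purchase off for the Power Platform products with the MSCommerce PowerShell module is shown here. This is an added example, not the script the eBook refers to; it assumes the module is installed, that you sign in with an account allowed to change the policy, and that the product names returned for your tenant start with "Power".

```powershell
# Requires the MSCommerce module and an account allowed to change the policy.
Import-Module -Name MSCommerce
Connect-MSCommerce

$policyId = 'AllowSelfServicePurchase'

# List every product that supports self-service purchase and its current state.
$products = Get-MSCommerceProductPolicies -PolicyId $policyId
$products | Format-Table ProductName, ProductId, PolicyValue

# Turn the policy off for the Power Platform products that are still enabled.
$products |
    Where-Object { $_.ProductName -like 'Power*' -and $_.PolicyValue -eq 'Enabled' } |
    ForEach-Object {
        Update-MSCommerceProductPolicy -PolicyId $policyId -ProductId $_.ProductId -Enabled $false
    }

# Re-read the policy; nothing should be returned if every change was applied.
Get-MSCommerceProductPolicies -PolicyId $policyId |
    Where-Object { $_.ProductName -like 'Power*' -and $_.PolicyValue -eq 'Enabled' }
```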

#6 Azure Application Insights


Azure Application Insights is a log telemetry service for your apps. It’s part of the Azure Monitoring service, which collects heavy logging information and lets you create visualisations based on the information.


With the Azure Monitoring service, Microsoft created Application Insights for Power Apps. It gives you the ability to see request rates, response times, page views, load performance, user and session counts, performance counters and location services.


You can configure Azure Application Insights, but you don’t need to create a new app – you can apply it to existing apps. To do this, you have to get an Application Insights instrumentation key from Azure services and apply it in Power Apps. Data can be viewed on the Azure site or you can take the connection string supplied to you and import the static data into Power BI.


You need Azure access to create a new service. Billing is based on the amount of data stored. You need to have makers assigned to the Application Insights service, but most of the time your admins will already have this and be able to provide you with the instrumentation key. Only the owner or co-owner levels will have to open the app.

In Application Insights, click on Add to add a new resource.


You add your subscription, name, and region.


Once you’ve created a resource, you can see the instrumentation key in the Overview tab.


Copy the key, go to your app (make sure you’re in the ‘App’ screen), and paste the key into the ‘Instrumentation key’ field in the panel on the right.


Almost as soon as you’ve done that, it starts grabbing the data. Some of the data it provides is phenomenal. Here’s the Analytics screen:


One limitation in Power Apps is that it’s app-based: When was the app opened? Which device was used? How many times was the app used? But Azure Insights lets you see what’s happening inside the apps – for example, in the Events screen you can see exactly which screens were used and how often.


In User Flows, you can go into further detail about how each particular screen has been used during a certain period.


#7 Azure AD Privileged Identity Management


Azure Active Directory (Azure AD) Privileged Identity Management (PIM) gives people admin-level access to the Power Platform – once they have completed their admin tasks, they are relieved of their access level. This is also known as ‘Break Glass’ access.


People are pre-approved for this access level, so they don’t always need to go through an approval process. Their access may be ‘time-bound’, so they have access only for the next 8 or 24 hours, for example.

#8 Free tools every Admin must have


PowerShell scripts

This is a PowerShell module that can help you do things in bulk, such as granting and removing access. When someone creates an app they are, by default, the owner of the app. You can create a ‘co-owner’, but if the original owner leaves you can only use PowerShell to set the co-owner as the new owner.
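The ownership hand-over described above can be done in bulk with the Power Apps administration cmdlets. This is an added example, not code from the eBook; it assumes the Microsoft.PowerApps.Administration.PowerShell module is installed and that you hold the Power Platform admin role, and the two object IDs are placeholders to fill in.

```powershell
# Sign in with an account that has the Power Platform admin role.
Add-PowerAppsAccount

# Placeholders: Azure AD object IDs of the departing owner and of the co-owner taking over.
$oldOwnerId = '<departing-owner-object-id>'
$newOwnerId = '<co-owner-object-id>'

# Find every app the departing user owns, across all environments.
$apps = Get-AdminPowerApp -Owner $oldOwnerId

foreach ($app in $apps) {
    Write-Host ("Reassigning '{0}' in {1}" -f $app.DisplayName, $app.EnvironmentName)
    Set-AdminPowerAppOwner -AppName $app.AppName `
                           -EnvironmentName $app.EnvironmentName `
                           -AppOwner $newOwnerId
}

# Anything still listed here was not reassigned and needs a closer look.
Get-AdminPowerApp -Owner $oldOwnerId | Select-Object DisplayName, EnvironmentName
```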

XRM Toolbox

XRM Toolbox contains free tools that give you the ability to do a lot of fun things.


Record Counter

In Power Apps, you can see all your CDS entities, but the level of detail is limited and it doesn’t give a total of records. If you open Record Counter from the XRM Toolbox, all the entities are listed and, for each entity, you can select ‘Get Count’ to see a total of items.


User Security Manager

In User Security Manager, you can easily see all the users of an environment. You can then click on a user and see what environments, teams, and roles they are assigned to.


CoE Center of Excellence

The CoE or Center of Excellence Starter Kit is a collection of components and tools that help you get started with developing a strategy for the Power Platform. It gives you a solution containing a model-driven app and flows that you import and configure. Once you have stored data in CDS you can see a lot of useful information, such as the number of apps and users, flow details, and makers.


Monitor

Monitor is a new functionality that grabs each and every activity that is happening in an app at that time – it’s ‘monitoring’ that app. You ‘play’ an app and click on ‘Record’ to gather detailed information about the app and its properties.


#9 Free training for Power Platform Admins


The link above takes you to the Learning Resources page where there are lots of useful tools, videos, and tutorials for Power Platform admins.


#10 Reward the champions!!


Using the Center of Excellence, you can find the makers in your organisation – the heaviest flow makers, the Power Automate flow makers, the Power Apps admin makers – and take a look at their apps. These makers may already have really good habits, or this could be an opportunity to train them in good habits, which they can then share with others. Once you have found the makers, honour them and encourage them to be talkative and share their knowledge with other people.
