I was at the PowerUp! Live Meetup on Thursday, where Tatu Seppälä presented a security solution for giving permissions to environments through Entra ID security groups instead of assigning them directly to users. During his presentation I remembered that I had built an automated solution for ordering and provisioning Power Platform environments, already three years ago.
Tatu's session topic was Streamlining Power Platform environment access and security role management with Entra ID. Tatu explained how managing access and security roles in Power Platform and Dataverse can be complex and difficult to scale. The session introduced a proven and repeatable strategy to simplify access control using native Microsoft features, especially Entra ID (formerly Azure AD).
✅ Key takeaways were (slides):
- Use Entra ID groups to manage Dataverse security roles
- Control access to Power Platform environments via Entra ID
- Automatically clean up stale user role assignments
- Enable self-service access and role management for environment owners (no admin rights needed)
- Implement just-in-time role activation (e.g., System Administrator) with optional business justification and usage monitoring
- Prevent human errors and speed up environment creation
Back in the day I looked at the CoE Starter Kit tool for environment ordering. I think it was too complex for citizen developers because it started with selecting the connectors. I designed a more user-friendly solution, where the user just tells the reason for usage, the environment members and other things the user could possibly know.
I ended up with process version 0.1. It was so long ago, in an environment I no longer have access to, that I don't have screenshots or more detailed instructions.
- Microsoft Forms asks the name for the environment (project), the members, region, currency and whether the environment needs to have a database (Dataverse; one option was "I'm not sure").
- A Power Automate cloud flow triggers an approval workflow. The approvers were defined in a SharePoint list, so I did not need to hard-code them into the Power Automate flow.
- The order was saved into a SharePoint list containing all the order data and the status of the environment order.
- Approvers were given a Teams notification (and email) to approve the creation of the environment. If the approver rejected and gave comments, the rejection with its description was sent to the user who created the order as a Teams message and email.
- When an environment request was accepted, the Power Automate flow created:
  - the Environment
  - Entra ID security groups, and added members to them
  - group teams (in Dataverse), and attached security roles to them
  - the assignment of the security groups and the group teams to the created environment
  - the database, meaning Dataverse, in the environment
- Once everything is ready, the flow informs the person who made the request that the environment is ready and offers links to the environment, the Maker portal and the Entra ID group for adjusting members in the future.
- There were also instructions for basic Power Platform development in both written and video format, with links to those and to a Teams team where help could be asked if there were problems.
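The provisioning steps above, as an added PowerShell example; this is not the author's Power Automate flow (which is no longer available), but the same sequence scripted against the Power Platform admin cmdlets, Microsoft Graph and the Dataverse Web API. It assumes the `Microsoft.PowerApps.Administration.PowerShell` and `Microsoft.Graph.Groups` modules, an already authenticated admin session (`Add-PowerAppsAccount`, `Connect-MgGraph`), a Dataverse bearer token in `$dvToken` obtained out of band, and constructed sample values (project name, member object IDs, the `Basic User` role). The environment-level security group is applied when the environment is created, before the database; the Dataverse group team and its security role go through the Dataverse Web API and so can only be created once the database exists.

```powershell
# Added example (not the original Power Automate flow): provision an approved
# environment request in the order the steps above describe.
# Assumes Add-PowerAppsAccount and Connect-MgGraph -Scopes 'Group.ReadWrite.All'
# have been run, and $dvToken holds a bearer token for the new Dataverse instance
# (obtained out of band). All sample values below are constructed.

$ProjectName     = 'Contoso Demo'                              # from the Forms order
$Location        = 'europe'                                    # region chosen in the order
$Currency        = 'EUR'
$LanguageLcid    = 1033
$MemberObjectIds = @('00000000-0000-0000-0000-000000000001')  # placeholder Entra user object IDs
$RoleName        = 'Basic User'                                # least-privilege default role for members

# 1. Entra ID security group that owns access; members are managed here, never per user.
$mailNickname = ($ProjectName -replace '[^A-Za-z0-9]', '')
$group = New-MgGroup -DisplayName "PP-$ProjectName-Users" -MailEnabled:$false `
                     -MailNickname "pp-$mailNickname-users" -SecurityEnabled
foreach ($id in $MemberObjectIds) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $id
}

# 2. Create the environment WITHOUT a database, restricted to the group from the start.
#    -SecurityGroupId limits who can even see the environment in the Maker portal.
$ppEnv = New-AdminPowerAppEnvironment -DisplayName $ProjectName -LocationName $Location `
             -EnvironmentSku Production -SecurityGroupId $group.Id -WaitUntilFinished $true

# 3. Add the Dataverse database last; the group team below needs it to exist.
New-AdminPowerAppCdsDatabase -EnvironmentName $ppEnv.EnvironmentName `
    -CurrencyName $Currency -LanguageName $LanguageLcid -WaitUntilFinished $true | Out-Null

$envDetails  = Get-AdminPowerAppEnvironment -EnvironmentName $ppEnv.EnvironmentName
$instanceUrl = $envDetails.Internal.properties.linkedEnvironmentMetadata.instanceUrl.TrimEnd('/')
$api         = "$instanceUrl/api/data/v9.2"
$headers     = @{
    Authorization      = "Bearer $dvToken"
    'OData-MaxVersion' = '4.0'
    'OData-Version'    = '4.0'
    Accept             = 'application/json'
    'Content-Type'     = 'application/json'
    Prefer             = 'return=representation'   # POST then returns the created record
}

# 4. Group team bound to the Entra group, created in the root business unit
#    (teamtype 2 = Entra ID security group, membershiptype 1 = members only, no guests).
$rootBu = (Invoke-RestMethod -Method Get -Headers $headers `
            -Uri "$api/businessunits?`$select=businessunitid&`$filter=parentbusinessunitid eq null").value[0]
$teamBody = @{
    name                         = "PP-$ProjectName-Users"
    teamtype                     = 2
    membershiptype               = 1
    azureactivedirectoryobjectid = $group.Id
    'businessunitid@odata.bind'  = "/businessunits($($rootBu.businessunitid))"
} | ConvertTo-Json
$team = Invoke-RestMethod -Method Post -Headers $headers -Uri "$api/teams" -Body $teamBody

# 5. Attach the security role to the team. Every group member inherits it, and removing
#    someone from the Entra group removes the access with no per-user clean-up in Dataverse.
$role = (Invoke-RestMethod -Method Get -Headers $headers `
          -Uri "$api/roles?`$select=roleid&`$filter=name eq '$RoleName' and _businessunitid_value eq $($rootBu.businessunitid)").value[0]
$ref = @{ '@odata.id' = "$api/roles($($role.roleid))" } | ConvertTo-Json
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$api/teams($($team.teamid))/teamroles_association/`$ref" -Body $ref | Out-Null

# 6. Links for the notification to the requester.
Write-Host "Environment '$ProjectName' is ready: $instanceUrl"
Write-Host "Maker portal: https://make.powerapps.com/environments/$($ppEnv.EnvironmentName)/home"
Write-Host "Adjust members in Entra ID group $($group.DisplayName) ($($group.Id))"
```

The role is granted to the group team rather than to individual users, so membership changes in the Entra ID group are the only thing that needs maintaining afterwards; the `Basic User` role is an assumption here and should be whatever least-privilege role the project actually needs.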
I remember having problems with multiple phases of the project. I could not assign permissions if I had already created the database. Some configuration things had to be done to the environment before creating the database. In some cases I went to the CoE Starter Kit solution's Power Automate flows to see how they had done it.
Afterwards it felt like quite a simple procedure
As usual, every complex thing tends to feel that way after you have figured out the hard part and solved the problems. This is why problems should be solved immediately, because after the next corner there is another one. You don't want them to pile up 😉