Manage website security from the Power Platform admin center (preview)

[This topic is pre-release documentation and is subject to change.]

Use the Power Platform admin center to monitor the security status of the websites in your tenant. You can also see key information such as how many sites have Web Application Firewall (WAF) disabled or how many sites have external authentication enabled.

Important

  • This feature is a preview feature.
  • Preview features aren’t meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback.

To monitor website security for all websites in your tenant:

  1. Sign in to the Power Platform admin center.

  2. On the left pane, select Resources, and then select Power Pages sites.

  3. Select Security (preview) tab.

    A screenshot of Power Platform admin center security tab.

Anonymous access enabled

Anonymous access enabled shows the number of websites where anonymous access is allowed for certain tables in Microsoft Dataverse. It means that these sites have at least one table permission that allows anonymous users to have access to the data. For more information, go to Table permissions.

Select View details to review the anonymous access setting for each website.

Web Application Firewall disabled

Web Application Firewall disabled shows the number of production websites where Web Application Firewall (WAF) is disabled.

Enabling WAF improves the security of your website and Microsoft recommends enabling WAF. For more information, go to Enable Web Application Firewall for a website.

Select View details to review the WAF setting for each website.

External authentication enabled

External authentication enabled shows the number of websites where there is at least one authentication provider enabled which isn't Microsoft Entra ID allowing access to Dataverse data. for more information, go to Authentication providers.

Select View details to review the external authentication configuration for each website.

Site security health

Site security health dashboard gives you a summary of the websites in your organization related to security status. The security status of a website is determined based on certain security checks that are run for each website. For more information, go to Security site checker.

The security health is calculated by looking at various configuration parameters and identifying common issues. These checks aren't exhaustive and we recommend you continue following website security best practices.

The criteria for classifying security health into Standard, Enhanced and Advanced is outlined in the table provided. This criteria might change during the feature preview and before the feature is generally available.

Health status Description
Standard This status means that less than 33% of the security checks for this website are in Pass state.
Enhanced This status means that more than 33% of the security checks for this website are in Pass state.
Advanced This status means that more than 66% of the security checks for this website are in Pass state.
No results This status means that security checker isn't being run, or the site configurations don't allow checks to be run. Such as, a site that has an IP restriction setup, or a site that is stopped. To resolve, run the site checker from Power Platform Admin Center. Site checker doesn't work if a website has IP address restrictions.

Select View to review the security checker results.

The checks are flagged as Warning when the configurations aren't the same as what Microsoft recommends. There can be cases where your business needs demand the sites to be configured in a way that isn't in the Recommended state.

Authentication providers

Authentication providers shows the list of all authentication providers that are used across the websites in your tenant, along with the count of all websites in which they're used.

Select Review to see the list of websites where the specific authentication provider is used.

Frequently Asked Questions

In this section, find answers to frequently asked questions related to managing website security using Power Platform admin center.

How frequently is the data refreshed?

Security checks are run against all websites in your tenant, once every day automatically. The insights and security status are refreshed after every run. The most current update for the results can be seen on the top right corner of the page.

You can also manually refresh the security status on-demand by selecting Refresh.

Who can view the security dashboard?

You must have one of the following roles to view website security using Power Platform admin center:

  • Global administrator
  • Dynamics 365 administrator
  • Power Platform administrator
  • System administrator (can only see websites for the environments of which they're a system administrator)

Next steps

Configure site details

See also