This article provides a security checklist for key activities essential to maintaining a secure Power Platform environment. It summarizes the articles in this section into an action plan and covers activities such as data protection, threat detection, identity and access management, and compliance with regulatory standards. By following this checklist, administrators and security professionals can ensure that their Power Platform deployments are robust, resilient, and aligned with best practices. Whether you're setting up new environments or enhancing existing ones, this guide helps you implement effective security measures to protect your organization's data and applications.
Security posture management
| Done? | Task |
|---|---|
| ✓ | Understand the responsibilities of the service provider as a data processor and the customer responsibilities as the owner and data controller. Make sure both sides comply with the relevant laws and regulations. Familiarize yourself with Power Platform's architecture, including environments, connectors, Dataverse, Power Apps, Power Automate, and Copilot Studio. |
| ✓ | Understand your security requirements and assess your existing security measures, tools, and practices to identify gaps and areas for improvement. Create a security baseline aligned with compliance requirements and industry standards. |
| ✓ | Review the Security page in the Power Platform admin center and assess recommended actions to improve the security score. |
| ✓ | Educate makers and developers on security, compliance, and privacy best practices. Ensure training materials are easily accessible through a central source like a SharePoint site or wiki. |
| ✓ | Define and test incident response plans. Ensure clear roles and responsibilities for handling security incidents. |
| ✓ | Regularly review and update security policies to adapt to changing threats and business needs. |
Threat protection
| Done? | Task |
|---|---|
| ✓ | Use the Power Platform admin center and Microsoft Sentinel to track user activities. Conduct regular audits to detect anomalies and ensure compliance. |
| ✓ | Configure Microsoft Sentinel and set up alerts for suspicious activities and policy violations. |
| ✓ | Monitor identity-related risk events on potentially compromised identities and remediate those risks. |
| ✓ | Investigate security incidents thoroughly to understand the root cause and impact. Use the findings to improve threat detection and response strategies. |
| ✓ | Define and test incident response plans. Define clear roles and responsibilities for handling security incidents. |
Data protection and privacy
| Done? | Task |
|---|---|
| ✓ | Create DLP policies to control data flow between connectors and environments. Regularly review and update DLP policies to align with security requirements. |
| ✓ | Consider using customer-managed keys for additional control over encryption. |
| ✓ | Incorporate privacy considerations into the design and development of applications. Ensure privacy is a fundamental aspect of your development process. |
| ✓ | Configure tenant isolation to control and restrict data access between different tenants. |
| ✓ | Evaluate and configure network security features like IP firewall and Virtual Network. |
| ✓ | Set up Microsoft Purview to discover, classify, and manage sensitive data across your Power Platform environment. |
| ✓ | Use Dataverse's built-in RBAC security model to manage user permissions and access to data effectively. Implement field-level security, hierarchical security, and team-based security to enhance data protection. |
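One way to carry out the "regularly review DLP policies" and "configure tenant isolation" tasks above as a repeatable read-only check, written as an added example that is not part of this article. It uses the Get-DlpPolicy, Get-AdminPowerAppEnvironment and Get-PowerAppTenantIsolationPolicy cmdlets of the Microsoft.PowerApps.Administration.PowerShell module; the property names it reads from their output (EnvironmentType, Environments, ConnectorGroups, DefaultConnectorsClassification, properties.isDisabled, properties.allowedTenants) are assumptions taken from the module's JSON output and should be verified against your module version.

```powershell
# Added example, not from the article. Requires the
# Microsoft.PowerApps.Administration.PowerShell module and an admin sign-in.
# Output property names used below are assumed; verify them for your version.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount

$policies     = @(Get-DlpPolicy)
$environments = @(Get-AdminPowerAppEnvironment)

# Does at least one DLP policy apply to the given environment name (GUID)?
function Test-DlpCoverage {
    param([string]$EnvironmentName)
    foreach ($p in $policies) {
        $listed = @($p.Environments | ForEach-Object { $_.name }) -contains $EnvironmentName
        switch ($p.EnvironmentType) {
            'AllEnvironments'    { return $true }
            'OnlyEnvironments'   { if ($listed)      { return $true } }
            'ExceptEnvironments' { if (-not $listed) { return $true } }
        }
    }
    return $false
}

# 1. Environments with no DLP policy at all: every connector is usable there.
foreach ($env in $environments) {
    if (-not (Test-DlpCoverage -EnvironmentName $env.EnvironmentName)) {
        Write-Warning "No DLP policy covers '$($env.DisplayName)' ($($env.EnvironmentName))"
    }
}

# 2. Policies that do not block newly released connectors by default, plus
#    a count of explicitly blocked connectors per policy.
foreach ($p in $policies) {
    if ($p.DefaultConnectorsClassification -ne 'Blocked') {
        Write-Warning "Policy '$($p.DisplayName)' places new connectors in '$($p.DefaultConnectorsClassification)'"
    }
    $blockedGroup = $p.ConnectorGroups | Where-Object { $_.classification -eq 'Blocked' }
    $blockedCount = if ($blockedGroup) { @($blockedGroup.connectors).Count } else { 0 }
    Write-Output ("Policy '{0}': {1} connector(s) blocked" -f $p.DisplayName, $blockedCount)
}

# 3. Tenant isolation: disabled means cross-tenant connections are unrestricted.
$iso = Get-PowerAppTenantIsolationPolicy
if ($iso.properties.isDisabled) {
    Write-Warning 'Tenant isolation is disabled'
} else {
    foreach ($t in $iso.properties.allowedTenants) {
        Write-Output ("Allowed tenant {0}: inbound={1} outbound={2}" -f $t.tenantId, $t.direction.inbound, $t.direction.outbound)
    }
}
```

Run it on a schedule and treat each warning as a review item; the script only reads configuration and changes nothing.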
Identity and access management
| Done? | Task |
|---|---|
| ✓ | Create an identity management strategy that covers user access, service accounts, application users, federation requirements for single sign-on, and conditional access policies. |
| ✓ | Create administrative access policies for different admin roles on the platform, such as service admin and Microsoft 365 admin. |
| ✓ | Have the necessary controls to manage access to specific environments. |
| ✓ | Assign roles and permissions based on the principle of least privilege. Use security roles to manage access efficiently. |
Compliance
| Done? | Task |
|---|---|
| ✓ | Determine which regulatory standards apply to your organization (for example, GDPR, HIPAA, CCPA, PCI Data Security Standard). Understand the specific requirements and obligations of each regulation. |
| ✓ | Use the Power Platform admin center and Microsoft Sentinel to track user activities. Conduct regular audits to detect anomalies and ensure compliance with regulatory standards. |
| ✓ | Educate makers and developers on regulatory requirements and compliance best practices. |
| ✓ | Maintain detailed records of compliance efforts, including policies, procedures, and audit logs. Ensure documentation is up to date and readily available for regulatory audits. |
Workload security
| Done? | Task |
|---|---|
| ✓ | Apply security guidance to your architecture to guard the confidentiality, integrity, and availability of your data and systems. Review the security recommendations of the Power Platform Well-Architected guidance to ensure your workload is resilient to attacks and incorporates the interrelated security principles of confidentiality, integrity, and availability (also known as the CIA triad) in addition to meeting business goals. |