Secure your Power Pages
Power Pages let internal and external users access Dataverse data through external-facing websites. You can expose your data to anyone—that is, to anonymous users—or only to authenticated users. For example, you can create a landing page or a home page that anyone can see, or a page that's only for users in your organization. To secure your Power Pages sites, you need to use authentication and authorization.
Authentication
Authentication verifies the identity of the users who access your Power Pages sites. All users, internal and external, must exist as contacts in Dataverse. Power Pages supports Microsoft Entra ID, Azure B2C, ADFS, and non-Microsoft providers such as LinkedIn, Facebook, and Google. Learn how to configure authentication in Power Pages.
Azure B2C is the preferred authentication provider for Power Pages. It separates authentication from authorization and supports non-Microsoft authentication providers such as LinkedIn, Facebook, Google, and many more with custom policies. Use Azure B2C as a bridge to other identity providers because it supports more options, and Microsoft won't duplicate these investments in Power Pages.
For B2B scenarios, consider guest users with Microsoft Entra ID authentication. Learn more about B2B collaboration.
Note
Azure Active Directory is now Microsoft Entra ID. Learn more
Sign-up
You can control how users sign up for your Power Pages sites in two common ways:
Open registration lets anyone sign up for your Power Pages site by providing a user identity. A new contact is created in Dataverse when a user signs up.
Invitation lets you invite contacts to your Power Pages through customized emails that you create in Dataverse. The contacts you invite receive an email with a link to your Power Pages site and an invitation code.
Authorization
Authorization controls the access to data and web pages in your Power Pages sites. You manage authorization through web roles.
Web roles
Web roles let you assign special actions and access rights to users. They're similar to security roles in Dynamics 365 apps. A contact can have multiple web roles.
A Power Pages website can have multiple web roles, but can only have one default role for authenticated users and one for anonymous users.
Web roles control the following permissions:
Dataverse table permissions let you access individual records in the Dataverse tables. You can set a scope for access, such as global, contact level, account level, and parental level. You can also control the access to a record, such as read, write, delete, and append.
Page permissions let you access Power Pages web pages. For example, you can make pages available to anyone or restrict access to users who have specific roles.
Website access permissions let Power Pages site users manage some portal contents, such as content snippets and weblink sets.
Learn more at Power Pages security.
Other security options
In addition to authentication and authorization, you can use other security options to protect your Power Pages sites:
Consider Microsoft Entra External ID to control access to your Power Pages sites.
You can use WAF (Web Application Firewall) to enhance your perimeter security.
Next steps
- Learn about security features in finance and operations apps
- Learn how to make security a priority from day one
- Use the Success by Design security checklist to help identify and prioritize key requirements and implementation activities in the areas of privacy and compliance, identity and access, and application security