- Slides: 32
MN PowerApps & Flow User Group May 2, 2019 WiFi: RBA_Guest Pswd: !Welcome!
CONNECT WITH US
• www.powerplatformug.com/minneapolis
• Twitter: @mnpowerappsflow
• LinkedIn: Minnesota PowerApps & Flow User Group
Monthly on the 3rd Thursday from 9 to 11:30 am
UPCOMING EVENTS
• May 7 – App in a Day at MTC
• May 8 – MN SharePoint User Group – O365 Search with Doug Splinter
• May 17 – Microsoft 365 Admin Workshop Day at MTC
• May 21-23 – SharePoint Conference North America – Las Vegas
• June 10 – MN 365 User Group
• June 12 – MN SharePoint User Group
• June 20 – MN PowerApps & Flow User Group
TODAY’S AGENDA
• Welcome!
• Survey and Swag!
• Power Platform Governance & Security – Cody Billings
• Break
• PowerApps – Canvas App from Scratch – Joel Roetzer
• Questions and Answers
• Giveaway
Power Platform Security and Governance
Cody Billings, CISSP
Managing Principal for CI/DO | RBA Board of Directors | M365 MN User Group
Cody is an expert in applying technology to solve business problems. He has over 20 years of experience in the IT industry, having worked on both sides of the fence as an employee and a consultant. He takes the time to understand the needs of your business, then designs and implements solutions that fit your requirements. Cody is often seen working on the most complex projects, adding his specialist skills in identity management, security, and cloud computing.
Recent Experience
• Cloud Infrastructure Architect: Providing Office 365 thought leadership to several enterprises of varying size (100 to 50k+). Specializing in initial onboarding, continuing adoption, mergers & acquisitions, and security hardening associated with Office 365.
• Infrastructure Architect: Assessed the legacy environment, then envisioned, designed, and implemented a new Active Directory infrastructure. Designed and implemented the migration framework that was used. Led the company-wide migration to the client’s new Active Directory and Exchange infrastructure.
• Infrastructure Architect: Responsible for envisioning, designing, and implementing a new HIPAA-compliant, defense-in-depth application hosting DMZ which included separate environments for development, test, and user testing purposes.
Skills/Expertise
• Infrastructure Architecture
• Strategic and Tactical Planning
• Microsoft Cloud Stack: Infrastructure (Enterprise Mobility + Security, Office 365, Microsoft Operations Management Suite, Microsoft Azure IaaS)
• Microsoft On-Premise Stack: Infrastructure (Active Directory, PKI, Federation/SSO)
• Quest Migration Manager for Active Directory and ODME
• BitTitan Migration Stack
Platforms to Consider
Establishing PowerApps and Flow in Your Organization
As you are getting your feet under you in the Power Platform, I recommend the following:
• Build out some business justification facts for these platforms
  • Forrester Total Economic Impact Study (June 2018)
• Choose your platform consumption strategy
  • IT-driven development
  • Citizen development
• Establish Platform Access Methodology
  • License Control
  • Conditional Access
  • Intune App Protection
• Establish Security Baseline for Power Platform
  • Monitoring
  • DLP
  • Gateway Administration
  • Environment Isolation
  • RBAC
Business Justification Strategy
Business Justification and Cost Analysis
Highlights of Forrester’s TEI for PowerApps and Flow
• The average cost to develop an application is 70% less with PowerApps and Flow
• PowerApps and Flow increase process automation and efficiencies
• If you already use Dynamics CRM and SharePoint, you get more out of those platforms by using PowerApps and Flow
• You can utilize the same security framework as your other M365 platforms
https://buff.ly/2vyeNbC
Choosing Your Platform Consumption Strategy
Platform Consumption Strategy
Two Primary Choices
• IT-Controlled Development
• Citizen Development
IT-Controlled Development
Benefits
• Consistent development methodologies
• Consistent support structure
• Better alignment with Infosec
Drawbacks
• Perception that “IT gets in the way”
• How to pay for this? Chargeback structure? Additional overhead, etc.
Citizen Development
Benefits
• It’s hot! It’s wow! It’s now!
• “The next frontier for IT innovation”
• Power users that were managing several sources of unstructured data have a platform they can leverage to consolidate and access their data!
• Get rid of those “40 Excel sheets and two Access databases” solutions
Drawbacks
• Inconsistent development standards and practices
• “Why did he do it like that?”
• IT can be called in to “save the day” for application support when the citizen developer is no longer available, or when the citizen developer gets “out of one’s depth”.
How to Decide?
There is no uniform recommendation to make. Each organization will have to make their own choices. Consider:
• Develop a Center of Practice (mix of IT and citizen developers)
• Sensitivity of data being accessed by the platforms
  • This data may be segregated for good reasons!
• Have “Leading Questions” for business units that want to begin using PowerApps and Flow
Engaging People who are Interested in using PowerApps
Leading Questions
• Who are the owners of the app?
• Will you be able to develop a staging and production version of this application?
• What connectors will you be using?
• Do you require connecting to on-premises data sources?
• Do you plan on using the Common Data Service (CDS) for this app?
• Is the application dependent on any other existing applications or external services?
• Are there different security roles for different types of app users?
• Is there any existing data that must be migrated to different systems or platforms as part of this development effort?
• Who will be testing the application?
• How will users report problems or request enhancements?
• How frequently do you plan to update the app?
Establish Platform Access Methodology
How to Control Access to the Power Platform
Here are some practical methods to control access to PowerApps, Power BI, and Flow:
• License Control
• Azure AD Conditional Access
• Intune App Protection Policies
License
Controlling access via license distribution is one method.
Plan | Description
Office 365 Included | Extend SharePoint and other Office assets you already have
Dynamics 365 Included | Customize and extend Dynamics 365 apps you already have (is P2+ license)
PowerApps P1 | Upgrade to premium connectors and the Common Data Service
PowerApps P2 | Upgrade to use robust business logic across application types & enable administration capabilities
Trial licenses are an issue that must be addressed! Disable ad hoc (self-service trial) subscriptions in the tenant:
Set-MsolCompanySettings -AllowAdHocSubscriptions $false
Azure AD Conditional Access
Access to the Power Platform can be controlled via Azure AD Conditional Access (AAD Premium P1 required).
Intune App Protection
Access to the Power Platform can be controlled via Intune App Protection Policies!
Establish Security Baseline for the Power Platform
How can I monitor app/flow creation…
# | Ask | Today’s capability
1 | How can I get a report of all users that have access to PowerApps or Flow? | Download license report
2 | How can I automate a report of all activity in my company for reporting & BI purposes? | 1. PowerShell cmdlets + sample script 2. Admin connectors + flow template
3 | How can I observe logs for all events for analytics and audit purposes? | Flow and PowerApps maker & admin operations are logged as activity log events
4 | How can I measure adoption of the Power Platform, add proactive monitoring, and troubleshoot/diagnose issues? | 1. PowerApps and Flow admin analytics reports (in preview) 2. Flow events triggered off of activity logs
Use Flow to Monitor… PowerApps and Flow!
# | Ask | Today’s capability
1 | How do I restrict app/flow creation in the default environment? | Reactive – Flow (aka.ms/restrictappcreators)
2 | How do I throttle environment creation? | Reactive – Flow (aka.ms/restrictedenvcreators)
3 | How do I control which apps are shared to a tenant? | Reactive – Flow
4 | How do I prevent use of a connector before it’s approved to be used? | Reactive – Flow (aka.ms/newconnectornotification)
5 | How do I control who can use a connector? | Reactive – Flow (aka.ms/restrictflowconnector, aka.ms/restrictappconnector)
6 | How do I control access to data in a service in scope for a user’s job but prevent access to data out of scope of their job? E.g. allow access to enterprise storage in Box but prevent access to personal storage in Box. | N/A – DLP only provides control at the connector level. But you can automate DLP policy creation (aka.ms/dlppowershellscript)
7 | How do I enable an app to only read data through certain connectors and not write? E.g. read-only from Twitter and write to SharePoint. | N/A (but planned by June ’19, along with respecting Data Classification rules)
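The “Reactive – Flow” answers in rows 1 and 4 above boil down to watching the activity log after the fact. As an added example (not code from the slides or from Microsoft’s flow templates), here is that detection logic in Python over constructed audit records; the field names loosely follow the Office 365 audit log for Flow and PowerApps but are an assumption, as are the default environment name, the approved-maker list and the approved-connector list.

```python
import json
from typing import Dict, List

# Constructed sample activity-log records (JSON lines). Field names loosely
# follow the Office 365 unified audit log schema for Flow and PowerApps; treat
# the exact schema as an assumption, not a guarantee of the real export format.
SAMPLE_LOG = """
{"Workload": "MicrosoftFlow", "Operation": "CreateFlow", "UserId": "alice@contoso.example", "EnvironmentName": "Default-Contoso", "FlowConnectorNames": ["shared_sharepointonline"]}
{"Workload": "MicrosoftFlow", "Operation": "CreateFlow", "UserId": "bob@contoso.example", "EnvironmentName": "Finance-Prod", "FlowConnectorNames": ["shared_sql", "shared_twitter"]}
{"Workload": "PowerApps", "Operation": "CreatePowerApp", "UserId": "carol@contoso.example", "EnvironmentName": "Default-Contoso", "AppName": "Expense Tracker"}
{"Workload": "PowerApps", "Operation": "LaunchPowerApp", "UserId": "dave@contoso.example", "EnvironmentName": "Default-Contoso", "AppName": "Expense Tracker"}
"""

DEFAULT_ENV = "Default-Contoso"                # assumed name of the tenant's default environment
APPROVED_MAKERS = {"alice@contoso.example"}    # makers allowed to create in the default env
APPROVED_CONNECTORS = {"shared_sharepointonline", "shared_sql", "shared_office365"}
CREATE_OPS = {"CreateFlow", "CreatePowerApp"}  # the operations the two checks care about


def parse_log(text: str) -> List[Dict]:
    """Parse a JSON-lines audit export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_events(events: List[Dict]) -> List[Dict]:
    """Return one finding per policy deviation, in log order. This is reactive:
    the app or flow already exists when the event is seen, so each finding is a
    follow-up task for the admin, not a block."""
    findings = []
    for e in events:
        op = e.get("Operation")
        if op not in CREATE_OPS:
            continue  # launches, edits and shares are out of scope for these two checks
        user = e.get("UserId", "<unknown>")
        # Row 1 (aka.ms/restrictappcreators): creation in the default environment
        if e.get("EnvironmentName") == DEFAULT_ENV and user not in APPROVED_MAKERS:
            findings.append({"rule": "default-env-creator", "user": user, "operation": op})
        # Row 4 (aka.ms/newconnectornotification): a connector nobody has approved yet
        for connector in e.get("FlowConnectorNames", []):
            if connector not in APPROVED_CONNECTORS:
                findings.append({"rule": "unapproved-connector", "user": user, "connector": connector})
    return findings


if __name__ == "__main__":
    for finding in review_events(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample records this yields two findings: bob’s flow uses the unapproved Twitter connector, and carol created an app in the default environment without being an approved maker; dave’s launch event is ignored.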
Prevent data leakage with DLP policies
Data loss prevention (DLP) policies enforce rules for which connectors can be used together by classifying connectors as either Business data only or No business data allowed. Simply put, if you put a connector in the Business data only group, it can only be used with other connectors from that group in the same app. Tenant admins can define policies that apply to all environments.
Connector Isolation DLP Policies
There is no way to blacklist or whitelist connectors today; our only option is to mitigate using DLP isolation rules. Far from a perfect solution, but this is all we have.
Gateway Administration – New (Preview) Capabilities!
Previously you could not see gateways unless they were shared with you. Power Platform Analytics to the rescue! https://admin.powerplatform.microsoft.com – another portal… yay?
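To make the grouping rule concrete, here is an added example (not Microsoft’s DLP engine and not the script behind aka.ms/dlppowershellscript) that models a classic DLP policy in Python and evaluates which connector combinations an app may use; it also shows why the Box and read-only cases in the previous table cannot be expressed. The connector names, the tenant policy, and the assumption that connectors not named in the policy fall into the No business data allowed group are constructed for the example; check the default group in your own tenant.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DlpPolicy:
    """Classic Power Platform DLP policy: every connector sits in exactly one group."""
    business: Set[str]                                    # "Business data only" group
    non_business: Set[str] = field(default_factory=set)   # "No business data allowed" group
    default_group: str = "non_business"                   # assumed landing group for unlisted connectors

    def group_of(self, connector: str) -> str:
        if connector in self.business:
            return "business"
        if connector in self.non_business:
            return "non_business"
        return self.default_group


def evaluate_app(policy: DlpPolicy, connectors: List[str]) -> Dict[str, object]:
    """An app or flow passes only if all of its connectors fall in the same DLP group.
    The policy knows nothing about direction (read vs. write) or about which
    account a connector reaches, so those distinctions cannot be enforced here."""
    groups = {c: policy.group_of(c) for c in connectors}
    return {"allowed": len(set(groups.values())) <= 1, "groups": groups}


# Constructed tenant policy: SharePoint and SQL hold business data; Twitter may not touch it.
POLICY = DlpPolicy(business={"shared_sharepointonline", "shared_sql"},
                   non_business={"shared_twitter"})


def demo() -> Dict[str, bool]:
    """Three apps evaluated against POLICY."""
    return {
        # both connectors in the business group: allowed
        "sharepoint+sql": evaluate_app(POLICY, ["shared_sharepointonline", "shared_sql"])["allowed"],
        # business and non-business mixed in one app: blocked
        "sharepoint+twitter": evaluate_app(POLICY, ["shared_sharepointonline", "shared_twitter"])["allowed"],
        # Box is not named in the policy, so it lands in the default group and is
        # blocked next to SQL; enterprise vs. personal Box storage is invisible to DLP
        "box+sql": evaluate_app(POLICY, ["shared_box", "shared_sql"])["allowed"],
    }


if __name__ == "__main__":
    print(demo())
```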
Environment Isolation
Consider an Environment Isolation Strategy
Benefits
• Get developers and users out of the Default Environment!
• Take advantage of the RBAC model
• Isolate security liabilities like the SQL connector into an isolated environment
Drawbacks
• Additional infrastructure may be needed
• Putting a gateway in an isolated environment requires a Microsoft ticket… for now
Environment Isolation: RBAC Overview
• The Environment Admin role (or System Administrator role) can perform all administrative actions on an environment, including the following:
  • Add or remove a user from either the Environment Admin or Environment Maker role.
  • Provision a Common Data Service database for the environment.
  • View and manage all resources created within an environment.
  • Set data loss prevention policies.
• The Environment Maker role can create resources within an environment including apps, connections, custom connectors, gateways, and flows using Microsoft Flow. Environment Makers can also distribute the apps they build in an environment to other users in your organization. They can share the app with individual users, security groups, or all users in the organization.
• MS is releasing preview features such as the PowerApps Admin Analytics which require Global Administrator plus PowerApps P2 licensing, which makes things very difficult for us here…
Control capabilities: Teams Channel Examples