Restricting Environment Creation in Power Apps and Microsoft Flow
Environments are an important governance tool inside of Microsoft Power Apps and Microsoft Flow (now known as Power Automate). Environments isolate apps and flows from another. They also support traditional environment design where organizations will have Development, Test and Production environments.
Data Loss Prevention (DLP) policies also have an impact on environments. Since DLP policies restrict what connectors can be used together, they provide another governance layer on top of environments. DLP polices can be established against individual environments or across a tenant. This behavior may then cause concerns for some organizations if they have chosen not to have tenant-wide DLP policies. The reason being that any new environment that is created, will be created without a DLP policy which means that business and non-business connectors may be used together, and data leakage may occur.
Having too many environments also creates ‘visibility’ challenges for organizations. For example, much of the Admin Analytics that are available today are focused on environments. If organizations have 10s or 100s of environments, it will become very difficult for administrators to understand exactly how Power Apps and Power Automate is being used in the organization.
Environments are also bound to specific Azure regions. This is very important for some organizations who need to respect specific data privacy regulations. As a result, you want some clear governance on who is creating environments.
Microsoft now provides the ability to restrict who, within an organization, can create environments. By default, Everyone can create both production and trial environments. Alternatively, Microsoft provides the ability to restrict to Only specific admins. When Microsoft refers to specific admins, they are referring to
• Office 365 Global admins
• Service admins
• Delegated admins
These settings are controlled from the Power Platform Admin Center and can be accessed by clicking on the Gear icon.
Once clicked, an administrator can choose to restrict environment creation to specific admins.
There is no good reason for allowing everyone to create environments. It leads to unmanageable sprawl for most organizations. However, for some organizations they want control, but they also want some flexibility. This flexibility can come from Power Automate and the Power Platform Management Connectors. An administrator can restrict environment creation to just admins through the steps we just discussed. But, they can provide a Microsoft Forms or Power Apps form that people can request an environment to be created. Power Automate can then receive these requests and start an approval. If the administrator feels the environment is required, the approval can be granted, and the environment automatically created through the Power Platform Management Connector. This approach balances governance with productivity.