Introducing PowerApps admin center
Enterprises use PowerApps to create business apps involving data and other resources that are critical for the enterprise and need to be restricted to a specific audience. An admin role is critical in order to establish boundaries and policies around the use of PowerApps in their organization. Introducing PowerApps admin center, which provides features to help admins achieve these tasks. Today, with the admin center you can create and manage environments for your organization, databases (with access control for the DBs) and data policies.
Accessing PowerApps admin center
The admin center is geared to tenant admins(including O365 Global admins) and environment admins and can be accessed from powerapps.com. Visit the admin center from the gear in the navigation header.
Please note that any changes you make in PowerApps Admin center will impact the Flow Admin center and vice versa. You need either a PowerApps Plan 2 or Flow Plan 2 to access the admin center. Learn more
Environment is a space to store, manage, and share your organization’s business data, apps, and flows. They also serve as containers to separate apps that may have different roles, security requirements, or target audiences. How you choose to use environments depends on your organization and the apps you are trying to build, for example:
- You may choose to only build your apps in a single environment.
- You might create separate environments that group the Test and Production versions of your apps.
- You might create separate environments that correspond to specific teams or departments in your company, each containing the relevant data and apps for each audience.
- You might also create separate environments for different global branches of your company.
You can read about environments in detail here.
When you land on the admin center, you arrive in the Environments tab and will see the list of all environments you are admin for (as shown below)
A tenant admin is an admin for all the environments in tenant. Hence, tenant admin will see all the environments in the AD tenant.
Create a new environment
Click on + New environment to launch a modal dialogue and create an environment
You can create an environment in a specific region. With this all your data, apps, flows, and connections will reside in that specific region, which can improve performance for app users closer to the region.
Currently, an environment can’t be renamed or deleted.
In an environment, all the users in the Azure AD tenant are users of that environment. However, for them to play a more privileged role or have access to certain set of data, they need to be added to permission groups. Select the environment where you want to update user permissions
Go to the Security tab where you can set environment and database permissions
An environment admin can set policies and overall govern the environment and environment maker can create PowerApps, flows and other resources in the environment. The image below shows the experience for adding more users or security group (from Azure AD Tenant) as environment admins or makers.
Similarly, you can set the database permissions and also create permission sets. Learn about it here.
Currently we have two predefined roles “Database owner” and “System user”. These roles are only relevant if an admin has chosen to “restrict” their database.We will be adding functionality of defining custom roles in future.
- Modifying the permission to an app or other resources in an environment is currently available from the PowerApps.com Learn more
- Adding users in the tenant can be done using Office 365 Admin center.
Create a database
From the Database tab, you can create a database as part of the Common Data Service feature in PowerApps.
If you have already have a database, then you can “restrict” or “open” the access of the database.
An organization’s data needs to be protected so that it isn’t shared with audiences that should not have access to it. To protect this data, you can create and enforce policies that define which consumer services and connectors specific business data can be shared with. These policies that define how data can be shared are referred to as data loss prevention (DLP) policies.
Create a data policy
Visit the Data Policies tab in the admin center
Let’s create a new DLP policy
Choose an environment where this policy gets applied to. If you are a tenant admin, you can apply the policies to all or multiple environments.
As a next step, we need to define data groups. There will be certain data that is critical for business and needs to be protected. All those data sources e.g. SharePoint, SQL, etc. can go in the Business data group and those that do not contain protected information would go to No business data group.
Once you set the policy, a environment user creating an app will not be able to add connections from both Business data only group and No-business data allowed group. e.g from the above example, an app can’t have SharePoint connection and OneDrive connection, but can have SharePoint and Dynamics CRM connections in the same app. Please note that this restriction gets applied in the PowerApps Studio for Windows from version 2.0.540 and newer. It is very much applicable in PowerApps Studio for web.
Go ahead and try the admin experience now!