Secure Data from Internal Data Leaks and Disgruntled Employees 

• How can I minimize user access to sensitive data in my applications? 

Microsoft Purview Information Protection establishes protection across environments and provides ways to combine data sets to be defined that allow data collaboration. Microsoft Purview‘s data classification allows you to protect your data based on data sensitivity/classification and prevent sensitive data from falling into the wrong hands. IT professionals and administrators can designate containers (Dataverse environments) and folders (data entities) with data sensitivity that can define the boundaries for that data in the organization. The platform also provides additional security using Role-Based Access (RBAC) that system administrators can configure to further lock down access to your organization’s tables in the system. Dataverse uses Azure AD identity and access management mechanisms to help ensure that only authorized users can access the environment, data, and reports. 

• How can I ensure users have the right privileges necessary to access a Dataverse environment? 

Dataverse uses role-based security to group together a collection of privileges. These security roles can be associated directly with users, or they can be associated with Dataverse teams and business units. These privileges provide users access to records.  Secure data and ensure users have the least privilege necessary through Dataverse authorization and data level security roles that define row, field, hierarchical, and group protection.  

• How can I make sure users do not have the ability to intentionally leak or allow others to easily access and leak sensitive data in my environment? 

Dataverse provides features that you can easily configure and set up to stop users from data leaking or accidentally providing access to the system. Data Loss Prevention Policies are one way to do this. You can create data loss prevention (DLP) policies that can act as guardrails to help prevent users from unintentionally exposing organizational data.   

Protect, Detect & Respond to Internal Client Threats 

Protect 

We recommend the following preventative steps: 

• Leverage Dataverse Authorization to create the right group and individual access to collections and records. See how access to a record is determined in Dataverse for more details about how to set up the proper authorization model. 
• Use IP address-based cookie binding to block cookie replay attacks in Dataverse. 
• Restrict guest user access permissions through Azure Active Directory. 

• Limit IP surface area by configuring inbound and outbound rules within Power Platform. See Azure service tags overview for available service tags. 

Detect 

Take these steps to identify and locate possible issues: 

• Review audit logs in Azure Active Directory for public IP address access to your environment and to identify which users have authenticated to Dataverse. 

• Retrieve the history of audited data changes in Dataverse. 
• Review Microsoft 365 admin center activity reports. 
• Use Microsoft Dataverse usage reports. 
• Track user access of the Microsoft Power Platform. 
• Deep auditing for all data changes to detect tampering or manipulation and rich access/activity auditing for data exfiltration risks. 

Respond 

Follow these steps to execute an effective response: 

• Disable user from the environment (see delete users from environments). 
• Revoke user access in an emergency in Azure Active Directory.  

• Modify IP Firewall to meet your changing network requirements. 

Additional Resources

Learn more about Dataverse Security features and capabilities covered in the Microsoft Dataverse Security white paper.

The post Protecting Data with Dataverse Part 2: Security from Internal Threats (Users)   appeared first on Microsoft Power Platform Blog.

In this blog series, we will be covering how to protect data in Dataverse from external and internal threats (both from internal users and Microsoft). In today’s post, we will focus on protecting data from external threats.

Secure Data from Hackers and Malicious Intent

• How can I protect my data from unapproved access?

Dataverse handles authentication with Azure Active Directory (Azure AD) to allow for conditional access and multi-factor authentication. Dataverse also uses Azure AD identity and access management mechanisms to help ensure that only authorized users can access the environment, data, and reports. Conditional access and location awareness can help control access to environments by only allowing trusted devices, locations, and other conditions which can be evaluated for authentication. Essentially, conditional access helps to secure where users can sign into Dataverse environments and what devices they can use. Also, because Dataverse is built on Azure, it benefits from the Azure platform’s powerful security technologies. Encryption of data, both at rest and in transit, also preserves confidentiality.

• How can I quickly identify any threats or suspicious activity in the system?

Dataverse auditing provides ways for system admins to quickly set up audit tracking for their environment. The platform provides the ability to track and log activities that include CRUD operations, opening and viewing records, sharing records, and more. The logs can be easily accessed directly by the client without the need for additional reporting or the export of audit activity. It is important to note that read auditing is configured separately from Create, Update, or Delete as this audit trail may produce a lot of data. Please note, not all environments require read auditing. 

Protect, Detect & Respond to External Threats

Protect

We recommend the following preventative steps:

• Utilize Azure AD authentication to confirm identities of those logging into the system.
• Leverage conditional access authentication based on IP address, location, device, or other properties of the user’s authentication context.
• Enablement of auditing (including user access auditing) is a baseline for detections. Learn more about how tomanage Dataverse auditing. For a functional sample which tests the auditing, review audit user access.

Detect

Take these steps to identify and locate possible issues:

• Review audit logs in Azure Active Directory to identify which users have authenticated to Dataverse.
• Retrieve the history of audited data changes in Dataverse.
• Review Microsoft 365 admin center activity reports.
• Use Microsoft Dataverse usage reports.

Respond

Follow these steps to execute an effective response:

• Create a custom Logic App to handle your unique scenarios using Microsoft Sentinel SOAR.
• Modify the authorization settings for the Dataverse entity.
• M365 automations may be applicable in the case of an account compromise.

Additional Resources

Learn more about Dataverse Security features and capabilities covered in the Microsoft Dataverse Security white paper.

The post Protecting data with Dataverse appeared first on Microsoft Power Platform Blog.

Microsoft Dataverse is a cloud-based, low-code solution that lets you securely store and manage data that’s used by business applications. With your data stored in Microsoft Dataverse, there are many ways to access or modify it. You can work with the data natively with tools such as Power Apps or Power Automate, or through connectors and APIs you can link to Microsoft Dataverse from any business solution. Dataverse was built for powerful, scalable solutions. 

Security In Dataverse 

The goals of the Dataverse security models are as follows: 

• To provide users with the access only to the appropriate levels of information that is required to do their jobs. 
• To categorize users by role and restrict access based on those roles. 
• To support data sharing so that users and teams can be granted access to records that they do not own for a specified collaborative effort. 

• To prevent a user’s access to records the user does not own or share. 

Why Choose Dataverse? 

• Security: Dataverse handles authentication with Azure Active Directory (Azure AD) to allow for conditional access and multi-factor authentication. It also provides rich auditing capabilities. 

• Logic: Dataverse allows you to easily apply business logic at the data level. Regardless of how a user is interacting with the data, the same rules apply. These rules could be related to duplicate detection, business rules, workflows, or more. 
• Data: Dataverse offers you the control to shape your data, allowing you to discover, model, validate, and report on your data. This control ensures your data looks the way you want regardless of how it is used. 
• Storage: Dataverse stores your physical data in the Azure cloud. This cloud-based storage removes the burden of worrying about where your data lives or how it scales.  
• Integration: Dataverse connects in different ways to support your business needs. Data exports and other tools give you the flexibility to get data in and out. 
• Auditing: The Dataverse auditing feature is designed to meet the external and internal auditing, compliance, security, and governance policies that are common to many enterprises. 

• Data Loss Prevention: The Power Platform and Dataverse protects your data with Microsoft Data Loss Prevention (DLP) both data at rest and in transit. 

Building Secure Hybrid Environments 

As organizations accelerate the transition to the cloud there is a higher need and reliance on advanced technologies when making business and operational decisions.  

• Connected: From anywhere in the world and at any time, your workers can access cloud-based services and data in your Microsoft 365 subscription and organizational resources, such as those offered by on-premises application data centers. 
• Secure: Sign-ins are secured with multi-factor authentication (MFA) and built-in security features supported by Azure AD which helps protect against malware, malicious attacks, and data loss. 
• Managed: Your hybrid worker’s devices can be managed from the cloud with security settings, allowed apps, and compliance with system health. 
• Collaborative and productive: Your hybrid workers can be as productive as on-premises in a highly collaborative way with online meetings and chat sessions with Teams, shared workspaces for cloud-based file storage with global accessibility and real-time collaboration with SharePoint and OneDrive, and shared tasks and workflows to divide up the work and get things done. 

Additional resources:

• Learn more about Dataverse Security features and capabilities covered in the Microsoft Dataverse Security white paper.  
• Learn more about the other Microsoft cloud solutions to help you build unified and seamless experiences across platforms.  

• Microsoft Azure 
• Microsoft 365 
• Microsoft Dynamics 365 

• Learn more about available licenses by downloading the Dynamics 365 Licensing Guide 

The post Security in Microsoft Dataverse  appeared first on Microsoft Power Platform Blog.

We are excited to share with you all a new feature that provides Dynamics 365 records to users that search for information on Bing.com, Office.com and Sharepoint.com.  This makes it easy for a user to find the most relevant customer and business data stored in their Dynamics 365 Dataverse environment where they work without having to change context or log into an app to find records they need to work with on a daily basis.

Several key benefits include:

• Easy to use: Users can easily and quickly find key information stored in Dynamics 365, without needing to navigate to a new app or page.
• Easy to find: Dynamics 365 content is visible to users in Bing.com, Office.com, and SharePoint.
• Built-in data protection: Dynamics 365 results will only appear for users that have access to the connected instance and records.
• Quick setup: Easy to configure and maintain the search connection to a Dynamics 365 instance.
• Unified search experience: To maintain a cohesive experience, Dynamics 365 results are consistent across all search entry points. Wherever you search, you’ll get the same results with the same look and feel.

The search results are categorized under Dynamics 365

When you click on a search result it will navigate you to the Dynamics 365 application and open the record.  There is no need to do additional searches or take additional steps to navigate to the record.

Enabling search results on Bing.com, Office.com or Sharepoint.com takes a few simple steps that can be completed by an Admin with the appropriate levels of authorization and access for your environments.  You can find out more on how to setup and configure your instance in the Dynamics 365 results in Microsoft Search article on docs.microsoft.com.

The post Search and find Dynamics 365 records with Microsoft Search appeared first on Microsoft Power Platform Blog.

Localizing custom pages will help you build multi-language Power Apps that align model-driven apps with custom pages that are needed for cross-regional deployments. We are excited to bring this capability as it will ensure you can seamlessly deploy a Power App that uses both model-driven forms and custom pages with multiple languages enabled by admins and set by your users.

We have added the ability to easily add files containing multiple languages that are supported in a model-driven app using standard resx web resource files. You can build multi-language support directly into your custom page by uploading the resource files to you solution, add the file you are authoring onto your page and use a standard PowerFX function to render the content of a control in the supported languages of your model-driven app.

The steps include:
1. Setting up your Power App environment to use localized languages.
2. Adding your localized content in a resx file to your solution.
3. Add your authoring language to your page by uploading the resource in studio.
4. Use PowerFX to localize strings on controls in your page.
5. Use preview to view right-to-left orientation.

To get familiar with setting up your Power App environment to support multiple language it’s always a good idea to review how to enable multiple languages that you are planning to use in your model-driven app with custom pages. See Regional and language options for your environment for further details and instructions.

Adding resx files to can be done from make.powerapps.com, selecting solutions and adding the files as a web resource with the appropriate language associated to the file.

After adding the files to your solution open your custom page and add the file with the language you are authoring in the Page designer on make.powerapps.com.

Next you just set the property of a label to a localized string using PowerFX functions.

Save and publish your page and application.  Localized content based on the PowerApp user personal settings or admin locale settings for the environment will now render on your custom page.

We also support right-to-left languages that will render content in the correct orientation.  You can test or view your page in PowerApps by selecting the settings option on the page, select upcoming features and turn on the option to enable right-to-left testing in preview.

We look forward to your continued feedback on using custom pages! Let us know your thoughts and suggestions within this community post Feedback on Custom Page

The post Localizing content on a custom page appeared first on Microsoft Power Platform Blog.

I wanted to share with you some thoughts on how to improve the overall productivity of your forms by moving from the “low-density” header to a high-density header in a model-driven app.  If this is something you’ve already done, then you know how the high-density headers can really help users understand the data they are working with on a model-driven form. This is important because the fields in the header represent the most important information a user needs to see to help them understand what information is on a form and what data a user will be working with.

For forms over data (main forms) in model driven app we include some basic information that identifies the table and the record the user is working on in the form header.  We also include information on the data if it is in a read-only state and we include notifications that you, as a maker, can define and errors that occur while working with data including data types (added a text where it should be numeric) or required fields.

In this example the form has a  high-density header with the four fields that are essential for a user to quickly scan and does not need to edit or need additional fields beyond what is included on the header.   To achieve this, you can set the form header in the designer to high-density and remove the option to show the flyout.  This helps the user stay on task without distractions or unnecessary clicks in the header.

Form Runtime:
Form Designer Settings:

If you need to have more than four fields or need to have users edit the fields in your form header you will need to make sure you use the high-density with flyout option.   This can be easily set in the modern form designer.  When this flag is set a small chevron will show in the right, like how low-density header worked but, in this mode, all the fields in the header will be available for a user to interact with including the four read-only fields that are rendered on the form.

Form Runtime:
Form Designer Settings:

In the example below you can see how data reflows in a high-density header and how information always wraps and is never truncated. This is vital for user to be able to always see important information especially when dealing with long table or record titles on a form.
IMPORTANT CHANGES – Removing low-density headers.

It is also very important to know that low-density headers will be deprecated in October 2021 with Release Wave 2.  What that means is if you have not moved to a high-density header, with or without flyout, the platform will automatically change this at runtime.  To ensure data entry is still available the runtime will set all low-density headers to high-density with flyout.

We are making this change because:

• Most makers building model-driven apps have moved away from low-density headers and usage is very low.
• Low-density headers don’t promote a highly dense experience and require users to always use the chevron for all fields across view-port sizes (small to very-wide). Data becomes hidden and requires extra clicks to interact with information on the header.

Moving away from low-density forms will really improve the usability and the data density of your form and will move you down the path of creating and building highly productive forms.

Read more about how to build high performant main forms in model-driven apps.

The post Improve data density with High-Density Headers in model-driven apps. appeared first on Microsoft Power Platform Blog.

For example, if you want to directly edit a primary contact’s information on an account form, you can easily do this with the new form component.

You can add a form component directly inline on a main form or you can add it onto a tab.  The component supports onLoad, onSave events, the main form save pipeline, form error handling and duplicate detection.

You can easily add a form component using a lookup control and configuring it using the legacy form designer.  Please see the detailed documentation on how to add and configure a form component onto a main form.

The post Editing related records on a main form in a model driven app appeared first on Microsoft Power Platform Blog.

Power BI reports bring a host of visualization and data manipulation that we have all become accustomed to using with a Power BI report.  The ability to quickly build reports using the Power BI tools, publish those reports and extend them to model-driven apps makes it easy to provide your organization with data in one place, removing the need to go outside your model driven or Dynamics application.

Power BI embedding in Power Apps builds on existing capabilities giving users access to shared reports governed by you through standard Power Bi practices that include who you share the report with and licensing.    Users will need to use the relevant Power BI license and authorization to consume the content.

Power BI reports can be used with any report that you have created and can share with your organization.  This can include records in your model-driven or Dynamics app and reports with rich visualization to data that is not limited to just your application.  This gives your users access to your Power BI reports making it easier for you to share organizational data in an embedded Power BI report.

Power BI report in model driven app

Enable a Power BI report
Adding a Power BI report for makers and administrators is done by adding an existing report from make.powerapps.com through a solution dialog that allows referencing the workspace that the report or dashboard is uploaded to.  A new report can also be added by clicking “Create in Power BI desktop” which generates a connection to the current Dataverse environment.

ALM Support
Makers can manage ALM for multiple environments.  With Environment Variables you can set each environment to reference a different workspace.  This allows configuring each environment using the standard current and default values.

Learn more about creating and embedding Power BI reports.

The post General Availability of Power BI reports as system dashboards in model-driven apps appeared first on Microsoft Power Platform Blog.

Many of these types of issues are based on business rules, java script, form events or client api that admins and makers have set and are causing unintended behavior and experiences on your forms. The tool can help identify if the issue you are seeing is designed out of box or is due to a customization in the application and provide details that can help you understand why records are not showing in the related menu of a table/entity, why a control is not editable or why a record is in a read-only state. These are a just a few examples of what is included in the form events that you can troubleshoot in the monitoring tool.

To launch the tool just log into your Dynamics or Model Driven app and add &monitor=true to the end of your URL. This will add an icon onto the app header toolbar. Click on the icon that looks like the one in the circle below.

The tool will open a new tab to the Power Apps portal, click on the tab in `the browser that appended “- Monitor” to the end of the app name.  Select the option to “Play model-driven-app”. This will start a new session for your application and display a dialog. Click on the “Join” from the dialog and this will launch your app that is now being monitored.

To test the scenario you want just run through the steps, for example if you want to understand why an option is not showing in a related menu, select a record like “Accounts”, open any account form and select any related menu option that is listed in the drop down menu.

Once you complete the steps, click on the tab that has the monitoring tool running and use the Category filter to just show forms related issues.

To view the information, select the Operation labeled “RelatedView” when you click on that a panel will open on the right.  Make sure you are on the “Details” tab in the panel and click on the “+” line that says “data”, in the screen shot below it would be line #5.  That will expand to include detailed information on the Related items tab including why a record/entity is or is not showing in the list.

We hope this will help make it easier to quickly find and fix issues when working with Model Driven app and please be sure to check out the docs  to learn more about how to troubleshoot your forms in a Model Driven app with the monitor tool.

The post Troubleshoot Forms in a Model Driven App appeared first on Microsoft Power Platform Blog.

With this change the save is not hidden and will show in the command bar and in the footer of the form with auto-save on or off, reducing confusion as users move from creating new records to editing records in model driven apps.

The post Save is always visible in the command bar on edit forms appeared first on Microsoft Power Platform Blog.