{"id":16345,"date":"2021-09-10T17:24:25","date_gmt":"2021-09-11T00:24:25","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/"},"modified":"2021-09-10T17:24:25","modified_gmt":"2021-09-11T00:24:25","slug":"best-security-practices-for-power-apps","status":"publish","type":"power-apps","link":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/","title":{"rendered":"Best security practices for Power Apps"},"content":{"rendered":"

<h1>Best practices for securely using external data sources with Power Apps<\/h1>\n

<p>We get questions from time to time about how our customers should work securely with Power Apps. Security and privacy are very important to us. For the most control over both security and privacy, we recommend Dataverse, which has best-in-class security and privacy features.<\/p>\n

<p>However, customers may not have their data in Dataverse, and it’s important for customers to be able to connect to data where it lives. Power Apps enables this scenario with a very rich set of connectors. As part of the deployment of your app, however, you should be clear about the security risk that comes with how authentication to data is enabled for your app.<\/p>\n

<p>We talk about connections being “implicitly” or “explicitly” shared. By this we mean that the authentication method used for the connection is either <strong>explicit<\/strong> or <strong>implicit<\/strong>.<\/p>\n

<p>An <strong>explicitly shared connection<\/strong> means that the end user of the application must authenticate to the back-end data source (e.g., SQL Server) with their own explicit credentials. Usually this authentication happens behind the scenes as part of an Azure Active Directory or Windows authentication handshake. The user doesn’t even notice when the authentication takes place.<\/p>\n

<p>Explicitly shared connections are the most secure. Explicitly shared connections use the user’s ID on the server to authenticate and then formulate the queries (e.g., filtering) on the server. For instance, to securely filter data on the server side for SQL Server, such an app uses built-in security features in SQL Server such as <a>row level security<\/a> for rows, and the <a>deny<\/a> permissions to specific objects (such as columns) for specific users. This approach uses the Azure AD user identity to filter the data on the server.<\/p>\n

<p>An <strong>implicitly shared connection<\/strong> means that the user implicitly uses the credentials of the account that the app maker used to connect and authenticate to the data source while creating the app. The end user’s credentials are <strong>not<\/strong> used to authenticate. Each time the end user runs the app, they’re using the credentials the author created the app with.<\/p>\n

<p>An implicitly shared connection is the least secure. It has all of the risks associated with a connection made directly to a server on a service. In particular, you cannot rely on filtering commands to be secure, and even the name of the database and other details can be discovered. Consequently, we actively discourage the use of implicitly shared connections except in narrow scenarios where the data and access are already public. If you have a connection of this type, we encourage you to consider a more secure connection type.<\/p>\n

<h2>Connection choices<\/h2>\n

<p>Some data sources (such as SQL Server) have multiple ways in which you can connect. For example, the following four connection authentication types can be used with SQL Server for Power Apps:<\/p>\n<table>\n<thead>\n<tr>\n
<th>Authentication Type<\/th>\n<th>Power Apps connection method<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n
<tr>\n<td>Azure AD Integrated<\/td>\n<td>Explicit<\/td>\n<\/tr>\n
<tr>\n<td>SQL Server Authentication<\/td>\n<td>Implicit<\/td>\n<\/tr>\n
<tr>\n<td>Windows Authentication<\/td>\n<td>Implicit<\/td>\n<\/tr>\n
<tr>\n<td>Windows Authentication (non-shared)<\/td>\n<td>Explicit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<h2>Future<\/h2>\n

<p>We are always looking to improve our product and welcome feedback you may have.<\/p>\n

<h2>See also<\/h2>\n

<p><a>Use Microsoft SQL Server securely with Power Apps<\/a>
\n
<a>Overview of connectors for canvas apps<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A reminder on best practices when working with Power Apps and external data sources. <\/p>\n","protected":false},"author":105,"featured_media":0,"comment_status":"open","ping_status":"open","template":"","power-apps-category":[1715,1549,1635,1664,1703],"power-apps-tag":[],"coauthors":[2056],"class_list":["post-16345","power-apps","type-power-apps","status-publish","hentry","power-apps-category-best-practices","power-apps-category-building-power-apps","power-apps-category-learning","power-apps-category-uncategorized","power-apps-category-support"],"yoast_head":"\nBest security practices for Power Apps - Microsoft Power Platform Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Best security practices for Power Apps - Microsoft Power Platform Blog\" \/>\n<meta property=\"og:description\" content=\"A reminder on best practices when working with Power Apps and external data sources.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Power Platform Blog\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-content\/uploads\/2023\/12\/Microsoft-logo_rgb_c-gray_950-1.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"950\" \/>\n\t<meta property=\"og:image:height\" content=\"413\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 min read\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"Lance Delano\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/\",\"name\":\"Best security practices for Power Apps - Microsoft Power Platform Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#website\"},\"datePublished\":\"2021-09-11T00:24:25+00:00\",\"dateModified\":\"2021-09-11T00:24:25+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Power Apps\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Best security practices for Power Apps\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/\",\"name\":\"Microsoft Power Platform 
Blog\",\"description\":\"Innovate with Business Apps\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#organization\",\"name\":\"Microsoft Power Platform Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-content\/uploads\/2020\/03\/Microsoft-Logo-e1685482038800.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-content\/uploads\/2020\/03\/Microsoft-Logo-e1685482038800.png\",\"width\":194,\"height\":145,\"caption\":\"Microsoft Power Platform Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Best security practices for Power Apps - Microsoft Power Platform Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/","og_locale":"en_US","og_type":"article","og_title":"Best security practices for Power Apps - Microsoft Power Platform Blog","og_description":"A reminder on best practices when working with Power Apps and external data sources.","og_url":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/","og_site_name":"Microsoft Power Platform Blog","og_image":[{"width":950,"height":413,"url":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-content\/uploads\/2023\/12\/Microsoft-logo_rgb_c-gray_950-1.webp","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 min read","Written by":"Lance Delano"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/","url":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/","name":"Best security practices for Power Apps - Microsoft Power Platform Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#website"},"datePublished":"2021-09-11T00:24:25+00:00","dateModified":"2021-09-11T00:24:25+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/best-security-practices-for-power-apps\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/"},{"@type":"ListItem","position":2,"name":"Power Apps","item":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-apps\/"},{"@type":"ListItem","position":3,"name":"Best security practices for Power Apps"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/","name":"Microsoft Power Platform Blog","description":"Innovate with Business 
Apps","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#organization","name":"Microsoft Power Platform Blog","url":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-content\/uploads\/2020\/03\/Microsoft-Logo-e1685482038800.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-content\/uploads\/2020\/03\/Microsoft-Logo-e1685482038800.png","width":194,"height":145,"caption":"Microsoft Power Platform Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/#\/schema\/logo\/image\/"}}]}},"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Power Platform 
Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/power-apps\/16345"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/power-apps"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/types\/power-apps"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/users\/105"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/comments?post=16345"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/power-apps\/16345\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/media?parent=16345"}],"wp:term":[{"taxonomy":"power-apps-category","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/power-apps-category?post=16345"},{"taxonomy":"power-apps-tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/power-apps-tag?post=16345"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/wp-json\/wp\/v2\/coauthors?post=16345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}