Empowering employees with the Microsoft Power Platform at Microsoft

At Microsoft, our employees are using the Microsoft Power Platform to bring their ideas and visions to life. It’s our low-code development suite that anyone—not just developers—can us to create apps, automate workflows, and analyze data.

In Microsoft Digital, the company’s IT organization, we’ve implemented a Power Platform governance strategy and vision that is empowering our employees to build solutions that are improving how they get their work done, including crafting their own AI agents with Microsoft 365 Copilot and Copilot Studio.

How are we doing this?

With proper governance mechanisms that keep them safe while letting their creativity flow—and our employees are running with it, creating innovative and dynamic solutions that are streamlining our processes and enhancing our productivity.

And that’s exactly the point—the Power Platform democratizes development, allowing the citizen developer in all of us to come out and play. For us, this is an essential ingredient for fostering the kind of innovation that can and will continue to drive our company forward.  

Our strategic approach to governance on the Power Platform

Locking in on the right approach to governance is pivotal.

“Governance provides essential guardrails by ensuring that we have visibility into what is being built and enforcing policies to maintain security and compliance with the Power Platform,” says Aisha Hasan, a senior product manager at Microsoft Digital. “Governance allows us to balance the freedom to innovate with the need to protect our tenant from risks.”

Governance is a key strategic enabler to our approach.

With the wide variety of users at Microsoft developing solutions in the Power Platform, it’s vital they understand how to develop within governance parameters and deploy their solutions effectively. This ensures that while innovation flourishes, it does so within a framework that maintains security and compliance.

Starting at the top with environments

Power Platform environments are the foundation for providing structure and organization with our Power Platform tenant.

“Most of what we’re trying to do from a governance standpoint is at that environment level,” says Lianne Zelsman, a senior product manager at Microsoft Digital. “It’s a more holistic approach than at the individual app, flow, or chatbot level.”

We use an intentional environment structure to enable good governance practices, and we apply our policies and rules to that structure to ensure that every single environment is governed to our standards. This approach avoids broadly shared environments that are difficult to govern effectively.

Every environment in our tenant has a specific purpose and we ensure we have the proper information about each environment to maintain proper governance. Every environment in our tenant is tied to an owner who is accountable for everything within that environment. This ownership model ensures clear responsibility and accountability.

“We’re trying to move away from broadly shared environments that are owned by an entire organization,” Zelsman says. “It can be really hard to understand—and control—an environment containing a bunch of different unrelated solutions built by different people.”

To enable this specific approach to environments, we make clear distinctions.

First, the default environment—a built-in environment that comes with every single Power Platform tenant—is not the default.

“We’re routing developers out of the default environment,” Hasan says. “It’s about getting away from that ‘big bucket’ approach. We want every flow, bot, and app to be in an environment that is purpose-built and intentionally configured.”

To streamline the process and ensure proper governance, we’ve turned on automated routing. This means that if anyone tries to use the default environment, they’re automatically routed to a specific environment type instead, according to their use case and our environment groupings. This helps in managing the lifecycles of our environments and ensures that every Power Platform solution is in the right place with the right governance.

Shifting to environment routing

We group environments based on their usage and apply specific rules to each group. There are groups for personal productivity, team collaboration, and enterprise development; each with its own set of rules and compliance requirements and tied to a specific environment type in the Power Platform.

Personal productivity environments are designed for individual use, where users can create and experiment with applications and automations without the need for extensive governance. These environments are typically developer environments, which are highly restricted in terms of sharing capabilities. Users can build apps, flows, and other solutions for their personal productivity, but they can’t share these solutions with others. This ensures that any experimentation or personal projects remain isolated and don’t impact the broader organization.

Team collaboration environments are intended for team-based projects and workflows. These environments are usually built within Dataverse for Teams, which integrates with Microsoft Teams. Dataverse for Teams environments are tied to a Microsoft 365 group, which helps manage governance and lifecycle through the group’s settings. These environments are perfect for team productivity solutions that are used within a specific team but aren’t meant to be shared companywide. While Dataverse for Teams environments have some quirks and limitations, they provide a balance between flexibility and governance, making them suitable for moderate governance and security controls.

Enterprise development environments are used for large-scale, enterprise-level projects that require stringent governance and compliance. These environments are typically sandbox or production environments and are subject to a rigorous request and approval process. Users must provide detailed information about their project, including data sensitivity, regulatory requirements, and business justification. These environments are governed by stricter usage policies, custom ownership policies, and regular security reviews. The goal is to ensure that any enterprise-level solutions are secure, compliant, and properly managed.

Using groups, roles, and policies

Microsoft runs on trust, and our success depends on earning and maintaining it. Our Secure Future Initiative ensures that security is first in everything that we do, and that extends to how we govern the Power Platform.

Our governance strategy revolves around applying controls at the environment level. We categorize environments, using the three main groups already identified. There are specific security controls and approaches in place in each group:

“Our security controls and policies are really about enablement as much as possible,” says Jake Visser, a principal architect manager at Microsoft. “If you create a developer environment, we’ll assign an appropriate DLP policy for you to work with your solution and send you a Teams message indicating what policy we’ve assigned and what you can do there. It’s about making sure that people can build and innovate while staying within the guardrails of our governance policies.”

DLP policies are crucial for preventing data breaches and ensuring that data remains within the organization’s boundaries. We apply DLP policies at various levels to control which connectors and actions are allowed within different environments to prevent the unintentional sharing of sensitive information and ensure that data stays within the organization. These policies control which actions and endpoints connectors are allowed to interact with. For instance, if a connector is used to write data, the policy ensures that the data is protected and only interacts with approved endpoints.

For enterprise development environments, teams can request custom DLP policies if they need to use specific connectors or actions that aren’t covered by the standard policy. This involves providing a threat model and other relevant information to justify the need for the custom policy.

Harnessing proactive and reactive governance

Within each environment group, we apply a set of practices that apply our governance strategy. These practices maintain a balanced approach that incorporates both reactive and proactive measures.

We use a proactive governance approach to anticipate issues before they arise. Gaining visibility into what’s being built within our environment is a critical first step. Our inventory data collection processes collect data on apps, connectors, flows, and shared resources. By having a clear picture of our digital landscape, we can enforce policies that ensure security and compliance from the outset. We collect and integrate this data with the following methods:

• Automated data collection tools. We use automated tools to gather data on all assets within the Power Platform. These tools scan our environment to identify and catalog apps, connectors, flows, and shared resources. By automating this process, we ensure that our inventory is always current and accurate.
• Policy enforcement. With visibility and usage data in hand, we can enforce governance policies. This includes defining and applying DLP policies, custom ownership policies, and regular security reviews. These policies help ensure that solutions are secure and compliant with organizational standards. Even if users follow certain policies during the development phase, we need to keep them in check post-deployment to ensure ongoing compliance.
• Regular audits and updates. To maintain the accuracy of our inventory, we conduct regular audits. These audits involve cross-checking the data in our repository with actual usage and configurations in the Power Platform. Any discrepancies are investigated and resolved promptly.
• Integration with governance policies. Our inventory data collection is tightly integrated with our governance policies. For example, we use DLP policies to enforce data flow and access. The inventory data helps us enforce these policies by providing visibility into how data is being used and shared across the platform.
• Custom reporting and dashboards. We’ve used Power BI to develop custom reporting and dashboards to visualize our inventory data. These tools provide insights into asset usage, compliance status, and potential risks. They help us make informed decisions about governance and resource allocation.
• Collaboration with stakeholders. Collecting inventory data is a collaborative effort. We work closely with various stakeholders, including IT, security, and business units, to ensure that our data collection processes align with their needs and requirements. This collaboration helps us address any gaps and continuously improve our inventory management.

Reactive governance, on the other hand, deals with issues that arise after the fact. Even with stringent policies in place, there’s always a need to monitor and manage ongoing activities. The general application of our reactive measures is similar to the proactive measures—they even share some categories. However, our reactive governance measures are built around quickly identifying—as quickly as possible—events in the tenant that might compromise the integrity of our governance.

• Visibility and inventory. Without a good inventory, it’s impossible to govern effectively. To overcome this, we worked closely with the product group to develop an inventory solution. This tool collects data on all the apps, connectors, flows, and connections being used. By having a comprehensive inventory, we can see what’s being built and shared now, which is the first step in reactively enforcing governance.
• Usage data and metadata. After visibility is established, the next step is collecting usage data and metadata. This information tells us who is doing what within the Power Platform. By understanding usage patterns, we can enforce governance policies more effectively. For example, we can identify high-risk activities and take appropriate actions to mitigate potential issues.
• Continuous monitoring. Reactive governance also involves continuous monitoring of the Power Platform environment. This means regularly reviewing the inventory and usage data to identify any anomalies or potential risks. By staying vigilant, we can quickly address any issues that arise and ensure that our governance measures remain effective.
• Ownership accountability. One of our key reactive measures is the periodic attestation process. Every six months, we require asset owners to confirm their ownership and compliance with our policies. This includes verifying that they aren’t using unauthorized data, not sharing data outside the tenant, and adhering to all security protocols. This process helps us catch any deviations and address them promptly.
• Collaboration with product teams. Our reactive governance efforts are supported by close collaboration with the product teams. By working together, we can develop and refine tools and policies that enhance our governance capabilities. This ongoing partnership ensures that we stay ahead of potential risks and continue to improve our governance practices.

By combining proactive measures to prevent issues and reactive measures to address them, we can provide environments that allow our developers to innovate freely while safeguarding our digital assets. It’s a win for everyone involved and it’s truly enabling innovation at Microsoft.

Integrating with Microsoft Sentinel detection and response

Microsoft Sentinel plays a crucial role in our governance strategy. It’s an essential tool that helps us monitor, detect, and respond to various activities within the platform, ensuring that our governance policies are enforced effectively.

Sentinel integrates with Microsoft Purview audit feeds to monitor all activities within the Power Platform. This integration allows us to capture events such as bot creation, environment creation, flow runs, and edits. Essentially, any action performed by a user or admin within the Power Platform generates an event that is captured by Sentinel.

“With Sentinel, we can perform real-time monitoring of all activities within the Power Platform,” Visser says. “We must have visibility into what’s being built and how the platform is being used. For instance, if a user creates a new environment or modifies an existing one, Sentinel captures this event and allows us to cross-reference it with our governance policies.”

Sentinel enables us to automate governance actions based on the events it captures. For example, when a user creates a personal developer environment, we use the Sentinel events and an Azure Logic App to automatically assign a DLP policy to that environment and send a Teams message to the user, informing them of the assigned policy and what they can do within that environment.

Sentinel’s integration with the Power Platform’s inventory service allows us to maintain an up-to-date inventory of all environments, apps, and flows within the platform. This inventory is crucial for proactive governance, as it provides us with the necessary metadata to enforce policies and ensure compliance. If an environment’s configuration is altered against policy, Sentinel can trigger an alert and send an email to the environment owners, asking them to rectify the issue.

Collaborating and innovating in the framework of governance

Appropriate governance and environment ownership has opened up a whole new wave of collaboration between departments and teams at Microsoft. The controls and assurances provided by an effective governance strategy have enabled our teams to work side-by-side in the Power Platform with confidence.

“Internally, our employees and our team, especially in Microsoft Digital, are building solutions to look at different aspects of how we can continue to improve productivity,” Hasan says. “The Power Platform offers so much freedom to create quickly and with the introduction of AI and Copilot, we can add more intelligence and use all Power Platform tools to create more robust solutions across the organization.”

Streamlining financial reporting with Power Apps

The finance team at Microsoft has been using the Power Platform to streamline their processes. By collaborating with us in Microsoft Digital, they’ve developed a series of Power Apps to automate financial reporting and budget tracking. This collaboration allowed the finance team to reduce manual data entry and improve accuracy in their reports. We provided the necessary technical support to ensure the apps were secure and compliant with company policies. For instance, they created an app that pulls data from multiple sources, consolidates it, and generates real-time financial reports. This has significantly reduced the time spent on manual data consolidation and reporting.

Simplifying legal reviews with Power Automate

The marketing and legal teams have also found common ground on the Power Platform. They worked together to create a Power Automate flow that simplifies the approval process for marketing materials. The flow ensures that all marketing content is reviewed and approved by the legal team before publication. This collaboration has significantly reduced the time it takes to get marketing materials approved, allowing the marketing team to be more agile and responsive. For example, the flow includes automated notifications and reminders, ensuring that the legal team reviews and approves content promptly.

Enhancing onboarding with integration and collaboration

The HR and support teams have used the Power Platform to enhance employee onboarding and support processes. By building a Power App, they created a centralized onboarding portal where new hires can access all the necessary resources and complete required tasks. The support team integrated this app with their existing systems to provide seamless support for new employees. This collaboration has improved the onboarding experience and ensured that new hires have all the support they need from day one. The app includes features like task checklists, document uploads, and direct links to support resources.

Creating cross-functional innovation with Copilot Studio

One of the most exciting examples of collaboration is the use of Copilot Studio across various departments. Teams from finance, marketing, CELA, HR, and IT have all contributed to developing AI-infused solutions using Copilot Studio. For instance, the marketing team created an AI-powered agent to handle customer inquiries, while the HR team developed an AI assistant to help employees with common HR-related questions. Using Copilot Studio, we’ve been able to increase discoverability and productivity by using Copilot as our “UI for AI”, bringing the power of these specialized agents to answer frequently asked questions, provide product information, and even assist with troubleshooting.

Looking forward

Governance on the Power Platform at Microsoft is poised to become even more robust and comprehensive. As the platform continues to evolve, so will our strategies for ensuring its secure and effective use.

We’re working to develop and implement more granular governance controls. Currently, our governance strategy revolves around applying rules at the environment level, using environment groups and rules to manage security and compliance. However, the future holds the promise of even more detailed control mechanisms and as customer zero, we’re working with the Power Platform PG to ensure that our learnings related to governance are reflected in the product. This includes the ability to nest environment groups, allowing for more specific governance based on criteria such as geography, data sensitivity, and regulatory requirements.

The Power Platform has proven to be a transformative tool for fostering collaboration and innovation across various departments at Microsoft. From streamlining the approval process for marketing materials to enhancing employee onboarding and creating AI-driven solutions, the platform has enabled teams to work more efficiently and effectively. Our focus on robust governance helps ensure that the Power Platform remains a secure and innovative environment for all users—and Microsoft customers.