New governance tools for Power Platform environments

If you have decided to take true ownership of the low-code platform available in the Microsoft cloud, one of the first policies you’ll likely end up creating is your Power Platform environments strategy. After all, most of the technical governance capabilities in the platform revolve around the environment concept.

In the August 2021 release of Power Platform Center of Excellence (CoE) Starter Kit we now have a bunch of great tools for environment management purposes. These are freely available on GitHub and there’s even some Docs content explaining the technical details.

What doesn’t appear to be available yet are the installation steps for getting these new components up and running. So, in this article I’ll first go through the setup process and then show the basic functionality of how app makers and platform admins can use the new tools for requesting, provisioning and managing Power Platform environments.

Setting up the environment management tools in CoE Starter Kit

After you have installed the Core solution package of CoE Starter Kit, you’ll find two new Canvas apps within that package. Power Platform Request Center is what the end users (app makers) should be using. Admin – Power Platform Resource RMS is meant for the platform admins, as the name suggests (RMS is short for “request management system”).

There are four cloud flows related to environment management that you’ll need to turn on before using the apps:

  • Env Request | Notify admin when new request submitted
  • Env Request | Notify requestor when rejected
  • Env Request | Create approved environment
  • Env Request | Cleanup expired environments

Next you should grant the end users access for making new environment requests. Although the request records are stored in a Dataverse table, you don’t necessarily need to give a premium Power Apps license to everyone who might need to file a request. This is possible if you leverage Dataverse for Teams as your CoE platform, which is what I would recommend for most people today.

Let’s assume you have an existing security group or a security enabled Office 365 group that includes all the app makers who will potentially need to request new Power Platform environments. The first thing to do is give this group access to the Power Platform Request Center app in your Dataverse for Teams environment. You’ll do this via the “share with colleagues” process. It will make this Canvas app visible to the users in the Microsoft Teams app store.

They won’t be able to use it for anything yet, though. That’s because we have merely shared the access to the definition of the Power Apps Canvas app UI and business logic. The actual data that this Canvas app works with is accessed via connectors that talk with Dataverse. To figure out what tables are relevant for the users to have access to, we can open the Power Platform Request Center app in edit mode and review the data sources used by it.

Next we’ll need to return to the list of Dataverse tables within the environment and set the table permissions accordingly. In my example, the group “App Access Team” will be given the private permission level for the Environment Creation Request table, so that they can create new records but only view their own requests. Other tables used by the app will presumably work best with the reference permission level (read all, edit none).

Finally, we should probably add the Power Platform Request Center app into a relevant Teams channel as a tab. While the users in our security group could in theory find it from the Teams app store, you should make the app visible in the places where your app maker community spends time talking about Power Apps development practices, for example.

(Oh, and don’t forget to update your governance model documentation, end user instructions and all other places once you launch this new process!)

Requesting a new Power Platform environment

When an app maker determines that they need a new environment to develop, test or actually use a set of low-code apps for a particular end user audience, the Request Center app will guide them through this process. What’s remarkable about this app is that the user interface is nearly identical to what the official Power Platform Admin Center (PPAC) offers for environment creation. Awesome!

Since we aren’t directly provisioning the environment like PPAC would do, the creation of a new environment request will trigger an email notification sent to the Power Platform admin email address configured in your CoE settings.

The user who has made the environment request can use the Request Center app to keep track of the status of their own requests.

How about the admins? Well, obviously they aren’t going to coordinate the environment request processing work via mere email messages. That’s where the other new Canvas app, Power Platform Resource Request Management System (RMS), comes into play. Since this app is only for admin use, you may want to keep it accessible only within the CoE Teams environment and pin it as a tab for a relevant channel in there.

Again, the experience in the RMS app is extremely close to the actual in-product UI of the Power Platform Admin Center, including the responsive layouts built with containers. Not only does this demonstrate the importance of details in Canvas app design, it also proves how Power Apps can be used for building professional looking interfaces.

As we can see from the impacting policies section, this RMS app will also allow you to work with the data loss prevention (DLP) policies available in your tenant. During the environment request creation process, the requestor will need to define which connectors should be available in the environment. This is nicely presented in the app by comparing the impacting policies with what has been requested. Check out the detailed DLP recommendation logic documentation to understand how all this works.

If the admin determines that the request is justified and all the necessary information has been provided, all that they need to do is click the approve button. This will trigger a cloud flow that will take care of all the environment provisioning logic.

This is quite a complex process implemented inside a single Power Automate flow. Upon testing the environment request, approval and provisioning process in our demo tenant, I discovered a few issues with the August 2021 release version of this flow that I had to manually edit. I assume that these details will get resolved in future releases, but you should be prepared to test and evaluate how the process logic works for your own scenarios.

This is a good place to remind everyone that the Power Platform Center of Excellence Starter Kit is not an official Microsoft product. Yes, it is developed by Microsoft, but the CoE Starter Kit is a sample implementation of governance tools and processes built on top of the products in Power Platform. Support is provided and issues are tracked via the community tools on GitHub, which is a great channel for #PowerAddicts. Just make sure that your own organization’s CoE Starter Kit deployment is actively maintained and extended by someone who’s a member of this community.

Once the cloud flow runs successfully, the user who made the Power Platform environment request will receive an email confirmation. “Request approved, environment provisioned, you’re the admin now. Enjoy!”

Since environments are not free and they will consume Dataverse capacity from the shared pool of the tenant, it’s good that this template process does include the option for defining environment expiration dates. The cloud flow Cleanup expired environments contains logic for notifying the admins about environment expiration, as well as physically deleting the Power Platform environment from the tenant.

Summary

This new addition to CoE Starter Kit offers very useful features that pretty much every organization using Power Platform tools in a structured way should adopt, at least if they haven’t yet built something similar themselves. Being included in the Core solution package for CoE Starter Kit will certainly help in gaining awareness for the environment management functionality.

There’s one thing you should keep in mind, though: these environment creation requests don’t cover all Power Platform environment types available to users these days. Anyone who’s a member of a Microsoft Teams team can start building apps on top of Dataverse for Teams – or simply provision one of the sample apps from MS. Either way, new environments will appear inside your tenant, which means you should plan for a governance process around them both. Please see my earlier blog post on how to create an approval process for Teams based environments.
