Monday, April 27, 2026

Power Platform Governance & COE Complete Guide

Power Platform Governance & COE — Complete Guide

Governance Fundamentals · DLP Policies · Environment Strategy · COE Starter Kit · ALM · Pipelines · Scenarios · Cheat Sheet

Governance Fundamentals
Data Loss Prevention (DLP) Policies
Environment Strategy & Lifecycle
COE Starter Kit & Adoption
ALM & Deployment Pipelines
Monitoring, Auditing & Compliance
Scenario-Based Questions
Cheat Sheet — Quick Reference

1. Governance Fundamentals

What is Power Platform governance and why does it matter?

Power Platform governance is the set of policies, processes, and tools that ensure the platform is used securely, efficiently, and in alignment with organisational standards.

Without governance:

Users create apps connecting to sensitive data without security reviews
Connectors expose corporate data to external services (consumer apps, personal accounts)
Hundreds of unmanaged environments consume capacity and storage with no oversight
Critical business processes run on flows owned by individuals who leave the organisation
Compliance violations occur when personal data flows to unsanctioned services

Key insight: The governance challenge is unique to Power Platform — it is a self-service platform by design. The goal is to enable innovation while preventing data leakage, shadow IT, and orphaned resources.

What are the three pillars of Power Platform governance?

Pillar	Focus Areas
Security & Compliance	DLP policies, connector restrictions, Azure AD conditional access, tenant isolation, data residency, sensitivity labels
Environment Management	Environment strategy (dev/test/prod), capacity planning, lifecycle (creation, monitoring, cleanup), access control
Adoption & Enablement	COE governance, training programmes, maker communities, app catalogues, support models, usage analytics

Tip: Governance without adoption = platform stagnation. Adoption without governance = security risk. Balancing the two is the central tension in Power Platform architecture.

What admin roles exist for Power Platform and what can each do?

Role	Scope	Use Case
Global Administrator	Full M365 + Power Platform	Too broad — avoid for regular admin
Power Platform Administrator	All environments, DLP, capacity, connectors, tenant settings	Primary Power Platform admin role
Dynamics 365 Administrator	D365 environments specifically	D365-focused admin
Environment Administrator	One specific environment	Delegated env-level management
System Administrator (Dataverse role)	Full access within one Dataverse environment	Customise, configure, manage data

Warning: Never assign Global Administrator for Power Platform administration. Use Power Platform Administrator — it has the right scope without unnecessary M365 access.

What is the Power Platform Admin Center and what can you manage from it?

The Power Platform Admin Center (admin.powerplatform.microsoft.com) is the central management portal.

Capability	Description
Environments	Create, configure, copy, reset, delete environments. Manage capacity and storage.
DLP policies	Create and manage Data Loss Prevention policies across tenant and environments.
Analytics	Usage reports for Power Apps, Power Automate, Copilot Studio across the tenant.
Capacity	Monitor Dataverse storage, file storage, log storage per environment.
Connectors	View and manage custom connectors across the tenant.
Tenant settings	Control who can create environments, AI features, sharing settings.
Support	Raise and manage Microsoft support tickets.

What are the most important tenant-level settings for governance?

Who can create production/sandbox environments — restrict to admins only. Prevents environment sprawl.
Who can create trial environments — balance exploration vs sprawl.
Power Apps/Power Automate for M365 users — enable/disable for specific Azure AD groups.
AI features (Copilot) — enable/disable generative AI features tenant-wide.
Sharing canvas apps — restrict who users can share apps with (organisation, specific groups, admins only).
Weekly digest emails to makers — notify makers when their resources are flagged.

Tip: Restricting environment creation to admins only is the single most impactful governance setting — it prevents the #1 governance problem: uncontrolled environment sprawl.

2. Data Loss Prevention (DLP) Policies

What are DLP policies in Power Platform and how do they work?

DLP policies control which connectors can be used together in a flow or app. They prevent sensitive business data from being exfiltrated to unsanctioned services by enforcing connector grouping rules.

Three connector groups:

Group	Description	Examples
Business	Approved connectors for business data	SharePoint, Dataverse, Teams, Outlook, SQL Server, Azure
Non-business (Personal)	Consumer/personal connectors	Twitter, Facebook, Gmail, personal OneDrive, Dropbox
Blocked	Cannot be used at all in this environment	High-risk or unvetted connectors

A flow or app can only use connectors from one group — Business OR Non-business, never both together. This prevents a flow from reading corporate SharePoint data and writing it to a personal Gmail.

Critical: An environment with no DLP policy allows any combination of connectors — corporate data can flow freely to consumer services. Always apply DLP before allowing maker access to an environment.

What is the difference between tenant-scoped and environment-scoped DLP policies?

Tenant-scoped DLP policy: applies to ALL environments in the tenant (or all except explicitly excluded ones). Set by Power Platform Administrator. Cannot be overridden by environment admins. Used for baseline security.

Environment-scoped DLP policy: applies to one or more specific environments. Can be set by Power Platform Admins or Environment Admins. Can be more restrictive than the tenant policy but never more permissive — tenant policy always wins.

Tenant policy (baseline):         Environment policy (stricter):
Business: SharePoint, Teams        Business: SharePoint only
Non-business: Gmail, Twitter       Blocked: Teams, Gmail, Twitter

Effective result for that environment:
= most restrictive combination of both policies
→ SharePoint in Business, Teams blocked, Gmail blocked

Tip: Always create a baseline tenant-wide DLP policy first. Then add environment-specific policies for additional restrictions in sensitive or production environments.

What are connector action controls in DLP policies?

Connector action controls allow admins to permit or block specific actions within a connector — rather than blocking the entire connector. This provides fine-grained control.

SharePoint connector action controls:
Allow: Get items, Get item, Create item, Update item
Block: Delete item, Delete attachment

HTTP connector action controls:
Allow: GET requests only
Block: POST, PUT, DELETE requests
→ Allows reading external APIs but prevents writing data out

Dataverse connector action controls:
Allow: List rows, Get row, Create row, Update row
Block: Delete row, Execute action, Perform bulk operations

Tip: Connector action controls are a governance maturity milestone — they allow enabling a connector for legitimate use while preventing its abuse. Much more nuanced than all-or-nothing connector blocking.

What are endpoint filtering rules in DLP policies?

Endpoint filtering rules restrict which specific URLs or hosts the HTTP connector, custom connectors, or certain other connectors can connect to.

HTTP connector endpoint rules:
Allow list:
  *.internal-company-api.com
  https://api.approvedsystem.com
Deny list (default):
  * (all other endpoints blocked)

Use case: allow Power Automate to call only internal
APIs — block calls to external/consumer services
via HTTP action even with custom endpoints

How do DLP policies interact with existing flows when a new policy is applied?

When a DLP policy is created or changed, existing flows are evaluated against the new policy
Flows that violate the new policy are suspended — they stop running immediately
The flow owner receives an email notification that their flow has been suspended
The flow remains suspended until: the policy is changed to permit the connectors, OR the flow is modified to comply
Power Platform Admin Center shows which flows are suspended and which policy caused it

Warning: Applying a new restrictive DLP policy to an existing environment can immediately suspend production flows. Always audit existing flows before applying a new policy — use the COE Starter Kit inventory to identify potentially affected flows first.

3. Environment Strategy & Lifecycle

What is environment strategy in Power Platform and what are the recommended patterns?

Environment strategy defines how environments are structured, purposed, and managed across the organisation.

Recommended environment tiers:

Tier	Purpose	Access	DLP
Default	Personal M365 productivity	All licensed users (restricted)	Strict — M365 connectors only
Developer	Individual maker experimentation	One maker only	Restrictive
Shared sandbox	Project development & testing	Project team	Standard business connectors
Test/UAT	Pre-production validation	QA team + business owners	Production-equivalent
Production	Live business applications	End users (read), admins	Most restrictive
COE/Admin	Governance tools and admin flows	COE team only	Permissive (for admin connectors)

How do you prevent environment sprawl in a large organisation?

Restrict environment creation — set "Who can create production and sandbox environments" to admins only in tenant settings
Environment request process — implement a formal request flow (Power Automate approval). COE Starter Kit includes this out of the box.
Environment lifecycle policies — auto-identify environments with no activity for 90 days via COE analytics → notify owners → delete if no response
Trial environment controls — trial environments auto-expire after 30 days. Ensure cleanup is monitored.
Regular audits — monthly review of all environments via COE Starter Kit inventory

Tip: Environment sprawl is the #1 governance problem in large tenants. Microsoft reports that uncontrolled tenants can have 1000+ environments — most unused. Proactive controls prevent this from the start.

What is the Default environment and what special considerations does it have?

Characteristic	Detail
Existence	Every tenant has exactly one — cannot be deleted
Membership	All licensed users automatically added as Environment Makers
M365 flows	Teams, Outlook, SharePoint-triggered flows run here by default
Risk level	Highest risk — anyone can create apps and flows here

Governance recommendations:

Apply strict DLP — allow only M365/productivity connectors, block all premium and personal connectors
Remove Environment Maker role from all users — grant only to approved individuals
Rename to signal its purpose: "Default — Personal Productivity Only"
Use COE Starter Kit to monitor and clean up unused resources regularly

Critical: The Default environment is the highest-risk environment in any tenant. Without governance it becomes a dumping ground for production apps with no oversight.

How do you handle environment capacity and storage management?

Three Dataverse storage types:

Type	Contains
Database storage	Dataverse table data, relationships, metadata
File storage	Attachments, images, file columns
Log storage	Audit logs, plugin trace logs

Capacity management practices:

Monitor via Admin Center → Capacity → Summary
Set storage alerts — get notified before hitting capacity limits
Regularly purge audit logs older than the retention period
Run Dataverse bulk delete jobs for old/inactive records
Use Azure Blob or SharePoint for file storage instead of Dataverse file columns where possible
Archive inactive environments' Dataverse data before deletion

4. COE Starter Kit & Adoption

What is the COE Starter Kit and what does it provide?

The Centre of Excellence (COE) Starter Kit is a free, open-source collection of Power Platform components published by Microsoft that helps organisations govern, monitor, and nurture their Power Platform adoption.

Key modules:

Module	Description
Core components	Inventory of all apps, flows, connectors, environments, and makers across the tenant. Synced daily via admin APIs.
Governance components	Compliance processes — maker compliance emails, app archival, orphaned resource cleanup, environment request flows.
Nurture components	Adoption tools — maker onboarding, training resources, app showcase/gallery, hackathon management, community tools.
Audit & compliance	Risk assessment of apps/flows, DLP violation reporting, sensitivity analysis.
Power BI dashboard	Tenant-wide analytics — top makers, most used apps, connector usage, risk scores, environment health.

Tip: The COE Starter Kit transforms Power Platform administration from reactive firefighting into proactive governance. It is the expected answer to "how do you govern Power Platform at scale."

What does the COE Core inventory collect and how does it work?

A scheduled cloud flow runs daily using the Power Platform Admin connector and Management APIs:

API calls:
Get Environments           → all environments in tenant
Get Apps as Admin          → all canvas and model-driven apps
Get Flows as Admin         → all cloud flows
Get Connectors as Admin    → all connectors used
Get Makers                 → all users who have created resources

Stored in Dataverse tables:
admin_Environment          → all environments
admin_PowerApp             → all canvas and model-driven apps
admin_Flow                 → all cloud flows
admin_Connector            → all connectors used
admin_Maker                → all users who have created resources
admin_PowerAppConnector    → connector usage per app
admin_FlowConnector        → connector usage per flow

Warning: The COE inventory sync requires a service account with Power Platform Administrator role. Use a dedicated service account — never a personal admin account (single point of failure risk).

What is the compliance process in the COE Governance module?

The governance module automates a compliance conversation with makers about their apps and flows:

Admin emails makers of apps/flows that haven't been reviewed — asking for business justification, data classification, and owner confirmation
Maker fills in a compliance form: app purpose, data sensitivity level, business owner, support contact
If no response within the grace period: app/flow is quarantined (shared access removed)
If still no response: app/flow is deleted (with backup)
Compliant resources are tagged and exempted from future compliance sweeps

Tip: This automated compliance process cleans up years of accumulated shadow IT without manual effort. The grace period approach avoids disrupting legitimate users while enforcing governance.

What does a Power Platform Centre of Excellence team look like?

Three layers of a mature COE:

Layer	Composition	Responsibilities
Central COE team	2–5 people (Architect, Admin Lead, Enablement Lead)	Platform strategy, DLP, environment strategy, security standards, COE Starter Kit
Champions network	Power users/citizen developers in each BU	First-line support, evangelism, quality gatekeeping for department apps
Professional developers	IT/dev team	Complex solutions requiring pro-code extensions (PCF, plugins, custom APIs)

Key principle: The COE's role is to enable — not gatekeep. The goal is a "managed self-service" model where makers can build freely within guardrails, not a bottleneck where everything goes through central IT.

What is the maker onboarding process in a governed environment?

User requests maker access via a Power Automate approval flow
Manager approves — confirms the maker needs to build on the platform
Automated onboarding: assigned Environment Maker role in appropriate dev environment, added to makers Azure AD group, added to maker community Teams channel
Welcome email with training resources, DLP policy overview, coding standards, ALM process documentation
Mandatory Power Platform fundamentals training before first app published to production
COE inventory automatically tracks the new maker and their subsequent resource creation

5. ALM & Deployment Pipelines

What is ALM for Power Platform and what does it involve?

ALM (Application Lifecycle Management) covers the processes and tools for developing, testing, and deploying Power Platform solutions in a controlled, repeatable way.

Core ALM elements:

Element	Description
Source control	Solution files stored in Git (Azure DevOps or GitHub) — tracked, versioned, peer-reviewed
Solution packaging	All components in a managed solution (apps, flows, tables, connection references, env variables)
CI/CD pipelines	Automated export → unpack → commit → build → deploy
Environment promotion	Dev → Test/UAT → Production with gated deployments
Connection references	Environment-agnostic connection pointers
Environment variables	Environment-specific configuration values

What is the Power Platform Build Tools and how is it used in CI/CD?

Power Platform Build Tools is an Azure DevOps extension (and GitHub Actions equivalent) providing pipeline tasks for automating Power Platform ALM.

# Typical CI pipeline (on commit):
- task: PowerPlatformToolInstaller@2
- task: PowerPlatformExportSolution@2
    inputs:
      authenticationType: 'PowerPlatformSPN'
      Environment: '$(DevEnvironmentUrl)'
      SolutionName: 'MyAppSolution'
      SolutionOutputFile: '$(Build.ArtifactStagingDirectory)/solution.zip'
- task: PowerPlatformUnpackSolution@2
    inputs:
      SolutionInputFile: '$(Build.ArtifactStagingDirectory)/solution.zip'
      SolutionTargetFolder: '$(Build.SourcesDirectory)/solutions/MyAppSolution'
- task: PowerPlatformChecker@2
    inputs:
      SolutionInputFile: '$(Build.ArtifactStagingDirectory)/solution.zip'

# Typical CD pipeline (to Production):
- task: PowerPlatformPackSolution@2
- task: PowerPlatformImportSolution@2
    inputs:
      Environment: '$(ProdEnvironmentUrl)'
      SolutionInputFile: '$(Pipeline.Workspace)/solution.zip'

What are Power Platform Pipelines (in-product) vs Azure DevOps pipelines?

	Power Platform Pipelines	Azure DevOps / GitHub Actions
Setup	Native in Admin Center	External DevOps tool required
Audience	Makers, citizen developers	Professional developers/DevOps
Customisation	Limited	Fully customisable
Testing	Manual	Automated test support
Best for	Simple solutions, maker-led deployments	Complex solutions, pro-code components, enterprise DevOps

Tip: Most mature enterprise teams use Azure DevOps for complex solutions and Power Platform Pipelines for simpler maker-built apps. Both can coexist in the same tenant.

What is Solution Checker and why should it be part of every deployment pipeline?

Solution checker analyses a Power Platform solution against best practice rules and returns issues by severity (Critical, High, Medium, Low, Informational).

What it checks:

Plugin and custom workflow code quality (deprecated APIs, missing error handling)
JavaScript web resource issues (deprecated client API usage)
Canvas app formula issues (delegation warnings, performance patterns)
Solution structure issues (missing dependencies, invalid references)

# Run via CLI in pipeline:
pac solution check --path ./solution.zip \
  --outputDirectory ./checker-results \
  --rulesetId 0ad12346-e108-40b8-a956-9a373e549abb

# Gate deployment:
# Critical issues > 0 → fail pipeline, block deployment
# High issues > threshold → require manual approval

Tip: Solution checker as a mandatory CI quality gate is the difference between a governed and ungoverned ALM process. It catches technical debt before it reaches production.

What are connection references and environment variables and why are they critical for ALM?

Connection references: solution components acting as pointers to connections. Flows reference a Connection Reference instead of a hardcoded connection. After solution import, each environment's Connection Reference is updated to point to the appropriate connection.

Environment variables: solution components storing configuration values that differ per environment (API URLs, email addresses, SharePoint site IDs, feature flags).

WITHOUT Connection References/Env Variables (broken ALM):
→ Flow hardcodes connection to dev SharePoint site
→ Import to prod → flow still points to dev site
→ Must manually edit flow in each environment
→ Error-prone, time-consuming, not repeatable

WITH Connection References/Env Variables (proper ALM):
→ Flow references "SharePoint Connection Reference"
→ Import to prod → update Connection Reference to prod SharePoint
→ Set env variable: SiteURL = "https://prod.sharepoint.com/sites/app"
→ No flow edits needed — fully automated, environment-agnostic deployment

Critical: Not using Connection References and Environment Variables is the #1 cause of broken Power Platform deployments. Every solution component with environment-specific configuration MUST use these.

6. Monitoring, Auditing & Compliance

What analytics are available natively in Power Platform Admin Center?

Report	Metrics
Power Apps analytics	Active users, app launches, sessions, errors, service performance
Power Automate analytics	Flow runs, success/failure rates, run durations, top flows
Copilot Studio analytics	Sessions, resolution rates, escalation rates per copilot
Capacity	Dataverse storage per environment, tenant-wide consumption
Connector usage	Which connectors are used, by which environments, top users

For advanced analytics beyond the built-in reports, use the COE Starter Kit Power BI dashboard which aggregates inventory, usage, risk, and compliance data across the entire tenant.

How do you audit Power Platform activity for compliance?

Microsoft Purview (formerly Compliance Center):

Power Platform operations are logged in the Microsoft 365 Unified Audit Log
Auditable events: app creation/deletion, flow creation/deletion, environment creation, DLP policy changes, permission changes
Accessible via Microsoft Purview compliance portal → Audit → Search

Power Platform Admin Center:

Environment-level activity logs
Admin activity logs (who changed DLP policies, who created environments)

Dataverse auditing:

Record-level create/update/delete/access tracking
Field-level change history
Accessible via audit history on records or Dataverse Web API

What is the Power Platform for Admins connector and how is it used for governance automation?

The Power Platform for Admins connector provides actions for programmatic management of Power Platform resources — used extensively in COE Starter Kit flows.

Key actions:
Get Environments                → list all environments
Create Environment              → provision new environments
Delete Environment              → remove environments
Get Apps as Admin               → inventory all canvas apps
Get Flows as Admin              → inventory all flows
Get Connectors as Admin         → inventory all connectors
Suspend Flow as Admin           → disable a flow remotely
Get DLP Policies                → list all DLP policies

Common governance automation patterns:
→ Daily inventory sync (COE core)
→ Auto-suspend flows violating new DLP policy
→ Send weekly digest to makers of their resource usage
→ Auto-delete trial environments after 30 days
→ Alert when storage exceeds 80% of capacity
→ Notify when a new environment is created in the tenant

7. Scenario-Based Questions

Scenario: A new CISO wants to ensure no corporate data leaks to consumer services via Power Automate. What do you implement?

Tenant-wide baseline DLP policy: move all Microsoft business connectors (SharePoint, Dataverse, Teams, Outlook, SQL Server, Azure services) to Business group. Move all consumer connectors (Gmail, Twitter, Facebook, personal OneDrive, Dropbox) to Non-business. Block high-risk connectors.
Production environment DLP policy: additional restriction — only Microsoft-approved connectors in Business group. Block all non-Microsoft connectors.
HTTP connector endpoint filtering: restrict HTTP action to only approved internal API endpoints.
Connector action controls: on sensitive connectors like Dataverse, allow Read operations but restrict bulk Delete or Export actions.
COE inventory monitoring: daily review of new connectors used across the tenant. Alert when a blocked connector is attempted.
DLP violation reports: weekly report from COE to CISO showing suspended flows, violation trends, and remediation status.

Warning: Exclude the COE environment from the tenant DLP policy — it needs broader connector access for admin flows. Use an explicit exclusion list.

Scenario: Your organisation has 800 environments after 3 years of ungoverned Power Platform usage. How do you clean this up?

Deploy COE Starter Kit — get full inventory of all 800 environments: owners, last activity, resource counts, storage consumption
Categorise: Active (resources used < 90 days), Stale (90–180 days inactive), Abandoned (180+ days inactive)
Owner notification campaign: automated email — "Your environment will be deleted in 30 days unless you confirm it is still needed"
Stale environment archival: export all resources to solutions, back up Dataverse data, delete the environment
Abandoned environment deletion: no owner response + no active resources → delete after backup
Restrict new creation: simultaneously change tenant setting to admin-only environment creation — prevent new sprawl while cleaning up old
Implement request process: going forward, all new environments require formal request with business justification approved by COE team

Tip: Tackle in waves — start with clearly abandoned environments (no activity, no resources), then stale. Never delete without backup and owner notification.

Scenario: A business-critical flow in production is owned by an employee who has left. How do you handle it?

Immediate remediation:

Use Power Platform Admin role to reassign flow ownership to a service account via Admin Center → Flows → Edit owner
Check the flow's connections — departed user's personal connections will be broken. Replace with service account connections or shared Connection References.
Check if the flow uses the departed user's credentials (SharePoint, Outlook) — replace with service account or delegated credentials
Test the flow end-to-end after ownership and connection transfer

Preventive measures:

COE governance policy: all production flows must be owned by a service account or team, not an individual
COE compliance process: quarterly audit of flow ownership — flag production flows owned by individuals
IT offboarding checklist: include a Power Platform asset transfer step — reassign all flows/apps before account deletion

Critical: Flow connections tied to personal user accounts are the #1 cause of production outages when staff leave. This is a governance failure that COE ownership policies prevent.

Scenario: How do you set up a complete Dev → Test → Production ALM pipeline for a Power Apps solution?

Setup:

Three environments: Dev (sandbox), Test (sandbox), Production. Separate DLP policies per environment.
Dedicated service principal for pipeline authentication (not a personal admin account).
Unmanaged solution in Dev. All components — app, flows, tables, connection references, environment variables.
Azure DevOps repo with branch strategy: feature branches → main → release branches.

CI pipeline (on commit to feature branch):

Export unmanaged solution from Dev environment
Unpack to source files → commit to repo
Run Solution Checker → fail build on Critical issues

CD pipeline — to Test (on merge to main):

Pack as managed solution
Import to Test environment
Set Connection References and Environment Variables for Test
Run automated smoke test flow
Notify QA team for UAT

CD pipeline — to Production (manual trigger + approval gate):

Same managed solution promoted from Test
Required approval from business owner in Azure DevOps
Import to Production
Set Production Connection References and Environment Variables
Post-deployment Teams notification to stakeholders

Scenario: How do you handle a maker who has built a production app in the Default environment using premium connectors?

Problem: Maker built a business-critical app in the Default environment using Dataverse — violating governance policy. Moving it is risky.

Assess impact: use COE inventory to identify all users of the app, data connections, and dependencies
Create a proper production environment: provision a new Production environment with correct DLP policy and security configuration
Export the app as a solution: package the app, its flows, Dataverse tables, and connection references into a managed solution
Migrate Dataverse data: use Data Export Service or Power Automate to copy data from Default to the new production environment's Dataverse
Redirect users: update the app URL, update any embedded links, communicate the change to users with a transition period
Delete or archive original: quarantine the Default environment copy first, verify all users are on the new app, then delete
Update governance policy: document this scenario in the maker guidelines — new apps requiring Dataverse must request a proper environment from the start

8. Cheat Sheet — Quick Reference

DLP Policy Configuration Reference

Connector groups:
Business     → approved for corporate data
Non-business → consumer/personal services
Blocked      → cannot be used at all

Policy scope:
Tenant-wide  → applies to ALL environments (with optional exclusions)
Environment  → applies to specific environments only
Precedence   → most restrictive policy wins

Key connectors to classify:
Business:    SharePoint, Dataverse, Teams, Outlook, OneDrive for Business,
             SQL Server, Azure Blob, Azure Service Bus, Azure Key Vault,
             Power BI, Dynamics 365, Microsoft Forms
Non-business: Gmail, Twitter/X, Facebook, Dropbox, personal OneDrive,
              Google Sheets, Slack (personal), Trello
Blocked:     HTTP (without endpoint filtering), custom connectors
             to unapproved endpoints

DLP violation outcome:
→ Existing flows: suspended immediately
→ New flows: cannot be saved/published
→ Owner notified by email with policy name and violation details

Environment Strategy Reference

Environment types and purposes:
Default      → personal M365 productivity. Strict DLP. Remove Maker role.
Developer    → individual maker sandbox. Free with Developer Plan.
Sandbox      → team dev/test. Reset-able. Not for production data.
Production   → live business data. Full backup. Strict access control.
COE/Admin    → governance tools only. Permissive DLP for admin connectors.

Creation governance:
→ Restrict to admins only (tenant setting)
→ Request process: maker submits → manager approves → admin provisions
→ Mandatory fields: business owner, purpose, expected lifetime, data classification

Lifecycle:
90 days inactive   → automated owner notification
120 days inactive  → quarantine (access suspended)
150 days inactive  → deletion (with backup)
Trial environments → auto-expire after 30 days

ALM Pipeline Checklist

Solution setup:
☐ Custom publisher prefix (not 'new_')
☐ All components in solution
☐ Connection References for all connectors
☐ Environment Variables for all env-specific config
☐ No hardcoded connection strings or URLs

CI pipeline:
☐ Export solution from Dev
☐ Unpack to source files
☐ Commit unpacked files to Git repo
☐ Run Solution Checker
☐ Fail on Critical issues

CD to Test:
☐ Pack managed solution
☐ Import to Test environment
☐ Configure Connection References
☐ Set Environment Variable values
☐ Run smoke test / automated tests
☐ Notify QA for UAT

CD to Production:
☐ Manual approval gate (business owner sign-off)
☐ Import same managed solution from Test
☐ Configure Production Connection References
☐ Set Production Environment Variable values
☐ Post-deployment notification
☐ Monitor for errors in first 24 hours

COE Starter Kit — Key Components

Core module:
→ Daily inventory sync (flows, apps, envs, makers, connectors)
→ Admin Power BI dashboard
→ Environment overview report

Governance module:
→ Compliance flow (maker emails, grace periods, quarantine, delete)
→ Environment request and approval process
→ Developer environment provisioning automation
→ Orphaned resource identification and cleanup
→ DLP violation reporting

Nurture module:
→ Maker onboarding welcome email automation
→ App gallery / showcase
→ Training resource hub
→ Maker community management
→ Hackathon toolkit

Admin connector actions used:
Get/List Environments, Apps, Flows, Connectors, Makers
Suspend Flow as Admin
Delete Environment
Add/Remove Environment Maker role

Governance Maturity Model

Level 1 — Reactive (no governance):
→ Default environment used for everything
→ No DLP policies
→ No inventory visibility
→ Issues discovered only when things break

Level 2 — Basic (foundational):
→ Tenant-wide DLP policy applied
→ Environment creation restricted to admins
→ COE Starter Kit deployed (inventory only)
→ Maker onboarding process defined

Level 3 — Managed (operational):
→ Environment strategy implemented (dev/test/prod)
→ DLP policies per environment type
→ COE governance module running (compliance emails)
→ ALM pipeline for key solutions
→ Regular environment audits

Level 4 — Optimised (mature):
→ Full COE with champions network
→ Automated environment lifecycle management
→ Solution Checker in CI/CD pipelines
→ Connection References + Env Variables everywhere
→ Monthly governance reviews with metrics
→ Risk scoring and remediation tracking
→ Fusion team model (makers + pro devs + IT)

Top 10 Tips

DLP = connector grouping, not content scanning — DLP in Power Platform prevents connectors from being combined, not scanning message content like M365 DLP. Clarify this distinction confidently.
Tenant policy wins over environment policy — environment policies can only be more restrictive, never more permissive. The tenant baseline always applies.
Restrict environment creation first — this is the single most impactful governance action. Mention it in every environment sprawl question.
Default environment is highest risk — every licensed user is a maker there by default. Always recommend removing the Maker role and applying strict DLP.
Connection References are mandatory for ALM — hardcoded connections are the #1 cause of broken deployments. Mentioning this signals real deployment experience.
COE Starter Kit is the governance answer at scale — know its three modules (Core, Governance, Nurture) and what each does. It is the expected answer to "how do you govern Power Platform."
Service accounts for production flows/apps — never personal user accounts.
Solution Checker in CI pipelines — quality gate that catches technical debt before production. A maturity signal in any ALM discussion.
DLP violations suspend existing flows — a new policy change immediately impacts running flows. Always audit before applying a new policy.
Governance vs adoption balance — Governance that blocks legitimate use is a failure just as much as no governance at all. The goal is "managed self-service."

Monday, April 27, 2026