Controlling ISV Access to Power Platform Environments Using Security Groups in Microsoft Entra ID

Microsoft allows customers to control ISV access to Power Platform environments by leveraging Security Groups in Microsoft Entra ID (formerly Azure AD). This is particularly useful when ISVs require the Power Platform Administrator or Dynamics 365 Administrator role but should only access specific environments.

How Security Groups Work in Power Platform Environment Access Control

  1. Security Groups in Microsoft Entra ID are used to manage user access at scale.
  2. Each Power Platform environment can be assigned a specific Security Group.
  3. Only members of the assigned Security Group can access that environment.
  4. ISVs with Power Platform Administrator or Dynamics 365 Administrator roles must be explicitly added to the correct Security Group to gain access.

Step-by-Step: Configuring Security Groups for ISV Access Control

Step 1: Create a Security Group in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com).
  2. Navigate to Groups > Click + New Group.
  3. Choose Security as the group type.
  4. Name the group (e.g., “PowerPlatform-Environment1-Admins”).
  5. Add the ISV user accounts (or their Entra ID identities) to this group.
  6. Click Create to finalize the group.

Step 2: Assign the Security Group to a Power Platform Environment

  1. Sign in to the Power Platform admin center (https://admin.powerplatform.microsoft.com).
  2. Select Environments from the left-hand menu.
  3. Click on the environment you want to restrict access to.
  4. Under the Details tab, locate the Security Group setting.
  5. Click Edit, then select the Security Group you created earlier.
  6. Save the changes.

Important: If an environment is linked to a Security Group, only users within that group can access it—regardless of their Power Platform or Dynamics 365 Administrator roles.


Step 3: Control ISV Admin Access by Assigning Roles within Security Groups

Once the ISV is inside the Security Group, further refine their permissions by:

  1. Going to Microsoft Entra admin center.
  2. Navigating to Roles & administrators.
  3. Selecting the Power Platform Administrator or Dynamics 365 Administrator role.
  4. Assigning the role only to Security Group members instead of granting it tenant-wide.

Best Practice: Avoid assigning the Power Platform Administrator or Dynamics 365 Administrator role at the tenant level, since a tenant-wide assignment grants access to all environments.
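The following PowerShell script is an added example, not part of the original article, that checks the outcome of Steps 1 to 3 from an administrator's side: whether the environment actually has a security group linked, whether it is the intended group, who its members are, and whether anyone holds the two admin roles named above without being in that group. It assumes the Microsoft.PowerApps.Administration.PowerShell and Microsoft.Graph modules are installed, and it assumes the admin API reports the linked group under `Internal.properties.linkedEnvironmentMetadata.securityGroupId`; the environment ID and group name are placeholders.

```powershell
# Added example (not from the original article). Requires the
# Microsoft.PowerApps.Administration.PowerShell and Microsoft.Graph modules.
# The environment ID and expected group name are placeholders; the property path
# Internal.properties.linkedEnvironmentMetadata.securityGroupId is an assumption
# about where the admin API exposes the linked security group.
param(
    [string]$EnvironmentId     = "PLACEHOLDER-ENVIRONMENT-ID",
    [string]$ExpectedGroupName = "PowerPlatform-Environment1-Admins"
)

Add-PowerAppsAccount
Connect-MgGraph -Scopes "Group.Read.All","User.Read.All","RoleManagement.Read.Directory" -NoWelcome

# 1. Is any security group linked to the environment (Step 2)?
$environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentId
$linkedSgId  = $environment.Internal.properties.linkedEnvironmentMetadata.securityGroupId
if (-not $linkedSgId) {
    Write-Warning "Environment '$($environment.DisplayName)' has no security group linked; access is not restricted."
    return
}

# 2. Is it the group you intended?
$sg = Get-MgGroup -GroupId $linkedSgId
if ($sg.DisplayName -ne $ExpectedGroupName) {
    Write-Warning "Linked group is '$($sg.DisplayName)', expected '$ExpectedGroupName'."
}

# 3. Who is in the group (Step 1)? Only direct user members are collected;
#    nested groups are flagged rather than expanded.
$memberUsers = @{}
foreach ($m in (Get-MgGroupMember -GroupId $linkedSgId -All)) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.user') {
        $memberUsers[$m.Id] = $m.AdditionalProperties['userPrincipalName']
    } else {
        Write-Warning "Non-user member $($m.Id) ($type) in group; nested membership is not expanded here."
    }
}
Write-Host "Members of '$($sg.DisplayName)':"
$memberUsers.Values | Sort-Object | ForEach-Object { Write-Host "  $_" }

# 4. Who holds the two admin roles (Step 3), and is anyone assigned outside the group?
foreach ($roleName in 'Power Platform Administrator','Dynamics 365 Administrator') {
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'" |
               Select-Object -First 1
    if (-not $roleDef) { continue }
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" -All
    foreach ($a in $assignments) {
        if ($a.PrincipalId -eq $linkedSgId) {
            Write-Host "$roleName is assigned to the security group itself (group-based assignment)."
        } elseif ($memberUsers.ContainsKey($a.PrincipalId)) {
            Write-Host "$roleName is assigned directly to group member $($memberUsers[$a.PrincipalId])."
        } else {
            $obj  = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
            $name = $obj.AdditionalProperties['userPrincipalName']
            if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }
            if (-not $name) { $name = $a.PrincipalId }
            Write-Warning "$roleName is assigned to '$name', which is NOT in '$($sg.DisplayName)'. Review whether this tenant-wide assignment is intended."
        }
    }
}
```

Run it after completing Step 3 and again on a schedule: the warnings in part 4 are the ones that matter, because they surface exactly the tenant-wide role assignments the Best Practice above tells you to avoid.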


Step 4: Monitor & Audit ISV Access

  1. In the Power Platform admin center, review active users within environments.
  2. Use Microsoft Entra Sign-in logs and Power Platform logs to track ISV activities.
  3. Set up Microsoft Entra Conditional Access Policies to enforce additional security, such as:
    • MFA (Multi-Factor Authentication)
    • Location-based access restrictions
    • Time-based access limits
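As an added example (not from the original article) of the log review in Step 4, the script below pulls the recent Microsoft Entra sign-ins for every user in the environment's security group and flags the ones a reviewer would want to look at: failed sign-ins and sign-ins where no Conditional Access policy applied, which is where the MFA and location controls listed above would not have been enforced. It assumes the Microsoft.Graph module and the `AuditLog.Read.All` permission; the group name and lookback window are placeholders.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module
# and the AuditLog.Read.All permission. Group name and lookback window are placeholders.
param(
    [string]$GroupName    = "PowerPlatform-Environment1-Admins",
    [int]   $LookbackDays = 7
)

Connect-MgGraph -Scopes "Group.Read.All","AuditLog.Read.All" -NoWelcome

$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found." }

# Graph expects an ISO 8601 UTC timestamp in the createdDateTime filter.
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")

$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    # Filter server-side by user and time window; -All pages through every result.
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($m.Id)' and createdDateTime ge $since" -All
    foreach ($s in $signIns) {
        [pscustomobject]@{
            User    = $upn
            When    = $s.CreatedDateTime
            App     = $s.AppDisplayName
            IP      = $s.IpAddress
            Country = $s.Location.CountryOrRegion
            CA      = $s.ConditionalAccessStatus      # success / failure / notApplied
            AuthReq = $s.AuthenticationRequirement    # singleFactorAuthentication / multiFactorAuthentication
            Result  = if ($s.Status.ErrorCode -eq 0) { 'Success' } else { "Fail($($s.Status.ErrorCode))" }
        }
    }
}

# Full timeline for the group, newest first.
$report | Sort-Object When -Descending | Format-Table -AutoSize

# Items worth a second look: failures, sign-ins with no Conditional Access policy applied,
# and single-factor sign-ins (i.e. MFA was not required for that request).
$report |
    Where-Object { $_.Result -ne 'Success' -or $_.CA -eq 'notApplied' -or $_.AuthReq -eq 'singleFactorAuthentication' } |
    Group-Object User |
    Select-Object Name, Count
```

Retrieving sign-in logs through Microsoft Graph requires a Microsoft Entra ID P1 or P2 licence on the tenant; without it the `Get-MgAuditLogSignIn` call returns an authorization error rather than an empty result.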

Key Benefits of Using Security Groups for ISV Access

  • Granular Access Control – ISVs can be restricted to specific environments, even with high-level admin roles.
  • Improved Security Posture – Reduces the risk of unauthorized access to environments.
  • Compliance & Auditability – Clear tracking of ISV activities within customer environments.
  • Operational Efficiency – Automates environment access control by simply adding/removing ISVs from Security Groups.
  • Zero Trust Model Alignment – Ensures ISVs only access what they need, when they need it.


Summary

By leveraging Security Groups in Microsoft Entra ID, customers can restrict ISV access to specific Power Platform environments even when ISVs have the Power Platform Administrator or Dynamics 365 Administrator role. This approach aligns with Zero Trust security principles and ensures ISVs can only manage environments explicitly assigned to them.