Yes, customers can further restrict data access in the environment even when an ISV holds the Power Platform Administrator or Dynamics 365 Administrator role through GDAP. These Microsoft Entra roles grant administrative rights over the platform (environments, settings, policies); what a user can actually read or change inside an environment is decided by Dataverse: the security roles, column security profiles and business unit attached to that user's record in the environment. One caveat governs everything below: a user record that holds the System Administrator security role bypasses all of these controls, and Dataverse grants that role automatically to users who hold the Global, Power Platform or Dynamics 365 admin role in the customer tenant. Confirm which roles the ISV's delegated accounts actually hold in each environment before relying on the restrictions, rather than assuming the mapping does not apply to them.
Methods to Restrict Data Access Further
1. Role-Based Access Control (RBAC) in Dataverse
- Dataverse Security Roles define what users (including ISVs) can do within the environment.
- Administrative rights over Power Platform or Dynamics 365 do not define what the ISV's user record may read in a given environment; the security roles assigned to that record do. Review those assignments first, and make sure none of the ISV's accounts holds System Administrator, since that role bypasses every Dataverse restriction.
- Customers can:
- Assign least-privilege roles to ISVs.
- Restrict read/write permissions to sensitive data.
- Withhold the Export to Excel and Print privileges, which are granted per role under the miscellaneous privileges.
2. Table and Column Security in Dataverse
- Table-Level Security: give the ISV's role no Read privilege (or Read at a narrow access level) on tables it has no business in, e.g. financial or customer records; a table on which the role holds no privilege is invisible to that user.
- Column-Level Security: enable column security on sensitive columns (e.g., national identification numbers, financial transactions) and grant read on them only through a column security profile the ISV is not a member of; a user who can read the table then still cannot read those values.
- These restrictions bind whatever security roles the ISV's user record holds. They do not bind a user who holds System Administrator, which has every privilege and the built-in System Administrator column security profile, so check that role's membership rather than assuming the admin-center role alone keeps data hidden.
3. Business Units and Hierarchical Security
- Customers can segment data by Business Units to isolate records.
- ISVs can be placed in a separate Business Unit with only necessary data access.
- Each privilege in a role carries an access level (User, Business Unit, Parent: Child Business Units, or Organization). Granting the ISV role Read at User or Business Unit level confines it to records owned within the ISV business unit; Organization-level Read would defeat the segmentation.
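The first thing to verify across sections 1 to 3 is what the ISV's user records actually hold. The script below is an added example, not code from the original page or from Microsoft: it reads the systemusers collection with its role association from the Dataverse Web API (the query shape is the assumption; the user names, domains and business unit ids in the sample are constructed) and reports any ISV account that holds a privileged role, sits outside the ISV business unit, or has no role at all.

```python
"""Report which Dataverse security roles an ISV's user records actually hold.

Added example; not code from the original page or from Microsoft. It assumes
the JSON shape the Dataverse Web API returns for
  GET {org}/api/data/v9.2/systemusers
      ?$select=fullname,domainname,_businessunitid_value
      &$expand=systemuserroles_association($select=name)
and that the ISV's accounts can be recognised by their sign-in domain.
The sample payload below is constructed, not real tenant data.
"""
from __future__ import annotations

import json
import urllib.request

# Roles that defeat the table/column/business-unit restrictions discussed on
# this page. System Administrator has every privilege and the built-in
# System Administrator column security profile; System Customizer can change
# schema and security configuration, far more than a support account needs.
PRIVILEGED_ROLES = {"System Administrator", "System Customizer"}

# Constructed sample response (hypothetical users, domains and BU ids).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"fullname": "ISV Support 1", "domainname": "support1@isv.example",
         "_businessunitid_value": "bu-isv",
         "systemuserroles_association": [{"name": "System Administrator"}]},
        {"fullname": "ISV Support 2", "domainname": "support2@isv.example",
         "_businessunitid_value": "bu-isv",
         "systemuserroles_association": [{"name": "ISV Read-Only"}]},
        {"fullname": "Jane Finance", "domainname": "jane@contoso.example",
         "_businessunitid_value": "bu-root",
         "systemuserroles_association": [{"name": "Salesperson"}]},
        {"fullname": "ISV Support 3", "domainname": "support3@isv.example",
         "_businessunitid_value": "bu-root",
         "systemuserroles_association": [{"name": "System Customizer"}]},
    ]
})


def fetch_systemusers(org_url: str, access_token: str) -> str:
    """Pull the live payload (not exercised offline). org_url is the
    environment URL, e.g. https://yourorg.crm.dynamics.com; access_token is
    a bearer token issued for that environment's Web API."""
    query = ("/api/data/v9.2/systemusers"
             "?$select=fullname,domainname,_businessunitid_value"
             "&$expand=systemuserroles_association($select=name)")
    req = urllib.request.Request(org_url.rstrip("/") + query, headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
        "OData-MaxVersion": "4.0",
        "OData-Version": "4.0",
    })
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def isv_users(payload: str, isv_domain: str) -> list[dict]:
    """User records whose sign-in name belongs to the ISV's domain."""
    suffix = "@" + isv_domain.lower()
    return [u for u in json.loads(payload)["value"]
            if u.get("domainname", "").lower().endswith(suffix)]


def check_isv_access(payload: str, isv_domain: str, isv_business_unit: str) -> list[str]:
    """Findings that contradict a least-privilege ISV setup: a privileged
    role, a user outside the ISV business unit, or a user record with no
    role at all (a stale account worth disabling)."""
    findings: list[str] = []
    for user in isv_users(payload, isv_domain):
        who = user["domainname"]
        roles = {r["name"] for r in user.get("systemuserroles_association", [])}
        for role in sorted(roles & PRIVILEGED_ROLES):
            findings.append(f"{who}: holds {role}")
        bu = user.get("_businessunitid_value")
        if bu != isv_business_unit:
            findings.append(f"{who}: outside ISV business unit (in {bu})")
        if not roles:
            findings.append(f"{who}: no security role assigned")
    return findings


if __name__ == "__main__":
    for line in check_isv_access(SAMPLE_RESPONSE, "isv.example", "bu-isv"):
        print(line)
```

To run it against a live environment, replace SAMPLE_RESPONSE with the result of fetch_systemusers(org_url, token); the check is read-only and the account running it needs only Read on the user and security role tables.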
4. Conditional Access and Microsoft Entra ID Policies
- Customers can apply Conditional Access Policies to restrict when, where, and how ISVs access data:
- Require Multi-Factor Authentication (MFA)
- Block access from certain geographic locations or untrusted devices
- Limit the GDAP relationship itself: it is scoped to the roles the customer approved, runs for a fixed term (at most two years) and can be terminated by the customer at any time. Just-in-Time activation through Privileged Identity Management (PIM) is applied on the partner side to the security groups that carry the GDAP roles; the customer's lever is the scope and lifetime of the relationship.
5. Prevent Data Export and API Access
- Customers can limit the ISV's ability to pull data out of the environment:
- Remove the Export to Excel and Print miscellaneous privileges from the ISV's security role, and do not give the ISV the Environment Maker role, so it cannot build its own apps or flows over the data.
- Keep the ISV's accounts off Power Automate flows that run under a privileged user's or a service principal's Dataverse connection: a flow reads with the rights of its connection, not the rights of whoever triggers it.
- Apply Power Platform DLP (Data Loss Prevention) policies so the Dataverse connector cannot be combined in an app or flow with connectors that send data outside the tenant (HTTP, custom connectors, consumer storage). DLP governs connectors in apps and flows; it does not block direct Dataverse Web API calls, which are governed by the security role.
6. Logging and Monitoring ISV Activity
- Turn on auditing in the environment and for the tables that matter (Dataverse auditing is off by default) and enable activity logging, so the ISV's reads, exports and changes land in the Microsoft Purview audit log with the user, operation (message) and table recorded.
- Use Microsoft Defender for Cloud Apps to surface anomalous data access from the same sign-ins, e.g. activity at unusual hours or from unfamiliar locations.
- Alert on export operations, queries against sensitive tables and bursts of reads by the ISV's accounts. A denied access is a signal too, but a properly scoped Dataverse role simply returns nothing rather than an error, so watch successful reads as closely as denials.
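As an added example for the monitoring above (not code from the original page or from Microsoft), the detection below runs over Dynamics 365 activity log records in the shape the Purview audit export produces: it flags exports by ISV accounts, any query against a sensitive table, and bursts of RetrieveMultiple calls that look like bulk extraction. The field names follow the Dynamics 365 activity log schema and should be confirmed against an export from your own tenant; the ISV domain, the sensitive table name and the log records themselves are constructed for the example.

```python
"""Flag export and bulk-read activity by ISV accounts in Dataverse audit data.

Added example; not code from the original page or from Microsoft. It runs over
records in the shape of the Dynamics 365 activity log as exported from the
Purview audit search (the field names CreationTime, UserId, Workload, Message
and EntityName are taken from that schema; confirm them against an export
from your tenant). The records below are constructed, not a real log.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

ISV_DOMAIN = "isv.example"           # assumption: ISV accounts sign in from this domain
SENSITIVE_TABLES = {"new_payroll"}   # hypothetical table the ISV must never query
EXPORT_MESSAGES = {"ExportToExcel"}  # SDK message that pulls data out of the environment
BULK_READ_THRESHOLD = 5              # more RetrieveMultiple calls than this ...
BULK_READ_WINDOW_S = 300             # ... inside this many seconds counts as a bulk read

# Constructed sample log: one export, one sensitive-table query, one export by
# a customer employee (ignored), and six reads in six minutes by one ISV account.
SAMPLE_LOG = [
    {"CreationTime": "2024-05-01T02:10:00", "UserId": "support1@isv.example",
     "Workload": "CRM", "Message": "ExportToExcel", "EntityName": "contact"},
    {"CreationTime": "2024-05-01T09:00:00", "UserId": "support1@isv.example",
     "Workload": "CRM", "Message": "RetrieveMultiple", "EntityName": "new_payroll"},
    {"CreationTime": "2024-05-01T09:05:00", "UserId": "jane@contoso.example",
     "Workload": "CRM", "Message": "ExportToExcel", "EntityName": "contact"},
] + [
    {"CreationTime": f"2024-05-01T10:{minute:02d}:00", "UserId": "support2@isv.example",
     "Workload": "CRM", "Message": "RetrieveMultiple", "EntityName": "account"}
    for minute in range(6)
]


def is_isv(user_id: str) -> bool:
    return user_id.lower().endswith("@" + ISV_DOMAIN)


def detect(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) findings for ISV activity in CRM records."""
    findings: list[tuple[str, str, str]] = []
    reads: dict[str, list[datetime]] = defaultdict(list)

    for rec in records:
        if rec.get("Workload") != "CRM" or not is_isv(rec.get("UserId", "")):
            continue
        user, msg, table = rec["UserId"], rec.get("Message"), rec.get("EntityName", "")
        when = datetime.fromisoformat(rec["CreationTime"].rstrip("Z"))
        if msg in EXPORT_MESSAGES:
            findings.append(("export", user, f"{msg} on {table}"))
        if table in SENSITIVE_TABLES:
            findings.append(("sensitive-table", user, f"{msg} on {table}"))
        if msg == "RetrieveMultiple":
            reads[user].append(when)

    # Sliding window over each user's RetrieveMultiple timestamps; one finding
    # per user as soon as the window holds more than the threshold.
    for user, times in reads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > BULK_READ_WINDOW_S:
                start += 1
            if end - start + 1 > BULK_READ_THRESHOLD:
                findings.append(("bulk-read", user,
                                 f"{end - start + 1} RetrieveMultiple calls within {BULK_READ_WINDOW_S}s"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:16} {user:24} {detail}")
```

The thresholds are starting points: tune BULK_READ_THRESHOLD and BULK_READ_WINDOW_S to the ISV's normal support pattern, and extend SENSITIVE_TABLES with the logical names of the tables you secured in section 2.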
Summary: ISVs Have Admin Rights, But Data Can Still Be Restricted
Even if an ISV holds the GDAP Power Platform Administrator or Dynamics 365 Administrator role, customers still control access to the actual data through Dataverse security roles, table/column security, Business Units, Conditional Access, and DLP policies, provided the ISV's user records in the environment do not hold the System Administrator role. Verified that way, this Zero Trust approach lets the ISV manage the platform without exposing sensitive customer data.