
Environment Security & Access


Hi all

 

Might be a stupid question but this is a really unclear topic for me.

 

We are currently deploying an environment strategy at our company (prod/dev/test/..)

We assign security groups to access those environments.

- However, in the Microsoft docs it says that users in those security groups also need a Dataverse license in order to access the environment.

- And what about an environment strategy with only SharePoint Online based apps in our production environment? Do we need to license these users as well? This would be really strange.

- The Microsoft docs also state the following:

Control user access to environments: security groups and licenses - Power Platform | Microsoft Learn

NativeN_0-1673443492856.png

- Does this mean that if we assign 1 per app plan license to the environment, we are covered from a license perspective?

- Is this needed in order to define our environment strategy without having to license all users? We really want to avoid the default environment but we also don't want to license everybody when not leveraging Dataverse...

 

And a second question, when deploying the CoE in the tenant in a dedicated environment, we are advised to not assign a security group so end users can interact with the CoE.

- Does this mean that they can access the environment and said available data connectors? We want to restrict the usage of the HTTP connector, but this is required for the CoE. Only admins will be able to use the CoE, but since we cannot specify a security access group, is this a security gap?

 

 

Thank you in advance & kind regards

 

 

 

  • Verified answer
    joe_hannes_col (Super User 2024 Season 1)

    Hello @NativeN,

     

    Yes, the users you want to add to the environment need a proper license. We found the documentation to be a bit confusing/unclear, so we did some tests.

    It turned out that the users could be successfully added once they had the "Common Data Service" "app" from (in our case) M365 E3 enabled:

    joe_hannes_col_0-1673520580004.png

    They did not have a premium Power Apps license.

     

    Regarding your CoE question: if you do not give users a security role to create apps etc. in the environment (e.g. by not granting the Environment Maker role), they can only consume apps and flows in this environment.

  • NativeN

    Hi @joe_hannes_col 


    Thanks a lot for this info.

     

    Yes, indeed quite unclear, I thought so myself.

    Because if this was not the case, we couldn't apply a decent environment strategy without premium licensing everybody.

     

    Thanks a lot!

  • NativeN

    Hi @joe_hannes_col 

    Went to look for it; we don't seem to have that. And access was not possible without that extra 'license' checked?

     

    Kind regards

  • joe_hannes_col (Super User 2024 Season 1)

    Hello @NativeN,

     

    Could you please clarify what you are missing? The "Common Data Service" checkbox for your users' licenses?

  • NativeN

    Hi @joe_hannes_col 

    Yup, it isn't present in our tenant..

    Does this mean we need to keep working in the default environment when we are building apps based on SharePoint Online?

    The ideal scenario was to create a production environment, give access through a security group, and let users access apps in that environment with their Office license, since the apps only use SharePoint Online as a data source..

     

    Because if this is not possible, that would be a big bummer..

     

    Thank you in advance for your help

     

    EDIT: It does seem to be present under the 'Apps' section at the license pane..

    - Let's hope this works 🙂

    NativeN_0-1673539007114.png

     

  • joe_hannes_col (Super User 2024 Season 1)

    Hello @NativeN, just to be clear: I'm not talking about the licenses (e.g. Microsoft 365 E3), but about the apps and services that are included in the license. Through the M365 Admin Center, you can enable and disable these individual apps and services, as described here.

    My screenshot above refers to this subset of the E3 license.

    Since your users obviously have access to SharePoint Online, chances are fairly high that they should have a license that allows them to use Power Apps. Have you checked if you can add a user from your security group individually to the environment? If they have insufficient licenses, you will receive an error message about this.

    If this will not work, according to the Microsoft documentation assigning one (1) per-app pass to the environment would be considered sufficient licensing for all users you add to the environment.

  • NativeN

    Hi  @joe_hannes_col 

    Thanks again for the swift response..

    Man, this is really unclear documentation.. could have been made much easier.

     

    and indeed:

    If this will not work, according to the Microsoft documentation assigning one (1) per-app pass to the environment would be considered sufficient licensing for all users you add to the environment.

     

    This is also stated in the documentation. But then again, this seems like something that shouldn't be allowed from a licensing perspective 😂

    NativeN_0-1673539678895.png

     

    We'll see how it progresses.

     

    Thanks for all your help & testing!

     

  • kbirstein

    Let's just be honest and say the security documentation about Environments with Dataverse databases is a DISASTER. I teach Governance and I recommend NOT enabling Dataverse in an Environment if at all possible. Then one can simply use the Environment Maker/Environment Admin roles. If a Dataverse database is required because of the need to use solutions, I recommend using two AD Security Groups (or M365 groups), one for Admins (with the System Administrator & System Customizer security roles) and one for Makers (with the Environment Maker role). Then if the environment DOES NOT include apps using Dataverse as a data source, you're done as long as the users have an M365/Office365 E1, E3, E5 or F2 license, all of which include Power Apps/Power Automate with standard connectors (most frequently SharePoint) as a right. Also, I don't recommend using the top-level environment Security Group because it introduces too much complication.
