Controlling App Access in Dataverse Environments

Introduction

Data security is a critical aspect of managing Microsoft Dataverse environments. Organizations must ensure that only approved applications can interact with their data to prevent unauthorized data exfiltration and maintain compliance with security regulations.

Microsoft has introduced App Access Control as a preview feature to allow administrators to manage which applications can access a Dataverse environment. This feature enables organizations to permit or restrict applications based on predefined lists, helping to prevent malicious or unauthorized access to sensitive data.

Important Considerations

  • This is a preview feature and should not be used in production environments.
  • Functionality may be limited and subject to changes as Microsoft refines the feature.

How Does App Access Control Work?

App Access Control operates at the Dataverse authentication layer. When an application attempts to access Dataverse, the system:

  1. Validates the client application ID in the user's authentication token.
  2. Checks the application ID against the list of allowed and blocked applications.
  3. Grants or denies access based on the configuration.

This ensures that only trusted applications can connect to Dataverse, helping organizations prevent data loss and unauthorized access.

Authentication Methods in Dataverse

Users and applications authenticate using four different methods:

  1. User Context

    • Users log in with their credentials, such as those used in Dynamics 365 Sales.
  2. Application Context with User Impersonation

    • A first-party Microsoft application makes a request to Dataverse on behalf of the user.
    • Example: Power Automate impersonating a user to execute workflows.
  3. First-Party App with Service-to-Service Call

    • A Microsoft first-party service authenticates using its own application token.
    • Examples include background services like email synchronization.
  4. Third-Party Apps Registered in Azure

    • Custom applications authenticate using an Azure App Registration with a certificate or user token.

Scenarios Where App Access Control Applies

  • User context with user tokens

    • For all user token requests, the system verifies if the application ID is in the allowed or blocked list.
    • Public clients (applications without a secure identity) should only be allowed temporarily, if necessary.
  • Application context with user impersonation

    • When Power Automate or other services use a service-to-service application token to impersonate a user, the system verifies if the application is allowed or blocked.
    • If user impersonation is not used, access control is not enforced.

Exceptions: Apps Not Subject to Access Control

Certain first-party and partner applications are exempt from access control and will always have access to Dataverse.

  • First-party Microsoft applications with service-to-service calls.
  • Partner applications that use service-to-service authentication.

To block these apps, make them inactive or delete them from the environment in the Power Platform admin center.



Prerequisites for Enabling App Access Control

Before enabling App Access Control, administrators must meet the following requirements:

1. Verify Administrative Roles

To configure App Access Control, the user must have one of the following Power Platform roles:

  • Power Platform Admin
  • Dynamics 365 Admin

2. Ensure the Environment is Managed

  • The Dataverse environment must be a Managed Environment.

3. Enable Auditing

  • Auditing must be enabled to track application access.
  • To enable auditing:
    1. Sign in to the Power Platform Admin Center.
    2. Navigate to Manage > Environments and select the environment.
    3. Click Settings > Audit and logs > Audit settings.
    4. Enable Start auditing, Log access, and Read logs.
    5. Click Save.

4. Review the List of Pre-Authorized Applications

  • Certain Microsoft applications are pre-authorized and will automatically run in Dataverse.
  • These include applications using OAuth 2.0 On-Behalf-Of (OBO) authentication.

Managing Application Access in Dataverse

Adding an Application to the Allowed List

  1. Sign in to the Power Platform Admin Center.

  2. Navigate to Manage > Environments.

  3. Select the target environment and copy the Environment URL such as contoso.crm.dynamics.com.

  4. Open a new browser tab and enter the following URL, replacing <EnvironmentURL>:

    https://<EnvironmentURL>/main.aspx?forceUCI=1&pagetype=entitylist&etn=application&viewid=76302387-6f41-48e5-8eaf-4e74c1971020&viewType=1039
  5. The page lists all available applications in the environment.


  6. Click + New to add an application.

  7. Enter the Application ID (51f81489-12ee-4a9e-aaae-a2591f45987d) and Name.



  8. Click Save.

Note: By default, the XrmToolBox application is already listed under the name "Dynamics 365 Example Client Application". This may differ from environment to environment. If the Application ID already exists, you will not be able to create a new record with the same App ID.

Blocking an Application

  1. Navigate to App Access Control in the Power Platform Admin Center.
  2. Select the environment where the app should be blocked.
  3. Click Set up App Access Control.
  4. Add the Application ID to the Blocked Apps List.
  5. Click Save.

Removing an Application from the List

  1. Select the application from the allowed or blocked list.
  2. Click Delete.
  3. Repeat for any additional applications.

Note: If a system application is removed, it may be automatically restored by the system.


Modes of App Access Control

There are four different modes available:

1. Audit Mode (Recommended First Step)

  • Runs for at least one week to gather data on app usage.
  • Logs which apps access the environment without enforcing restrictions.

2. Enabled Mode

  • Sign in to the Power Platform admin center.

  • In the navigation pane, select Security.

  • In the Security pane, select Identity and access.

  • In the Identity and access management page, select App access control.

  • Select the environment where you want to turn on the app access control feature.

  • Select the Set up app access control button.

  • Select Enabled in the Access control dropdown list.

  • Select a Dataverse application, then select Allow or Block above the grid.

  • Select Save.

  • The environment list is displayed again. Repeat the procedure for each environment where you want to block the blocked apps and allow the approved apps. Close the panel when you're done.







3. Enabled for Roles Mode

  • Extends Enabled Mode by restricting allowed applications to specific Dataverse security roles.

4. Disabled Mode

  • Turns off app access control, allowing any authenticated application to access Dataverse.

Example: Blocking XrmToolBox from Accessing Dataverse

Scenario: Your organization wants to block XrmToolBox to prevent unauthorized access to Dataverse.

Steps to Block XrmToolBox

  1. Note the App ID for XrmToolBox - 51f81489-12ee-4a9e-aaae-a2591f45987d
  2. Sign in to the Power Platform Admin Center.
  3. Navigate to Environments > App Access Control.
  4. Search for XrmToolBox App ID and select Block.
  5. Click Save.

Once applied, XrmToolBox will no longer be able to connect to Dataverse.
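
The check described under "How Does App Access Control Work?" can be modelled offline to preview what a planned allowed/blocked list would do before moving from Audit to Enabled mode. The Python below is an added example, not Microsoft's implementation and not code from the original post: the function names, mode strings, result labels and the rule that a block entry wins over an allow entry are assumptions of this example, and the token is a constructed, unsigned sample. The client application ID is read from the `appid` claim (v1.0 access tokens) or the `azp` claim (v2.0).

```python
import base64
import json

XRMTOOLBOX_APP_ID = "51f81489-12ee-4a9e-aaae-a2591f45987d"  # App ID quoted on this page


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}.sig"


def client_app_id(token: str) -> str:
    """Read the client application ID claim: 'appid' (v1.0) or 'azp' (v2.0)."""
    # The signature is NOT verified; use this for review, never for real access decisions.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    app_id = claims.get("appid") or claims.get("azp")
    if not app_id:
        raise ValueError("no client application ID claim in token")
    return app_id.lower()


def decide(token, mode, allowed, blocked, acts_for_user=True):
    """Model the three steps on this page. Mode names and labels are this example's own."""
    if mode == "disabled" or not acts_for_user:
        return "not-enforced"  # calls without user impersonation are not checked, per the page
    app_id = client_app_id(token)
    if app_id in blocked:  # assumption: a block entry wins over an allow entry
        listing = "blocked"
    elif app_id in allowed:
        listing = "allowed"
    else:
        listing = "unlisted"  # needs an explicit decision before enforcement
    return f"audit-only:{listing}" if mode == "audit" else listing


if __name__ == "__main__":
    token = make_sample_token({"appid": XRMTOOLBOX_APP_ID})  # constructed sample
    for mode in ("audit", "enabled", "disabled"):
        print(mode, decide(token, mode, allowed=set(), blocked={XRMTOOLBOX_APP_ID}))
```

Running it over the application IDs collected during the audit week shows which apps are still "unlisted" and need an allow or block decision before enforcement is turned on.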




Conclusion

The App Access Control feature in Power Platform offers a powerful way to manage application access to Dataverse. By implementing access restrictions, organizations can:

  • Prevent unauthorized applications from exporting sensitive data.
  • Ensure that only trusted apps are used in their environment.
  • Improve security and compliance with governance policies.

Since this feature is still in preview, Microsoft recommends testing it in a non-production environment before deploying it broadly.

