Security in Power Platform

 

1️⃣ Security in Power Platform — Hierarchical View

Think of security in the Power Platform as layered from broad tenant-wide controls at the top down to record-level access at the bottom.

---

Level 1 – Tenant-Wide Security

• Scope: Entire Microsoft 365 tenant (all environments & users)

• Controlled by: Microsoft 365 Admin / Power Platform Admin

• Key Aspects:

  • Azure AD Authentication (SSO, MFA, Conditional Access)

  • Licensing & Entitlements (e.g., which users can even access Power Apps/Automate)

  • Tenant-level DLP Policies (block high-risk connectors across all environments)

  • Tenant Isolation Settings (limit data movement between tenants)

• Real-World Use:
  Block Twitter connector globally to ensure no data leaves the tenant.

---

Level 2 – Environment Security

• Scope: One specific Power Platform environment

• Controlled by: Power Platform Environment Admin

• Key Aspects:

  • Environment Roles:

    • Environment Admin – full control over apps, flows, settings

    • Environment Maker – can create resources but not manage security

  • Environment DLP Policies – can override global policies for specific needs

  • Security Groups for environment access control

• Real-World Use:
  Only HR staff have access to HR App Environment; marketing cannot even see it in their app list.

---

Level 3 – Dataverse Security Roles

• Scope: Dataverse database within an environment

• Controlled by: Dataverse System Administrator

• Key Aspects:

  • Security Roles – define CRUD permissions for tables, forms, dashboards

  • Access Levels:

    • Global (Organization)

    • Business Unit

    • Child Business Unit

    • User-Level

    • None

  • Team Access – security roles can be assigned to teams for group-based permissions

• Real-World Use:
  Sales reps can only view their own opportunities; sales managers can view team opportunities.

---

Level 4 – Business Unit Hierarchy

• Scope: Structural division of data ownership in Dataverse

• Controlled by: Dataverse Admin

• Key Aspects:

  • Parent-Child structure

  • Security roles assigned at business unit level cascade down

• Real-World Use:
  APAC sales team is a child business unit under Global Sales; their data is visible to global managers but not to EMEA sales reps.

---

Level 5 – Record-Level Security

• Scope: Single record in a Dataverse table

• Controlled by: Sharing & Access Teams

• Key Aspects:

  • Record Sharing – user-to-user or user-to-team

  • Access Teams – ad-hoc access without changing security roles

• Real-World Use:
  Share a sensitive contract record with the legal team only.

---

Level 6 – Field-Level Security

• Scope: Individual fields (columns) in a table

• Controlled by: Field Security Profiles

• Key Aspects:

  • Can Read/Update/Create at field level

  • Sensitive fields (e.g., salary, personal ID) are masked unless explicitly allowed

• Real-World Use:
  HR can see salary field; hiring managers can’t.

---

2️⃣ Data Loss Prevention (DLP) — Hierarchical Enforcement

Level	Policy Scope	Description	Example
Tenant-level DLP	All environments	Prevents specific connector combinations globally	Block Twitter & Dropbox in all environments
Environment-level DLP	One environment	Overrides or refines tenant policy for local needs	Allow Salesforce in Sales environment only
Per-app DLP	Individual app/flow	Controlled indirectly via connector rules	A specific flow can only use internal connectors

---

3️⃣ How They Work Together

• Tenant Admin sets broadest rules → applies everywhere.

• Environment Admin narrows rules for local needs.

• Dataverse Security Roles → define what users can do in a database.

• Business Units & Teams → structure who sees what.

• Record & Field Security → most granular control.

---

4️⃣ Best Practices

• Least privilege → give only what’s needed.

• Separate environments for Dev / Test / Prod.

• Use security groups for environment access.

• Audit & monitor via Power Platform Admin Center & Audit Logs.

• Review DLP regularly when new connectors are added.

Power Plartform Coding Standards and Best Practices.

Power Apps guidance documentation provides best practice information from the team that works with our enterprise customers. We'll regularly add and update the guidance content.

Please follow the link to get more details.

Power Apps guidance documentation - Power Apps | Microsoft Learn

Power Apps coding guidelines - Power Apps | Microsoft Learn

Components & Their Usages in Dynamics 365 CRM

 

✅ Key Components & Their Usages in Dynamics 365 CRM

Component	Usage / Purpose
Entities / Tables	Core data structure (e.g., Account, Contact, Lead, Opportunity); stores business data.
Forms	UI for users to interact with data; customizable per role and device.
Views	Define how lists of records are displayed; used in grids, lookups, dashboards.
Dashboards	Visual insights using charts, KPIs, and data views; used for user-specific reporting.
Business Process Flows	Guide users through standardized business stages (e.g., sales or case resolution).
Business Rules	No-code logic to show/hide fields, set default values, enforce validation.
Workflows (Classic)	Legacy process automation for background tasks like email notifications.
Power Automate (Flows)	Modern, cloud-based automation for tasks, approvals, and integrations.
Plugins	Custom server-side logic triggered by platform events (e.g., create/update/delete).
Custom Workflow Activities	Custom C# logic used in classic workflows for reusable business operations.
JavaScript (Client Scripts)	Runs on forms for real-time validation or dynamic field control.
Security Roles	Control user access at entity, field, and record levels.
Teams / Business Units	Used for structuring user access and data ownership.
Solutions	Package and deploy customizations across environments (managed/unmanaged).
Power Pages	External-facing portals for customers or partners to interact with CRM data.
Dataverse	The underlying data platform used to store, secure, and manage data.
Model-driven Apps	Customized UI apps built using Dataverse tables and views for specific roles.
Web Resources	Store HTML, JS, CSS, images used in forms and custom interfaces.
Audit History	Tracks changes at field level for compliance and traceability.
Field-Level Security	Restricts visibility of sensitive data to specific users/roles.
AI Features / Copilot	Offers recommendations, automation, and insights based on business data.
Power BI Integration	Advanced reporting and dashboarding with CRM data via live or scheduled refresh.
Mobile App Support	Access CRM data and functionality via official Dynamics 365 mobile apps.

The Cynefin Framework

 With problem-solving and decision making there are different approaches depending on the situation. An approach that works well in one situation can prove ineffective or even counterproductive in another. A framework that can help you think about this is the Cynefin Framework developed by Kurtz and Snowden.

This sensemaking framework provides you a context to think through the details of a situation, classify it, and understand the appropriate response to make the most of the situation.

As per the diagram above the Cynefin Framework outlines five domains:

Obvious or Simple (the known) — We’ve seen this a million times and as such can categorize and respond according to established best practices. The relationship between cause and effect is well known.

Complicated (the knowable) — Although we don’t immediately know what is happening, we can analyze the situation and come to a conclusion of what must be done. We can enlist experts to analyze, set up constraints and a process addressing resolution.

Complex (the unknowable) — We’re not able to determine what will cause a particular result. The best course of action is to conduct experiments and check if any or all take us in the correct direction. A lot of time when human opinion and decision is involved we could be working in this area; simply because humans are complex beings.

Chaotic (the incoherent) — The situation is very unstable. We don’t have time to experiment or probe since the situation is dire and we need to act. An IT issue that must be taken care of immediately with no delay may be categorized as such. If we have no time to figure out a system deadlock issue, we may opt to get ourselves out of this chaotic state by rebooting the server.

Disorder (not determined) — Anything whose domain has not been determined falls into this domain.

An interesting point to make about the placement of the “Simple” and “Chaotic” domains next to each other is to make the point that poorly managed simple systems can quickly become chaotic, requiring rapid triage to bring them back under control. 

Of particular interest to me is the un-ordered “Complex” domain which Snowden describes in some detail in an excellent HBR article as having the following characteristics:

It involves large numbers of interacting elements.

The interactions are nonlinear, and minor changes can produce disproportionately major consequences.

The system is dynamic, the whole is greater than the sum of its parts, and solutions can’t be imposed; rather, they arise from the circumstances. This is frequently referred to as emergence

The system has a history, and the past is integrated with the present; the elements evolve with one another and with the environment; and evolution is irreversible.

Though a complex system may, in retrospect, appear to be ordered and predictable, hindsight does not lead to foresight because the external conditions and systems constantly change.

Unlike in ordered systems (where the system constrains the agents), or chaotic systems (where there are no constraints), in a complex system the agents and the system constrain one another, especially over time. This means that we cannot forecast or predict what will happen.

Leaders who don’t recognise that a complex domain requires a more experimental mode of management may become impatient when they don’t seem to be achieving the results they were aiming for. They may also find it difficult to tolerate failure, which is an essential aspect of experimental understanding. If they try to overcontrol the organization, they will preempt the opportunity for informative patterns to emerge. Leaders who try to impose order in a complex context will fail, but those who set the stage, step back a bit, allow patterns to emerge, and determine which ones are desirable will succeed.

 

- Many thanks to the original owners of these contents 🙏

Scrum Master - Roles and Responsibilities

 Roles & Responsibilities of a Scrum Master - Deep Dive

A Scrum Master (Scrum Master), popularly known as the “servant leader” is a coach, motivator, and leader of an Agile team. The role of a Scrum Master is to educate the team on Agile processes and help team members follow Scrum practices religiously.  

A good Scrum Master helps to establish a high-performing team dynamic, a continuous flow, and exponential improvement in processes. They are required to play a pivotal role and are responsible for the progressive development of a Scrum team.  

The Scrum Master collaborates both with the Product Owner (PO) who focuses on building the right product and the development team that focuses on building the product right. A Scrum Master’s job is essentially to help everyone understand and imbibe Scrum values, principles, and practices and get the best product out to the customer.

Read on to find out about the Scrum Master role and responsibilities, and much more!

So, who exactly is a Scrum Master?

A Scrum Master is a 'master' or expert in Scrum and has the ability to coach the team in the values, principals, and processes of the Scrum framework.  

Despite what the title implies, the Scrum Master does not have the full authority to make strategic product decisions. However, he or she is accountable for the Scrum process and the effectiveness of the scrum team. Any decisions on the scope of the work are the responsibility of the Product Owner and not the Scrum Master.

The Scrum Guide has defined a set of roles, rules, values, and rituals that should be followed to get the optimum benefit of Scrum. The Scrum Master works in sync with the development team, Product Owner as well as the entire organization and coaches them through the implementation of the Scrum framework.  

Scrum is very easy to understand, but at the same time equally tough to implement. While the Scrum Guide lays out precise instructions for following Scrum, almost all participants tell me in my training programs that they are using their own version of Scrum and not doing it by the book!

Let’s try and understand the challenges faced by the Scrum Master and how he or she plays the role of a servant leader.

Scrum Master’s Role

A Scrum Master collaborates with all the members of the team and is required to provide various services to the Product Owner, the Team, and the organisation.

1. Scrum Master’s service to the Product Owner

What is one service the Scrum Master provides to the Product Owner?

The Scrum Master both guides and serves the Product Owner in more ways than one including:

• Formulating techniques for effective Product Backlog Management,
• Helping the team understand the need for clear and concise product backlog items, 
• Imparting the understanding of product planning in an empirical environment, 
• Ensuring that the Product Owner has clarity on arranging the product backlog to yield maximized value, 
• Understanding and practicing agility, and 
• Facilitating Scrum events as requested or needed.

2. Scrum Master’s service to the development team

What is one service the Scrum Master provides to the Development Team?

The Scrum Master has an important role to play with respect to the development team.

• Removing project impediments that stand in the way of team productivity and performance
• Helping the development team to create high-value products
• Ensuring the development team is working effectively, by conducting regular reviews
• Creating transparency in processes and resolving conflicts
• Helping the team to understand and follow the goals, scope of work, and product domain
• Facilitating Scrum events as requested or needed, and 
• Coaching the Development Team in organizational environments in which Scrum is not yet fully adopted and understood.

3. Scrum Master’s service to the organization

What is one service the Scrum Master provides to the organization?

The Scrum Master has several responsibilities to the organization as well.

• Helping employees and stakeholders understand and implement Scrum practices 
• Acting as a change agent that increases the productivity of the team 
• Leading and guiding the organization in successful Scrum adoption, by streamlining processes and ensuring that every member on the team follows the Scrum framework
• Taking part in planning Scrum implementations within the organization, and 
• Working with other Scrum Masters to increase the effectiveness of the application of Scrum in the organization.

Scrum Master on a SAFe Team

A Scrum Master on a SAFe team creates and nurtures an environment that supports smooth team dynamics, ensures continuous flow through the Agile Release Train, and facilitates ongoing improvement.

A SAFe Scrum Master undertakes the following responsibilities

• Promotes a Lean-Agile mindset and exhibits leadership behaviour, supporting and enforcing team rules
• Helps the team to drive relentless improvement and progress toward goals
• Hosts and facilitates Scrum events
• Supports the PO and acts as a bridge between the PO, team, and the organization
• Removes obstacles  
• Promotes SAFe practices, and supports SAFe adoption across the enterprise
• Coordinates activities on the ART, prepares for ART events, and
• Works in tandem with Scrum Masters on other teams to improve the overall Value Stream.

A SAFe Scrum Master represents the team in the Scrum of Scrums, keeping them aware of all efforts to engage and build upon program effectiveness across teams.

Some common pitfalls/mistakes made by the Scrum Master

Scrum Master acts as a commander

Project managers turned Scrum Master are still hung up on the "command and control" style of leadership. They need to behave like an agile coach but they often end up behaving like wardens handling their jail prisoners. In many cases, they take over the full ownership and responsibility of the project, which goes against the grain of Scrum.

In such a scenario, the team never starts to take on the responsibility for their actions. Instead, a good Scrum Master can just show the way by which the team can carry out their own work, and assume ownership of the product.

Scrum Master and Product Owner are the same

Most often this does not work well because of the different kinds of focus that these two roles have. The Product Owner is the VOC – Voice of Customer and speaks in the best interest of the stakeholders and the product that is being visualized.  

The Scrum Master is supposed to be focused on the long-term effectiveness of the team so that the team structurally improves in delivering value to the stakeholders. He or she has to make sure that the interest of the team doesn’t suffer.

When one individual is tasked with assuming the role of both Scrum Master and Product Owner on the team, more attention could be paid to the short-term needs of stakeholders at the cost of the team.

Interfering with technical issues of the team

It might happen that the Scrum Master is someone who has a strong technical background. They could then feel the urge to advise the development team on technical issues, since they may think that work will progress faster if they give the solution to the team.

This is not always the best way to go about matters. The Scrum Master should trust the team to take the right technical decisions and should not interfere in technical aspects.

Characteristics/Must-Have Skills for a Scrum Master

What are the characteristics that a Scrum Master must possess, to be exceptional at their job? Here are the top traits of a successful Scrum Master.

Knowledgeable

First and foremost, a person who wants to be an effective process coach should be knowledgeable. The same holds true for a Scrum Master, who must understand the technical issues the team needs to address and the technologies the team will use to come up with end solutions. However, while they should be aware of the domain, they are not required to be an expert.

Patient

A Scrum Master needs to be patient and give time to the team to arrive at appropriate answers on their own. At times, all that may be needed is to oversee how the team is dealing with a certain issue, and step in only when they are unable to deal with it without support.

Collaborative

As a Scrum Master, you should have the right collaboration skills to work with the product owner, development team, and all other parties; even those who might not be directly involved with Scrum. The Scrum Master works as a process coach to help the Scrum team members achieve their goals.

Transparent

Last but not least, the Scrum Master should be transparent in all forms of communication. When working with team members, there should be no hidden agendas; what you see and hear from the Scrum Master must be what you get. People expect nothing less of a servant leader.

The Scrum Master also promotes transparent communication outside of the Scrum team. Without transparency, it is difficult for the organization to inspect and adapt to achieve the desired business results using Scrum.

Top 7 responsibilities of a Scrum Master

The Scrum Master wears many hats, and carries out several mission-critical responsibilities on the Scrum project. Here is a curated Scrum Master responsibilities list.

1. Coaches team members

The Scrum Master acts as the coach for both the development team and the product owner. By acting as a bridge between the roles, he or she can enable the product owner to directly drive development.  

The Scrum Master knows the capabilities of the team and constantly finds ways to help the team to boost performances and enhance productivity. 

He or she makes sure that the team is well trained, and understands Agile well enough to address challenges on its own.

Like any good coach, the Scrum Master does not solve the problems faced by the team, rather, they facilitate them in solving the problem themselves. Only in extreme cases when the team is unable to find a resolution, the Scrum Master takes full accountability and ownership of the problem and gets it resolved.

2. Hosts Daily Stand-up Meetings, Sprint Planning Meetings, Retrospectives and Reviews

The Scrum Master will facilitate and host all the Scrum events, including Sprint Planning Meetings, Daily Stand-up Meetings, Reviews and Retrospectives.

Sprint Planning Meeting

The Scrum Master in this meeting shall prevent the development team from being over-ambitious by selecting more Product Backlog items than they can deliver. If the Scrum team is not very mature, they may also require help in estimation.

Daily Stand-up

While the Scrum Master is not required to be a part of the Daily Scrum, he or she should make sure that the development team conducts it on time. In case the development team is distributed, the logistics to coordinate the Daily Scrum are made available to the development team.

Sprint Review

The Scrum Master is a part of the review meeting and captures the feedback raised by the stakeholders. This feedback is used to take inputs from the team in the retrospective meeting.

Sprint Retrospectives

The Scrum Master conducts the retrospective meeting, noting down the areas of improvement that were suggested by the team. At times, the Scrum Master could ask someone else to conduct the retrospective meeting so as to get a different point of view on the process improvement.

3. Acts as a Servant Leader

The Scrum Master is often referred to as a servant leader. A servant leader is someone who asks, “what can I do today to help you and the team be more effective?” rather than asking “what are you going to do for me today?”

His or her objective is to enhance and increase teamwork and personal involvement. Rather than being a master of the team, the Scrum Master is a master at encouraging, enabling, and energizing people and helping them to realize their potential.

A servant leader should have the following qualities:

• Listening skills 
• Empathy 
• Cultivating a culture of trust 
• Acting with humility 
• Encouraging others

As a servant leader, the Scrum Master’s duties include:

• Leading the team through healthy conflict and debate on ideas 
• Teaching, mentoring and coaching the organization and team in adopting and using Scrum 
• Helping the team remove and prevent impediments 
• Empowering and guiding the development team on self-management.

4. Helps the Product Owner with the Product Backlog

While it is the Product Owner’s responsibility to create and maintain the product backlog, the Scrum Master helps the product owner refine and groom the tasks, based on the current status of the work and development needs. The Scrum Master is in the best position to do this, using the information gathered from the daily stand-up meetings.

The Scrum Master helps with the product backlog by scheduling review meetings and prioritizing tasks on user stories.

5. Protects the Team from outside interference

The Scrum Master acts as a protector and helps the team by protecting it from outside interference that comes in the way of delivering the business value during each sprint.

Interference can come from many sources; for instance, it can be from managers who want to redirect team members in the middle of a sprint. No matter what the source of the interference, the Scrum Master acts as an interceptor and solves the issue amicably.

6. Removes obstacles

A core responsibility of the Scrum Master is to help the team stay focused on the tasks that need to be done in each iteration, and for this, any distractions and roadblocks that can impede progress must be ironed out. This is important especially when the team members cannot easily remove those impediments on their own.

For instance, if team members are being forced to attend too many unimportant meetings that do not allow them to make progress on the work, the Scrum Master can work with meeting organizers to pare down the number of attendees for each meeting. Only those who are absolutely essential can participate.

If a team member is being assigned tasks on multiple teams, the Scrum Master can work to redistribute the workload.

Again, there could be internal disagreements in the team about their individual working styles or there could be disagreements about the Scrum process itself. The Scrum Master may have a one-on-one meeting with development team members to understand the same and resolve such conflicts before they escalate into full-blown disagreements.

7. Teaches and upholds Scrum practices and principles

The Scrum Master is well versed in all key Scrum practices and processes and knows how to follow the core values of Scrum. If the other team members are new to Agile, the Scrum Master acts as a mentor and teacher to guide new team members, helping them to learn the ropes and ensuring work does not slow down. 

The Scrum Master has the authority to ensure whether the team enacts and adheres to the Scrum values, principles, and practices. Whenever they are found wanting, as a teacher, the Scrum master will help them to understand the scope and vision, and adhere to Scrum practices and rules.

In doing so, the Scrum Master helps the Scrum team to improve the process and helps in maximizing the delivered business value.

------------------------------------------------------   ***************   --------------------------------------------------------