Earlier this year, researchers discovered that a Microsoft Power Apps security configuration issue had led to some 38 million records being exposed online. Personal information, including vaccination appointments, Social Security numbers, employee IDs, email addresses and COVID-19 contact tracing, was effectively being published online via Power Apps portals.
The issue arose because of the way that certain Power Apps portals were set up. When people build Power Apps, they can set up web-based portals that display data to employees and members of the public in a browser. By default, however, all of that data was made public too. To keep this information private, Power Apps developers needed to tick a specific box when building apps. Many people did not realize this was the case, and this caused the leak.
Although the issue has now been fixed, it is a reminder of the importance of Power Apps security best practice. Here is a quick refresher on Power Apps user permissions and security.
Overview of Power Apps security levels
Microsoft Power Apps allows you to build functional apps using no (or small amounts of) code. The idea is that anyone with a basic understanding of application logic can build tools that will help their colleagues to be more productive. The risk, however, is that without a good understanding of security, people might accidentally share sensitive data.
Generally speaking, Microsoft Power Apps security settings are user friendly. You just need a general understanding of security concepts to reduce the risk of a breach.
Power Apps lets you build security into your apps in the following ways:
Power Apps permissions define who is allowed to use the application, enter data, or view tables and forms. When building the app, you need to define specific user groups and state what each group can and can’t do with the application.
Example: Imagine your organization had an app where employees could enter their bank details and update them if they ever changed who they bank with. Evidently, only a limited number of people should be allowed to view data about the employee’s bank details. When building the app, you can use Active Directory security groups to ensure that only your finance department can see individual records.
Once you have finished building your application, you will want to share it with end users. Depending on the purpose of the app, you need to set app sharing controls which define who can use the app and what they can do with it.
Example: Your customer success team might want to use a Power App that requests feedback from clients. You would therefore want to limit access to the app to individuals in the customer success team – and prevent the application or its data being accessible to anyone else.
Microsoft also allows you to set Power Apps security limits on the databases linked to each application. Each time a record is updated or changed in the app, this will be reflected in a spreadsheet on the backend. You can set permissions which define who can view the database itself, who can edit specific records within it, or even individual cells.
Example: Your company has an expense reporting application, and your finance department decides they need to update certain employees’ expense claims. The finance team has access to the backend database, but you don’t want all employees to be able to make tweaks to the system. You therefore set database permissions so that only the head of finance can make certain kinds of changes to cells in records.
Other considerations for Power Apps security
Besides setting Power Apps user permissions and controlling Power Apps portals, there are some other more general considerations you should bear in mind for improving your app’s security.
- Update permissions routinely
Employees will join and leave your organization or shift from one department to another. At regular intervals, you should take the time to update your permission settings in Power Apps to ensure that only the right people are allowed to interact with the app or its data.
There are many different laws about personal data management, defining what organizations can and can’t do with it – and these rules sometimes change or are updated. Every few months – or when announcements are made – you should verify that your Power Apps are still compliant with relevant legislation.
- Monitor app and user activity
Power Apps admin analytics lets you see how each app is being used. You can monitor this to identify unusual behavior and see if your apps are leaking data.
Support with your Power Apps security
As the recent Power Apps portals configuration issue revealed, it is possible to create Power Apps that are not completely ‘watertight’. This can lead to embarrassing and potentially expensive data breaches.
At Bauen, we help companies to design and build Power Apps to the highest security standards while letting them benefit from low and no code application development.