Security page overview
The Security page in the Power Platform admin center is designed to enhance your organization's security and streamline management. The Security page provides a centralized location to view and manage security recommendations, assess your security score, and implement proactive policies to safeguard your organization.
Administrators can:
- Assess security score: Understand and improve your organization’s security policies with the security score. This score is illustrated on a qualitative scale (Low, Medium, or High) and helps you measure your organizational security position for Power Platform and Dynamics 365 workloads.
- Act on recommendations: Identify and implement impactful recommendations generated by the system based on best practices to improve your tenant's security score.
- Manage proactive policies: Manage proactive policies for governance and security.
Prerequisite
To see your security score, you must turn on tenant-wide analytics. For instructions, see How do I enable tenant-level analytics?
Note
It might take up to 24 hours to populate the Security page with data after you turn on tenant-wide analytics. Until then, most sections on the page display “Calculating security score”.
Access the Security page
To access the Security page, you must have Microsoft Entra ID roles such as Power Platform administrator or Dynamics 365 administrator. Learn more about these roles at Use service admin roles to manage your tenant.
1. Go to the Power Platform admin center.
2. From the navigation pane, select Security.
3. Select the page you want to view in the Security section. You can view pages for network security, access controls, threat detection, and compliance.
Note
On each security page, the features that apply to Managed Environments are noted with this icon:
Key capabilities
Security score (preview)
[This section is prerelease documentation and is subject to change.]
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
The security score is calculated based on the security features turned on in your environment. It provides a measurement of your organizational security position for Power Platform and Dynamics 365 workloads. The score is calculated using this formula:
(your score/total possible score) * 100
- Qualitative scale: The security score is illustrated on a qualitative scale with labels of Low (0-50), Medium (51-80), or High (81-100). The more security features you have turned on, the higher your security score. Medium and High assessment labels indicate that more recommended actions have been taken, improving the security position of the tenant.
- Feature impact: Each security feature is assigned a score based on its scope and the number of resources impacted by turning the feature on or off. As new security features are added, the total possible score may change, which can affect your overall score even if your settings remain the same.
- Score calculation formula: The security score is calculated using the formula: (your score/total possible score) * 100.
For example, if you have a tenant with 10 environments (five Managed Environments and five non-Managed Environments), and you have the following features configured:
- IP firewall: On in two of 10 environments (2 points)
- Tenant isolation: On in 10 of 10 environments (10 points)
- Environment security group: On in five of 10 environments (5 points)
Your total score would be 2 + 10 + 5 = 17, and the total possible score would be 30. Your security score would be (17/30) * 100 = 56.66%.
Important
The security score refreshes every 24 hours, and any action you take could take up to 24 hours to be reflected in the updated score. The score calculation takes into account all environments, including both Managed Environments and non-Managed Environments. If there are no Managed Environments to take action on in the recommendation panel, you will see no environments listed.
Reactive governance through recommendations
The system generates various recommendations based on common best practices that improve the security score of your tenant. Recommendations are actions or measures that the administrator can take to enhance their overall security status.
- Administrators are guided through an intuitive experience to take relevant actions on environments for specific recommendations.
- Each recommendation shows the potential increase to the overall security score.
While these recommendations span all environments, you can only act on them in environments that are managed. For non-Managed Environments, you have the option to turn on recommended features by navigating to the Settings page, locating the necessary feature, and turning it on for those environments.
Conditions that trigger feature recommendations
Below is a table outlining the conditions that trigger specific feature recommendations.
Feature | Scope | Recommendation triggering condition |
---|---|---|
Administrator privileges | Environment | Environments with more than 10 administrators. |
Auditing | Environment | Environments with auditing turned off. |
Customer Lockbox | Tenant | Tenants with Customer Lockbox on, but no Managed Environments. |
Client application access control | Environment | Environments with auditing turned on and client application access control not configured. |
Data policy | Tenant | No tenant level policy set. |
Environments Azure Virtual Network | Environment | Environments with no Virtual Network policy. |
Environment security group | Environment | Environments with no security group. |
Guest access | Environment | Environments with restricted guest access turned off. |
IP firewall | Environment | Environments with IP firewall not configured. |
IP address-based cookie binding | Environment | Environments with IP address-based cookie binding not configured. |
Sharing | Environment | Environments with no sharing limit. |
Tenant isolation | Tenant | Tenant isolation setting is turned off. |
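The scoring formula and four of the environment-scoped rows of the table above, applied to a constructed inventory. This is an added example, not Microsoft's code: the `Env` fields, the one-point-per-environment weighting (taken from the page's worked example), and the treatment of fractional percentages between bands are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Env:  # hypothetical inventory record, not a Power Platform API type
    name: str
    managed: bool
    admins: int
    auditing: bool
    ip_firewall: bool
    security_group: bool
    tenant_isolation: bool  # tenant setting counted per environment, as in the page's example

# Environment-scoped rows from the table: True means the recommendation fires.
TRIGGERS = {
    "Administrator privileges": lambda e: e.admins > 10,
    "Auditing": lambda e: not e.auditing,
    "Environment security group": lambda e: not e.security_group,
    "IP firewall": lambda e: not e.ip_firewall,
}
SCORED = ("ip_firewall", "tenant_isolation", "security_group")

def security_score(envs):
    """(your score / total possible score) * 100, one point per environment per feature."""
    earned = sum(getattr(e, f) for e in envs for f in SCORED)
    possible = len(envs) * len(SCORED)
    return earned, possible, earned / possible * 100

def label(pct):
    # Page bands: Low (0-50), Medium (51-80), High (81-100).
    # Assumption: a fractional value between two bands counts toward the upper one.
    return "Low" if pct <= 50 else "Medium" if pct <= 80 else "High"

def recommendations(envs):
    """Map feature -> [(environment, actionable)]; only Managed Environments are actionable."""
    hits = {f: [(e.name, e.managed) for e in envs if fires(e)]
            for f, fires in TRIGGERS.items()}
    return {f: h for f, h in hits.items() if h}

def sample_tenant():
    # Constructed data: 10 environments, 5 managed, IP firewall on in 2,
    # tenant isolation on in all 10, security group on in 5.
    return [Env(f"env{i}", managed=i < 5, admins=12 if i == 0 else 3,
                auditing=i != 9, ip_firewall=i < 2, security_group=i < 5,
                tenant_isolation=True) for i in range(10)]

if __name__ == "__main__":
    earned, possible, pct = security_score(sample_tenant())
    print(f"{earned}/{possible} = {pct:.2f}% ({label(pct)})")
    for feature, envs in recommendations(sample_tenant()).items():
        print(feature, envs)
```

Environments flagged with `actionable` set to `False` are the non-Managed Environments, where the feature has to be turned on from the Settings page instead of the recommendation panel.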
Manage proactive policies for governance and security
Several security features help secure your tenant. Some of these features require the environment to be set as managed type as a prerequisite. If you decide to enable such a feature, you're prompted to first change the environment to managed type before you can configure the feature.
Use the following links to view and manage proactive policies for governance and security.
- Network security: Protect applications and cloud workloads from network-based cyberattacks with features like IP firewall, IP address-based cookie binding, and Azure Virtual Network.
- Access controls: Ensure only authorized users can access specific resources with features like tenant isolation, data policies, environment security groups, and sharing controls.
- Threat detection: Protect your organization’s assets and resources through unified detection, with features like auditing.
- Compliance: Implement robust compliance measures to safeguard organizational data and ensure adherence to industry regulations with features like Customer Lockbox and customer-managed key.
Frequently asked questions (FAQs)
How is the security score calculated?
The security score is calculated based on the security features turned on in your environment. Each security feature is assigned a score based on its scope and the number of resources impacted by turning the feature on or off. It’s important to note that as new security features are added, the total possible score may change. This means that your overall security score might be affected even if your current settings remain the same.
Why don’t I see all the environments in the recommendation action?
These recommendations span all environments, but you can only act on them in Managed Environments. For non-Managed Environments, you have the option to turn on recommended features by navigating to the Settings page, locating the necessary features, and turning them on for those specific environments.
Can customers modify the recommendations based on their needs?
No. The recommendations are system-generated and are based on Microsoft's best practices and guidance.
When is the security score updated after taking recommended actions?
Once you have taken action to turn on the feature, it might take up to 24 hours for the change to be reflected in the overall security score. The security score isn't updated in real time.