The blog post by EY Kalman, professionally known as The CRM Ninja, covers his experience rolling out the Microsoft Power Platform Centre of Excellence (CoE) toolkit, and offers useful insights into running a Power Platform tenant properly.
The toolkit gathers telemetry about environments, Power Apps, flows and so on through the Power Platform admin connectors, run from Power Automate. Those connectors run under a user identity, in practice a 'pseudo service account', and getting that account right has historically been awkward.
Customers are advised to create an account with the necessary licensing and permissions; the Power Automate flows that make up the CoE solution are then owned by and run as that account. Because the admin connectors query the whole tenant, the account needs elevated rights, and the Power Platform Administrator role is the usual choice.
The hard part has been fitting this into a strict security framework. Most organisations mandate multi-factor authentication (MFA), and MFA sits uneasily with unattended automation: when the service account signs in and completes MFA, the resulting token is cached in the flow connections, and that token eventually expires.
When it expires, every flow using those connections stops working, with no prompt or notification to anyone; the only evidence is the failed runs in the Power Automate flow run history. Recovery is tedious: someone has to sign in as the service account, complete the MFA challenge again and re-authenticate the connections, after which the flows resume.
Because the expiry recurs, it leads to discussions with the security team about mitigations and about tooling such as Azure Sentinel (now Microsoft Sentinel). By the author's account this has been the most annoying pain point of the technical implementation.
However, a recent change to the guidance now allows MFA to be used on the CoE user account. The change was added to the online documentation quietly enough that EY Kalman only noticed it when a Microsoft technical contact asked why MFA was not being recommended.
With MFA permitted, the CoE identity no longer has to be exempted from the tenant's MFA policy, which is a significant step forward for anyone responsible for security and governance. Specific Conditional Access policies still have to be defined and applied for that account.
The next task is retrofitting this into organisations that already run the CoE toolkit. That may look daunting, but the tighter control it brings makes it a necessary and worthwhile upgrade.
For more details about applying security controls to Power Automate, see Microsoft's documentation on Conditional Access and MFA in Power Automate. The interplay between MFA and the Centre of Excellence is a good illustration of running a Power Platform tenant correctly: it shows why permissions need to be managed deliberately, and why understanding how tokens are obtained, cached and expired matters for both security and reliability.
Read the full article: The story of MFA & the Centre of Excellence.
Microsoft's Power Platform Centre of Excellence (CoE) toolkit is the reference solution for understanding what is happening in a Power Platform tenant. It gathers telemetry about environments, Power Apps and Power Automate flows through the Power Platform admin connectors, run from Power Automate. More details can be found on Microsoft's official learning page.
Running those connectors requires user credentials, typically a 'pseudo service account', and a high level of permissions: the recommendation is to grant that account the Power Platform Administrator role in the Microsoft 365 admin center.
The most challenging concern has been security. Multi-factor authentication (MFA), which most organisations require, complicates automation. When a user signs in and completes MFA, a token is stored that grants access to the connected systems, and the automations use that same token. When it expires, the flows simply stop running, with no indication; the only way to find out is to check the Power Automate flow run history. Fixing it is tedious too: signing in with the pseudo service account prompts for MFA again, and only then does everything restart.
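The failure mode described above (flows that stop after the service account's token expires, visible only in run history) is one a practitioner will want to detect rather than discover by accident. The following Python script is an added example, not code from the original post or from the CoE toolkit. It audits a list of run-history records, classifies each flow, and treats a flow that has stopped producing runs at all as a problem, since filtering run history for "Failed" never shows that case. The record layout, the sample run history and the set of auth-error markers are constructed assumptions, not a documented Power Automate schema; substitute the real error codes your tenant reports for a dead connection.

```python
"""Audit exported Power Automate run history for flows stalled by an expired token.

Added example: not the original post's code and not part of the CoE toolkit.
Input records are an assumed shape (flow, start, status, error_code, error_message);
export them from the run-history page or the admin connectors and map to this layout.
"""
from datetime import datetime, timedelta, timezone

# Assumed markers for "the connection's token is no longer valid".
# Illustrative allow-list, not an official Power Automate error catalogue.
AUTH_MARKERS = ("connectionauthorizationfailed", "unauthorized", "401",
                "interactionrequired", "invalid_grant")

DAILY = timedelta(days=1)  # CoE sync flows in this sample are expected to run daily
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample run history, not data from a real tenant.
SAMPLE_RUNS = [
    {"flow": "Admin | Sync Template v3", "start": "2024-03-07T02:00:00Z", "status": "Succeeded",
     "error_code": "", "error_message": ""},
    {"flow": "Admin | Sync Template v3", "start": "2024-03-08T02:00:00Z", "status": "Failed",
     "error_code": "ConnectionAuthorizationFailed", "error_message": "Connection is not authorized."},
    {"flow": "Admin | Sync Template v3", "start": "2024-03-09T02:00:00Z", "status": "Failed",
     "error_code": "ConnectionAuthorizationFailed", "error_message": "Connection is not authorized."},
    {"flow": "Admin | Cleanup Old Objects", "start": "2024-03-08T03:00:00Z", "status": "Succeeded",
     "error_code": "", "error_message": ""},
    {"flow": "Admin | Cleanup Old Objects", "start": "2024-03-09T03:00:00Z", "status": "Succeeded",
     "error_code": "", "error_message": ""},
    # This flow was switched off after its connection broke: no new runs at all.
    {"flow": "Admin | Welcome Email", "start": "2024-03-03T08:00:00Z", "status": "Succeeded",
     "error_code": "", "error_message": ""},
    {"flow": "Admin | Welcome Email", "start": "2024-03-04T08:00:00Z", "status": "Succeeded",
     "error_code": "", "error_message": ""},
    {"flow": "Admin | Sync Audit Logs", "start": "2024-03-09T01:00:00Z", "status": "Failed",
     "error_code": "ActionFailed", "error_message": "Timeout on HTTP action"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_auth_failure(run):
    """True if the run's error looks like a dead or unauthorised connection."""
    text = f"{run['error_code']} {run['error_message']}".lower()
    return any(marker in text for marker in AUTH_MARKERS)


def audit_flows(runs, expected_interval, now=NOW):
    """Classify every flow as healthy, failing_auth, failing_other or silent.

    Returns {flow_name: (state, detail)}. 'silent' means no run has started within
    twice the expected interval, which is how a flow that has been turned off after
    repeated connection failures looks: nothing to see unless you go looking.
    """
    by_flow = {}
    for run in runs:
        by_flow.setdefault(run["flow"], []).append(run)

    report = {}
    for flow, history in by_flow.items():
        history.sort(key=lambda r: parse_ts(r["start"]))
        latest = history[-1]
        gap = now - parse_ts(latest["start"])
        if gap > 2 * expected_interval:
            report[flow] = ("silent", f"last run {latest['start']}, {gap.days}d ago")
            continue
        if latest["status"] == "Succeeded":
            report[flow] = ("healthy", latest["start"])
            continue
        # Anything not 'Succeeded' counts as a failure; collect the streak since the
        # last good run so the report shows when the token most likely died.
        streak = []
        for run in reversed(history):
            if run["status"] == "Succeeded":
                break
            streak.append(run)
        streak.reverse()
        state = "failing_auth" if all(is_auth_failure(r) for r in streak) else "failing_other"
        report[flow] = (state, f"failing since {streak[0]['start']} ({len(streak)} runs)")
    return report


def needs_attention(report):
    """Sorted names of flows that are not healthy, for an alert or ticket."""
    return sorted(flow for flow, (state, _) in report.items() if state != "healthy")


if __name__ == "__main__":
    for flow, (state, detail) in sorted(audit_flows(SAMPLE_RUNS, DAILY).items()):
        print(f"{state:13} {flow}: {detail}")
```

Run it on a scheduled basis (the same cadence as the flows it watches) and route `needs_attention` into whatever alerting the security team already uses; the `failing_auth` streak start is the timestamp to correlate with the service account's MFA token lifetime or a Conditional Access policy change.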
Mitigations, including tooling such as Azure Sentinel (now Microsoft Sentinel), are put in place after discussion with the security team; this has been the most irksome obstacle in the technical implementation. The good news is that, after a long wait, MFA can now be used for the CoE user account. That will reassure many people, especially those in security and governance roles. The specifics of the MFA implementation are on Microsoft's Learn page "Conditional access and multi-factor authentication in Flow – Power Automate".
The next job is retrofitting this to organisations that already have the CoE toolkit in place. It should not be difficult, and it will undoubtedly strengthen the security controls around the toolkit.
The original post on MFA and the CoE has prompted many conversations on this evolving subject. If you have mitigated these issues in the past, we would love to hear about your experience in the comments section.