Microsoft Power Platform Tenant Isolation Now Generally Available
Power Platform
Sep 30, 2023 8:19 AM

by HubSite 365 about Microsoft

Tags: Citizen Developer, Power DevOps, Power Platform, M365 Release

Enhance security with Microsoft Power Platform Tenant Isolation, allowing administrators to effectively govern and minimize data exfiltration risks.

The Microsoft Power Platform has officially launched its Tenant Isolation feature. It applies to the Azure Active Directory-based connector ecosystem and lets administrators reduce the risk of data exfiltration outside their tenant by governing which Azure AD-authenticated data flows into and out of the tenant.

In contrast to Azure AD-wide tenant restrictions, tenant isolation only impacts connectors within the Power Platform that employ Azure AD-based authentication, like Office 365 Outlook or SharePoint. Unfortunately, there's a known issue with the Azure DevOps connector not enforcing the tenant isolation policy for established connections. If an insider attack is a concern, limiting the usage of this connector or its actions via data policies is advisable.

At its default setting of Off, the feature permits cross-tenant connections: given valid Azure AD credentials, a user from tenant A can connect to tenant B. Administrators who want only specific, intended tenants to be able to connect to or from their tenant can turn Tenant Isolation On.

With Tenant Isolation set to On, all other tenants are restricted: even if a user presents valid credentials to Azure AD, the Power Platform blocks inbound and outbound cross-tenant connections. Administrators can then add rules that exempt specific tenants from Tenant Isolation.

Further, the isolation can be configured one-way or two-way, and admins can specify an explicit allowlist of tenants. Reviewing the documented scenarios and impacts of tenant isolation before enabling it greatly reduces the risk that existing apps and flows relying on cross-tenant connections stop working.

Tenant Isolation blocks outbound and inbound connection attempts involving external tenants: users in the tenant cannot form Azure AD-based connections to data sources in other tenants, and users in other tenants cannot connect to data sources in this tenant. Connection attempts that a guest user initiates from within their host tenant, targeting that tenant's data sources, are not affected by these rules.

Outbound allowlist entries and bidirectional entries permit connections with the listed external tenants when the user presents the correct Azure AD credentials. With an outbound-only entry, however, inbound connection requests from that tenant remain blocked.

The Tenant Isolation feature and its rules are configured in the Power Platform admin center and affect canvas apps and Power Automate flows. Only tenant admins can change these settings, which include adding, editing and deleting entries in the outbound allowlist and choosing the direction in which each entry applies.

The allowed tenant can be entered either as a tenant domain or as a tenant ID; when a domain is entered, the tenant ID is resolved automatically. A wildcard value can also be used to permit all tenants while isolation is active. Entries can later be modified as business requirements change, but the Tenant Domain or ID field of an existing entry cannot be edited.

Understanding the Impact on Apps and Flows

Users who create or edit a resource under a Tenant Isolation policy will see error messages about cross-tenant connections blocked by Tenant Isolation. Likewise, makers whose Power Automate flows use connections blocked by the policy will encounter errors. The flow can still be saved, but it is marked as "Suspended" until the maker resolves the data loss prevention (DLP) violation.

Apps or flows in violation of these policies won't run successfully. For existing flows that don’t run as a result of changes in the tenant isolation policy, the Power Automate tool will record the failed flow runs. A lag of about an hour is expected for the latest tenant isolation policy changes to take effect on active apps and flows.

To mitigate any known issues with connectors, users are strongly urged to use other types of data policies to limit connector usage.

The general availability of Microsoft Power Platform Tenant Isolation is a significant milestone for cloud services and data security. The feature fosters a safe ecosystem of connectors grounded on Azure Active Directory (Azure AD), letting authorized Azure AD users build apps and establish secure connections to business data. Understanding this capability is valuable for administrators seeking tighter control over data movement and the protection of Azure AD-authorized data sources.

The Tenant Isolation in the Power Platform is unique as it allows administrators to control the movement of data within their tenant. The feature primarily works for connectors that utilize Azure AD-based authentication such as Office 365 Outlook or SharePoint. However, it's important to remember that this tenant isolation differs from Azure AD-wide tenant restriction and does not impact Azure AD-based access outside of the platform ecosystem.

Administrators can either allow cross-tenant connections to be established freely whenever the user presents valid Azure AD credentials, or restrict them by switching on tenant isolation. In the latter case, all cross-tenant connections, inbound and outbound, are blocked. Administrators can then create exceptions for specific tenant connections according to their requirements.

Introducing tenant isolation inevitably affects operations within the tenant. Before configuring these settings, it is therefore necessary to understand the impact and scenarios of both one-way and two-way restrictions, as well as the effect of any exceptions that are created. For instance, one-way tenant isolation blocks connection attempts to the tenant from other tenants, while two-way tenant isolation also prevents connection attempts from the tenant to other tenants.

Exception cases can be configured directly in the Power Platform administration center, offering administrators one or two-way restriction options. This allows for scenario-specific configurations, such as outbound 'allowlist' – where outbound connections to specific tenants are permitted, as well as bidirectional 'allowlists'. The Power Platform allows the addition of specific tenant domains or IDs to these 'allowlists' to facilitate a more flexible administrative process.
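The rules described on this page (policy Off by default; when On, one-way versus two-way blocking; outbound-only and bidirectional allowlist entries matched by tenant domain or ID; a wildcard for all tenants; guest users acting inside their host tenant unaffected; only Azure AD-based connectors governed) as a small decision model, serving both the configuration walkthrough above and this section's one-way/two-way discussion. This is an added illustration, not Microsoft's code or the admin center's logic; it assumes `*` as the wildcard value and a constructed domain-to-ID table in place of the automatic lookup.

```python
from dataclasses import dataclass, field

WILDCARD = "*"  # assumed wildcard for "all tenants"; the page only says "special characters"
# Constructed stand-in for the admin center's automatic domain -> tenant ID resolution.
DOMAIN_TO_ID = {"contoso.example": "1111-contoso", "fabrikam.example": "2222-fabrikam"}

@dataclass(frozen=True)
class AllowEntry:
    tenant: str                  # tenant domain, tenant ID, or WILDCARD
    bidirectional: bool = False  # False = outbound-only entry

    def matches(self, tenant_id: str) -> bool:
        return self.tenant == WILDCARD or DOMAIN_TO_ID.get(self.tenant, self.tenant) == tenant_id

@dataclass
class TenantIsolationPolicy:
    home: str                    # tenant ID the policy protects
    enabled: bool = False        # feature defaults to Off
    two_way: bool = True         # one-way isolation blocks inbound attempts only
    entries: list = field(default_factory=list)

    def decide(self, source: str, target: str, aad_connector: bool = True,
               guest_from_host: bool = False) -> str:
        """Classify an attempt to connect from tenant `source` to data in tenant `target`."""
        if source == target or not aad_connector:
            return "not governed"  # same tenant, or a non-Azure-AD connector (use DLP instead)
        if not self.enabled or guest_from_host:
            return "allowed"       # policy Off, or a guest acting from inside the host tenant
        if source == self.home:    # outbound: any matching entry (outbound-only or bidirectional)
            if not self.two_way:
                return "allowed"
            return "allowed" if any(e.matches(target) for e in self.entries) else "blocked"
        if target == self.home:    # inbound: only a bidirectional entry opens the door
            hit = any(e.bidirectional and e.matches(source) for e in self.entries)
            return "allowed" if hit else "blocked"
        return "not governed"      # neither side is this tenant

def demo() -> dict:
    """Constructed policy: On, two-way, outbound-only to Fabrikam, bidirectional with Contoso."""
    p = TenantIsolationPolicy("0000-home", enabled=True, entries=[
        AllowEntry("fabrikam.example"), AllowEntry("1111-contoso", bidirectional=True)])
    return {
        "out_to_fabrikam": p.decide("0000-home", "2222-fabrikam"),        # allowed
        "in_from_fabrikam": p.decide("2222-fabrikam", "0000-home"),       # blocked: entry is outbound-only
        "in_from_contoso": p.decide("1111-contoso", "0000-home"),         # allowed: bidirectional
        "out_to_unknown": p.decide("0000-home", "9999-other"),            # blocked: no entry
        "guest_in_host": p.decide("9999-other", "0000-home", guest_from_host=True),  # allowed
        "non_aad": p.decide("0000-home", "9999-other", aad_connector=False),  # not governed
    }
```

Running `demo()` shows why an outbound-only entry leaves the inbound direction closed, and swapping `two_way=False` shows one-way isolation letting outbound traffic through while still blocking inbound attempts.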

A crucial factor to consider is the effect on applications and flows when the policy is modified: apps and flows that violate the tenant isolation rules will fail with errors. Caution is therefore necessary, and before implementing any policy change, a thorough understanding of the platform and of the implications of tenant isolation is vital.

Awareness and adaptation of these new capabilities can play an essential role in improving the overall management and security of cloud platforms. In a cyber world where threats are continuing to evolve, staying up-to-date with these developments promises the best protection for system administrators and end-users alike.
