White Paper Security For Online Forms Via Power Apps

Uploaded by

neur0
Copyright
© © All Rights Reserved

Best Security, Compliance, and Privacy Practices for the Rapid Deployment of Publicly Facing Microsoft Power Apps Intake Forms

White Paper

Contents

Introduction

Security Best Practices Specific to Forms-Level Security
Step 1 Configure a contact for use on a portal
Step 2 Invite contacts to your portals
Step 3 Create web roles for portals
Step 4 Add record-based security by using entity permissions for portals
Step 5 Control webpage access for portals
Step 6 Create website access permissions
Step 7 Add a CAPTCHA helper to any Publicly-facing forms to Reduce Bot Attacks

General Security Best Practices for the Power Apps Platform
Step 1 Understand Power Apps
Step 2 Learn How to Manage Power App Environments
Step 3 Understand How Data is Stored and Processed
Step 4 Review Governance Considerations
Step 5 Review Security Concepts in the Common Data Service
Step 6 Configure User Security
Step 7 Implementing Role Based Security In Your PowerApps App
Step 8 Configure Field-level security to control access
Step 9 Configure environment security
Step 10 Control user access to environments: security groups and licenses
Step 11 Restrict Cross-Tenant Access
Step 12 Use Teams to Securely Share Business Objects and Collaborate with Business Units
Step 13 Collaborate with Team Templates
Step 14 Create a Team Template to control access rights for automatically created Teams
Step 15 Implement Azure Security Center
Step 16 Implement Security Recommendations in Azure Security Center

Implementing Compliance and Privacy with Data Loss Prevention
Step 1 Data Loss Prevention Policies
Step 2 Create a data loss prevention (DLP) policy
Step 3 Manage Data Loss Prevention (DLP) Policies
Step 4 Understand and Implement Data Groups

Implementing Compliance with Geolocation and Data Residency
Step 1 Block Access by Location with Azure AD Conditional Access

Implementing Compliance with Data Encryption
Step 1 Encrypt Data in Process and at Rest
Step 2 Manage the Encryption Key
Step 3 Set up Threat Protection for Azure Key Vault
Step 4 Secure Access and Data in Azure Logic Apps

Meet Compliance Requirements and Enforce Secure Practices by Managing the Application Lifecycle
Step 1 Review Microsoft Security Development Lifecycle (SDL) – Process Guidance
Step 2 Automate application lifecycle management with Power Apps Build Tools
Step 3 Perform code reviews
Step 4 Perform static code analysis
Step 5 Perform Web Application Scanning
Step 6 Use the Secure DevOps Kit for Azure
Step 7 Implement Azure Application Gateway
Step 8 Implement Azure DDoS Protection
Step 9 Implement Azure Web Application Firewall

Monitor and Protect Azure App Services including Power Apps
Step 1 Protect your Azure App Service web apps and APIs with Azure Security Center
Step 2 Automate Responses to Alerts and Recommendations
Step 3 Export Security Alerts and Recommendations
Step 4 Setup Email Notifications
Step 5 Protect and Defend Azure Applications including Power Apps Intake Forms using Azure Sentinel
Step 6 Using Azure Sentinel with Azure App Gateway to Investigate Web Attacks
Step 7 Monitoring Cloud Security for Zero Trust with Azure Sentinel

Implement Data Privacy for Power Apps
Step 1 Track Activity logging for Power Apps
Step 2 Ensure Data Privacy Compliance in Azure
Step 3 Responding to DSR requests for system-generated logs in Power Apps, Power Automate, and Common Data Service
Step 4 Datacenter Regions and Data Sovereignty - About the Microsoft Cloud Canada Datacenter
Step 5 Manage Access to Apps by Using Security Roles

Introduction

Have you been tasked with deploying a publicly facing intake form using Microsoft Power Apps? It is a popular way of modernizing legacy form intake, such as having an applicant fill out paper forms and send them back to the requesting party by mail to be transcribed, or having the applicant stand in line at an agency to submit paper forms.

If the forms require the applicant to provide sensitive personal information, you want to ensure that online forms have the highest level of security and privacy and comply with best practices for data privacy.

Before getting started, it is recommended that application support, stakeholders and, if applicable, the Power Apps Center of Excellence established in your organization review “Administering a PowerApps Enterprise Deployment” and the “Power Apps and Power Automate Administration and Governance Whitepaper”.

Security Best Practices Specific to Forms-Level Security

This section will help organizations plan key aspects of building or updating their enterprise breach response plan across these key functions:

• Technology
• Operations
• Legal
• Communication

STEP 1
Configure a contact for use on a portal

After filling out the basic information for a contact (or having a user fill out the sign-up form in a portal), go to the web authentication tab on the portal contact form to configure a contact by using local authentication. For more information about federated authentication options, see Set authentication identity for a portal.

STEP 2
Invite contacts to your portals

Use the invitation feature of portals to invite contacts to your portal through automated email(s) created in your Common Data Service. The people you invite receive an email, fully customizable by you, with a link to your portal and an invitation code. This code can be used to gain special access configured by you. With this feature you have the ability to:

• Send Single or Group Invitations
• Specify an expiry date if desired
• Specify a user or portal contact as the inviter if desired
• Automatically assign the invited contact(s) to an account upon invite redemption
• Automatically execute a workflow upon invite redemption
• Automatically assign the invited contact(s) to a Web Role(s) upon redemption

Invitation redemption can be accomplished using any of our many authentication options. For documentation regarding portal authentication, see Set authentication identity for a portal and choose the model applicable to your portal version and configuration. The user will adopt any settings provided by the administrator upon redemption. An Invite Redemption Activity will be created for the Invite and Contact.

Invitations are sent via the Send Invitation workflow. By default, the workflow creates an email with a generic message and sends it to the invited Contact’s primary email address. The email addresses in the CC and BCC fields are ignored to ensure secure communication. The Send Invitation workflow contains an email template that will need to be edited to contain a specific message for your portal and the correct hyperlink to your portal’s Invite Redemption Page.

To edit the Send Invitation workflow email template, locate it and deactivate it. After it is deactivated, edit the email template to send the message you want and provide a link to the Invite Redemption Page of your portal.

STEP 3
Create web roles for portals

After a contact has been configured to use the portal, it must be given one or more web roles to perform any special actions or access any protected content on the portal. For example, to access a restricted page, the contact must be assigned to a role to which read access for that page is restricted. To publish new content, the contact must be placed in a role which is given content publishing permissions.

STEP 4
Add record-based security by using entity permissions for portals

To apply record-based security in portals to individual records, use entity permissions. You add entity permissions to web roles so you can define roles in your organization that correspond logically to the privileges and concepts of record ownership and access that are introduced by using entity permissions. Remember that a given contact can belong to any number of roles, and a given role can contain any number of entity permissions. More information: Create web roles for portals

Although permissions to change and access URLs in a portal site map are granted via Content Authorization, site managers will also want to secure their custom web applications built with entity forms and entity lists. More information: Define entity forms and Define entity lists

STEP 5
Control webpage access for portals

Web page access control rules are rules that you create for your site to control both the publishing actions that a web role can perform across the pages of your website and to control which pages are visible by which web roles.

STEP 6
Create website access permissions

Website Access Permissions is a permission set, associated with a web role, that permits front-side editing of the various content managed elements within the portal other than just web pages. The permission settings determine which components can be managed in the portal.

STEP 7
Add a CAPTCHA helper to any Publicly-facing forms to Reduce Bot Attacks

Any time you let people register in your site, or even just enter a name and URL (like for a blog comment), you might get a flood of fake names. These are often left by automated programs (bots) that try to leave URLs in every website they can find. (A common motivation is to post the URLs of products for sale.)

You can help make sure that a user is a real person and not a computer program by using a CAPTCHA to validate users when they register or otherwise enter their name and site. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. A CAPTCHA is a challenge-response test in which the user is asked to do something that is easy for a person to do but hard for an automated program to do. The most common type of CAPTCHA is one where you see some distorted letters and are asked to type them. (The distortion is supposed to make it hard for bots to decipher the letters.)

General Security Best Practices for the Power Apps Platform

STEP 1
Understand Power Apps

Review the Power Apps Platform Overview. This document will help you better understand the Power Apps Platform and architecture, how to deploy Power Apps, the role of the Power Apps administrator, and checking the health of the Power Apps online service.

STEP 2
Learn How to Manage Power App Environments

An environment is a space to store, manage, and share your organization’s business data, apps, and flows. They also serve as containers to separate apps that may have different roles, security requirements, or target audiences. How you choose to leverage environments depends on your organization and the apps you are trying to build.

STEP 3
Understand How Data is Stored and Processed

The Common Data Service is a cloud scale database used to securely store data for business applications built on Power Apps. Common Data Service is an abstraction on top of underlying Azure cloud data management services to make it easier to build business applications. Common Data Service provides not just data storage, but a way to implement business logic that enforces business rules and automation against the data. Data in Common Data Service is organized as entities, such as account and contact. These entities can have relationships that define the business connection between the data stored in an entity. For example, John works for Contoso would be expressed as a relationship. The security model of Common Data Service enables data protection down to the field level on individual records.

STEP 4
Review Governance Considerations

Many customers wonder: How can Power Apps and Power Automate be made available to their broader business and supported by IT? Governance is the answer. It aims to enable business groups to focus on solving business problems efficiently while adhering to IT and business compliance standards. The following content is intended to structure themes often associated with governing software and bring awareness to capabilities available for each theme as it relates to governing Power Apps and Power Automate.

STEP 5
Review Security Concepts in the Common Data Service

One of the key features of Common Data Service is its rich security model that can adapt to many business usage scenarios. This security model is only in play when there is a Common Data Service database in the environment. As an administrator, you likely won’t be building the entire security model yourself but will often be involved in the process of managing users and making sure they have the proper configuration as well as troubleshooting security access related issues.

STEP 6
Configure User Security

You use the Microsoft 365 admin center to create user accounts for every user who needs access to model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service. The user account registers the user with Microsoft Online Services environment. In addition to registration with the online service, the user account must be assigned a license for the user to have access to the service. Note that when you assign a user the global administrator or the service administrator role in the Microsoft Online Services environment, it automatically assigns the user the System Administrator security role. More information: Differences between the Microsoft Online services environment administrative roles and security roles.

STEP 7
Implementing Role Based Security In Your PowerApps App

A very common question our customers ask is, ‘how do I implement role-based access control in my app?’. In other words, how do I make certain features or screens of my app available only to the authorized people in my organization? For example, make Admin screen available only to the users who belong to an Active Directory Group “Administrators” or make management views available only to the users belonging to the Active Directory Group “Managers”.

STEP 8
Configure Field-level security to control access

Record-level permissions are granted at the entity level, but you may have certain fields associated with an entity that contain data that is more sensitive than the other fields. For these situations, you use field-level security to control access to specific fields.

STEP 9
Configure environment security

Common Data Service uses a role-based security model to help secure access to the database. This topic explains how to create the security artifacts that you must have to help secure an app. The user roles control run-time access to data and are separate from the Environment roles that govern environment administrators and environment makers. For an overview of environments, see Environments overview.

STEP 10
Control user access to environments: security groups and licenses

If your company has multiple Common Data Service environments, you can use security groups to control which licensed users can be a member of a particular environment.

STEP 11
Restrict Cross-Tenant Access

With tenant restrictions, organizations can control access to SaaS cloud applications, based on the Azure AD tenant the applications use for single sign-on. For example, you may want to allow access to your organization’s Office 365 applications, while preventing access to other organizations’ instances of these same applications.

With tenant restrictions, organizations can specify the list of tenants that their users are permitted to access. Azure AD then only grants access to these permitted tenants.

Restricting outbound cross-tenant connections can be done using tenant restrictions that apply to all Azure AD Cloud SaaS apps, or at the API Hub level which would block outbound connections just for canvas apps and flows.

STEP 12
Use Teams to Securely Share Business Objects and Collaborate with Business Units

Using Teams is optional. However, Teams provide an easy way to share business objects and let you collaborate with other people across business units. While a team belongs to one business unit, it can include users from other business units. You can associate a user with more than one team.

STEP 13
Collaborate with Team Templates

A team is a group of users. As a group, you will be able to track information about the records and perform assigned tasks in a much more efficient and coordinated way.

STEP 14
Create a Team Template to control access rights for automatically created Teams

A team template can be used for the entities that are enabled for automatically created access teams. In the team template, you must specify the entity type and the access rights on the entity record. For example, you can create a team template for an account entity and specify the Read, Write, and Share access rights on the account record that the team members are granted when the team is automatically created. After you create a team template, you must customize the entity main form to include the new team template. After you publish customizations, the access team template is added in all record forms for the specified entity in a form of a list. For example, you created a team template called “Sales team” for the account entity. On all account record forms you’ll see the list called “Sales team”. You can add or remove team members using this list.

STEP 15
Implement Azure Security Center

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud - whether they’re in Azure or not - as well as on premises.

Keeping your resources safe is a joint effort between your cloud provider, Azure, and you, the customer. You have to make sure your workloads are secure as you move to the cloud, and at the same time, when you move to IaaS (infrastructure as a service) there is more customer responsibility than there was in PaaS (platform as a service), and SaaS (software as a service). Azure Security Center provides you the tools needed to harden your network, secure your services and make sure you’re on top of your security posture.

STEP 16
Implement Security Recommendations in Azure Security Center

Recommendations are actions for you to take in order to secure your resources.

Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to remove them.

Each recommendation provides you with:

• A short description of what is being recommended.
• The remediation steps to carry out in order to implement the recommendation.
• Which resources need you to perform the recommended action on them.
• The Secure Score impact, which is the amount that your Secure Score will go up if you implement this recommendation.

Implementing Compliance and Privacy with Data Loss Prevention

STEP 1
Data Loss Prevention Policies

Your organization’s data is likely one of the most important assets you are responsible for safeguarding as an administrator. The ability to build apps and automation that uses the data allows your company to be successful. Power Apps and Power Automate allow rapid build and rollout of these high-value applications that allow users to measure and act on the data in real time. Applications and automation are increasingly becoming more connected across multiple data sources and multiple services. Some of these services might be external third-party services and might even include some social networks. Users will often have good intentions but might overlook the potential for exposure from data leakage to services and audiences that shouldn’t have access to the data.

Data loss prevention (DLP) policies that help protect organizational data from unintended exposure are available for administrators to create. They can act as guardrails to help prevent users from unintentionally exposing the data. DLP policies can be scoped at the environment and tenant level offering flexibility to craft policies that are sensible and do not block high productivity.

DLP policies enforce rules of what connectors can be used together by classifying connectors as either Business data only or No business data allowed.

STEP 2
Create a data loss prevention (DLP) policy

To protect data in your organization, Power Apps lets you create and enforce policies that define with which consumer connectors specific business data can be shared. These policies that define how data can be shared are referred to as data loss prevention (DLP) policies. DLP policies ensure that data is managed in a uniform manner across your organization, and they prevent important business data from being accidentally published to connectors such as social media sites.

In this topic, you’ll learn how to create a DLP policy for a single environment that prevents data that’s stored in your Common Data Service and SharePoint databases from being published to Twitter.

STEP 3
Manage Data Loss Prevention (DLP) Policies

An organization’s data is critical to its success. Its data needs to be readily available for decision-making, but it needs to be protected so that it isn’t shared with audiences that shouldn’t have access to it. For example, an organization that uses Power Apps may not want its business data that’s stored in SharePoint to be automatically published to its Twitter feed.

To create, edit, or delete DLP policies, you must have either Environment Admin or Power Platform service admin permissions. For more information, see Environments Administration in Power Apps.

For instructions on how to create a DLP policy, see Create a data loss prevention (DLP) policy.

STEP 4
Understand and Implement Data Groups

Data groups are a simple way to categorize services within a data loss prevention (DLP) policy. The two data groups available are the Business data only group and the No business data allowed group. Organizations are free to determine which services are placed into a particular data group. A good way to categorize services is to place them in groups, based on the impact to the organization. By default, all services are placed into the No business data allowed data group. You manage the services in a data group when you create or modify the properties of a DLP policy from the admin center.
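
The data-group rule in this section can be checked offline before a policy is rolled out. The following Python sketch is an added example, not code from the white paper or from Microsoft: it models a DLP policy as a set of connectors placed in Business data only, treats every other connector as No business data allowed by default, and flags any app that mixes the two groups. The policy, app and environment names are constructed, and evaluating each in-scope policy independently is a simplifying assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

BUSINESS = "Business data only"
NO_BUSINESS = "No business data allowed"


@dataclass(frozen=True)
class DlpPolicy:
    name: str
    business_connectors: FrozenSet[str]            # connectors an admin moved into the business group
    environments: Optional[FrozenSet[str]] = None  # None models a tenant-level policy

    def applies_to(self, environment: str) -> bool:
        return self.environments is None or environment in self.environments

    def group_of(self, connector: str) -> str:
        # Default placement: every service starts in "No business data allowed".
        return BUSINESS if connector in self.business_connectors else NO_BUSINESS


@dataclass(frozen=True)
class App:
    name: str
    environment: str
    connectors: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    app: str
    policy: str
    business: Tuple[str, ...]
    no_business: Tuple[str, ...]


def evaluate(app: App, policies: List[DlpPolicy]) -> List[Finding]:
    """Return one finding per in-scope policy whose two data groups the app mixes."""
    findings = []
    for policy in policies:
        if not policy.applies_to(app.environment):
            continue  # environment-scoped policy that does not cover this app
        business = tuple(sorted(c for c in app.connectors
                                if policy.group_of(c) == BUSINESS))
        other = tuple(sorted(c for c in app.connectors
                             if policy.group_of(c) == NO_BUSINESS))
        if business and other:
            # Business data could flow to a connector outside the business group.
            findings.append(Finding(app.name, policy.name, business, other))
    return findings


def audit(apps: List[App], policies: List[DlpPolicy]) -> Dict[str, List[Finding]]:
    return {app.name: evaluate(app, policies) for app in apps}


# Constructed sample data: names are illustrative, not taken from a real tenant.
INTAKE_POLICY = DlpPolicy(
    name="Intake DLP",
    business_connectors=frozenset({"Common Data Service", "SharePoint"}),
    environments=frozenset({"intake-prod"}),
)
TENANT_POLICY = DlpPolicy(
    name="Tenant baseline",
    business_connectors=frozenset({"Common Data Service", "SharePoint"}),
)
SAMPLE_APPS = [
    App("Intake form", "intake-prod", frozenset({"Common Data Service", "SharePoint"})),
    App("Social announcer", "intake-prod", frozenset({"SharePoint", "Twitter"})),
    App("News digest", "intake-prod", frozenset({"Twitter", "RSS"})),
    App("Sandbox prototype", "dev-sandbox", frozenset({"SharePoint", "Twitter"})),
]

if __name__ == "__main__":
    for app_name, findings in audit(SAMPLE_APPS, [INTAKE_POLICY]).items():
        if not findings:
            print(f"{app_name}: compliant")
        for f in findings:
            print(f"{app_name}: violates '{f.policy}': "
                  f"{', '.join(f.business)} combined with {', '.join(f.no_business)}")
```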

Implementing Compliance with Geolocation and Data Residency

STEP 1
Block Access by Location with Azure AD Conditional Access

You can limit access to users with block access by location to reduce unauthorized access. When block access by location restrictions are set in a user’s profile and the user tries to log in from a blocked location, access to model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service, is blocked.

Requirements

• A subscription to Azure Active Directory Premium.
• A federated Azure Active Directory tenant. See What is Conditional Access?

Implementing Compliance with Data Encryption

STEP 1
Encrypt Data in Process and at Rest

Model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service, use standard SQL Server cell level encryption for a set of default entity attributes that contain sensitive information, such as usernames and email passwords. This feature can help organizations meet FIPS 140-2 compliance.

All new and upgraded organizations use data encryption by default. Data encryption can’t be turned off.

Users who have the system administrator security role can change the encryption key at any time.

STEP 2
Manage the Encryption Key

All environments of Common Data Service use SQL Server Transparent Data Encryption (TDE) to perform real-time encryption of data when written to disk, also known as encryption at rest.

By default, Microsoft stores and manages the database encryption key for your environments, so you don’t have to. The manage keys feature in the Power Platform admin center gives administrators the ability to self-manage the database encryption key that is associated with the Common Data Service tenant.

STEP 3
Set up Threat Protection for Azure Key Vault

Advanced threat protection for Azure Key Vault provides an additional layer of security intelligence. This tool detects potentially harmful attempts to access or exploit Key Vault accounts. Using the native advanced threat protection in Azure Security Center, you can address threats without being a security expert, and without learning additional security monitoring systems.

When Security Center detects anomalous activity, it displays alerts. It also emails the subscription administrator with details of the suspicious activity and recommendations for how to investigate and remediate the identified threats.

STEP 4
Secure Access and Data in Azure Logic Apps

To control access and protect data in Azure Logic Apps, you can set up security in these areas:

• Access to request-based triggers
• Access to logic app operations
• Access to run history inputs and outputs
• Access to parameter inputs
• Access to services and systems called from logic apps

Meet Compliance Requirements and Enforce Secure Practices by Managing the Application Lifecycle

[Figure: five-stage penetration testing cycle. Planning and Reconnaissance (define test goals and gather intelligence); Scanning (following the Cloud Service Provider Rules of Engagement, use automated and manual scanning tools to better understand how a target responds to intrusions); Gaining Access (web application attacks are staged to uncover a target's vulnerabilities); Maintaining Access (Advanced Persistent Threats (APTs) are initiated to see if a vulnerability can be used to maintain access); Analysis and WAF Configuration (results are used to configure WAF settings before testing is run again).]

STEP 1
Review Microsoft Security Development Lifecycle (SDL) – Process Guidance

Review Microsoft Cloud Penetration Testing Rules of Engagement

Consider Web Security Testing of Power App Forms or Other Power Apps Objects and Code

STEP 2
Automate application lifecycle management with Power Apps Build Tools

Use Power Apps Build Tools to automate common build and deployment tasks related to Power Apps. This includes synchronization of solution metadata (solutions) between development environments and source control, generating build artifacts, deploying to downstream environments, provisioning/de-provisioning of environments, and the ability to perform static analysis checks against your solution using the Power Apps checker service.

To learn more, read the following blog post: Automate your application lifecycle management (ALM) with Power Apps Build Tools (Preview).

STEP 3
Perform code reviews

Before you check in code, conduct code reviews to increase overall code quality and reduce the risk of creating bugs. You can use Visual Studio to manage the code review process.

STEP 4
Perform static code analysis

Static code analysis (also known as source code analysis) is usually performed as part of a code review. Static code analysis commonly refers to running static code analysis tools to find potential vulnerabilities in non-running code by using techniques like taint checking and data flow analysis. Azure Marketplace offers developer tools that perform static code analysis and assist with code reviews.

STEP 5
Perform Web Application Scanning

You scan your application and its dependent libraries to identify any known vulnerable components. Products that are available to perform this scan include OWASP Dependency Check, Snyk, and Black Duck.

Vulnerability scanning powered by Tinfoil Security is available for Azure App Service Web Apps. Tinfoil Security scanning through App Service offers developers and administrators a fast, integrated, and economical means of discovering and addressing vulnerabilities before a malicious actor can take advantage of them.

STEP 6
Use the Secure DevOps Kit for Azure

The Secure DevOps Kit for Azure (AzSK) was created by the Core Services Engineering & Operations (CSEO) division at Microsoft, to help accelerate Microsoft IT’s adoption of Azure. We have shared AzSK and its documentation with the community to provide guidance for rapidly scanning, deploying and operationalizing cloud resources, across the different stages of DevOps, while maintaining controls on security and governance.

STEP 7
Implement Azure Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.

Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers.

STEP 8
Implement Azure DDoS Protection

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Azure DDoS protection, combined with application design best practices, provide defense against DDoS attacks.

STEP 9
Implement Azure Web Application Firewall

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

[Figure: Azure DDoS Protection architecture diagram. Labels: Customers, Attacker, Azure Backbone, Azure DDoS Protection, Virtual Network, Application Gateway, Azure load balancer, VPN Gateway, Web App, App Service, Service Fabric. Caption: Azure DDoS protection, combined with application design best practices, provide defense against DDoS attacks.]

Monitor and Protect Azure App Services including Power Apps

STEP 1
Protect your Azure App Service web apps and APIs with Azure Security Center

Azure App Service is a fully managed platform for building and hosting your web apps and APIs without worrying about having to manage the infrastructure. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements.

Azure Security Center leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Security Center can discover attacks on your applications and identify emerging attacks - even while attackers are in the reconnaissance phase, scanning to identify vulnerabilities across multiple Azure-hosted applications. As an Azure-native service, Security Center is also in a unique position to offer host-based security analytics covering the underlying compute nodes for this PaaS, enabling Security Center to detect attacks against web applications that were already exploited. For more details, see Threat protection for Azure App Service.

STEP 2
Automate Responses to Alerts and Recommendations

Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.

STEP 3
Export Security Alerts and Recommendations

Azure Security Center generates detailed security alerts and recommendations. You can view them in the portal or through programmatic tools. You may also need to export this information or send it to other monitoring tools in your environment. This article describes the set of tools that allow you to export alerts and recommendations either manually or in an ongoing, continuous fashion. Using these tools, you can:

• Continuously export to Log Analytics workspaces
• Continuously export to Azure Event Hubs (for integrations with third-party SIEMs)
• Export to CSV (one time)

STEP 4
Setup Email Notifications

Azure Security Center will recommend that you provide security contact details for your Azure subscription if you haven’t already. This information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your customer data has been accessed by an unlawful or unauthorized party. MSRC performs select security monitoring of the Azure network and infrastructure and receives threat intelligence and abuse complaints from third parties.

An email notification is sent on the first daily occurrence of an alert and only for high severity alerts. Email preferences can only be configured for subscription policies. Resource groups within a subscription will inherit these settings. Alerts are available only in the Standard tier of Azure Security Center.

Alert email notifications are sent:

• To a single email recipient per alert type, per day
• No more than 3 email messages are sent to a single recipient in a single day
• Each email message contains a single alert, not an aggregation of alerts
• Only for high severity alerts
STEP 5
Protect and Defend Azure Applications including Power Apps Intake Forms using Azure Sentinel

Azure Sentinel is an enterprise-wide solution for threat detection, visibility, hunting and response. In other words, it is a security information event management (SIEM) and security orchestration response system. Azure Sentinel can analyze log data collected into an associated log analytics workspace.

[Figure: Azure Sentinel, cloud-native SIEM+SOAR. Collect: security data across your enterprise. Detect: threats with vast threat intelligence. Investigate: critical incidents guided by AI. Respond: rapidly and automate protection.]

STEP 6
Using Azure Sentinel with Azure App Gateway to Investigate Web Attacks

Use Azure Sentinel to monitor and investigate incidents of cyber-attacks on a web application by having a layer of protection by leveraging the Azure Application Gateway’s Web Application Firewall.

STEP 7
Monitoring Cloud Security for Zero Trust with Azure Sentinel

This is the third in a six-part blog series where we will demonstrate the application of Zero Trust concepts for securing federal information systems with Microsoft Azure. In this blog, we will explore how to leverage Azure Sentinel for security monitoring in Zero Trust models. Additional blogs in the series include leveraging policy, investigating insider attacks and monitoring supply chain risk management.

[Figure: Internet, User, OWASP ZAP Tool, Application Gateway Web App Firewall, Web App, Log Analytics Workspace, Azure Sentinel.]
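STEP 6 above routes Application Gateway WAF firewall logs to a Log Analytics workspace for Azure Sentinel. The following Python triage is an added example, not part of the white paper or of any Microsoft tooling: it groups constructed firewall-log records by client IP and flags clients that trip several OWASP Core Rule Set families. The record layout, the threshold and the `triage` function are assumptions to check against your own log export.

```python
import json
from collections import defaultdict

# OWASP Core Rule Set families, keyed by the first three digits of the rule ID.
CRS_FAMILY = {"913": "scanner", "920": "protocol", "930": "lfi",
              "932": "rce", "941": "xss", "942": "sqli"}

# Constructed sample: one JSON record per line, shaped like Application Gateway
# firewall log entries. IPs are documentation ranges; URIs are made up.
SAMPLE_LOG = "\n".join([
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/intake","ruleId":"913100","action":"Matched"}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/intake?name=x","ruleId":"941100","action":"Blocked"}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/intake?id=1","ruleId":"942100","action":"Blocked"}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.20","requestUri":"/intake?q=a","ruleId":"942100","action":"Detected"}}',
    '{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.20","requestUri":"/intake"}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.20"',  # truncated line
])

def triage(log_text, scanner_threshold=3):
    """Summarise WAF hits per client IP and flag clients hitting many rule families."""
    hits = defaultdict(lambda: {"families": set(), "blocked": 0, "total": 0})
    skipped = 0
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
            props = record["properties"]
            if record.get("category") != "ApplicationGatewayFirewallLog":
                continue  # access and performance logs carry no WAF verdict
            ip, rule_id = props["clientIp"], str(props["ruleId"])
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # count unparseable records so data gaps stay visible
            continue
        entry = hits[ip]
        entry["total"] += 1
        entry["blocked"] += props.get("action") == "Blocked"
        entry["families"].add(CRS_FAMILY.get(rule_id[:3], "other"))
    report = {
        ip: {"total": e["total"], "blocked": e["blocked"],
             "families": sorted(e["families"]),
             "probable_scanner": len(e["families"]) >= scanner_threshold}
        for ip, e in hits.items()
    }
    return report, skipped

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A client that matches scanner, XSS and SQL injection rules in one run is typical of an automated test tool such as the OWASP ZAP traffic in the figure, while a single isolated match is more often a false positive worth tuning.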

Implement Data Privacy for Power Apps

STEP 1
Track Activity logging for Power Apps

Power Apps activities are now tracked from the Office 365 Security & Compliance Center. Office 365 tenant administrators reach the Security & Compliance Center by navigating to https://protection.office.com. From there, the Audit log search is found under the Search and investigation dropdown.

STEP 2
Ensure Data Privacy Compliance in Azure

Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance. Microsoft’s broad suite of cloud products and services are all built from the ground up to address the most rigorous security and privacy demands of our customers.

STEP 3
Responding to DSR requests for system-generated logs in Power Apps, Power Automate, and Common Data Service

Microsoft gives you the ability to access, export, and delete system-generated logs that may be deemed personal under the European Union (EU) General Data Protection Regulation (GDPR) broad definition of personal data. Examples of system-generated logs that may be deemed personal under GDPR include:

• Product and service usage data, such as user activity logs
• User search requests and query data
• Data generated by product and services as a product of system functionality and interaction by users or other systems

Note that the ability to restrict or rectify data in system-generated logs is not supported. Data in system-generated logs constitutes factual actions conducted within the Microsoft cloud, and diagnostic data—including modifications to such data—would compromise the historical record of actions and increase fraud and security risks.

STEP 4
Datacenter Regions and Data Sovereignty - About the Microsoft Cloud Canada Datacenter

Model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service are currently available and served from the datacenter regions in Toronto and Quebec City, joining Azure and Office 365 in providing the trusted Microsoft Cloud in Canada.

STEP 5
Manage Access to Apps by Using Security Roles

You can choose what users see and access from the My Apps page or the Customer Engagement home page by giving app access to specific security roles. Users will have access to apps based on the security roles they’re assigned to.

No Best Practice Guide guarantees that your application will be 100% secure, compliant, or following the hundreds of data privacy regulations throughout the world, so it’s important to keep up to date with the steps for technology implementation and configurations or any new Microsoft Security services or features outlined above but it is also important to focus on people and process. Ensure the supporting internal or managed service provider is educated and trained, make Secure Application Lifecycle and Change/Release Management a part of your routine process, and ensure continuous monitoring in order to identify, protect, detect, respond and recover.

[Figure: Framework cycle with the segments Identify, Protect, Detect, Respond and Recover.]
© 2020 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views expressed in this document,
including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples are for illustration only and are fictitious. No real association is intended or inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this
document for your internal, reference purposes.
