
ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines

TLP:CLEAR

CISA M365 Secure Configuration Baseline for Power Platform

Microsoft 365 (M365) Power Platform is a cloud-based enterprise group of applications comprised of a low-code application development toolkit, business intelligence software, a custom chat bot creator, and app connectivity software. This Secure Configuration Baseline (SCB) provides specific policies to help secure Power Platform.

The Secure Cloud Business Applications (SCuBA) project, run by the Cybersecurity and Infrastructure Security Agency (CISA), provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.

The CISA SCuBA SCBs for M365 help secure federal information assets stored within M365 cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government’s threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. While use of these baselines will be mandatory for civilian Federal Government agencies, organizations outside of the Federal Government may also find these baselines to be useful references to help reduce risks.

For non-Federal users, the information in this document is being provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. Without limiting the generality of the foregoing, some controls and settings are not available in all products; CISA has no control over vendor changes to products offerings or features. Accordingly, these SCuBA SCBs for M365 may not be applicable to the products available to you. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

This document is marked TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp.

Portions of this document are adapted from documents in Microsoft’s Microsoft 365 and Azure GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Source documents are linked throughout this document. The United States Government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services.

Assumptions

The License Requirements sections of this document assume the organization is using an M365 E3 or G3 license level at a minimum. Therefore, only licenses not included in E3/G3 are listed.

Key Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

The following section summarizes the various Power Platform applications referenced in this baseline:

  1. Power Apps: Low-code application development software used to create custom business applications. The apps can be developed as desktop, mobile, and even web apps. Three different types of Power Apps can be created:

    1. Canvas Apps: These are drag and drop style developed apps, where users drag and add User Interface (UI) components to the screen. Users can then connect the components to data sources to display data in the canvas app.

    2. Model-Driven Apps: These are apps developed from an existing data source. They can be thought of as the inverse of a Canvas App: you build the app from the data source, rather than building the UI first and then connecting it to a source as with Canvas Apps.

    3. Power Pages: These are apps developed to function as either internal- or external-facing websites.

  2. Power Automate: This is an online tool within Microsoft 365, with accompanying add-ins, used to create automated workflows between apps and services to synchronize files, get notifications, and collect data.

  3. Power Virtual Agents: These are custom chat bots for use in the stand-alone Power Virtual Agents web app or in a Microsoft Teams channel.

  4. Connectors: These are proxies or wrappers around an API that allow the underlying service to be accessed from Power Automate Workflows, Power Apps, or Azure Logic Apps.

  5. Microsoft Dataverse: This is a cloud database management system most often used to store data in SQL-like tables. A Power App would then use a connector to connect to the Dataverse table and perform create, read, update, and delete (CRUD) operations.

BOD 25-01 Requirement: This indicator means that the policy is required under CISA BOD 25-01.

Automated Check: This indicator means that the policy can be automatically checked via ScubaGear. See the Quick Start Guide for help getting started.

Manual: This indicator means that the policy requires manual verification of configuration settings.

Baseline Policies

Baseline Policies in this document are targeted towards administrative controls that apply to Power Platform applications at either the tenant or Power Platform environment level. Additional Power Platform security settings can be implemented at the app level, connector level, or Dataverse table level. Refer to Power Platform Microsoft Learn documentation for those additional controls.

1. Creation of Power Platform Environments

By default, any user in the Microsoft Entra ID Tenant can create additional environments. Enabling these controls will restrict the creation of new environments to users with the following admin roles: Global admins, Dynamics 365 admins, and Power Platform admins.

Policies

MS.POWERPLATFORM.1.1v1

The ability to create production and sandbox environments SHALL be restricted to admins.

BOD 25-01 Requirement Automated Check

MS.POWERPLATFORM.1.2v1

The ability to create trial environments SHALL be restricted to admins.

BOD 25-01 Requirement Automated Check

Resources

License Requirements

Implementation

MS.POWERPLATFORM.1.1v1 Instructions

  1. Sign in to your tenant environment’s respective Power Platform admin center.

  2. In the upper-right corner of the Microsoft Power Platform site, select the Gear icon (Settings icon).

  3. Select Power Platform settings.

  4. Under Production environment assignments, select Only specific admins.

MS.POWERPLATFORM.1.2v1 Instructions

  1. Follow the MS.POWERPLATFORM.1.1v1 instructions up to step 3.

  2. Under Trial environment assignments, select Only specific admins.

2. Power Platform Data Loss Prevention Policies

To secure Power Platform environments, DLP policies can be created to restrict the connectors used with Power Apps created in an environment. A DLP policy can be created to affect all or some environments or exclude certain environments. The more restrictive policy will be enforced when there is a conflict.

Connectors can be separated by creating a DLP policy assigning them to one of three groups: Business, Non-Business, and Blocked. Connectors in different groups cannot be used in the same Power App. Connectors in the Blocked group cannot be used at all. (Note: Some M365 connectors cannot be blocked, such as Teams and SharePoint connectors).

In the DLP policy, connectors can be configured to restrict read and write permissions to the data source/service. Connectors that cannot be blocked cannot be configured. Agencies should evaluate the connectors and configure them to fit agency needs and security requirements. The agency should then create a DLP policy to only allow those connectors to be used in Power Platform.

When a Microsoft Entra ID tenant is created, a Power Platform environment is created by default; this default environment bears the name of the tenant. There is no way to restrict users in the Microsoft Entra ID tenant from creating Power Apps in the default Power Platform environment, but admins can restrict users from creating apps in all other environments.

Policies

MS.POWERPLATFORM.2.1v1

A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.

BOD 25-01 Requirement Automated Check

MS.POWERPLATFORM.2.2v1

Non-default environments SHOULD have at least one DLP policy affecting them.

Automated Check

Resources

License Requirements

Implementation

MS.POWERPLATFORM.2.1v1 Instructions

  1. Sign in to your tenant environment’s respective Power Platform admin center.

  2. On the left pane, select Security -> Data and privacy.

  3. Select Data policy, then select + New Policy icon to create a new policy.

  4. Give the policy a suitable agency name and click Next.

  5. At the Prebuilt connectors section, search and select the connectors currently in the **Non-business default** tab containing sensitive data that can be utilized to create flows and apps.

  6. Click Move to Business. Connectors added to this group cannot share data with connectors in other groups because a connector can reside in only one data group at a time.

  7. If necessary (and possible) for the connector, click Configure connector at the top of the screen to change connector permissions. This allows greater flexibility for the agency to allow and block certain connector actions for additional customization.

  8. For the default environment, move all other connectors to the Blocked category. For non-blockable connectors noted above, the Block action will be grayed out and a warning will appear.

  9. At the bottom of the screen, select Next to move on.

  10. Add a custom connector pattern. Custom connectors allow admins to specify an ordered list of Allow and Deny URL patterns for custom connectors. View DLP for custom connectors | Microsoft Learn for more information.

  11. Click Next.

  12. At the Scope section for the default environment, select Add multiple environments then click Next.

  13. Select the default environment, then select the + Add to policy button at the top of the screen, then select Next.

  14. Select Next-> Create Policy to finish.

MS.POWERPLATFORM.2.2v1 Instructions

  1. Repeat steps 1 to 11 in the MS.POWERPLATFORM.2.1v1 instructions.

  2. At the Scope section, select Add multiple environments and select the non-default environments to which you wish to apply the DLP policy. If you wish to apply the DLP policy to all environments, including environments created in the future, select Add all environments.

  3. Select Next-> Create Policy to finish.
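The two DLP policies above turn on a coverage question (does every environment, and in particular the default one, fall under at least one policy?) and a precedence rule (the more restrictive policy wins for a connector). The following PowerShell is an added example, not part of the CISA baseline or of ScubaGear, that evaluates both offline. The object shapes it assumes are those returned by Get-AdminPowerAppEnvironment and Get-DlpPolicy in the Microsoft.PowerApps.Administration.PowerShell module (EnvironmentName, DisplayName, IsDefault; displayName, environmentType, environments[].name, connectorGroups[].classification and connectors[].name); the environments and policies below are constructed sample data, not output from a real tenant.

```powershell
# Added example (not part of the CISA baseline or of ScubaGear): offline
# evaluation of DLP policy coverage per environment and of the "more
# restrictive policy wins" rule for a single connector.
# Assumed shapes (from Get-AdminPowerAppEnvironment and Get-DlpPolicy):
#   environment: EnvironmentName, DisplayName, IsDefault
#   policy:      displayName, environmentType (AllEnvironments | OnlyEnvironments |
#                ExceptEnvironments), environments[].name, connectorGroups[].classification,
#                connectorGroups[].connectors[].name

function Test-DlpPolicyAppliesTo {
    param($Policy, [string]$EnvironmentName)
    $listed = @($Policy.environments | ForEach-Object { $_.name }) -contains $EnvironmentName
    switch ($Policy.environmentType) {
        'AllEnvironments'    { return $true }          # every environment, current and future
        'OnlyEnvironments'   { return $listed }        # explicit include list
        'ExceptEnvironments' { return -not $listed }   # everything except the listed ones
        default              { return $false }
    }
}

function Get-DlpCoverageReport {
    param($Environments, $Policies)
    foreach ($environment in $Environments) {
        $applicable = @($Policies | Where-Object {
            Test-DlpPolicyAppliesTo -Policy $_ -EnvironmentName $environment.EnvironmentName })
        # The default environment is governed by 2.1 (SHALL); all others by 2.2 (SHOULD).
        $baseline = if ($environment.IsDefault) { 'MS.POWERPLATFORM.2.1v1' } else { 'MS.POWERPLATFORM.2.2v1' }
        $status   = if ($applicable.Count -gt 0) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{
            Environment = $environment.DisplayName
            IsDefault   = $environment.IsDefault
            Baseline    = $baseline
            Status      = $status
            Policies    = (@($applicable | ForEach-Object { $_.displayName }) -join ', ')
        }
    }
}

# A connector is blocked in an environment if ANY applicable policy places it in
# the Blocked group; that is what "the more restrictive policy is enforced"
# amounts to when several policies overlap.
function Test-ConnectorBlocked {
    param($Policies, [string]$EnvironmentName, [string]$ConnectorName)
    foreach ($policy in $Policies) {
        if (-not (Test-DlpPolicyAppliesTo -Policy $policy -EnvironmentName $EnvironmentName)) { continue }
        foreach ($group in $policy.connectorGroups) {
            if ($group.classification -ne 'Blocked') { continue }
            if (@($group.connectors | ForEach-Object { $_.name }) -contains $ConnectorName) { return $true }
        }
    }
    return $false
}

# Constructed sample data standing in for the live cmdlet output.
$sampleEnvironments = @(
    [pscustomobject]@{ EnvironmentName = 'Default-0000'; DisplayName = 'Contoso (default)'; IsDefault = $true  }
    [pscustomobject]@{ EnvironmentName = 'env-prod';     DisplayName = 'Production';        IsDefault = $false }
    [pscustomobject]@{ EnvironmentName = 'env-dev';      DisplayName = 'Development';       IsDefault = $false }
)
$samplePolicies = @(
    [pscustomobject]@{
        displayName     = 'Default environment lockdown'
        environmentType = 'OnlyEnvironments'
        environments    = @([pscustomobject]@{ name = 'Default-0000' })
        connectorGroups = @(
            [pscustomobject]@{ classification = 'Confidential'; connectors = @([pscustomobject]@{ name = 'SharePoint' }) }
            [pscustomobject]@{ classification = 'Blocked';      connectors = @([pscustomobject]@{ name = 'HTTP' }) }
        )
    }
    [pscustomobject]@{
        displayName     = 'All environments except Development'
        environmentType = 'ExceptEnvironments'
        environments    = @([pscustomobject]@{ name = 'env-dev' })
        connectorGroups = @()
    }
)

Get-DlpCoverageReport -Environments $sampleEnvironments -Policies $samplePolicies | Format-Table -AutoSize
Test-ConnectorBlocked -Policies $samplePolicies -EnvironmentName 'Default-0000' -ConnectorName 'HTTP'
Test-ConnectorBlocked -Policies $samplePolicies -EnvironmentName 'env-prod'     -ConnectorName 'HTTP'
```

The sample is deliberately built so that the Development environment is excluded by the second policy and not listed in the first, which is the gap MS.POWERPLATFORM.2.2v1 is meant to surface. Against a real tenant, after Add-PowerAppsAccount, the same functions take live objects: `Get-DlpCoverageReport -Environments (Get-AdminPowerAppEnvironment) -Policies (Get-DlpPolicy).value`. The Blocked classification and the Confidential/General names for the Business and Non-Business groups are assumed from the cmdlet's JSON; verify them against your own Get-DlpPolicy output before relying on the connector check.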

3. Power Platform Tenant Isolation

Power Platform tenant isolation is different from Microsoft Entra ID-wide tenant restrictions and does not affect Microsoft Entra-based access outside of Power Platform. It only applies to connectors that use Microsoft Entra-based authentication, such as Office 365 Outlook or SharePoint. The default configuration in Power Platform has tenant isolation set to Off, allowing cross-tenant connections to be established: a user from tenant A using a Power App with such a connector can seamlessly establish a connection to tenant B when presenting appropriate Microsoft Entra ID credentials.

If admins want to allow only a select set of tenants to establish connections to or from their tenant, they can turn on tenant isolation. Once tenant isolation is turned on, inbound (connections to the tenant from external tenants) and outbound (connections from the tenant to external tenants) cross-tenant connections are blocked by Power Platform even if the user presents valid credentials to the Microsoft Entra-secured data source.

Policies

MS.POWERPLATFORM.3.1v1

Power Platform tenant isolation SHALL be enabled.

BOD 25-01 Requirement Automated Check

MS.POWERPLATFORM.3.2v1

An inbound/outbound connection allowlist SHOULD be configured.

Manual

Resources

License Requirements

Implementation

MS.POWERPLATFORM.3.1v1 Instructions

  1. Sign in to your tenant environment’s respective Power Platform admin center.

  2. On the left pane, select Security -> Identity and access -> Tenant Isolation.

  3. Set the slider Restrict cross-tenant connections to On, then click Save on the bottom of the screen.

MS.POWERPLATFORM.3.2v1 Instructions

  1. Follow steps 1 and 2 in MS.POWERPLATFORM.3.1v1 instructions to arrive at the same page.

  2. The tenant isolation exceptions can be configured by clicking + Add exceptions on the Tenant Isolation page.

  3. Select the Direction of the rule and add the Tenant Domain or ID this rule applies to.

  4. If Tenant Isolation is switched Off, these rules will not be enforced until tenant isolation is turned On.
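MS.POWERPLATFORM.3.2v1 is a manual check, so what a reviewer needs is a readable list of every exception together with its direction, plus a reminder that exceptions do nothing while isolation is Off. The PowerShell below is an added example, not part of the CISA baseline or of ScubaGear. It assumes the object shape returned by Get-PowerAppTenantIsolationPolicy in the Microsoft.PowerApps.Administration.PowerShell module (properties.isDisabled, and properties.allowedTenants[] entries with tenantId and direction.inbound / direction.outbound); the policy object at the bottom is constructed sample data.

```powershell
# Added example (not part of the CISA baseline or of ScubaGear): offline review
# of a tenant isolation policy object for MS.POWERPLATFORM.3.1v1 and 3.2v1.
# Assumed shape (from Get-PowerAppTenantIsolationPolicy):
#   properties.isDisabled            $true when tenant isolation is Off
#   properties.allowedTenants[]      tenantId, direction.inbound, direction.outbound

function Get-TenantIsolationReport {
    param($Policy)
    # Isolation is "On" only when isDisabled is explicitly $false; a missing
    # property is treated as not enabled rather than assumed secure.
    $isolationOn = ($Policy.properties.isDisabled -eq $false)

    # MS.POWERPLATFORM.3.1v1: tenant isolation SHALL be enabled.
    $result31 = if ($isolationOn) { 'Pass' } else { 'Fail' }
    [pscustomobject]@{
        Check  = 'MS.POWERPLATFORM.3.1v1 tenant isolation enabled'
        Result = $result31
        Detail = "isDisabled = $($Policy.properties.isDisabled)"
    }

    # MS.POWERPLATFORM.3.2v1 (manual): list each exception so a reviewer can
    # confirm the tenant and direction are intended. Exceptions are only
    # enforced while isolation is On (step 4 above).
    $exceptions = @($Policy.properties.allowedTenants)
    $result32 = if ($isolationOn) { 'Review' } else { 'Not enforced (isolation Off)' }
    foreach ($entry in $exceptions) {
        $directions = @()
        if ($entry.direction.inbound)  { $directions += 'inbound'  }
        if ($entry.direction.outbound) { $directions += 'outbound' }
        if ($directions.Count -eq 0)   { $directions += 'none'     }
        [pscustomobject]@{
            Check  = 'MS.POWERPLATFORM.3.2v1 allowlist entry'
            Result = $result32
            Detail = '{0}: {1}' -f $entry.tenantId, ($directions -join '+')
        }
    }
    if ($exceptions.Count -eq 0) {
        [pscustomobject]@{
            Check  = 'MS.POWERPLATFORM.3.2v1 allowlist entry'
            Result = 'None configured'
            Detail = 'All cross-tenant connections are blocked while isolation is On'
        }
    }
}

# Constructed sample: isolation On, one inbound-only partner, one two-way partner.
$samplePolicy = [pscustomobject]@{
    properties = [pscustomobject]@{
        isDisabled     = $false
        allowedTenants = @(
            [pscustomobject]@{ tenantId = '11111111-1111-1111-1111-111111111111'
                               direction = [pscustomobject]@{ inbound = $true; outbound = $false } }
            [pscustomobject]@{ tenantId = 'partner.example'
                               direction = [pscustomobject]@{ inbound = $true; outbound = $true } }
        )
    }
}

Get-TenantIsolationReport -Policy $samplePolicy | Format-Table -AutoSize
```

Against a live tenant, pass the real object instead: `Get-TenantIsolationReport -Policy (Get-PowerAppTenantIsolationPolicy -TenantId $tenantId)`. Whether that cmdlet requires -TenantId, and the exact property names, should be confirmed against the module's help for the version you have installed; the report logic itself does not depend on anything else.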

4. Power Apps Content Security Policy

Content Security Policy (CSP) is an added security layer that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS), clickjacking, and data injection attacks. When enabled, this setting can apply to all current canvas apps and model-driven apps at the Power Platform environment level.

Policies

MS.POWERPLATFORM.4.1v1

Content Security Policy (CSP) SHALL be enforced for model-driven and canvas Power Apps.

Manual

Resources

License Requirements

Implementation

MS.POWERPLATFORM.4.1v1 Instructions

  1. Sign in to your tenant environment’s respective Power Platform admin center.

  2. On the left-hand pane click on Manage -> Environments and then select an environment from the list.

  3. Select the Settings icon at the top of the page.

  4. Click on Product then click on Privacy + Security from the options that appear.

  5. At the bottom of the page under the Content security policy section, set Enforce content security policy to On for Model-driven and Canvas.

  6. At the same location, set Enable reporting to On and add an appropriate endpoint to which CSP violations can be reported.

  7. Repeat steps 2 to 6 for all active Power Platform environments.

5. Power Pages Creation

Power Pages, formerly known as Power Portals, are Power Apps specifically designed to act as external-facing websites. By default, any user in the tenant can create a Power Page. Admins can restrict the creation of new Power Pages to admins only.

Policies

MS.POWERPLATFORM.5.1v1

The ability to create Power Pages sites SHOULD be restricted to admins.

Automated Check

Resources

License Requirements

Implementation

MS.POWERPLATFORM.5.1v1 Instructions

  1. This setting can currently only be enabled through the Power Apps PowerShell modules.

  2. After installing the Power Apps PowerShell modules, run Add-PowerAppsAccount -Endpoint $YourTenantsEndpoint to authenticate to your tenant’s Power Platform. Discover the valid values for the -Endpoint parameter here. Commercial tenants use -Endpoint prod, GCC tenants use -Endpoint usgov, and so on.

  3. Then run the following PowerShell command to disable the creation of Power Pages sites by non-administrative users.

     Set-TenantSettings -RequestBody @{ "disablePortalsCreationByNonAdminUsers" = $true }

6. Power Apps Sharing Controls

Power Apps supports discovery of apps by allowing makers to share canvas apps with individuals and security groups. Sharing with Everyone, or all users present in the directory, is disabled by default. When the Share with Everyone feature is disabled, only Dynamics 365 administrators, Power Platform administrators, and global administrators have the ability to share an application with everyone in the environment.

Policies

MS.POWERPLATFORM.6.1v1

The Share with Everyone feature SHOULD be disabled.

Automated Check

Resources

License Requirements

Implementation

MS.POWERPLATFORM.6.1v1 Instructions

  1. This setting can currently only be enabled through the Power Apps PowerShell modules.

  2. After installing the Power Apps PowerShell modules, run Add-PowerAppsAccount -Endpoint $YourTenantsEndpoint to authenticate to your tenant’s Power Platform. Discover the valid values for the -Endpoint parameter here. Commercial tenants use -Endpoint prod, GCC tenants use -Endpoint usgov, and so on.

  3. Then run the following PowerShell commands to get the tenant settings object, set its disableShareWithEveryone property to $true, and write it back.

     # Retrieve the current tenant settings object
     $tenantSettings = Get-TenantSettings
     # Restrict sharing with Everyone to admins only
     $tenantSettings.powerPlatform.powerApps.disableShareWithEveryone = $true
     # Write the modified settings back to the tenant
     Set-TenantSettings $tenantSettings
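Policies MS.POWERPLATFORM.1.1v1, 1.2v1, 5.1v1 and 6.1v1 all live in the same tenant settings object that sections 5 and 6 manipulate with Get-TenantSettings and Set-TenantSettings, so one pass over that object can audit all four and produce the remediated object. The PowerShell below is an added example, not part of the CISA baseline or of ScubaGear. The two property names the document itself uses (disablePortalsCreationByNonAdminUsers, powerPlatform.powerApps.disableShareWithEveryone) come from the page; disableEnvironmentCreationByNonAdminUsers and disableTrialEnvironmentCreationByNonAdminUsers are assumed to be the corresponding properties for the environment-creation settings of section 1 and should be confirmed against your own Get-TenantSettings output. The settings object at the bottom is constructed sample data.

```powershell
# Added example (not part of the CISA baseline or of ScubaGear): audit and
# in-memory remediation of the tenant-level settings behind four baseline
# policies. Property paths are assumed from Get-TenantSettings output; two of
# them appear in this document's own Set-TenantSettings commands.
$baselineChecks = @(
    @{ Id = 'MS.POWERPLATFORM.1.1v1'; Path = 'disableEnvironmentCreationByNonAdminUsers';        Level = 'SHALL'  }
    @{ Id = 'MS.POWERPLATFORM.1.2v1'; Path = 'disableTrialEnvironmentCreationByNonAdminUsers';   Level = 'SHALL'  }
    @{ Id = 'MS.POWERPLATFORM.5.1v1'; Path = 'disablePortalsCreationByNonAdminUsers';            Level = 'SHOULD' }
    @{ Id = 'MS.POWERPLATFORM.6.1v1'; Path = 'powerPlatform.powerApps.disableShareWithEveryone'; Level = 'SHOULD' }
)

# Walk a dotted path such as 'powerPlatform.powerApps.disableShareWithEveryone'.
function Get-SettingValue {
    param($Object, [string]$Path)
    $current = $Object
    foreach ($segment in $Path.Split('.')) {
        if ($null -eq $current) { return $null }
        $current = $current.$segment
    }
    return $current
}

function Test-PowerPlatformTenantSettings {
    param($Settings)
    foreach ($check in $baselineChecks) {
        $value = Get-SettingValue -Object $Settings -Path $check.Path
        # Each setting is a "disable..." flag, so $true is the secure state. A
        # missing property ($null) is reported as Fail rather than assumed secure.
        $status = if ($value -eq $true) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{
            PolicyId = $check.Id
            Level    = $check.Level
            Setting  = $check.Path
            Value    = $value
            Status   = $status
        }
    }
}

# Set all four flags on a settings object in memory, following the pattern the
# document uses for 6.1 (get the object, change the property, hand it back to
# Set-TenantSettings). This function writes nothing to the tenant; the object is
# modified in place and also returned. Missing intermediate objects are created.
function Set-PowerPlatformBaselineFlags {
    param($Settings)
    foreach ($check in $baselineChecks) {
        $segments = $check.Path.Split('.')
        $target = $Settings
        for ($i = 0; $i -lt $segments.Count - 1; $i++) {
            $name = $segments[$i]
            if ($null -eq $target.PSObject.Properties[$name]) {
                $target | Add-Member -NotePropertyName $name -NotePropertyValue ([pscustomobject]@{})
            }
            $target = $target.$name
        }
        $leaf = $segments[-1]
        if ($null -eq $target.PSObject.Properties[$leaf]) {
            $target | Add-Member -NotePropertyName $leaf -NotePropertyValue $true
        } else {
            $target.$leaf = $true
        }
    }
    return $Settings
}

# Constructed sample: only production/sandbox creation is already restricted.
$sampleSettings = [pscustomobject]@{
    disableEnvironmentCreationByNonAdminUsers      = $true
    disableTrialEnvironmentCreationByNonAdminUsers = $false
    disablePortalsCreationByNonAdminUsers          = $false
    powerPlatform = [pscustomobject]@{
        powerApps = [pscustomobject]@{ disableShareWithEveryone = $false }
    }
}

Test-PowerPlatformTenantSettings -Settings $sampleSettings | Format-Table -AutoSize
$remediated = Set-PowerPlatformBaselineFlags -Settings $sampleSettings
Test-PowerPlatformTenantSettings -Settings $remediated | Format-Table -AutoSize
```

With the Power Apps PowerShell modules installed and Add-PowerAppsAccount completed, the audit runs as `Test-PowerPlatformTenantSettings -Settings (Get-TenantSettings)`; remediation is `Set-TenantSettings (Set-PowerPlatformBaselineFlags -Settings (Get-TenantSettings))`, which is the same get/modify/set sequence the section 6 instructions use, extended to all four flags. Run the audit once more afterwards to confirm the tenant actually reflects the change.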
