When “Secure by Design” Isn’t Enough: A Blind Spot in Power Platform Security Access Controls

Ziv Hagbi

Security Groups play a pivotal role in tenant governance across platforms like Entra, Power Platform, and SharePoint. They allow administrators to control access, enforce identity-aware security, and prevent unauthorized interactions. However, we’ve identified a security group bypass risk: Application Users (App Users) - Service Principal identities from Entra - can slip past Security Group restrictions, creating misaligned identity assumptions and enabling unauthorized data access.

Security Groups in Power Platform are designed to control access to environments and data. They sync with Entra ID, enabling centralized governance. However, while Security Groups effectively restrict regular user access, App Users are not governed by these controls. This means an App User not listed in a Security Group can still interact with data in Dataverse, even without elevated permissions: a Dataverse security gap that allows unauthorized API access via Service Principals.

Our research demonstrated this issue through a simulated environment:

  1. Enterprise Application Setup: Created a new App User (Service Principal identity) in Entra with specific client credentials.
  2. Security Group Restriction: Configured a Security Group for the environment, intentionally excluding the App User.
  3. Unauthorized API Access: Queried Dataverse using REST APIs, and despite restrictions, the App User accessed data successfully - demonstrating how Service Principals can bypass expected Power Platform access controls.

Why This Matters

This access control gap undermines the integrity of Power Platform governance, as administrators rely on Security Groups to enforce identity-aware access policies. But App Users can bypass these controls, violating zero-trust assumptions and enabling sensitive data exposure.

  • Sensitive Data Exposure: Unauthorized App Users accessing or extracting sensitive information from Dataverse.
  • Misaligned Identity Assumptions: Admins may wrongly believe that Service Principal access is governed by the same group policies, exposing systems to unintended access paths.

Deeper Dive: The Dataverse Security Design Flaw You Might Be Missing

While Power Platform is often built around "Secure by Design" principles, Dataverse - its core data platform - has a critical blind spot. Even with Role-Based Access Control (RBAC) in place, granular data-level security is often insufficient, leading to potential exposure of sensitive data at the row or field level.

Real Risk: Users with limited UI access can still query sensitive records (e.g., customer credit card fields) if API or backend enforcement is misconfigured.

Mitigation Tactics:

  • Conduct threat modeling focused on data-level access
  • Apply least privilege policies at the row and column level
  • Perform regular Dataverse access audits
  • Follow Microsoft's Dataverse security best practices

A Step to Better Governance - Working with Microsoft

After identifying the issue, we flagged it to Microsoft and engaged with them to ensure transparency and remediation. The response was swift and constructive:

  1. Public Documentation Update: Microsoft updated their official documentation to explicitly state that App Users are not governed by Security Groups.
  2. Future Enhancements: Microsoft is actively working on extending Security Group functionality to include App Users, enhancing the governance model for all identity types.

Their response highlights a strong commitment to addressing security concerns raised by the community.

What You Can Do Right Now

  • Administrators: Reassess environments with App Users and apply alternative safeguards, such as custom monitoring or role-based access controls (RBAC).
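One concrete form of the "custom monitoring" suggested above is an audit that lists every Application User registered in an environment and checks whether the admin's Security Group even contains its Service Principal. This is an added example, not the article's or Microsoft's code; it assumes the input is the JSON returned by the Dataverse Web API `systemusers` entity (where `applicationid` holds the Entra client ID of an App User) and by the Microsoft Graph `groups/{id}/members` endpoint (where a `servicePrincipal` member carries the same value as `appId`). Both payloads below are constructed samples.

```python
import json

# Constructed sample of GET /api/data/v9.2/systemusers?$filter=applicationid ne null
DATAVERSE_USERS = json.loads("""{"value": [
 {"fullname": "# BillingSync", "applicationid": "11111111-1111-1111-1111-111111111111", "isdisabled": false},
 {"fullname": "# ReportExport", "applicationid": "22222222-2222-2222-2222-222222222222", "isdisabled": false},
 {"fullname": "# OldIntegration", "applicationid": "33333333-3333-3333-3333-333333333333", "isdisabled": true}
]}""")

# Constructed sample of GET /v1.0/groups/{id}/members: one human user and one SP.
GROUP_MEMBERS = json.loads("""{"value": [
 {"@odata.type": "#microsoft.graph.user", "id": "aaaaaaaa-0000-0000-0000-000000000001",
  "displayName": "Alice"},
 {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "bbbbbbbb-0000-0000-0000-000000000002",
  "appId": "11111111-1111-1111-1111-111111111111", "displayName": "BillingSync"}
]}""")


def audit_app_users(dataverse_users, group_members, include_disabled=False):
    """Return every App User in the environment with an `in_group` flag.

    Because Security Group membership does not gate App Users, every enabled
    entry in the result deserves review; those with in_group == False are the
    ones an admin would wrongly assume the group has already blocked.
    Matching is on the Entra application (client) ID, case-insensitively.
    """
    member_app_ids = {
        m["appId"].lower()
        for m in group_members["value"]
        if m.get("@odata.type") == "#microsoft.graph.servicePrincipal" and m.get("appId")
    }
    findings = []
    for u in dataverse_users["value"]:
        if u["isdisabled"] and not include_disabled:
            continue  # disabled App Users cannot authenticate; skip unless asked
        app_id = u["applicationid"].lower()
        findings.append({
            "fullname": u["fullname"],
            "applicationid": app_id,
            "in_group": app_id in member_app_ids,
        })
    return findings


if __name__ == "__main__":
    for f in audit_app_users(DATAVERSE_USERS, GROUP_MEMBERS):
        status = "in security group" if f["in_group"] else "NOT in security group"
        print(f'{f["fullname"]:<20} {f["applicationid"]}  {status}')
```

Feed it the real API responses (paged `value` arrays) for each environment and review every row: App Users outside the group are the access paths the Security Group never covered.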

Power Platform administrators and developers must stay vigilant by implementing enterprise-grade safeguards that address both human and Service Principal access risks. As Microsoft evolves its platform, organizations should prioritize future-ready environment controls and collaborative security governance across all identity types.

The gap between design intent and real-world enforcement is where security breaches happen. Now is the time to close it - with visibility, alignment, and accountability across your identity and access ecosystem.
