MS Power Platform

Uploaded by

Bình Hồ
Contents

Power Platform
Administer Power Platform
Licensing changes in October 2019
PowerApps and Flow licensing FAQs
Requests limits and allocations
Administer Dynamics 365 for Customer Engagement
Administer PowerApps
Overview
Get Help + Support
Support overview
Getting started
PowerApps overview
What's the role of a PowerApps administrator?
PowerApps enterprise deployment whitepaper
Environments
Early opt-in to 2019 release wave 2
View analytics
Common Data Service analytics
Microsoft Flow analytics
PowerApps analytics
Capacity
Free storage space
Manage environments
Environments overview
Create environments
Control environment creation
Create a database in PowerApps
Create an environment in PowerApps
Copy an environment
View and reset Sandbox environments
About Trial environments
Manage environments in PowerApps
Regions overview in PowerApps
Manage encryption key
PowerApps Preview Program
Manage settings
Common Data Service settings
Product settings
Behavior
Features
Languages
Privacy and security
Business settings
Business closures
Calendar
Currencies
Regional formatting
Users + permissions settings
Business units
Hierarchy security
Positions
Security roles
Teams
Users
Encryption
Encryption
Email settings
Email settings
Email tracking
Mailboxes
Server profiles
Services settings
Microsoft Social Engagement
Data management settings
Announcements
Auto numbering
Automatic record creation policies
Bulk deletion
Data import wizard
Data maps
Duplicate detection
Templates
Cascading transaction processing
Platform architecture
About on-premises gateway
On-premises data gateway management
About environments
Common Data Service
Types of PowerApps
Microsoft Flow
Connectors
Solution Packages
Licensing and license management
About licensing and license management
Licensing overview
Manage licenses in your org
Purchase PowerApps
FAQs and more information
Security
Overview
Controlling access
Security concepts
System and application users
Configure environment security
Control user access to environments
Data loss prevention policies
Create a DLP policy
Manage DLP policies
Introduction to data groups
Management and monitoring
Overview
Working with the Admin Portals
PowerShell support for PowerApps (preview)
About PowerShell support
Automation of tasks with PowerShell
Automate application lifecycle management
Automation of tasks with Microsoft Flow
View apps in your environments
Manage apps in your org
Move an app between tenants or environments
Embed an app in Teams
View active users in your tenant
Deployment scenarios
Application Lifecycle Management
About Application Lifecycle Management
Activity logging for PowerApps
Data integration
Integrate data into Common Data Service
Data Integrator Error management and troubleshooting
GDPR - Responding to DSR requests
System-generated logs
Data integrations for Common Data Service
PowerApps customer data
Overview
Export data
Delete data
Common Data Service customer data
Compliance and data privacy
PowerApps US Government
Administer Microsoft Flow
Administer Power BI
Reference: Use the various admin centers
Reference: Videos and PowerPoint presentations
Preview: Administer Power Platform
8/9/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


The Power Platform Admin center provides a unified portal for administrators to manage environments and
settings for Dynamics 365 for Customer Engagement, PowerApps, and Microsoft Flow. More information in this
blog post: Introducing the Power Platform Admin center.

IMPORTANT
The Power Platform Admin center is a preview feature, and we will continue to add functionality from other admin centers
until it becomes the only admin center where you can accomplish all admin tasks related to Power Platform.

A preview feature may have limited availability and restricted functionality. A preview feature is available before an official
release so that customers can get early access and provide feedback.

Power Platform Admin center capabilities


Currently, the admin center provides the following capabilities.

FEATURE | DESCRIPTION
Help + support | Get a list of self-help solutions or create a support ticket for technical support. More information: Get Help + Support
Analytics | Get a detailed view of key metrics for Power Platform apps. More information: Common Data Service analytics
Environments | View, create, and manage your environments. Select an environment to see details and manage its settings. More information: Manage environment settings
Data integration | More information: Integrate data into Common Data Service
Data Gateway | More information: Set up data transfer between on-premises data and cloud services
Data policies | More information: Create and manage data loss prevention policies.

PowerApps and Microsoft Flow licensing FAQs for October 2019
8/29/2019 • 10 minutes to read

This topic provides information about the licensing changes for PowerApps and Microsoft Flow coming in October
2019. For the current licensing information, see PowerApps plans and Microsoft Flow plans.
What licensing changes are coming to PowerApps and Microsoft Flow in October 2019?
We’re introducing two new plans for PowerApps and two new plans for Microsoft Flow on October 1, 2019.
New PowerApps plans include:
- PowerApps per app plan which allows individual users to run applications (2 apps and a single portal) for a specific business scenario based on the full capabilities of PowerApps for $10/user/app/month. This plan provides an easy way for customers to get started with the platform before broader scale adoption.
- PowerApps per user plan which equips a user to run unlimited applications (within service limits) based on the full capabilities of PowerApps for $40/user/month.
New Microsoft Flow plans include:
- Microsoft Flow per user plan which equips a user to run unlimited flows (within service limits) with the full capabilities of Microsoft Flow based on their unique needs for $15/user/month.
- Microsoft Flow per flow plan which enables organizations to implement flows with reserved capacity that serve teams, departments, or the entire organization without having to license each end user. This plan starts at $500/month for 5 flows.
Will non-profit, government, and academic pricing be available?
Yes.
What will happen to the existing PowerApps and Microsoft Flow plans on October 1, 2019?
The existing P1 and P2 plans for PowerApps and Microsoft Flow will be transitioning to the new PowerApps per
app and per user plans, as well as the Microsoft Flow per user and per flow plans. Existing customers
will be able to maintain the P1 and P2 plans for PowerApps and Microsoft Flow for the duration of their current
subscription period, and they may be eligible to also renew under current terms depending upon when their
subscription period expires. Similarly, new customers may be able to purchase the existing P1 and P2 plans prior
to April 1, 2020. Please contact your Microsoft account rep for more information.
Will full Microsoft Flow capabilities still be included with the new PowerApps licenses?
PowerApps licenses will continue to include Microsoft Flow capabilities. However, flows will need to run within the
context of the PowerApps application, which refers to using the same data sources for triggers or actions as the
PowerApps application. Consuming standalone Microsoft Flows unrelated to the PowerApps application(s) will
require purchase of a standalone Microsoft Flow license.
Will PowerApps and Microsoft Flow use rights change for Dynamics 365 applications?
PowerApps use rights with Dynamics 365 licenses: Dynamics 365 Enterprise licenses will no longer include
general purpose PowerApps capabilities. Dynamics 365 Enterprise users will continue to be able to run apps and
portals that extend and customize the licensed Dynamics 365 application, as long as those apps and portals are
located in the same environment as their licensed Dynamics 365 application. Custom apps or portals outside of
the Dynamics 365 environment will require a standalone PowerApps license.
Microsoft Flow use rights with Dynamics 365 licenses: Dynamics 365 licenses will no longer include general
purpose Microsoft Flow capabilities. Microsoft Flows will need to map to licensed Dynamics 365 application
context - Microsoft Flows should trigger from OR connect to data sources within use rights of licensed Dynamics
365 application(s). Use of standalone flows will require a Microsoft Flow license.
Will PowerApps and Microsoft Flow use rights change for Office 365 applications?
Effective October 1, 2019, the SQL, Azure, and Dynamics 365 connectors listed below will be reclassified from
Standard to Premium. Non-Microsoft connectors that had previously been classified as standard connectors will
still be available to Office 365 users. A standalone PowerApps or Microsoft Flow plan license is required to access
all Premium, on-premises and custom connectors.
Azure Application Insights
Azure Automation
Azure Blob Storage
Azure Container
Azure Cosmos
Azure Data Factory
Azure Data Lake
Azure DevOps
Azure Event Grid
Azure Event Grid Publish
Azure File Storage
Azure IoT Central
Azure Kusto
Azure Log Analytics
Azure Log Analytics Data Collector
Azure Queues
Azure Resource Manager
Azure SQL
Azure SQL Data Warehouse
Azure Table Storage
Dynamics 365
Dynamics 365 Customer Insights
Dynamics 365 for Finance & Operations
Dynamics 365 Sales Insights
Dynamics 365 Business Central
Dynamics 365 Business Central (on-premises)
Dynamics NAV
Event Hubs
Service Bus
SQL Server
Microsoft Flow plan-based limits on trigger frequency and the number of runs allocated to a tenant per month are
being removed.
PowerApps and Microsoft Flow usage will be subject to service limits described here. Per user service limits
provide capacity assurance for users and alleviate the risk of one user exhausting the tenant wide quota.
The PowerApps per app plan allows users to run specific apps. Can you explain what this means in terms of the
number and types of apps I can use?
The PowerApps per app plan is designed to help organizations solve for one business scenario at a time, which
may involve a combination of individual apps. Each “per app” license provides an individual user with rights to two
apps (canvas and/or model-driven) as well as one PowerApps Portal, all within a single environment. A single user
might be covered by multiple “per app” licenses to allow the user to use multiple solutions targeted at various
business scenarios, without requiring a per-user license. In other words, the “per app” license is stackable.
Do embedded canvas apps in model-driven apps count towards the two apps limit?
No. Embedded canvas components within the model-driven app will not count towards the two apps limit in the
per app licensing model.
When would I use the Microsoft Flow per user plan versus the Microsoft Flow per flow plan?
The per user plan is intended to support the broad adoption of an automation culture in an organization. Every
user with this plan is entitled to use an unlimited number of flows, within service limits. The per flow plan provides
an organization with the flexibility to license by the number of flows, instead of licensing each user accessing the
flows individually with the per user plan.
Which flows count in the Microsoft Flow per flow plan?
All types of enabled flows count – scheduled flows, automated flows, instant flows and business process flows.
Flows that are triggered by another flow (child flows) or that are disabled will not count against the plan.
Do flows always have to be purchased in units of 5 as part of the Microsoft Flow per flow plan?
No. After the minimum purchase of 5 flows, additional flows can be licensed individually at $100/month per flow.
Do users who run Flows need to be licensed, or do only users who create flows need to be licensed?
Any end user running a flow will need to be licensed either by the per user or per flow plans.
Do users who use Microsoft Flow features built on the Common Data Service like approvals or business process
flows need to be licensed?
There are features in Microsoft Flow that are not running a flow directly – such as responding to an approval
request or advancing a stage in a business process. These features are built on the Common Data Service.
Normally, any use of these features requires either a standalone Microsoft Flow per user plan, or that the flow that
creates these business process instances or approval requests be licensed under the per flow plan.
What Common Data Service capacity is included with the PowerApps and Microsoft Flow plans?
Every tenant with a PowerApps license gets default capacity. In addition, for each license there is additional
capacity (pooled) added to the tenant.

POWERAPPS CAPACITY LIMITS | PER LICENSE ENTITLEMENT (POWERAPPS PER APP PLAN) | PER LICENSE ENTITLEMENT (POWERAPPS PER USER PLAN)
Common Data Service Database Capacity | + 50 MB | + 50 MB
Common Data Service Log Capacity | + 0 | + 0
Common Data Service File Capacity | + 400 MB | + 400 MB

Since flows, as well as certain Microsoft Flow features like approvals, run inside of the Common Data Service,
every tenant with a Microsoft Flow license gets default capacity. In addition, for each per-user or per-flow license
there is additional capacity added to the tenant.

MICROSOFT FLOW CAPACITY LIMITS | + PER USER | + PER FLOW
Common Data Service Database Capacity | + 50 MB | + 50 MB
Common Data Service Log Capacity | + 0 | + 0
Common Data Service File Capacity | + 200 MB | + 200 MB

What add-ons are available to the PowerApps and Microsoft Flow plans?
The add-ons applicable to all standalone PowerApps and Microsoft Flow plans are listed below:
- New PowerApps Portals login capacity add-on and Portals page view capacity add-on for external users of PowerApps Portals.
  - PowerApps Portals login capacity add-ons (various volume tiers start from $200 per 100 logins per month)
  - PowerApps Portals page view capacity add-on (100,000 anonymous page views for $100 per month)
- New PowerApps and Microsoft Flow capacity add-on increases daily API request limits for PowerApps, Microsoft Flow and Dynamics 365 workloads for users that exceed their usage entitlement (10,000 daily API requests for $50 per month).
- Common Data Service Database Capacity (1GB) $40 per month
- Common Data Service File Capacity (1GB) $2 per month
- Common Data Service Log Capacity (1GB) $10 per month
Can you share more details regarding the new PowerApps Portals licensing?
PowerApps Portals can be provisioned without requiring a specific license. User access licensing is based on
persona type and details are as below.

What exactly is considered a “login” as part of the PowerApps Portals add-on?


Think of a login as a “day pass” to a portal. Once logged in to a portal, subsequent logins (potentially from
different devices) during the 24-hour period will not be billable.
Does a single login provide access to multiple PowerApps Portals during the 24-hour period?
Logins are specific to a single portal. So if you access multiple portals belonging to the same tenant, it will be counted
as one login per portal.
What is the difference between PowerApps Portals and Dynamics 365 Portals in terms of licensing?
PARAMETER | DYNAMICS 365 PORTALS | NEW POWERAPPS PORTALS
Provisioning a portal instance | Purchase Dynamics 365 Additional Portal SKU at $500 per month | Provision a portal—no need to purchase portal addons to provision a portal
Qualifying base offers | Dynamics 365 licenses only | Customers can add on portal external login or page view capacity to Dynamics 365, PowerApps and Microsoft Flow licenses
Internal use rights | Dynamics 365 enterprise licenses, Dynamics 365 team member license. | Internal users can now access portals with a PowerApps per-app/per-user license. For a Dynamics license it is same as custom PowerApps use rights.
Monetization | Per portal instance, per page view | Per log in, per page view
Entitlement for Dynamics 365 customers | 1 portal instance for the first 10 full Dynamics 365 USLs | Not applicable―PowerApps Portals instances can be provisioned

Can I purchase PowerApps Portals add-on licenses with my existing PowerApps P1 or P2 plans or do I have to
upgrade to the new plans to benefit from the new portal capability?
Yes. You can purchase PowerApps Portals add-on capacity if you are an existing PowerApps Plan 1 or Plan 2
customer. You can also purchase this capacity if you are a Dynamics 365 customer.
Can you clarify the use rights to Portals for internal users?
Custom PowerApps Portals use rights:
For internal users, use rights to a “custom” portal are aligned with their “custom” PowerApps use rights. For
example,
- A Dynamics 365 enterprise application license gets use rights to custom PowerApps applications within the same environment as the Dynamics 365 application. As such, a Dynamics 365 enterprise application license gets use rights to custom PowerApps Portals within the same environment as the licensed Dynamics 365 enterprise application.
- The Team Member license does not get access to a custom portal, as Team Member licenses do not allow access to a custom app.
What is the minimum number of logins and page views that I need to assign to a specific portal?
Minimum login quantity to be assigned to a portal is 100 logins/month. Once you have assigned 100 logins, you
can assign them in units of 1.
Example: If you have 3 portals and bought 4 login packs (400 logins), you can assign them in the following way:
Portal 1: 120 (min 100)
Portal 2: 151 (min 100)
Portal 3: 129 (min 100)
Page views: Minimum 50,000 per portal, after that you can assign 1 at a minimum.
Are there limits on the number of API requests PowerApps and Microsoft Flow users can make?
Yes. To help ensure service levels, availability and quality, there are limits to the number of API requests users can
make across PowerApps and Microsoft Flow. Service limits are set against normal usage patterns in both 5-minute
and per 24-hour intervals, and most customers will not reach them.
API capacity is tracked based on consumption at an individual user level, and the daily limits cannot be pooled at
any other level.
API limits are also applicable to application users, non-interactive users and administrative users in Common Data
Service platform.
More information is available here.
Requests limits and allocations
8/29/2019 • 4 minutes to read

Starting October 2019, to help ensure service levels, availability and quality, there are limits to the number of
requests users can make across Dynamics 365 for Customer Engagement apps, PowerApps, and Microsoft Flow.
These limits are based on various parameters like the number of requests, throughput, and concurrency, and help
prevent users running applications that could interfere with each other based on resource constraints.
This document will describe the common requests limits as well as the allocation which a user gets based on the
type of license assigned to the user.

Microsoft Power Platform requests allocations based on licenses


All the users of Microsoft Power Platform can use a certain number of requests based on the license they are
assigned. The below table defines the number of requests a user can make in a 24-hour period:

USER LICENSES | NUMBER OF API REQUESTS / 24 HOURS
Dynamics 365 Enterprise applications* | 20,000
Dynamics 365 Professional ** | 10,000
Dynamics 365 Team Member | 5,000
PowerApps per user plan | 5,000
Microsoft Flow per user plan | 5,000
Office licenses (that include PowerApps/Microsoft Flow) | 2,000
Application user / Non-interactive users | See section below

* Dynamics 365 Enterprise applications include Dynamics 365 for Sales Enterprise, Dynamics 365 for Customer
Service Enterprise, Dynamics 365 for Field Service, Dynamics 365 for Project Service Automation, Dynamics 365
for Retail, Dynamics 365 for Talent.
** Dynamics 365 Professional includes Dynamics 365 for Sales Professional, Dynamics 365 for Customer Service
Professional.
Users who are running apps and flows without a user license through the PowerApps per app plan or the
Microsoft Flow per flow plan are granted the following per-user API request entitlement.

ADD-ON | NUMBER OF API REQUESTS
PowerApps per app plan | 1,000 per user pass
Microsoft Flow per flow plan | 15,000 per flow

If a user has multiple plans assigned from different product lines, the total number of requests allowed would be
the sum of requests allocated to each license type. For example, if a user has both a Dynamics 365 for Customer
Service Enterprise plan as well as a PowerApps per app plan, then that user will have a total of 20000 + 1000 =
21000 requests available per 24 hours.
If a user has multiple licenses allocated within the same product line, for example if a user has a Dynamics 365 for
Customer Service Enterprise license as the base license and a Dynamics 365 for Sales Enterprise license attached,
the total number of requests would be what is provided by the base license - Dynamics 365 for Customer Service.
PowerApps and Microsoft Flow capacity add-on
The PowerApps and Microsoft Flow capacity add-on allows customers to purchase additional requests which can be
assigned to any user who has a PowerApps/Microsoft Flow license as well as a Dynamics 365 license. These can also be
assigned to application, administrative, and non-interactive users.
Each capacity add-on provides an additional 10,000 requests/24 hours which can be assigned to any user. Multiple
capacity add-ons can also be assigned to the same user.

Non-licensed users/application users


The Common Data Service also provides the ability to have identities that do not require any user license to
interact with the service. There are three types of these users:
Application users
Non-interactive users
Administrative users.
Request limits are applicable to these users, as they are to licensed users. By default, since these users do not have any
licenses assigned to them, they are allocated zero requests. However, the PowerApps and Microsoft Flow capacity
add-on can be assigned to these users; this is required to enable app usage for these users.

Service protection limits currently applicable


Apart from the new daily API request limit, there are other service protection limits specific to various services
which exist currently. These limits are usually much higher when compared to the daily per user entitlements for a
24-hour period. Limits help maintain the quality of service by protecting the service from malicious or noisy
behavior that would otherwise disrupt service for all customers.
Review the following resources for information about current service protection limits for each service:
Common Data Service API request limits: applicable for Dynamics 365 for Customer Engagement apps,
PowerApps, and Microsoft Flow connecting to Common Data Service/Dynamics 365
Microsoft Flow limits: applicable for Microsoft Flow
Limits in connectors: applicable for Microsoft Flow and PowerApps

What is a Microsoft Power Platform request?


Requests in Microsoft Power Platform consist of various actions which a user makes across various products. At a
high level, the following constitute an API call:
- Connectors – all API requests to connectors from PowerApps or Microsoft Flow
- Microsoft Flow – all Microsoft Flow step actions
- Common Data Service – all CRUD operations, as well as special operations like “share” or “assign”. These can be from any client or application and using any endpoint (SOAP or REST). These include but are not limited to plug-ins, async workflows, and custom controls making the above-mentioned operations.
Note that for Common Data Service, there will be a small set of system internal operations that are excluded, like
login and logout, along with system metadata operations like getClientMetadata.
Administer Dynamics 365 for Customer Engagement
4/2/2019 • 2 minutes to read

Dynamics 365 for Customer Engagement administrators can use the Dynamics 365 admin center
(https://port.crm.dynamics.com/G/manage/index.aspx) to manage the environment and settings. Dynamics 365 for
Customer Engagement admin content is available at Administrator Guide for Dynamics 365 for Customer
Engagement apps.

NOTE
In some documentation, we previously referred to Dynamics 365 (online) when we were talking more specifically about
Dynamics 365 for Customer Engagement applications (apps). We have changed this in our current documentation so that it’s
clear when we are referring to the collection of apps that include Sales, Customer Service, Marketing, Field Service, Project
Service Automation, and their related services rather than the whole Dynamics 365 product family of applications and
services, which includes Finance and Operations, Talent, Retail, and Business Central. You may still see “Dynamics 365 (online)”
in some user interfaces (UI). Those strings refer to Dynamics 365 for Customer Engagement apps.

The content from the Customer Engagement admin guide is transitioning to the Power Platform admin guide as
settings and features migrate to the Power Platform Admin center. Until the move to the Power Platform Admin
center is complete, you’ll still be able to manage settings in Customer Engagement as usual.
For example, many of these admin settings in the Dynamics 365 for Customer Engagement web client...

...are moving here.

Use links on this page to manage organization-wide settings. App-specific settings will remain in the Dynamics 365
for Customer Engagement apps, and will be accessed through the respective app settings. More information about
managing environment settings in the Power Platform Admin center: Manage environment settings
See also
Reference: Use the various admin centers
Administer PowerApps
6/26/2019 • 2 minutes to read

PowerApps administrators can use the PowerApps Admin center (admin.powerapps.com) and the Power Platform
Admin center to manage environments and settings for PowerApps.
Features from the PowerApps Admin center are being moved to the Power Platform Admin center. Until the move
to the Power Platform Admin center is complete, you’ll still be able to manage environments and settings in
PowerApps Admin center as usual.
Start here:
PowerApps Platform overview
What's the role of a PowerApps administrator?
See also
Reference: Use the various admin centers
Reference: Videos and PowerPoint presentations
Get Help + Support
8/14/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


Admins can use the Help + support experience in the Power Platform Admin center to get self-help solutions
in real-time for their issue. If the issue can't be resolved through self-help, you can use the same Help + support
experience to contact a Microsoft support representative.
An example of solutions provided for Dynamics 365 App for Outlook issues:

Prerequisites
You have one of the following Office 365 admin roles to enter support requests:
Global
Tenant
Service
Support
Billing
For the following support plans:
Subscription Support
Enhanced Support
Professional Direct Support
Premier Support
Unified Support

NOTE
In the following cases, you might not be able to create a support request or we can't provide relevant solutions:
There is an issue with your Premier Support contract. Please contact your Technical Account Manager (TAM).
Your Support subscription has expired. Please renew.
We couldn't find your Support plan.
If you have a Premier Support plan, please contact your Technical Account Manager (TAM).
If you have a non-Premier Support plan, please verify the plan is active. For support information, see Dynamics
365 Community Forums.

View solutions or enter a support request through the new support center
1. Sign in to the Power Platform Admin center with your admin credentials.
2. Select Help + support > New support request.

3. Select the product with the issue.

4. To get immediate help with your issue, fill in the rest of the information on the page, and then select See
solutions.
Based on the information you provided, you'll see a list of possible solutions to your issue. Select the
relevant solution and see if the content can successfully guide you to a fix.
5. If the guidance doesn't resolve your issue, select Create a support request and fill in the fields in the form
pages.
6. If you have a Premier support plan, select Yes for File as a Premier support request? and fill in the fields.
If you don't know your access or contract ID, please contact your service admin or Technical Account
Manager (TAM).

NOTE
For Contract ID/Password, please enter your Premier contract ID.
The Contract ID/Password defaults to the Premier contract ID. If you have changed the password when registering
online in the Premier portal, you should use the updated password instead of the contract ID.

Once you submit your request it will appear in the list of support requests.
You can check the status and edit your request on this page.

Limited Preview: Report outage


We're rolling out a new Preview feature to a limited set of customers to try out. If you're experiencing a service
outage, we want your support request to get more timely review and action. Select the Report outage link to
report the outage. If you don't see this link, don't worry! We'll be bringing this feature to all customers in the
future.

Fill out the pages and then submit to have your support request receive an expedited review.
We'd love to know your thoughts on the new outage reporting process. Or, if you'd like to be considered for this
limited Preview, please fill out this form.
Dynamics 365 support overview
7/16/2019 • 19 minutes to read

About Dynamics 365 Support


Where is Dynamics 365 support available?
Support is available in markets where Dynamics 365 Online services are offered. Some specific services might not
be covered in all regions immediately after general availability (GA).
For which languages does Microsoft provide support?
Microsoft provides support in English globally and provides additional languages within certain regions. These
additional languages include: Japanese, Spanish, French, German, Italian, Portuguese, Traditional Chinese, and
Simplified Chinese.

ENGLISH | JAPANESE | SPANISH, FRENCH, GERMAN, ITALIAN, PORTUGUESE | TRADITIONAL CHINESE, SIMPLIFIED CHINESE
* Provided globally all day, every day | * Provided to customers in Japan all day, every day | Available to customers in Europe/Middle East/Africa regions during those regions' business hours. Spanish/Portuguese available to customers in South America during that region’s business hours | Available to customers in Asia/Pacific region during that region’s business hours

*24/7 (all day, every day) support is available based on issue severity and your support offering.

NOTE
Translation services might be available to assist with additional languages outside normal business hours.

Do I get 24/7 support?


Microsoft provides all day, every day support for all Severity A issues and might provide all day, every day
assistance for issues of other severity based on your support offering.
For those issues that do not qualify for all day, every day support, Microsoft provides assistance during local
business hours only.
What hours are considered local business hours for support?
For most countries, business hours are from 9 AM to 5 PM weekdays (weekends and holidays excluded). For
North America, business hours are defined as 6 AM to 6 PM Pacific Time, Monday through Friday, excluding
holidays. In Japan, business hours are from 9 AM to 5:30 PM weekdays.
Do I need a support plan if I need assistance with a technical issue experienced with Dynamics 365?
Yes, you need a support plan to receive one-on-one technical support. Some Dynamics 365 Online subscriptions
include subscription support plans. You can find more information about the existing support plans at Dynamics
365 Support Plans. The following table outlines the best way to submit a new support request based on your
product or service and customer support plan. Microsoft partners should use the Partner Center portal or the
Premier support path listed in the table, as applicable.

| PRODUCT OR SERVICE | SUPPORT PLAN | SUPPORT PORTAL |
| --- | --- | --- |
| Customer Engagement and AI apps including mixed reality apps and Insights apps | Subscription (included), Professional Direct, Premier Support, Unified Support | Power Platform Admin center |
| Dynamics 365 for Finance and Operations (online and on-premises) | Subscription (included), Professional Direct, Premier Support, Unified Support | Lifecycle Services |
| Dynamics 365 Business Central | Subscription (included), Professional Direct, Premier Support, Unified Support | Support is provided through partners only. Contact your Cloud Solution Provider (CSP) for assistance. |
| Dynamics 365 on-premises (Customer Engagement, Dynamics GP) | Software Assurance, Advantage/Advantage+, Premier Support, Unified Support | Support for Business, Services Hub |

What support is included with a Dynamics 365 support plan?


We have designed our Dynamics 365 support plans to meet different business needs. All support plans provide
access to Technical Support for break-fix issues. Higher tiers of support plans offer Technical Support on an all
day, every day basis, faster initial response times and access to Advisory Support, and other benefits. You can
find more information about the existing support plans at Dynamics 365 Support Plans.
Dynamics 365 is covered by the Subscription, Professional Direct, Premier, and Unified support plans.
What is a break-fix issue?
Break-fix issues are technical problems you experience while using Dynamics 365 services. “Break-fix” is an
industry term that refers to “work involved in supporting a technology when it fails in the normal course of its
function, which requires intervention by a support organization to be restored to working order.”
How functionality works is not considered a break-fix issue but is more closely related to training. These “how-to”
questions involve a transfer of knowledge and can often be answered by reviewing product documentation,
raising a question in online community forums, or contacting a knowledgeable individual such as a partner.
While there might be some elements of knowledge transfer involved in solving a break-fix issue, in general,
assisted training is not included in Dynamics 365 support plans.
How does Professional Direct Limited Advisory support compare to Premier Advisory support?
Professional Direct (ProDirect) Limited Advisory support provides you access to Dynamics 365 Support guidance
based on (1) publicly available, best practices documentation regarding Dynamics 365 and (2) information from
the Dynamics 365 Forums. ProDirect advisors offer you support based on their access to Microsoft
documentation, to the Dynamics 365 support engineers, and also to the Dynamics 365 product group. Best
practices guidance might include:
Planning for deployments and migrations.
Boosting performance.
Improving reliability and recoverability.
Enhancing security.
ProDirect, however, is more limited than Premier Advisory Support. ProDirect advisors do not provide detailed
advisory assistance specific to an individual customer, such as design, architecture, or code reviews; detailed
instructions for application or configuration tuning (for example, performance tuning); or the verification of
specifications. ProDirect does not provide onsite support or engage in implementation activities such as, but not
limited to, coding or configuration for customer development or deployment on Dynamics 365.
What is a preview (beta) service or feature?
Microsoft may provide access to Dynamics 365 preview, beta, or other prerelease features, services, software, or
regions, to obtain feedback and for evaluation purposes. There are many different kinds of preview services and
features for Dynamics 365, with service availability and program access being the biggest differentiators:
Public Preview: Made available to Dynamics 365 subscribers through the Dynamics 365 admin center, these
services are intended to give subscribers an early look into what is coming and a chance to test upcoming
services and features.
Private Preview: Provided only to a small subset of customers, in direct contact with the Dynamics 365
engineering teams, focused on direct and constant feedback during the development phase of a service.
Limited Preview: A fixed and limited number of customers can have access to this preview program, and once
a maximum threshold is met, no more users are allowed into the program.
When Microsoft offers you early access to Dynamics 365 preview services and features, these preview services and
features are subject to reduced or different service terms as set forth in your service agreement and the preview
supplemental terms. Preview services and features are provided “as-is,” “with all faults,” and “as available,” and are
excluded from the Service SLAs or any Limited Warranties provided by Microsoft for Dynamics 365 Services
released to general availability (GA), and are made available to you on the condition that you agree to these terms
of use, which supplement your agreement governing use of Dynamics 365.
Do Dynamics 365 support plans cover preview (beta) services or features?
Support for Dynamics 365 services and features is provided only for “generally available” programs—see the
previous question. Public preview and/or beta services may be supported through our forums or other
channels.
Any technical support for a public preview service or feature is limited to break-fix scenarios and is available
only in English with no 24/7 support available.

Using Dynamics 365 Support


How do I contact Dynamics 365 Support?
You get easy access to Dynamics 365 Support by selecting the portal from the following table that matches the
product for which you need assistance. Microsoft partners should use the Partner Center portal or the Premier
support path listed in the table, as applicable.

| SERVICE | SUPPORT PORTAL |
| --- | --- |
| Customer Engagement and AI apps including mixed reality apps and Insights apps | Power Platform Admin center |
| Dynamics 365 for Finance and Operations (online and on-premises) | Lifecycle Services |
| Dynamics 365 Business Central | Support is provided through partners only. Contact your Cloud Solution Provider (CSP) for assistance. |
| Dynamics 365 on-premises (Customer Engagement, Dynamics GP) | Support for Business or Premier Support |

Why is submitting a request online the preferred method of contacting Dynamics 365 Support?
Submitting support requests online allows us to deliver fast and deep technical expertise in the most effective and
efficient manner possible. Due to the detailed nature of the requests, it is much easier to provide relevant
information online, compared to reading this information over the phone. This model also eliminates unproductive
hold time and provides instead a simple, intuitive online process. As a result, customer problems are routed more
quickly, to the most qualified engineer.
Is there a phone number I can call to contact Dynamics 365 Support?
Contacting Dynamics 365 Support over the phone will not speed up the processing of your request, and you will
get a much better and faster experience by contacting support via the correct support portals listed earlier in this
topic. If you cannot submit a request online, you can find a local support number from our list of regional Global
Customer Service Centers.
How do I submit a support request?
Access to technical support is provided through one of the support plans included with Dynamics 365 or
through one of the premium support plans. Submit a technical support request from the correct support portal
for the product or service for which you need assistance (see the table earlier in this topic). To begin the
support-request submission process:
From the Power Platform Admin center, select Help + support from the left navigation pane and then New
support request from the top navigation.
From the Lifecycle Services portal, choose a project, select Support from the option list, and then select
Submit an incident.
From Support for Business, select the Dynamics 365 product family followed by the specific Dynamics 365
product or service for which you need help.
From the Premier Portal, select New support request from the Support requests page navigation, enter your
access ID and password or select your associated access ID, and proceed with your submission.
Access to subscription management and billing support is included with your Dynamics 365 Online
subscription. To open a Billing and Subscription Management support request, sign in to the Microsoft 365
Portal, select the Admin app, and select the Support – New Support Request option from the left navigation.
This provides access to the Need Help? pane, where you can type your Subscription Management question. If
the recommended articles do not address your issue, select the Contact Support link at the bottom of the
Need Help? pane and provide the additional information needed to submit the support request.
How do I submit a support request if I cannot sign in to the Dynamics 365 support portal for my product or
service?
If you cannot submit a support request online, you can find a local support phone number from our list of regional
Global Customer Service Centers.
How do I get support if I don’t have a Dynamics 365 subscription yet, and I get an error message while creating
one?
You can open a Subscription Management support request through the Microsoft 365 Admin Portal, as long as
you have tenant administrator sign-in credentials to the portal. To open a Subscription Management support
request, sign in to the Microsoft 365 Admin Portal, select the Admin app, and select the Support – New Support
Request option from the left navigation. This provides access to the Need Help? pane, where you can type your
Subscription Management question. If the recommended articles do not address your issue, select the Contact
Support link at the bottom of the Need Help? pane, and provide the additional information needed to submit the
support request.
Who can submit a support request?
Any users with the tenant admin roles on the tenant containing the Dynamics 365 subscriptions can submit a
support request. End users are not enabled for opening a support request and will need to have their permissions
elevated within the tenant to accomplish this task. There is no alternative to this experience.
How do I authorize another person to submit support requests for a particular Dynamics 365 subscription?
To grant permission, you must have a tenant administrator role on the tenant that contains the Dynamics 365
subscription. Assign the Service Administrator role to all users who want to create and manage support requests
for that given tenant but do not require other permissions. Learn more about role assignments in the portal.
I am developing applications on behalf of my client or assisting my client who is running Dynamics 365. How do I
get support?
You can get support from Dynamics 365 in two ways:
Being an administrator of your customer’s tenant, you can use or purchase a Dynamics 365 Support plan for
that account, as any subscription you own under the same account is covered by the same support plan. You can
also use your Partner benefits (for example, Advanced Support for Partners or Microsoft Partner Network
Support) to submit a support request.
Get support using your customer’s account. To do so, the Partner (you) must have administrator or owner
privileges to the customer’s subscription, most often through being a Delegated Administrator on the tenant.
The Partner can then use the customer’s subscription, or the Partner can use their Dynamics 365 Support
Benefits (for example, Advanced Support for Partners or Microsoft Partner Network Support) to submit a
support request.
What is Initial Response Time, and how quickly can I expect to hear back from someone after submitting my
support request?
Initial Response Time is the period from when you submit your support request to when a Microsoft Support
Engineer contacts you and starts working on your support request. The Initial Response Time varies with both the
support plan and the Business Impact of the request (also known as Severity). Initial Response Times are calculated
using business-hours support for subscription-based support. Elevated support plans will contain non–business
hours response times.

| SEVERITY LEVEL | CUSTOMER’S SITUATION | INITIAL RESPONSE TIME |
| --- | --- | --- |
| Critical | Critical business impact. Customer’s business has significant loss or degradation of services and requires immediate attention. | Unified Core/Advanced: < 1 hour, 24/7; Unified Performance: < 30 minutes, 24/7 |
| Severity A | Critical business impact. Customer’s business has significant loss or degradation of services and requires immediate attention. | Subscription: < 1 hour, 24/7; ProDirect: < 1 hour, 24/7; Premier: < 1 hour, 24/7 |
| Severity B | Moderate business impact. Customer’s business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner. | Subscription: < 4 hours; ProDirect: < 2 hours; Premier: < 2 hours, 24/7 |
| Standard | Standard business impact. Customer’s business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner. | Unified Core: < 8 hours, 24/7; Unified Advanced/Performance: < 4 hours, 24/7 |
| Severity C | Minimum business impact. Customer’s business is functioning with minor impediments of services. | Subscription: < 8 hours; ProDirect: < 4 hours; Premier: < 4 hours |

How quickly will you resolve my support request?


Microsoft is committed to assist you in resolving your issue as soon as possible. Sometimes that means focusing
efforts on reducing the business impact and mitigating any negative impact to your operation, before moving to a
full solution. Therefore, we make a commitment to Initial Response Time and working with you until the impact of
your issue is mitigated, having no direct SLA for support request resolution. The time it takes to troubleshoot and
resolve a support request varies greatly based on the specifics of the issue. We will work with you to get the issue
resolved as fast as possible. This applies to all levels of support.
I’m running a non-Microsoft technology with Dynamics 365 or a custom application built using Open Source
Software (OSS). Does my plan support it?
Microsoft offers customers the ability to run non-Microsoft technologies along with Dynamics 365. For all
scenarios that are eligible for support through a Dynamics 365 Support plan, Microsoft Support will help in
isolating the issue between the Dynamics 365 instance and your custom application.
Full technical support will be provided if the issue is determined to be caused by a Dynamics 365 service or
platform. Commercially reasonable support will be provided to all other scenarios. When an adequate solution
to your issue is not achieved, you might be referred to other support channels that are available for the non-
Microsoft software.
How do I get support during an outage or Service Interruption Event (SIE)?
View the service health in Office 365 at a glance. You can also check out more details and the service health
history.
Use Message center in Office 365 to keep track of upcoming changes to features and services. We post
announcements there with information that helps you plan for changes and understand how they might affect
users.
Finally, if service health and Message center do not show any active or recent service issues, contact support
using your technical support plan.
Which support plan do I need in order to request a Root-Cause Analysis (RCA)?
Dynamics 365 technical support does not conduct RCAs as part of any support experience. If any RCA is
conducted, the Dynamics 365 engineering team will conduct the RCA. RCAs are only provided to published
service-related incidents when multiple customers or services are not available. Any RCA created will be published
through the Microsoft 365 Message center and will not be emailed directly to tenant admins. These published
RCAs are only available in English. Any other request for an RCA to a specific scenario impacting your tenant will
not be honored by the engineering team.

Purchasing and billing


How do I purchase Dynamics 365 Support?
Dynamics 365 Support plans may be purchased either online or through an Enterprise Agreement. The
Professional Direct support plan is available online through the Microsoft 365 Admin Center. You must be the
Dynamics 365 tenant administrator or owner to purchase a support plan.
If you purchase Dynamics 365 through an Enterprise Agreement (EA), you can add a Professional Direct
support plan to your Enterprise Agreement by contacting your Large Account Reseller (LAR).
When will I be billed for Dynamics 365 Support?
When you purchase a Dynamics 365 Support plan online, you will be charged immediately for the first month. You
will be charged the monthly amount on the first day of each subsequent billing cycle. Enterprise Agreement (EA)
purchases will follow the agreement billing cycle.
What happens at the end of the term?
At the end of your term, your plan will automatically renew to the same Dynamics 365 Support plan, using the
same payment method.
How do I change or cancel my Dynamics 365 Support plan?
Manage your support plan subscriptions through the Microsoft 365 Admin Portal.
To change your support plan, first cancel your existing support plan, and then purchase a new support plan.
To cancel your support plan, select the support plan subscription that you want to cancel, and then select
Cancel subscription. Learn more by reviewing this article.
If you still have questions, open a new support request with the Billing team in the Microsoft 365 Admin Portal.
Dynamics 365 Support requires commitment for the duration of the subscription term. Cancellation will not result
in a prorated refund.

Dynamics 365 Support for Enterprise Agreement (EA)


How do I purchase a Dynamics 365 Support plan under an Enterprise Agreement?
Enterprise Agreement (EA) customers can purchase Dynamics 365 ProDirect and Premier technical support
through their reseller.
How do I upgrade to a higher-tier Dynamics 365 Support plan?
Enterprise Agreement (EA) customers can purchase an upgrade to move from Subscription to Professional Direct,
where available. To purchase the upgrade, contact your Large Account Reseller (LAR).
I have multiple EA enrollments. Do I need a support plan for each EA enrollment?
Yes, each EA enrollment requires a separate support plan. If you have one Dynamics 365 Support plan and
multiple EA enrollments, then support is only covered under the enrollment the support plan is tied to. Please note
that if you have multiple Dynamics 365 subscriptions under a single EA enrollment with a support plan, then all
those subscriptions will have access to Technical Support.

Dynamics 365 Support for Premier


How do I submit a Dynamics 365 support request using my Premier contract?
Power Platform Admin center (PPAC) and the Lifecycle Services (LCS) are designed to recognize and entitle
Premier and Unified Access IDs.
In PPAC: You can link your Premier contract to your Dynamics 365 account by entering your Premier Access ID
and Contract ID information in the Power Platform Admin center, which you can do by selecting Help + Support
and turning on the Premier support toggle in the new incident submission experience. This is a one-time process,
and your Premier contract information will be saved with your Dynamics 365 account, being accessible from all
subscriptions where you have Owner/Administrator privileges.
In LCS: You can link your Premier contract to your Dynamics 365 account by selecting a project within LCS. Select
the Support option from the drop-down menu, and then select Manage Contracts. This is a one-time process,
and your Premier contract information will be saved for use with any support incident you create in LCS.
Contact your Technical Account Manager (TAM) if you don’t have your access ID and contract ID information.
Although Premier customers can continue to use the Microsoft Premier Online portal or phone channels to submit
a support request, using the Power Platform Admin center or Lifecycle Services has a number of significant
advantages, including:
Self-help content to find answers to known issues quickly.
Faster resolution, thanks to a Dynamics 365–specific submission experience.
Ability to create Severity A/1 cases online.
Providing you with in-context help regarding the issue you’re facing.
How do I purchase a Premier support contract?
To purchase Premier support, you should contact your Microsoft Account Manager. If you are not sure who to
contact, please submit a request through the Premier contact form.
What if I already have a Premier contract, and I want to learn more about how to get the most from it?
Contact your Technical Account Manager (TAM) to discuss options for best using your existing Premier support
agreement or rightsizing your Premier agreement to better suit your Dynamics 365 needs. You can find your
TAM’s name and contact information on the Microsoft Premier Online portal.
Can Partners use the Premier Support for Partner (PSfP) contract for Dynamics 365 Support?
Yes, Partners with Premier Support for Partners (PSfP) contracts are able to use their benefits to get Dynamics 365
Support for their internal needs, as well as to assist their customers, as long as the Partner has been delegated
admin/owner access to their customer’s Dynamics 365 subscription. See the FAQ earlier in this section on how to
submit a support request using your Premier contract.

Dynamics 365 Support for Partner


I have a Microsoft plan (such as MSDN, BizSpark or TechNet) that includes as a benefit a number of technical
support requests. Can I use those for Dynamics 365 on-premises technical support?
Yes, if you are eligible for these benefits and have activated your support access on the Visual Studio subscription
portal. If you have these benefits, then from New support request, select Add contract under the Support Plan –
Add or purchase a support plan step, and enter your access ID and contract ID information to proceed.
PowerApps Platform overview
4/19/2019 • 4 minutes to read

[This topic is pre-release documentation and is subject to change.]


The PowerApps platform is part of the larger Microsoft Power Platform that also includes Power BI and Microsoft
Flow, leveraging the common infrastructure of the Common Data Service and Data Connectors. These capabilities
are built on and leverage Microsoft Azure cloud services. Applications built on the PowerApps platform can also
include Azure cloud services to scale from individual productivity to enterprise mission critical line of business
applications.

PowerApps includes several key concepts/components:

| COMPONENT | DESCRIPTION |
| --- | --- |
| PowerApps applications | These are the applications that users interact with on their desktop or mobile devices. There are two styles of applications: Canvas and Model-driven. PowerApps Canvas applications can also be embedded into SharePoint, Teams, Power BI and Dynamics 365 applications. |
| Microsoft Flow | Automated workflows that orchestrate across services using connectors. Flows can be triggered to run when events occur in other systems and services or scheduled to run at a specific time. Users can also interact with Flows in the mobile app by pressing virtual buttons. |
| Common Data Service | A cloud scale datastore to manage data used by business applications. Data is stored within a set of entities. An initial schema is defined by the Common Data Model. Common Data Service provides built-in capabilities for business rules, workflows, calculated and rollup fields and more. |
| Common Data Model | An open-sourced definition of standard entities that represent commonly used concepts and activities. Every Common Data Service database starts with the entities defined as “core”. Application builders can add their own custom entities to support specific business scenarios. |
| Connectors | There are 200+ connectors that make it easy for application builders to connect to both Microsoft and 3rd party services, from Dynamics 365 to Dropbox. The connectors allow Canvas Apps and Flows to easily use API (application programming interfaces) services without any developer knowledge. Custom connectors can also be configured to allow use of APIs that aren’t covered by the public connectors. |
| On-premises Gateways | On-premises gateway allows PowerApps and Flow to reach back to on-premise resources to support hybrid integration scenarios. The gateway leverages Azure Service Bus relay technology to securely allow access to on-premise resources. |

Usage Scenarios
PowerApps is a flexible platform and can be utilized in several different types of scenarios:
Individual/Team Productivity Applications
With self-service scenarios, users are empowered to take their own ideas of how they can optimize what they do
every day and express them in the form of a PowerApps app or Microsoft Flow automation. These assets can be
shared with other team members and, when successful, promoted to become broader enterprise assets. Previously, these
scenarios were out of reach and required high cost development resources to succeed. As an enterprise
administrator, your role is to put in place the guard rails that foster healthy individual productivity while at the same
time safeguarding sensitive business data and ensuring continuity when individuals leave your company.
Dynamics 365 Applications
These 1st party Microsoft applications are built on and therefore deployed into PowerApps environments and
utilize the Common Data Service for data storage and core platform services. These applications are the quickest
way to tackle common business scenarios like customer engagement, while still allowing tailoring to your
company’s individual requirements. Custom PowerApps apps and Flows can be built to embed into or extend
Dynamics 365 applications even further.
Apps from AppSource
In addition to Microsoft built apps, 3rd party ISVs can also build on top of the PowerApps platform and are found
via the AppSource marketplace. These apps can install into your existing environments or into their own
depending on your unique needs.
SharePoint, Outlook, Teams and Excel
PowerApps apps can also be embedded into the applications users already use. Often this increases user adoption
because they don’t have to learn a totally new application from what they are already using. PowerApps is now the
primary way to customize SharePoint Online list forms. In the past, this required higher maintenance developer
code to accomplish. As an administrator you will be enabling these experiences and ensuring users have the right
permissions and policies to interact with the applications.
Mission critical line of business applications
Using the same tools and techniques Microsoft uses to build Dynamics 365, enterprise customers can build their
own line of business applications. These differ from the individual productivity scenario above in that they often
solve broader more complex problems. These applications are also often built by dedicated teams tasked with
implementing them. The teams typically follow a more defined process for building the application. As an
enterprise administrator you will be helping them put in place the necessary Application Lifecycle Management
(ALM) to facilitate development and day to day operations.
These are the key scenarios you will encounter, but not an exhaustive list, as it is really up to the capabilities and the
creativity of your organization to determine how it leverages the platform. As an enterprise administrator, you can
choose to either be a blocking force in the way of that creativity, or an enabler. As an enabler, you will put in place
the necessary licensing, policies and processes needed to ensure success of the teams.
What's the role of a PowerApps administrator?
3/22/2019 • 2 minutes to read

Administration of PowerApps, Microsoft Flow, and Common Data Service is done through the PowerApps Admin
center.

Administration journey
The evolution of an organization adopting PowerApps, Microsoft Flow, and Common Data Service starts with the
administrator. As an administrator, you begin your journey asking how you can protect your organization's data.
What data is accessible through these services? Are there best practices to follow? What is the PowerApps security
model and how should I control access to data? Once you determine how to proceed with data access, you'll then
want to know how you can monitor and manage what users are doing with these services.
When you've figured out control and visibility, the next part of your journey takes you to deployment. Individual
users and teams can deploy apps on their own, but how do you centrally deploy solutions for your entire
organization? And how do you orchestrate updates and identify and fix issues?
The documentation in this section, which you can access from the navigation pane on the left, provides answers to
these questions and guides you on this journey.

Next steps
To get you started administering PowerApps, Microsoft Flow, and Common Data Service, check out the following
articles:
Learn how to create a data loss protection (DLP) policy.
Learn how to download a list of active users in your tenant.
Learn about environments.
Administering a PowerApps enterprise deployment
3/22/2019 • 2 minutes to read

PowerApps is a high-productivity application development platform from Microsoft. The platform is used by
Microsoft to build their own 1st party applications: Dynamics 365 for Sales, Service, Field Service, Marketing and
Talent. This means these applications are built natively on the platform. Enterprise customers can also build their
own custom line of business applications using the same technology. Individual users and teams within your
organization can also build personal or team productivity applications with no-code or low-code.
Check out the following downloadable whitepaper: Administering a PowerApps enterprise deployment
This whitepaper is targeted toward the enterprise application administrator responsible for planning, securing,
deploying, and supporting applications built on the PowerApps platform. The goal of the paper is to help you
understand what currently is in your environment, how to proactively plan for applications being developed and
deployed and finally how to handle day to day administrative tasks to manage deployments. In this whitepaper, we
will cover key concepts, platform architecture, and decisions that will be necessary. Where possible we will help you
develop best practices for your organization to ensure successful deployments and high productivity for users
using the platform.
The PowerApps platform is part of the larger Microsoft Power Platform that also includes Power BI and Microsoft
Flow, leveraging the common infrastructure of the Common Data Service and Data Connectors. These capabilities
are built on and leverage Microsoft Azure cloud services. Applications built on the PowerApps platform can also
include Azure cloud services to scale from individual productivity to enterprise mission critical line of business
applications.
Early opt-in to 2019 release wave 2
8/28/2019 • 11 minutes to read

[This topic is pre-release documentation and is subject to change.]


You can enable the features coming in the 2019 release wave 2 update by opting in to the updates in the Power
Platform Admin center. Opting in will enable all changed user experience updates for Dynamics 365 for Customer
Engagement, which will be enabled by default for everyone starting in 2019 release wave 2.

Check out the new features releasing from October 2019 through March 2020 for Dynamics 365. See Dynamics
365 release schedule and early access.

NOTE
Most of the early opt-in features are end user impacting changes. Check out the "Enabled for" column in the early access
features table to know the features that will roll out to the end users automatically in October 2019.

TIP
Check out the following video: How to enable early access to 2019 release wave 2 for Dynamics 365 Customer
Engagement.

Which environment can be used for early opt-in to 2019 release wave 2 updates?
You can enable trial and Sandbox environments for the 2019 release wave 2 release. This will allow you the
flexibility to explore features, and then adopt them across your environments at a rate that suits your business.
IMPORTANT
While you can enable a Production environment, we highly recommend that you create a copy of your Production
environment as a Sandbox environment to try out the 2019 release wave 2 updates. After enabling the 2019 release wave 2
update, it can’t be turned off. Therefore, it’s necessary to first test the updates in a Sandbox environment prior to enabling
them in a Production environment that could impact your users in the organization.
Be sure to:
- Understand the Dynamics 365: 2019 release wave 2 plan.
- Learn what features are included in the 2019 release wave 2 plan.
- Review How do I prepare for the 2019 release wave 2 update?
- Test the updates before rolling out to Production.
By activating the 2019 release wave 2 updates opt-in, you will get features and updates that are end user impacting only.
These and other changes will be enabled automatically for everyone in October 2019.

How do I enable the 2019 release wave 2 updates


Visit the Power Platform Admin center and select the environment you want to enable for the 2019 release wave 2
updates.

IMPORTANT
We highly recommend that you create a copy of your Production environment as a Sandbox environment to try out the
2019 release wave 2 updates. After enabling the 2019 release wave 2 update, it can’t be turned off. Therefore, it’s necessary
to first test the updates in a Sandbox environment prior to enabling it in a Production environment that could impact your
users in the organization.

Select Manage.

Select Update now to activate the 2019 release wave 2 updates and proceed through confirmation dialogs.
The 2019 release wave 2 update is activated for the Dynamics 365 platform, Dynamics 365 for Sales, Customer
Service, Sales Hub, Customer Service Hub, and Marketing.

NOTE
You will need to take additional steps to enable the 2019 release wave 2 updates for the Marketing app. See Enable the 2019
release wave 2 updates for Dynamics 365 for Marketing.
Current apps for which you have licenses are updated; new apps are not installed.

You can verify activation by going to Settings > About, where you'll see a screen like the following:

[Screenshots: About page in Unified Interface and in web client interface]

NOTE
You need to select About from a Customer Engagement app page that's displayed in the Unified Interface such as Sales Hub
or Customer Service Hub pages.
The server version will not be updated to the next version after activation.

What features and experiences are available in the 2019 release wave 2 update?
The 2019 release wave 2 update has three kinds of functionalities (as with any other update):
- Updates to existing user experiences that are updated automatically.
- Updates to existing user experiences that are updated by the admin and maker.
- Updates to admin and maker functionality.
By activating the 2019 release wave 2 updates opt-in, you will get updates to existing user experience only. The
exact list of features that are updates to existing user experiences is on the early access page.
The release wave 2 plan lists other features across Dynamics 365 – Sales, Service, Marketing, and PowerApps (and
platform). Features that are not updates to the existing user experience will not be part of the 2019 release wave 2
updates opt-in. They can either be new functionalities or additions to maker and admin functionality.

Check the status of the update and troubleshoot


An update can take several hours.
To check status during the update, select the environment in the Power Platform Admin center and review the
Updates section.

Use the following table to check the status of the 2019 release wave 2 update and see troubleshooting
recommendations.

| APP/PLATFORM | HOW TO IDENTIFY UPDATE SUCCESS | TROUBLESHOOT |
|---|---|---|
| Common Data Service/Platform | About page¹. Look for 2019 release wave 2 enabled | Create a support ticket. |
| Dynamics 365 for Sales | Internal Solution History page² | Updating the application might take a few hours. Wait up to 24 hours before creating a support ticket. |
| Dynamics 365 for Customer Service | About page¹. Look for 2019 release wave 2 enabled | Create a support ticket. |
| Knowledge Management | Internal Solution History page² / Application tab | Updating the application might take a few hours. Wait up to 24 hours before creating a support ticket. |
| Field Service | Internal Solution History page² / Application tab | Updating the application might take a few hours. Wait up to 24 hours before creating a support ticket. |
| Marketing | Internal Solution History page¹ / Application tab | Updating the application might take a few hours. Wait up to 24 hours before creating a support ticket. |

¹ Select Settings > About.

² Select an environment, select Open environment > Settings > Solutions > All Solutions - Internal. Find the
app in the Display Name column and then check the version number with the following table.

| DISPLAY NAME | VERSION NUMBER |
|---|---|
| Dynamics 365 Sales Application | 9.0.1907.4Yxx, Y is greater than or equal to 5 |
| Knowledge Management Features | 9.0.1.8xx or 9.0.1.9xx |
| Field Service | 8.8.5.1Y, Y is greater than or equal to 0 |
| Dynamics 365 for Marketing | Check back for information |
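
The version check described above can be scripted once the Display Name and version columns have been copied out of the solutions list. The following is an added example, not part of the original documentation or of any Microsoft tooling; the function names and sample rows are constructed, and it assumes each "x" and "Y" in the table stands for exactly one decimal digit.

```python
import re

# Version templates transcribed from the table above. "x" is any digit and
# "Y" is a digit with the minimum the table states (None when no Y is used).
# Assumption: each "x" and "Y" stands for exactly one decimal digit.
EXPECTED = {
    "Dynamics 365 Sales Application": [("9.0.1907.4Yxx", 5)],
    "Knowledge Management Features": [("9.0.1.8xx", None), ("9.0.1.9xx", None)],
    "Field Service": [("8.8.5.1Y", 0)],
    # "Dynamics 365 for Marketing" has no published pattern
    # ("Check back for information"), so it is reported as unknown.
}


def template_to_regex(template):
    """Translate a table template such as '9.0.1907.4Yxx' into a compiled regex."""
    parts = []
    for ch in template:
        if ch == "x":
            parts.append(r"[0-9]")
        elif ch == "Y":
            parts.append(r"(?P<y>[0-9])")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def check_version(display_name, version):
    """Return 'updated', 'not updated', or 'unknown' for one solution row."""
    templates = EXPECTED.get(display_name)
    if templates is None:
        return "unknown"
    for template, y_min in templates:
        match = template_to_regex(template).fullmatch(version.strip())
        if match and (y_min is None or int(match.group("y")) >= y_min):
            return "updated"
    return "not updated"


def audit(rows):
    """Check (display name, version) pairs copied from All Solutions - Internal."""
    return [(name, version, check_version(name, version)) for name, version in rows]


# Constructed sample rows, not taken from a real environment.
SAMPLE_ROWS = [
    ("Dynamics 365 Sales Application", "9.0.1907.4512"),
    ("Dynamics 365 Sales Application", "9.0.1907.4312"),
    ("Knowledge Management Features", "9.0.1.905"),
    ("Field Service", "8.8.5.13"),
    ("Field Service", "8.8.4.19"),
    ("Dynamics 365 for Marketing", "1.0.0.0"),
]

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_ROWS):
        print(f"{name:35} {version:15} {status}")
```

A row reported as "not updated" within the first 24 hours is expected while the application update is still running.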

Enable the 2019 release wave 2 updates for Dynamics 365 for Marketing
To enable 2019 release wave 2 early access features for Dynamics 365 for Marketing:
1. Opt in for early access on the environment where your Marketing instance is running, as described in How do I
enable the 2019 release wave 2 updates.
2. Run the Marketing setup wizard to update your instance to the August 2019 release. This will install both the
August 2019 Production update and the early-access features when you run it on an environment where early
access is enabled. For instructions, see Re-run the Marketing setup wizard.

NOTE
If you update your Marketing app to the August 2019 release before opting in for early access, then you must re-run the
Marketing setup wizard after opting in to install and enable the early access features.

For an overview of early access features being offered for Marketing, plus links to detailed documentation, see the
August 2019 release announcement for Marketing.

FAQ
When will the 2019 release wave 2 features be enabled?
Starting October 5, 2019, we will enable the 2019 release wave 2 features (end user impacting only) across our
global customer base. Your environment/org will be updated during one of the maintenance windows over a
weekend, starting on the dates listed below. The specific dates that the update will occur will be published in the
Message Center, and each post will include the date, maintenance window, and a link to the Weekly Release Notes
that contain the list of optimizations, fixes, and enhancements. Each environment/org should see the new features
and build numbers by Monday morning, local time.
Here are the current schedules.
Regions

| JAPAN | SOUTH AMERICA | CANADA | INDIA | ASIA |
|---|---|---|---|---|
| Fri, Oct 11 to Sun, Oct 13 | Fri, Oct 4 to Sun, Oct 6 | Fri, Oct 4 to Sun, Oct 6 | Fri, Oct 4 to Sun, Oct 6 | Fri, Oct 11 to Sun, Oct 13 |

Regions continued

| GREAT BRITAIN | AUSTRALIA | EUROPE | NORTH AMERICA |
|---|---|---|---|
| Fri, Oct 11 to Sun, Oct 13 | Fri, Oct 11 to Sun, Oct 13 | Fri, Oct 18 to Sun, Oct 20 | Fri, Oct 25 to Sun, Oct 27 |

Other¹

| GCC | GCC HIGH | DOD |
|---|---|---|
| Fri, Nov 1 to Sun, Nov 3 | Fri, Nov 1 to Sun, Nov 3 | Fri, Nov 1 to Sun, Nov 3 |

¹ See: Dynamics 365 US Government.


On the above dates, your environments will have the 2019 release wave 2 updates automatically applied for the
Dynamics 365 platform and apps. It will not require any action from you.
For Dynamics 365 for Marketing, you need to explicitly upgrade your app in the Dynamics 365 admin center.
If you want to enable the 2019 release wave 2 features (end user impacting only) before the update reaches your
region, you can enable the updates yourself by opting in to the 2019 release wave 2 update between February 1,
2019, and the date your region will be scheduled to have the features turned on.
For the list of end user impacting features, check our Dynamics 365 features for early access.
Note: End user impacting features for the 2019 release wave 2 are targeting the Unified Interface only. Web client
environments/orgs will not be impacted by these updates.

Will the version number be updated with the 2019 release wave 2 update?
No, the version number will not change with the 2019 release wave 2 update.

Will Microsoft provide a free Sandbox environment at no charge for testing updates?
You will need to create a Sandbox environment (a copy of the Production environment), which is not provided for
free.

When will the updates be available for testing in the Sandbox environment?
The updates are available now. All you need to do is activate the 2019 release wave 2 update as described above.

Which updates will have an opt-in switch and which ones will be provided by default?
Only the existing user experience changes are provided (and enabled by default) with the 2019 release wave 2
update opt-in; the rest will be available later. Existing user experiences will not be impacted by the update, unless
the updates are not made to the existing solutions. Here are all the features and updates provided.

What is the process for reporting issues with the update?
Create a support ticket.

How do I prepare for the 2019 release wave 2 update?


The following flow chart shows the steps needed to enable the 2019 release wave 2 release in your Production
environment before it is enabled by default in 2019 release wave 2. The table that follows the flow chart
provides information about the steps.

(1) Have a Sandbox environment as a copy for the Production environment

We strongly recommend enabling the 2019 release wave 2 release first in a Sandbox environment that is a replica or copy
of the existing Production environment. This is to make sure that a customer has validated the updates in another
environment prior to impacting the current Production apps and environment.

Also, once the 2019 release wave 2 updates are enabled for an environment, they cannot be turned off like any other setting.

Create a copy of the Production environment into a Sandbox environment

If you don’t have a Sandbox copy of your Production environment, you can create a copy in the Dynamics 365
admin center.

Create a backup of the Production environment

Recommended before merging Sandbox with changes into Production.

(2) Enable the 2019 release wave 2 opt-in from the Power Platform Admin center

Starting August 2, 2019, you will be able to enable the 2019 release wave 2 release for the environment. Once enabled for
an environment, you cannot turn this off for the environment. To remove the 2019 release wave 2 updates from your
environment, you will have to reset the environment. We do not recommend doing this unless necessary. It's important to
try the 2019 release wave 2 updates in your Sandbox environment first prior to enabling them in your Production
environment.

(3) Do you have Dynamics 365 for Marketing?

If you have the Marketing app, you will need to manually enable it according to the process listed above. Dynamics 365
for Customer Engagement apps on your environment like Sales and Service will be automatically updated to the 2019
release wave 2 version once you enable the update.

(4) We recommend testing all the scenarios thoroughly in this step

If you have any Dynamics 365 for Customer Engagement apps in your environment like Sales, Service, and Marketing,
they need to be explicitly updated to the 2019 release wave 2 version.

(5) and (6) Validate the app upgrade progress. See Check status of the update and troubleshoot.

(7) Updating the Marketing app requires additional action. See Enable the 2019 release wave 2 updates for Dynamics 365 for
Marketing.

(8) and (9) Report any issues found

As you verify the experience in your preview environment, if you find any regressions, functional, or performance issues
related to the 2019 release wave 2 updates that could impact your business, report them to Microsoft by opening a support
ticket or through the Dynamics 365 forum.

(10) Enable the 2019 release wave 2 updates in your Sandbox environment

You should:
1. Update customizations to leverage or respond to new capabilities.
2. Update internal readiness materials based on new features or user experiences.
3. Prepare internal change management to run in October (training, communications, and so on).

(11) Enable the 2019 release wave 2 updates in your Production environment

We recommend enabling these updates during business downtime after you have validated that your key scenarios
work as expected. Note that once the 2019 release wave 2 update is enabled, it cannot be reversed. However, you can
restore to a prior backup version of the updated environment if needed.
Common Data Service analytics
5/22/2019 • 16 minutes to read

[This topic is pre-release documentation and is subject to change.]


We've improved how you view metrics for your organization. You no longer need to install or update a solution.
Instead, you can view Customer Data Service analytics right from the Power Platform Admin center to quickly view
adoption and user metrics for your organization.
Key highlights
- Deprecating the solution: Organization Insights, available as a preferred solution from AppSource, will no
  longer be supported or available for use in future releases.
- Deprecating Organization Insights dashboard: This dashboard will be removed from Common Data
  Service in future releases.
- Monitor adoption and use: Identify your most active users, the number and types of operations they’re
  performing, number of page requests, most-used entities, workflows, plug-ins, and more, over a period of
  time as you work toward your adoption goals.
- Manage storage and performance: Monitor storage quotas, storage use, and top tables by size to
  optimize performance.
- Troubleshoot effectively: Drill down into the details of your top failing workflows and API calls to quickly
  diagnose and troubleshoot errors.

View Common Data Service analytics


It's simple. In the Power Platform Admin center, select Analytics > Common Data Service.

Home (default)
About this dashboard
This is the default dashboard that provides information on the number of active Common Data Service users,
storage usage, the most active workflows, and more.
What's included in this dashboard
| CHART ELEMENT | DESCRIPTION |
|---|---|
| Active Users | Number of active users (unique users) who performed an operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update. |
| API Calls | Number of API calls that were made by the Customer Data Service environment for the selected time period. |
| API Pass Rate | This chart shows the API pass rate as percentage of total API calls that were made in the Customer Data Service environment over the specified time. |
| Executions | This chart shows how many plug-ins have been executed in the Customer Data Service environment over the specified time. |
| Total Operations | This chart shows how many operations (create, update, deletes, reads) have occurred in the Customer Data Service environment over the specified time. |
| Most Active Users Performing Operations | List of most active users who performed an operation that caused a Create, Update, Read, or Delete SDK call in the Dynamics 365 instance over the selected time period. |
| Top Plug-ins by Failures | This chart shows top 10 most failing plug-ins in the Customer Data Service environment over the specified time. |

Active Users

About this dashboard


Use this dashboard to find out how many Dynamics 365 users there are, how many licenses are in use, what
custom entities are used most frequently, and more.
What's included in this dashboard
| CHART ELEMENT | DESCRIPTION | CHARTID |
|---|---|---|
| Total Active Users | Total number of active users (unique users) who performed an operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update. | 4555801D-0EAF-4100-891C-DB34400AB102 |
| Most Used Entities | Ten Entities which had the most Retrieve, Retrieve Multiple, Delete, Create, and Update SDK Calls. | F6F2B9FD-FCA8-427A-9A0D-CAC619A3EE74 |
| Total Page Requests | The number of page load requests for forms, dashboards, and reports. This is the count of requests received by the Dynamics 365 server. Pages that are cached while browsing won't be counted. | D0401D82-6E7F-4B84-8D86-825D72C68EE6 |
| Total Operations | This chart shows how many operations (create, update, deletes, reads) have occurred in the Customer Data Service environment for the selected time period. | B13D7ED8-06BE-4B0E-B314-A16A84099F1E |
| Active Users Performing Specific Operations | Total number of active users (unique users) over time who performed an operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update. | 35699BD6-6E49-463D-9DC0-4E968750778F |
| Active Users | Number of active users (unique users) in your instance who performed an operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update over time. | 9725801D-0EAF-4100-891C-DB34400AB102 |
| Most Active Users Performing Operations | List of most active users (unique users) over time who performed an operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update. | B173E5EC-195E-4803-B79A-2B1C2704BCB7 |
| Most Used Custom Entities | List of custom entities which had the most Retrieve, Retrieve Multiple, Delete, Create, and Update SDK Calls. | 5FD1EF3F-64C4-429C-83BC-95F0AD44B761 |
| Most Used OOB Entities | List of out-of-box entities which had the most Retrieve, Retrieve Multiple, Delete, Create, and Update SDK Calls. | 46A47AF1-325D-4A00-9F7E-6059D5AAB722 |
| Usage Active Users by OS | The number of active users by operating system. | F37D4DEC-28E2-438A-977F-DD3F96203559 |
| Active Users by Device Type | The number of active users by device type. | 43771A31-6350-489C-AABD-F7EBB93320C4 |
| Active Users by Browser | The number of active users by browser. | 1259D071-A06D-4B3F-8D32-DCD39670F6FD |
| Active Users by Security Roles | The number of active users by security roles. | 09062EF4-4195-4256-B84B-68E9CA3C737D |
| Users by Business Unit | The number of active users by business unit. | 8B701B71-092E-4FCF-A9E3-A005EE865921 |
| Number of Creates by Entity | How many create operations are performed by the selected user in the Customer Data Service environment for the selected time period. | 3AC63F0D-4661-4F19-9B31-DB5616187A88 |
| Number of Updates by Entity | How many update operations are performed on different entities by the selected user in the Customer Data Service environment for the selected time period. | C215FC98-BF5D-4AAB-BB0A-24E9F2A4F939 |
| Number of Reads by Entity | How many read operations are performed on different entities by the selected user in the Customer Data Service environment for the selected time period. | 3DE3E899-4BCF-482B-8896-657D0C8FCAE7 |
| Number of Deletes by Entity | How many delete operations are performed on different entities by the selected user in the Customer Data Service environment for the selected time period. | 8F92215B-C55D-451F-A546-48E1456E7056 |
| Total Operations Over Time | The total operations performed by the selected user in the Customer Data Service environment over the selected time period. | 9AD78421-6D33-4463-8C17-B9C4DF52592D |
| Total Operations by Entity | The total operations performed on different entities by the selected user in the Customer Data Service environment for the selected time period. | 045F5B81-CF47-4819-A4F9-AE366565C591 |
| Active Users by Entities | Show the active users distributed over different entities (refreshed hourly) | 2C569F70-7FA8-4C2E-AFCE-E6126ED2CC52 |
| Active Users by Client | The active users distributed by client type (refreshed hourly) | 4D6F71A8-1710-4B0B-9D7A-9590BECE611C |
| Active Users Using More than One Client | The number of active users using more than one client, distributed over different client combinations (refreshed hourly) | 149EFCC8-D336-4F51-A293-E173728EC587 |

NOTE
Retrieve and RetrieveMultiple SDK calls are reported as Reads.

Update frequency
Active usage chart data is updated as follows.
| CHART | UPDATE FREQUENCY |
|---|---|
| Total Active Users | 1 hour |
| Most Used Entities | 1 hour |
| Most Active Users (Reads) | 1 hour |
| Total API Calls | 1 hour |
| Total Page Requests | 1 hour |
| Most Active Users (Changes) | 1 hour |
| Total Operations | 1 hour |
| Active Users Performing Specific Operations | 1 hour |
| Active Users | 1 hour |
| Most Active Users Performing Operations | 1 hour |
| Most Used Custom Entities | 1 hour |
| Most Used OOB Entities | 1 hour |

System Jobs
About this dashboard
Use this dashboard to monitor and troubleshoot workflows.
What's included in this dashboard
| CHART ELEMENT | DESCRIPTION | CHARTID |
|---|---|---|
| Workflow Executions | This chart shows how many workflows have been executed in the Customer Data Service environment over the specified time. | 3555801D-0EAF-4100-891C-DB34400AB102 |
| System Jobs Pass Rate | This chart shows the system job’s pass rate as percentage of system jobs that were executed in the Customer Data Service environment over the specified time. | 1355801D-0EAF-4100-891C-DB34400AB102 |
| System Jobs Throughput/Minute | This chart shows the average system jobs that have been executed per hour in the Customer Data Service environment over the specified time. | 090F51C1-7DBA-42BA-B031-FB1C0999EE28 |
| Executions and Backlog | This chart shows the number of executions and the backlog for system jobs in the Customer Data Service environment over the specified time. | 9D941442-759D-4C29-8348-ADCA2810A602 |
| Most Active Workflows | This chart shows top 10 most executed workflows in the Customer Data Service environment over the specified time. | 7128FF54-B377-4236-ACFF-EEDF696461AA |
| Top Workflows by Failures | This chart shows top 10 most failing workflows in the Customer Data Service environment over the specified time. Click on a workflow to see the failures and their number of occurrences. | 7A7C0FEE-A7BB-4C14-AF2A-76AC00350F82 |

Update frequency
System jobs chart data is updated as follows.

| CHART | UPDATE FREQUENCY |
|---|---|
| Workflow Executions | 1 hour |
| System Jobs Pass Rate | 1 hour |
| System Jobs Throughput / Hour | 1 hour |
| Most Active Workflows | 1 hour |
| System Jobs Executions and Backlog | 1 hour |
| Top Workflows by Failures | 1 hour |

Plug-ins
About this dashboard
Use this dashboard to monitor and troubleshoot plug-ins.
What's included in this dashboard
| CHART ELEMENT | DESCRIPTION | CHARTID |
|---|---|---|
| Plug-in Success Rate | This chart shows the plug-in pass rate as percentage of total plug-in executions that were executed in the Customer Data Service environment over the specified time. | 190F51C1-7DBA-42BA-B031-FB1C0999EE28 |
| Plug-in Executions | This chart shows how many plug-ins have been executed in the Customer Data Service environment over the specified time. | D48FF5C9-BFC9-4E1C-9215-E76FDBFF282E |
| Average Plug-in Execution Time | This chart shows average time taken to successfully execute a plug-in in the Customer Data Service environment over the specified time. | A4094693-8638-44B5-83B1-B7EC8C8BFFF6 |
| Most Active Plug-ins | This chart shows top 10 most executed plug-ins in the Customer Data Service environment over the specified time. | E505BCFC-5B13-4190-842C-E47622BF0A40 |
| Top Plug-ins by Failures | This chart shows top 10 most failing plug-ins in the Customer Data Service environment over the specified time. | 1193CFAC-E8CF-48E9-9A22-A56AAFC1159C |

Update frequency
Plug-ins chart data is updated as follows.

| CHART | UPDATE FREQUENCY |
|---|---|
| Plug-in Success Rate | 1 hour |
| Most Active Plug-ins | 1 hour |
| Plug-in Executions | 1 hour |
| Average Plug-in Execution Time | 1 hour |
| Top Plug-ins by Failures | 1 hour |

API Call Statistics

About this dashboard


Use this dashboard to monitor and troubleshoot API calls.
What's included in this dashboard
| CHART ELEMENT | DESCRIPTION | CHARTID |
|---|---|---|
| API Success Rate | This chart shows the API success rate as percentage of total API calls that were made in the Customer Data Service environment over the specified time. | 5555801D-0EAF-4100-891C-DB34400AB102 |
| Top API by Failures | This chart shows top 10 failing API calls in the Customer Data Service environment over the specified time. | CCB98704-6E3F-4302-AC96-0A4E286061FA |
| Total API Calls | This chart shows how many API calls have been made in total in the Customer Data Service environment over the specified time. | 9555801D-0EAF-4100-891C-DB34400AB102 |
| Most Used API | This chart shows top 10 most executed API calls in the Customer Data Service environment database. | C898F79D-D3D0-4894-B2E4-E94AC854007A |
| API Calls | This chart shows how many API calls have been made over time in the Customer Data Service environment over the specified time. | 4C7B6699-9C07-478C-9C17-AF0D17160734 |

Update frequency
API Call Statistics chart data is updated as follows.

| CHART | UPDATE FREQUENCY |
|---|---|
| API Success Rate | 1 hour |
| Top API by Failures | 1 hour |
| Most Used API | 1 hour |
| Total API Calls | 1 hour |
| API Calls | 1 hour |

Mailbox Usage
About this dashboard
Use this dashboard to monitor email mailbox usage.
What's included in this dashboard
| CHART ELEMENT | DESCRIPTION | CHARTID |
|---|---|---|
| Mailbox Details by GEO | This chart shows mailbox details like: the number of server-side synch configured mailboxes; the number of server-side synch enabled mailboxes; the number of server-side synch Appointments, Contacts, and Tasks enabled mailboxes; the number of server-side synch incoming enabled mailboxes; the number of server-side synch outgoing enabled mailboxes categorized by the geo location the mailbox is hosted in | F90E2120-58B6-4D8B-B913-ADABE7EA4833 |
| Mailboxes by Server Type | This chart shows the mailbox distribution by server type. | AFBB2C1B-6405-4D6C-8D21-D808F796405A |
| Active Email Server Profiles by Geo | This chart shows active server-side synch enabled mailboxes distributed over the geo location they are hosted in. | AE33B341-752B-4AC3-98F7-FC11EA8B5DE5 |
| Mailboxes by Exchange Configuration | This chart shows the number of mailboxes categorized by their Exchange configuration. | 1AF79B4C-0F75-403B-973A-573E0FDF775E |
| Number of Mailbox Configuration Errors | This chart shows the number of mailboxes configuration errors which occurred over the user-selected time frame. | DDFE9E31-41D9-4453-87EE-87A5C6D124F6 |
| Mailbox Usage | This chart shows the number of server-side synch mailboxes over the time range selected by the user. | 9E5E51CE-9C47-40E4-9862-B8D17D58E0EC |
| Number of Outlook Mailboxes | This chart shows the number of Outlook mailboxes configured for the organization. | BE94BA93-637E-4DEA-B8C6-50DFE57846B6 |
| Number of Active Email Server Profiles | This chart shows the number of active email server profiles for the time range configured by the user. | 522D6D36-FDFE-4CF4-9086-93BAA8628425 |

Update frequency
Mailbox Usage chart data is updated as follows.

| CHART | UPDATE FREQUENCY |
|---|---|
| Mailbox Details by Geo | 30 minutes average |
| Active Email Server Profiles by Geo | 5 minutes average |
| Mailboxes by Server Type | 5 minutes average |
| Mailbox Usage | 5 minutes average |
| Number of Mailbox Configuration Errors | 30 minutes average |
| Number of Active Email Server Profiles | 5 minutes average |
| Number of Outlook Mailboxes | 15 minutes average |
| Mailboxes by Exchange Configuration | 5 minutes average |

Storage
For storage information, see Preview: Common Data Service storage capacity.

Download
About this command
Use this command to download the data selected for the date range selected as an Excel spreadsheet.
What's included
| DOWNLOAD | DESCRIPTION |
|---|---|
| Most Active Users Performing Operations | List of most active users (unique users) over time who performed an operation that caused one of these SDK calls: Retrieve, Retrieve Multiple, Delete, Create, and Update. |
| Most Used Custom Entities | List of custom entities which had the most Retrieve, Retrieve Multiple, Delete, Create, and Update SDK Calls. |
| Most Used OOB Entities | List of out-of-box entities which had the most Retrieve, Retrieve Multiple, Delete, Create, and Update SDK Calls. |
| Active Users by Device Type | List of active users by device type used to access Dynamics 365 (refreshed hourly) |
| Active Users by Business Unit | List of active users by their business unit (refreshed hourly) |
| Active Users by Security Role | List of active users by their security roles (refreshed hourly) |
| Active Users by Client | List of active users, by client type used to access Dynamics 365 (refreshed hourly) |
| Active Users by Entities | List of active users distributed by entity (refreshed hourly) |

Update frequency
Download chart data is updated as follows.
| CHART | UPDATE FREQUENCY |
|---|---|
| Most Active Users Performing Operations | 1 hour |
| Most Used Custom Entities | 1 hour |
| Most Used OOB Entities | 1 hour |

View data for different time ranges


You can adjust the time range for the data presented in the dashboard charts. After selecting the From and To
range, click the Play button to refresh your data.

Consider the following about the Customer Data Service analytics calendar:
- The Calendar control is not available for the Storage dashboard and not applicable to any storage related
  chart as only the latest information is shown for those charts.
- Default time range is shown for the past 48 hours.
- Data is only shown for the applied time range.
- Data is available from the time of release of the solution in AppSource, and will be retained for 30 days.
- Data is shown for time series at an hourly aggregation interval.
- The data shown for an hourly aggregation interval represents the whole hour. For example, if the number of
  active users at 2:00 PM is 5, there were 5 active users between 1:00 and 2:00 PM.
Admin Analytics for Microsoft Flow
5/25/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


Environment admins can access analytics for Microsoft Flow in the Power Platform Admin center. The reports
provide insights into runs, usage, errors, types of flows created, shared flows, and details on connectors associated
with flows.
To access these reports:
1. Go to the navigation bar on the left side.
2. Select Analytics.
3. Select Microsoft Flow.
4. View the reports on the right side.

Data storage
When a user creates an environment in a region, the environment is hosted in that region. All data for that
environment resides within that region for a maximum period of 28 days.
The data refresh cycle is about 3 hours and you can find the last refresh time at the top right corner of the page.

Available reports
The preview contains 6 reports with multiple KPIs in each report. By default, you see reports for the last viewed
environment.

Runs report
By default, you see the Runs report. It provides a view into the daily, weekly, and monthly run data of all flows in an
environment.
Usage report
This report provides insights into the different types of flows in use, the trends, and the flow creator's names.
Created report
This report provides insights into the types of flows created, trends, and details like the created date and the
creator's email address.

Error report
This report provides insights into recurring error types and details like the error count, creator's email address, and
last occurred time for each flow.
Shared report
This report provides details on the flows shared and trends in the environment.

Connectors report
This report provides details on connectors and their associated flows. Metrics like the number of calls from each
flow per connector, flow runs, and the flow creator's email address are available for both standard and custom
connectors.

Download reports
The reports are built with Power BI. Users can select the ellipsis (…) for a KPI and then select Export data.

View reports in other environments


To view reports in another environment:
1. Select Change Filters.
2. Select the new environment from the Environment list and optionally, select a Time Period.
3. Select Apply.
Admin Analytics for PowerApps
4/2/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


A preview of analytics for environment admins is available in the Power Platform Admin center. The admin reports
provide a view into environment-level usage, errors, and service performance to drive governance and change
management services to users. To view reports, expand Analytics in the Power Platform Admin center menu, and
then select PowerApps.

Where is my data stored?


When a user first creates an environment from a region, the environment is always hosted in that region. The data
is stored only in the region that an environment is hosted in. Data is stored for a maximum of 28 days. The data
refresh cycle is about 3 hours and the last refresh time in UTC time standard is displayed on the upper-right corner
of the page.

What are the available reports?


The preview contains four reports for PowerApps admins. The last viewed environment is selected by default.
Usage report is the default report seen by the logged-in environment admin. It provides total app launches and
daily active users across all apps in the environment. Admins can filter the view with attributes like device platform,
player version, country, state, and city.
Location report provides a map-based view of usage. It gives an insight into regional adoption and usage trends.

Error report provides insights into the toast error trends, types, and counts per app to help drive improvements in
app quality. The toast errors are errors displayed to the end users of the app.
Service Performance report provides details of all standard and custom connectors to understand performance
bottlenecks and client versus service API issues. An environment admin will get insights into:
Connectors used in the environment.
Best and least performant service and the API service response times.
Success rates for each service to determine areas that need attention.
The 50th, 75th, and 90th percentile response times for each service.
The number of HTTP 500 error codes of connectors indicating issues around the server not responding to calls
from the client.
The number of successful connection requests.
All the service performance KPIs can be filtered with attributes like a specific service or connector, device platform,
player version, and country, state, or city to drill down into the specific API.
How can I download the reports?
The reports are built on Power BI. To download a report, select the ellipsis (…) of the specific KPI and select Export
data.

How do I change environments?


Select Change Filter or the Filter button in the upper-right corner of the page.

Select the environment and time period from the drop-down lists, and then select Apply to save the changes. All
the PowerApps analytics reports will now use this selection.
Preview: Common Data Service storage capacity
8/9/2019 • 6 minutes to read

[This topic is pre-release documentation and is subject to change.]

NOTE
For introductory licensing information on the new capacity analytics model, see PowerApps plans.

Data volume continues to grow exponentially, as businesses advance their digital transformation journey and
bring data across their organization together. Modern business applications need to support new business
scenarios, manage new data types, and help organizations with the increasing complexity of compliance mandates.
To support the growing needs of today’s organizations, data storage solutions need to evolve continuously and
provide the right solution to support expanding business needs.
We have updated our capacity analytics reporting to provide important benefits to our customers. Here is a
summary of changes in capacity analytics.
New Capacity page is available in the Power Platform Admin center.
Admins can visualize the data stored in Database, Files, and Logs.
Entitlement information is added to the report to help customers understand available capacity at the tenant
level.
Existing customers get entitlements for new types of capacity (File and Log) but are not impacted by the
licensing change until renewal.
The new capacity analytics reporting provides a single place to view your capacity data.

What has changed


In the previous storage model, you viewed information in multiple places.
Dynamics 365 Administration Center

Common Data Service analytics

About the new capacity analytics reporting


We're optimizing data management for database storage, attachments, and audit logs. There are now three types
of storage: Database, File, and Log.

Some of the benefits of this change:


Scalability with purpose-built storage management solutions
Ability to enable new business scenarios
Reduced need to free storage space
Support for a variety of data types
Additional default and full user entitlements
Flexibility to create new environments/instances

Capacity page details


Overall tab
This page provides a tenant-level view of where your organization is using storage capacity.

To view the Capacity page, select Analytics > Capacity > Overall tab in the left-side menu.

DESCRIPTION

(1) Current usage
    File: The following entities are used:
        Attachment
        AnnotationBase
    Log: The following entities are used:
        AuditBase
        PlugInTraceLogBase
    Database: All other entities are counted for your database

(2) Capacity types and sources
    Organization base: The default capacity given at the time of sign-up
    User licenses: Additional capacity added for every User License purchased
    Additional storage: Any additional storage you bought
    Total: Total storage available

(3) What's new: Used for announcements and notifications

(4) Top capacity usage, by environment: Top environments that consume the most capacity

Per environment tab


This page provides similar information as the Overall tab but with an environment-level view of where your
organization is using capacity.
Select an environment to see more detailed information on actual consumption.
NOTE
The following environments do not count against capacity and show as 0GB:
Trial
Preview
Support
Developer
Admins can select environments showing 0GB to go to the Environment Analytics page and see the actual
consumption.
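The accounting rules described for the Overall and Per environment tabs can be checked against your own table-size figures. The following is an added example, not code from the product or its documentation; the environment names, table names other than the four listed entities, and all sizes and entitlement figures are constructed.

```python
# Added example: roll table sizes up into the three capacity types using the
# rules stated on the Capacity page. All sample names and numbers are constructed.

# Entity-to-type mapping listed under "(1) Current usage".
FILE_ENTITIES = {"Attachment", "AnnotationBase"}
LOG_ENTITIES = {"AuditBase", "PlugInTraceLogBase"}
CAPACITY_TYPES = ("Database", "File", "Log")

# Environment types that count against capacity; the others show as 0GB.
COUNTED_ENV_TYPES = {"Default", "Production", "Sandbox"}
UNCOUNTED_ENV_TYPES = {"Trial", "Preview", "Support", "Developer"}


def capacity_type(entity):
    """Classify one entity (table) as File, Log, or Database."""
    if entity in FILE_ENTITIES:
        return "File"
    if entity in LOG_ENTITIES:
        return "Log"
    return "Database"  # all other entities are counted as Database


def environment_usage(tables):
    """Sum (entity, size_mb) pairs per capacity type for one environment."""
    usage = dict.fromkeys(CAPACITY_TYPES, 0)
    for entity, size_mb in tables:
        if size_mb < 0:
            raise ValueError(f"negative size for {entity!r}")
        usage[capacity_type(entity)] += size_mb
    return usage


def tenant_report(environments, entitlement):
    """Return tenant-level usage vs. entitlement and a per-environment view.

    entitlement maps each capacity type to its sources
    (Organization base, User licenses, Additional storage); Total is their sum.
    """
    used = dict.fromkeys(CAPACITY_TYPES, 0)
    per_environment = []
    for env in environments:
        env_type = env["type"]
        if env_type not in COUNTED_ENV_TYPES | UNCOUNTED_ENV_TYPES:
            raise ValueError(f"unknown environment type: {env_type!r}")
        actual = environment_usage(env["tables"])
        # Uncounted environments report 0 against capacity, but their actual
        # consumption is still worth reviewing.
        if env_type in COUNTED_ENV_TYPES:
            counted = dict(actual)
        else:
            counted = dict.fromkeys(CAPACITY_TYPES, 0)
        for kind in CAPACITY_TYPES:
            used[kind] += counted[kind]
        per_environment.append(
            {"name": env["name"], "type": env_type,
             "actual": actual, "counted": counted})

    by_type = {}
    for kind in CAPACITY_TYPES:
        total = sum(entitlement[kind].values())
        by_type[kind] = {"used": used[kind], "total": total,
                         "over_by": max(0, used[kind] - total)}
    # "Top capacity usage, by environment": largest counted consumers first.
    per_environment.sort(key=lambda e: sum(e["counted"].values()), reverse=True)
    return {"by_type": by_type, "per_environment": per_environment}


# Constructed sample input (sizes in MB).
SAMPLE_ENVIRONMENTS = [
    {"name": "Contoso (default)", "type": "Default",
     "tables": [("AccountBase", 1200), ("Attachment", 800), ("AuditBase", 300)]},
    {"name": "Sales Prod", "type": "Production",
     "tables": [("ContactBase", 5200), ("AnnotationBase", 2600),
                ("AuditBase", 1500), ("PlugInTraceLogBase", 700)]},
    {"name": "Sales Trial", "type": "Trial",
     "tables": [("ContactBase", 900), ("Attachment", 400)]},
]
SAMPLE_ENTITLEMENT = {
    "Database": {"Organization base": 5120, "User licenses": 500, "Additional storage": 0},
    "File": {"Organization base": 2048, "User licenses": 1024, "Additional storage": 1024},
    "Log": {"Organization base": 2048, "User licenses": 0, "Additional storage": 0},
}

if __name__ == "__main__":
    report = tenant_report(SAMPLE_ENVIRONMENTS, SAMPLE_ENTITLEMENT)
    for kind, row in report["by_type"].items():
        print(kind, row)
    for env in report["per_environment"]:
        print(env["name"], env["type"], env["counted"], env["actual"])
```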

Environment capacity analytics


This page provides a detailed environment-level view of where your organization is using capacity, as well as
consumption for each of the three capacity types.
Details provided:
Actual Database usage
Top Database tables and their growth over time
Actual File usage
Top Files tables and their growth over time
Actual Log usage
Top tables and their growth over time
Select Applied filters at the top of the page to filter data for different time spans.
FAQ
I see the new Capacity Report, but I have not purchased the new capacity offers. How do I interpret the report?
As an existing customer, we have added File and Log capacity to your tenant automatically based on your existing
licenses. Because you are currently in an agreement under the old offers, you are not impacted. Make sure your
Database consumption is per the entitlement. You are not expected to take any action for File and Log. At renewal,
you can use this report to get the right amount of capacity for Database, File, and Log.
I just bought the new capacity-based licenses. How do I provision an environment using this model?
Until provisioning environments is available through the Power Platform Admin center, you can provision
environments through the PowerApps/Flow/Dynamics 365 Admin center. If you still need more environments,
you can contact Support. For details, check Create an environment.
I’m an existing customer and have not purchased the new offers. The capacity report indicates I’m overusing
the Database/File/Log, what should I do?
If Database, you should not exceed the available Database capacity. Please consider freeing storage space or
purchasing more storage capacity.
If File and Log, then there is no immediate action required. At renewal, you can use this report to get the right
amount of capacity for Database, File, and Log.
I’m a new customer and I recently purchased with the new offers. My usage of Database/Log/File is showing
red. What should I do?
Consider buying additional capacity using the Licensing Guide. Alternatively, you can free up storage.
Where can I read more about the new capacity offers?
Download the Licensing Guide to learn more.
I am an existing customer, will I be immediately impacted by this change?
No, there is no immediate change for existing customers as your current term will be honored for the duration of
your agreement.
I'm an existing customer with an EA agreement. Should I go buy File and Log capacity?
If you have an existing agreement, you are not impacted by the current change. We have added File and Log
capacity to your current entitlement which reduces your Database capacity. Until renewal, you can continue with
the current plan.
I'm an existing customer and my renewal is coming up. Will I be impacted?
Customers who renew existing subscriptions can choose to continue to transact using the existing offers for a
certain period of time. Please contact your Microsoft partner or Microsoft sales team for details.
I’m a PowerApps/Flow customer and have environments with and without Database. Will they consume storage
capacity?
Currently, only the environments with Database consume capacity; environments without Database do not.
However, once the Power Platform Admin center has the ability to create environments, all environments will
consume 1GB.
Why am I no longer getting storage notifications?
We have disabled email notifications with the move to the new storage model. Review the Capacity page to
monitor usage.
How can I reduce consumed storage space?
See the following: Free storage space.
I'm an existing customer. Should I expect my File and Log usage to change?
Log and Files data usage is not expected to be exactly the same size as when the same data is stored using
Database due to different storage and indexing technologies. The current set of out-of-box (OOB) entities stored
in File and Log might change in the future.
Capacity report shows the entitlement breakdown per license, but I have more licenses in my tenant and not
all of them are listed in the breakdown, why?
Not all licenses give per user entitlement. For example, the team member license does not give any per user
Database/File/Log entitlement. So in this case, the licenses that do not give any per user entitlement will not be
listed in the breakdown.
When is table data expected to show in the report?
Check back for availability. In addition to top tables, we will also show the table trend.
Which environments are counted in the capacity report?
Default, Production, and Sandbox environments are counted for consumption. Trial, Preview, Support, and
Developer environments are not counted.
Free storage space
4/2/2019 • 11 minutes to read

[This topic is pre-release documentation and is subject to change.]


These are ways to reduce the amount of storage space used by removing or deleting different types of
information from Dynamics 365 apps. Use one or more of these methods to control your total data storage usage
with Dynamics 365 apps. You can delete certain categories of data as the need arises, or you can set up bulk
deletion jobs to reoccur at set intervals.

WARNING
The suggestions in this topic include deleting notes, attachments, import history, and other data. Before you delete data, be
sure that the data is no longer needed because you cannot retrieve deleted data. There is no “undo” to restore your data
once it has been deleted. This means it may make more sense for you to increase the amount of storage space you have
with your Microsoft Dynamics 365 subscription instead of reducing the amount of storage space used.

NOTE
Except for methods 3 and 5, all these methods require that you have an administrator Dynamics 365 apps security role,
such as System Administrator. This gives you permission to delete records in bulk and to delete system jobs.
After performing actions to free up storage, the system can take up to 24 hours to update storage information. We
recommend waiting up to 24 hours and monitoring your storage.
Storage consumed does not directly correspond to the size reported in Common Data Service for Apps; consumption
includes additional storage for metadata and encryption. For example, removing 10MB of storage from a file does not
mean the file size is reduced by 10MB.
Some platform operations require you to wait 24-36 hours to confirm data size changes. Such operations include but are
not limited to upgrades to new versions and introduction of new workflows. Such operations require system adjustments
that might result in a momentary size increase report.

Freeing storage for Common Data Service


Use the following methods to free storage for each of the capacity types.

File
Method 3: Remove email attachments using Advanced Find
Method 4: Remove email messages with attachments using a bulk deletion job
Method 5: Remove notes with attachments using Advanced Find
Method 6: Remove notes with attachments using a bulk deletion job

Log
Method 10: Delete audit logs
Delete plug-in trace logs using a bulk deletion job

Database
Method 1: Delete bulk email and workflow instances using a bulk deletion job
Method 2: Evaluate and delete suspended workflows
Method 7: Remove bulk duplicate detection jobs and associated copies of duplicate records
Method 8: Delete bulk import instances using a bulk deletion job
Method 9: Delete bulk deletion job instances using a bulk deletion job

Reduce file storage


Method 3: Remove email attachments using Advanced Find

WARNING
If you delete this data, the attachments will no longer be available in Dynamics 365 apps. However, if you have them saved
in Office Outlook, they will still be there.

1. Choose Advanced Find.


2. In the Look for list, select Email Messages.
3. In the search criteria area, add criteria similar to the following:
Attachments (Item)
File Size (Bytes) – Is Greater Than - In the text box, type a byte value, such as 1,048,576 (1MB in binary).

4. Choose Results.
5. You will now have a list of email messages that have attachments that are larger than ‘X’ bytes. Review the
emails and delete the attachments as needed.

Method 4: Remove email messages with attachments using a bulk deletion job

WARNING
If you delete this data, the email messages and their associated attachments will no longer be available in Dynamics 365
apps. However, if you have them saved in Office Outlook, they will still be there.

1. Go to Settings > Data Management.


2. Choose Bulk Record Deletion, and then in the menu bar, choose New. This opens the Bulk Deletion
Wizard.
3. Choose Next.
4. In the Look for list, select Email Messages.
5. In the search criteria area, add criteria similar to the following:
Status Reason – Equals – Completed
Actual End – Older Than X Months – 1
Attachments (Item)
File Size (Bytes) – Is Greater Than – In the text box, type a byte value, such as 1,048,576 (1MB in binary).
6. Group the first two criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With both rows selected, choose Group AND.
7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in Dynamics 365 apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want the
job to run.
11. If you want a notification e-mail sent, select the Send an email to me ([email protected] ) when this
job is finished check box.

12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.
Method 5: Remove notes with attachments using Advanced Find

WARNING
If you delete this data, notes and their associated attachments will no longer be available in Dynamics 365 apps.
1. Choose Advanced Find.
2. In the Look for list, select Notes.
3. In the search criteria area, add criteria similar to the following:
File Size (Bytes) – Is Greater Than – In the text box, type a byte value, such as 1048576.

4. Choose Results.
5. You will now have a list of attachments that are larger than the size you specified.

6. Select individual or multiple attachments, and then choose Delete (X).


Method 6: Remove notes with attachments using a bulk deletion job

WARNING
If you delete this data, notes and their associated attachments will no longer be available in Dynamics 365 apps.

1. Go to Settings > Data Management.


2. Choose Bulk Record Deletion, and then in the menu bar, choose New. This opens the Bulk Deletion
Wizard.
3. Choose Next.
4. In the Look for list, select Notes.
5. In the search criteria area, add criteria similar to the following:
File Size (Bytes) – Is Greater Than – In the text box, type a byte value, such as 1048576.
Created On – Older Than X Months – 1
6. Group the two criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With both rows selected, choose Group AND.
7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in Dynamics 365 apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want the
job to run.
11. If you want a notification e-mail sent, select the Send an email to me ([email protected] ) when this
job is finished check box.

12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.

Reduce log storage


Method 10: Delete audit logs
When you enable auditing, Dynamics 365 apps creates audit logs to store the audit history of the records. You can
delete these audit logs to free space when they are no longer needed.
WARNING
When you delete an audit log, you can no longer view the audit history for the period covered by that audit log.

1. Go to Settings > Auditing.


2. In the Audit area choose Audit Log Management.
3. Select the oldest audit log, then choose Delete Logs.

4. In the confirmation message choose OK.

NOTE
You can only delete the oldest audit log in the system. To delete more than one audit log repeat deleting the oldest available
audit log until you have deleted enough logs.
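Because only the oldest audit log can be deleted and deleted audit history cannot be viewed again, it helps to plan the sequence before opening Audit Log Management. The following is an added example, not part of the original documentation; the log date ranges, sizes, and the retention date are constructed assumptions (the page does not define a retention policy).

```python
# Added example: plan oldest-first audit log deletion against a retention date.
# The log list and the retain_from date are constructed assumptions.
from datetime import date


def plan_audit_log_deletion(logs, target_mb, retain_from):
    """Return the logs to delete, in order, to free at least target_mb.

    logs        -- dicts with "start", "end" (dates) and "size_mb"
    target_mb   -- amount of Log storage you want to free
    retain_from -- first date whose audit history must remain viewable
                   (hypothetical policy input)

    Only the oldest log is deletable at any time, so the plan walks the logs
    from oldest to newest and stops at the first one that overlaps the
    retention window; later logs cannot be reached by skipping over it.
    """
    ordered = sorted(logs, key=lambda log: log["start"])
    to_delete, freed = [], 0
    for log in ordered:
        if freed >= target_mb:
            break                      # enough space freed, keep the rest
        if log["end"] >= retain_from:
            break                      # deleting this would lose required history
        to_delete.append(log)
        freed += log["size_mb"]
    remaining = ordered[len(to_delete):]
    return {
        "delete_in_order": [(log["start"], log["end"]) for log in to_delete],
        "freed_mb": freed,
        "target_met": freed >= target_mb,
        "history_starts": remaining[0]["start"] if remaining else None,
    }


# Constructed sample: six audit logs, deliberately listed out of order.
SAMPLE_AUDIT_LOGS = [
    {"start": date(2018, 7, 1), "end": date(2018, 9, 30), "size_mb": 500},
    {"start": date(2018, 1, 1), "end": date(2018, 3, 31), "size_mb": 400},
    {"start": date(2019, 1, 1), "end": date(2019, 3, 31), "size_mb": 600},
    {"start": date(2018, 4, 1), "end": date(2018, 6, 30), "size_mb": 350},
    {"start": date(2019, 4, 1), "end": date(2019, 6, 30), "size_mb": 300},
    {"start": date(2018, 10, 1), "end": date(2018, 12, 31), "size_mb": 450},
]
SAMPLE_RETAIN_FROM = date(2018, 10, 1)

if __name__ == "__main__":
    for target in (300, 1000, 2000):
        print(target, plan_audit_log_deletion(
            SAMPLE_AUDIT_LOGS, target, SAMPLE_RETAIN_FROM))
```

When `target_met` is false, the remaining space has to come from another method or from additional Log capacity, not from deleting logs inside the retention window.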

Reduce database storage


Method 1: Delete bulk email and workflow instances using a bulk deletion job

WARNING
If you delete this data, you will no longer be able to tell if an email was sent through bulk email or if a workflow rule ran
against a record. The emails that were sent and the actions that ran against the record in the workflow will remain.

1. Go to Settings > Data Management.


2. Choose Bulk Record Deletion. In the menu bar, choose New. This opens the Bulk Deletion Wizard.
3. Choose Next.
4. In the Look for list, select System Jobs.
5. In the search criteria area, add criteria similar to the following:
System Job Type – Equals – Bulk E-mail; Workflow;
Status Reason – Equals – Succeeded
Completed On – Older Than X Months – 1
6. Group the three criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With all three rows selected, choose Group AND.

7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in Dynamics 365 apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want the
job to run.
11. If you want a notification e-mail sent, select the Send an e-mail to me ([email protected] ) when this
job is finished check box.

12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.
Method 2: Evaluate and delete suspended workflows
Sometimes workflows will enter a suspended state because there is a condition that will never be met or some
other reason that will not allow the workflow to continue.
WARNING
Some workflows will be in a suspended state because they are waiting for a condition that has not yet been met, which is
expected. For example, a workflow may be waiting for a task to be completed.

1. Choose Advanced Find.


2. In the Look for list, select System Jobs.
3. In the search criteria area, add criteria similar to the following:
System Job Type – Equals – Workflow
Status Reason – Equals – Waiting
4. Group the two criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With both rows selected, choose Group AND.

5. Choose Results.
6. In the results window, you can open each item to determine whether the workflow can be deleted.
Method 7: Remove bulk duplicate detection jobs and associated copies of duplicate records
Every time that a duplicate detection job runs, a copy of each duplicate record is stored in the database as part of
the duplicate detection job. For example, if you have 100 duplicate records, every time that you run a duplicate
detection job that finds these duplicates, whether it is manual or reoccurring, those 100 duplicate records will be
stored in the database under that instance of that duplicate job until the duplicates are merged or deleted, or until
the instance of that duplicate detection job is deleted.
1. Go to Settings > Data Management.
2. Choose Duplicate Detection Jobs.
3. Select the duplicate detection job instances you want to delete and then choose Delete (X).
To avoid wasting storage space, make sure duplicates are resolved promptly so that they are not reported
in multiple duplicate detection jobs.
Method 8: Delete bulk import instances using a bulk deletion job
Every time you perform a bulk import, there is a system job associated with that import. The system job details
show which records imported successfully and which records failed.

WARNING
After you delete these bulk import jobs, you will not be able to see what data was imported and you cannot roll back the
import.

1. Go to Settings > Data Management.


2. Choose Bulk Record Deletion, and then in the menu bar, choose New. This opens the Bulk Deletion
Wizard.
3. Choose Next.
4. In the Look for list, select System Jobs.
5. In the search criteria area, add criteria similar to the following:
System Job Type – Equals – Import
Status Reason – Equals – Succeeded
Completed On – Older Than X Months – 1
6. Group the three criteria rows:
a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With all three rows selected, choose Group AND.
7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in Dynamics 365 apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want the
job to run.
11. If you want a notification e-mail sent, select the Send an email to me ([email protected] ) when this
job is finished check box.

12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.
Method 9: Delete bulk deletion job instances using a bulk deletion job
When you are bulk deleting data, such as in many of the methods described in this article, a bulk deletion system
job is created and can be deleted.

WARNING
After you delete these jobs, you will lose the history of the prior bulk deletion jobs that you’ve run.

1. Go to Settings > Data Management.


2. Choose Bulk Record Deletion, and then in the menu bar, choose New. This opens the Bulk Deletion
Wizard.
3. Choose Next.
4. In the Look for list, select System Jobs.
5. In the search criteria area, add criteria similar to the following:
System Job Type – Equals – Bulk Delete
Status Reason – Equals – Succeeded
Completed On – Older Than X Months – 1
NOTE
You could also delete jobs that have failed or been canceled.

6. Group the three criteria rows:


a. Choose the arrow next to each criteria row, and then choose Select Row.
b. With all three rows selected, choose Group AND.

7. Choose Next.
8. In the Name text box, type a name for the bulk deletion job.
9. Select a date and time for the job start time; preferably a time when users are not in Dynamics 365 apps.
10. Select the Run this job after every check box, and then in the days list, select the frequency you want the
job to run.
11. If you want a notification e-mail sent, select the Send an email to me ([email protected] ) when this
job is finished check box.
12. Choose Next, review the bulk deletion job, and then choose Submit to create the recurring job.
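Since deleted data cannot be restored, a dry run of the criteria over an exported list of records shows what a job would match before you submit it. The following is an added example that generalizes the AND-grouped criteria rows used in Methods 1, 6, 8, and 9; it is not product code, the records are constructed, and it assumes "Older Than X Months" means strictly earlier than the current time minus X calendar months and that records are flat (no related-entity rows such as Attachments (Item)).

```python
# Added example: dry-run AND-grouped bulk deletion criteria over exported rows.
# Records are constructed; operator semantics are assumptions stated in comments.
import calendar
from datetime import datetime


def months_before(moment, months):
    """Shift a datetime back by whole calendar months, clamping the day."""
    index = moment.year * 12 + (moment.month - 1) - months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def row_matches(record, row, now):
    """Evaluate one criteria row: (field, operator, value)."""
    field, operator, value = row
    actual = record.get(field)
    if actual is None:
        return False                  # empty field never satisfies a row
    if operator == "Equals":
        # A row such as "Bulk E-mail; Workflow" is passed as a set of values.
        allowed = value if isinstance(value, (set, frozenset)) else {value}
        return actual in allowed
    if operator == "Is Greater Than":
        return actual > value
    if operator == "Older Than X Months":
        return actual < months_before(now, value)   # assumed semantics
    raise ValueError(f"unsupported operator: {operator!r}")


def preview_bulk_delete(records, criteria, now):
    """Return ids and file bytes of records matching every row (Group AND)."""
    matched = [r for r in records
               if all(row_matches(r, row, now) for row in criteria)]
    return {
        "ids": [r["id"] for r in matched],
        "count": len(matched),
        # Sum of file sizes only; consumed storage also includes metadata.
        "file_bytes": sum(r.get("File Size (Bytes)", 0) for r in matched),
    }


SAMPLE_NOW = datetime(2019, 8, 20, 12, 0)

# Method 1 criteria, as listed in the steps.
METHOD_1_CRITERIA = [
    ("System Job Type", "Equals", {"Bulk E-mail", "Workflow"}),
    ("Status Reason", "Equals", "Succeeded"),
    ("Completed On", "Older Than X Months", 1),
]
# Method 6 criteria, as listed in the steps.
METHOD_6_CRITERIA = [
    ("File Size (Bytes)", "Is Greater Than", 1048576),
    ("Created On", "Older Than X Months", 1),
]

# Constructed system job records.
SAMPLE_SYSTEM_JOBS = [
    {"id": 1, "System Job Type": "Workflow", "Status Reason": "Succeeded",
     "Completed On": datetime(2019, 5, 2, 8, 0)},
    {"id": 2, "System Job Type": "Bulk E-mail", "Status Reason": "Succeeded",
     "Completed On": datetime(2019, 7, 19, 9, 0)},
    {"id": 3, "System Job Type": "Workflow", "Status Reason": "Succeeded",
     "Completed On": datetime(2019, 8, 1, 9, 0)},     # too recent
    {"id": 4, "System Job Type": "Workflow", "Status Reason": "Waiting",
     "Completed On": None},                           # still suspended
    {"id": 5, "System Job Type": "Import", "Status Reason": "Succeeded",
     "Completed On": datetime(2019, 1, 10, 9, 0)},    # other job type
    {"id": 6, "System Job Type": "Workflow", "Status Reason": "Failed",
     "Completed On": datetime(2019, 3, 3, 9, 0)},     # not Succeeded
]
# Constructed note records.
SAMPLE_NOTES = [
    {"id": "n1", "File Size (Bytes)": 5000000, "Created On": datetime(2019, 2, 1)},
    {"id": "n2", "File Size (Bytes)": 1048576, "Created On": datetime(2019, 1, 1)},
    {"id": "n3", "File Size (Bytes)": 2000000, "Created On": datetime(2019, 8, 10)},
]

if __name__ == "__main__":
    print(preview_bulk_delete(SAMPLE_SYSTEM_JOBS, METHOD_1_CRITERIA, SAMPLE_NOW))
    print(preview_bulk_delete(SAMPLE_NOTES, METHOD_6_CRITERIA, SAMPLE_NOW))
```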
See also
Preview: Common Data Service storage capacity
Environments overview
8/9/2019 • 4 minutes to read

An environment is a space to store, manage, and share your organization’s business data, apps, and flows. It
also serves as a container to separate apps that may have different roles, security requirements, or target audiences.
How you choose to leverage environments depends on your organization and the apps you are trying to build.
For example:
You may choose to only build your apps in a single environment.
You might create separate environments that group the Test and Production versions of your apps.
You might create separate environments that correspond to specific teams or departments in your company,
each containing the relevant data and apps for each audience.
You might also create separate environments for different global branches of your company.
Get early access to the upcoming PowerApps functionalities by joining PowerApps Preview Program.

Environment scope
Each environment is created under an Azure AD tenant, and its resources can only be accessed by users within
that tenant. An environment is also bound to a geographic location, like the US. When you create an app in an
environment, that app is routed to only datacenters in that geographic location. Any items that you create in that
environment (including connections, gateways, flows using Microsoft Flow, and more) are also bound to their
environment’s location.
Every environment can have zero or one Common Data Service databases, which provides storage for your apps.
The ability to create a database for your environment will depend on the license you purchase for PowerApps and
your permission within that environment. For more information, see Pricing info.
When you create an app in an environment, that app is only permitted to connect to the data sources that are also
deployed in that same environment, including connections, gateways, flows, and Common Data Service
databases. For example, let’s consider a scenario where you have created two environments named ‘Test’ and
‘Dev’ and created a Common Data Service database in each of the environments. If you create an app in the ‘Test’
environment, it will only be permitted to connect to the ‘Test’ database; it won't be able to connect to the ‘Dev’
database.
There is also a process to move resources between environments. For more information, see Migrate resources.

Environment permissions
Environments have two built-in roles that provide access to permissions within an environment:
The Environment Admin role can perform all administrative actions on an environment including the
following:
Add or remove a user or group from either the Environment Admin or Environment Maker role
Provision a Common Data Service database for the environment
View and manage all resources created within an environment
Set data loss prevention policies. For more information see Data loss prevention policies.
After creating the database in the environment, you can use the System Administrator role instead of the
Environment Admin role.
The Environment Maker role can create resources within an environment including apps, connections,
custom connectors, gateways, and flows using Microsoft Flow.
Environment Makers can also distribute the apps they build in an environment to other users in your organization
by sharing the app with individual users, security groups, or to all users in the organization. For more information,
see Share an app in PowerApps.
Users or groups assigned to these environment roles are not automatically given access to the environment’s
database (if it exists) and must be given access separately by a Database owner. For more information, see
Configure database security.
Users or security groups can be assigned to either of these two roles by an Environment Admin from the Power
Platform Admin center or PowerApps Admin center. For more information, see Administer environments in
PowerApps.

The default environment


A single default environment is automatically created by PowerApps for each tenant and shared by all users in
that tenant. Whenever a new user signs up for PowerApps, they are automatically added to the Maker role of the
default environment. The default environment is created in the closest region to the default region of the Azure
AD tenant.

NOTE
No users will be added to the Environment Admin role of the default environment automatically. For more information, see
Administer environments in PowerApps.

The default environment is named as follows: “{Azure AD tenant name} (default)”


Production and Trial environments
You can create environments for different purposes. A Trial environment is for trying out the environment and
database with the Common Data Service experience. It expires after a certain period. For more information, see
Administer environments in PowerApps.

Choosing an environment
With the introduction of environments, you will now see a new experience when you come to
https://web.powerapps.com. The apps, connections, and other items that are visible in the site will now be filtered
based on the current environment that is selected. Your current environment is specified in the environment picker
near the right edge of the header. To choose a different environment, click or tap the picker, and a list of available
environments appears. Click or tap the one you wish to enter.
An environment will show up in your picker if you meet one of the following conditions:
You are a member of the Environment Admin role for the environment.
You are a member of the Environment Maker role for the environment.
You are not an Environment Admin or Environment Maker of the environment, but you have been given
‘Contributor’ access to at least one app within the environment. For more information, see share an app. In this
case, you will not be able to create apps in this environment. You will only be able to modify the existing apps
that have been shared with you.

See also
Microsoft Learn: Create and manage environments in Common Data Service
Create and manage environments in the Power Platform Admin center
8/20/2019 • 5 minutes to read

An environment is a space to store, manage, and share your organization’s business data, apps, and flows. It also
serves as a container to separate apps that may have different roles, security requirements, or target audiences.
PowerApps automatically creates a single default environment for each tenant, which is shared by all users in that
tenant.

TIP
For the blog announcing the latest changes to environment creation, see Provisioning and administration updates are now
live in the Power Platform Admin center.

Provisioning a new environment


You have a choice when provisioning a new environment. You can:
- Provision based on buying an instance using the Dynamics 365 Admin center.
or
- Provision based on available capacity. See the section Create an environment in the Power Platform Admin
  center.
What's new in provisioning environments
We're consolidating how you view, create, and manage environments.
- Environments can now be provisioned in the Power Platform Admin center: You can create
  environments in the Power Platform Admin center. Previously, environments could only be created in the
  Dynamics 365 Admin center and the PowerApps Admin center.
- Admins can govern environment creation: To limit environment creation to admins (Dynamics 365 Service
  admins, Office 365 Global admins, or Delegated admins), see Control who can create environments in the
  Power Platform Admin center. Previously, limiting was done by controlling who had PowerApps P2 licenses.
- Admins can see all environments: Admins can see all environments (environments with and without a
  database, and environments with apps) in the Power Platform Admin center. Previously, admins could not see
  environments created without a database.
- Trial environment provisioning: You can create one Trial environment per user. Previously, you could create
  two per user.

Who can create environments?


Your license determines whether you can create environments.

LICENSE                                   TRIAL        PRODUCTION
Office 365 Plans                          No           No
Dynamics 365 Teams Plans                  No           No
PowerApps Community Plan                  No           No
Dynamics 365 Customer Engagement Trial    Yes (one)    Yes
Dynamics 365 Plans                        Yes (one)    Yes
Dynamics 365 Apps Plans                   Yes (one)    Yes
PowerApps P2                              Yes (one)    Yes
PowerApps P2 Trial                        Yes (one)    Yes
PowerApps P1                              Yes (one)    Yes
PowerApps P1 Trial                        Yes (one)    No

Create an environment in the Power Platform Admin center


Every environment can have zero or one Common Data Service database, which provides storage for apps. When
users create an app in an environment, that app can connect to any data source, including connections, gateways,
and flows. However, the app is only permitted to connect to the Common Data Service databases in that same
environment. How you choose to leverage environments depends on your organization and the apps you're trying
to build. For more information, see Environments overview.
You have multiple options when creating an environment:
1. Create an environment with a Common Data Service database
2. Create an environment with Customer Engagement apps
3. Create an environment without a Common Data Service database

Create an environment with a database


You create a database to use Common Data Service as a data store. The Common Data Service is a cloud scale
database used to securely store data for business applications built on PowerApps. Common Data Service
provides not just data storage, but a way to implement business logic that enforces business rules and automation
against the data. For more information, see Why use Common Data Service?
Prerequisites
To create an environment with a database, you need 1GB available database capacity.
Steps
1. Sign in to the Power Platform Admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 Service admin, Office 365 Global admin, or Delegated admin).
2. In the navigation pane, select Environments, and then select New.
3. Enter the following, and then select Next.

SETTING                                    DESCRIPTION
Name                                       The name of your environment.
Type                                       You can choose Production or Trial.
Region                                     Choose a region for the environment.
Purpose                                    A description of the environment.
Create a database for this environment?    Select Yes.

4. Enter the following, and then select Save.

SETTING                        DESCRIPTION
Language                       The default language for this environment.
Currency                       The base currency used for reporting.
Enable Dynamics 365 apps       Select Yes and make a selection to automatically deploy
                               apps such as Sales and Customer Service.
Deploy sample apps and data    Select Yes to include sample apps and data. Sample data
                               gives you something to experiment with as you learn. You
                               must select No for Enable Dynamics 365 apps for this
                               setting to appear.
Security group                 Select a security group to restrict access to this
                               environment.

Create an environment with Customer Engagement apps


When you create an environment with a database, you can add Customer Engagement apps such as Sales and
Field Service.

NOTE
Currently, apps can only be enabled for Production environments. You can create trials at https://trials.dynamics.com.

Prerequisites
To create an environment with a database, you need 1GB available database capacity.
Steps
1. Sign in to the Power Platform Admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 Service admin, Office 365 Global admin, or Delegated admin).
2. In the navigation pane, select Environments, and then select New.
3. Enter the following, and then select Next.

SETTING                                    DESCRIPTION
Name                                       The name of your environment.
Type                                       You can choose Production or Trial.
Region                                     Choose a region for the environment.
Purpose                                    A description of the environment.
Create a database for this environment?    Select Yes.

4. Enter the language and currency settings.


5. Set Enable Dynamics 365 apps to Yes, and then select apps to include from the Automatically deploy
these apps drop-down list.
6. Select Save.
Create an environment without a database
You can create an environment without a database and use your own data store.
Prerequisites
You need 1GB available database capacity.
Steps
1. Sign in to the Power Platform Admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 Service admin, Office 365 Global admin, or Delegated admin).
2. In the navigation pane, select Environments, and then select New.

3. Enter the following, and then select Save.

SETTING                                    DESCRIPTION
Name                                       The name of your environment.
Type                                       You can choose Production or Trial.
Region                                     Choose a region for the environment.
Purpose                                    A description of the environment.
Create a database for this environment?    Select No.

FAQ
I’m a Dynamics 365 customer. Should I provision using the Dynamics 365 Admin center or Power Platform
Admin center?
Power Platform Admin center provisioning is only available for customers who have transitioned to the new
capacity-based licenses. If you have not transitioned, please use the Dynamics 365 Admin center for provisioning.

What are the new Trial limits for PowerApps customers?
The new trial limits are one per user.

Can an Office 365 licensed user manage and create environments?
No, Office 365 licensed users will not be able to manage environments.

If I create an environment in the Dynamics 365 Admin center, will it appear in the Power Platform Admin center?
Yes, it will appear in both admin centers.

What is the PowerApps Production environment limit?
Provisioning environments is based on database capacity. Previously, it was two environments per PowerApps
Plan 2 license. Now all you need is 1GB of available capacity to provision. All environments with or without
Common Data Service will consume at least 1GB capacity.

See also
Manage environments in PowerApps
Preview: Common Data Service storage capacity
Control who can create and manage environments in the Power Platform Admin center
8/20/2019 • 2 minutes to read

With the new provisioning model, those with the correct licenses can create an environment as long as 1GB of
capacity is available. To restrict environment creation and management to admins, do the following:
1. Sign in to the Power Platform Admin center at https://admin.powerplatform.microsoft.com.
2. Select the Gear icon in the upper-right corner of the Power Platform site.
3. Select Only specific admins.

The following admins will be able to create new environments in the Power Platform Admin center:
Office 365 Global admins
Dynamics 365 Service admins
Delegated admins

NOTE
Environments created prior to restriction can still be managed after restriction by those who created the environment.
Restriction will prevent any new environments being created and managed.

Control environment creation through PowerShell


Download and install the admin PowerShell cmdlets as described here. For more information about our cmdlets,
see PowerShell support for PowerApps (preview).
Use the following commands to restrict environment creation to Global admin, Dynamics 365 service admin, and
Delegated admin.

$settings = @{ DisableEnvironmentCreationByNonAdminUsers = $true }
Set-TenantSettings $settings

FAQ
Can I disable Trial environment creation for users in the tenant?
Yes. Use the following PowerShell commands to restrict Trial environment creation.

$settings = @{ DisableTrialEnvironmentCreationByNonAdminUsers = $true }
Set-TenantSettings $settings

Download and install the admin PowerShell cmdlets as described here. For more information about our cmdlets,
see PowerShell support for PowerApps (preview).
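
Because environments created before the restriction can still be managed by their creators, an inventory of existing environments and who created them is a useful follow-up. The added example below (not Microsoft's code) flags environments that were not created by a sanctioned admin. The function name, the allow-list and the sample objects are constructed, and the property names are assumed to match what Get-AdminPowerAppEnvironment in the admin module returns.

```powershell
# Added example: review who created each environment after creation is restricted.
function Get-EnvironmentCreatorReview {
    [CmdletBinding()]
    param(
        # Environment objects. Property names (DisplayName, EnvironmentType, IsDefault,
        # CreatedBy.userPrincipalName) are assumed to match Get-AdminPowerAppEnvironment output.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Environment,

        # Hypothetical allow-list: UPNs of the admins allowed to create environments.
        [Parameter(Mandatory = $true)]
        [string[]]$AdminUpn
    )
    process {
        $creator = [string]$Environment.CreatedBy.userPrincipalName

        if ($Environment.IsDefault) {
            # The default environment is created by the service, not by a user.
            $finding = 'Default environment (created by the service)'
        }
        elseif ([string]::IsNullOrWhiteSpace($creator)) {
            $finding = 'REVIEW: creator unknown'
        }
        elseif ($AdminUpn -contains $creator) {
            # -contains compares strings case-insensitively.
            $finding = 'OK: created by a sanctioned admin'
        }
        else {
            $finding = 'REVIEW: creator is not a sanctioned admin and can still manage this environment'
        }

        [pscustomobject]@{
            DisplayName = $Environment.DisplayName
            Type        = $Environment.EnvironmentType
            Creator     = $creator
            Finding     = $finding
        }
    }
}

# Constructed sample data. In a real tenant this would be replaced by:
#   $environments = Get-AdminPowerAppEnvironment
$environments = @(
    [pscustomobject]@{
        DisplayName     = 'Contoso (default)'
        EnvironmentType = 'Default'
        IsDefault       = $true
        CreatedBy       = [pscustomobject]@{ userPrincipalName = $null }
    }
    [pscustomobject]@{
        DisplayName     = 'Sales Production'
        EnvironmentType = 'Production'
        IsDefault       = $false
        CreatedBy       = [pscustomobject]@{ userPrincipalName = 'thomas@contoso.example' }
    }
    [pscustomobject]@{
        DisplayName     = 'Isaac trial'
        EnvironmentType = 'Trial'
        IsDefault       = $false
        CreatedBy       = [pscustomobject]@{ userPrincipalName = 'isaac@contoso.example' }
    }
)

# Constructed allow-list of sanctioned admins.
$admins = @('Thomas@contoso.example')

$environments |
    Get-EnvironmentCreatorReview -AdminUpn $admins |
    Format-Table -AutoSize -Wrap
```

With the sample data, the trial environment is the only one marked for review, because its creator is not on the allow-list.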
Create a Common Data Service database
4/22/2019 • 2 minutes to read

You can create a database and build apps by using Common Data Service as a data store. You can either create
your own custom entities or use the predefined entities. To create a database, you first need to either create an
environment, or be assigned to an existing environment as an Environment Admin. In addition, you must be
assigned the appropriate license. For information on purchasing a plan for using Common Data Service, see
Pricing info.
There are various ways to create a database:
In the PowerApps Admin center
In the Entities pane of powerapps.com

NOTE
For security reasons, we do not support creating a copy of the database for local use.

Create a database in the admin center


1. In the admin center, in the left navigation pane, click Environments.
2. Select the environment in which you want to create the database.

3. On the Details tab, click Create a database.

4. Choose currency and language to proceed with database creation.


Create a database in the Entities pane of PowerApps
1. On powerapps.com, expand the Data section and click or tap Entities in the left navigation pane.
2. Click Create Database to create the database.

Security model for the databases


When a database is created, the users who have environment roles assigned to them will continue to maintain
those privileges.
Users with the Environment Admin role are now assigned to the System Administrator role. Users with the Environment
Maker role continue to possess the same role.
You can assign additional users to pre-defined roles or even create custom roles. See Database Security for more
details.

NOTE
On creating the database, any security group assigned to the Environment Admin or Environment Maker role will not be
honored any more. Currently, assigning permissions in the database does not support Azure AD security groups.

License and security permissions


To create a database, you must be an administrator in the selected environment, and the appropriate license must
be assigned to you. From the environment, you can further configure security permissions for other users by using
the Security tab. For more information, see Configure database security.

Privacy notice
With the Microsoft PowerApps Common Data Model we collect and store custom entity and field names in our
diagnostic systems. We use this knowledge to improve the Common Data Model for our customers. The entity and
field names that Creators create help us understand scenarios that are common across the Microsoft PowerApps
community and ascertain gaps in the service’s standard entity coverage, such as schemas related to organizations.
The data in the database tables associated with these entities is not accessed or used by Microsoft or replicated
outside of the region in which the database is provisioned. Note, however, the custom entity and field names may
be replicated across regions and are deleted in accordance with our data retention policies. Microsoft is committed
to your privacy as described further in our Trust Center.
Create and manage environments in the PowerApps Admin center
8/9/2019 • 3 minutes to read

Create environments
Follow these steps to create a PowerApps environment and a database for that environment.
Prerequisites
To follow this topic, the following items are required:
Either a PowerApps Plan 2 or Microsoft Flow Plan 2 license. Alternatively, you can sign up for a free PowerApps
Plan 2 trial.
PowerApps Environment Admin, Office 365 Global Admin, or Azure Active Directory Tenant Admin
permissions. For more information, see Environments administration in PowerApps.
Sign in to the PowerApps Admin center
Sign in to the Admin center at https://admin.powerapps.com.
Create an environment and database
1. In the navigation pane, click or tap Environments, and then click or tap New environment.

2. In the New environment dialog box, enter a name for the environment, and then select a region and
environment type from the drop-down lists. The region defaults to the Azure Active Directory Tenant home
region, but you may select any region from the drop-down list. You cannot change the region once the
environment is created. When you're done, click or tap Create environment.
Select Preview(United States) to get early access to the upcoming PowerApps functionalities. Learn more
about the PowerApps Preview Program.
3. Once the environment is created, you'll receive a confirmation message in the dialog box and you'll be
prompted to create a database. Click or tap Create database to enable access to the Common Data Service.
Note: At this time, you can only create a database in the Azure Active Directory Tenant home region.

4. Select the currency and language for the data stored in the database. You cannot change the currency or
language once the database is created. When you're done, click or tap Create database.

It may take several minutes to create the database on the Common Data Service. Once the database is
created, the new environment appears in the list of environments on the Environments page.
Click or tap the environment to view the environment details.

Creating an environment
Who can create environments?
Your license determines whether you can create environments.

LICENSE                      TRIAL        PRODUCTION
PowerApps P2                 Yes (one)    Yes
PowerApps P2 Trial           Yes (one)    Yes
PowerApps P1                 Yes (one)    Yes
PowerApps P1 Trial           Yes (one)    No
Dynamics 365 Plans           Yes (one)    Yes
Office 365 Plans             No           No
Dynamics 365 Apps Plans      Yes (one)    Yes
Dynamics 365 Teams Plans     No           No
PowerApps Community Plan     No           No

Where can environments be created?


You will be able to create new environments from https://web.powerapps.com and
from the PowerApps Admin center. If you create an environment, you will automatically be added to the
Environment Admin role for that environment. There is no limit on the number of environments that you can
participate in as a member of the Environment Admin or Environment Maker role. For more information about
environments, see Administer environments in PowerApps. For instructions on how to create an environment, see
Create an environment.
Managing environments for your organization
In the PowerApps Admin center, you can manage all of the environments that you have created or for which you have
been added to the Environment Admin role. From the Admin center, you can perform all administrative actions on
an environment, including the following:
- Add or remove a user or group from either the Environment Admin or Environment Maker role. For more
  information, see Administer environments in PowerApps.
- Provision a Common Data Service database for the environment. For more information, see Create a Common
  Data Service database.
- Set Data Loss Prevention policies. For more information, see Data loss prevention policies.
- Set database security policies (as open or restricted by database roles). For more information, see Configure
  database security.
Members of the Azure AD tenant Global administrator role (includes Office 365 Global admins) can also
manage all environments that have been created in their tenant and set tenant-wide policies from the
PowerApps Admin center.
Copy an environment
5/14/2019 • 6 minutes to read

You can use Copy environment in the Power Platform Admin center to copy the Dynamics 365 for Customer
Engagement apps and all data from any environment to a Sandbox environment. You can select two levels of copy:
Everything or Customizations and schemas only.

NOTE
You can only copy an environment to a Sandbox environment.
Currently, any components that have not been added to a solution (including canvas apps, flows, custom connectors, and
connections) will not be copied to the target environment.

Copy over everything


An Everything copy includes all application data, users, customizations, and schemas from the source
environment and is suitable for:
User acceptance testing
Upgrade testing
Preview in production (TAP/EA)
Training
An example scenario
Isaac, a business application developer, has received a request from the sales department to configure and deploy a
social media integration solution from another company vendor. Isaac has never installed a solution from this
vendor and is unsure what impact this would have on the production application. He’d like to import the solution
into an environment that is nearly identical to, but isolated from, production to learn about the solution and make
the appropriate configuration changes. Isaac submits a request to Thomas, the IT Manager for Contoso, to create
an Everything copy Sandbox environment for him.
After the Everything copy is complete, Isaac receives a mail from Thomas telling him the Sandbox environment is
ready. Isaac logs into the Sandbox environment and makes the necessary changes to make sure that production
external services will not be impacted by the Sandbox environment. Once changes are complete, Isaac turns off
administration mode and enables background services. Isaac is able to use the Everything copy Sandbox
environment to do his testing and later manually import the solution into production.
Copy over customizations and schemas only
A Customizations and schemas only copy only includes users, customizations, and schema from the source
environment and is suitable for:
Iterative team development
Partner/ISV solutions
Proof of concept
An example scenario
Isaac has a large development project starting next week for the sales department. He has a team of developers
ready to start on the project, some of whom are internal to Contoso and some are external vendors. The Contoso
sales application contains Personally Identifiable Information (PII) that the sales manager has explicitly stated must
not be made available to any external parties for privacy and legal liability reasons. Isaac requests a customizations
and schemas only copy Sandbox environment that does not contain any production data or users. In addition, Isaac
creates an Office 365 security group to give the development team access to the Sandbox environment.
After modifying and enabling some of the plug-ins, the developer Sandbox environment functions the same and is
completely isolated from the production application. The development team works on their modifications in this
environment for several weeks. They package their changes into a solution and export/import to deploy to the
Everything copy Sandbox environment. After a successful round of testing and signoffs, the changes are manually
deployed to production.
Entities copied in a Customizations and schemas only copy
The following entities are copied when you do a Customizations and schemas only copy:

ENTITIES
BusinessUnit
ConnectionRole
Currency
DuplicateRule
DuplicateRuleCondition
EmailServerProfile
FieldPermission
FieldSecurityProfile
ImportMap
InternalAddress
Mailbox
Organization
Position
Report
Resource
ResourceGroup
Role
RollupField
SavedQuery
SLAKPIenvironment
Solution
Subject
Team
TeamTemplate
Template
SystemUser

Copy an environment to a Sandbox environment


1. Go to the Power Platform Admin center and sign in using Environment Admin or System Administrator role
credentials.

NOTE
Environment Admins or System Administrators can copy all available environments. Customer Engagement System
administrators can copy environments for which they have the Environment Admin or System Administrator role.

2. From the left-side menu, select Environments, and then select an environment to copy.
3. Select Copy from the top menu bar.
4. Select the desired copy over level.
5. Select a Sandbox environment.
A target environment can be a Sandbox or Preview environment; not a Production environment.

WARNING
The target environment will be deleted and replaced with a copy of the data and customizations from the source
environment. You won’t be able to recover any deleted data.

6. To restrict environment access to people in a security group, select Edit.


7. Edit the details for the copied environment, and then select Copy.

8. Select Confirm to overwrite the target environment.


The overwrite process starts.
Once the copy process is complete, the target environment is placed in Administration mode and background
operations are disabled. The next section describes recommended Administrator actions for the newly created copy
(target) environment.
Next steps after copying an environment
To ensure the newly created copy (target) environment does not impact your Production environment, once the
copy operation is complete, two things happen:
1. The newly created copy environment is placed in administration mode. Only those with System
Administrator or System Customizer security roles can sign in and manage the copy environment. Regular
Customer Engagement users cannot sign in and use the copy environment.
2. Background operations are disabled in the copy environment. Disabled operations include workflows and
synchronization with Microsoft Exchange.
Review components
You should review the status of application components in the copy environment with external connections such as
Yammer, email, plug-ins, custom workflow activities, etc. Review these and consider what action to take:
1. Disable the component.
2. Redirect the component to another service environment such as one running Exchange or SharePoint.
3. Do nothing – leave the component as is in the copy environment. For example, you might decide to allow
Yammer posting to both the copy and Production environments.
Here are some possible application components in the copy environment that could have external
connections and therefore could impact services with the same connections in your Production
environment.
- Email. A mailbox cannot be synced with two different environments. For an Everything copy environment,
  the user mailboxes in the copy environment must be disabled so the mailboxes do not attempt to send or
  receive email, or track appointments, contacts, or tasks. Set synchronization for the following to None.
  - Incoming Email
  - Outgoing Email
  - Appointments, Contacts, Tasks
  More information: Set the delivery method for incoming and outgoing email
- SharePoint. Deactivate or redirect SharePoint to a sandbox SharePoint environment to prevent impacting
  documents in Customer Engagement apps managed by SharePoint. In Customer Engagement apps, go to
  Settings > Documentation Management > SharePoint Sites. Select your site, and then click
  Deactivate.
- Yammer. Disable Yammer or redirect to a separate Yammer service to prevent posts made in the copy
  environment conflicting with posts made in the Production environment. In Customer Engagement apps, go
  to Settings > Administration > Yammer Configuration.
  After creating a new Sandbox environment, workflows and system jobs might be pending execution. Apart
  from these jobs, if you have connected Yammer to Customer Engagement apps there will be Yammer
  activity streams posted from Customer Engagement apps to Yammer asynchronously. These activity
  streams are not visible through the system jobs. If there were any pending Yammer activity streams before
  the Disable Background Process is turned on, these activity streams will be posted to the current Yammer
  configuration once the Disable Background Process is turned back off. In the Sandbox environment, if you
  have your current Yammer configuration connected to the same Yammer network as your production
  environment, you might see duplicate activity streams. To avoid duplicate Yammer activity streams, redirect
  your Sandbox environment to another Yammer network (possibly a test network) before turning
  background processes back on.
- Platform extensibility. Consider disabling the following that could be running in the copy environment
  and impacting external service components.
  - Server-side plug-ins.
  - Workflow custom activity.
- Client extensibility. Review the following.
  - Client-side JavaScript. Take a look at your JavaScript and HTML web resources for read/write
    operations that could impact external services.
  - IFRAMES. Determine if the target of an IFRAME is a Production environment.
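
The client extensibility review above can be partly automated. The added example below (not part of the original documentation) scans JavaScript and HTML web resource text for URLs that point at Production hosts and labels IFRAME targets and write-style calls. The function name, host names and sample content are constructed; real input would be the text of web resources exported from the copy environment.

```powershell
# Added example: find Production references in web resources of a copied environment.
function Find-ProductionReference {
    [CmdletBinding()]
    param(
        # Map of web resource name -> text content (JavaScript or HTML).
        [Parameter(Mandatory = $true)]
        [hashtable]$WebResource,

        # Host names that belong to Production services.
        [Parameter(Mandatory = $true)]
        [string[]]$ProductionHost
    )

    # Absolute http(s) URL; the host part is captured in a named group.
    $urlPattern    = '(?i)https?://(?<host>[a-z0-9.-]+)[^\s"''<>)]*'
    # An <iframe> tag with a src attribute on the same line.
    $iframePattern = '(?i)<iframe\b[^>]*\bsrc\s*='
    # HTTP verbs that change data, worth a closer manual look.
    $writePattern  = '\b(POST|PATCH|PUT|DELETE)\b'

    foreach ($name in ($WebResource.Keys | Sort-Object)) {
        $lineNo = 0
        foreach ($line in ($WebResource[$name] -split "`r?`n")) {
            $lineNo++
            foreach ($m in [regex]::Matches($line, $urlPattern)) {
                $hostName = $m.Groups['host'].Value.ToLowerInvariant()
                if ($ProductionHost -notcontains $hostName) { continue }

                # Classification is per line, which is enough to prioritise review.
                if ($line -match $iframePattern) {
                    $kind = 'IFRAME target'
                }
                elseif ($line -cmatch $writePattern) {
                    $kind = 'Write call'
                }
                else {
                    $kind = 'Reference'
                }

                [pscustomobject]@{
                    Resource = $name
                    Line     = $lineNo
                    Host     = $hostName
                    Kind     = $kind
                    Text     = $line.Trim()
                }
            }
        }
    }
}

# Constructed sample content. contoso.crm.dynamics.com stands in for the Production
# organization URL and contoso-sandbox.crm.dynamics.com for the copy environment.
$sample = @{
    'new_/scripts/account.js' = @'
function syncAccount(id) {
    var req = new XMLHttpRequest();
    req.open("PATCH", "https://contoso.crm.dynamics.com/api/data/v9.1/accounts(" + id + ")");
    req.send();
}
'@
    'new_/pages/dashboard.html' = @'
<iframe src="https://contoso.crm.dynamics.com/main.aspx?pagetype=dashboard"></iframe>
<a href="https://contoso-sandbox.crm.dynamics.com/">Sandbox</a>
'@
}

Find-ProductionReference -WebResource $sample -ProductionHost 'contoso.crm.dynamics.com' |
    Format-Table -AutoSize -Wrap
```

With the sample content, the scan reports the IFRAME in dashboard.html and the PATCH call in account.js, and ignores the sandbox link.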
View and reset Sandbox environments
5/14/2019 • 2 minutes to read

A Sandbox environment is any non-production environment of Common Data Service. Isolated from production, a
Sandbox environment is the place to safely develop and test application changes with low risk.

View your Sandbox environments


Manage your Sandbox environments from the Power Platform Admin center.
1. Go to https://admin.powerplatform.microsoft.com/, and sign in using Environment Admin or System
Administrator role credentials.
2. Open the Environments page. Select the Type tab to sort by environment type.

Reset a Sandbox environment


Reset a Sandbox environment to delete and re-provision it. Consider a reset when you want to:
Create a new project
Free up storage space
Remove an environment containing Personally Identifiable Information (PII) data

IMPORTANT
You can only reset Sandbox environments.
A reset will permanently delete environment components such as canvas apps, flows, custom connectors, and
connections.

An example scenario
Thomas is looking at the storage consumed by the various Contoso environments and is getting concerned that
they’ll run out of space in one of their Production environments. He’d like to free up some space so he can give the
Production environment some additional storage. He’s also been notified that the Legal department has set a
retention policy on the use of production data in the test environment.
After contacting Isaac, Thomas resets the Sales department’s complete Sandbox environment. The environment is
re-provisioned to factory settings and ready for future use as a Sandbox environment for a future project.
To reset an environment
1. Go to the Power Platform Admin center and sign in using Environment Admin or System Administrator role
credentials.
2. From the left-side menu, select Environments, and then select an environment to reset.
3. Select Reset from the top menu bar.

4. On the Reset environment page, adjust the environment settings as needed and then select Reset.

WARNING
The Sandbox environment will be deleted and reset to factory settings. You will not be able to recover any deleted
data.

5. Select Confirm to reset the selected environment.


The reset process starts.

Administration mode
When you place a Sandbox environment in administration mode, only users with Customer Engagement System
Administrator or System Customizer security roles will be able to sign in to that environment. Administration
mode is useful when you want to make operational changes and not have regular users affect your work, and not
have your work affect regular users.

NOTE
You can only place Sandbox environments in administration mode.
Processes that use code, such as plug-ins or custom workflow assemblies, continue to be processed by the Common Data
Service platform when administration mode is enabled and background operations are disabled.

On the Details page, you can set the following.

SETTING                   DESCRIPTION
Administration mode       Select to enable administration mode for the selected Sandbox
                          environment. Only System Administrators or System
                          Customizers will be able to sign in to the selected Sandbox
                          environment.
Background operations     Select to disable all asynchronous operations (see
                          Asynchronous service architecture) such as workflows and
                          synchronization with Exchange. Emails will not be sent and
                          server-side synchronization for appointments, contacts, and
                          tasks is disabled. Note: Administration mode must be
                          enabled to disable background operations.
Custom message            Enter a message that will be displayed to all users when they
                          attempt to sign in.

Set administration mode


1. Go to the Power Platform Admin center and sign in using Environment Admin or System Administrator role
credentials.
2. From the left-side menu, select Environments, and then select an environment.
3. Select See all.
4. On the Details page, select Edit.
5. Under Administration mode, toggle Disabled to Enabled.
6. Set Background operations and Custom message, and then select Save.
About Trial environments
8/9/2019 • 3 minutes to read

Currently, you can create two types of Common Data Service environments: Trial or Production. A Trial
environment is useful for trying out Dynamics 365 for Customer Engagement apps at no cost. Trial environments
expire after 30 days.
Open the Environments page to see the environment types you have and the upcoming expiration date for Trial
environments:

Convert a Trial environment to Production


While using the Trial environment, if you created resources you want to retain longer than 30 days, convert the
Trial to a Production environment.
If you have 1GB of available database capacity, you can convert a Trial environment to Production. You might need
to free up or purchase additional capacity if the Trial database exceeds 1GB. To determine the size of the Trial
database see: Common Data Service storage capacity.
Follow these steps to convert a Trial environment to a Production environment:
1. Go to https://admin.powerapps.com/environments, and sign in as an admin.
2. Open the Environments page, and select the Trial environment you want to convert to Production:

3. On the Details tab, select Convert:


4. Select Confirm:

If your environment has a database, it might take several hours to convert to a Production environment. You can
monitor the progress through the notification on the Details tab:

Frequently asked questions


Who can convert a Trial environment to a Production environment?
If you have 1GB of available database capacity, you can convert a Trial environment to Production. You might need
to free up or purchase additional capacity if the Trial database exceeds 1GB. To determine the size of the Trial
database see: Common Data Service storage capacity.
What if I don’t have available quota for Production environments?
Contact your Office 365 Global admin or Azure Active Directory (Azure AD) tenant admin to:
Assign PowerApps Plan 2 to you.
Locate another user who has available Production environment quota.
You can also purchase a PowerApps Plan.
Can every Office 365 Global admin or Azure AD tenant admin convert a Trial environment to a Production
environment?
No. Global admins and Azure AD tenant admins need to have available quota for Production environments to be
able to convert a Trial environment to a Production environment.
How can I retain my data and resources if I don’t have a way to convert the Trial environment to a Production
environment?
You can export your resources and data to another environment. If you want to retain them for a longer time, we
recommend you create a Production environment or an individual environment (with PowerApps Community
Plan) and export your resources to that environment.
Here are some guidelines for exporting resources.

TYPE OF RESOURCE IN THE ENVIRONMENT | HOW DO I EXPORT IT?
Apps (canvas and model-driven) and flows | You can use packaging to export apps and flows from one environment.
Data in the database (Common Data Service environment) | You have multiple options: (1) Export to Excel and save the data. You can import the data into another environment. (2) You can use Data Integrator services and APIs to export data into another environment.

We delete Trial environments that haven’t had any activity in the environment databases for 30 days.
How can I create a Production or an individual environment?
You need to have a PowerApps plan that provides Production environment creation.
You can create an individual environment by signing up for the PowerApps Community Plan. Note that there are
restrictions on sharing apps in individual environments—these environments are meant for personal use only.
How do I identify my plan(s)?
To determine your plan(s), select the Gear icon in the upper-right corner of the PowerApps site, and then select
Plan(s).

See also
Administer environments in PowerApps
Environments overview
Choose the right plans for your team
Licensing overview
Manage environments in the PowerApps Admin center
8/9/2019 • 7 minutes to read

NOTE
We are moving environment management from other admin centers to the Power Platform Admin center. Until this is
completed, some management can be or must be done in other admin centers such as the PowerApps Admin center.

In the PowerApps Admin center, manage environments that you've created and those for which you have been
added to the Environment Admin or System Administrator role. From the admin center, you can perform these
administrative actions:
Create environments.
Rename environments.
Add or remove a user or group from either the Environment Admin or Environment Maker role.
Provision a Common Data Service database for the environment.
Set Data Loss Prevention policies.
Set database security policies (as open or restricted by database roles).
Members of the Azure AD tenant Global administrator role (includes Office 365 Global admins) can also
manage all environments that have been created in their tenant and set tenant-wide policies.
For more information, see Environments overview.

Access the PowerApps Admin center


To access the PowerApps Admin center:
Go directly to admin.powerapps.com, OR
Go to powerapps.com, and then select the gear icon in the navigation header.

To manage an environment in the PowerApps Admin center, you must have one of these roles:
The Environment Admin or System Administrator role of the environment, OR
The Global Administrator role of your Azure AD or Office 365 tenant.
You also need either a PowerApps Plan 2 or Microsoft Flow Plan 2 license to access the admin center. For more
information, see the PowerApps pricing page.
IMPORTANT
Any changes that you make in PowerApps Admin center affect the Microsoft Flow admin center and vice versa.

Create an environment
For instructions on how to create an environment, see Create an environment.

View your environments


When you open the admin center, the Environments tab appears by default and lists all the environments for
which you are an Environment Admin (as shown below):

If you are a member of the Global Administrator role of your Azure AD or Office 365 tenant, all the
environments that have been created by users in your tenant appear, because you're automatically an
Environment Admin for all of them.

Rename your environment


1. Open the PowerApps Admin center, find the environment to be renamed in the list, and click or tap it.

2. Click or tap Details.

3. In the Name text box, enter the new name, then click Save.
If you have created the database in the environment, then you will not see this option. You can rename
the environment from the Dynamics 365 Admin center by clicking the link on the Details tab.

Delete your environment


1. In the PowerApps Admin center, click or tap the environment that you want to delete.

2. Click or tap Details.

3. Click or tap Delete environment to delete your environment.

Create a Common Data Service database for an environment


If an environment doesn't already have a database, an Environment Admin can create one in the PowerApps
Admin center by following these steps. Only users with a PowerApps Plan 2 license can create Common Data
Service databases.
1. Select an environment in the environments table.

2. Select the Details tab.


3. Select Create a database.

After you create a database, choose a security model. For more information, see Configure database security.

Manage security for your environments


Environment permissions
In an environment, all the users in the Azure AD tenant are users of that environment. However, for them to
play a more privileged role, they need to be added to a specific environment role. Environments have two built-
in roles that provide access to permissions within an environment:
The Environment Admin role (or System Administrator role) can perform all administrative actions
on an environment including the following:
Add or remove a user from either the Environment Admin or Environment Maker role.
Provision a Common Data Service database for the environment.
View and manage all resources created within an environment.
Set data loss prevention policies. For more information, see Data loss prevention policies.

NOTE
If the environment has the database, then you need to assign users the System Administrator role, instead of
the Environment Admin role.

The Environment Maker role can create resources within an environment including apps, connections,
custom connectors, gateways, and flows using Microsoft Flow. Environment Makers can also distribute
the apps they build in an environment to other users in your organization. They can share the app with
individual users, security groups, or all users in the organization. For more information, see Share an app
in PowerApps.
To assign a user or a security group to an environment role, an Environment Admin can take these steps in the
PowerApps Admin center:
1. Select the environment in the environments table.

2. Select the Security tab.


3. If there is no database created in the environment:
a. Select either the Environment Admin or Environment Maker role.

b. Specify the names of one or more users or security groups in Azure Active Directory, or specify that
you want to add your entire organization.

c. Select Save to update the assignments to the environment role.


4. If a database is created in the environment:
a. Add the user to the environment and click on the link to assign the user a role.
b. Select the user from the list of users in the environment / instance.

c. Assign the role to the user.

d. Select OK to update the assignments to the environment role.

NOTE
Users or groups assigned to these environment roles are not automatically given access to the environment’s database (if
it exists) and must be given access separately by a Database owner. For more information, see Configure database
security.

Database security
The ability to create and modify a database schema and to connect to the data stored within a database that is
provisioned in your environment is controlled by the database's user roles and permission sets. You can manage
the user roles and permission sets for your environment's database from the User roles and Permission sets
section of the Security tab. For more information, see Configure database security.
Data policies
An organization's data must be protected so that it isn't shared with audiences that should not have access to it.
To protect this data, you can create and enforce policies that define which consumer services and
connector-specific business data can be shared with. Policies that define how data can be shared are referred to as data
loss prevention (DLP) policies. You can manage the DLP policies for your environments from the Data Policies
section of the PowerApps Admin center. For more information, see Data loss prevention policies.

Frequently asked questions


How many environments and databases can I create?
Provisioning environments is based on the available storage in your organization. You need at least 1GB
of database storage to create an environment. For more information, see Environments overview.
Which license includes Common Data Service?
PowerApps Plan 2. See PowerApps pricing page for details on all the plans that include this license.
While trying to create a new environment, I am getting an error. How should I resolve it?
If you are getting the following error message: "Either your plan doesn’t support the environment type selected
or you’ve reached the limit for that type of environment.", it can mean one of the two things:
1. You have already used your quota for that specific type of environment. Say you were creating a
Trial environment and you get this error message. That means that you have already provisioned two
Trial environments. You can view all the environments in the PowerApps Admin center. If you want, you can
delete an existing environment of that specific type and create a new one. Before you do, make sure that you
don't lose data, apps, flows, and other resources that you want to retain.
2. You do not have a quota to create that specific type of the environment.
If you are getting any other error message or have more questions, please connect with us here.
When will my Trial environment expire?
Trial environments expire after 30 days from their creation. If you don't want your Trial environments to expire,
you can convert them to Production environments.
Does my current database (created with a previous version of the Common Data Service) also get counted in
the quota?
If you had a database (created with a previous version of the Common Data Service), it will also be counted
against your Production environment quota. If you now create a database in an environment (created prior to
March 15, 2018), then it will also be counted as a Production environment.
Can I rename an environment?
Yes, this functionality is available from the PowerApps Admin center. See Environments Administration for
more details.
Can I delete an environment?
Yes, this functionality is available from the PowerApps Admin center. See Environments Administration for
more details. Please note that you currently can't delete a Production environment with a database (with latest
version of the Common Data Service). This will be coming soon!
As an Environment Admin, can I view and manage all resources (apps, flows, APIs, etc.) for an environment?
Yes, the ability to view the apps and flows for an environment is available from the PowerApps Admin center.
See View Apps for more details.
Regions overview in PowerApps
4/22/2019 • 2 minutes to read

How do I find out where my app is deployed?


Your app is deployed in the region that hosts the environment. For example, if your environment is created in the
Europe region, then your app is deployed in Europe data centers.
If you're an administrator, you can determine the region of each environment in the PowerApps Admin center.
Go to the admin center, and sign in with your work account.
In the admin center, all existing environments are listed on the Environments tab. This list shows the
Region where your app is deployed:

What regions are available?


Asia
Australia
Canada
Europe
India
Japan
South America
United Kingdom
United States
US Government (GCC)

Who can create environments in these regions?


With PowerApps, you can create environments in various regions across the globe, which benefits your business in
these ways:
Store your data closer to your users
Maintain the compliance requirement of your geography
You can create a database for an environment in one region (for example, United States) even if the Azure Active
Directory (Azure AD) tenant is in another region (for example, Canada or Europe). Note the following:
Tax laws prevent you from creating a database for an environment in India and Australia, if your Azure AD
tenant is not in India and Australia respectively. You can get an exception for Australia.
You can create an environment in the Preview (United States) region, regardless of where the Azure AD tenant
is, but you can’t provision a database in that region.
Only a US Government associated organization can create an environment in US Government (GCC).

YOUR AZURE AD TENANT'S HOME LOCATION | REGIONS WHERE YOU CAN CREATE A DATABASE
India | Any region except Australia and Preview (United States)
Australia | Any region except India and Preview (United States)
Any other location | Any region except India, Australia, and Preview (United States)

What features are specific to a given region?


Environments can be created in different regions, and are bound to that geographic location. When you create an
app in an environment, that app is deployed in datacenters in that geographic location. This applies to any items
you create in that environment, including databases in the Common Data Service, apps, connections, gateways, and
custom connectors.
For optimal performance, if your users are in Europe, create and use the environment in the Europe region. If your
users are in the United States, create and use the environment in the U.S.

NOTE
On-premises data gateways aren't available in the India region or in custom environments. You must create gateways in the
default environment.
Manage the encryption key
8/9/2019 • 10 minutes to read

[This topic is pre-release documentation and is subject to change.]


All environments of Common Data Service and Dynamics 365 for Customer Engagement apps use SQL Server
Transparent Data Encryption (TDE) to perform real-time encryption of data when written to disk, also known as
encryption at rest.
By default, Microsoft stores and manages the database encryption key for your environments so you don’t have to.
The manage keys feature in the Power Platform Admin Center (preview) gives administrators the ability to
self-manage the database encryption key that is associated with the Common Data Service and Dynamics 365 (online)
apps tenant.

IMPORTANT
Self-managed database encryption keys are only available for customers who have more than 1000 P1/P2 licensed user seats
and who have opted in to the feature. To opt in to this program, contact your account or sales representative.
Encryption key management is only applicable to Azure SQL environment databases. The following features and services use
their own key to encrypt their data and can’t be encrypted with the self-managed encryption key:
Relevance Search
Mobile Offline
Activity Log (Office 365 portal)
Exchange (Server-side sync)

Introduction to key management


With key management, administrators can provide their own encryption key or have an encryption key generated
for them, which is used to protect the database for an environment.
The key management feature supports both PFX and BYOK encryption key files, such as those stored in a
hardware security module (HSM). To use the upload encryption key option you need both the public and private
encryption key.
The key management feature takes the complexity out of encryption key management by using Azure Key Vault to
securely store encryption keys. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud
applications and services. The key management feature doesn’t require that you have an Azure Key Vault
subscription and for most situations there is no need to access encryption keys used for Common Data Service and
Dynamics 365 (online) apps within the vault.
The manage keys feature lets you perform the following tasks.
Enable the ability to self-manage database encryption keys that are associated with Common Data Service
and Dynamics 365 (online) environments.
Generate new encryption keys or upload existing .PFX or .BYOK encryption key files.
Lock and unlock tenant environments.
WARNING
While a tenant is locked, all environments within the tenant can't be accessed by anyone. More information: Lock the
tenant

Understand the potential risk when you manage your keys


As with any business critical application, personnel within your organization who have administrative-level access
must be trusted. Before you use the key management feature, you should understand the risk when you manage
your database encryption keys. It is conceivable that a malicious administrator (a person who is granted or has
gained administrator-level access with intent to harm an organization's security or business processes) working
within your organization might use the manage keys feature to create a key and use it to lock all Dynamics 365
(online) environments in the tenant.
Consider the following sequence of events.
The malicious administrator signs in to the Power Platform Admin Center (preview), goes to the Environments
tab and selects Manage encryption key. The malicious administrator then creates a new key with a password and
downloads the encryption key to their local drive, and activates the new key. Now all the environment databases
are encrypted with the new key. Next, the malicious administrator locks the tenant with the newly downloaded key,
and then takes or deletes the downloaded encryption key.
These actions will result in disabling all the environments within the tenant from online access and make all
database backups un-restorable.

IMPORTANT
To prevent the malicious administrator from interrupting the business operations by locking the database, the managed keys
feature doesn't allow tenant environments to be locked for 72 hours after the encryption key has been changed or activated.
Additionally, anytime an encryption key is changed for a tenant, all Dynamics 365 for Customer Engagement apps (online)
administrators receive an email message alerting them of the key change. This provides up to 72 hours for other
administrators to roll back any unauthorized key changes.

Key management requirements


Privileges required
To use the manage keys feature you need one of the following privileges:
Office 365 Global administrators membership.
Office 365 Service administrators group membership.
System administrator security role for the environment of Dynamics 365 (online) apps that you want to
manage the encryption key.
Encryption key requirements
If you provide your own encryption key, your key must meet these requirements that are accepted by Azure Key
Vault.
The encryption key file format must be PFX or BYOK.
2048-bit RSA or RSA-HSM key type.
PFX encryption key files must be password protected.
For more information about generating and transferring an HSM-protected key over the Internet see How to
generate and transfer HSM-protected keys for Azure Key Vault.

Key management tasks


To simplify the key management tasks, the tasks are broken down into three areas:
1. Generate or upload the encryption key for a tenant
2. Activate an encryption key for a tenant
3. Manage encryption for an environment
Administrators can use the Power Platform Admin Center (preview) or the Dynamics 365 for Customer
Engagement Microsoft.Xrm.OnlineManagementAPI PowerShell module cmdlets to perform the key management
tasks described here.
Generate or upload the encryption key for a tenant
All encryption keys are stored in the Azure Key Vault, and there can only be one active key at any time. Since the
active key is used to encrypt all the environments in the tenant, managing the encryption is operated at the tenant
level. Once the key is activated, each individual environment can then be selected to use the key for encryption.
Use this procedure to set the manage key feature the first time for an environment or to change (or roll-over) an
encryption key for an already self-managed tenant.

WARNING
When you perform the steps described here for the first time you are opting in to self-managing your encryption keys. More
information: Understand the potential risk when you manage your keys

1. Sign in to the Power Platform Admin Center (preview).


2. Select the Environments tab, and then select Manage encryption keys on the toolbar.
3. Select Confirm to acknowledge the manage key risk.
4. Select New key on the toolbar.
5. On the left pane, complete the details to generate or upload a key:
Select a Region. This option is only shown if your tenant has multiple regions.
Enter a Key name.
Choose from the following options:
To create a new key, select Generate new (.pfx). More information: Generate a new key (.pfx)
To use your own generated key, select Upload (.pfx or .byok). More information: Upload a key
(.pfx or .byok)
6. Select Next.
7. Email notification is sent to all administrators. More information: Encryption key change notification
Generate a new key (.pfx)
1. Enter a password, and then re-enter the password to confirm.
2. Select Create, and then select the created file notification on your browser.
3. Download and save the file in a secure location (we recommend that this key is backed up along with its
password).
To perform this task using PowerShell, see Get-CRMGenerateProtectionkey and Set-CrmTenantProtectionKey.
Upload a key (.pfx or .byok)

1. Select Upload the Key, select the .pfx or .byok [1] file, and then select Open.
2. Enter the password for the key, and then select Create.
[1] For .byok encryption key files, make sure you use the subscription id as shown on the screen when you export the
encryption key from your local HSM. More information: How to generate and transfer HSM-protected keys for
Azure Key Vault
To perform this task using PowerShell, see New-CRMImportProtectionKey and Set-CrmTenantProtectionKey.
Activate an encryption key for a tenant
Once an encryption key is generated or uploaded for the tenant, it can be activated.
1. Sign in to the Power Platform Admin Center (preview).
2. Select the Environments tab, and then select Manage encryption keys on the toolbar.
3. Select Confirm to acknowledge the manage key risk.
4. Select a key that has an Available state and then select Activate key on the toolbar.
5. Select Confirm to acknowledge the key change and that all administrators will be notified. More information:
Encryption key change notification
When you activate a key for the tenant, it takes a while for the key management service to activate the key. The
status of the Key state displays the key as Installing when the new or uploaded key is activated. Once the key is
activated, the following occurs:
All encrypted environments automatically get encrypted with the active key (there is no downtime with this
action).
When activated, the encryption key will be applied to all environments that are changed from Microsoft-
provided to self-managed encryption key.
To perform this task using PowerShell, see Set-CrmProtectWithTenantKey.

IMPORTANT
To streamline the key management process so that all environments are managed by the same key, the active key can't be
updated when there are locked environments. All locked environments must be unlocked before a new key can be activated.
If there are locked environments that don't need to be unlocked, they must be deleted.

NOTE
After an encryption key is activated, you can’t activate another key for 24 hours.

Manage encryption for an environment


By default, each environment is encrypted with the Microsoft-provided encryption key. Once an encryption key is
activated for the tenant, administrators can elect to change the default encryption to use the activated encryption
key. To use the activated key, follow these steps.
Apply encryption key to an environment
1. Sign in to the Power Platform Admin Center (preview).
2. Select the Environments tab.
3. Open a Microsoft-provided encrypted environment.
4. Select See all.
5. In the Environment Encryption section, select Manage.
6. Select Confirm to acknowledge the manage key risk.
7. Select Apply this key to accept changing the encryption to use the activated key.
8. Select Confirm to acknowledge that you are managing the key directly and that there is downtime for this
action.
Return a managed encryption key back to Microsoft-provided encryption key
Returning to the Microsoft-provided encryption key configures the environment back to the default behavior
where Microsoft manages the encryption key for you.
1. Sign in to the Power Platform Admin Center (preview).
2. Select the Environments tab, and then select an environment that is encrypted with a self-managed key.
3. Select See all.
4. In the Environment Encryption section, select Manage, and then select Confirm.
5. Under Return to standard encryption management, select Return.
6. For Production environments, confirm the environment by entering the environment's name.
7. Select Confirm to return to standard encryption key management.
To perform this task using PowerShell, see Set-CrmProtectWithMicrosoftKey.
Lock the tenant
Since there is only one active key per tenant, locking the encryption for the tenant disables all the environments
that are in the tenant. All locked environments remain inaccessible to everyone, including Microsoft, until a tenant
administrator in your organization unlocks it by using the key that was used to lock it.
Caution

You should never lock the tenant environments as part of your normal business process. When you lock a
Common Data Service or Dynamics 365 for Customer Engagement tenant, all the environments will be taken
completely offline and they can't be accessed by anyone, including Microsoft. Additionally, services such as
synchronization and maintenance are all stopped. If you decide to leave the service, locking the tenant can ensure
that your online data is never accessed again by anyone.
Note the following about tenant environments locking:
Locked environments can’t be restored from backup.
Locked environments are deleted if not unlocked after 28 days.
You can’t lock environments for 72 hours after an encryption key change.
Locking a tenant locks all environments within the tenant.
Tenant locking is currently unavailable from the Power Platform Admin Center (preview). To lock a tenant using the
PowerShell cmdlet, see Set-CrmLockTenantProtectedInstances.
Unlock locked environments
To unlock environments you must first upload and then activate the tenant encryption key with the same key that
was used to lock the tenant. Please note that locked environments do not get unlocked automatically once the key
has been activated. Each locked environment has to be unlocked individually.
Environment unlocking is currently unavailable from the Power Platform Admin Center (preview). To unlock an
environment using the PowerShell cmdlet, see Set-CrmUnlockTenantProtectedInstance.

Encryption key change notification


IMPORTANT
When an encryption key is activated or changed, all Dynamics 365 for Customer Engagement apps (online) administrators
receive an email message alerting them of the change. This provides a means to allow other administrators to verify and
confirm that the key was updated by an authorized administrator. Since it takes time to activate the key and to encrypt all the
environments, and to send out the email notification, an encryption key can only be updated once every 24 hours.
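The timing rules in this topic (no tenant lock for 72 hours after a key change, 24 hours between activations, locked environments deleted after 28 days) can be applied to a record of key-management requests to see which ones the rules permit and which lock deserves review. The following Python is an added example, not Microsoft code: the event tuples, action names, rule labels, and the 7-day review window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Timing rules stated in this topic.
LOCK_HOLD = timedelta(hours=72)       # no tenant lock for 72 hours after a key change
ACTIVATION_GAP = timedelta(hours=24)  # no second activation for 24 hours
LOCK_RETENTION = timedelta(days=28)   # locked environments are deleted after 28 days
# Assumption (not from this topic): a lock requested by the admin who changed
# the key, within this window of the change, is escalated for review.
REVIEW_WINDOW = timedelta(days=7)

# Constructed sample requests: (ISO time, admin, action, key name).
SAMPLE_EVENTS = [
    ("2019-08-01T09:00", "admin-a", "activate", "key-2019"),
    ("2019-09-10T22:20", "admin-b", "activate", "key-x"),
    ("2019-09-11T08:00", "admin-b", "activate", "key-y"),
    ("2019-09-12T10:00", "admin-b", "lock", "key-x"),
    ("2019-09-13T22:30", "admin-b", "lock", "key-x"),
    ("2019-09-14T09:00", "admin-a", "activate", "key-2019"),
]


def _finding(when, admin, rule, allowed, deadline=None, suspicious=False):
    return {"time": when, "admin": admin, "rule": rule, "allowed": allowed,
            "deadline": deadline, "suspicious": suspicious}


def review_key_events(events):
    """Classify each request against the timing rules and return findings."""
    findings = []
    last_activation = None  # (time, admin, key) of the last permitted activation
    locked_with = None      # name of the key used to lock the tenant, if locked
    for stamp, admin, action, key in sorted(events):
        when = datetime.fromisoformat(stamp)
        if action == "activate":
            if locked_with is not None and key != locked_with:
                # A new key cannot be activated while environments are locked.
                findings.append(_finding(when, admin, "ACTIVATION_BLOCKED_LOCKED", False))
            elif last_activation and when - last_activation[0] < ACTIVATION_GAP:
                findings.append(_finding(when, admin, "ACTIVATION_TOO_SOON", False))
            else:
                last_activation = (when, admin, key)
                # Deadline: end of the 72-hour window in which other admins
                # can roll the change back before a lock becomes possible.
                findings.append(_finding(when, admin, "KEY_CHANGED", True,
                                         deadline=when + LOCK_HOLD))
        elif action == "lock":
            if last_activation and when - last_activation[0] < LOCK_HOLD:
                findings.append(_finding(when, admin, "LOCK_BLOCKED", False))
            else:
                locked_with = key
                same_admin_recent = bool(
                    last_activation
                    and admin == last_activation[1]
                    and when - last_activation[0] <= REVIEW_WINDOW
                )
                # Deadline: when locked environments are deleted if not unlocked.
                findings.append(_finding(when, admin, "TENANT_LOCKED", True,
                                         deadline=when + LOCK_RETENTION,
                                         suspicious=same_admin_recent))
    return findings


if __name__ == "__main__":
    for f in review_key_events(SAMPLE_EVENTS):
        print(f["time"], f["admin"], f["rule"],
              "allowed" if f["allowed"] else "rejected",
              f["deadline"] or "", "REVIEW" if f["suspicious"] else "")
```

In the sample, the second lock request falls ten minutes after the 72-hour window closes and comes from the administrator who changed the key, so it is marked for review; the later attempt to activate a different key is rejected because the tenant is already locked.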
See also
Microsoft.Xrm.OnlineManagementAPI PowerShell reference
SQL Server: Transparent Data Encryption (TDE)
PowerApps Preview Program
4/15/2019 • 4 minutes to read

PowerApps updates the platform and its capabilities every few days or weeks. The PowerApps Preview program is
a way to get early access to those upcoming functionalities and updates prior to availability in other regions
(where customer production apps are deployed).
With the PowerApps Preview program, you can:
Try out, learn, and dogfood upcoming functionalities: Many functionalities will be rolled out first in the
preview for a few days to get feedback. By participating in the Preview program, you can learn about new
functionalities sooner and provide feedback. Also, you will be ready to quickly take advantage of new
functionalities as soon as they reach regions where their production apps are created.
Enable business continuity by ensuring current apps will continue to work with the upcoming updates
(vNext) of PowerApps.

What in PowerApps is available for preview?


To access the preview functionalities across PowerApps, you need to be in a preview environment. More details on
the preview environment are given in the next section. Currently we will be rolling out preview for the following
scenarios across PowerApps:
1. Creating apps: You can create canvas-based apps using the next version of PowerApps. This can be done by
creating apps in a preview environment. Current limitation: model-driven apps can’t be built in the
preview program; we're working on it.
2. Managing apps: You can manage and share apps using the PowerApps web portal. To access the preview
functionalities, all you need to do is to be in a preview environment; it will take you to the preview version of
the PowerApps web portal.
3. Playing apps: You need to play the apps in a preview environment using the web player. When you do that,
you will be automatically taken to the preview version of the web player. Apps will play with the vNext version of the
PowerApps web player. Current limitations: PowerApps Mobile for iOS, Android, and Windows are
currently not available for preview. Playing the apps created in the First Release environment might not work;
we're working on it.
4. Administrating PowerApps: Admin experiences are available for preview using the preview version of
the PowerApps Admin center.

How to get early access to the upcoming updates?


For PowerApps, all the apps and related resources are stored in an environment. Early access to all preview
functionalities is also available with an environment created in a region where the vNext (preview) is deployed.
For now, there is only one region, Preview (United States), as shown in the image below:
Select the region for the environment as Preview (United States) and accept the consent for joining the Preview
Program to create the environment to get access to the next version (vNext) of PowerApps. All the apps and other
resources created in this environment are on the vNext version of the platform (SAAS).

How to learn about the latest updates?


You can learn about the new functionalities that are available for preview at What’s new in PowerApps. The
functionalities that are available only in the preview have a ‘Preview’ tag.

Key scenarios to test with the preview program


1. Validate your production apps with the upcoming PowerApps updates (vNext)
You might want to verify that your production apps work with the upcoming updates to
PowerApps. You can copy the apps from a production environment to an environment in First Release and
play the apps to test out the scenarios. Please note, all the other necessary resources like CustomAPI, Flow,
etc., will also need to be moved along with it. This should just create another copy of these apps and
required resources. You can start testing out the newer updates not just for playing an app, but also while
editing and managing the apps.
2. Trying out the new functionalities available in preview
We will be launching many new functionalities initially in the Preview (United States) region. You can try
out the new functionalities prior to their being available in rest of the regions (which might impact your
production environment).

How to provide feedback to the product team?


You can provide feedback on the PowerApps forum and/or contact support.

What are the known issues and limitations?


1. PowerApps portals and clients which are not available in preview
There are certain functionalities, services and portals which are available in preview:

2. Accessing apps created in First Release environment from the Desktop Studio in Windows
As mentioned above, Desktop Studio in Windows is not available in preview. Hence, creating or editing
apps in the preview environment might not be compatible with your Desktop Studio, which shows an
error message.

In such a case, we recommend you use Web Studio to create or edit an app in the preview environment.
3. Database cannot be created in Preview region
Currently, you cannot create a database with Common Data Service in an environment in Preview (United
States) region - we're working on it.
Manage Common Data Service settings
3/22/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


You can view and manage the settings for your environments by going to the Environments page, selecting an
environment, and then selecting Settings.

Settings for the selected environment can be managed here.


Environment settings are moving
Organization-wide admin settings are gradually moving from the Dynamics 365 for Customer Engagement web
client to the Power Platform Admin center. Until the move to the Power Platform Admin center is complete, you’ll
still be able to manage settings in Customer Engagement as usual.
Many of these settings...

...are moving here.


Use the links on this page to manage organization-wide settings. App-specific settings will remain in Dynamics
365 for Customer Engagement apps and will be accessed through the app settings.
Manage behavior settings
4/16/2019 • 3 minutes to read

[This topic is pre-release documentation and is subject to change.]


Use Behavior settings to adjust how Dynamics 365 for Customer Engagement apps appear and function.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Behavior.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the business closures.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Settings
SETTINGS DESCRIPTION

Basic behavior

Auto save Default: On. If On, after a record is created (initially saved), any
changes made to a form will automatically be saved thirty
seconds after the change is made. The 30-second period
starts again after a change is made. If no changes are made,
the automatic save doesn’t happen. More information:
Manage auto-save

Load default static content from Content Delivery Network Default: On. Customer Engagement apps will load out-of-the-
box static content from the Azure Content Delivery Network
(CDN) service. For firewall restrictions and IP whitelisting
related issues, system administrators can select Off to disable
the Azure Content Delivery Network feature.

Share reassigned records with original owner Default: Off. Select whether a record is shared with the original
owner of the record, or completely reassigned to another user.

Open in application mode Default: Off. Select On to enable application mode. When this
mode is enabled, Customer Engagement apps can be opened
in a browser without menus, navigation, or toolbars. Hiding
these parts of the browser causes Customer Engagement
apps to appear like a separate application rather than a
website.

Use Unified Interface only Default: Off. When you enable Unified Interface Only, all your
apps, including those designed for the legacy web client, run in
Unified Interface all the time. Environments with legacy web
client apps will show a notification on the Apps home page,
prompting System Administrators to update those apps to
Unified Interface.

Use legacy form rendering Default: Off. For compatibility, use the legacy form rendering
engine. Note that performance may be adversely affected. If
you have forms that include unsupported customizations,
these enhancements can cause compatibility problems. To
avoid this, you can temporarily turn the form enhancements
off by setting to On. We recommend that you reset this
setting to Off after addressing scripting problems so you can
take advantage of optimized forms. Note: When a form that
includes unsupported customizations is used, such as
unsupported JavaScript, the form may fail to load or the user
will receive an error message.
If the form just fails, set the Use legacy form rendering
option to On. If the form loads after you select this
option, you may have unsupported customizations.
If the user receives an error, select "View the data that
will be sent to Microsoft" and see the details in the
tags.

Formatting

Full name display order Default: First Name. Select the order in which you want
customer and user names to be displayed.

Display currencies using Default: Currency symbol. Set how to display currencies, either
by a currency symbol, which is the default setting, or by
currency code. For example, a currency symbol could be $, and
the currency code could be USD.

Pricing decimal precision Default: 0. Select how many decimal points to use for a
currency.

Display behavior

Show app download message Default: On. If On, users will see a message regarding
downloading the Dynamics 365 for tablets app.

Show legacy app to everyone, not just admin Default: On. The legacy web app, also known as Dynamics 365
- custom, is hidden from end users when a new environment
is provisioned. It is always visible to those with System
Administrator and System Customizer roles, and to other
custom roles with similar privileges. More information:
Dynamics 365 - custom.

Legacy app name Enter the label to use for the legacy app. This appears on the
Dynamics 365 for Customer Engagement apps home page.
The legacy label is Dynamics 365 - custom. More information:
Dynamics 365 - custom.

Show welcome screen on sign in Default: On. Select On to see the detailed card form in a
dashboard. If set to Off, only the header and minimal details
are displayed in the card form.

Show Microsoft Flow on forms and in the site map Default: On. Select On to enable embedded Microsoft Flows in
your organization. More information: Enable embedded Flow
to automate processes.

Show dashboard cards in expanded state Default: Off. Select On to see the detailed card form in a
dashboard. If set to Off, only the header and minimal details
are displayed in the card form.
Manage feature settings
7/26/2019 • 3 minutes to read

[This topic is pre-release documentation and is subject to change.]


Use Feature settings to adjust how Dynamics 365 for Customer Engagement apps features appear and function.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Features.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the business closures.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Settings
SETTINGS DESCRIPTION

AI Builder (preview)

Create AI models in PowerApps Default: On. If Off, the environment will not have access to AI
Builder. Not all environments will have this setting. For
information about environments eligible for this feature and
related details, see Administer AI Builder

Embedded content

Power BI visualization embedding Default: Off. More information: Add or edit Power BI
visualizations on your dashboard

Bing Maps Default: Off. If On, Dynamics 365 for Customer Engagement
apps (on-premises) users will need to enter a Bing Maps key.
Customer Engagement apps users don’t need to enter a key.

Prevent social data in Dynamics Default: Off. If you don’t want to receive social data in
Dynamics 365 for Customer Engagement apps, select Off. If
you disable social engagement, your organization will not be
able to receive social data in Dynamics 365 for Customer
Engagement apps. Users can continue to work with existing
social data, however.

Communications

Skype presence Default: On. If On, instant messaging will display the current
status for users, contacts, opportunities, or leads. This only
applies to lists and sub-lists for entities with an updated user
interface.

Country/region code prefixing for numbers Default: On. If On, Customer Engagement apps will prefix the
country/region code to numbers that users are trying to call.

Set the telephony provider Default: On. Choose which provider to enable outbound calls
from within Dynamics 365 for Customer Engagement apps.
This setting doesn’t apply to Dynamics 365 for tablets or
Dynamics 365 for phones.

Use Skype Default: enabled. More information: Set up Dynamics 365
(online) to use Skype or Skype for Business

Use Skype for Business Default: not enabled.

Search

Relevance Search Default: Off. If On, you can use Relevance search to find
records across multiple entities, sorted by relevance.

Quick Find record limits Default: On. If On, if more than 10,000 records are found, a
message will be displayed that suggests a more selective
search. More information: Configure Relevance search for the
organization

Help features

Custom help for customizable entities Default: Off. Select On to replace the default Help content with
custom Help designed for your users. After you enable custom
Help, you can enter a Global Custom Help URL.

Global custom help URL To replace the default Help with a single URL for all
customizable record types (entities), enter the URL here. You
also have the option of entering override URLs for each record
type (entity) for customizable record types. More information:
Create your own guided help

Append parameters to URL Default: Not selected. Select On to append parameters to the
URL and make your Help content more dynamic. For
example, you can access parameters for User Language Code,
Entity Name, Entry Point, and Form ID. More information:
Create your own guided help

Learning path Default: Off. Changes access to Learning Path for an entire
organization. More information: On/off switch for Learning
Path (guided help).

Learning path authoring Default: Off. Set to On if you want to enable users to author
Learning Path content. More information: Create your own
guided help (Learning Path) for your customers

Auditing

Start Auditing Default: Off. Start or stop auditing.



Log access Default: Off. If enabled, Customer Engagement apps tracks
when the user started accessing Customer Engagement apps
and whether or not the user accessed the application by using
the web application or Dynamics 365 for Outlook.

Read logs Default: Off.


Regional and language options for your environment
8/19/2019 • 2 minutes to read

Enable languages in your organization to display the user interface and Help in a language that’s different from the
base language.
The following table shows tasks that are associated with changing regional and language options for your
organization.

TASK DESCRIPTION

Set the base language The base language determines default settings for regional
and language options in Dynamics 365 apps. After the base
language is set, you can’t change it.

Enable or disable languages You can enable or disable available languages in the Settings
area.

Add and remove currencies Similar to setting the base language, you select your
organization's base currency during the purchasing process for
a subscription to Dynamics 365 apps. After the base currency
is set, you can’t change it.

However, if your organization uses more than one currency to
track financial transactions, you can add currencies.

Deactivate or activate currency records You can’t delete currency records that are being used by other
records, such as opportunities or invoices. However, you can
deactivate currency records so they won’t be available for
future transactions.

Enable the language


These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Product > Languages.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
Before users can start using a Language Pack to display a language, the Language Pack must be enabled in your
Dynamics 365 apps organization.
1. Sign in to the Power Platform Admin center.
2. Select an environment and go to Settings > Product > Languages.
Here you’ll see each Language Pack installed in your environment, with a check box to the left of each listed
Language Pack.
3. For each Language Pack that you want to provision (enable), select the check box next to it. For each
Language Pack that you want to unprovision (disable), clear the check box.
4. Select Apply.
5. Select OK on any confirmation dialog boxes that open.

NOTE
It may take several minutes to provision or unprovision the languages.

6. Select Close to close the Language Settings dialog box.

Select the language to display the user interface and Help


Each user selects the language to display in an app. See Languages tab options.
Manage privacy and security settings
3/22/2019 • 3 minutes to read

[This topic is pre-release documentation and is subject to change.]


Use these settings to adjust Dynamics 365 for Customer Engagement apps privacy and security.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Privacy + Security.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the business closures.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Settings
SETTINGS DESCRIPTION

Privacy preference More information: Set error reporting preferences for the
organization

Show privacy statement link for this organization Default: Off. Select to display the privacy statement link.

Privacy statement URL Provide users with a link to your organization's privacy
statement. If you show the link, it will be added to the
Settings menu.

Default action to take when an error occurs More information: Replace the privacy statement for the
organization

Ask the user for permission to send an error report to Microsoft Default: Not selected.

Automatically send an error report to Microsoft without asking me for permission Default: Not selected.

Never send an error report to Microsoft Default: Not selected.

Blocked attachments

Set blocked file extensions for attachments (semicolon separated) Prevent upload or download of certain attachment types that
are considered dangerous. Separate file extensions with a semicolon.

Session expiration More information: Security enhancements: User session and access management

Set custom session timeout Default: Off. Select On to specify values different from default
values.

Enter maximum session length Default: 1440. After the time you set is reached, users must
re-authenticate to Customer Engagement apps.

How long before the session expires do you want to show a timeout warning? Default: 20. After the time you set is reached, users receive an
expiration warning.

Inactivity timeout More information: Inactivity timeout

Set inactivity timeout Default: Off. Enable to automatically sign out a user.

Replace the privacy statement for the organization


By default, the Microsoft privacy statement is always shown to users with an administrator role only, and not to
other (business) users. As an administrator, you can add a link to specify your organization's privacy statement,
which is then shown to other users in your organization.
1. Go to Environments > [select an environment] > Settings > Privacy + Security
2. Under Privacy Preferences, turn on Show privacy statement link for this organization.
3. In the Privacy statement URL box, type the link of the webpage you want to show.

4. Select Save.

NOTE
Any user with the System Administrator security role will always see the Microsoft privacy statement and not the
organization’s privacy statement.

Set error reporting preferences for the organization


When errors occur in the product, data about the problem is sent to Microsoft. This data, an error report, allows
Customer Engagement apps to track and address errors relating to Dynamics 365. You can help Microsoft improve
products and services when you allow the system to send these error reports.
By default, individual users in Customer Engagement apps have a measure of control over whether to send error
reports to Microsoft. But you, as an administrator, can override their preferences and set up the error reporting
preferences for the entire organization.
1. Go to Environments > [select an environment] > Settings > Privacy + Security
2. Under Privacy Preferences, Default action to take when an error occurs, select an action to take.

3. Select Save.
When you use this setting, you can control error reporting for the entire organization by:
- Not allowing users to make changes in how error reporting occurs.
- Changing the default behavior for how error reporting happens.
Customize regional options
8/19/2019 • 2 minutes to read

You can customize how numbers, currencies, times, and dates appear to everyone in your organization.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Business > Regional formatting.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Business > Regional formatting.
2. Select the check box Enable the default country/region code, and then choose a region code.
3. Select the Formats tab.
4. From the Current Format list, select the language and country or region, and then select Customize.
5. In the Customize Regional Options dialog box, you can change the default settings for the selected
format. View how the changes will look in the preview boxes.
Select the Number tab to change the decimal symbol, digit grouping symbol, digit groups, and
negative numbers.
Select the Currency tab to change the currency format, negative currency amounts, and number of
decimal places.
Select the Time tab to change the time format, time separator, and notation for morning and
afternoon.
Select the Date tab to set the type of calendar, first day of the week, first week of the year, formats for
long and short dates, and whether or not to show week numbers in calendar views.
Select Apply to apply the changes and continue working in the dialog box, or select OK to save the
changes and close the dialog box.
6. Select OK.
Create or edit business units
8/19/2019 • 3 minutes to read

In Dynamics 365 apps, a business unit is a logical grouping of related business activities.
If your Dynamics 365 apps organization is structured around departments or divisions that have separate
products, customers, and marketing lists, you might want to create business units. Business units are mapped to an
organization’s departments or divisions. Users can securely access data in their own business unit, but they can’t
access data in other business units.
Business units, security roles, and users are linked together in a way that conforms to the Dynamics 365 apps role-
based security model. Use business units together with security roles to control data access so people see just the
information they need to do their jobs.
Keep the following in mind when creating business units:
- The organization (also known as the root business unit) is the top level of a Dynamics 365 apps business
  unit hierarchy. Dynamics 365 apps automatically creates the organization when you install or provision
  Dynamics 365 apps. You can’t change or delete the organization name.
- Each business unit can have just one parent business unit.
- Each business unit can have multiple child business units.
- Dynamics 365 apps security roles and users are associated with a business unit. You must assign every user
  to one (and only one) business unit.
- You can assign a team to just one business unit, but a team can consist of users from one or many business
  units. Consider using a team if you have a situation where users from different business units need to work
  together on a shared set of records.

Create a new business unit


These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Users + permissions > Business units.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Users + permissions > Business units.
2. On the Actions bar, select New.
3. In the Business Unit dialog box, type a name for the new business unit. Dynamics 365 apps automatically
fills in the Parent Business field with the name of the root business unit.
4. If you want to change the parent business unit, select the Lookup button, then Look Up More Records,
and then do one of the following:
Select an existing business unit from the list.
Create a new parent business unit:
a. Choose New, and then add the information for the new parent business unit in the Business
Unit dialog box.
b. When you’re done adding information, select Save and Close.
c. In the Look Up Record dialog box, select Add.
5. In the Business Unit dialog box, fill in any of the other optional fields, such as the Division, Website, contact
information, or addresses.
6. When you’re done making entries, select Save and Close.

Change the settings for a business unit


1. Select an environment and go to Settings > Users + permissions > Business units.
2. Select a business unit name.
3. In the Business Unit dialog box, do one or more of the following:
Modify the data in one or more fields.
Select a record type under Organization to see a list of related records. For example, select Users to
view a list of users in the selected business unit.
4. When you’re done making changes, select Save and Close.

Change the business unit for a user

IMPORTANT
By changing the business unit for a user, you remove all security role assignments for the user. At least one security role must
be assigned to the user in the new business unit.

1. Select an environment and go to Settings > Users + permissions > Users.
2. Select a user name.
3. On the More Commands (…) menu, select Change Business Unit.
4. In the Change Business Unit dialog box, use the Lookup button to select a new business unit, and
then select OK.
See also
Delete a business unit
Assign a business unit a different parent business
Hierarchy security to control access
8/20/2019 • 9 minutes to read

The hierarchy security model is an extension to the existing Dynamics 365 apps security models that use business
units, security roles, sharing, and teams. It can be used in conjunction with all other existing security models.
Hierarchy security offers more granular access to records for an organization and helps to bring maintenance
costs down. For example, in complex scenarios, you can start by creating several business units and then add
hierarchy security. This achieves more granular access to data with far lower maintenance costs than a large
number of business units may require.

Manager hierarchy and Position hierarchy security models


Two security models can be used for hierarchies: the Manager hierarchy and the Position hierarchy. With the
Manager hierarchy, a manager must be within the same business unit as the report, or in the parent business unit
of the report’s business unit, to have access to the report’s data. The Position hierarchy allows data access across
business units. If you are a financial organization, you may prefer the Manager hierarchy model, to prevent
managers from accessing data outside of their business units. However, if you are part of a customer service
organization and want managers to access service cases handled in different business units, the Position
hierarchy may work better for you.

NOTE
While the hierarchy security model provides a certain level of access to data, additional access can be obtained by using other
forms of security, such as security roles.

Manager hierarchy
The Manager hierarchy security model is based on the management chain or direct reporting structure, where the
manager’s and the report’s relationship is established by using the Manager field on the system user entity. With
this security model, the managers are able to access the data that their reports have access to. They are able to
perform work on behalf of their direct reports or access information that needs approval.

NOTE
With the Manager hierarchy security model, a manager has access to the records owned by the user or by the team that a
user is a member of, and to the records that are directly shared with the user or the team that a user is a member of. When a
record is shared by a user who is outside of the management chain to a direct report user with Read-only access, the direct
report's manager only has Read-only access to the shared record.
In addition to the Manager hierarchy security model, a manager must have at least the user level Read privilege on an entity,
to see the reports’ data. For example, if a manager doesn’t have the Read access to the Case entity, the manager won’t be
able to see the cases that their reports have access to.

For a non-direct report in the same management chain of the manager, a manager has the Read-only access to the
non-direct report’s data. For a direct report, the manager has the Read, Write, Update, Append, AppendTo access to
the report’s data. To illustrate the Manager hierarchy security model, let’s take a look at the diagram below. The
CEO can read or update the VP of Sales data and the VP of Service data. However, the CEO can only read the Sales
Manager data and the Service Manager data, as well as the Sales and Support data. You can further limit the
amount of data accessible by a manager with “Depth”. Depth is used to limit how many levels deep a manager has
Read-only access to the data of their reports. For example, if the depth is set to 2, the CEO can see the data of the
VP of Sales, VP of Service and Sales and Service Managers. However, the CEO doesn’t see the Sales data or the
Support data.

It is important to note that if a direct report has deeper security access to an entity than their manager, the manager
may not be able to see all the records that the direct report has access to. The following example illustrates this point.
- A single business unit has three users: User 1, User 2 and User 3.
- User 2 is a direct report of User 1.
- User 1 and User 3 have User level read access on the Account entity. This access level gives users access to
  records they own, the records that are shared with the user, and records that are shared with the team the
  user is a member of.
- User 2 has Business Unit read access on the Account entity. This allows User 2 to view all of the accounts for
  the business unit, including all of the accounts owned by User 1 and User 3.
- User 1, as a direct manager of User 2, has access to the accounts owned by or shared with User 2, and any
  accounts that are shared with or owned by a team that User 2 is a member of. However, User 1 doesn’t have
  access to the accounts of User 3, even though his or her direct report may have access to User 3 accounts.

Position hierarchy
Unlike the Manager hierarchy, the Position hierarchy is not based on the direct reporting structure. A user doesn’t
have to be an actual manager of another user to access that user’s data. As an administrator, you define various job
positions in the organization and arrange them in the Position hierarchy. Then, you add users to any given position,
or, as we also say, “tag” a user with a particular position. A user can be tagged with only one position in a given
hierarchy; however, a position can be used for multiple users. Users at the higher positions in the hierarchy have
access to the data of the users at the lower positions, in the direct ancestor path. The direct higher positions have
Read, Write, Update, Append, AppendTo access to the lower positions’ data in the direct ancestor path. The
non-direct higher positions have Read-only access to the lower positions’ data in the direct ancestor path.
To illustrate the concept of the direct ancestor path, let’s look at the diagram below. The Sales Manager position has
access to the Sales data; however, it doesn’t have access to the Support data, which is in a different ancestor path.
The same is true for the Service Manager position. It doesn’t have access to the Sales data, which is in the Sales
path. As in the Manager hierarchy, you can limit the amount of data accessible by higher positions with “Depth”.
The depth limits how many levels deep a higher position has Read-only access to the data of the lower
positions in the direct ancestor path. For example, if the depth is set to 3, the CEO position can see the data all the
way down from the VP of Sales and VP of Service positions to the Sales and Support positions.
NOTE
With the Position hierarchy security, a user at a higher position has access to the records owned by a lower position user or
by the team that a user is a member of, and to the records that are directly shared to the user or the team that a user is a
member of.
In addition to the Position hierarchy security model, the users at a higher level must have at least the user level Read privilege
on an entity to see the records that the users at the lower positions have access to. For example, if a user at a higher level
doesn’t have the Read access to the Case entity, that user won’t be able to see the cases that the users at lower positions
have access to.
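
The Manager hierarchy and Position hierarchy rules described above, modeled as an added example (not code from the product or from this documentation). It assumes a simplified reading of those rules: only record ownership is modeled, the business unit names and the "Contract Support" user are constructed, and every function and constant name is hypothetical.

```python
"""Simplified model of the Manager and Position hierarchy rules described above.
Added illustration, not Dynamics 365 code. Only record ownership is modeled;
sharing and security roles can grant additional access that is not shown here."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

DIRECT: FrozenSet[str] = frozenset({"Read", "Write", "Update", "Append", "AppendTo"})
READ_ONLY: FrozenSet[str] = frozenset({"Read"})
NO_ACCESS: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    manager: Optional[str]   # Manager field on the system user record
    business_unit: str
    position: Optional[str]  # position the user is tagged with


def levels_above(parent_of: Dict[str, Optional[str]], lower: str, higher: str) -> Optional[int]:
    """Levels from `lower` up to `higher` in a parent map; None if `higher` is not an ancestor."""
    node, steps, seen = parent_of.get(lower), 1, {lower}
    while node is not None and node not in seen:  # `seen` guards against cycles
        if node == higher:
            return steps
        seen.add(node)
        node, steps = parent_of.get(node), steps + 1
    return None


def _grant(level: Optional[int], depth: int, has_entity_read: bool) -> FrozenSet[str]:
    # Hierarchy access needs at least user-level Read on the entity
    # and stops `depth` levels below the viewer.
    if not has_entity_read or level is None or level > depth:
        return NO_ACCESS
    return DIRECT if level == 1 else READ_ONLY


def manager_access(users, bu_parent, viewer, owner, depth, has_entity_read=True):
    """Rights `viewer` gets on records owned by `owner` under the Manager hierarchy."""
    level = levels_above({u.name: u.manager for u in users.values()}, owner, viewer)
    v_bu, o_bu = users[viewer].business_unit, users[owner].business_unit
    # The manager must be in the report's business unit or in its parent business unit.
    if v_bu != o_bu and bu_parent.get(o_bu) != v_bu:
        return NO_ACCESS
    return _grant(level, depth, has_entity_read)


def position_access(users, position_parent, viewer, owner, depth, has_entity_read=True):
    """Rights `viewer` gets on records owned by `owner` under the Position hierarchy."""
    v_pos, o_pos = users[viewer].position, users[owner].position
    if v_pos is None or o_pos is None:
        return NO_ACCESS
    # Only the direct ancestor path counts; business units are not checked.
    return _grant(levels_above(position_parent, o_pos, v_pos), depth, has_entity_read)


# Constructed sample data: roles follow the CEO / VP / Manager example in the text;
# business unit names and the "Contract Support" user are invented for illustration.
BU_PARENT = {"Root": None, "Sales BU": "Root", "Service BU": "Root"}
POSITION_PARENT = {
    "CEO": None, "VP of Sales": "CEO", "VP of Service": "CEO",
    "Sales Manager": "VP of Sales", "Service Manager": "VP of Service",
    "Sales": "Sales Manager", "Support": "Service Manager",
}
USERS = {u.name: u for u in [
    User("CEO", None, "Root", "CEO"),
    User("VP of Sales", "CEO", "Root", "VP of Sales"),
    User("VP of Service", "CEO", "Root", "VP of Service"),
    User("Sales Manager", "VP of Sales", "Sales BU", "Sales Manager"),
    User("Service Manager", "VP of Service", "Service BU", "Service Manager"),
    User("Sales", "Sales Manager", "Sales BU", "Sales"),
    User("Support", "Service Manager", "Service BU", "Support"),
    User("Contract Support", "Service Manager", "Sales BU", "Support"),
]}


def describe(rights: FrozenSet[str]) -> str:
    return ", ".join(sorted(rights)) or "no hierarchy access"


if __name__ == "__main__":
    for depth in (2, 3):
        for owner in ("VP of Sales", "Sales Manager", "Sales"):
            rights = manager_access(USERS, BU_PARENT, "CEO", owner, depth)
            print(f"depth={depth} CEO -> {owner}: {describe(rights)}")
    # Same reporting line, different business unit: the two models disagree.
    for fn, tree in ((manager_access, BU_PARENT), (position_access, POSITION_PARENT)):
        rights = fn(USERS, tree, "Service Manager", "Contract Support", 3)
        print(f"{fn.__name__}: Service Manager -> Contract Support: {describe(rights)}")
```

Because access follows record ownership along the chain, the model also reproduces the User 1 / User 2 / User 3 case above: a manager gets nothing on records owned by someone outside the chain, whatever the direct report's own read scope is.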

Set up hierarchy security


These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Users + Permissions > Hierarchy security.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
The hierarchy security is disabled by default. To enable:
1. Select an environment and go to Settings > Users + Permissions > Hierarchy security.
2. Under Turn on Hierarchy Modelling select Enable Hierarchy Modeling.

IMPORTANT
To make any changes in Hierarchy security, you must have the Change Hierarchy Security Settings privilege.

After you have enabled the hierarchy modeling, choose the specific model by selecting the Manager Hierarchy or
Custom Position Hierarchy. All system entities are enabled for hierarchy security out-of-the-box, but you can
exclude selected entities from the hierarchy. The Hierarchy Security window is shown below:
Set the Depth to a desired value to limit how many levels deep a manager has Read-only access to the data of
their reports. For example, if the depth equals 2, a manager can only access his or her accounts and the accounts
of the reports two levels deep. In our example, if you log in to Dynamics 365 apps not as an Administrator, who
can see all accounts, but as the VP of Sales, you’ll only be able to see the active accounts of the users shown in the
red rectangle, as illustrated below:

NOTE
While the hierarchy security grants the VP of Sales access to the records in the red rectangle, additional access can be
available based on the security role that the VP of Sales has.

Set up Manager and Position hierarchies


The Manager hierarchy is easily created by using the manager relationship on the system user record. You use the
Manager (ParentsystemuserID) lookup field to specify the manager of the user. If you have already created the
Position hierarchy, you can also tag the user with a particular position in the Position hierarchy. In the following
example, the sales person reports to the sales manager in the Manager hierarchy and also has the Sales position in
the Position hierarchy:

To add a user to a particular position in the Position hierarchy, use the lookup field called Position on the user
record’s form, as shown below:

IMPORTANT
To add a user to a position or change the user’s position, you must have the Assign position for a user privilege.

To change the position on the user record’s form, on the nav bar, choose More (…) and choose a different position,
as shown below:

To create a Position hierarchy:


1. Select an environment and go to Settings > Users + Permissions > Positions.
For each position, provide the name of the position, the parent of the position, and the description. Add users
to this position by using the lookup field called Users in this position. Below is the example of Position
hierarchy with the active positions.

The example of the enabled users with their corresponding positions is shown below:

Performance considerations
To boost performance, we recommend the following:
- Keep the effective hierarchy security to 50 users or fewer under a manager/position. Your hierarchy may have
more than 50 users under a manager/position, but you can use the Depth setting to reduce the number of
levels for Read-only access and in this way limit the effective number of users under a manager/position to 50
users or fewer.
- Use hierarchy security models in conjunction with other existing security models for more complex
scenarios. Avoid creating a large number of business units; instead, create fewer business units and add
hierarchy security.
See also
Security concepts for Microsoft Dynamics 365 for Customer Engagement
Query and visualize hierarchical data
Hierarchy security to control access
8/20/2019 • 9 minutes to read

The hierarchy security model is an extension to the existing Dynamics 365 apps security models that use business
units, security roles, sharing, and teams. It can be used in conjunction with all other existing security models.
Hierarchy security offers more granular access to records for an organization and helps to bring maintenance
costs down. For example, in complex scenarios, you can start by creating several business units and then add
hierarchy security. This achieves more granular access to data with far lower maintenance costs than a large
number of business units may require.

Manager hierarchy and Position hierarchy security models


Two security models can be used for hierarchies: the Manager hierarchy and the Position hierarchy. With the
Manager hierarchy, a manager must be within the same business unit as the report, or in the parent business unit
of the report’s business unit, to have access to the report’s data. The Position hierarchy allows data access across
business units. If you are a financial organization, you may prefer the Manager hierarchy model, to prevent
managers from accessing data outside of their business units. However, if you are part of a customer service
organization and want the managers to access service cases handled in different business units, the Position
hierarchy may work better for you.

NOTE
While the hierarchy security model provides a certain level of access to data, additional access can be obtained by using other
forms of security, such as security roles.

Manager hierarchy
The Manager hierarchy security model is based on the management chain or direct reporting structure, where the
manager’s and the report’s relationship is established by using the Manager field on the system user entity. With
this security model, the managers are able to access the data that their reports have access to. They are able to
perform work on behalf of their direct reports or access information that needs approval.

NOTE
With the Manager hierarchy security model, a manager has access to the records owned by the user or by the team that a
user is a member of, and to the records that are directly shared with the user or the team that a user is a member of. When a
record is shared by a user who is outside of the management chain to a direct report user with Read-only access, the direct
report's manager only has Read-only access to the shared record.
In addition to the Manager hierarchy security model, a manager must have at least the user level Read privilege on an entity,
to see the reports’ data. For example, if a manager doesn’t have the Read access to the Case entity, the manager won’t be
able to see the cases that their reports have access to.

For a non-direct report in the same management chain of the manager, a manager has the Read-only access to the
non-direct report’s data. For a direct report, the manager has the Read, Write, Update, Append, AppendTo access to
the report’s data. To illustrate the Manager hierarchy security model, let’s take a look at the diagram below. The
CEO can read or update the VP of Sales data and the VP of Service data. However, the CEO can only read the
Sales Manager data and the Service Manager data, as well as the Sales and Support data. You can further limit the
amount of data accessible by a manager with “Depth”. Depth is used to limit how many levels deep a manager has
Read-only access to the data of their reports. For example, if the depth is set to 2, the CEO can see the data of the
VP of Sales, VP of Service and Sales and Service Managers. However, the CEO doesn’t see the Sales data or the
Support data.

It is important to note that if a direct report has deeper security access to an entity than their manager, the manager
may not be able to see all the records that the direct report has access to. The following example illustrates this point.
- A single business unit has three users: User 1, User 2 and User 3.
- User 2 is a direct report of User 1.
- User 1 and User 3 have User level read access on the Account entity. This access level gives users access to
records they own, the records that are shared with the user, and records that are shared with the team the
user is a member of.
- User 2 has Business Unit read access on the Account entity. This allows User 2 to view all of the accounts for
the business unit, including all of the accounts owned by User 1 and User 3.
- User 1, as a direct manager of User 2, has access to the accounts owned by or shared with User 2, and any
accounts that are shared with or owned by a team that User 2 is a member of. However, User 1 doesn’t have
access to the accounts of User 3, even though his or her direct report may have access to User 3 accounts.
Position hierarchy
The Position hierarchy is not based on the direct reporting structure, like the Manager hierarchy. A user doesn’t
have to be an actual manager of another user to access that user’s data. As an administrator, you define various job
positions in the organization and arrange them in the Position hierarchy. Then, you add users to any given position,
or, as we also say, “tag” a user with a particular position. A user can be tagged with only one position in a given
hierarchy; however, a position can be used for multiple users. Users at the higher positions in the hierarchy have
access to the data of the users at the lower positions, in the direct ancestor path. The direct higher positions have
Read, Write, Update, Append, AppendTo access to the lower positions’ data in the direct ancestor path. The
non-direct higher positions have Read-only access to the lower positions’ data in the direct ancestor path.
To illustrate the concept of the direct ancestor path, let’s look at the diagram below. The Sales Manager position has
access to the Sales data; however, it doesn’t have access to the Support data, which is in a different ancestor path.
The same is true for the Service Manager position. It doesn’t have access to the Sales data, which is in the Sales
path. As in the Manager hierarchy, you can limit the amount of data accessible by higher positions with “Depth”.
The depth limits how many levels deep a higher position has Read-only access to the data of the lower
positions in the direct ancestor path. For example, if the depth is set to 3, the CEO position can see the data all the
way down from the VP of Sales and VP of Service positions, to the Sales and Support positions.
NOTE
With the Position hierarchy security, a user at a higher position has access to the records owned by a lower position user or
by the team that a user is a member of, and to the records that are directly shared to the user or the team that a user is a
member of.
In addition to the Position hierarchy security model, the users at a higher level must have at least the user level Read privilege
on an entity to see the records that the users at the lower positions have access to. For example, if a user at a higher level
doesn’t have Read access to the Case entity, that user won’t be able to see the cases that the users at lower positions
have access to.
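
The rules above for both models (direct versus non-direct access, Depth, the business unit restriction of the Manager hierarchy, and the Read privilege requirement), written out as a small Python model. This is an added illustration, not Microsoft code or part of the original documentation; the reporting lines, business unit names, and function names are assumptions.

```python
from typing import Dict, Optional

FULL = "Read, Write, Update, Append, AppendTo"   # direct report / directly lower position
READ_ONLY = "Read-only"                          # non-direct, still within Depth

# Constructed reporting lines, inferred from the text because the diagram is
# not reproduced. The same chart is used for managers and for positions.
PARENT: Dict[str, Optional[str]] = {
    "CEO": None,
    "VP of Sales": "CEO",
    "VP of Service": "CEO",
    "Sales Manager": "VP of Sales",
    "Service Manager": "VP of Service",
    "Sales": "Sales Manager",
    "Support": "Service Manager",
}

# Constructed business units (names are assumptions): child -> parent.
BU_PARENT = {"HQ": None, "Sales BU": "HQ", "Partner BU": "Sales BU"}
ONE_BU = {name: "HQ" for name in PARENT}         # everyone in a single unit
# Variant: the Sales user sits in a unit that is neither the Sales Manager's
# own unit nor a direct child of it.
SPLIT_BU = {**ONE_BU, "Sales": "Partner BU"}


def levels_above(higher: str, lower: str) -> Optional[int]:
    """Levels between `higher` and `lower` on the direct ancestor path, else None."""
    steps, node = 0, lower
    while node is not None:
        if node == higher:
            return steps or None      # 0 means the same node: not a hierarchy case
        node = PARENT.get(node)
        steps += 1
    return None                       # `higher` is not an ancestor of `lower`


def bu_allows(manager_bu: str, report_bu: str) -> bool:
    """Manager hierarchy only: same business unit, or the parent of the report's unit."""
    return manager_bu == report_bu or BU_PARENT.get(report_bu) == manager_bu


def hierarchy_access(viewer, owner, depth, model="manager",
                     bu_of=ONE_BU, has_read_privilege=True) -> Optional[str]:
    """Access that hierarchy security alone gives `viewer` to `owner`'s data.

    Security roles, sharing and team membership can grant more; they are not
    modeled here.
    """
    if model not in ("manager", "position"):
        raise ValueError("model must be 'manager' or 'position'")
    if not has_read_privilege:        # at least user-level Read on the entity is required
        return None
    levels = levels_above(viewer, owner)
    if levels is None or levels > depth:
        return None                   # different ancestor path, or deeper than Depth
    if model == "manager" and not bu_allows(bu_of[viewer], bu_of[owner]):
        return None                   # the Position hierarchy skips this check
    return FULL if levels == 1 else READ_ONLY


def visible_to(viewer, depth, model="manager", bu_of=ONE_BU):
    """Map each reachable node to the access `viewer` gets, omitting those with none."""
    result = {}
    for owner in PARENT:
        access = hierarchy_access(viewer, owner, depth, model, bu_of)
        if access:
            result[owner] = access
    return result


if __name__ == "__main__":
    for name, access in visible_to("CEO", depth=2).items():
        print(f"CEO -> {name}: {access}")
    print("Sales Manager -> Sales (manager model, split BUs):",
          hierarchy_access("Sales Manager", "Sales", 1, "manager", SPLIT_BU))
    print("Sales Manager -> Sales (position model, split BUs):",
          hierarchy_access("Sales Manager", "Sales", 1, "position", SPLIT_BU))
```

Running the same check for each model and Depth value before enabling the setting shows which users gain write access (one level down) and which gain only Read-only access.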

Set up hierarchy security


These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Users + Permissions > Hierarchy security.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
The hierarchy security is disabled by default. To enable:
1. Select an environment and go to Settings > Users + Permissions > Hierarchy security.
2. Under Turn on Hierarchy Modelling select Enable Hierarchy Modeling.

IMPORTANT
To make any changes in Hierarchy security, you must have the Change Hierarchy Security Settings privilege.

After you have enabled hierarchy modeling, choose the specific model by selecting Manager Hierarchy or
Custom Position Hierarchy. All system entities are enabled for hierarchy security out of the box, but you can
exclude selected entities from the hierarchy. The Hierarchy Security window is shown below:
Set the Depth to the desired value to limit how many levels deep a manager has Read-only access to the data of
their reports. For example, if the depth equals 2, a manager can only access his or her accounts and the accounts
of the reports two levels deep. In our example, if you log in to Dynamics 365 apps not as an Administrator, who
can see all accounts, but as the VP of Sales, you’ll only be able to see the active accounts of the users shown in the
red rectangle, as illustrated below:

NOTE
While the hierarchy security grants the VP of Sales access to the records in the red rectangle, additional access can be
available based on the security role that the VP of Sales has.

Set up Manager and Position hierarchies


The Manager hierarchy is easily created by using the manager relationship on the system user record. You use the
Manager (ParentsystemuserID) lookup field to specify the manager of the user. If you have already created the
Position hierarchy, you can also tag the user with a particular position in the Position hierarchy. In the following
example, the sales person reports to the sales manager in the Manager hierarchy and also has the Sales position in
the Position hierarchy:

To add a user to a particular position in the Position hierarchy, use the lookup field called Position on the user
record’s form, as shown below:

IMPORTANT
To add a user to a position or change the user’s position, you must have the Assign position for a user privilege.

To change the position on the user record’s form, on the nav bar, choose More (…) and choose a different position,
as shown below:

To create a Position hierarchy:


1. Select an environment and go to Settings > Users + Permissions > Positions.
For each position, provide the name of the position, the parent of the position, and the description. Add
users to this position by using the lookup field called Users in this position. Below is the example of
Position hierarchy with the active positions.

The example of the enabled users with their corresponding positions is shown below:

Performance considerations
To boost performance, we recommend the following:
- Keep the effective hierarchy security to 50 users or fewer under a manager/position. Your hierarchy may have
more than 50 users under a manager/position, but you can use the Depth setting to reduce the number of
levels for Read-only access and in this way limit the effective number of users under a manager/position to 50
users or fewer.
- Use hierarchy security models in conjunction with other existing security models for more complex
scenarios. Avoid creating a large number of business units; instead, create fewer business units and add
hierarchy security.
See also
Security concepts for Microsoft Dynamics 365 for Customer Engagement
Query and visualize hierarchical data
Enhance security by encrypting your data
8/19/2019 • 2 minutes to read

Dynamics 365 apps use standard SQL Server cell-level encryption for a set of default entity attributes that contain
sensitive information, such as user names and email passwords. This feature can help organizations meet FIPS
140-2 compliance.
For Dynamics 365 (online) apps, all new and upgraded organizations use data encryption by default. Data
encryption can’t be turned off.
Dynamics 365 apps users who have the system administrator security role can change the encryption key at any
time.

Change an organization encryption key


These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Encryption > Data encryption.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Encryption > Data encryption.
2. In the Change Encryption Key box type the new encryption key and then select Change.
3. Select OK in the confirmation message and then select Close to exit the Data Encryption page.
4. We recommend that you copy the key to a safe place. See the next section.

Copy your organization data encryption key


We strongly recommend that you make a copy of your data encryption key.
1. Sign in with the System Administrator or System Customizer security role or equivalent permissions.
2. Select an environment and go to Settings > Encryption.
3. In the Data Encryption dialog box, select Show Encryption Key, in the Current encryption key box
select the encryption key, and copy it to the clipboard.
4. Paste the encryption key into a text editor such as Notepad.

WARNING
By default, Dynamics 365 apps generate a passphrase that is a random collection of Unicode characters. Therefore,
you must save the system-generated passphrase by using an application and file that support Unicode characters.
Some text editors, such as Notepad, use ANSI encoding by default. Before you save the passphrase using Notepad, select
Save As, and then in the Encoding list, select Unicode.

5. As a best practice, save the text file that contains the encryption key on a computer in a secure location on an
encrypted hard drive.
See also
SQL Server Encryption
FIPS 140 Evaluation
Manage Your Data
Manage configuration data
Manage email settings
3/22/2019 • 3 minutes to read

[This topic is pre-release documentation and is subject to change.]


Use Email settings to adjust how Dynamics 365 for Customer Engagement apps features appear and function.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Email settings.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

| Settings | Description |
|---|---|
| Security and permissions | Select these check boxes if you want to allow email processing only for users and queues whose email addresses have been approved by the system administrator. |
| Process emails only for approved users | Default: On. |
| Process emails only for approved queues | Default: On. |
| Sync information rights management-enabled emails to the server | Default: Not selected. Off. Select On to sync Customer Engagement apps emails that have information rights property. |
| Allow to delete appointments if system auto detects changes that will result in change in ownership | Default: Not selected. Off. |
| Notifications | |
| When these occur, send details to the mailbox's notifications area | |
| Errors | Default: Enabled. |
| Warnings | Default: Enabled. Select Warning if you’re troubleshooting or testing or want to get more detailed messages on the alert wall. |
| Information | Default: Enabled. |
| Notify mailbox owner | Default: Off. By default, the system administrator is notified of any error that occurs for an email server profile. Select On if you also want to notify the mailbox owner. |
| Attachments | |
| Maximum file size attachments | Default: 5 MB (5120 KB). Maximum file size (in Kilobytes). Increase or decrease the maximum file size for attached files. The maximum size is 128 MB (131,072 KB). |
| Synchronization methods | For any mailbox that is automatically created in Dynamics 365 when a user or queue is created, the default email settings as defined in this section will be applied. |
| The selected settings will be applied to mailboxes of all newly created users and queues | |
| Server profile | For server-side synchronization, select the email server profile that you want to use. The email server profile holds the configuration data that enables Dynamics 365 to connect to Microsoft Exchange. If you’re connecting Dynamics 365 (online) with Exchange Online, the email server profile is automatically created for you. |
| Incoming email | Select whether you want to use Dynamics 365 for Outlook, the Email Router, server-side synchronization, or a forward mailbox for processing incoming email. More information: Create forward mailboxes or edit mailboxes |
| Outgoing email | Select whether you want to use Dynamics 365 for Outlook, the Email Router, or server-side synchronization for processing outgoing email. |
| Appointments, contacts, and tasks | Select whether you want to use Dynamics 365 for Outlook or server-side synchronization to synchronize appointments, contacts, and tasks between Outlook and Dynamics 365. Note: You can’t synchronize appointments, contacts, and tasks if you’re synchronizing with a POP3 email server. |
| Email form options | |
| Use secure frames to restrict email message content | Default: Off. If this is set to On, you may see the following error message when you’re reading email: “This content cannot be displayed in a frame”. Although this can make sending sensitive content in email less secure, changing the setting to Off typically eliminates this error. |
| People can send emails with unresolved recipients | Default: Off. Set this to On if you want to send email messages that have unresolved recipients. |
| If there are multiple possible recipient matches in the to, CC, or BCC fields, set them as unresolved | Default: Off. Use this setting to choose which record an email address resolves to when there are multiple possible matches in to, cc, or bcc fields of an email. When you select On, if the to, cc, or bcc fields of an email have an email address that can be resolved to multiple contacts (or other records), the email address will be resolved in the unresolved mode instead of resolving to all possible records. Unresolved email addresses can then be resolved individually as you encounter them. |
| When someone manually resolves an unresolved email address, apply it to all similar unresolved addresses | When set to Yes, the same email address is applied to all similar unresolved email addresses when resolved in one email activity. When set to Off, the email address is applied only to the specific email activity and does not resolve similar addresses present in other email activities. The default value is On. This setting is configurable when Set To, cc, bcc, fields as unresolved values if multiple matches are found in Incoming Emails is set to On. |

See also
Track Outlook email by moving it to a tracked Exchange folder
Frequently asked questions about synchronizing records between Microsoft Dynamics 365 and Outlook
Set up email through server-side synchronization
Manage email tracking settings
4/16/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


Use Email settings to adjust how Dynamics 365 for Customer Engagement apps features appear and function.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Email Tracking.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

| Settings | Description |
|---|---|
| Tracking email conversations | |
| Use correlation | Default: On. Select this check box if you want to link email activities with other related records using the information in the email headers. This method uses email properties for correlation and is more accurate than smart matching, but less accurate than folder-level tracking or tracking tokens. More information: Email message filtering and correlation. Note: Email correlation using email headers works best when email is processed using server-side synchronization. If you’re using the Email Router to process email, you can use tracking tokens or smart matching to correlate email activities with related records. |
| Use tracking tokens | Default: On. Select this check box to use tracking tokens and to configure how Dynamics 365 displays them in the Subject line of the email messages. Tracking tokens provide 100% tracking accuracy. If you don’t want to see tokens in Subject lines, however, consider folder-level tracking, which also provides 100% tracking accuracy. You can configure prefixes and other sections of tracking tokens. Long prefixes or too many prefix changes may cause lost data in history, however. More information: Email message filtering and correlation |
| Tracking token preview | More information: Use Email message filtering and correlation to specify which emails are tracked |
| Prefix | Default: CRM. |
| Base tracking number | Default: 0. |
| Number of digits for personal numbers | Default: 3. |
| Number of digits for email activity counter | Default: 3. |
| Use smart matching | Default: Off. Select On to use smart matching to correlate email based on the similarity between email messages. Smart matching isn’t as accurate as tracking tokens or folder-level tracking. More information: Email message filtering and correlation |
| Folder-level tracking | |
| Use folder-level tracking for Exchange folders (server-side synchronization must be enabled) | Default: On. Users can set up Exchange tracking folders, and then move messages to those folders to track them automatically on virtually any device. More information: Track Outlook email by moving it to a tracked Exchange folder. Folder-level tracking provides 100% tracking accuracy. To use folder-level tracking: (1) Select On. (2) Your organization must synchronize email through server-side synchronization. More information: Set up server-side synchronization |
| Tracking items | |
| People can use categories to track emails and appointments | Default: Off. Content coming. |
| Allow auto-tracking on outgoing email | Default: Off. Content coming. |
| Tracking between people | |
| Track emails sent between people as two activities | Default: Off. Select this option to create two email activities between Dynamics 365 users, one for the sender and one for the recipient. |
Broadcast announcements to an entire organization
8/14/2019 • 2 minutes to read

Circulate information quickly to a wide set of users in one go by using Announcements in Microsoft Dynamics 365.
Announcements can also serve as message boards, where you can post topics of interest that you wish to
share, or get answers to.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Data management > Announcements.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Create an announcement
1. Select an environment and go to Settings > Data management > Announcements.
2. On the command bar, select New.
3. Fill in the information, as required.
Title (required) - Type a title for the announcement that clearly and unambiguously states the purpose
and nature of the announcement.
Body (required) - Type the text for the announcement that you want to broadcast.

TIP
You can copy and paste an announcement text from another application. However, formatting might be lost.

More Information URL (optional) - Type the address of the website that provides detailed information
about the announcement.

NOTE
A web address that does not contain "http://" is automatically expanded to a full web address. In the announcement,
the web address will appear as an active external link.

Expiration Date (optional) - Type the date on which you want to stop the broadcast and the
announcement should expire.

NOTE
You can’t edit/extend this date after expiry. Microsoft Dynamics 365 deletes the announcement after the expiration
date.

4. When you’re done, on the command bar, choose Save or Save and Close to begin the broadcast.

Broadcast an announcement
Make the announcements available to other users in your organization by using web resources and dashboards.
Create a web resource
1. In a text editor, type the following code, and save the file as “announcementsondashboard.htm”.

<html>
<body>
<script type="text/javascript">window.location.href="/home/homepage/home_news.aspx?pagemode=iframe";
</script>
</body>
</html>

2. In Dynamics 365, go to Settings > Customizations > Customize the System.


3. Under Components, select Web Resources > New.
4. Type the name as “announcements” and display name as “Announcements”.
5. In the Type drop-down list, select Web Page (HTML).
6. In the Upload File box, choose Browse and select the “announcementsondashboard.htm” file that you
created earlier.
7. Select Save.
8. Add this new web resource to any existing or new dashboard.
Change auto-numbering prefixes for contracts, cases,
articles, quotes, orders, invoices, campaigns,
categories, and knowledge articles
8/14/2019 • 2 minutes to read

Contracts, cases, articles, quotes, orders, invoices, marketing campaigns, categories, and knowledge articles are
automatically numbered by Dynamics 365 apps. If your organization has standard numbering formats, you can
change the default three-character prefixes and number format to match your organization.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Data management > Auto numbering.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Data management > Auto numbering.
2. In the Set Auto-Numbering dialog box, select the record type that you want to change.
3. In the Prefix box, enter up to three characters, symbols, or numbers.
Prefixes are system-wide and are used for all system-generated numbers for the selected record type. If you
change the prefix for a record type, it won’t change the prefix of numbers that are already assigned.
The prefix of the tracking token for email messages is set in the System Settings area. More information:
System Settings dialog box - Email tab
4. In the Number box, enter the starting number.
If you haven’t set a numbering format before, the Number box displays 1000. After you set the numbering
format and save your settings, this field is set to read-only and you can’t modify it. If a custom auto-
numbering solution was used, you won’t be able to change the number.
5. Select a suffix length.
Articles and knowledge articles don’t have suffixes. The suffix is used for records that were created while you
were offline and for which the number can’t be guaranteed to be unique.
6. Select OK to save your settings.
See also
Use solutions for your customizations
Remove a large amount of specific, targeted data
with bulk deletion
8/14/2019 • 2 minutes to read

The bulk deletion feature helps you to maintain data quality and manage the consumption of system storage in
Dynamics 365 apps by deleting data that you no longer need.
For example, you can delete the following data in bulk:
Stale data.
Data that is irrelevant to the business.
Unneeded test or sample data.
Data that is incorrectly imported from other systems.
With bulk deletion you can perform the following operations:
Delete data across multiple entities.
Delete records for a specified entity.
Receive email notifications when a bulk deletion finishes.
Delete data periodically.
Schedule the start time of a recurring bulk delete.
Retrieve the information about the failures that occurred during a bulk deletion.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Data management > Bulk deletion.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.

Delete bulk data


1. Select an environment and go to Settings > Data management > Bulk deletion.
2. Select New to run the Bulk Deletion Wizard to create a bulk deletion job with the records you want to
delete.
For information about how to implement bulk delete in code, see Delete data in bulk.
See also
Manage your data
Data Encryption
Import data (all record types) from multiple sources
8/14/2019 • 2 minutes to read

Importing data is often the first important task that you need to perform after you have installed Customer
Engagement. You can import data from various Dynamics 365 apps systems and data sources into standard and
customized fields of most business and custom entities in Dynamics 365. You can include related data, such as
notes and attachments. To assure data integrity, you can enable duplicate detection that prevents importing
duplicate records. More information: Detect duplicate data. For more complex data import scenarios, you can write
code using the data import web service. More information: Import data using web services.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Data management > Data import wizard.
Preliminary steps before you import the data into Dynamics 365 apps include:
1. Preparing source data files in one of the following formats: comma-separated values (.csv), XML
Spreadsheet 2003 (.xml), Compressed (.zip) or text files. You can import data from one source file or several
source files. A source file can contain data for one entity type or multiple entity types.
2. Preparing data maps for mapping data contained in the source file to the Dynamics 365 apps record fields.
You must map every column in the source file to an appropriate field. Unmapped data isn’t imported. More
information: Select a data map
There are several ways to import data into Dynamics 365 apps:

NOTE
We recommend limiting your import to 20K rows or fewer.

1. To import large volumes of data, we recommend importing programmatically, which is the most efficient
method. When you import data programmatically, you gain additional capabilities that are not available when
you use other methods of importing data. These advanced capabilities include viewing stored source data,
accessing error logs, and creating data maps that include complex transformation mapping, such as
concatenation, split, and replace. See Import data.
2. For smaller import jobs, you can use the Import Data Wizard tool included in the Dynamics 365 apps web
application. For information about the Import Data Wizard or how to import specific record types, see
Import accounts, leads, or other data.

NOTE
For the Import Data Wizard, the maximum file size for .zip files is 32 MB; for the other file formats, it’s 8 MB.
With the Import Data Wizard, you can specify the “Map Automatically” option. The wizard automatically maps all the
files and the column headings with Dynamics 365 record types and fields if:
The file names exactly match the display name of the record type.
The column headings of the file you are importing exactly match the display names of the fields in the
record.

3. To add data for an individual record, the quickest way is to use Quick Create from the nav bar or New from
the entity form.
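The limits above (20K rows, 8 MB or 32 MB per file, exact-match rules for Map Automatically) can be checked before a file reaches the wizard. The following Python sketch is an added example, not Microsoft code: the function name, the finding codes, the `.txt` extension for "text files", the byte value of a megabyte, case-sensitive matching, and the field inventory passed in are all assumptions.

```python
"""Pre-flight checks for a file headed to the Import Data Wizard (added example)."""
import csv
import io
import os

MB = 1024 * 1024  # assumption: 1 MB = 1,048,576 bytes
# Formats and size limits stated in the section; ".txt" stands in for "text files".
SIZE_LIMITS = {".zip": 32 * MB, ".csv": 8 * MB, ".xml": 8 * MB, ".txt": 8 * MB}
MAX_ROWS = 20_000  # "20K rows or fewer" recommendation


def preflight(filename, data, record_types):
    """Return a list of (code, detail) findings; an empty list means no issue.

    record_types maps a record type display name to the set of its field
    display names (a hypothetical inventory supplied by the caller).
    """
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()

    if ext not in SIZE_LIMITS:
        return [("UNSUPPORTED_FORMAT", ext or "(no extension)")]
    if len(data) > SIZE_LIMITS[ext]:
        # The wizard would refuse the upload, so there is nothing left to parse.
        return [("FILE_TOO_LARGE", f"{len(data)} bytes > {SIZE_LIMITS[ext]}")]
    if ext not in (".csv", ".txt"):
        return []  # .xml and .zip: only format and size are checked here

    rows = list(csv.reader(io.StringIO(data.decode("utf-8-sig"))))
    if not rows:
        return [("EMPTY_FILE", filename)]
    header, body = rows[0], rows[1:]
    findings = []

    if len(body) > MAX_ROWS:
        findings.append(("TOO_MANY_ROWS", f"{len(body)} > {MAX_ROWS}"))

    # A record with a different column count shifts values into the wrong fields.
    for number, row in enumerate(body, start=1):
        if len(row) != len(header):
            findings.append(("RAGGED_ROW", f"record {number}"))
            break

    # Map Automatically: the file name must equal a record type display name ...
    fields = record_types.get(stem)
    if fields is None:
        findings.append(("FILENAME_NOT_A_RECORD_TYPE", stem))
        return findings
    # ... and every heading must equal a field display name. Matching is exact
    # (assumed case-sensitive); an unmapped column is not imported.
    for name in header:
        if name not in fields:
            findings.append(("COLUMN_NOT_AUTOMAPPED", name))
    return findings


if __name__ == "__main__":
    # Constructed sample data; the display names are illustrative only.
    types = {"Account": {"Account Name", "Main Phone", "Email"}}
    sample = b"Account Name,Main Phone,E-mail\nContoso,555-0100,info@contoso.example\n"
    for finding in preflight("Account.csv", sample, types):
        print(finding)
```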
See also
Detect duplicate data
Turn duplicate detection rules on or off for the whole organization
8/14/2019 • 2 minutes to read

To maintain the integrity of your data, it’s a good idea to set up duplicate detection rules to reduce duplicate records
in the system. Remember that after you create duplicate detection rules, you need to turn them on.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Data management > Duplicate detection.
Make sure you have the System Administrator, System Customizer, Sales Manager, Vice President of Sales, Vice
President of Marketing, or CEO-Business Manager security role or equivalent permissions to update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Data management > Duplicate detection.
2. Select or clear the Enable duplicate detection check box.

NOTE
If your system contains a large number of records, checking for duplicates can impact performance.

3. If you’re turning duplicate detection on, select or clear the check boxes to set when duplicates are detected:
When a record is created or updated
The system checks for duplicates when a user enters or updates records.

IMPORTANT
Duplicates aren’t detected when a user merges two records, activates or deactivates a record, or saves a
completed activity.

When Dynamics 365 apps for Outlook goes from offline to online
For users of Dynamics 365 apps for Outlook, the system detects duplicates when the user
synchronizes their data after working offline, as long as users have enabled duplicate detection in
Outlook. To enable duplicate detection in Outlook, select File > Dynamics 365 > Options. Choose
the Local Data tab, and then select the Enable duplicate detection during offline to online
synchronization check box.
During data import
When you use the Import Data wizard to bring in contacts, leads, accounts, or other types of data, the
wizard detects any duplicate records as long as you enable duplicate detection in the wizard. More
information: Import accounts, leads, or other data
4. Select OK.
See also
Set up duplicate detection rules to keep your data clean
Frequently asked questions about synchronizing records between Microsoft Dynamics 365 for Customer
Engagement apps and Microsoft Outlook
Run bulk system jobs to detect duplicate records
Download a template for data import
8/14/2019 • 2 minutes to read

Whether your data is stored in spreadsheets, databases, or other systems, you'll want to import the data into
Dynamics 365 apps so you can keep track of all your customer information in one place. You use templates for
importing many types of records, such as accounts, leads or cases. There is a complete list in the Templates for
Data Import wizard.
These settings can be found in the Power Platform Admin center by going to Environments > [select an
environment] > Settings > Data management > Templates.
Make sure you have the System Administrator or System Customizer security role or equivalent permissions to
update the setting.
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
1. Select an environment and go to Settings > Data management > Templates.
2. In the Templates for Data Import dialog box, choose the record type that you want to download the
template for, and then select Download.
3. In the file download box, select Save or Save as and navigate to a location for the file.
4. Select Close.
See also
Import accounts, leads, or other data
Import contacts
Asynchronous processing of cascading transactions
5/23/2019 • 3 minutes to read

[This topic is pre-release documentation and is subject to change.]


Certain transactions can be configured to cascade across all related records. This means the change on a parent
record will be transacted upon (cascade down through) all the child records. Cascading relationships are configured
at the entity level. For more information about cascading relationships, see Entity relationship behavior.

Synchronous versus asynchronous modes


By default, cascading operations are performed as a synchronous transaction. For a synchronous cascading
transaction, all impacted records are identified by the system. As the records are processed, they are locked by the
system. Once all the changes have been completed, the records are unlocked and the transaction is completed.
Synchronous transactions with a large number of records can cause performance issues for environments when
long running transactions fail due to server timeouts. The records are locked preventing other jobs and user
transactions that operate on the same records from executing. Also, long running transactions might result in a
backlog of pending transactions and requests that decrease system performance and might cause work stoppage.
If an environment is encountering timeouts or degraded performance while the synchronous cascading operations
are in progress, your environment could benefit by enabling the asynchronous mode. The main differences
between the modes are described here.

Locking
SYNCHRONOUS MODE: No other jobs can be executed on the entire set of selected records (direct or cascading)
until the cascading operation is complete.
ASYNCHRONOUS MODE: Cascading changes are batched, locking only the records being processed within the batch.
This allows other jobs to execute during the full cascading change operation.

Data visibility
SYNCHRONOUS MODE: When the job is completed all data shows the new desired value.
ASYNCHRONOUS MODE: As the job runs each completed batch displays the desired value. This means that there will
be a time when some data shows the desired value and some shows the original value until the full operation is
completed. This is referred to as “eventual consistency.”

Failure handling
SYNCHRONOUS MODE: If a single record fails, all data is rolled back to the original value. The roll back will
require re-editing all completed records, which takes additional time.
ASYNCHRONOUS MODE: If a single job fails, it is retried multiple times to attempt completion. If the job can't
be completed the failure is recorded in the System Jobs area. Notice that successfully completed records retain
the new value.

Value mismatches
SYNCHRONOUS MODE: If one of the records in the cascading list has a value that is different than the expected
value, the job will fail and roll back. For example, the starting record belongs to Owner 1 and the cascading
operation wants to change it to Owner 2. If one of the downstream related records has changed to Owner 3 or is
deleted before the lock occurs, the entire job will roll back.
ASYNCHRONOUS MODE: The operation always works in overwrite mode changing the current value to the new value
based on the parent child relationship. There are no job failures due to an original value mismatch.

Tracking asynchronous operation progress


Administrators can monitor the processing of asynchronous operations in the Settings area.
1. Go to Settings > System Jobs. For unified client apps, see Settings
2. Cascading operations are displayed in the System Jobs view.

TIP
To view only cascading operations, in the View selector select Cascade Operations.

Cascading operations have any one of the following statuses:


Completed. All batches of the cascading transaction have been completed successfully.
In Progress. Cascading changes are in progress.
Failed. After multiple retries some of the cascading changes have failed.

NOTE
It isn't possible to cancel an asynchronous cascading job. You must wait until it finishes, which is indicated by a
status of Completed or Failed.

Opening a cascading operation displays:


How many retries have occurred for the particular transaction.
Created and completed dates and times.
Who created the job.
Any messages associated with the job, such as failure reasons, or exceptions.

Which cascading transactions can be processed asynchronously?


Assign cascading transactions can be processed asynchronously.

NOTE
Other transactions, such as delete, merge, share/unshare, rollup view, and re-parent are currently under review for
asynchronous processing.

Enable asynchronous processing of cascading transactions


At this time, changing the processing of cascading transactions to asynchronous mode is a backend change that
must be made by Microsoft.
To submit your request to have your environment changed to asynchronous mode:
1. Email: [email protected]
2. Enter the subject line: Enable Asynchronous Cascading <transaction type>. For example, Enable Asynchronous
Cascading Assign.
3. In the body of the email include your environment name, environment ID, and Microsoft 365 tenant ID. To find
the environment name and ID go to Settings > Developer Resources.
The change to asynchronous mode can take one to two business days to complete. We'll contact you when the
change has been made.
See also
Entity relationships overview
About On-premises gateway
3/18/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


The on-premises gateway allows PowerApps and Flow to reach back to on-premise resources to support hybrid
integration scenarios. The gateway leverages Azure Service Bus relay technology to securely allow access to
on-premise resources.

Gateway On-premise Install


The gateway service must run on a local server in your on-premise location. The server does not have to be the
one that hosts the resources it will proxy access to, but it should be on the same local network so that it can
reach the target resource with as little latency as possible. Multiple application and flow connections can use
the same gateway install. You can only install one gateway on a server.
During the install the gateway is set up to use NT Service\PBIEgwService for the Windows service logon. You can
switch this to a domain user or managed service account if you’d like.

Gateway Administration Access


By default, you have administrator permission on any gateway that you install. As the administrator you can grant
other users permission to co-administer the gateway. It is recommended you always have multiple administrators
specified to handle employee events in your organization.

Use of stored credentials


When you set up a data source on the gateway you will need to provide credentials for that data source. All actions
to that data source will run using these credentials. Credentials are encrypted using asymmetric encryption
before they are stored in the cloud. The credentials are sent to the on-premises machine running the gateway,
where they are decrypted when the data source is accessed.
Port Usage
The gateway service creates an outbound connection to Azure Service Bus, so no inbound ports need to be open.
The outbound connection communicates on ports TCP 443 (default), 5671, 5672, and 9350 through 9354.
It is recommended that you whitelist the IP addresses for the data region in your firewall. These IP addresses are
used for outbound communication with Azure Service Bus. You can download the latest list here:
https://www.microsoft.com/en-us/download/details.aspx?id=41653
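The port guidance above can be turned into a check over a firewall rule export. The following Python sketch is an added example, not part of the gateway or of Microsoft tooling: it assumes a default-deny firewall described as a list of allow rules, and the rule shape, the finding names, the gateway host address, and the Service Bus ranges (documentation prefixes standing in for the downloaded list) are all constructed.

```python
"""Audit an allow-rule firewall export for an on-premises data gateway host."""
import ipaddress
from dataclasses import dataclass

# Outbound TCP ports from the Port Usage section: 443, 5671, 5672, 9350-9354.
GATEWAY_PORTS = frozenset({443, 5671, 5672, *range(9350, 9355)})


@dataclass(frozen=True)
class AllowRule:          # hypothetical export format; default action is deny
    direction: str        # "in" or "out"
    protocol: str         # "tcp" or "udp"
    host: str             # local address the rule applies to, or "any"
    remote: str           # remote CIDR, or "any"
    ports: tuple          # inclusive (low, high)


def _contains(outer, inner):
    return outer.version == inner.version and inner.subnet_of(outer)


def _permits(rule, host, port, net):
    """True if this rule lets `host` open tcp/`port` to every address in `net`."""
    if rule.direction != "out" or rule.protocol != "tcp":
        return False
    if rule.host not in ("any", host) or not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return rule.remote == "any" or _contains(ipaddress.ip_network(rule.remote), net)


def audit(rules, gateway_host, service_bus_cidrs):
    """Return (code, detail) findings for the gateway host; [] means compliant."""
    nets = [ipaddress.ip_network(c) for c in service_bus_cidrs]
    findings = []
    # 1. Every required port must be reachable on every allowlisted range.
    for port in sorted(GATEWAY_PORTS):
        for net in nets:
            if not any(_permits(r, gateway_host, port, net) for r in rules):
                findings.append(("MISSING_EGRESS", f"tcp/{port} -> {net}"))
    # 2. Rules touching gateway ports should be outbound and limited to the allowlist.
    for r in rules:
        if r.protocol != "tcp" or r.host not in ("any", gateway_host):
            continue
        if not any(r.ports[0] <= p <= r.ports[1] for p in GATEWAY_PORTS):
            continue
        label = f"{r.direction} tcp/{r.ports[0]}-{r.ports[1]} remote={r.remote}"
        if r.direction == "in":
            # The gateway only dials out, so it needs no inbound port.
            findings.append(("INBOUND_NOT_REQUIRED", label))
        elif r.remote == "any" or not any(
            _contains(n, ipaddress.ip_network(r.remote)) for n in nets
        ):
            findings.append(("EGRESS_NOT_ALLOWLISTED", label))
    return findings


# Constructed sample data (documentation and private address ranges).
GATEWAY_HOST = "10.0.5.20"
SAMPLE_SERVICE_BUS_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]
SAMPLE_RULES = [
    AllowRule("out", "tcp", GATEWAY_HOST, "203.0.113.0/24", (443, 443)),
    AllowRule("out", "tcp", GATEWAY_HOST, "203.0.113.0/24", (5671, 5672)),
    AllowRule("out", "tcp", GATEWAY_HOST, "any", (9350, 9354)),
    AllowRule("in", "tcp", GATEWAY_HOST, "any", (443, 443)),
    AllowRule("in", "tcp", GATEWAY_HOST, "10.0.0.0/8", (3389, 3389)),
]

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_RULES, GATEWAY_HOST, SAMPLE_SERVICE_BUS_CIDRS):
        print(f"{code:24} {detail}")
```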

Gateway Access
Most of the PowerApps and Flow licenses have access to use the gateway with the exception of some of the lower
end Office 365 licenses (Business and Office Enterprise E1 SKUs).

Updates to the Data Gateway


Updates are not auto-installed for the On-premises data gateway. It is highly encouraged to remain current with
the latest data gateway version, as updates to the gateway are released on a monthly basis.

Gateway Disaster Recovery


A recovery key is assigned (i.e., not auto-generated) by the administrator at the time the On-Premises Data
Gateway is installed. The recovery key is required if the gateway is to be relocated to another machine, or if the
gateway is to be restored. Therefore, the key should be retained where other system administrators can locate it if
necessary.
See also
On-premises data gateway
On-premises data gateway management
8/8/2019 • 4 minutes to read

[This topic is pre-release documentation and is subject to change.]


The On-premises data gateway acts as a bridge, providing quick and secure data transfer between on-premises
data (data that is not in the cloud) and the Power BI, Microsoft Flow, Logic Apps, and PowerApps services.
You can use the Power Platform Admin center to get visibility into all on-premises data gateways in a tenant. To do
so, sign in as a tenant admin and select the Data Gateway option.
Users who are part of the Azure AD Global administrator role (which includes Office 365 Global admins), Power
BI service administrators, and Gateway administrators will have access to Data Gateway management on the
Power Platform Admin center. There may however be differences in the features available and the operations
which can be performed by each of these roles.
The Azure AD Global administrator role (which includes Office 365 Global admins) and Power BI service
administrators will be able to see all gateways in their organizations in addition to the gateways they manage. You
can switch between these two views using this toggle in the upper-right corner of the page:

The Gateways page lists all on-premises data gateway clusters installed on the tenant. In addition, you can review
the following information about these clusters:
Gateway Cluster Name: The name of the gateway cluster.
Contact Info: Admin contact information for the gateway cluster.
Administrators: The list of gateway administrators.
Gateways: The number of gateway members in the gateway cluster.
The gateway cluster list includes both On-premises data gateways and On-premises data gateways (personal
mode).
NOTE
On-premises data gateways in non-default environments/regions are currently not included.

Display gateway members


Select the Open in new window icon next to the gateway cluster name to see the gateway members, device
name, and version in each gateway cluster.

Manage users
Select the People icon next to the gateway cluster name to see the list of gateway users. Add or remove
gateway admins in the Manage Users page.
For personal gateways, this would show the owner of the personal gateway and cannot be changed due to the
security scope of personal gateways.
For On-premises data gateway in standard mode, users can be added in any of the following three categories.
Admin:
Power BI: Administrators have full control of the gateway, including adding other admins, creating data
sources, managing data source users, and deleting the gateway.
PowerApps and Flow: Administrators have full control of the gateway, including adding other admins,
creating connections, additionally sharing gateways in Can use and Can use + share permission levels
and deleting the gateway.
Others: Administrators have full control of the gateway, including adding other admins and deleting the
gateway.
Can use: Users who can create connections on the gateway to use for apps and flows but cannot share the
gateway. Use this permission for users who will run apps but not share them. Applies only to PowerApps and
Microsoft Flow.
Can use + share: Users who can create a connection on the gateway to use for apps and flows, and
automatically share the gateway when sharing an app. Use this permission for users who need to share apps
with other users or with the organization. Applies only to PowerApps and Microsoft Flow.
NOTE
Can Use and Can use + share apply only to PowerApps and Microsoft Flow.
While sharing gateways for Can use and Can use + share permission levels, you can restrict the data source type that
the user can connect over the gateway. At least one data source type should be selected for the user to be successfully
added.

Search
Use Search to find gateway clusters and see their details. You can search for gateway cluster names and contact
info, but not administrators.

Manage installers
As either an Azure AD Global administrator (which includes Office 365 Global admins) or a Power BI service
administrator, use Manage Gateway installers to manage who can install the On-premises data gateway in your
enterprise. This operation isn’t available for gateway admins.
NOTE
This feature does not apply for On-premises data gateways (personal mode).

1. Go to the Power Platform Admin center.


2. Select Data Gateways from the left-side menu.
3. Select Manage Gateway installers.

4. Enable Restrict Users in your organization from installing gateways. This option is off by default,
allowing anyone in your organization to install a gateway.

5. Add users who can install a gateway, and then select Add.
NOTE
Currently, we do not support groups for Manage Installers; you can add individual users.

6. To remove users who have permission to install a gateway, select Remove installer, and then select
Confirm.
NOTE
This does not impact gateways which are already installed. This feature only allows or restricts users from installing
gateways going forward.

If a person who doesn’t have access to install gateways tries to install one, they will get the following error once
they provide their credentials during the gateway registration.

See also
On-premises data gateway
Connecting to on-premises data sources with On-premises Data Gateway
About environments
8/9/2019 • 8 minutes to read

[This topic is pre-release documentation and is subject to change.]


Environments are containers that administrators can use to manage apps, flows, connections, and other assets;
along with permissions to allow organization users to use the resources. Environments are tied to a geographic
location that is configured at the time the environment is created. Environments can be used to target different
audiences and/or for different purposes such as dev, test and production. The actual number and purpose of
environments in your tenant is up to you as an administrator. In the ALM section we will cover some potential
scenarios to help you choose what is best for you.
Common Data Service databases are created in the context of environments. Each environment, if you are licensed
for Common Data Service, can have at most one database. If your organization signs up for one of the Dynamics 365
Customer Engagement apps, an environment with a Common Data Service database will be created to support
that application.

Environment security roles


Environments use security roles to determine what a user is able to do in the scope of that environment. The
default roles that are available differ depending on if a Common Data Service database has been created in the
environment.
Environments without a Common Data Service database have two built-in security roles: Environment
Administrator and Environment Maker. Environment Makers can create and share apps, connectors, gateways etc.
in the environment. Users in the Environment Maker, or Office 365 tenant Global Administrator role can all
manage the environment which includes adding/removing users, creating the Common Data Service instance,
viewing and managing all resources created and setting Data Loss Prevention policies.
Once a Common Data Service database has been created in an environment, all users of the Environment Admin
role will now be members of the System Administrator role instead. The Common Data Service security roles will
now take over for controlling security in the environment. Users or groups previously assigned the Environment
Maker role will need to be manually reassigned to one of the Common Data Service security roles. The following
are the initial Common Data Service security roles that exist prior to you creating any custom roles.

ROLE: DESCRIPTION

System Administrator: This role takes over for the Environment Admin and has complete ability to customize and
administer the environment. Users of the role also have full read-write access to data in the database. The role
cannot be updated to change the privileges granted. Care should be taken in assigning this to the right people.

System Customizer: This role has full permission to customize the environment. The role’s data access is focused
only on data owned by the user. This role can be modified but it is not recommended to modify.

Environment Maker: Can create new resources associated with the environment including apps, connections,
gateways and flows. There are no default privileges to data included. This role can be modified but it is not
recommended to modify.

Common Data Service User: This is a basic user role, with ability to run apps and perform common tasks but no
ability to customize the system. The data access is focused on Read access to most Common Data Model core
entities with full access to records owned by the user. This is a good role to consider copying to make a custom
security role for users.

Delegate: This is a special role designed to give a user permission to act on behalf of another user. For more
information, see Impersonate another user.

In addition to these default roles, you can also create custom security roles. Custom security roles should be
created to support applications built in your organization. Custom security roles can also come with applications
you install from App Source or if your users sign up for Dynamics 365.

Types of environments
There are multiple types of environments. The type of environment indicates the purpose and determines the
environment characteristics. The following table summarizes the current types of environments that you might
encounter.

TYPE: DESCRIPTION

Production: This is intended to be used for permanent work in an organization. It can be created and owned by an
administrator or anyone with a PowerApps license, provided there is 1GB available database capacity. These
environments are also created for each existing Dynamics 365 Common Data Service database when it is upgraded
to version 9.0 or later. Production environments are what you should use for any environments on which you
depend.

Default: These are a special type of production environments. Each tenant will have a default environment
created automatically and it has special characteristics described below in further detail.

Sandbox: These are non-production environments and when associated with a Common Data Service database
instance offer features like reset.

Trial: Trial environments are intended to support short term testing needs and are automatically cleaned up
after a short period of time.

Developer: Developer environments are created by users with the Community Plan license. They are special
environments intended only for use by the owner. Sharing with other users is not possible in these environments.

Default environment
Each tenant will have a default environment created automatically in the region nearest the Azure Active Directory
(Azure AD) tenant. This environment has a few characteristics that set it apart from other environments that you
create. This environment can’t be disabled or deleted. All tenant users are added automatically to the maker role
for the default environment and you can’t remove them from that role. They are not, however, added automatically
to the environment administrator role. This makes the default environment the perfect place for people to build
personal productivity apps and flows.
The default environment is also the only place you can currently create gateways to connect to on-premises
resources. So, if you have an application that needs on-premise resources, the app, its connector and the gateway
must be created and run from your organization’s default environment. It is planned to allow creation of gateways
in the non-default environments in the future.
Another unique consideration of the default environment is that you can’t create a Common Data Service database
in it. This, however, will be supported in the future.

Environment regions
When you create an environment, you will pick a geographic location. Application components, including the
Common Data Service database will reside in that region. Generally, you will want to choose a location closest to
the majority of your users that will be using applications in the particular environment. If you are connecting to
other existing external resources, you should consider their location as well. You should also consider any data
residency issues when choosing a location.

Who can create environments


As a global administrator in the admin portal, you will be able to see a list of all environments created by users in
your tenant. Any administrators and users will be able to create new environments, provided there is 1GB available
database capacity. Users with the Community plan license can also create one Developer environment.
Impact of multiple environments on users
While it might be tempting to have users partitioned off into smaller environments it is important to consider the
impact on the users in that decision. When users access the PowerApps Canvas App Player or the Flow application
from the Web Browser or Windows Store the user will select and work within a single environment. By default, that
environment will be set to the tenant default environment. Users can change their environment in the players and
portals using the environment selector.

Having users’ applications and other assets spread across multiple environments will result in the user frequently
having to adjust their environment setting. The best user experience is when the user stays within a single
environment for most of their daily use.
In the mobile applications the user is presented with a consolidated list of applications across the environments
they have access to. Each application indicates the environment. This reduces the need to switch, however it
introduces the need for the user to choose the correct application. For example, imagine if you had an application
Device Ordering and it was deployed to environment Test and environment Production. If the user had access to
both environments it would show up twice on the list. The user would have to differentiate between the two. Some
of this can be minimized by only granting access as needed and then only temporarily to the Test environment.

Impact of multiple environments on Connectors


When an application uses a public connector (available for all tenants), the connector is configured for use within
the context of an environment. Custom connectors are also configured in the context of an environment. If an app
is moved to another environment the public connector references will be recreated upon import. Custom
connectors must be re-configured manually in that target environment.
Applications that use the Common Data Service connector can currently communicate only with Common Data
Service databases in the same environment. This works well for apps that need to move between a dev, test and
production instance because it adjusts automatically when imported into the next environment. This can be
challenging if you have two environments, one named Team Apps and another named CRM Data (which holds
your Dynamics 365 instance): an application using the Common Data Service connector in the Team Apps
environment would not be able to access data in the CRM Data instance. A current workaround for this is to use
the Dynamics 365 connector instead of the Common Data Service connector, since it can connect to multiple
instances. That flexibility does result in more complexity if the application is moved from dev to test to
production and the instance needs to change as it is promoted; this must be done manually in the app once imported.

Impact of multiple environments on Common Data Service


When thinking about how to organize your environments you should consider where your data lives. Having a
single production environment with your Common Data Service is the simplest configuration as it makes accessing
data from apps the easiest. Having multiple environments, each with their own Common Data Service database,
might make sense in a few different scenarios. First, users have data that is geographically separated, and they
don’t share across those boundaries. Second, different applications make conflicting or incompatible use of
Common Data Service. Third, users are building personal or team productivity applications that need
Common Data Service data but as an organization you aren’t ready to mix that with the rest of your enterprise
data.
See also
Microsoft Learn: Create and manage environments in Common Data Service
About Common Data Service
6/29/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]

Common Data Service


The Common Data Service is a cloud scale database used to securely store data for business applications built on
PowerApps. Common Data Service is an abstraction on top of underlying Azure cloud data management services
to make it easier to build business applications. Common Data Service provides not just data storage, but a way to
implement business logic that enforces business rules and automation against the data. Data in Common Data
Service is organized as entities; for example, account and contact are two entities. These entities
can have relationships that define the business connection between the data stored in an entity. For example, John
works for Contoso would be expressed as a relationship. The security model of Common Data Service enables data
protection down to the field level on individual records. A more thorough discussion of security will be covered in
the security section.
Common Data Service databases are created in the context of a PowerApps environment. Each environment can
have only a single Common Data Service database. Common Data Service databases can be provisioned by you or
licensed individuals in your organization to support their custom applications. Common Data Service databases
are also automatically provisioned when a Dynamics 365 Customer Engagement application is added to your
tenant.

Managing Common Data Service database instances


The easiest way to know if you have a Common Data Service database associated with your environments is to
look at the detail page of the environment from admin.powerapps.com. If you see the Create my database button
then you don’t have one in that environment yet and can create one.

On the other hand, if you don’t see the Create my Database link then the Common Data Service database instance
exists and you can click on the Dynamics 365 Administration center link to navigate to the list of all your Common
Data Service databases.
From the Dynamics 365 Admin center you can open the instance as well as manage and view some of the instance
details. The actions you can take on each instance currently depend on whether it started as an instance for Dynamics
365 Customer Engagement or you started it with just the core Common Data Service entities. For core Common
Data Service instances, you can only copy or set notifications. On Dynamics 365 Common Data Service instances
you also have the ability to reset the instance if it is of type sandbox, and potentially convert an instance to a
sandbox to then test or reset.

Common Data Service backups and restore


From here you can also see the database backups. As you can see from the following image, backups run
automatically every day. No action is required by you, or any administrator to ensure daily backups.

You do however have the option to manually take a backup. A great use for this is before doing big data imports or
changes or deploying new releases of applications.
Once the manual backup is completed it will show in the list of other backups allowing you to select it as the
restore point.
See also
Microsoft Learn: Introduction to Common Data Service
Types of PowerApps
3/22/2019 • 4 minutes to read

[This topic is pre-release documentation and is subject to change.]


In the overview we hinted that there are two distinct types of applications, PowerApps Canvas apps and PowerApps
Model-driven apps, and in this section we will drill deeper into what you should be concerned with as an
administrator. First, model-driven apps require a Common Data Service database and are built on top of the data
modeled in that database instance. Model-driven apps materialize views and detail screens based on the data
structure. Because of this, they offer users a more consistent look and feel from one screen to the next without
much effort by the creator. Canvas apps on the other hand can be built with or without a Common Data Service
database. They use connectors to access data and services. Canvas apps start with a blank screen like an artist’s
canvas and the creator manually lays out each screen. This allows the creator to have complete control of
placements of controls on the canvas. Regardless of the two types, apps will be built in the context of a PowerApps
environment.

It is also possible as the scenarios get more complex that your solution contains both types of apps.

User access to apps


Users obtain access to apps by having them shared with them. The technical specifics of how that sharing works
differ between canvas apps and model-driven apps. Canvas apps are shared with users, Azure AD
Security Groups or the whole organization. Model-driven apps you share by adding a user to a Common Data
Service security role that is associated with the application. We will cover more on Common Data Service security
roles in the Security section of this paper. The following is an example of sharing an app, where you can choose to
also allow them access to edit in addition to using the app.
When you share an app the user will need access to the resources the app depends on. Some of the resources are
shared automatically; others require the users you shared the app with to take action prior to use. We will cover
more on connectors shortly in the Connectors section.

Application players
Both types of applications can be used as web applications from mainstream web browsers. Both types of
applications can be discovered from web.powerapps.com. Dynamics 365 users can also discover them from
home.dynamics.com application list as well as in the common application navigation list. Mobile users can run the
application in a device installed player app on both phones and tablet devices. Currently, the player application for
canvas apps

Versions of the application


When you save a PowerApps canvas app it creates a new version of the application and it is published for the
owner of the application and anyone that has permission to edit the app. Any other user that the application is
shared with will still see the “live” version. Once ready, the new version can be published by explicitly clicking on
the “Publish this version” link.

In the event the new version has problems, a prior version can be restored by clicking the Restore button next to
that version. In the example above, there are two versions of an app. If the Restore button is clicked on version 1,
PowerApps will create a new version 3 of the application that is identical to version 1. In this way history and audit
information is preserved and the maker could elect to return to version 2 and fix issues at a later date. This
lightweight application lifecycle management (ALM) is perfect for productivity applications built by your organization’s
users without introducing them to the additional overhead of deploying to multiple environments.
For model-driven applications there is also a concept of publish that happens after change of most visual
components in the application. For example, if you change the application navigation, users in the same
environment will not see the change until Publish is completed. Restore is typically accomplished with model-
driven applications by exporting a solution version and re-importing it to restore.

Exporting and importing apps


Both types of applications can be exported and then re-imported into other environments, both in the same tenant
and in different tenants. Both export into a zip file; however, the apps are organized differently in their
respective packaging. Canvas apps export standalone and model-driven apps export along with any related
Common Data Service components. In the future, canvas app export functionality will be included in the Common
Data Service solution framework allowing you to have one solution package that represents all the components in
your application. Exporting and importing allows a more complete application lifecycle management (ALM)
than the lightweight ALM versioning we described previously.
Today, when you export a canvas app, you will choose the action that will be taken in the target environment. You
can also choose to add a comment on each resource.

On import, prior to completion of the import the related resources will need to be configured to have the proper
connections established in the target environment. Custom Connectors and Common Data Service customizations
will need to be established prior to the import. If the Update action is chosen on import, the new version will be
saved as a draft and will need to be “Published” before users will be able to use it. This allows an opportunity to
test the application in the environment without impacting existing users.

What apps already exist?


From the Admin Center admin.powerapps.com you can look at each environment and inside the Resources see a
list of any apps that are associated with that particular environment.
About Microsoft Flow
3/22/2019 • 3 minutes to read

[This topic is pre-release documentation and is subject to change.]


Microsoft Flow is an online workflow service that allows automating tasks across multiple services using
connectors. Flows are started when a triggering event occurs; this could be a record being created, a scheduled
execution, or even a button click from the Microsoft Flow mobile application. Once triggered, the flow proceeds to
execute the actions in the flow. Conditions are used to guide the flow to the proper actions. You may find it
helpful to create some flows yourself to support your administration of your company’s PowerApp environments.
The following is a simple example of a Flow, with a trigger using the Twitter connector and three other actions that
will run in sequence.

User access to Flows


By default, only the owner of the flow can execute the flow. The owner can invite other users and groups to be
owners and this creates a “team flow”. All owners of a team flow can view the history, manage properties on the
flow, edit the flow, add and remove other owners (but not the creator), and delete the flow.

Microsoft Flow vs Logic Apps


Microsoft Flow is built on top of Logic Apps. Logic Apps is an orchestration engine and part of the Microsoft Azure
cloud service. Both services can be used to automate tasks and perform integration across systems. Using Logic
Apps directly is more Pro Developer/Integrator focused, whereas Microsoft Flow is more focused on individual
and team productivity. As flows start being able to be packaged with the Common Data Service solution
framework (coming soon) and moved between environments together with other Common Data Service
customizations, expect to see more enterprise line of business applications relying on Flow in places where Logic
Apps might previously have been the preferred solution.
A key advantage of Microsoft Flow is that it shares the same environments and connectors as PowerApps. This
allows for easy interoperability between PowerApps and Flow. A PowerApp can directly invoke a Flow: for
example, a scheduling app could call a Flow that asynchronously sends calendar invites to attendees. Or a Flow
could use the push notification connector to send notifications to users’ mobile devices.
When used directly Logic Apps run in the context of an Azure subscription and you pay for each action that is
invoked in the Logic App run. Microsoft Flows on the other hand are owned and run in the context of a user and
the billing model counts the full execution towards an allotment you get with your licenses.
Exporting and Importing Flows
Flows can be exported and then re-imported into other environments, both in the same tenant and in different
tenants. Today, flows export into their own zip file, separate from applications and other Common Data Service
components. In the future, flow export functionality will be included in the Common Data Service solution
framework allowing you to have one solution package that represents all the components in your application.
Flows can also be exported in a Logic App format, allowing conversion of the flow to a Logic App. This capability
allows you to move from the flow execution model to the Logic App execution model as well as take advantage of
some of Logic Apps’ more advanced features.

What Flows already exist?


From the Resources -> Flows tab on the environment details page you can get a list of all flows and who owns the
flow. You also have the ability as an administrator to turn on/off the flow as well as delete it.

You can also explore this information from the PowerShell cmdlets – we cover more details on that in the
Management and Monitoring section.
About Connectors
6/4/2019 • 4 minutes to read

[This topic is pre-release documentation and is subject to change.]


Connectors are essentially proxy wrappers around the APIs provided by services that allow Microsoft Flow,
PowerApps and Logic Apps to easily interact with the service. Connectors can be either public or custom. There are
currently over 200 public connectors that can be used by all organizations. Examples of public connectors are
Office 365, Common Data Service, Twitter, Dropbox and more. Custom connectors are defined in the context of an
environment and are only available to apps and flows within that environment. Connectors make triggers and
actions available that can be used by the apps and flows. Triggers are used by flow or Logic Apps to start the
execution of the workflow. Actions are used by apps and flows to perform a defined set of actions during execution.
Sharing of canvas apps that use Connectors
Some connectors are shared automatically when you share the app. Others require that the user the app is shared
with create their own connections. From web.powerapps.com you can check the connection and see if the share tab
is present; if it is, then the connection will be shared automatically. Otherwise, the user will need to create their own
connection. Custom connectors are shared, but users must create their own connection to them. This means that the
user the app is shared with needs to have the credentials or key if the custom connector requires one.

Sharing of Flows that use Connectors


Flows can be shared with other users either as co-owners or run-only users. When a user adds another user or
group as an owner of a Flow those users will have full access to all the connections used in the flow. This means if
they run the flow it will take the action in the context of the user signed into the connection. Because they are co-
owners of the Flow they will also be able to modify the flow using the connections that already exist. They may also
change the login on the connection; however, they are not required to do so. Co-owners are limited to using the
connection with that flow; they can’t create a new flow and use the same connection. The following is an example of
the warning that is presented when you add a co-owner.

Notice that in this example it is an Admin account. Since it is sending a notification this is probably not a great
concern, but if it were a more sensitive connector this could allow escalation of privileges beyond what is intended in your
security models.
Run-only sharing is an option when the flow is manually triggered. This option allows greater control because, first,
the user does not have the ability to edit the flow, only to run it. Second, when you invite the user you can specify
whether to reuse the existing connection or require the user to provide their own. To manage the Run-Only users, drill down
on the Flow from the list of Flows and you will see the following:
From here you will see a dialog to specify the user or group as well as a list of the connections and the choice for
each on how to grant access. The following shows the connection configuration and how you can choose to force
the user to sign-in to their own connection.

One of the more recent additions is the ability to share a flow with a SharePoint List or an Office 365 Group. In this
scenario, the Flow is available to all members of the group in the case of Office 365 groups. For SharePoint Lists,
anyone with edit access to the list would have access to the flow. The flow would then show up with the ability to
execute it from the application navigation.
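The co-owner and run-only sharing rules described above can be checked mechanically. The following Python sketch is an added example, not part of the original documentation or of any Microsoft tooling: it audits a constructed flow inventory for principals who can act through a connection signed in as someone else. The record fields, the sensitive-connector list and the severity ratings are assumptions for illustration, not the schema of the admin center or the PowerShell cmdlets.

```python
from dataclasses import dataclass, field

# Assumptions for this example: which connectors are sensitive and which
# accounts are privileged are local policy choices, not defined by the platform.
SENSITIVE_CONNECTORS = {"Common Data Service", "Office 365 Users"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
# Run-only users cannot edit the flow, so the same exposure is rated one step lower.
RUN_ONLY_DOWNGRADE = {"high": "medium", "medium": "low", "low": "low"}


@dataclass
class Connection:
    connector: str
    signed_in_as: str  # account whose credentials the connection uses


@dataclass
class RunOnlyGrant:
    principal: str
    # connector name -> "reuse" (existing connection) or "own" (user must sign in)
    connection_choice: dict


@dataclass
class Flow:
    name: str
    connections: list
    co_owners: list = field(default_factory=list)
    run_only: list = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    severity: str
    flow: str
    principal: str
    connector: str
    acts_as: str
    via: str  # "co-owner" or "run-only"


def rate(conn, privileged):
    """Rate the exposure of letting someone else use this connection."""
    if conn.connector in SENSITIVE_CONNECTORS:
        return "high" if conn.signed_in_as in privileged else "medium"
    return "low"  # e.g. a notification sent from an admin account


def audit(flows, privileged):
    """Return findings for every principal who can act as another account."""
    findings = []
    for flow in flows:
        for conn in flow.connections:
            base = rate(conn, privileged)
            # Co-owners get full access to every connection in the flow and can
            # edit the flow, so it can be changed to do new things as that account.
            for owner in flow.co_owners:
                if owner != conn.signed_in_as:
                    findings.append(Finding(base, flow.name, owner, conn.connector,
                                            conn.signed_in_as, "co-owner"))
            # Run-only users borrow an identity only when the grant reuses the
            # existing connection. A missing choice is treated as "reuse" here
            # (conservative assumption).
            for grant in flow.run_only:
                choice = grant.connection_choice.get(conn.connector, "reuse")
                if choice == "reuse" and grant.principal != conn.signed_in_as:
                    findings.append(Finding(RUN_ONLY_DOWNGRADE[base], flow.name,
                                            grant.principal, conn.connector,
                                            conn.signed_in_as, "run-only"))
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER[f.severity], f.flow, f.principal))


# Constructed sample inventory (not real tenant data).
PRIVILEGED = {"admin@contoso.example"}
SAMPLE_FLOWS = [
    Flow(name="Notify on new account",
         connections=[Connection("Notifications", "admin@contoso.example")],
         co_owners=["mary@contoso.example"]),
    Flow(name="Sync contacts",
         connections=[Connection("Common Data Service", "admin@contoso.example")],
         co_owners=["henry@contoso.example"],
         run_only=[
             RunOnlyGrant("george@contoso.example", {"Common Data Service": "reuse"}),
             RunOnlyGrant("john@contoso.example", {"Common Data Service": "own"}),
         ]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS, PRIVILEGED):
        print(f"[{f.severity}] {f.flow}: {f.principal} can act as {f.acts_as} "
              f"on {f.connector} ({f.via})")
```

The run-only user who must sign in to their own connection produces no finding, which is the configuration the section recommends when the connector is sensitive.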
Restricting Use of Connectors
Within each environment, data loss prevention policies let you limit which connectors can be used together in
a single application or flow. More on this in the section where we cover Data Loss Prevention (DLP) policies.

Connector Authentication Patterns


PowerApps and Flow authenticate with connectors to create a connection instance. It is that instance that contains
the specific configuration information necessary for the app or flow to talk to the connector API that is used in each
interaction. Connectors could choose to use no authentication, basic authentication, API key authentication or
OAuth 2.0. The most common are OAuth and API Key.
OAuth, if you aren’t familiar with it, is an authorization framework that allows external applications to obtain
controlled access to a target service. Many APIs support it, including Common Data Service, Facebook and Twitter
to name a few. The goal of authentication is to allow the user to sign in to a familiar login dialog, consent to the
application using the service, and then set things up so that tokens can be acquired. It is the tokens that are used on each
request to prove who the user is and their right to use the API. In the PowerApps and Flow usage, a Consent
Server is involved that helps manage the tokens and their lifecycle, including storing the renewal token in the
Consent Server and handling the refresh cycle. The following is a step by step look at what happens when you
authenticate a connection using OAuth.

The API Key is a little less complex as it typically involves the API assigning a key that is passed on each request.
That key is provided when the connection is established for the connector and is stored in the environment with the
other connection information in a secure way. An example of an API Key authentication connector is the Azure
Storage Blob. As you can see below it wants the Storage Account Name as well as the Access Key.
When on-premises gateways are involved the process is a little more complex still. The following diagrams what
happens when you establish a connection with the gateway data source.
About solution packages
3/22/2019 • 3 minutes to read

[This topic is pre-release documentation and is subject to change.]


The Common Data Service Solutions Framework provides solutions as containers to track and manage
customizations in a Common Data Service instance. This includes entity metadata, forms, views, and other
resources required to run the app including developer compiled code assets. A project solution starts in the
Common Data Service instance where the app is created, and the container is used to track any change made to
support the app. The solution can then be exported from that Common Data Service instance for transit to other
Common Data Service instances. This is commonly used to promote an application from a development instance
to test and then finally to a production Common Data Service instance. Today, canvas apps and flows have their
own packaging and are not included in the Common Data Service solution package but will be in the near future.

Types of Solutions
There are two types of solutions, managed and unmanaged. Solutions start out as unmanaged, meaning their
components can be modified. Managed solutions are locked down, meaning you can’t directly modify the
components. Managed solutions are created by exporting an unmanaged solution and requesting it be exported as
managed. That solution when imported into another target Common Data Service instance is then installed in a
managed state. Components in the managed solution can’t be directly modified, but they can be added into
another unmanaged solution that tracks changes as a separate layer. Multiple managed solutions that are installed
in the same Common Data Service instance create layers that combine for what the users see as the effective set of
customizations.
What the User Sees (Calculated)
Default Solution (Unmanaged Layer)
PowerApps - Model Driven App A (managed)
PowerApps - Model Driven App B (managed)
ISV Loan Calculator (managed)
Common Data Model

Creating Solutions
Each PowerApp environment has a default solution created automatically as an empty solution when the Common
Data Service instance is created in the environment. Directly in the Common Data Service instance you can create
additional unmanaged solutions and manage their components using Solution Explorer.

Installing Solutions
Solutions can be installed into a Common Data Service instance if all their dependencies have been met. A solution
becomes dependent when it uses something from another solution. Those dependent solutions must be installed
first. Solutions can be installed directly into a target Common Data Service instance from the Solution Explorer.
Solutions can also be deployed using the Package Deployer tool which can deploy a set of solutions along with
data into a Common Data Service instance. Package deployer can be run interactively, or from PowerShell. Package
Deployer is how Microsoft AppSource marketplace installs apps. Importing a managed solution is different than
importing an unmanaged solution. When you import an unmanaged solution, the changes are merged in with
other unmanaged changes in that Common Data Service instance. These merged changes can only be removed by
manually removing each individually. The administrator must also publish the unmanaged changes to have any
non-schema (e.g. display labels) changes be visible to other users.

Uninstalling Solutions
Solutions are uninstalled by deleting them from the Common Data Service instance. The result of the delete action
varies greatly between managed and unmanaged solutions. Because unmanaged solutions are merged in with
other changes, it is not possible to remove them as a unit. Removing an unmanaged solution simply removes the
solution container and all the components remain in the instance. The remaining components must manually be
removed one by one. In fact, some unmanaged changes, such as a label change, must be reverted manually.
Deleting a managed solution acts more like a true uninstall: it removes all the solution components that were installed if
nothing new has taken a dependency on them. This includes removing any data from entities that were only defined and used
by that solution. So, before removing a solution, make sure that you no longer need the data. In many
cases you might find that you want to first export the data before the remove/uninstall.
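The layering, install-order and uninstall behaviour described in this section can be seen in a small model. The following Python code is an added example, not part of the original documentation: a simplified model of one Common Data Service instance with constructed component names. Two points are modelling assumptions rather than statements from the text: later-installed managed solutions sit higher in the stack, and unmanaged changes on a removed component are removed with it.

```python
class DependencyError(Exception):
    """Raised when an install or uninstall would break a dependency."""


class Instance:
    """Simplified model of solution layers in one Common Data Service instance."""

    def __init__(self, system):
        self.system = dict(system)  # bottom layer (Common Data Model)
        self.managed = {}           # name -> (components, requires), in install order
        self.unmanaged = {}         # every unmanaged change, merged into one layer
        self.containers = {}        # unmanaged solution name -> component names
        self.rows = {}              # entity name -> stored records

    def import_managed(self, name, components, requires=()):
        missing = [r for r in requires if r not in self.managed]
        if missing:
            raise DependencyError(f"install {missing} before {name}")
        self.managed[name] = (dict(components), set(requires))

    def import_unmanaged(self, name, components):
        self.unmanaged.update(components)   # merged; the origin is not tracked
        self.containers[name] = set(components)

    def effective(self):
        """What the user sees: system, then managed layers, then unmanaged on top."""
        view = dict(self.system)
        for components, _ in self.managed.values():
            view.update(components)
        view.update(self.unmanaged)
        return view

    def delete(self, name):
        """Delete a solution and return the components that left the instance."""
        if name in self.containers:
            del self.containers[name]       # only the container goes
            return []
        blockers = [n for n, (_, req) in self.managed.items() if name in req]
        if blockers:
            raise DependencyError(f"{blockers} depend on {name}")
        components, _ = self.managed.pop(name)
        kept = set(self.system)
        for other, _ in self.managed.values():
            kept |= set(other)
        removed = sorted(c for c in components if c not in kept)
        for c in removed:
            self.unmanaged.pop(c, None)     # assumption: the overlay goes with it
            self.rows.pop(c, None)          # entity data is deleted too
        return removed


def build_sample():
    """Constructed instance: one ISV solution, one dependent app, one unmanaged change."""
    inst = Instance({"contact.label": "Contact"})
    inst.import_managed("ISV Loan Calculator", {"loan": "entity", "loan.label": "Loan"})
    inst.import_managed("Model Driven App A", {"contact.label": "Customer"},
                        requires=["ISV Loan Calculator"])
    inst.import_unmanaged("Team tweaks", {"loan.label": "Loan request"})
    inst.rows["loan"] = [{"amount": 1000}]
    return inst


if __name__ == "__main__":
    inst = build_sample()
    print("effective:", inst.effective())
    print("delete unmanaged:", inst.delete("Team tweaks"), inst.effective()["loan.label"])
    try:
        inst.delete("ISV Loan Calculator")
    except DependencyError as exc:
        print("blocked:", exc)
    print("delete app:", inst.delete("Model Driven App A"))
    print("delete ISV:", inst.delete("ISV Loan Calculator"), "rows:", inst.rows)
```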
About licensing and license management
8/29/2019 • 7 minutes to read

[This topic is pre-release documentation and is subject to change.]

NOTE
For information about licensing changes coming to PowerApps and Microsoft Flow in October 2019, see PowerApps and
Microsoft Flow licensing FAQs for October 2019.

Organizations can obtain licenses either by licensing Microsoft PowerApps or Flow specifically or through their being
included in the license of another Microsoft cloud service offering. For example, both Office 365 and Dynamics 365
provide entitlements for PowerApps and Microsoft Flow. As with most Microsoft licensing, you can mix and match
for users as appropriate giving some additional entitlements.
Regardless of how they are obtained, all licenses are user based. In the rest of this section we will highlight some of the key
points of licensing, but this is not the product licensing documentation; you should consult that for any of the latest
details. Links for pricing and specific plan details can be found later in this section.
First, let’s look at what you, as the administrator, will need to have the best administrator experience. While you can
do basic administration with any of the licenses with PowerApps entitlements, the best experience is with
PowerApps P2 and that is what Microsoft recommends for administrators. This provides the ability to create
additional environments as well as Common Data Service. It also provides the best experience in the
administration centers for controlling the environments.
The following summarizes the access based on various administrator role and license combinations. As you can
probably tell, Global Admin with a PowerApps P2 license provides the most complete administrator
experience. Without a PowerApps P2 license the administrator can view some information but is only able to administer
their own assets.

USER/LICENSE TYPE | LICENSE MANAGEMENT | POWERAPPS ADMIN PORTAL | MANAGE ENVIRONMENTS | DATA LOSS POLICIES | DYNAMICS 365 ADMIN CENTER
Global Admin without PowerApps P2 | Yes | Sees only DLP policies and Tenant level user reports and statistics | No | Can create but only for all environments | Can view Common Data Service instances
Global Admin with PowerApps P2 | Yes | Full access | Yes - all environments | Full ability to view, create, modify and remove | Full access
User Management Role | Yes | No access | No | No access | No access
User Management role with PowerApps P2 | Yes | No tenant level info, only own environments | Only own | Only own | No access
Dynamics Admin role | View only | No access | No | No access | No access
Dynamics Admin role with PowerApps P2 | View only | No tenant level info, only own environments | Only own | Only own | Full access

PowerApps has two primary standalone licensing tiers. PowerApps P1 is best suited for business users who
need to use basic PowerApps applications. PowerApps P2 is more focused towards Makers and Administrators
who want to create data models in the Common Data Service. Each PowerApps P2 user is entitled to create two
Production environments each having a Common Data Service database. Users of the apps built on the Common
Data Service only require PowerApps P1 unless they use advanced features like plug-ins and real-time workflows
or work with Dynamics 365 restricted entities (a list of these can be found here:
https://docs.microsoft.com/powerapps/maker/common-data-service/data-platform-restricted-entities).
For example, John could create a PowerApps Canvas application that stores data in the Contact entity and two
custom entities in a Common Data Service environment he created. For this, he would need a PowerApps P1 or P2
license to build the application and customize Common Data Service. Mary and Henry are users of the application
John built. John had shared the application with them, so they could use it. Mary and Henry would be ok with just a
PowerApps P1 license or a license that came with Dynamics 365. If either of them had only PowerApps that came
with Office 365 they would however need to upgrade their license to at least a PowerApps P1.
Building on that example, John asked George, a developer at the company, to create a plug-in on one of the custom
entities. The business logic would do some automated processing every time the data was updated. This advanced
business logic usage would now require all users that wanted to use the canvas app to be upgraded to a
PowerApps P2 license. You can find additional Entity Licensing examples here:
https://docs.microsoft.com/en-us/powerapps/maker/common-data-service/data-platform-entity-licenses.
PowerApps licenses include an equivalent Microsoft Flow license. It is also possible however to license flow by
itself. Flow also has a free plan. All Flow plans offer unlimited creation of Flows but vary based on number of runs
included and the time delay for checking for new work to perform. In addition to the key differences documented in
the chart below, it is important to note that with the free plan the runs are per person, whereas runs for other licenses
aggregate at the tenant level.

FLOW PLAN | NUMBER OF RUNS | CHECK FOR NEW WORK
Free | 750 | Every 15 minutes
Office and Dynamics 365 | 2,000 | Every 5 minutes
P1 | 4,500 | Every 3 minutes
P2 | 15,000 | Every 1 minute

Organization level accumulated entitlements


Licenses for Flow include a specific number of executions of the automation for each user. These allowances are
accumulated for all users in your organization on all plans except for the Free plan. For example, if you had 100
users each with 2,000 runs, your organization would have 200,000 monthly runs. That means that if one user uses a large
number of runs you will not be penalized as long as you stay under your organization’s total accumulated allowance.
Use of connectors
Apps and Flows use connectors to interact with services. Connectors can be standard, premium or custom. To use
premium connectors users must be licensed with PowerApps P1 or P2 licenses.

Trial Plans
Trial plans are available for both PowerApps and Microsoft Flow plans 1 and 2. Free trials last 30 days for
PowerApps and 90 days for Microsoft Flow plans. Users can self-service sign up for these trials in your
organization. This can be done by explicitly visiting the pricing pages or by being prompted when they attempt an
action in the apps that require additional licensing.
For Microsoft Flow, an unlicensed user that signs in to flow.microsoft.com will be set up with the free Flow plan. If
later they try to perform an action like sharing a Flow, they will be prompted to sign up for a trial. In this example, if
the user accepted the offer for trial they would be signed up for a Flow Plan 2 trial. This trial would not show up
under the user licenses in the Office 365 Portal, however you would be able to see it in the PowerApps license
report discussed later in this security section.
For PowerApps, if a user signs up for a PowerApps P1 trial they will be upgraded to a PowerApps P2 trial if needed
for any of the actions they take such as creating an environment. If they sign up for the trial by visiting
web.powerapps.com it will start as a PowerApps P2 trial.
As the administrator, you will likely be assisting users that had started in a trial and either want to continue
experimenting or are ready to get a regular license to keep working with the app they are building. If you are
moving to a regular license for a user, it would also be a good time to work with them to see if their app should stay
where it was built or should be moved according to the environment strategy you adopt. For those not ready to get
a full license but who want to keep experimenting, you could help them get set up on the community plan and help them
move their application and flow assets into their new developer environment.

PowerApps Community Plan


In addition to the trial plans, there is also a free PowerApps Community Plan. This is a special plan that allows
individual self-service sign up and it provides an individual environment that the user can use to build apps and
flows. These environments will show up on the administrator’s list of environments and will list the type of
environment as “Developer”. The environments are for individual use, so there is no ability to share with other
users. Users in your organization can self-service signup for this plan even if they have PowerApps and Flow
license entitlements via another licensing plan. Signup for the community plan can be found here
https://powerapps.microsoft.com/en-us/communityplan/ and more details on its features here
https://docs.microsoft.com/en-us/powerapps/maker/dev-community-plan

What users are licensed


You can always look at individual user licensing in the Microsoft 365 admin center by drilling into specific users.
From the PowerApps administration center you can also produce a report focused on PowerApps licenses. This is
one of the steps we recommend you do right away as a new administrator trying to understand your current
licensing.
You can download the report from admin.powerapps.com -> Tenant -> User Licensing
The report is an Excel workbook; once it is downloaded you can use all of Excel’s features to filter the data to what
you are looking for. The following is an example of the downloaded workbook.
Licensing overview
8/29/2019 • 8 minutes to read

NOTE
For information about licensing changes coming to PowerApps and Microsoft Flow in October 2019, see PowerApps and
Microsoft Flow licensing FAQs for October 2019.

About PowerApps licenses


PowerApps is licensed on a per-user basis.
User licenses are assigned on a named user basis; each user needs a separate license to run apps.
PowerApps licenses do not limit the creation of apps.
Any PowerApps license is eligible to administer apps.
PowerApps is available with two standalone plans—PowerApps Plan 1 and PowerApps Plan 2.
PowerApps Plan 1 provides access to Common Data Service to store and manage data. Users can run canvas
apps that are built on Common Data Service, use premium connectors, access data in custom applications or
on-premises data.
PowerApps Plan 2 allows users to run model-driven apps with code plug-ins and real-time workflows.
For details please visit the PowerApps pricing page or download the Licensing guide.
In addition to the standalone plans, PowerApps capabilities are also included in certain Office 365 and
Dynamics 365 plans, allowing customers to extend and customize Office 365 and Dynamics 365 with
the PowerApps and Microsoft Flow capabilities that these offerings include. Select Dynamics 365 apps and plans
include a full PowerApps P2 license; learn more here.
The differences in functionality between these groups of licenses are described in more detail below.

Pricing
Please see the PowerApps pricing page for the latest pricing information for each PowerApps license (Plan 1 and
Plan 2). Please see the Microsoft Flow pricing page for the latest pricing information for each Microsoft Flow license.

Licenses
PowerApps for Office 365
PowerApps capabilities for Office 365 enable users to extend and customize the Office experience with
PowerApps and Microsoft Flow. Users can create Canvas applications based on Office 365 data. These
productivity apps can also utilize data outside of Office 365 by connecting to common services including Box.com,
Facebook, and many more via the use of standard connectors.

FUNCTIONALITIES | POWERAPPS FOR OFFICE 365
Create, run and share apps | Yes¹
Run canvas apps in context of Office 365 | Yes
Connect to Office 365 data | Yes
Connect to cloud services using standard connectors | Yes
Run apps in a browser or PowerApps mobile for iOS and Android | Yes
Run Canvas apps offline | Yes
Support for data policies established by the Office 365 administrator | Yes
Flow runs per user/month (includes Flow for Office 365) | 2,000
Access on-premises data or use premium or custom connectors | -
Data storage and management in Common Data Service | -

¹ For PowerApps for Office 365 Enterprise F1 please refer to the section below.
The following Office 365 plans include PowerApps for Office 365.

INCLUDED PLANS

Which Microsoft Office 365 plans include PowerApps? These plans include PowerApps for Office 365:

Office 365 Business Essentials
Office 365 Business Premium
Office 365 A1 for Faculty
Office 365 A1 for Students
Office 365 A1 Plus for Faculty
Office 365 A1 Plus for Students
Office 365 A3 for Faculty
Office 365 A3 for Students
Office 365 A3 for Student Use Benefit
Office 365 A5 for Student Use Benefit
Office 365 A5
Office 365 A5 for Faculty
Office 365 A5 for Students
Office 365 Education E3 for Faculty
Office 365 Education E3 for Students
Office 365 Education for Homeschool for Faculty
Office 365 Education for Homeschool for Students
Office 365 Enterprise E1
Office 365 Enterprise E2
Office 365 Enterprise E3
Office 365 Enterprise E3 Developer
Office 365 Enterprise E3 without ProPlus
Office 365 Enterprise E5
Office 365 Enterprise F1 includes PowerApps for Office 365 Enterprise F1

PowerApps for Office 365 Enterprise F1


PowerApps is included with Office 365 Enterprise F1, with which users can run apps and automate workflows.
This table contains specifics about what users can do with PowerApps for Office 365 Enterprise F1:

FUNCTIONALITY | POWERAPPS FOR OFFICE 365 ENTERPRISE F1
Run apps | Yes
Flow runs per user/month (includes Flow for Office 365) | 750
Run canvas apps in context of Office 365 | Yes
Connect to Office 365 data | Yes
Connect to cloud services using standard connectors | Yes
Run apps in a browser or PowerApps mobile for iOS and Android | Yes
Run Canvas apps offline | Yes
Support for data policies established by the Office 365 administrator | Yes
Create and share apps | Yes
Access on-premises data or use premium or custom connectors | -
Data storage and management in Common Data Service | -

PowerApps standalone Plan 1 and Plan 2


Standalone PowerApps plans provide users the ability to create and run apps across data sources that extend
beyond Office 365, such as Salesforce, on-premises and custom data sources. These plans also include access to
Common Data Service to store and manage data. Learn more about Common Data Service here.
Microsoft PowerApps Plan 1 subscriptions are for users who need to run canvas apps and access on-premises
data, data in custom applications and cloud services using premium connectors.
Microsoft PowerApps Plan 2 subscriptions are for users and administrators who need access to more
capabilities. These users can run model-driven apps that can include custom code plug-ins and real-time
workflows.
PowerApps Plan 2 free trial
Users can try PowerApps Plan 2 for free for 30 days. During the trial, users have access to all of the features in
PowerApps Plan 2. For information about how to sign up, see Self-service signup for PowerApps.
When the trial expires, users have these options:
Users who have access to PowerApps or Microsoft Flow through Office 365 or Dynamics 365 apps and plans
can still access PowerApps or Microsoft Flow. However, those users will lose access to any features that are
exclusive to Plan 2, as outlined on the PowerApps pricing page. Select Dynamics 365 apps and plans include
PowerApps Plan 2.
Users who don't have access through Office 365 or Dynamics 365 (select apps and plans) can request to
extend the trial, or they can purchase a stand-alone plan. For more information, see Purchase PowerApps for
your organization.
NOTE
To purchase PowerApps for an organization, you must be an Office 365 Global or Billing Admin of a tenant, or you must
create a tenant.

PowerApps Community Plan


If you want to build skills and learn more about PowerApps, Microsoft Flow, and Common Data Service, the
PowerApps Community Plan is the right plan for you. The PowerApps Community Plan gives you a free
development environment for individual use to learn with full functionality of PowerApps. See here for
PowerApps Community Plan.

Resource capacity is included with each license


Default subscription capacity
PowerApps Plan 1 and Plan 2 licenses include capacities of one or more of these resources. PowerApps and
Microsoft Flow subscription capacity leverages the same tenant and infrastructure and accrues across one tenant.

DEFAULT CAPACITY PER TENANT | POWERAPPS PLAN 1 | POWERAPPS PLAN 2
Common Data Service Database capacity | 1 GB | 10 GB
Common Data Service File capacity | 20 GB | 20 GB
Common Data Service Log capacity | 2 GB | 2 GB

Per-user licenses come with included capacity for resources used when an app or flow is executed. These
resources include data storage management and flow runs. The capacities included in the per-user licenses are
pooled at the tenant level and, when the tenant’s capacity is exhausted, customers may purchase additional
capacity through add-on licenses. For every increment of PowerApps or Flow user subscription licenses, the
included database and file capacity increases, as shown in the table below. The amount of database capacity that may be
earned or purchased per tenant is subject to the technical limit of 4TB/instance; there is no maximum on file or log
capacity.
Accrued entitlements per user subscription license
DEFAULT CAPACITY PER TENANT | POWERAPPS PLAN 1 | POWERAPPS PLAN 2
Common Data Service Database capacity | 20 MB | 250 MB
Common Data Service File capacity | n/a | 2 GB
Common Data Service Log capacity | n/a | n/a
Flow Runs per user/month | 4,500 | 15,000

NOTE
We’ve removed the requirement to purchase additional production or non-production environments for Common Data
Service. New environments can be created when at least 1 GB of database capacity is available. To learn how to create new
production or non-production instances, see Create an environment.
Capacity add-ons
When the tenant’s capacity is exhausted, customers may purchase additional capacity through add-on licenses.
Subscription add-ons apply across the tenant and are not tied to a specific user. Subscription add-ons can be
purchased at any time and remain a part of the subscription for the remainder of the subscription term.

POWERAPPS ADD-ON CAPACITY | PER TENANT/MONTH | MAXIMUM PER TENANT
Common Data Service Database capacity | $40/GB | 4TB/environment
Common Data Service File capacity | $2/GB | n/a
Common Data Service Log capacity | $10/GB | n/a
Flow Runs per user/month | $40/50K Runs | n/a

PowerApps for Dynamics 365


PowerApps is the platform to customize and extend Dynamics 365 applications in context of the Dynamics 365
use rights.
Select Dynamics 365 Applications can be customized using PowerApps and Microsoft Flow capabilities.
Dynamics 365 Enterprise Applications and Enterprise Plans also include PowerApps Plan 2 offering the ability to
create and run standalone custom applications.
PowerApps included in select Dynamics 365 apps and plans
Select Dynamics 365 Enterprise Applications and Enterprise Plans include PowerApps Plan 2, offering more
advanced customizations as well as the ability to create and run standalone custom applications.

FUNCTIONALITY | SELECT DYNAMICS 365 APPS (PROFESSIONAL, TEAM MEMBER, TALENT ATTRACT & ONBOARD) | DYNAMICS 365 ENTERPRISE APPS AND PLANS
Customize and extend applications and workflows within the context of Dynamics 365 application use rights | Yes | Yes
Create and run apps with custom entities | Yes, add up to 15 custom entities per application, customizations should map to application context/use rights | Yes
Access to restricted Dynamics 365 entities within the context of Dynamics 365 application use rights | Create, read, update and delete | Create, read, update and delete
Access to Dynamics 365 app APIs | Yes¹ | Yes
Run standalone PowerApps (canvas and model-driven) | - | Yes
Included Flow capacity (Pooled across tenant) | 2,000 Flow runs per user/month | 15,000 Flow runs per user/month; Flow Plan 2 included

¹ Team member license does not provide access to Dynamics 365 app APIs
Download the Dynamics 365 licensing guide to learn more about use rights for specific Dynamics 365
applications and plans.
These Dynamics 365 apps can be customized using PowerApps and Microsoft Flow capabilities
Dynamics 365 for Sales Professional
Dynamics 365 for Customer Service Professional
Dynamics 365 for Talent: Attract
Dynamics 365 for Talent: Onboard
Dynamics 365 Team Member
These Dynamics 365 apps and plans include PowerApps P2
Dynamics 365 Business Central
Dynamics 365 for Sales Enterprise
Dynamics 365 for Customer Service
Dynamics 365 for Field Service
Dynamics 365 for Project Service Automation
Dynamics 365 for Talent
Dynamics 365 for Retail
Dynamics 365 Customer Engagement Plan
Dynamics 365 Unified Operations Plan
Dynamics 365 Plan
Manage PowerApps licenses in your organization
8/6/2019 • 8 minutes to read

This article describes how users in your organization can get access to use PowerApps, and how you can control
access to the PowerApps service.

Sign up for PowerApps


What is PowerApps?
Microsoft PowerApps enables users to create applications for Windows, iOS, and Android mobile devices. Using
these apps, you can create connections to common SaaS services, including Twitter, Office 365, Dropbox, and
Excel.
How do users sign up for PowerApps?
The only sign-up option for individual users in your organization is the PowerApps Plan 2 trial, which they can sign
up for through the PowerApps website:
Option 1

Users can sign up by going to powerapps.microsoft.com, selecting Sign up free, and then completing the sign-up
process for PowerApps through admin.microsoft.com.
Option 2

Users can sign up by going to powerapps.microsoft.com, selecting Sign in, signing in with their work or school
accounts, and signing up for the PowerApps Plan 2 trial by accepting the PowerApps terms of use.
When a user in your organization signs up for PowerApps, that user is assigned a PowerApps license
automatically.

NOTE
Users who sign up for a trial license from within PowerApps don't appear in the Office 365 admin portal as PowerApps Plan
2 trial users (unless they have another license to Office 365, Dynamics 365, or PowerApps).

See Self-service sign up for PowerApps for more details.


How can users in my organization gain access to PowerApps?
Users within your organization can gain access to PowerApps in three different ways:
They can individually sign up for a PowerApps Plan 2 trial as outlined in the How do users sign up for
PowerApps? section.
You can assign a PowerApps license to them within the Office 365 admin portal.
The user has been assigned an Office 365 or Dynamics 365 plan that includes access to the PowerApps
service. See the PowerApps pricing page for the list of Office 365 and Dynamics 365 plans that include
PowerApps capabilities.
Can I block users in my organization from signing up for PowerApps?
Any individual can try out the features of Microsoft PowerApps Plan 2 for 30 days, and incur no costs as outlined
in the How do users sign up for PowerApps section. This option is available to any user in a tenant and cannot be
disabled by an admin. After the user's trial expires the user will lose access to PowerApps Plan 2 capabilities.
If a person signs up for a 30-day trial of Microsoft PowerApps Plan 2, and you choose to not support them inside
of your organization, they can in no way incur costs to your company. When an individual signs up for Microsoft
PowerApps, that is a relationship between that individual and Microsoft directly, like many public cloud
services from Microsoft, such as Bing, Wunderlist, OneDrive or Outlook.com, and does not in any way imply that
the service is provided by your organization.
Finally, if your company wishes to restrict the use of organizational-only data inside of Microsoft PowerApps, that
is possible through Data loss prevention (DLP) policies. For more details, see Data loss prevention (DLP) policies.

Administration of PowerApps
Why has the PowerApps icon appeared in the Office 365 app launcher?
Microsoft PowerApps is a fundamental part of the Office 365 suite and is enabled as a service as a part of existing
Office 365 SKUs. As users everywhere in the world can now use Microsoft PowerApps, it appears in 'All apps' in
the app launcher screen. See Licensing overview to understand which Office 365 SKUs now include PowerApps.
See the following section if you'd like to remove the PowerApps tile from 'All apps' by default.
How do I remove PowerApps from existing users?
If a user was assigned a PowerApps Plan 1 or PowerApps Plan 2 license then you can take the following steps to
remove the PowerApps license for that user:
1. Go to the Office 365 Admin Portal.
2. In the left navigation bar, select Users, and then select Active Users.
3. Find the user you want to remove the license for, and then select their name.
4. On the user details pane, in the Product licenses section select Edit.
5. Find the license called Microsoft PowerApps Plan 1 or Microsoft PowerApps Plan 2, set the toggle to
Off and then select Save.

If a user has access to PowerApps through their Office 365 and Dynamics 365 plan license, then you can disable
their access to the PowerApps service by taking the following steps:
1. Go to the Office 365 Admin Portal.
2. In the left navigation bar, select Users, and then select Active Users.
3. Find the user you want to remove access for, and then select their name.
4. On the user details pane, in the Product licenses section select Edit.
5. Expand the user's Office 365 or Dynamics 365 license, disable access to the service called PowerApps for
Office 365 or PowerApps for Dynamics 365 and then select Save.

Bulk removal of licenses is also possible through PowerShell. See Remove licenses from user accounts with Office
365 PowerShell for a detailed example. Finally, further guidance about bulk removal of services within a license
can be found at Disable access to services with Office 365 PowerShell.
Removing the PowerApps license or service for a user in your organization will also result in the removal of the
PowerApps and Dynamics 365 icons from the following locations for that user:
Office.com
Office 365 AppLauncher “waffle”

How can I restrict my users' ability to access my organization's business data using PowerApps?
PowerApps allows you to create data zones for business and non-business data. Once these data
loss prevention policies are implemented, users are prevented from designing or running PowerApps that
combine business and non-business data. For more details, see Data loss prevention (DLP) policies.
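An added illustration of the rule above (not Microsoft's code and not part of the original page): a small Python model of a two-group DLP policy that flags apps whose connectors span both data groups. The policy contents, the app inventory and the default group for unclassified connectors are assumptions constructed for the example.

```python
"""Toy evaluator for a two-group DLP policy (constructed example, not product code)."""
from dataclasses import dataclass

BUSINESS = "business"
NON_BUSINESS = "non-business"


@dataclass(frozen=True)
class DlpPolicy:
    name: str
    classified: dict                    # connector name -> BUSINESS or NON_BUSINESS
    default_group: str = NON_BUSINESS   # assumption: where unlisted connectors land

    def group_of(self, connector):
        return self.classified.get(connector, self.default_group)


def evaluate(policy, connectors):
    """Split one app's connectors by data group; using both groups is a violation."""
    by_group = {BUSINESS: [], NON_BUSINESS: []}
    for name in sorted(set(connectors)):
        by_group[policy.group_of(name)].append(name)
    allowed = not (by_group[BUSINESS] and by_group[NON_BUSINESS])
    return {"allowed": allowed, **by_group}


def audit(policy, apps):
    """One finding (app, business connectors, non-business connectors) per blocked app."""
    findings = []
    for app, connectors in sorted(apps.items()):
        result = evaluate(policy, connectors)
        if not result["allowed"]:
            findings.append((app, result[BUSINESS], result[NON_BUSINESS]))
    return findings


def unclassified(policy, apps):
    """Connectors in use that the policy never lists and that rely on the default group."""
    used = {c for connectors in apps.values() for c in connectors}
    return sorted(used - set(policy.classified))


# Constructed sample policy and app inventory.
POLICY = DlpPolicy(
    "Tenant default",
    {"SharePoint": BUSINESS, "Office 365 Outlook": BUSINESS, "Twitter": NON_BUSINESS},
)
APPS = {
    "Expense approvals": ["SharePoint", "Office 365 Outlook"],
    "Social dashboard": ["Twitter", "Dropbox"],
    "Lead capture": ["SharePoint", "Twitter"],
    "Doc sync": ["SharePoint", "Dropbox"],
}

if __name__ == "__main__":
    for app, business, other in audit(POLICY, APPS):
        print(f"BLOCKED {app}: business={business} non-business={other}")
    print("relying on default group:", unclassified(POLICY, APPS))
```

The policy only blocks combinations: "Social dashboard" still runs because both of its connectors sit in the non-business group, and changing the default group changes which apps are blocked.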
Why did 10,000 licenses for Microsoft PowerApps show up in my Office 365 tenant?
As a qualifying organization, users in your organization are eligible to try out Microsoft PowerApps Plan 2 for 30
days, and these trial licenses represent the available capacity for new PowerApps users in your tenant. There is no
charge for these licenses. Specifically, there are two possible reasons why you may see a capacity of 10,000 (trial)
licenses for PowerApps showing up in the Office 365 admin portal:
If at least one user in your tenant participated in the PowerApps public preview that spanned from April
2016 to October 2016, then you will see 10,000 licenses labeled as "Microsoft PowerApps and Logic flows".

If at least one user in your tenant has signed up for a PowerApps Plan 2 trial by going through trial signup
Option 1 outlined in the How do users sign up for PowerApps section, then you will see 10,000 licenses
labeled "Microsoft PowerApps & Flow".
You can choose to assign additional licenses to users yourself through the Office 365 admin portal, but please note
that these are trial licenses for Microsoft PowerApps Plan 2 and they will expire after 30 days of being assigned to
a user.
Is this free? Will I be charged for these licenses?
These licenses are free trial licenses for your users to try out Microsoft PowerApps Plan 2 for 30 days.
How will this change the way I manage identities for users in my organization today?
If your organization already has an existing Office 365 environment and all users in your organization have Office
365 accounts, then identity management does not change.
If your organization already has an existing Office 365 environment but not all users in your organization have
Office 365 accounts, then we create a user in the tenant and assign licenses based on the user’s work or school
email address. This means that the number of users you are managing at any particular time will grow as users in
your organization sign up for the service.
If your organization does not have an Office 365 environment connected to your email domain, there is no change
in how you manage identity. Users will be added to a new, cloud-only user directory, and you will have the option
to take over as the tenant admin and manage them.
What is the process to manage a tenant created by Microsoft for my users?
If a tenant was created by Microsoft, you can claim and manage that tenant using the following steps:
1. Join the tenant by signing up for PowerApps using an email address domain that matches the tenant domain
you want to manage. For example, if Microsoft created the contoso.com tenant, then join the tenant with an
email address ending with @contoso.com.
2. Claim admin control by verifying domain ownership: once you are in the tenant, you can promote yourself to
the admin role by verifying domain ownership. To do so, follow these steps:
3. Go to https://admin.microsoft.com.
4. Select the app-launcher icon in the upper-left corner, and then choose Admin.
5. Read the instructions on the Become the admin page, and then choose Yes, I want to be the admin.

NOTE
If this option doesn’t appear, an Office 365 administrator is already in place.

If I have multiple domains, can I control the Office 365 tenant that users are added to?
If you do nothing, a tenant is created for each user email domain and subdomain.
If you want all users to be in the same tenant regardless of their email address extensions:
Create a target tenant ahead of time or use an existing tenant. Add all the existing domains and subdomains
that you want consolidated within that tenant. Then all the users with email addresses ending in those domains
and subdomains automatically join the target tenant when they sign up.

IMPORTANT
There is no supported automated mechanism to move users across tenants once they have been created. To learn about
adding domains to a single Office 365 tenant, see Add your users and domain to Office 365.
Purchase PowerApps for your organization
8/9/2019 • 2 minutes to read

This article shows you how to purchase PowerApps for your organization as an administrator. You can purchase
PowerApps through the PowerApps website directly, through the Microsoft 365 admin center, or through your
Microsoft representative or partner. This article will discuss the trial options available for PowerApps Plan 1 or
Plan 2 and then explain how to purchase PowerApps Plan 1 or Plan 2 as an organization. For more information,
see PowerApps in your organization Q&A.

NOTE
To purchase PowerApps for an organization, you must already be an Office 365 Global or Billing Admin of a tenant, or you
must create a tenant.

Choosing the right plan


For details about what licenses you can choose for your organization, see PowerApps licensing overview.

Purchase PowerApps directly


You can purchase PowerApps subscriptions for your organization from powerapps.microsoft.com and then assign
PowerApps licenses to your users. Learn more.
1. Open powerapps.microsoft.com, and then select Pricing.
2. Select Buy now for the plan you want.

3. Provide information to make the purchase, and then navigate to the Microsoft 365 admin center to assign
PowerApps licenses to your users.

Get PowerApps through Office 365


You can purchase PowerApps subscriptions for your organization from the Microsoft 365 admin center and then
assign PowerApps licenses to your users. Learn more.
Purchase a subscription trial
1. Browse to the Microsoft 365 admin center.
2. On the left navigation pane, select Billing -> Subscriptions.
3. Select + Add subscriptions on the right side.
4. Under Other Plans, hover over the ellipsis (...) for the plan you want, and then select Start free trial.

5. On the confirmation screen, select Try now.


Under Billing -> Subscriptions, you will see Microsoft PowerApps Plan 1 Trial or Microsoft
PowerApps Plan 2 Trial listed with 100 licenses available. Your free trial will cover 90 days.
Purchase a subscription
1. Browse to the Microsoft 365 admin center.
2. On the left navigation pane, select Billing -> Subscriptions.
3. Select + Add subscriptions on the right side.
4. Under Other Plans, hover over the ellipsis (...) for the plan you want, and then select Buy now.

5. Enter the number of licenses you would like to add, and then select Check out now or Add to cart.

NOTE
You can add more licenses later if needed.

6. Enter the needed information in the Checkout flow,


Under Billing -> Subscriptions, you will see Microsoft PowerApps Plan 1 or Microsoft PowerApps
Plan 2 listed. If you decide later that you want to add more licenses, go back to Add subscriptions and
then select Change license quantity.

Add-ons
These are not supported yet.
See also
PowerApps in your organization Q&A
Self-service sign up for PowerApps
FAQs and more information
8/29/2019 • 3 minutes to read

[This topic is pre-release documentation and is subject to change.]

NOTE
For information about licensing changes coming to PowerApps and Microsoft Flow in October 2019, see PowerApps and
Microsoft Flow licensing FAQs for October 2019.

We have found some common questions on licensing and plan options. We’ve included several here with their
answers. However, if you need more details, you can find them for PowerApps plans here
https://powerapps.microsoft.com/en-us/pricing/ and for Microsoft Flow plans here
https://flow.microsoft.com/en-us/pricing/. For additional information on the mechanics of managing users, please refer to: Manage PowerApps
licenses in your organization.

PowerApps Pricing FAQ


Which Microsoft Office 365 plans include PowerApps?
See the PowerApps Licensing overview page for the list of Office 365 plans that include PowerApps capabilities.
Which Microsoft Dynamics 365 apps and plans include PowerApps?
See the Licenses section for the list of Dynamics 365 apps and plans that include PowerApps capabilities.
Can I connect to Microsoft Dynamics for Finance and Operations?
Yes, you can use the Dynamics 365 for Finance and Operations connector to build canvas apps using this data.
How long is the free trial period?
Free trials last 30 days.
Is there a plan for developers?
Yes, we have a free Community Plan to learn and build skills on PowerApps, Microsoft Flow and Common Data
Service. Learn more.
What happens when I use all the data storage, file storage, and flow runs included in my per user licenses?
You can buy additional data storage, file storage and flow runs. See the PowerApps Licensing overview page for
more information.
Where can I find more information about pricing?
Find more detailed Q&A and answers in our pricing documentation page.
Who can buy PowerApps Plan 1 or Plan 2?
Any customer can sign up for a free trial. Office 365 admins can buy PowerApps plans for their teams or
organization. Contact your Office 365 admin when you’re ready to buy.
Do all my users need to be licensed with the same PowerApps plan, or can I mix plans?
You can mix and match PowerApps licenses, and licenses that include PowerApps capabilities, across the users in
your organization. For example, if there are 100 users in your organization, 50 may be licensed with Office 365, 20
with Dynamics plans, 25 with PowerApps Plan 1, and 5 with PowerApps Plan 2. Compare the features in each plan
to choose the mix that meets your team’s or organization’s needs.
Microsoft Flow Pricing FAQ
Which Dynamics 365 plans include Microsoft Flow?
These Dynamics 365 applications include the 'Microsoft Flow for Dynamics 365' plan:
Dynamics 365 Enterprise Sales
Dynamics 365 Enterprise Field Service
Dynamics 365 Enterprise Marketing
Dynamics 365 Enterprise Customer Service
Dynamics 365 Enterprise Project Service Automation
Dynamics 365 Enterprise Operations
Dynamics 365 Business Edition Financials
These Dynamics 365 plans include 'Microsoft Flow Plan 2':
Dynamics 365 Enterprise, Plan 2
Dynamics 365 Enterprise, Plan 1
Dynamics 365 Business Edition Plan
Flow for Dynamics 365 is also included in existing CRM Online Enterprise, Professional, Basic, and Essential
subscriptions.
Compare plans
How long is the free trial period?
Free trials are 90 days long.
Is there a way to develop my Microsoft Flow skills for more than 90 days?
Yes, with the PowerApps Community Plan you get a free environment for individual use with functionality
including the Common Data Service. In this environment you can explore and learn everything about Microsoft
Flow and PowerApps for free, but the PowerApps Community Plan is not intended for production use.
Learn more
Which Office 365 plans include Microsoft Flow?
These Office 365 plans include the 'Microsoft Flow for Office 365' plan:
Office 365 Business Essentials
Office 365 Business Premium
Office 365 Education
Office 365 Education Plus
Office 365 Enterprise E1*
Office 365 Enterprise E3*
Office 365 Enterprise E5
*Office 365 Enterprise E2 includes the same capabilities as Office 365 Enterprise E1, and Office 365 Enterprise E4
includes the same capabilities as Office 365 Enterprise E3.
Office 365 Enterprise F1 includes the same capabilities as Flow Free, but an SLA is available and the number of
flow runs is aggregated across all users in the company.
Compare plans
Are the flow runs included in the per user licenses limited to the licensed user?
Flow runs included in Microsoft Flow Free can only be used by the licensed user. Flow runs included in the Office
365, Dynamics 365, Microsoft Flow Plan 1 and Plan 2 are pooled across all users in the company.
What happens when I use all the flow runs included in my per user licenses?
You can buy more flow runs in increments of 50,000 flow runs per month.
Security in Common Data Service
6/21/2019 • 2 minutes to read

This section provides information on how Common Data Service, the underlying data platform for PowerApps,
handles security from user authentication to authorization that allows users to perform actions with data and
services. Conceptually, security in Common Data Service is there to ensure users can do the work they need to do
with the least amount of friction, while still protecting the data and services. Security in Common Data Service can
be implemented as a simple security model with broad access all the way to highly complex security models where
users have specific record and field level access.
The following is a high-level overview of how the security model is implemented in Common Data Service.
Users are authenticated by Azure Active Directory (Azure AD).
Licensing is the first control-gate to allowing access to PowerApps components.
Ability to create applications and flows is controlled by security roles in the context of environments.
A user’s ability to see and use apps is controlled by sharing the application with the user. Sharing of canvas apps
is done directly with the user or Azure AD group. Sharing of model-driven apps is done via Common Data
Service security roles.
Environments act as security boundaries allowing different security needs to be implemented in each
environment.
Flows and Canvas apps use connectors; the specific connection's credentials and associated service entitlements
determine permissions when apps use the connectors.
Environments with Common Data Service add support for more advanced security models that are specific to
controlling access to data and services in the Common Data Service instance.
Related topics
What is Common Data Service?
Security concepts in Common Data Service
Controlling access to Common Data Service
6/19/2019 • 2 minutes to read

Common Data Service relies on Azure Active Directory (Azure AD) for authentication. This means that you can
leverage the full functionality of Azure AD to manage and restrict access to users. This includes using Conditional
Access Policies and other premium features of Azure AD. Developers can also register applications with Azure AD
and use the OAuth 2.0 authorization framework to allow their code to access the platform APIs.
External users from other Azure AD tenants can be added as Business Guests in your Azure AD. They can be
configured to work with some limitations with model-driven apps. Business Guests are not supported currently for
canvas apps and Microsoft Flow. Other external users beyond the capability of Business Guests, including Azure
B2C, are not currently supported.
Related topics
What is Common Data Service?
Security concepts in Common Data Service
Developers: Authentication with Common Data Service web services
Security concepts in Common Data Service
6/19/2019 • 8 minutes to read

One of the key features of Common Data Service is its rich security model that can adapt to many business usage
scenarios. This security model is only in play when there is a Common Data Service database in the environment.
As an administrator, you likely won't be building the entire security model yourself, but will often be involved in the
process of managing users and making sure they have the proper configuration as well as troubleshooting
security access related issues.

Role based security


Common Data Service uses role-based security to group together a collection of privileges. These security roles
can be associated directly to users, or they can be associated with Common Data Service teams and business units.
Users can then be associated with the team, and therefore all users associated with the team will benefit from the
role. A key concept of Common Data Service security to understand is that all privilege grants are accumulative, with
the greatest amount of access prevailing. Simply put, if you gave broad organization-level read access to all contact
records, you can’t go back and hide a single record.

Business Units
Business units work in conjunction with security roles to determine the effective security that a user has. Business
units are a security modeling building block that helps in managing users and the data they can access. Business
units define a security boundary. Every Common Data Service database has a single root business unit.
You can create child business units to help further segment your users and data. Every user assigned to a
Common Data Service instance will belong to a business unit. While business units could be used to model a
true organization hierarchy 1:1, more often they simply define the security boundaries that the security
model needs.
To better understand, let's look at the following example. We have three business units. Woodgrove is the root
business unit and will always be at the top; that is unchangeable. We have created two other child business units, A
and B. Users in these business units have very different access needs. When we associate a user with this
Common Data Service instance, we can set the user to be in one of these three business units. Where the user is
associated determines which business unit owns the records that the user is the owner of. That
association allows us to tailor a security role so that the user can see all records in that business unit.

Entity/Record Ownership
Common Data Service supports two types of record ownership: Organization owned, and User or Team owned.
This choice is made at the time the entity is created and can't be changed. For security purposes, for records
that are organization owned, the only access level choice is whether the user can perform the operation or can't. For
user and team owned records, the access level choices for most privileges are tiered: Organization, Business Unit,
Business Unit and Child Business Unit, or only the user's own records. That means that for the read privilege on contact, I
could set user owned, and the user would only see their own records.
To give another example, let's say User A is associated with Division A, and we give them Business Unit level Read
access on Contact. They would be able to see Contact #1 and #2 but not Contact #3.
When you configure or edit security role privileges you are setting the access level for each option. The following
is an example of the Security Role privilege editor.

In the above you can see the standard privilege types for each entity Create, Read, Write, Delete, Append, Append
To, Assign and Share. You can edit each of these individually. The visual display of each will match the key below as
to what level of access you have granted.

In the above example, we have given organization level access to Contact, which means that the user in Division A
could see and update contacts owned by anyone. In fact, one of the most common administrative mistakes is
getting frustrated with permissions and just over-granting access. Very quickly a well-crafted security model starts
looking like Swiss cheese (full of holes!).

Teams
Teams are another important security building block. Teams are owned by a Business Unit. Every Business Unit
has one default team that is automatically created when the Business Unit is created. The default team members
are managed by Common Data Service and always contain all users associated with that Business Unit. You can't
manually add or remove members from the default team; they are dynamically adjusted by the system as new
users are associated with or disassociated from business units. There are two types of teams: owning teams and access
teams. Owning teams can own records, which gives any team member direct access to that record. Users can be
members of multiple teams. This makes teams a powerful way of granting permissions to users in a broad way
without micromanaging access at the individual user level. Access teams are discussed below as part of Record
Sharing.

Record Sharing
Individual records can be shared on a one-by-one basis with another user. This is a powerful way of handling
exceptions that don't fall into the record ownership or member of a business unit access model. It should be an
exception, though, because it is a less performant way of controlling access. Sharing is tougher to troubleshoot
because it is not a consistently implemented access control. Sharing can be done at both the user and team level.
Sharing with a team is a more efficient way of sharing. A more advanced concept of sharing is Access Teams,
which provide auto creation of a team and sharing of record access with the team based on an Access Team
Template (template of permissions) that is applied. Access teams can also be used without the templates, with
just manual add/remove of their members. Access teams are more performant because they don't allow owning
records by the team or having security roles assigned to the team. Users get access because the record is shared
with the team and the user is a member.
Record level security in Common Data Service
You might be wondering: what determines access to a record? That sounds like a simple question, but for any
given user it is the combination of all their security roles, the business unit they are associated with, the teams they
are members of, and the records that are shared with them. The key thing to remember is that all access is accumulative
across all those concepts in the scope of a Common Data Service database instance. These entitlements are only
granted within a single database and are individually tracked in each Common Data Service database. This all, of
course, requires that they have an appropriate license to access Common Data Service.
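The accumulation described above can be modelled in a few lines. This is an added example, not code from Common Data Service: the class names, the owners of Contact #1 to #3, the "Deal team" access team and the rule that a team's role is evaluated against the team's own business unit are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Depth(IntEnum):
    """Access levels for user- or team-owned entities, narrowest first."""
    NONE = 0
    USER = 1           # only records the principal owns
    BUSINESS_UNIT = 2  # records owned in the principal's business unit
    PARENT_CHILD = 3   # that business unit and its child business units
    ORGANIZATION = 4   # every record in the database


# Constructed business-unit tree (child -> parent); Woodgrove is the root.
PARENT = {"Woodgrove": None, "Division A": "Woodgrove", "Division B": "Woodgrove"}


@dataclass
class Role:
    name: str
    grants: dict  # (entity, privilege) -> Depth


@dataclass
class Principal:  # a user, or a team the user is a member of
    name: str
    business_unit: str
    roles: list = field(default_factory=list)
    teams: list = field(default_factory=list)  # used for users only


@dataclass
class Record:
    entity: str
    name: str
    owner: str       # name of the owning user or owning team
    owner_unit: str  # business unit of that owner
    shared_with: dict = field(default_factory=dict)  # principal -> {privileges}


def in_unit_or_child(unit, ancestor):
    """True when `unit` is `ancestor` or sits below it in the tree."""
    while unit is not None:
        if unit == ancestor:
            return True
        unit = PARENT[unit]
    return False


def grant_covers(depth, holder, record):
    """Does a grant of this depth, held by `holder`, reach the record?"""
    if depth == Depth.ORGANIZATION:
        return True
    if depth == Depth.PARENT_CHILD:
        return in_unit_or_child(record.owner_unit, holder.business_unit)
    if depth == Depth.BUSINESS_UNIT:
        return record.owner_unit == holder.business_unit
    if depth == Depth.USER:
        return record.owner == holder.name
    return False


def explain_access(user, privilege, record):
    """List each grant giving `user` the privilege; one is enough (no deny exists)."""
    reasons = []
    for holder in [user, *user.teams]:
        for role in holder.roles:
            depth = role.grants.get((record.entity, privilege), Depth.NONE)
            if grant_covers(depth, holder, record):
                reasons.append(f"role {role.name!r} via {holder.name} ({depth.name})")
        if privilege in record.shared_with.get(holder.name, set()):
            reasons.append(f"shared with {holder.name}")
    return reasons


def demo():
    """Constructed data mirroring the Division A / Division B example."""
    bu_read = Role("BU reader", {("contact", "Read"): Depth.BUSINESS_UNIT})
    user_a = Principal("User A", "Division A", roles=[bu_read])
    contacts = [
        Record("contact", "Contact #1", "User A", "Division A"),
        Record("contact", "Contact #2", "User B", "Division A"),
        Record("contact", "Contact #3", "User C", "Division B"),
    ]
    before = [bool(explain_access(user_a, "Read", c)) for c in contacts]
    # Exception by sharing: Contact #3 is shared with a role-less access team.
    user_a.teams.append(Principal("Deal team", "Division B"))
    contacts[2].shared_with["Deal team"] = {"Read"}
    shared = explain_access(user_a, "Read", contacts[2])
    # Over-granting: one organization-level role now exposes every contact.
    user_a.roles.append(Role("Org reader", {("contact", "Read"): Depth.ORGANIZATION}))
    after = [explain_access(user_a, "Read", c) for c in contacts]
    return before, shared, after


if __name__ == "__main__":
    print(demo())
```

Listing the reasons rather than returning a bare yes or no is what makes the model useful for troubleshooting: removing one grant only revokes access if no other reason remains.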
Field Level Security in Common Data Service
Sometimes record level control of access is not adequate for some business scenarios. Common Data Service has
a field level security feature to allow more granular control of security at the field level. Field level security can be
enabled on all custom fields and most system fields. Most system fields that include personally identifiable
information (PII) are capable of being individually secured. Each field's metadata defines if that is an available
option for the system field.
Field level security is enabled on a field-by-field basis. Access is then managed by creating a Field Security Profile.
The profile contains all fields that have field level security enabled and the access granted by that specific profile.
Each field can be controlled within the profile for Create, Update and Read access. Field Security Profiles are then
associated with a user or Teams to grant those privileges to the users on the records they already have access to.
It's important to note that Field Level Security has nothing to do with Record Level security; a user must already
have access to the record for the Field Security Profile to grant them any access to the fields. Field level security
should be used as needed and not excessively, as it can add overhead that is detrimental if overused.
Managing Security Across Multiple Environments
Security roles and Field Security Profiles can be packaged up and moved from one environment to the next using
Common Data Service solutions. Business Units and Teams must be created and managed in each Common Data
Service environment along with the assignment of users to the necessary security components.
Configuring Users Environment Security
Once roles, teams and business units are created in an environment, it is time to assign the users their security
configurations. First, when you create a user you will associate the user with a business unit. By default, this is the
root business unit in the organization. They are also added to the default team of that business unit.
In addition, you would assign any security roles that user needs. You would also add them as members of any
teams. Remember teams can also have security roles, so the effective rights of the user are the combination of
directly assigned security roles and those of any teams they are members of. Security is always additive,
offering the least restrictive permission of any of their entitlements. The following is a good walkthrough of
configuring environment security.
If you have used Field Level security, you would need to associate the user or a team of the user to one of the Field
Security Profiles you created.
Security is a complex topic and is best accomplished as a joint effort between the application makers and the team
administering the users' permissions. Any major changes should be coordinated well in advance of deploying the
changes into the environment.
Related topics
Configure environment security
System and application users
7/27/2019 • 2 minutes to read

There is a list of special system and application users that is created when the system is provisioned. Special system
users are created for integration and support scenarios. Application users are created during system provisioning
for setup and configuration management. Application users can also be used for performing back-end services.
Most of these users are hidden from user views, but they can be found by using Advanced Find on the Users
entity. Do not delete or modify these users, including changing or reassigning their security roles.

USER TYPE | FULL NAME | USER NAME | PURPOSE | SECURITY ROLE ASSIGNED

System | SYSTEM | n/a | See below | n/a

 | Support user | [email protected] | To allow Microsoft support staff to have restricted/limited access to any customer environment for customer support | Support user (does not have privilege to customer data)

 | Delegated admin | [email protected] | See For partners: the Delegated admin | System admin

Application | Business Application Platform Service account | [email protected] | To setup PowerApps system and configurations | System admin

 | PowerApps Checker Application | Pacheckerapp@microsoft.com | To perform static analysis of PowerApps solutions to assist in identifying performance and stability risks | Export customization and Solution checker

The purpose of the system account?


The System user is a built-in user account that is used to allow customers to perform system updates via plug-
ins.
The primary usage of this user account is to meet special business requirements that require elevation of
privileges; for example, running background processes to integrate with other applications.
It can also be used to handle rollup scenarios where individual users do not have the required privilege. For
example, the priority of a Case is automatically set to the highest priority of an individual user’s tasks and
individual users can only update their own task priority but not the Case priority.
Technical details on permissions?
This user account can perform any actions and has all system privileges.
Records created/updated by this user account are audited.
Technical details on the security?
This user account cannot sign in to Customer Engagement apps.
Administrators have the option to use this user account when registering their plug-ins.
This user account does not have a mailbox, so they cannot be used to send or receive emails.
The details of this user account cannot be modified from the User Form interface.
This user account does not show up in any views.
Configure environment security
6/7/2019 • 5 minutes to read

Common Data Service uses a role-based security model to help secure access to the database. This topic
explains how to create the security artifacts that you must have to help secure an app. The user roles control run-
time access to data and are separate from the Environment roles that govern environment administrators and
environment makers. For an overview of environments, see Environments overview.

Assign security roles to users


Security roles control a user’s access to data through a set of access levels and permissions. The combination of
access levels and permissions that are included in a specific security role sets limits on the user’s view of data
and on the user’s interactions with that data.
To assign a user to an environment role, an Environment Admin can take these steps in the PowerApps Admin
center:

NOTE
Currently, roles can only be assigned to users. Please check back for when assigning a role to a security group is available.

1. Select the environment in the environments table.

2. Select Security tab.


3. Check whether the user already exists in the environment by selecting view the list of users in the
environment.

4. If the user doesn't exist, you can add the user from the PowerApps Admin center. Add the user by
entering the email address of the user in your organization, and selecting Add user.
Wait for a few minutes to check if the user is available in the list of users in the environment.
5. Select the user from the list of users in the environment.

6. Assign the role to the user.

7. Select OK to update the assignments to the environment role.

Predefined security roles


The PowerApps environment includes predefined security roles that reflect common user tasks with access
levels defined to match the security best-practice goal of providing access to the minimum amount of business
data required to use the app.

SECURITY ROLE | *DATABASE PRIVILEGES | DESCRIPTION

System Administrator | Create, Read, Write, Delete, Customizations, Security Roles | Has full permission to customize or administer the environment, including creating, modifying, and assigning security roles. Can view all data in the environment. More information: Privileges required for customization

System Customizer | Create (self), Read (self), Write (self), Delete (self), Customizations | Has full permission to customize the environment. However, can only view records for environment entities that they create. More information: Privileges required for customization

Environment Maker | Customizations | Can create new resources associated with an environment including apps, connections, custom APIs, gateways, and flows using Microsoft Flow. However, does not have any privileges to access data within an environment. More information: Environments overview

Common Data Service User | Read (self), Create (self), Write (self), Delete (self) | Can run an app within the environment and perform common tasks for the records that they own. Note: this only applies to non-custom entities. See Create or configure a custom security role.

Delegate | Act on behalf of another user | Allows code to run as another user or impersonate. Typically used with another security role to allow access to records. More information: Impersonate another user

*Privilege is global scope unless specified otherwise.


The Environment Maker role can not only create resources within an environment, but can also distribute
the apps they build in an environment to other users in your organization. They can share the app with
individual users. For more information, see Share an app in PowerApps.
Users who make apps that connect to the database and who need to create or update entities
and security roles should be assigned the System Customizer role in addition to the Environment Maker
role, because the Environment Maker role has no privileges on the database.

Create or configure a custom security role


If your app uses a custom entity, its privileges must be explicitly granted in a security role before your app can be
used. You can either add these privileges in an existing security role or create a custom security role. There are a
set of minimum privileges that are required in order for the new security role to be used - see Minimum
privileges to run app.

TIP
If you want to create a custom security role with the minimum required privileges to run an app, check out the section
below: Minimum privileges to run app.

The environment might maintain records that are used by multiple apps, so you might need multiple
security roles to access the data with different privileges. For example:
Some of the users (Type A) might only need to read, update, and attach other records, so their security role
will have read, write, and append privileges.
Other users might need all the privileges that users of Type A have, plus the ability to create, append to, delete,
and share, so their security role will have create, read, write, append, delete, assign, append to, and share
privileges.
For more information about access and scope privileges, see Security roles.
1. In PowerApps Admin center select the environment where you want to update a security role.
2. Click on the Dynamics 365 Administration Center link in the Details tab to manage the environment
in the Dynamics 365 admin center.
3. Select the instance (with the same name of environment) and select Open.

4. If you see published apps and tiles, look in the upper-right corner and select the Gear icon. Then
select Advanced settings.
5. In the menu bar, select Settings > Security.

6. Select Security roles.

7. Select New.
8. From the security role designer, enter a role name in the Details tab. From the other tabs, you'll select the
actions and the scope for performing that action.
9. Select a tab and search for your entity; for example - Custom Entities tab, for setting permissions on a
custom entity.
10. Select the privileges Read, Write, Append.
11. Select Save and Close.

Minimum privileges to run app


When you create a custom security role, you need to include a set of minimum privileges into the security role in
order for a user to run an app. We've created a solution you can import that provides a security role with the
required minimum privileges.
Start by downloading the solution from the Download Center: Common Data Service minimum privilege
security role.
Then, follow the directions to import the solution: Import, update, and export solutions.
When you import the solution, it creates the min prv apps use role which you can copy (see: Create a security
role by Copy Role). When Copying Role is complete, navigate to each tab - Core Records, Business
Management, Customization, etc - and set the appropriate privileges.

IMPORTANT
You should try out the solution in a development environment before importing into a production environment.
Control user access to environments: security groups and licenses
8/6/2019 • 3 minutes to read

If your company has multiple Common Data Service environments, you can use security groups to control which
licensed users can be a member of a particular environment.
Consider the following example scenario:

ENVIRONMENT | SECURITY GROUP | PURPOSE

Coho Winery Sales | Sales_SG | Provide access to the environment that creates sales opportunities, handles quotes, and closes deals.

Coho Winery Marketing | Marketing_SG | Provide access to the environment that drives marketing efforts through marketing campaigns and advertising.

Coho Winery Service | Marketing_SG | Provide access to the environment that processes customer cases.

Coho Winery Dev | Developer_SG | Provide access to the Sandbox environment used for development and testing.

In this example, four security groups provide controlled access to a specific environment.
Note the following about security groups:
When users are added to the security group, they are added to the Common Data Service environment.
When users are removed from the group, they are disabled in the Common Data Service environment.
When a security group is associated with an existing environment with users, all users in the environment
that are not members of the group will be disabled.
If a Common Data Service environment does not have an associated security group, all users with a
Common Data Service license (Customer Engagement, Microsoft Flow, PowerApps, etc.) will be created as
users and enabled in the environment.
If a security group is associated with an environment, only users with Common Data Service licenses that
are members of the environment security group will be created as users in the Common Data Service
environment.
Removing a security group from an environment is currently not supported.
When you assign a security group to an environment, that environment will not show up in
home.dynamics.com for users not in the group.
If you do not assign a security group to an environment, the environment will show up in
home.dynamics.com even for those who have not been assigned a security role in that Common Data
Service environment.
If you do not specify a security group, all users who have a Common Data Service license, (Customer
Engagement, Flow, PowerApps, etc.) will be added to the new environment.
You cannot yet make security groups members of other security groups. Check back for availability of
support for nested security groups.

NOTE
All licensed users, whether or not they are members of the security groups, must be assigned security roles to access
environments. You assign the security roles in the Customer Engagement web application. Users can’t access environments
until they are assigned at least one security role for that environment. For more information, see Configure environment
security.

Create a security group and add members to the security group


1. Sign in to the Microsoft 365 admin center.
2. Select Groups > Groups.
3. Select + Add a group.
4. Change the type to Security group, add the group Name and Description. Select Add > Close.
5. Select the group you created, and then next to Members, select Edit.
6. Select + Add members. Select the users to add to the security group, and then select Save > Close several
times to return to the Groups list.
7. To remove a user from the security group, select the security group, next to Members, select Edit. Select -
Remove members, and then select X for each member you want to remove.

NOTE
If the users you want to add to the security group are not created, create the users and assign to them the Common Data
Service licenses.
To add multiple users, see: bulk add users to Office365 groups.

Create a user and assign license


1. In the Microsoft 365 admin center, select Users > Active users > + Add a user. Enter the user information,
select licenses, and then select Add.
More information: Add users individually to Office 365 - Admin Help
Associate a security group with a Common Data Service environment
1. Sign in to the Power Platform Admin center at https://admin.powerplatform.microsoft.com as an admin
(Dynamics 365 Service admin, Office 365 Global admin, or Delegated admin).
2. In the navigation pane, select Environments, select an environment, and then select Edit.
3. In the Settings page, select Edit.

4. Select a security group, select Done, and then select Save.

The security group is associated with the environment.


Data loss prevention policies
3/22/2019 • 7 minutes to read

[This topic is pre-release documentation and is subject to change.]


Your organization’s data is likely one of the most important assets you are responsible for safeguarding as an
administrator. The ability to build apps and automation that uses the data allows your company to be successful.
PowerApps and Microsoft Flow allow rapid build and rollout of these high value applications that allow users to
measure and act on the data in real time. Applications and automation are increasingly becoming more connected
across multiple data sources and multiple services. Some of these services might be external 3rd party services
and might even include some social networks. Users will often have good intentions but might overlook the
potential for exposure from data leakage to services and audiences that shouldn’t have access to the data.
Administrators can create Data Loss Prevention (DLP) policies that help protect organizational data from unintended
exposure. They can act as guardrails to help prevent users from unintentionally exposing the
data. DLP policies can be scoped at the environment and tenant level, offering flexibility to craft policies that are
sensible and do not block high productivity.
DLP policies enforce rules of what connectors can be used together by classifying connectors as either Business
Data only or No Business Data allowed. Simply put, if you put a connector in the business data only group, it can only
be used with other connectors from that group in the same app. Keep reading and we will cover some scenarios for
using this later in this section.

What policies do we already have?


From the PowerApps Admin Center (admin.powerapps.com) you can see the current policies you have in place in
your tenant. This should be your first stop as a new administrator to understand what is currently active.

Creating new DLP Policies


When you create a new DLP policy you first decide on the scope. If you are only an environment administrator, you
will see a selection to choose one of your environments to associate with the DLP policy. If you are a tenant
administrator you will have the ability to apply to All Environments, Selected Environments or All Environments
EXCEPT.
For the process to create a DLP policy, see Create a data loss prevention (DLP) policy.
Environment-only admins do have the ability to view policies created by tenant admins to understand what might
apply to their environment.
One thing to consider is that environment-specific policies can't override tenant-wide DLP policies. For example, if
you only allow use of Common Data Service connectors in an environment, an individual user that is only an
environment admin can't override that policy to allow social network connectors to be used.

Configuring connectors for a DLP policy


By default, all connectors are considered part of the No business data allowed list and no connectors are included
in the business data only group. This effectively means that all connectors can be used with other connectors.

When new connectors are added they are added to the Default category which is No business data allowed. If you
would prefer you can change which category is considered the default, and then all new connectors will be
classified in that category by default.

Typically, though, most companies will want to treat new connectors as No business data allowed until they
evaluate whether it is appropriate to use them with what they have classified as business data.
Let's look at an example in which we create a new tenant-wide DLP policy that has just the Common Data Service
added to Business data only and all others in No business data allowed. Let's look at a few application examples and
the outcome of this policy.
CONNECTORS USED IN APPLICATION OR FLOW | IMPACT OF DLP

SharePoint and OneDrive | This would be allowed

Common Data Service | This would be allowed

Common Data Service and SharePoint | This would not be allowed

SharePoint and Twitter | This would be allowed

SharePoint, Twitter and Common Data Service | This would not be allowed

Users accessing a PowerApp or Flow impacted by the DLP policy will see a message informing of the DLP policy
conflict. As an administrator you should have a process and plan in place to handle these types of support needs if
you are using DLP policies.

One thing to keep in mind, DLP policies created for a connector do not understand that that connector could be
configured to talk to Dev, Test and Production, etc. When you configure a DLP policy it is all or nothing. So, if you
want to allow Dynamics 365 connector to talk to a test database in the test environment, but not allow it to connect
to the production database in that same test environment, then DLP policies won’t help you restrict that. Another
way to say the same thing, is DLP policies are Connector aware, but do not control the connections that are made
using the connector.
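The grouping rule, the three tenant scopes and the "environment policies can't override tenant-wide policies" rule can be checked against the table above with a small model. This is an added example, not a Power Platform API: the class, the environment names "Dev sandbox" and "Enterprise apps" and the second policy are constructed, and it assumes every in-scope policy is evaluated independently and an app must pass all of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DlpPolicy:
    name: str
    business_only: frozenset          # connectors in "Business data only"
    scope: str = "all"                # "all", "selected" or "all_except"
    environments: frozenset = frozenset()

    def applies_to(self, environment):
        if self.scope == "all":
            return True
        if self.scope == "selected":
            return environment in self.environments
        if self.scope == "all_except":
            return environment not in self.environments
        raise ValueError(f"unknown scope: {self.scope}")

    def conflict(self, connectors):
        """Return the (business, non-business) split if the app mixes groups."""
        used = set(connectors)
        business = used & self.business_only
        other = used - self.business_only  # the rest is "No business data allowed"
        return (sorted(business), sorted(other)) if business and other else None


def blocking_policies(policies, environment, connectors):
    """Names of every in-scope policy the app or flow conflicts with.

    Modelling assumption: each in-scope policy is checked on its own and the
    app must pass all of them, so an environment policy can add restrictions
    but cannot lift one set by a tenant-wide policy.
    """
    return [p.name for p in policies
            if p.applies_to(environment) and p.conflict(connectors)]


CDS = "Common Data Service"
# Tenant-wide policy from the text: only Common Data Service is business data.
# The "all except" scope and the excluded environment are constructed.
TENANT = DlpPolicy("Tenant default", frozenset({CDS}), scope="all_except",
                   environments=frozenset({"Enterprise apps"}))
# Constructed environment policy that tries to pair Twitter with CDS.
ENV = DlpPolicy("Sandbox policy", frozenset({CDS, "Twitter"}),
                scope="selected", environments=frozenset({"Dev sandbox"}))

# The five connector combinations from the table above.
TABLE = [
    ["SharePoint", "OneDrive"],
    [CDS],
    [CDS, "SharePoint"],
    ["SharePoint", "Twitter"],
    ["SharePoint", "Twitter", CDS],
]


def table_outcomes(environment="Dev sandbox"):
    """True = allowed, False = not allowed, per row under the tenant policy."""
    return [not blocking_policies([TENANT], environment, row) for row in TABLE]


if __name__ == "__main__":
    for row, ok in zip(TABLE, table_outcomes()):
        print(f"{' + '.join(row):50} {'allowed' if ok else 'not allowed'}")
    # The environment policy does not re-allow what the tenant policy blocks.
    print(blocking_policies([TENANT, ENV], "Dev sandbox", [CDS, "Twitter"]))
    # The excluded environment is outside both policies' scope.
    print(blocking_policies([TENANT, ENV], "Enterprise apps", [CDS, "Twitter"]))
```

The model only sees connector names, which mirrors the limitation in the preceding paragraph: nothing in a policy distinguishes a connection to a test database from a connection to production.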

Strategies for creating DLP policies


As an administrator taking over an environment or starting to support use of PowerApps and Microsoft Flow, DLP
policies should be something you evaluate and create within the first 30 days. This ensures a base set of policies
are in place before too many users start creating connections that might violate your policies.
For smaller environments where the users are highly capable and are trusted, you could start out with no DLP
policies, taking only the default options. This is the most flexible option and can be changed at any time. Keep in
mind that introducing more restrictive policies later could conflict with existing assets. These conflicts could have
business impact when existing apps and flows stop working until either the app or flow is brought into compliance
or the DLP policy is relaxed.
For larger environments it is recommended that you have a plan in place for DLP policies. It is best to do this in
conjunction with your plan for managing environments in your organization. While there is an endless
combination of connectors you might have in your own environment, we will be using an example that you can
tailor to fit your own needs. Let's set up a framework for a generic DLP policy template that could apply to many
organizations, only modifying it for some of their specific needs.
First, let’s look at our environment setup and assumptions. The following are the environments we are expecting to
manage in our organization.

ENVIRONMENT | EXPECTED USE / POLICY

Contoso – Default | This is the default environment, and anyone can create apps and flows in it

Contoso Enterprise Apps | This is a Production environment with applications managed with formal review before being promoted here. This could also be more business unit aligned e.g. Marketing, Finance etc.

Community Plan Environments (0…N) | These will be automatically created by any users in our org that sign up for the free Community Plan

User Owned Environments (0…N) | These are Production or Trial Environments created by users with full P2 licenses or with Trial P2 licenses

We are now going to design a tenant-wide default DLP policy. Our goal is to ensure that, as people create their own
environments and test and explore, they minimize mixing of core business data without us first working with them.
Our goal is to apply this default global policy to all environments except Contoso Enterprise Applications, which we
are going to manage by a separate DLP policy.

We have identified the following connectors as our initial set of business only data allowed connectors (remember
you can always add to this list at any time!).

With this policy in place any use outside of those business connectors will need to have exceptions handled and we
will cover that shortly.
For Contoso Enterprise Application environment since we excluded it from our policy we have two choices. We can
either leave it wide open since we only deploy to it trusted applications that we as administrators install and
configure or we establish a DLP policy for it to match its application needs. The following new DLP policy shows
how we would create a DLP specific for that environment.

The following is an example that might look like a super set of our global one – notice it includes some social
network and 3rd party connectors – but since these are all trusted apps and flows that is ok.

Now with this in place, you need a plan on how to handle exceptions. You really have three choices:
1. Deny the request
2. Add the connector to the default DLP policy
3. Add the users’ environments to the All Except list for the Global default DLP and create a user specific DLP
policy with the exception included.
Hopefully that helps you understand how you might apply DLP policies in your organization. These are just some
of the many options you could configure with DLP policies.
Create a data loss prevention (DLP) policy
3/12/2019 • 2 minutes to read

To protect data in your organization, PowerApps lets you create and enforce policies that define which consumer
connectors specific business data can be shared with. These policies that define how data can be shared are
referred to as data loss prevention (DLP) policies. DLP policies ensure that data is managed in a uniform manner
across your organization, and they prevent important business data from being accidentally published to
connectors such as social media sites.
In this topic, you'll learn how to create a DLP policy for a single environment that prevents data that's stored in
your Common Data Service and SharePoint databases from being published to Twitter.

Prerequisites
To follow the steps, one of the following items is required:
Azure Active Directory Tenant Admin permissions
Office 365 Global Admin permissions
PowerApps Environment Admin permissions plus a PowerApps Plan 2, Microsoft Flow Plan 2, or a PowerApps
Plan 2 trial license
For more information, see Environments administration in PowerApps.

Sign in to the PowerApps Admin center


Sign in to the Admin center at https://admin.powerapps.com.

Create a DLP policy


1. In the navigation pane, click or tap Data policies, and then click or tap New policy.

2. The Data Policy Name field auto-populates with a name based on the time and date the policy is created.
Replace this with Secure Data Access for Contoso.

3. The options on the Environments tab differ depending on whether you're an Environment admin or a
Tenant admin. If you're an Environment admin, select an environment from the drop-down list, and then
click or tap Continue.
If you're a Tenant admin, you can create DLP policies that apply to one or more environments, or to all
environments within the tenant (including those created using a trial license). For this topic, click or tap
Apply to ONLY selected environments, select an environment from the drop-down list, and then click or
tap Continue.

Note that environment DLP policies cannot override tenant-wide DLP policies.
4. On the Data groups tab, under Business data only, click or tap Add.

5. In the Add connectors window, select Common Data Service and SharePoint (you may have to scroll
down or search to find them), and then click or tap Add connectors to add them to the Business data
only data group.

Connectors can reside in only one data group at a time and are added to the No business data allowed
group by default. By moving Common Data Service and SharePoint to the Business data only group,
you're preventing users from creating flows and apps that combine these two connectors with any of the
connectors in the No business data allowed group.
6. Click Save policy.

The Secure Data Access for Contoso policy is created and appears in the list of data loss prevention policies. Since
the Twitter connector resides in the No business data allowed data group, this policy ensures that the Common
Data Service and SharePoint do not share their data with Twitter.
It's good practice for administrators to share a list of DLP policies with their organization so that users are aware
of the policies prior to creating apps.

Next steps
In this topic, you learned how to create a DLP policy for a single environment to prevent important business data
from being accidentally published to connectors such as Twitter. To learn more about DLP policies, check out the
article about how to manage them.
Manage data loss prevention (DLP) policies
Manage data loss prevention (DLP) policies
3/12/2019 • 2 minutes to read

An organization's data is critical to its success. Its data needs to be readily available for decision-making, but it
needs to be protected so that it isn't shared with audiences that shouldn't have access to it. To protect this data,
PowerApps lets you create and enforce data loss prevention (DLP) policies that define which consumer
connectors specific business data can be shared with. For example, an organization that uses PowerApps may not
want its business data that's stored in SharePoint to be automatically published to its Twitter feed.
To create, edit, or delete DLP policies, you must have either Environment Admin or Azure Active Directory Tenant
Admin permissions. For more information, see Environments administration in PowerApps.
For instructions on how to create a DLP policy, see Create a data loss prevention (DLP) policy.

Find a DLP policy


1. Sign in to the Admin center at https://admin.powerapps.com.
2. In the navigation pane, click or tap Data policies. If you have a long list of policies, use the Search box to
find specific DLP policies.

Edit a DLP policy


1. In the list of data loss prevention policies, click or tap the pencil icon next to the policy you want to edit.

2. Make your changes, and then click or tap Save Policy.

NOTE
Environment DLP policies cannot override tenant-wide DLP policies.

To review the changes, find the DLP policy in the list of data loss prevention policies and click or tap it to
review its properties.
Delete a DLP policy
1. In the list of data loss prevention policies, click or tap the trash can icon next to the policy you want to
delete.

2. In the confirmation dialog box, click or tap Delete.


The policy is deleted and no longer appears in the list of data loss prevention policies.

Next steps
Learn more about environments
Learn more about Microsoft PowerApps
Data groups
3/12/2019 • 3 minutes to read

Data groups are a simple way to categorize services within a data loss prevention (DLP) policy. The two data
groups available are the Business data only group and the No business data allowed group. Organizations are
free to determine which services are placed into a particular data group. A good way to categorize services is to
place them in groups, based on the impact to the organization. By default, all services are placed into the No
business data allowed data group. You manage the services in a data group when you create or modify the
properties of a DLP policy from the admin center.

How data is shared between data groups


Data cannot be shared among services located in different groups. For example, if you place SharePoint and
Salesforce in the Business data only group and you place Facebook and Twitter in the No business data
allowed group, you cannot create a PowerApp that moves data between SharePoint and Facebook. While data
cannot be shared among services in different groups, you can share data among the services within a specific
group. So, going back to the earlier example, since SharePoint and Salesforce were placed in the same data group,
PowerApps that your end users create can share data between SharePoint and Salesforce. The key point is that
services in a specific group can share data, while services in different groups cannot share data.
Additionally, one data group must be designated as the default group. Initially, the No business data allowed
group is the default group and all services are in the data group. An administrator can change the default data
group to the business data only data group.

NOTE
Any new services that are added to PowerApps will be placed in the designated default group. For this reason, we
recommend you keep the No business data allowed as the default group and manually add services into the Business
data only group after your organization has evaluated the impact of allowing business data to be shared with the new
service.
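
The data group rules above, applied to the Contoso layout described earlier (a tenant default policy that covers all environments except one, plus environment-specific policies), can be modelled offline before a policy is saved. The following PowerShell is an added example, not code from the PowerApps documentation or its modules: the function names, the policy hashtable layout, the environment names and the connector lists are all constructed, and it assumes an app must satisfy every policy that applies to its environment.

```powershell
# Added example: offline model of how DLP data groups gate an app or flow.
# Policy names, environment names and connector lists are constructed sample data.

function Get-ConnectorGroup {
    param([hashtable] $Policy, [string] $Connector)
    if ($Policy.BusinessDataOnly -contains $Connector) { return 'BusinessDataOnly' }
    if ($Policy.NoBusinessData   -contains $Connector) { return 'NoBusinessData' }
    # Not listed (for example a newly released service): it lands in the default group.
    return $Policy.DefaultGroup
}

function Test-PolicyAppliesTo {
    param([hashtable] $Policy, [string] $Environment)
    switch ($Policy.Scope) {
        'All'       { return $true }
        'Only'      { return ($Policy.Environments -contains $Environment) }
        'AllExcept' { return ($Policy.Environments -notcontains $Environment) }
        default     { throw "Unknown scope '$($Policy.Scope)' in policy '$($Policy.Name)'" }
    }
}

function Test-AppAgainstDlp {
    param([hashtable[]] $Policies, [string] $Environment, [string[]] $Connectors)
    $violations = @()
    foreach ($policy in $Policies) {
        if (-not (Test-PolicyAppliesTo -Policy $policy -Environment $Environment)) { continue }
        $business = @($Connectors | Where-Object {
            (Get-ConnectorGroup -Policy $policy -Connector $_) -eq 'BusinessDataOnly' })
        $other = @($Connectors | Where-Object {
            (Get-ConnectorGroup -Policy $policy -Connector $_) -eq 'NoBusinessData' })
        # Connectors from both groups in one app means data could cross the group boundary.
        if ($business.Count -gt 0 -and $other.Count -gt 0) {
            $violations += [pscustomobject]@{
                Policy           = $policy.Name
                BusinessDataOnly = $business -join ', '
                NoBusinessData   = $other -join ', '
            }
        }
    }
    [pscustomobject]@{
        Environment = $Environment
        Connectors  = $Connectors -join ', '
        Allowed     = ($violations.Count -eq 0)
        BlockedBy   = ($violations | ForEach-Object { $_.Policy }) -join ', '
    }
}

# Constructed policies: a tenant default that skips the trusted environment,
# a wider policy for that environment, and an environment admin's own policy.
$tenantDefault = @{
    Name = 'Tenant default'; Scope = 'AllExcept'
    Environments     = @('Contoso Enterprise Applications')
    BusinessDataOnly = @('Common Data Service', 'SharePoint')
    NoBusinessData   = @('Twitter', 'Facebook')
    DefaultGroup     = 'NoBusinessData'
}
$enterpriseApps = @{
    Name = 'Contoso Enterprise Applications policy'; Scope = 'Only'
    Environments     = @('Contoso Enterprise Applications')
    BusinessDataOnly = @('Common Data Service', 'SharePoint', 'Twitter')
    NoBusinessData   = @('Facebook')
    DefaultGroup     = 'NoBusinessData'
}
$makerSandbox = @{
    Name = 'Maker sandbox policy'; Scope = 'Only'
    Environments     = @('Maker Sandbox')
    BusinessDataOnly = @('SharePoint', 'Twitter')
    NoBusinessData   = @()
    DefaultGroup     = 'NoBusinessData'
}
$policies = @($tenantDefault, $enterpriseApps, $makerSandbox)

$results = @(
    # Same two connectors, two environments: only the excluded environment allows the mix.
    Test-AppAgainstDlp -Policies $policies -Environment 'Maker Sandbox' -Connectors 'SharePoint', 'Twitter'
    Test-AppAgainstDlp -Policies $policies -Environment 'Contoso Enterprise Applications' -Connectors 'SharePoint', 'Twitter'
    # A connector no policy lists yet is classified by the default group.
    Test-AppAgainstDlp -Policies $policies -Environment 'Team Sandbox' -Connectors 'SharePoint', 'Brand New Service'
)

# Changing the default group moves every unlisted connector into Business data only.
$tenantDefault.DefaultGroup = 'BusinessDataOnly'
$results += Test-AppAgainstDlp -Policies $policies -Environment 'Team Sandbox' -Connectors 'SharePoint', 'Brand New Service'

$results | Format-Table -AutoSize -Wrap
```

With this sample data, the SharePoint and Twitter app is blocked in Maker Sandbox by the tenant default even though that environment's own policy groups the two connectors together, and it is allowed only in the excluded environment. The unlisted connector is blocked next to SharePoint only while No business data allowed remains the default group.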

Add services to a data group


In this walk-through, we'll add SharePoint and Salesforce to the business data only data group of a data loss
prevention (DLP) policy.
1. Select the + Add link located inside the Business data only group box of a DLP policy:

2. Select SharePoint and Salesforce then select Add services to add both to the business data only group:
3. Select Save Policy from the menu at the top:

4. Notice that both SharePoint and Salesforce are now in the business data only group:

In this walk-through, you've added SharePoint and Salesforce to the business data only data group of a DLP
policy. If a person who is part of the DLP policy's environment creates an app that shares data between
SharePoint or Salesforce and any service in the No business data allowed data group, the app will not be
allowed to run.

Remove services from a data group


Since all services must be in one of the available data groups, to remove a service from a specific group, simply
add the service to another group then save the policy.

Change the default data group


In this walk-through, we will change the default data group from the no business data allowed data group to the
business data only data group.
IMPORTANT
Any new services that are added to PowerApps will be placed in the designated default group. For this reason, we
recommend you keep the No business data allowed as the default group and manually add services into the Business
data only group.

1. Select the ... located at the top right corner of the data group you wish to designate as the default data group:

2. Select Set as default group:

3. Select Save Policy from the menu at the top:

4. Notice the data group is now designated as the default data group:

Next steps
Learn more about data loss prevention (DLP) policies
Learn more about environments
Learn more about Microsoft PowerApps
Management and monitoring
3/12/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


In this section we will focus on the tools you can use to manage and monitor what is going on in your
environments. Tooling falls into the following three categories:
Portals offer an interactive experience for performing administrative tasks. This is typically considered the
primary path for completing administrative activities. From a monitoring point of view this channel is used
mostly for ad hoc interactive discovery.
PowerShell cmdlets offer a way to automate both management and monitoring tasks using PowerShell. These
cmdlets can be used in a sequence to automate multi-step administrative actions.
Connectors offer the ability to use the platform’s own tools to manage and monitor itself. The Flow Management
connector is specifically designed to help with administrative management and monitoring. But you can also use
any of the other 200+ connectors and approval process capabilities to automate your own admin work.
Working with the admin portals
4/2/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


In a perfect world as an administrator you would only visit a single portal to perform all your administrative tasks
but given the scope and breadth of the different products involved and their differing release cycles, there are
multiple portals with which you will interact. The following outlines the different portals and the most common
tasks you perform there.

Portal: Power Platform Admin center
URL: https://admin.powerplatform.microsoft.com
Common tasks: The new unified administrative portal for Power Platform admins. Currently this portal can be used
for Common Data Service Instance Management, to submit Dynamics 365 & flow focused support tickets, and to view
PowerApps and Flow admin analytics. Over time the following admin experiences will be migrated & replaced by the
Power Platform Admin center:
1. PowerApps Admin Portal
2. Microsoft Flow Admin Portal
3. Business platform admin center
4. Dynamics 365 admin center

Portal: PowerApps Admin Portal
URL: https://admin.powerapps.com
Common tasks: Creating and managing environments, including security, starts here. Within each environment you can
manage the apps and flows. Monitoring to see who is licensed and building things. Managing Data Loss Prevention
Policies. Managing Common Data Service Data Integration projects. Over time this will be migrated & replaced by the
Power Platform Admin center.

Portal: PowerApps Maker Portal
URL: https://web.powerapps.com
Common tasks: This portal is focused on building PowerApps but can also view and manage Common Data Service
components, manage connectors and gateways. You can also see application statistics from details on apps here.

Portal: Microsoft Flow Admin Portal
URL: https://admin.flow.microsoft.com
Common tasks: This points to the same site as admin.powerapps.com. Over time this will be migrated & replaced by
the Power Platform Admin center.

Portal: Business platform admin center
URL: https://admin.businessplatform.microsoft.com
Common tasks: This points to the same site as admin.powerapps.com. Over time this will be migrated & replaced by
the Power Platform Admin center.

Portal: Dynamics 365 admin center
URL: https://port.crm.dynamics.com/G/manage/index.aspx
Common tasks: The Dynamics 365 admin center can be leveraged to perform certain Common Data Service Environment
management activities like renaming, deleting, and resetting.

Portal: Dynamics 365 Instance Management
URL: https://port.crm.dynamics.com/G/Instances/InstancePicker.aspx
Common tasks: This instance management portal is reached from admin.powerapps.com when managing the Common Data
Service database or from the Dynamics 365 admin center. Here you will see a list of all the Common Data Service
databases and can perform actions such as backup, as well as other actions on a per instance basis.

Portal: Microsoft 365 admin center
URL: https://admin.microsoft.com/AdminPortal
Common tasks: Here you will manage users and their license assignment, and you can launch into many of the
individual admin centers from here.

Portal: Microsoft Azure
URL: https://portal.azure.com
Common tasks: Advanced Azure AD management tasks like conditional access are managed here. If you support any
developer application registration, it is also done here. This is also where you start setup of your on-premises
gateways.

Portal: Security & Compliance Center
URL: https://protection.office.com
Common tasks: In addition to the general compliance tasks, administrators can come here to search the Audit log to
see Flow audit events.

Over the near-term future we will see consolidation of the PowerApps, Flow and the Dynamics 365 administration
portals into a more unified administrative portal experience. Partners helping their customers manage their
cloud services using delegated administration capabilities will not be able to use delegated access to the
PowerApps and Flow portals. Currently, you would need to have a user in the customer's tenant and assign that
user a P2 license.

Common portal tasks


Managing Flows and Applications in an Environment

View Application Analytics


View Flow Analytics can be found from drilling down from the list of flows.

From here you will see the following details for that specific flow.
PowerShell support for PowerApps (preview)
5/30/2019 • 11 minutes to read

With the preview launch of the PowerShell cmdlets for app creators and administrators, you can automate many
of the monitoring and management tasks that are only possible manually today in PowerApps or the PowerApps
Admin center.

Cmdlets
Cmdlets are functions written in PowerShell script language that execute commands in the Windows PowerShell
environment. Running these PowerApps cmdlets will allow you to interact with your Business Application
Platform without having to go through the admin portal in a web browser. You can combine these cmdlets with
other PowerShell functions to write complex scripts that can optimize your workflow. Note that you can still use
the cmdlets if you’re not an admin on the tenant, but you will be limited to the resources you own. Cmdlets that
start with the word ‘Admin’ are designed to be used by an administrative user account.
Cmdlets are available on the PowerShell gallery as two separate modules:
Administrator
Maker

NOTE
Regarding Dynamics 365 Government Community Cloud (GCC) level 2 support:
The default endpoint is “prod”. If a user wants to run a PowerShell script on the GCC environment, the -Endpoint parameter
needs to be changed to “usgov”. GCC High and DOD are not yet supported.

Add-PowerAppsAccount -Endpoint "usgov"

Installation
To run the PowerShell cmdlets for app creators, do the following:
1. Run PowerShell as an administrator.
2. Import the necessary modules using the following commands:

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell


Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber

3. If you are prompted to accept the change to InstallationPolicy value of the repository, accept [A] Yes to all
modules by typing ‘A’ and pressing Enter for each module.

4. Before accessing any of the commands, you have the option to provide your credentials using the following
command. These credentials are refreshed for up to ~8 hours before you’re required to sign in again to
continue using the cmdlets.

# This call opens a prompt to collect the credentials (Azure Active Directory account and password) used by the commands
Add-PowerAppsAccount

# Here is how you can pass in credentials (avoiding opening a prompt)
$pass = ConvertTo-SecureString "password" -AsPlainText -Force
Add-PowerAppsAccount -Username [email protected] -Password $pass

PowerApps cmdlets for app creators (preview)


Prerequisite
Users with a valid PowerApps license can perform the operations in these cmdlets, but they will only have access
to the resources (for example, apps, flows, etc.) that have been created or shared with them.
Cmdlet list - Maker Cmdlets

NOTE
We have updated some of the cmdlets function names in the latest release in order to add appropriate prefixes to prevent
collisions. See the table below for an overview of what has changed.

Purpose: Add a canvas app to a Common Data Service solution
Cmdlets:
  SetPowerAppAsSolutionAware

Purpose: Read environments
Cmdlets:
  Get-PowerAppEnvironment (previously Get-PowerAppsEnvironment)
  Get-FlowEnvironment

Purpose: Read, update, and delete a canvas app
Cmdlets:
  Get-PowerApp (previously Get-App)
  Remove-PowerApp (previously Remove-App)
  Publish-PowerApp (previously Publish-App)
  Set-AppDisplayName (previously Set-PowerAppDisplayName)
  Get-PowerAppVersion (previously Get-AppVersion)
  Restore-PowerAppVersion (previously Restore-AppVersion)

Purpose: Read, update, and delete canvas app permissions
Cmdlets:
  Get-PowerAppRoleAssignment (previously Get-AppRoleAssignment)
  Set-PowerAppRoleAssignment (previously Set-AppRoleAssignment)
  Remove-PowerAppRoleAssignment (previously Remove-AppRoleAssignment)

Purpose: Read, update, and delete a flow
Cmdlets:
  Get-Flow
  Get-FlowRun
  Enable-Flow
  Disable-Flow
  Remove-Flow

Purpose: Read, update, and delete flow permissions
Cmdlets:
  Get-FlowOwnerRole
  Set-FlowOwnerRole
  Remove-FlowOwnerRole

Purpose: Read and respond to flow approvals
Cmdlets:
  Get-FlowApprovalRequest
  Get-FlowApproval
  RespondTo-FlowApprovalRequest

Purpose: Read and delete connections
Cmdlets:
  Get-PowerAppConnection (previously Get-Connection)
  Remove-PowerAppConnection (previously Remove-Connection)

Purpose: Read, update, and delete connection permissions
Cmdlets:
  Get-PowerAppConnectionRoleAssignment (previously Get-ConnectionRoleAssignment)
  Set-PowerAppConnectionRoleAssignment (previously Set-ConnectionRoleAssignment)
  Remove-PowerAppConnectionRoleAssignment (previously Remove-ConnectionRoleAssignment)

Purpose: Read and delete connectors
Cmdlets:
  Get-PowerAppConnector (previously Get-Connector)
  Remove-PowerAppConnector (previously Remove-Connector)

Purpose: Read, update, and delete custom connector permissions
Cmdlets:
  Get-PowerAppConnectorRoleAssignment (previously Get-ConnectorRoleAssignment)
  Set-PowerAppConnectorRoleAssignment (previously Set-ConnectorRoleAssignment)
  Remove-PowerAppConnectorRoleAssignment (previously Remove-ConnectorRoleAssignment)

PowerApps cmdlets for administrators (preview)


Prerequisite
To perform the administration operations in the admin cmdlets, you'll need the following:
Office 365 Global admins or Azure Active Directory Global admins no longer require a P2 license for
administrative access to the PowerApps admin PowerShell cmdlets. However, these administrators need to
sign in to the PowerApps Admin Center at least once before using the PowerShell cmdlets. If this is not
done, the cmdlets will fail with an authorization error.
Office 365 Global Administrator or Azure Active Directory Global Administrator permissions if you need to
search through another user’s resources. (Note that Environment Admins only have access to those
environments and environment resources for which they have permissions.)
Cmdlet list - Admin Cmdlets
Purpose: Read, update, and delete environments and Common Data Service databases
Cmdlets:
  New-AdminPowerAppEnvironment
  Set-AdminPowerAppEnvironmentDisplayName
  Get-AdminPowerAppEnvironment (previously Get-AdminEnvironment)
  Remove-AdminPowerAppEnvironment (previously Remove-AdminEnvironment)
  New-AdminPowerAppCdsDatabase
  Get-AdminPowerAppCdsDatabaseLanguages
  Get-AdminPowerAppCdsDatabaseCurrencies
  Get-AdminPowerAppEnvironmentLocations

Purpose: Delete Common Data Service database
Cmdlets:
  Remove-LegacyCDSDatabase *New*

Purpose: Read, update, and delete environment permissions. These cmdlets only work today for environments that do
not have a Common Data Service database.
Cmdlets:
  Get-AdminPowerAppEnvironmentRoleAssignment (previously Get-AdminEnvironmentRoleAssignment)
  Set-AdminPowerAppEnvironmentRoleAssignment (previously Set-AdminEnvironmentRoleAssignment)
  Remove-AdminPowerAppEnvironmentRoleAssignment (previously Remove-AdminEnvironmentRoleAssignment)

Purpose: Read, update, and remove canvas apps
Cmdlets:
  Get-AdminPowerApp (previously Get-AdminApp)
  Remove-AdminPowerApp (previously Remove-AdminApp)
  Get-AdminPowerAppConnectionReferences
  Set-AdminPowerAppAsFeatured
  Clear-AdminPowerAppAsFeatured
  Set-AdminPowerAppAsHero
  Clear-AdminPowerAppAsHero
  Set-AdminPowerAppApisToBypassConsent
  Clear-AdminPowerAppApisToBypassConsent

Purpose: Read, update, and delete canvas app permissions
Cmdlets:
  Get-AdminPowerAppRoleAssignment (previously Get-AdminAppRoleAssignment)
  Remove-AdminPowerAppRoleAssignment (previously Remove-AdminAppRoleAssignment)
  Set-AdminPowerAppRoleAssignment (previously Set-AdminAppRoleAssignment)
  Set-AdminPowerAppOwner (previously Set-AdminAppOwner)

Purpose: Read, update, and delete flows
Cmdlets:
  Get-AdminFlow
  Enable-AdminFlow
  Disable-AdminFlow
  Remove-AdminFlow
  Remove-AdminFlowApprovals

Purpose: Read, update, and delete flow permissions
Cmdlets:
  Get-AdminFlowOwnerRole
  Set-AdminFlowOwnerRole
  Remove-AdminFlowOwnerRole

Purpose: Read and delete connections
Cmdlets:
  Get-AdminPowerAppConnection (previously Get-AdminConnection)
  Remove-AdminPowerAppConnection (previously Remove-AdminConnection)

Purpose: Read, update, and delete connection permissions
Cmdlets:
  Get-AdminPowerAppConnectionRoleAssignment (previously Get-AdminConnectionRoleAssignment)
  Set-AdminPowerAppEnvironmentConnectionRoleAssignment (previously Set-AdminConnectionRoleAssignment)
  Remove-AdminPowerAppConnectionRoleAssignment (previously Remove-AdminConnectionRoleAssignment)

Purpose: Read and delete custom connectors
Cmdlets:
  Get-AdminPowerAppConnector (previously Get-AdminConnector)
  Remove-AdminPowerAppConnector (previously Remove-AdminConnector)

Purpose: Read, update, and delete custom connector permissions
Cmdlets:
  Get-AdminPowerAppConnectorRoleAssignment (previously Get-AdminConnectorRoleAssignment)
  Set-AdminPowerAppConnectorRoleAssignment (previously Set-AdminConnectorRoleAssignment)
  Remove-AdminPowerAppConnectorRoleAssignment (previously Remove-AdminConnectorRoleAssignment)

Purpose: Read a user's PowerApps user settings, user-app settings, and notifications
Cmdlets:
  Get-AdminPowerAppsUserDetails

Purpose: Read and delete a user's Microsoft Flow settings, which are not visible to user, but that support flow
execution
Cmdlets:
  Get-AdminFlowUserDetails
  Remove-AdminFlowUserDetails

Purpose: Create, read, update and delete data loss prevention policies for your organization
Cmdlets:
  Get-AdminDlpPolicy (previously Get-AdminApiPolicy)
  New-AdminDlpPolicy (previously Add-AdminApiPolicy)
  Remove-AdminDlpPolicy (previously Remove-AdminApiPolicy)
  Set-AdminDlpPolicy (previously Set-AdminApiPolicy)
  Add-ConnectorToBusinessDataGroup
  Remove-ConnectorFromBusinessDataGroup
  Add-CustomConnectorToPolicy
  Remove-CustomConnectorFromPolicy

Purpose: Read and update tenant settings
Cmdlets:
  Get-TenantSettings
  Set-TenantSettings

Tips
Use Get-Help 'CmdletName' to get a list of examples.

To cycle through the possible options for input tags, press the Tab key after typing the dash (-)
character that follows the cmdlet name.
Example commands:

Get-Help Get-AdminPowerAppEnvironment
Get-Help Get-AdminPowerAppEnvironment -Examples
Get-Help Get-AdminPowerAppEnvironment -Detailed

Operation examples
Below are some common scenarios that show how to use new and existing PowerApps cmdlets.
Environments Commands
PowerApps Commands
Flow commands
API connection commands
Data Loss Prevention (DLP) policy commands
Environments commands
Use these commands to get details on and update environments in your tenant.
Display a list of all environments

Get-AdminPowerAppEnvironment

Returns a list of each environment across your tenant, with details of each (e.g., environment name (guid), display
name, location, creator, etc).
Display details of your default environment

Get-AdminPowerAppEnvironment -Default

Returns the details for only the default environment of the tenant.
Display details of a specific environment

Get-AdminPowerAppEnvironment -EnvironmentName 'EnvironmentName'

Note: The EnvironmentName field is a unique identifier, which is different from the DisplayName (see first and
second fields in the output in the following image).

PowerApps commands
These operations are used to read and modify PowerApps data in your tenant.
Display a list of all PowerApps

Get-AdminPowerApp

Returns a list of all PowerApps across the tenant, with details of each (e.g., application name (guid), display name,
creator, etc).
Display a list of all PowerApps that match the input display name

Get-AdminPowerApp 'DisplayName'

Returns a list of all the PowerApps in your tenant that match the display name.
Note: Use quotation characters (") around input values that contain spaces.
Feature an application

Set-AdminPowerAppAsFeatured -AppName 'AppName'

Featured applications are grouped and pushed to the top of the list in the PowerApps mobile player.
Note: Like environments, the AppName field is a unique identifier, which is different from the DisplayName. If
you want to perform operations based on the display name, some functions will let you use the pipeline (see next
function).
Make an application a Hero app, using the pipeline

Get-AdminPowerApp 'DisplayName' | Set-AdminPowerAppAsHero

A Hero app will appear at the top of the list in the PowerApps mobile player. There can only be one Hero app.
The pipeline (represented as the ‘|’ character between two cmdlets) takes the output of the first cmdlet and passes
it as the input value of the second, assuming the function has been written to accommodate the pipeline feature.
Note: an app must already be a featured app before it is changed to a hero.
Display the number of apps each user owns

Get-AdminPowerApp | Select -ExpandProperty Owner | Select -ExpandProperty displayname | Group

You can combine native PowerShell functions with the PowerApps cmdlets to manipulate data even further. Here
we use the Select function to isolate the Owner attribute (an object) from the Get-AdminPowerApp object. We then
isolate the name of the owner object by pipelining that output into another Select function. Finally, passing the
second Select function output into the Group function returns a nice table that includes a count of each owner’s
number of apps.

Display the number of apps in each environment

Get-AdminPowerApp | Select -ExpandProperty EnvironmentName | Group | %{ New-Object -TypeName PSObject -Property @{ DisplayName = (Get-AdminPowerAppEnvironment -EnvironmentName $_.Name | Select -ExpandProperty displayName); Count = $_.Count } }

Download PowerApps user details


Get-AdminPowerAppsUserDetails -OutputFilePath '.\adminUserDetails.txt' -UserPrincipalName [email protected]

The above command will store the PowerApps user details (basic usage information about the input user via their
user principal name) in the specified text file. It will create a new file if there is no existing file with that name, and
overwrite the text file if it already exists.
Set logged in user as the owner of a PowerApp

Set-AdminPowerAppOwner -AppName 'AppName' -AppOwner $Global:currentSession.userId -EnvironmentName 'EnvironmentName'

Changes the owner role of a PowerApp to the current user, and replaces the original owner as a “can view” role
type.
Note: The AppName and EnvironmentName fields are the unique identifiers (guids), not the display names.
Flow commands
Use these commands to view and modify data related to Microsoft Flow.
Display all flows

Get-AdminFlow

Returns a list of all flows in the tenant.


Display flow owner role details

Get-AdminFlowOwnerRole -EnvironmentName 'EnvironmentName' -FlowName 'FlowName'

Returns the owner details of the specified flow.


Note: Like Environments and PowerApps, FlowName is the unique identifier (guid), which is different from the
display name of the flow.
Display flow user details

Get-AdminFlowUserDetails -UserId $Global:currentSession.userId

Returns the user details regarding flow usage. In this example we’re using the user Id of the current logged in user
of the PowerShell session as input.
Remove flow user details

Remove-AdminFlowUserDetails -UserId 'UserId'

Deletes the details on a flow user completely from the Microsoft database. All flows the input user owns must be
deleted before the flow user details can be purged.
Note: The UserId field is the Object ID of the user’s Azure Active Directory record, which can be found in the
Azure Portal under Azure Active Directory > Users > Profile > Object ID. You must be an admin to access this
data from here.
Export all flows to a CSV file
Get-AdminFlow | Export-Csv -Path '.\FlowExport.csv'

Exports all the flows in your tenant into a tabular view .csv file.
API connection commands
View and manage API connections in your tenant.
Display all native Connections in your default environment

Get-AdminPowerAppEnvironment -Default | Get-AdminPowerAppConnection

Displays a list of all API connections you have in the default environment. Native connections are found under the
Data > Connections tab in the maker portal.
Display all custom connectors in the tenant

Get-AdminPowerAppConnector

Returns a list of all custom connector details in the tenant.


Data Loss Prevention (DLP) policy commands
These cmdlets will control the DLP policies on your tenant.
Display all policies

Get-AdminDlpPolicy

Returns a list of all the policies.


Display a filtered list of policies

Get-AdminDlpPolicy 'DisplayName'

Uses the display name to filter the policies


Display all ‘Business data only’ API connectors in a policy

Get-AdminDlpPolicy 'PolicyName' | Select -ExpandProperty BusinessDataGroup

Lists the API connections that are in the Business data only (or BusinessDataGroup) field in an input policy.
Add a connector to the ‘Business data only’ group

Add-ConnectorToBusinessDataGroup -PolicyName 'PolicyName' -ConnectorName 'ConnectorName'

Adds a connector to the ‘Business data only’ group in a given DLP policy. See the list of connectors by
DisplayName and ConnectorName (used as input) here.

Version History
DATE UPDATES

04/23/2018
1. Initial launch of the PowerApps cmdlets for app creators (preview) including management cmdlets for
Environments, Apps, Flows, Flow approvals, Connections, and Custom Connectors
2. Initial launch of the PowerApps cmdlets for administrators (preview) including administrative cmdlets for
Environments, Apps, and Flows

05/24/2018
1. Minor bug fixes in both the cmdlets for app creators and administrators
2. Added the following new administrative cmdlets:
Get-AdminConnection
Remove-AdminConnection
Get-AdminConnectionRoleAssignment
Set-AdminConnectionRoleAssignment
Remove-AdminConnectionRoleAssignment
Get-AdminConnector
Remove-AdminConnector
Set-AdminConnectorRoleAssignment
Get-AdminConnectorRoleAssignment
Remove-AdminConnectorRoleAssignment
Get-AdminPowerAppsUserDetails
Get-AdminFlowUserDetails
Remove-AdminFlowUserDetails
Get-AdminApiPolicy
Add-AdminApiPolicy
Remove-AdminApiPolicy
Set-AdminApiPolicy
Add-ConnectorToBusinessDataGroup
Remove-ConnectorFromBusinessDataGroup

07/30/2018
1. Added the ability to pass in credentials to Add-PowerAppsAccount (to enable recurring scripting)
2. Minor bug fixes in both the cmdlets for app creators and administrators
3. Added the "PowerApp" or "Flow" prefix to each cmdlet for app creators
4. Added the "AdminPowerApp" or "AdminFlow" prefix to each cmdlet for administrators
5. Added the following new administrative cmdlets:
New-AdminPowerAppEnvironment
Set-AdminPowerAppEnvironmentDisplayName
New-AdminPowerAppCdsDatabase
Get-AdminPowerAppCdsDatabaseLanguages
Get-AdminPowerAppCdsDatabaseCurrencies
Get-AdminPowerAppEnvironmentLocations
Get-AdminPowerAppConnectionReferences
Set-AdminPowerAppAsFeatured
Clear-AdminPowerAppAsFeatured
Set-AdminPowerAppAsHero
Clear-AdminPowerAppAsHero
Set-AdminPowerAppApisToBypassConsent
Clear-AdminPowerAppApisToBypassConsent
Remove-AdminFlowApprovals

08/15/2018 Added an optional parameter to New-AdminPowerAppCdsDatabase to make the function synchronous, by
default (i.e. it will not return until the database is successfully provisioned)

08/24/2018 Fixed an issue where the Flow admin cmdlets were not returning data for some users based on their
security settings

01/09/2019
1. Cmdlets are now available on the PowerShell gallery as two separate modules: Administrator and Maker.
2. Added administrative cmdlet: Remove-LegacyCDSDatabase
3. Added operation examples
4. Added the ability to manage HTTP and custom connectors in data loss prevention (DLP)

03/05/2019 Added content for Government Community Cloud (GCC) level 2 support.

03/07/2019 Added a cmdlet: Add a canvas app to a Common Data Service solution - SetPowerAppAsSolutionAware

04/29/2019 Revised GCC terminology.

05/10/2019 Revised links for Cmdlets available on the PowerShell gallery to remove preset version.

05/20/2019 Added support for environment-specific Data Loss Prevention


(DLP) policies.

Questions?
If you have any comments, suggestions, or questions, post them on the Administering PowerApps community
board.
Automation of tasks with PowerShell
3/22/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


The PowerShell cmdlets let you do many of the same tasks you would do in the admin portals, but from scripts,
where you can run multiple commands in sequence or pipe the output of one command into another to automate common
tasks. There are several PowerShell cmdlet libraries that you can work with. The following is an overview of each one that you
would likely interact with.

| POWERSHELL CMDLET LIBRARY | COMMON TASKS |
|---|---|
| PowerApps cmdlets (PowerShell support for PowerApps (preview)) | Designed for app makers and administrators to automate tasks with environments and associated apps, flows and connectors. Note: These cmdlets are currently in preview. |
| Office 365 cmdlets (https://docs.microsoft.com/en-us/office365/enterprise/powershell/getting-started-with-office-365-powershell) | These are focused on Office 365 related tasks and can be used to automate user-related actions and tasks, for example, assignment of licenses. |
| Dynamics 365 cmdlets (https://docs.microsoft.com/en-us/powershell/dynamics365/customer-engagement/overview) | These are useful if you have any environments with Common Data Service databases. Modules include support for using the Common Data Service online admin API, as well as to automate solution deployment to the Common Data Service instances. |
| Microsoft Azure cmdlets (https://docs.microsoft.com/en-us/powershell/azure/overview) | The Azure cmdlets are useful if you are including any Azure components in your overall solution. This could also be used to script setup of the on-premises application gateway. |

Common PowerShell tasks


Displaying a list of environments

```
Get-AdminPowerAppEnvironment
```

This will give you key information such as the Display Name and GUID of the environment. This is often what is
needed for follow on operations.
Adding parameters such as -Default will allow you to generically find the default environment in the tenant.

```
Get-AdminPowerAppEnvironment -Default
```

Using the GUID you got back (which is the non-display name for the environment), you can drill into the details of that
specific environment:

```
Get-AdminPowerAppEnvironment -EnvironmentName 'EnvironmentName'
```

This returns detailed information about that environment.

Another useful one is getting a list of connections in an environment. The following lists all the connections in the
tenant’s default environment.

```
Get-AdminPowerAppEnvironment -Default | Get-AdminPowerAppConnection
```

And finally, a slightly more complex example. This one pipes the output from one cmdlet to others and presents a
list of the number of apps in each environment in the tenant.

```
# Count the apps in each environment, labelled with the environment's display name
Get-AdminPowerApp | Select-Object -ExpandProperty EnvironmentName | Group-Object | ForEach-Object {
    $displayName = Get-AdminPowerAppEnvironment -EnvironmentName $_.Name | Select-Object -ExpandProperty displayName
    New-Object -TypeName PSObject -Property @{ DisplayName = $displayName; Count = $_.Count }
}
```

This returns one row per environment with its display name and app count.
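
The same kind of pipeline applied to connections, as an added example rather than code from the original documentation: it builds the environment lookup once instead of calling Get-AdminPowerAppEnvironment for every group, and it labels connections whose environment is not in the supplied list. The function name is hypothetical, the sample objects are constructed, and it assumes connection objects expose EnvironmentName and ConnectorName properties.

```powershell
# Added example. Assumption: environment objects expose EnvironmentName and
# DisplayName, and connection objects expose EnvironmentName and ConnectorName.
function Get-ConnectionUsageByEnvironment {
    [CmdletBinding()]
    param(
        # Environment objects, e.g. from Get-AdminPowerAppEnvironment.
        [Parameter(Mandatory)]
        [object[]] $Environment,

        # Connection objects, e.g. from Get-AdminPowerAppConnection (may be empty).
        [Parameter(Mandatory)]
        [AllowNull()]
        [AllowEmptyCollection()]
        [object[]] $Connection
    )

    # Build the GUID -> display name map once, not once per group.
    $displayNameOf = @{}
    foreach ($e in $Environment) {
        $displayNameOf[$e.EnvironmentName] = $e.DisplayName
    }

    # Drop nulls so an empty result from the cmdlet produces an empty report.
    $items = @($Connection | Where-Object { $null -ne $_ })

    $items |
        Group-Object -Property EnvironmentName, ConnectorName |
        ForEach-Object {
            $first = $_.Group[0]
            $envId = $first.EnvironmentName
            [pscustomobject]@{
                # Connections can outlive what the caller is able to list, so
                # fall back to the GUID when there is no matching environment.
                Environment     = if ($displayNameOf.ContainsKey($envId)) { $displayNameOf[$envId] } else { "(unknown) $envId" }
                EnvironmentName = $envId
                Connector       = $first.ConnectorName
                Connections     = $_.Count
            }
        } |
        Sort-Object -Property Environment, @{ Expression = 'Connections'; Descending = $true }
}

# Constructed sample data standing in for the cmdlet output.
$sampleEnvironments = @(
    [pscustomobject]@{ EnvironmentName = 'Default-00000000-0000-0000-0000-000000000000'; DisplayName = 'Contoso (default)' }
    [pscustomobject]@{ EnvironmentName = '11111111-1111-1111-1111-111111111111';         DisplayName = 'Finance Dev' }
)
$sampleConnections = @(
    [pscustomobject]@{ EnvironmentName = 'Default-00000000-0000-0000-0000-000000000000'; ConnectorName = 'shared_sharepointonline' }
    [pscustomobject]@{ EnvironmentName = 'Default-00000000-0000-0000-0000-000000000000'; ConnectorName = 'shared_sharepointonline' }
    [pscustomobject]@{ EnvironmentName = 'Default-00000000-0000-0000-0000-000000000000'; ConnectorName = 'shared_office365' }
    [pscustomobject]@{ EnvironmentName = '11111111-1111-1111-1111-111111111111';         ConnectorName = 'shared_sql' }
    [pscustomobject]@{ EnvironmentName = '22222222-2222-2222-2222-222222222222';         ConnectorName = 'shared_sql' }
)

Get-ConnectionUsageByEnvironment -Environment $sampleEnvironments -Connection $sampleConnections |
    Format-Table -AutoSize

# Against a tenant:
#   $envs = Get-AdminPowerAppEnvironment
#   Get-ConnectionUsageByEnvironment -Environment $envs -Connection ($envs | Get-AdminPowerAppConnection)
```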


Automate application lifecycle management with PowerApps Build Tools
7/12/2019 • 2 minutes to read

Use PowerApps Build Tools to automate common build and deployment tasks related to PowerApps. This includes
synchronization of solution metadata (solutions) between development environments and source control,
generating build artifacts, deploying to downstream environments, provisioning/de-provisioning of environments,
and the ability to perform static analysis checks against your solution using the PowerApps checker service.
Interested? Check out the blog: Automate your application lifecycle management (ALM) with PowerApps Build
Tools (Preview).
Automation of tasks with Flow
3/12/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


One of the unique things about Microsoft Flow is you can use it to manage itself along with other parts of the
Microsoft Power platform. The following connectors can be helpful to automate administrator tasks with Microsoft
Flow.

| CONNECTOR | POSSIBLE USES |
|---|---|
| Flow management connector (https://docs.microsoft.com/en-us/connectors/flowmanagement/) | Can be used to automate working with Flows including getting lists of new flows or connectors in your environments. |
| Office 365 Users connector (https://docs.microsoft.com/en-us/connectors/office365users/) | Useful for automating actions around users. For example, you could use the connector to get the manager of a user that owns an environment to be able to send them an e-mail for approval. |
| Approval connector (https://docs.microsoft.com/en-us/connectors/approvals/) | Often administrators need to get approvals, and Flow offers a rich set of approval tasks you can use to automate this process. |
| Microsoft Forms (https://docs.microsoft.com/en-us/connectors/microsoftforms/) | Forms is an easy way to collect information to start an admin task. This can be combined with the Approval connector to get manager approval. |
| Azure AD connector (https://docs.microsoft.com/en-us/connectors/azuread/) | Useful to perform tasks such as adding a user to a group or even creating the group. |

Common Flow tasks


daily on schedule, and uses the Flow Management connector to get a list of the connections in the environment and
sends you an e-mail. You can add it to your flows quickly using the template
https://us.flow.microsoft.com/en-us/galleries/public/templates/5a6ef26db3b749ed88b7afb377d11ecf/list-new-microsoft-flow-connectors/
If you want to try building it yourself, there is a good walkthrough of creating the flow from scratch here:
https://flow.microsoft.com/en-us/blog/new-flow-connector-notifications/
Download a list of apps created in your environments
3/12/2019 • 2 minutes to read

If you're an Environment admin, you can view and download a list of apps created in the environments that you're
administering. If you're an Office 365 Global admin or Azure Active Directory Tenant admin, you can view and download a
list of apps created in all of the environments in your organization.
In this topic, you'll learn how to download a list of apps created in a single environment to a .csv file, and then view
that list in Excel.

Prerequisites
To follow the steps, the following items are required:
Either a PowerApps Plan 2 or Microsoft Flow Plan 2 license. Alternatively, you can sign up for a free
PowerApps Plan 2 trial.
PowerApps Environment Admin, Office 365 Global Admin, or Azure Active Directory Tenant Admin
permissions. For more information, see Environments administration in PowerApps.

Sign in to the PowerApps Admin center


Sign in to the Admin center at https://admin.powerapps.com.

Download the list of apps


1. In the navigation pane, click or tap Environments, and then click or tap the environment for which you
want to download the list of apps.

2. On the Resources tab, click or tap Apps, and then click or tap Download the list of apps.
The list of apps is downloaded into a .csv file. This process could take several minutes. Make sure that you
don't close the window before the list completely downloads or you may have to restart the process.

View the list


After the .csv file is created, open it in Excel. The list contains the app display name, the owner of the app, any
connectors that the app uses to connect to data sources, and other information.

Next steps
In this topic, you learned how to download and view a list of apps created in an environment within your
organization. Next, learn how to manage the apps created in your organization.
Manage apps created in your organization
Manage apps created in your organization
3/12/2019 • 2 minutes to read

If you're an Environment Admin, Office 365 Global Admin, or Azure Active Directory Tenant Admin, you can
manage the apps created in your organization.
Admins can do the following from the PowerApps Admin center:
Add or change the users with whom an app is shared
Delete apps not currently in use
View the data sources used by an app

Prerequisites
Either a PowerApps Plan 2 or Microsoft Flow Plan 2 license. Alternatively, you can sign up for a free
PowerApps Plan 2 trial.
PowerApps Environment Admin, Office 365 Global Admin, or Azure Active Directory Tenant Admin
permissions. For more information, see Environments administration in PowerApps.

Manage an app
1. Sign in to the Admin center at https://admin.powerapps.com.
2. In the navigation pane, click or tap Environments, and then click or tap the environment that contains the
app that you want to manage.
If you don't see Environments in the navigation pane, that indicates you don't have a PowerApps Plan 2,
Microsoft Flow Plan 2, or PowerApps Plan 2 trial license.

3. On the Resources tab, click or tap Apps, and then click or tap the app that you want to manage.
This takes you to the app Details page.

4. Do any of the following:


Click or tap the trash can icon to delete the app.
View data connections, flows, and other details associated with the app.
Click or tap Share to view or modify the users with whom the app is shared.

Next steps
Check out other how-to guides to learn what else you can do from the PowerApps Admin center.
Environment and tenant app migration through Packaging
3/22/2019 • 5 minutes to read

Learn how to migrate resources from one environment to another with packaging. These environments can be
within the same tenant or across different tenants.

The scenario
One common scenario where you may want to migrate resources is where you have Test or Dev environments
and a Production environment. Developers and testers have wide access to the apps in their environments. But
when it comes time to migrate a new app to production, that environment has rigorous control over permissions
to update and change it.
Another scenario is one where each customer has their own environment and data. When a new customer is
added, a new environment is created for them, and you would migrate apps into their environment.

Which resources can I migrate through packaging?


When you export an app, the dependent resources for your app will also get exported into the package. Initially
only a subset of all possible resource types will be supported as outlined in the table below.

| RESOURCE TYPE | SUPPORTED | IMPORT OPTIONS |
|---|---|---|
| App | Yes | There are two options to import an app into an environment: 1. Create new – The app will be created as a new app in the environment where the package is imported. 2. Update – The app already exists in the environment and will be updated when this package is imported. |
| Flow | Yes | There are two options to import a flow into an environment: 1. Create new – The flow will be created as a new flow in the environment where the package is imported. 2. Update – The flow already exists in the environment and will be updated when this package is imported. Note: All resources that the flow depends on will also be included within the app package that is exported and will need to be configured when the package is imported. |
| Custom Connectors | No | If an app depends on a custom connector we do not currently support exporting the connector as a part of the package. If you have an app that relies on a custom connector, your only current option is to manually re-create or update the connector in your target environment and select that connector when you import the package. |
| Connections | No | If an app depends on a connection (such as a SQL connection with credentials), we do not currently support exporting the connection or credentials as a part of the package. If you have an app that relies on a shared connection (like SQL), your only current option is to manually re-create that connection with the appropriate credentials in your target environment and select that connection when you import the package. |
| Common Data Service Customizations | No | Exporting Common Data Service customizations is no longer supported as a part of packaging. This is now supported through exporting and importing the environment default solution as outlined in the article below. |
| Gateways | No | Gateways are only supported in the default (and {tenant name} (from preview)) environments, so export/migration is not supported. |

How do I get access to packaging for my app?


The ability to export an app is available to any user with "Can edit" permission to the app.
The ability to import an app is available to any user with "Environment Maker" permission in the destination
environment.
A user must have a PowerApps Plan 2 or PowerApps Plan 2 trial license in order to export or import any app.

NOTE
While packaging is in preview, any user with a valid PowerApps license will be able to try out packaging for their apps and
environments.

Exporting an app
1. In http://web.powerapps.com, click or tap Apps, select the ellipses for the app you want to migrate, and
then select Export (preview).

2. When the export package page opens, enter a Name and Description for the package.

3. Within the ‘Review Package Content’ section you can optionally add comments or notes or change the
setting for how each individual resource will be imported into the target environment during package
import.

4. When you are done select Export and the package file will begin downloading within a few seconds.

Importing an app
1. In http://web.powerapps.com, click or tap Apps, and then select Import package (preview).
2. Select Upload and select the app package file that you want to import.

3. Once the package has been uploaded you will need to review the package contents and will need to provide
additional input for any item marked with a red icon by selecting the wrench icon for each item and
entering the required information.

4. Once you have provided all of the required information select Import.

5. When import completes you will be automatically redirected to a page (similar to the one below) that
outlines whether or not the import operation was successful.
NOTE
If you are importing an app and chose to Update an existing app, the new changes will be saved as a draft of the
application. You will need to publish those changes in order for them to be available to all other users of the application.

Exporting Common Data Service customizations and model-driven apps

Exporting any entity or option set customizations or any model-driven apps that you have built in
https://web.powerapps.com is supported by exporting the default environment solution as follows:

NOTE
If you would like to learn more about solutions in PowerApps, please see Introduction to solutions.

1. In http://web.powerapps.com, select the Model-driven (preview) design mode in your environment.

2. Select Advanced in the left-navigation bar to launch the solution explorer for this environment's default
solution.
3. Select Export Solution and complete the required steps. A solution package file will begin downloading
within a few seconds.

Importing Common Data Service customization and model-driven apps


Importing a Common Data Service solution package unfortunately requires a manual workaround in the
experience, one that we are actively working to fix:
1. In http://web.powerapps.com, select the Model-driven (preview) design mode in your environment.
2. Select Advanced in the left-navigation bar to launch the solution explorer for this environment's default
solution.

3. Copy the URL from your browser, make the following changes, and then navigate to the new URL in your
browser:
Current URL structure:
https://{orguniquename}.crm.dynamics.com/tools/solution/edit.aspx?id={solutionname}
New URL structure:
https://{orguniquename}.crm.dynamics.com/tools/solution/SolutionImportWizard.aspx

4. Select the Common Data Service solution package file that you want to import, and complete the wizard.
5. If import is successful you will see the following confirmation dialog. In order for the solution changes to be
available to other customizers within the environment, select Publish All Customizations.
Embed an app in Microsoft Teams
8/21/2019 • 3 minutes to read

As an admin, you can share apps created in PowerApps to users in your tenant through Microsoft Teams. Upload
the apps so they show up for all teams in your tenant under the All tabs section.
Individuals can share an app they've created in PowerApps in a Team they are a member of by following these
instructions.

NOTE
Team custom app policies must be set to allow uploading custom apps. Check out custom app settings.

Prerequisites
Have a PowerApps license
Be a tenant administrator
Created a canvas app

Locate your app's GUID


Find and make note of your app's GUID to use in a later step.
1. Sign in to https://web.powerapps.com, and then select Apps in the menu.

2. Select More Commands (...) for the app you want to share in Teams, and then select Details.
3. Record the App ID for later use.

Install App Studio


You can skip these steps if App Studio is already installed.

1. In Teams, select Apps in the lower-left of the Teams menu.


2. Search for "App Studio" in the search box and then select it.
3. Select Install.

4. Select Open for the App feature.

Create a Teams app


1. In Teams, open App Studio.
2. Select the Manifest editor tab, and then select Create a new app under Welcome.

3. Fill in information about your app in the App Details page. For the App ID GUID, you should use your
app's ID GUID you recorded above. This will avoid duplication of Teams apps for a particular app.
| FIELDS | DESCRIPTION |
|---|---|
| App names | |
| Short name | Required. The short display name for the app. 30 character limit. |
| Long name | The full name of the app, used if the full app name exceeds 30 characters. |
| Identification | |
| App ID | Required. The unique Microsoft-generated identifier for this app. |
| Package Name | Required. A unique identifier for this app in reverse domain notation; for example, com.example.myapp. |
| Version | Required. The version of the specific app. If you update something in your manifest, the version must be incremented as well. |
| Descriptions | |
| Short description | Required. A short description of your app experience, used when space is limited. 80 character limit. |
| Long description | Required. The full description of your app. |
| Developer information | |
| Name | Required. The display name for the company or developer. |
| Website | Required. The https:// URL to the website for your app via powerapps.com. When someone clicks to install and sees the About page, it should link to the web version of your app. |
| App URLs | These links will show up in the About page along with the website URL. |
| Privacy statement | Required. The https:// URL to the developer's privacy policy. Example. |
| Terms of use | Required. The https:// URL to the developer's terms of use. Example. |
| Branding | |
| Full color | A relative file path to a full color 192x192 PNG icon. |
| Transparent outline | A relative file path to a transparent 32x32 PNG outline icon. |
| Accent color | A color to use in conjunction with and as a background for your outline icons. |

For more information, see Manifest Editor and Manifest schema.


4. Scroll down to the Branding section and add your logos and the accent color desired for your app. These are
the logos that will appear for your app in Teams.

5. Under Capabilities, select Tabs.


Add a Team tab (Steps 6 and 7) or a Personal tab (Steps 8 and 9)
6. Under Team tab select Add.

7. Add your app's configuration URL in the "Configuration URL" input field, using the following format:
https://web.powerapps.com/webplayer/teamsapptabsettings?appid=<your App ID>
Replace <your App ID> with the App ID GUID you recorded above.
Select the scope for your app to appear in. Ensure Can update configuration is checked, select Save, and
then skip to Step 10.

--OR--
8. To configure the Teams manifest, under Add a personal tab select Add.

9. Fill in the following fields, and then select Save.


Name: your app name
Entity ID: your app ID
Content URL: https://web.powerapps.com/webplayer/iframeapp?appId=<your app ID>&source=teamstab
Website URL: https://web.powerapps.com/webplayer/app?appId=<your app ID>&source=teamsopenwebsite
Add the app to all teams in your tenant
10. Under Finish, select Valid domains. Add apps.powerapps.com and apps.preview.powerapps.com as
valid domains for the Teams application.

11. To set device permissions for your app, under Device permissions select Set up.
12. Under Finish, select Test and distribute, and then select Download.
13. Go to Store > Upload a custom app > Upload for [your tenant name].

14. Locate your app file and select it. Then, navigate to your team and select +.
15. Your app will appear as a tile under All Tabs. Search for your app, select it, and then select Save.

The app now appears as a tab for all teams in your tenant.
Download a list of active users in your tenant
3/21/2019 • 2 minutes to read

If you're an Office 365 Global admin or Azure Active Directory Tenant admin, you can download a list of active users in
your tenant, so you can see not only who's accessed PowerApps, Microsoft Flow, or both, but also the licenses
assigned to those users.
In this topic, you'll learn how to download a list of active users to a .csv file, and then view that list in Excel.
To follow the steps, you need Office 365 Global Admin or Azure Active Directory Tenant Admin permissions.

Sign in to the PowerApps Admin center


Sign in to the Admin center at https://admin.powerapps.com.

Download the list of users


In the navigation pane, click or tap User licenses, and then click or tap Download a list of active user licenses.

The list of users is downloaded into a .csv file. This process could take several minutes. Make sure that you don't
close the window before the list completely downloads or you may have to restart the process.

View the list


After the .csv file is created, open it in Excel. The list contains each user’s name, email address, license type, and
other information.
A user who's accessed a product at least once is considered an active user. Since this is a list of active users, it does
not contain users who have licenses for PowerApps and Microsoft Flow but have never accessed them. You can
view all user licenses from the Microsoft 365 admin center.
The following example shows two users who have licenses to both PowerApps and Microsoft Flow. Jane Doe has
access through a subscription to Office 365, and John Doe has a trial license for each product.

If a user has left the organization, the list will show Unknown in the User name and Email address columns. If
the list shows Unknown but nobody has left the organization, wait several minutes, and then download the list
again.
To add user licenses, open the Microsoft 365 admin center.

Next steps
In this topic, you learned how to download and view a list of active users in your tenant. To learn how to download
and view a list of apps created in your environments, continue to the next topic.
Download a list of apps created in your environments
Deployment scenarios
3/22/2019 • 4 minutes to read

[This topic is pre-release documentation and is subject to change.]


Now that you have read through the platform architecture section and the data protection concepts, and have a
good grasp of all the individual components, let’s look at some scenarios and how you might handle deploying
them. This assumes you created some default data loss prevention policies like what we suggested in the
compliance and data protection section of the document. These scenarios represent possible deployment
configurations but are not the only ways you could deploy the given scenario. Use them to inspire how you want to
handle things in your organization.

Canvas app or Flows that are built to share with others (wp)
In this scenario a user built a flow in the default environment that uses only connectors that are allowed by your
DLP policies.
For this scenario there is no need for additional DLP policies or environments. The user can share the flow
themselves, with other users either as co-owners if they want them to be able to edit it, or for run-only.

Canvas app or Flows with connectors violating existing DLP (wp)


A user started building a PowerApp, canvas app or a Flow and after adding two connectors, was informed that one
of the connectors violated the DLP policies. They approached you for how they could get an exception.
For this scenario you have three primary options: deny the request, add the connector to your existing tenant-wide
policy, or create environment(s) to support the exception. If you decide to update your existing tenant-wide DLP policy, do
so understanding that it would apply to all environments and all PowerApps and Flows; there are no exceptions to that
policy.
If you decide to allow an exception in a special environment, this could be a shared environment that is used by any
users you give an exception to or it could be a separate environment for the user or team needing the exception.

Canvas app or Flows with existing Common Data Service database (wp)
A user or team wants to build an application that leverages data that already exists in Common Data Service. They
do not plan to make any schema changes to Common Data Service.
For this scenario the Common Data Service database would exist in an environment other than default (since you
can’t currently create a Common Data Service instance in default). The canvas apps or flows can’t therefore be built
in the default environment using the Common Data Service connectors but could if they use the Dynamics 365
connector which allows you to select the Common Data Service instance from a separate environment.
The next decision comes down to if there is need for test data. If there is, then building the app in the test
environment with the Common Data Service connector would allow the app to be promoted to the production
Common Data Service environment once development and testing was completed. Since the app used the
Common Data Service connector it would be able to be simply exported and re-imported into the production
environment without having to change the references to test. This assumes that test and production Common Data
Service environments have the same schema.

Canvas or model-driven apps and/or Flow with Common Data Service – Multiple Teams (wp)
Multiple teams in your organization want to build applications with each having either a PowerApp model-driven
app component or some of their own Common Data Service schema customizations. In this scenario some teams’
applications might want to leverage some of the data from other teams’ applications. The goal is to have a
centralized Common Data Service that all these teams interact with, and not a silo of data for each teams’
applications.
For this scenario you could have one main Common Data Service production environment that contains all the
applications once they are deployed for use by the broad set of organization users. Each team that is building an
application would have their own Common Data Service environment. Each team would release updates to their
application in the form of managed Common Data Service solutions. These managed Common Data Service
solutions would be imported into the Common Data Service production environment. If there are test, staging,
or UAT environments, the import into those would happen before the import to production, to support testing. In every
case it would be the same managed solution, exported from the development instance, that is imported into each environment.
If a team depended on other teams’ schema or other Common Data Service assets, they would import that
dependent team’s managed solution into their Common Data Service development environment. That would of
course make their solution dependent on the other team’s application.
Having each team do its development work in its own environment allows each application to develop
independently of the other applications in your organization, while at the same time keeping a centralized data
repository that all apps can interact with across the enterprise.
Some governance is needed in this type of environment to ensure applications coming into the shared
environment do not make conflicting design decisions. As a simple example, with shared common entities
like Account or Contact, you wouldn’t want individual applications trying to rename those entities differently. With
this setup, the Common Data Service environment could also contain Dynamics 365 applications co-existing with
your internally built applications.
Application Lifecycle Management
6/4/2019 • 10 minutes to read

[This topic is pre-release documentation and is subject to change.]


Application Lifecycle Management (ALM) is important as the applications your organization builds become more
complex and as more of your company depends on their stability. In other sections we discussed some of the ALM
building blocks that just happen, such as versioning of PowerApps canvas apps. We also covered some of the
self-service actions that makers can do, such as exporting and importing their Common Data Service solutions. In this
section we are going to have a more cohesive discussion about ALM, bringing together some of these individual
concepts and using them to handle more complex scenarios.
Let’s look first at things you should consider as an administrator to help guide the application through
its lifecycle from new to production and then ongoing maintenance and enhancements. For purposes of this
section, application refers to the whole set of components from PowerApps canvas or model-driven apps, flows
and any Common Data Service customizations.

NEW APPLICATIONS
Who is the application owner, and who is involved in maintaining it?
Who are the users of the apps? Are they already licensed?
What environment did you build the app in?
Are there any PowerApps canvas or model-driven apps as part of the application?
Are there any flows?
What connectors are the apps using?
Does anything require an on-premises gateway?
Does the application use Common Data Service entities?
Is the application dependent on any other existing applications or external services?
Are there different security roles for different types of users?
Is there any existing data that must be migrated into the new production system?
Does the application have reference data that needs to be in the production environment?
Who will be testing the application? Will it be in a separate environment?
How will users report problems or enhancements?
How frequently do you plan to do updates?

EXISTING APPLICATIONS BEING UPGRADED
Are any new connectors being used by the application?
Is there any new reference data to update?
Are there any new Canvas, Flows or Common Data Service solutions added in this update?
Any changes to how users are assigned security roles?
Any impact on existing Common Data Service data?
Any changes in the required licenses?
Potentially any of the considerations from the New Application column, if it was not a consideration at the time.

The answers to these questions will help you put together an application profile and decide how best to support
the team with deploying the application. This is not an exhaustive list, but a starting point for you to develop your
own set of questions for applications.

Getting ready for a new application


Armed with the above information, consider each of the following as you get ready to deploy the new application:
Licensing – acquire licenses and assign them for users
Azure AD Group – consider whether a group containing all the app users would help with sharing the
applications with them (good for canvas apps)
Environments – if necessary create the new environments, considering how the application will be tested prior
to production deployment
Data Loss Prevention policies – do current ones support the app? Are new ones needed?
Automation – is there any automation that would help with ongoing app administration?

Tools to help Manage, Plan, Track, and Deploy


Depending on the complexity of the application, anything from a SharePoint list to track work to be done
and new features plus a OneDrive to store exported assets, up to a more complete solution like Visual Studio Team
Services, can help add some structure to your application lifecycle process. What is appropriate for your
organization depends on the size and maturity of the team that is building the overall application. Less technical
teams will probably find a solution like OneDrive and SharePoint more approachable. Visual Studio Team Services
(VSTS) has several features that are tailored to support application lifecycle management. VSTS is also free to get
started: https://visualstudio.microsoft.com/team-services/. The following are some of those features:
Work item planning and tracking
Version control – offers a way to store exported assets. Using Dynamics 365 SDK tools like Solution Packager
allows this to scale up to larger teams working on Common Data Service solution package customizations.
Build and release automation – This can be helpful for automating everything from exporting of Common Data
Service solutions for backup, to compiling developer-built components. The release automation can take
solutions and developer assets and coordinate deploying to test and production environments. These
deployments can also leverage approval checkpoints as appropriate. Using community tools like
Xrm.CI.Framework (https://marketplace.visualstudio.com/items?itemName=WaelHamze.xrm-ci-framework-build-tasks)
you can deploy Common Data Service solution packages from the release tasks.
The following is an example of the Team Status Dashboards that give the team an all-up view of their progress.
Exporting from the source environment
We’ve already covered the concept of exporting from PowerApps, Flow and Common Data Service earlier in the
document. Let’s look at some additional things to consider when exporting as part of an application lifecycle
management process.
Always save a copy of the exported PowerApp, Microsoft Flow or Common Data Service solution file.
For Common Data Service solutions, if you are publishing a managed solution, make sure that you also export
an unmanaged solution. If you are not familiar with the differences, we cover that in the Platform
Architecture section.
For Common Data Service solution export you should always perform a publish on the solution or publish all
for all solutions prior to export to ensure all changes are exported as expected.
For Flows and canvas apps review the connectors that are used. Any custom connectors will need to be re-
created prior to import in the target environment.

Importing into the target environment


We also covered import, but let’s look at a few more things to consider.
Always evaluate what is already in the target environment.
Create any necessary custom connectors prior to import
If you are importing a Common Data Service solution that is dependent on other Common Data Service
solutions make sure those are already imported into the Common Data Service instance
If you import an unmanaged Common Data Service solution make sure you publish all after import has
completed
Remember when you import an update to a PowerApps canvas application you must publish the new version
before others will see it
If you are importing Common Data Service changes that remove any entities and data, consider a proactive on
demand backup prior to the import.
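The following added example (not part of the original documentation) automates two of the checks above before an import: whether the solutions the export depends on are already in the target, and whether the file is actually an upgrade of what is installed. It assumes the export is a zip whose solution.xml carries UniqueName, Version, Managed and MissingDependencies elements; the Contoso names, the finding labels and the `installed` inventory are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed manifest. Element names are assumed to match the solution.xml
# file inside an exported Common Data Service solution zip.
SAMPLE_XML = """<ImportExportXml>
  <SolutionManifest>
    <UniqueName>ContosoInspections</UniqueName>
    <Version>1.2.0.0</Version>
    <Managed>1</Managed>
    <MissingDependencies>
      <MissingDependency>
        <Required type="1" schemaName="contoso_site" solution="ContosoCore (2.0.0.0)" />
        <Dependent type="60" displayName="Inspection form" />
      </MissingDependency>
      <MissingDependency>
        <Required type="2" schemaName="contoso_region" solution="ContosoCore (2.1.0.0)" />
        <Dependent type="60" displayName="Inspection form" />
      </MissingDependency>
      <MissingDependency>
        <Required type="1" schemaName="contoso_tag" solution="ContosoShared (1.0.0.0)" />
        <Dependent type="26" displayName="Active inspections view" />
      </MissingDependency>
    </MissingDependencies>
  </SolutionManifest>
</ImportExportXml>"""


def build_sample_zip():
    """Return the bytes of a constructed solution zip holding SAMPLE_XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("solution.xml", SAMPLE_XML)
    return buf.getvalue()


def version_tuple(text):
    """Turn '2.1.0.0' into (2, 1, 0, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def read_manifest(zip_bytes):
    """Extract name, version, managed flag and required solutions from a zip.

    Parse only exports produced by your own pipeline; for files of unknown
    origin use a hardened XML parser such as defusedxml.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        root = ET.fromstring(zf.read("solution.xml"))
    manifest = root.find("SolutionManifest")
    required = {}
    for dep in manifest.iterfind("MissingDependencies/MissingDependency/Required"):
        # The solution attribute is assumed to look like "Name (1.0.0.0)".
        match = re.fullmatch(r"(.+?) \(([\d.]+)\)", dep.get("solution", ""))
        if match:
            name, ver = match.group(1), version_tuple(match.group(2))
            # Keep the highest version any component was exported against.
            required[name] = max(required.get(name, ver), ver)
    return {
        "name": manifest.findtext("UniqueName"),
        "version": version_tuple(manifest.findtext("Version")),
        "managed": manifest.findtext("Managed") == "1",
        "required": required,
    }


def check_import(manifest, installed):
    """Compare a manifest with the target's solutions ({unique name: version})."""
    findings = []
    for name, needed in sorted(manifest["required"].items()):
        if name not in installed:
            findings.append(("missing-dependency", name))
        elif version_tuple(installed[name]) < needed:
            # Conservative: the target is older than the version exported against.
            findings.append(("older-dependency", name))
    current = installed.get(manifest["name"])
    if current is not None and version_tuple(current) >= manifest["version"]:
        findings.append(("not-an-upgrade", manifest["name"]))
    if not manifest["managed"]:
        findings.append(("publish-all-after-import", manifest["name"]))
    return findings


if __name__ == "__main__":
    target = {"ContosoCore": "2.0.5.0", "ContosoInspections": "1.1.0.0"}
    for finding in check_import(read_manifest(build_sample_zip()), target):
        print(finding)
```

An empty findings list means none of these checks objected; it does not replace reviewing the target environment or taking the on-demand backup mentioned above.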

Updating existing applications


Shown earlier, the import feature allows the maker to update an existing app in the target environment. Here are
some considerations.
Custom connectors updates must be performed first, as your app may rely on new data definitions.
Custom connector updates may take a few minutes to be reflected in the portal. During that time, new
operations may return a 404 error when invoked.
If extensive changes are being made, consider creating a new custom connector and leaving the old connector
intact. This can also be beneficial in the event the maker needs to roll back, as the previous version of the app
will use the old (existing) connector.
PowerApps uses caching for the web and mobile clients, so changes may not be immediate. For the web client,
be sure to clear your cache to see the new changes. On the mobile client, swipe down to refresh app metadata.

Ongoing application maintenance


Once your application has been deployed you can mostly go into maintenance mode, responding to user inquiries
as needed. Here are a few things to consider while you are between updates.
PowerApps canvas applications need to be periodically republished for best performance and stability. About
every six months you should re-publish your deployed PowerApps canvas applications even if they haven’t
changed. This ensures the application picks up the latest runtime changes in the environments.
Keep an eye on your Common Data Service instance storage usage as well as your Flow quotas and adjust
resources and licensing as needed.

Retiring and removing an application


As your organization evolves it’s likely one or more of the applications deployed will no longer be needed. In this
section we will walk through some of the things to consider when retiring an application.
Confirm that any remaining users understand the shutdown. Consider sending shutdown notifications in advance to
ensure business continuity and minimize impact.
Removing access to the application components is often a good first step. Leaving it in this state for a period of
time also helps to ensure users know and have a chance to argue their case or save any data needed.
Deleting an environment will remove all associated PowerApps, Flows and Common Data Service data. This is
not the approach to take if you have multiple applications sharing the environment and you are just retiring a
single application.
PowerApps canvas apps and Flows can usually be removed without lots of dependency considerations.
Currently it is necessary to remove these one at a time even if you imported both a PowerApp canvas app and a
Flow at the same time. The connections for these will not be removed automatically.
When removing connections, you need to first consider the PowerApps canvas apps and Flows that might still
be using them. This can be checked by looking at what is associated with the connection prior to deleting.
Custom connections are sometimes better to be left if they might be reused later as they would require extra
effort to re-establish in the future.
How you remove a PowerApps model-driven app depends on whether the Common Data Service solution containing it
was installed as managed or unmanaged. If it was installed as unmanaged you can delete the application module to
remove it from users. Removing unmanaged Common Data Service solution components requires manually
removing one item at a time from the environment. Removing the Common Data Service solution itself in this
situation only removes the container and not the components. One of the key benefits of managed
solutions is the ability to uninstall them as a unit.
If the solution installed is managed, you would uninstall/remove the Common Data Service solution containing
it from the instance. When you remove the Common Data Service solution that contains that application, it’s
important to note that this also removes any other components and data as well. If you only want to remove the
application, the best approach is to remove the application in the development environment for that
Common Data Service solution and then import the update using the Stage for Upgrade option on import.
This will cause only that component to be removed, leaving all other components and data intact.

Moving reference data to another environment


Often applications have data that is configuration, or reference data. This could be, for example, a list of territories,
product lists, or other data that configures and makes the app work. Often components in the application take
dependencies on the IDs of this data. The Configuration Migration Tool is designed to move this type of data from
one Common Data Service instance to another. The key features of the tool are:
Select only the entities and fields for which you want to move data
Maintain unique IDs of the records as they are moved
Avoid duplicate records by defining a uniqueness condition for each entity based on combination of fields
Support updating of existing records
Ability to define a schema for what data is moved and use it over and over.
The following outlines the basic process for using the tool.

The output from the tool is a zip file containing the data and the schema file. The same tool can be used to import
the data into the target Common Data Service instance. You can also package the data with a Solution Deployer
package, which we will discuss shortly, allowing it to be deployed alongside one or more Common Data Service
solutions. You can read more about how to use the tool here:
https://docs.microsoft.com/en-us/dynamics365/customer-engagement/admin/manage-configuration-data.

Using the Dynamics 365 Package Deployer


So far, we’ve only talked about importing Common Data Service solutions manually via the user interface. The
Dynamics 365 package deployer also works for Common Data Service solutions. The package deployer allows
building a package that contains one or more Common Data Service solutions as well as one or more data files to
import after the solutions are imported. It is also possible for developers to build custom code that reacts to events
from the package deployment process. This code can be used to handle updates to the target environment. Once
the package is built, the package can be deployed interactively via the tool, or by command line using PowerShell.
You can read more about package deployer here:
https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/create-packages-package-deployer.
Activity logging for PowerApps
4/22/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


PowerApps activities are now tracked from the Office 365 Security & Compliance Center. Office 365 tenant
administrators reach the Security & Compliance Center by navigating to https://protection.office.com. From there,
the Audit log search is found under the Search and investigation dropdown.

Within the Audit log search screen, tenant administrators can search audit logs across many popular services
including eDiscovery, Exchange, Power BI, Azure AD, Microsoft Teams, Dynamics 365 for Customer Engagement
apps, and now Microsoft PowerApps.
Once the Audit log search screen is accessed, an administrator can filter for specific activities by pulling down the
Activities dropdown. By scrolling down the list, a section dedicated to Microsoft PowerApps activities can be
found.

What events are audited


Logging takes place at the SDK layer, which means a single action can trigger multiple events that are logged. The
following is a sample of user events you can audit.

EVENT | DESCRIPTION
Created app | When the app gets created for the first time by a maker
Launched app | When the app gets launched
Marked app as Featured | Every time the app is marked as Featured
Restored app version | The version of the app when restored
Edited app | Any updates made to the app by the maker
Published app | When the app is published and is now made available to others in the environment
Edited app permission | Every time a user's permissions to the app is changed
Deleted app | When the app is deleted
Marked app as Hero | Every time the app is marked as Hero
Deleted app permission | Every time a user's permissions to the app is removed

Base schema
Schemas define which PowerApps fields are sent to the Office 365 Security and Compliance Center. Some fields
are common to all applications that send audit data to Office 365, while others are specific to PowerApps. The Base
schema contains the common fields.

FIELD NAME | TYPE | MANDATORY | DESCRIPTION
Date | Edm.Date | No | Date and time of when the log was generated in UTC
App Name | Edm.String | No | Unique Identifier of the PowerApp
Id | Edm.Guid | No | Unique GUID for every row logged
Result Status | Edm.String | No | Status of the row logged. Success in most cases.
Organization Id | Edm.Guid | Yes | Unique identifier of the organization from which the log was generated.
CreationTime | Edm.Date | No | Date and time of when the log was generated in UTC
Operation | Edm.Date | No | Name of operation
UserKey | Edm.String | No | Unique Identifier of the User in Azure AD
UserType | Self.UserType | No | The audit type (Admin, Regular, System)
Additional Info | Edm.String | No | Additional information if any (e.g. the environment name)
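The added example below is not part of the original documentation. It triages exported PowerApps audit rows: it drops repeated Ids, collapses the several rows that one action can produce at the SDK layer, and flags permission changes, deletions, failures and bursts of sensitive actions by one user. The key names (Base schema field names with spaces removed), the ISO timestamp format, the use of the event names above as Operation values, and every sample row are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names taken from the "What events are audited" table. Treating these
# three as sensitive is this example's choice, not a product setting.
SENSITIVE = {"Edited app permission", "Deleted app permission", "Deleted app"}


def row(rid, time, operation, user, app, status="Success"):
    """Build one constructed audit row. Keys are the Base schema field names
    with spaces removed, which is an assumption about the export format."""
    return {"Id": rid, "CreationTime": time, "Operation": operation,
            "UserKey": user, "AppName": app, "ResultStatus": status}


# Constructed sample data, not real audit output.
SAMPLE = [
    row("a1", "2019-04-22T09:00:00", "Launched app", "u-alice", "app-1"),
    row("a2", "2019-04-22T09:00:01", "Launched app", "u-alice", "app-1"),
    row("a2", "2019-04-22T09:00:01", "Launched app", "u-alice", "app-1"),
    row("b1", "2019-04-22T09:05:00", "Edited app permission", "u-bob", "app-1"),
    row("b2", "2019-04-22T09:05:02", "Edited app permission", "u-bob", "app-1"),
    row("b3", "2019-04-22T09:07:00", "Edited app permission", "u-bob", "app-2"),
    row("b4", "2019-04-22T09:09:00", "Deleted app permission", "u-bob", "app-2"),
    row("c1", "2019-04-22T09:30:00", "Deleted app", "u-carol", "app-3", "Failed"),
    row("d1", "2019-04-22T10:00:00", "Published app", "u-alice", "app-1"),
]


def dedupe(records):
    """Keep the first row per Id. The schema gives every row a unique GUID,
    so a repeated Id means the same row was exported twice."""
    seen, unique = set(), []
    for rec in records:
        if rec["Id"] not in seen:
            seen.add(rec["Id"])
            unique.append(rec)
    return unique


def collapse(records, window=timedelta(seconds=5)):
    """Merge rows with the same user, app and operation that fall within
    `window` of each other, because one action can log several events."""
    actions, latest = [], {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        when = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        key = (rec["UserKey"], rec["AppName"], rec["Operation"])
        prev = latest.get(key)
        if prev is not None and when - prev["last_seen"] <= window:
            prev["rows"] += 1
            prev["last_seen"] = when
            # A non-success row anywhere in the group marks the whole action.
            if rec["ResultStatus"] != "Success":
                prev["ResultStatus"] = rec["ResultStatus"]
            continue
        action = dict(rec, first_seen=when, last_seen=when, rows=1)
        latest[key] = action
        actions.append(action)
    return actions


def burst_users(actions, threshold, window):
    """Return {user: count} for users with at least `threshold` actions
    inside any sliding `window`."""
    by_user = defaultdict(list)
    for action in actions:
        by_user[action["UserKey"]].append(action["first_seen"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def triage(records, threshold=3, window=timedelta(minutes=10)):
    """Summarise sensitive actions, failures and bursts in a set of rows."""
    actions = collapse(dedupe(records))
    sensitive = [a for a in actions if a["Operation"] in SENSITIVE]
    return {
        "actions": len(actions),
        "sensitive": sensitive,
        "failures": [a for a in actions if a["ResultStatus"] != "Success"],
        "bursts": burst_users(sensitive, threshold, window),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for a in report["sensitive"]:
        print(a["first_seen"], a["UserKey"], a["Operation"], a["AppName"], a["ResultStatus"])
    print("bursts:", report["bursts"])
```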

Review your audit data using reports in Office 365 Security and Compliance Center
You can review your audit data in the Office 365 Security and Compliance Center. See Search the audit log for user
and admin activity in Office 365.
To use the preconfigured PowerApps reports, go to https://protection.office.com > Search & investigation >
Audit log search and select the PowerApps app activities tab.
See also
Search the audit log for user and admin activity in Office 365
Office 365 Management APIs overview
Permissions in the Office 365 Security & Compliance Center
Integrate data into Common Data Service
5/15/2019 • 16 minutes to read

The Data Integrator (for Admins) is a point-to-point integration service used to integrate data into Common Data
Service. It supports integrating data from multiple sources—for example, Dynamics 365 for Finance and
Operations, Dynamics 365 for Sales and SalesForce (Preview), SQL (Preview)—into Common Data Service. It
also supports integrating data into Dynamics 365 for Finance and Operations and Dynamics 365 for Sales. This
service has been generally available since July 2017.
We started with first-party apps—for example, Dynamics 365 for Finance and Operations and Dynamics 365 for
Sales. With the help of Power Query or M-based connectors, we are now able to support additional sources like
SalesForce (Preview) and SQL (Preview) and will extend this to 20+ sources in the near future.

TIP
Check out the blog: Data Integrator Updates – New features with an intuitive user interface providing a fluent experience.

How can you use the Data Integrator for your business?
The Data Integrator (for Admins) also supports process-based integration scenarios like Prospect to Cash that
provide direct synchronization between Dynamics 365 for Finance and Operations and Dynamics 365 for Sales.
The Prospect to Cash templates that are available with the data integration feature enable the flow of data for
accounts, contacts, products, sales quotations, sales orders, and sales invoices between Finance and Operations
and Sales. While data is flowing between Finance and Operations and Sales, you can perform sales and marketing
activities in Sales, and you can handle order fulfillment by using inventory management in Finance and
Operations.
The Prospect to Cash integration enables sellers to handle and monitor their sales processes with the strengths
from Dynamics 365 for Sales, while all aspects of fulfillment and invoicing happen using the rich functionality in
Finance and Operations. With Microsoft Dynamics 365 Prospect to Cash integration, you get the combined power
from both systems.
See the video: Prospect to cash integration
For more information about the Prospect to Cash integration, see the documentation on the Prospect to Cash
solution.
We also support Field Service integration and PSA (Project Service Automation) integration to Dynamics 365 for
Finance and Operations.

Data Integrator Platform


The Data Integrator (for Admins) consists of the Data Integration platform, out-of-the-box templates provided by
our application teams (for example, Dynamics 365 for Finance and Operations and Dynamics 365 for Sales) and
custom templates created by our customers and partners. We have built an application-agnostic platform that can
scale across various sources. At the very core of it, you create connections (to integration end points), choose one
of the customizable templates with predefined mappings (that you can further customize), and create and execute
the data integration project.
Integration templates serve as a blueprint with predefined entities and field mappings to enable flow of data from
source to destination. It also provides the ability to transform the data before importing it. Many times, the schema
between the source and destinations apps can be very different and a template with predefined entities and field
mappings serves as a great starting point for an integration project.
How to set up a data integration project
There are three primary steps:
1. Create a connection (provide credentials to data sources).
2. Create a connection set (identify environments for connections you created in the previous step).
3. Create a data integration project using a template (create or use predefined mappings for one or more
entities).
Once you create an integration project, you get the option to run the project manually and also set up a schedule-
based refresh for the future. The rest of this article expands on these three steps.
How to create a connection
Before you can create a data integration project, you must provision a connection for each system that you intend
to work with in the Microsoft PowerApps portal. Think of these connections as your points of integration.
To create a connection
1. Go to PowerApps.
2. Under Data, select Connections and then select New connection.
3. You can either select a connection from the list of connections or search for your connection.
4. Once you select your connection, select Create. Then you will be prompted for credentials.
5. After you provide your credentials, the connection will be listed under your connections.

NOTE
Please make sure that the account you specify for each connection has access to entities for the corresponding applications.
Additionally, the account for each connection can be in a different tenant.

How to create a connection set


Connection sets are a collection of two connections, environments for the connections, organization mapping
information, and integration keys that can be reused among projects. You can start using a connection set for
development and then switch to a different one for production. One key piece of information that is stored with a
connection set is organization unit mappings—for example, mappings between the Finance and Operations legal
entity (or company) and Dynamics 365 for Sales organization or business units. You can store multiple
organization mappings in a connection set.
To create a connection set
1. Go to PowerApps Admin center.
2. Select the Data Integration tab in the left-hand navigation pane.
3. Select the Connection Sets tab and select New connection set.
4. Provide a name for your connection set.
5. Choose the connections you created earlier and select the appropriate environment.
6. Repeat the steps by choosing your next connection (think of these as source and destination in no specific
order).
7. Specify the organization to business unit mapping (if you are integrating between Finance and Operations
and Sales systems).

NOTE
You can specify multiple mappings for each connection set.

8. Once you have completed all the fields, select Create.


9. You will see the new connection set you just created under the Connection sets list page.

Your connection set is ready to be used across various integration projects.


How to create a data integration project
Projects enable the flow of data between systems. A project contains mappings for one or more entities. Mappings
indicate which fields map to which other fields.
To create a data integration project
1. Go to PowerApps Admin center.

2. Select the Data Integration tab in the left navigation pane.


3. While in the Projects tab, select New Project in the top right corner.

4. Provide a name for your integration project.


5. Select one of the available templates (or create your own template). In this case, we are moving the
Products entity from Finance and Operations to Sales.

6. Select Next and choose a connection set you created earlier (or create a new connection set).
7. Make sure you have chosen the right one by confirming the connection and environment names.
8. Select Next and then choose the legal entity to business unit mappings.

9. Review and accept the privacy notice and consent on the next screen.
10. Proceed to create the project and then run the project, which in turn executes it.

On this screen, you will notice several tabs—Scheduling and Execution history—along with some
buttons—Add task, Refresh entities, and Advanced Query—that will be described later in this article.
Execution history
Execution history shows the history of all project executions with project name, timestamp of when the project
was executed, and status of execution along with the number of upserts and/or errors.
Example of project execution history.

Example of successful execution, showing status as completed with the number of upserts. (Upsert, or Update
Insert, is logic that either updates the record, if it already exists, or inserts a new record.)

For execution failures, you can drill down to see the root cause.
Here is an example of a failure with project validation errors. In this case, the project validation error is due
to missing source fields in the entity mappings.

If the project execution is in ‘ERROR’ state, then it will retry execution at the next scheduled run.
If the project execution is in ‘WARNING’ state, then you will need to fix the issues on the source. It will retry
execution at the next scheduled run.
In either case, you could also choose to manually ‘re-run execution.’

NOTE
Anytime you execute a project, manually or schedule based, it generates a detailed log which shows project name, last
updated timestamp along with status. You can view this under the execution history for each project. Project execution
history is maintained for 45 days after which it is automatically purged.

How to set up a schedule-based refresh


We support two types of executions/writes today:
Manual writes (execute and refresh project manually)
Schedule-based writes (auto-refresh)
After you create an integration project, you get the option to run it manually or configure schedule-based writes,
which lets you set up automatic refresh for your projects.
To set up schedule-based writes
1. Go to PowerApps Admin center.
2. You can schedule projects in two different ways.
Either select the project and select the Scheduling tab or launch the scheduler from the project list page by
clicking the ellipsis next to the project name.

3. Select Recur every and once you have completed all the fields, select Save schedule.

You can set a frequency as often as 1 minute or have it recur a certain number of hours, days, weeks, or months.
Note that the next refresh won't start until the previous project task completes its run.
Also note that under Notifications, you can opt in for email-based alert notifications, which would alert you on job
executions that either completed with warnings and/or failed due to errors. You can provide multiple recipients,
including groups separated by commas.
NOTE
Currently, we support scheduling 50 integration projects at any given time per paid tenant. However, you can create
more projects and run them interactively. For trial tenants, we have an additional limitation that a scheduled project
would only run for the first 50 executions.
While we support scheduling projects to run every minute, please bear in mind that this may put a lot of stress on your
apps and in turn impact overall performance. We highly encourage users to test project executions under true load
conditions and optimize for performance with less frequent refreshes. In production environments, we do not
recommend running more than 5 projects per minute per tenant.
To optimize performance and not overload the apps, we currently limit project executions to 500k rows per execution per
project.
Anytime you execute a project, manually or schedule based, it generates a detailed log which shows project name, last
updated timestamp along with status. You can view this under the execution history for each project. Project execution
history is maintained for 45 days after which it is automatically purged.

Customizing projects, templates, and mappings


You use a template to create a data integration project. A template commoditizes the movement of data that in
turn helps a business user or administrator expedite integrating data from sources to destination and reduces
overall burden and cost. A business user or administrator can start with an out-of-the-box template published by
Microsoft or its partner and then further customize it before creating a project. You can then save the project as a
template and share with your organization and/or create a new project.
A template provides you with source, destination, and direction of data flow. You need to keep this in mind while
customizing and/or creating your own template.
You can customize projects and templates in these ways:
Customize field mappings.
Customize a template by adding an entity of your choice.
How to customize field mappings
To customize field mappings
1. Go to PowerApps Admin center.
2. Select the project for which you want to customize field mappings and then select the arrow between
source and destination fields.
3. This takes you to the mapping screen where you can add a new mapping by selecting Add mapping at the
top right corner or Customize existing mappings from the dropdown list.

4. Once you have customized your field mappings, select Save.


How to create your own template
To create your own template by modifying existing templates
1. Go to PowerApps Admin center.
2. Identify source and destination and direction of flow for your new template.
3. Create a project by choosing an existing template that matches your choice of source and destination and
direction of flow.
4. Create the project after choosing the appropriate connection.
5. Before you save and/or run the project, at the top right corner, select Add task.
This will launch the Add task dialog.
6. Provide a meaningful task name and add source and destination entities of your choice.

7. The dropdown list shows you all your source and destination entities.
In this case, a new task was created to sync User entity from SalesForce to Users entity in Common Data
Service.

8. Once you create the task, you will see your new task listed and you can delete the original task.
9. You just created a new template—in this case, a template to pull User entity data from SalesForce to
Common Data Service. Select Save to save your customization.
10. Follow the steps to customize field mappings for this new template. You could run this project and/or save
the project as a template from the Project list page.

11. Provide a name and description and/or share with others in your organization.

To create your own template from blank templates


1. Go to PowerApps Admin center.
2. Create a data integration project. Select the Data integration tab in the left navigation pane.
3. Select New project and provide a name for your project. For example, "Demo_CreateYourOwnTemplate
project".
4. In the Select a template list page, pick a generic blank template. For this example, choose the Sales to Fin
and Ops template since we want to move data from Dynamics 365 for Finance and Operations to
Dynamics 365 for Sales.

5. Follow the steps 6 through 9 here to finish creating a data integration project. Select Save.
6. You’ll see the Tasks page which is empty since it’s a blank template, without any tasks. Select Add task to
pick an entity from the drop-down list and add a new task. In this case, for demo purposes, we will create an
Activities Sales to Fin and Ops task by picking Activities entity for Dynamics 365 for Finance and
Operations and Dynamics 365 for Sales. Select Create.

7. You'll see a new task has been added Activities Sales to Fin and Ops. Select Save to save your changes.

8. The project is created. Select Save as template from the Projects list page.
9. Provide a name and description, then select Save. Additionally, select Share with everyone in my
organization to share this template.

You'll see the newly created template listed on the Templates list page.

Additionally, after creating a new integration project, when you choose Select a template you'll see your newly
created template as part of the Select a template list.

Advanced data transformation and filtering


With Power Query support, we now provide advanced filtering and data transformation of source data. Power
Query enables users to reshape data to fit their needs, with an easy-to-use, engaging, and no-code user
experience. You can enable this on a project-by-project basis.
How to enable advanced query and filtering
To set up advanced filtering and data transformation
1. Go to PowerApps Admin center.
2. Select the project where you want to enable advanced query and then select Advanced Query.
3. You will get a warning that enabling advanced query is a one-way operation and cannot be undone. Select
OK to proceed and then select the source and destination mapping arrow.

4. You are now presented with the familiar entity mapping page with a link to launch Advanced Query and
Filtering.

5. Select the link to launch the Advanced Query and Filtering user interface, which gives you source field data
in Microsoft Excel-type columns.
6. From the top menu, you get several options for transforming data such as Add conditional column,
Duplicate column, and Extract.

7. You can also right-click any column for more options such as Remove columns, Remove duplicates, and
Split column.
8. You also can filter by clicking each column and using Excel-type filters.

9. Default value transforms can be achieved using the conditional column. To do this, from the Add Column
dropdown list, select Add Conditional Column and enter the name of the new column. Fill in both Then
and Otherwise with what should be the default value, using any field and value for If and equal to.

10. Notice the each clause in the fx editor, at the top.

11. Fix the each clause in the fx editor and select OK.
12. Each time you make a change, you apply a step. You can see the applied steps on the right-hand pane (scroll
to the bottom to see the latest step). You can undo a step in case you need to edit. Additionally, you can go
to the Advanced editor by right-clicking the QrySourceData on the left pane, at the top to view the M
language that gets executed behind the scenes, with the same steps.

13. Select OK to close the Advanced Query and Filtering interface and then, on the mapping task page, pick the
newly created column as the source to create the mapping accordingly.

For more information on Power Query, see Power Query documentation.

Performance tuning
There are several factors that impact the performance of an integration scenario. Performance is highly dependent
on:
Which applications you are integrating: Dynamics 365 for Finance and Operations and Common Data
Service
Which entities are used: the entities' shape, validation, and business logic (standard and customizations)
The Data Integrator takes the data from the source application and pushes it into the target application. The main
performance considerations are on how source and target applications scale with the concerned entities. It
leverages the best available technologies to pull/push data in a performant manner.
Dynamics 365 for Finance and Operations uses the data management framework which provides a way to
pull/push data in the most performant fashion. The data management framework is used to manage data entities
and data entity packages in Microsoft Dynamics 365 for Finance and Operations.
Dynamics 365 for Common Data Service uses OData APIs along with parallelism to maximize the performance.
You can use the following settings to tune the performance of Dynamics 365 for Finance and Operations based on
load, entity, and resources.
Exporting data from Dynamics 365 for Finance and Operations:
Direct export (skip Staging On): Make sure the entities used for integration support direct export (skip
Staging On). This allows export to run in bulk fashion and the staging table is bypassed. If you run with
skip Staging Off, then it falls back to row by row calls and data is inserted in the staging table.
Enable change tracking for entities: Change tracking enables incremental export of data from Microsoft
Dynamics 365 for Finance and Operations by using data management. In an incremental export, only
records that have changed are exported. To enable incremental export, you must enable change tracking on
entities. Without change tracking, you will do full exports which may affect performance. For complex
scenarios, use custom query for change tracking.
Importing data to Dynamics 365 for Finance and Operations:
Make sure the entity itself is performant. If possible, create set-based entities.
If the number of rows to be imported is high and the entity does not support set operations: Data
management can be configured to import the entity with parallel tasks. This can be configured in data
management (parameters), by configuring the entity execution parameters. This would use batch
framework to create parallel tasks, which is based on resource availability to run in parallel.
Turning off validations (optional): While the Data Integrator does not bypass any business logic and
validations, you may optionally turn off the ones that are not required to improve performance.
Consider the following tips to ensure performance while importing or exporting data from Dynamics 365 for
Customer Engagement environments.
Importing/Exporting data to/from Dynamics 365 for Customer Engagement
Ensure indexes are defined for integration keys.

Data Integrator error management and troubleshooting
4/19/2019 • 5 minutes to read

The Data Integrator is a point-to-point integration service used to integrate data from multiple sources--for
example, Dynamics 365 for Finance and Operations, Dynamics 365 for Sales, Salesforce, and Microsoft SQL
(Preview)--into Common Data Service. It also supports integrating data into Dynamics 365 for Finance and
Operations and Dynamics 365 for Sales. The Integrate data into Common Data Service topic provides detailed
step-by-step instructions to help you set up projects for process-based integration scenarios like Prospect to Cash,
Field Service, and Project Service integrations.
While we are constantly evolving and driving fixes into the platform based on customer feedback, we understand
there is a need to provide guidance when you run into issues. This topic walks you through error management and
troubleshooting some of these issues.

View health of project executions


Every time a data integration project is executed (manually or scheduled), you can view the status of the execution
on the admin dashboard and/or the project list page.

The admin dashboard provides a one-stop real-time view of all your project runs and their status with a drill-down
to view execution details. The dashboard shows you the individual and summarized count of executions. These are
color-coded to show the status of each project: green for completed projects, yellow for completed projects with
warnings, and red for projects with an error status. Similarly, the green, yellow, and red icons on the project list
page indicate the status of your projects.
Additionally, to view more details, you can drill through project executions via the admin dashboard by selecting
individual bar charts.
Now you can drill through individual errors.

You can also view project execution details by selecting the individual projects on the project list page and viewing
the historical executions and status on the Execution history tab.

If you get a warning or error, you can drill down more by clicking through the executions on the Execution
history tab.

Project monitoring
We highly encourage our customers and partners to subscribe to email-based notifications so you receive email
alerts on project executions that completed with either warnings or errors. For each project, on the Scheduling
tab, you can select email-based notifications and provide multiple email addresses (including group addresses),
separated by commas.
Any time a project completes with a warning or is in the error state, you get an email notification indicating the
project execution status with a drillthrough link to the specific failure.

Selecting the link takes you directly to your project execution status, which you can further drill through for specific
errors.

Project execution status


When a data integration project is executed (manually or scheduled), it creates a detailed log with project name, a
time stamp showing the last update, and the project status.
Each project execution is marked with the status Completed, Warning, or Error:
Completed
Status if all records were upserted successfully. ("Upsert" or "update insert" is a logic to either update the
record, if it already exists, or to insert a new record.)

Warning
Status if some records were upserted successfully, while some failed or errored out.

Error
Status if none of the records were successful and/or errored out, and there were no upserts or inserts in the
destination.

If the project execution is in the Error state, then it will automatically retry execution at the next scheduled
run.
You can also manually retry an execution by selecting Re-run execution via the ellipsis (...) on the Execution
history page.

Quick tips on troubleshooting common scenarios


Here are some quick tips that will help you troubleshoot some of the common scenarios.
Connection or environment issues
If you are unable to see your connections or environments in the drop-down while trying to create a Connection
set, here are some of the things you can do to troubleshoot the issue:
Connection: Ensure you have created your connections under Data/Connections on
https://web.powerapps.com and that they are in the Connected state. If you see a Fix Connection
notification, you should double-check the credentials used for the account, and use the Switch account
option from the ellipsis (...) to reauthenticate.

Environment: If you don’t see your environments in the drop-down, ensure that the account you used to
create the connections has the appropriate access to the entity. A good way to test this is by creating a flow
(using Microsoft Flow).
Here is an example of creating a simple flow to test your connection to Dynamics 365 for Finance and
Operations:
1. Create a new flow (choose Create from blank) under Business logic/Flow from
https://web.powerapps.com.
2. Select a Recurrence trigger. Under New Step, search for and select Dynamics 365 for Finance
and Operations connector.

3. Select Create record as an action. In the drop-down, ensure that you are logged in with the
appropriate account. This is the same account you use to create a connection for your data integration
projects.

4. Select the drop-down under Instance to show all the Dynamics 365 Finance and Operations
environments. This is a good step to verify that your account (from the previous step) has access to
the environments.

5. Once you have picked your environment, confirm that you have access to all the entities under it.
Organizations: This is where you would specify the legal entity (for example, USMF) for Dynamics 365 for
Finance and Operations, the business unit for Dynamics 365 for Sales, or the Common Data Service
organization name. If you miss this step, you get a message that contains valid names corresponding to your
application that you then need to plug in under Organizations.
Project validation errors
First, you validate a data integration project, and then execute it. Some of the top reasons for validation errors
include:
Incorrect company/business unit selected during project creation
Missing mandatory columns
Incomplete or duplicate mapping
Field type mismatch
Here is an example of how the error manifests in the case of duplicate mapping. The orange banner indicates
mapping issues.

When you drill further into the project execution history, you see there is a duplicate field issue.

When you inspect the mapping, you can identify duplicates. In this case, the source field fax is incorrectly mapped
to ADDRESSCITY.
Once you fix the mapping, the error should go away, and you should be able to execute the project successfully.
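A pre-flight check for three of the validation errors listed above (missing mandatory columns, incomplete or duplicate mapping, field type mismatch), run over a mapping before the project is validated. This is an added example rather than Data Integrator code: the mapping and schema structures and all field names other than fax and ADDRESSCITY are assumptions, and a duplicate is taken to mean two source fields mapped to one destination field.

```python
from collections import defaultdict


def validate_mapping(mappings, source_types, dest_schema):
    """Return sorted (problem, field, detail) tuples; an empty list means clean.

    mappings     -- list of (source_field, destination_field) pairs
    source_types -- {source_field: type name}
    dest_schema  -- {destination_field: {"type": str, "mandatory": bool}}
    """
    problems = []
    sources_by_dest = defaultdict(list)
    for src, dst in mappings:
        if not src or not dst:
            problems.append(("incomplete mapping", src or dst or "?", "one side is empty"))
            continue
        sources_by_dest[dst].append(src)
        if src not in source_types:
            problems.append(("incomplete mapping", src, "unknown source field"))
        elif dst not in dest_schema:
            problems.append(("incomplete mapping", dst, "unknown destination field"))
        elif source_types[src] != dest_schema[dst]["type"]:
            detail = f"{src} is {source_types[src]}, {dst} expects {dest_schema[dst]['type']}"
            problems.append(("field type mismatch", dst, detail))
    # A destination that receives more than one source field is a duplicate mapping.
    for dst, sources in sources_by_dest.items():
        if len(sources) > 1:
            problems.append(("duplicate mapping", dst, "mapped from " + ", ".join(sorted(sources))))
    # Every mandatory destination column needs at least one source.
    for dst, spec in dest_schema.items():
        if spec["mandatory"] and dst not in sources_by_dest:
            problems.append(("missing mandatory column", dst, "no source field mapped"))
    return sorted(problems)


# Constructed schemas (assumed field names, apart from fax and ADDRESSCITY).
SOURCE_TYPES = {"name": "string", "city": "string", "fax": "string",
                "group": "string", "creditlimit": "string"}
DEST_SCHEMA = {
    "NAME": {"type": "string", "mandatory": True},
    "ADDRESSCITY": {"type": "string", "mandatory": False},
    "FAX": {"type": "string", "mandatory": False},
    "CREDITLIMIT": {"type": "decimal", "mandatory": False},
    "CUSTOMERGROUP": {"type": "string", "mandatory": True},
}

# The page's case: fax is mapped to ADDRESSCITY, which city already feeds.
BROKEN = [("name", "NAME"), ("city", "ADDRESSCITY"), ("fax", "ADDRESSCITY"),
          ("creditlimit", "CREDITLIMIT")]
FIXED = [("name", "NAME"), ("city", "ADDRESSCITY"), ("fax", "FAX"),
         ("group", "CUSTOMERGROUP")]

if __name__ == "__main__":
    for label, mapping in (("broken", BROKEN), ("fixed", FIXED)):
        found = validate_mapping(mapping, SOURCE_TYPES, DEST_SCHEMA)
        print(label, "->", found or "no problems")
```

The first validation error in the list, an incorrect company or business unit, depends on the connection set rather than the field mapping and is not covered here.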

Project execution issues


If you are notified of a project execution that completed with a warning or is in an error state, the first step is to drill
into the execution history. From the project list page, select the individual project and review the latest execution on
the Execution history tab. You can then click through to the specific error.

If this is an integration project where Dynamics 365 for Finance and Operations is the source, go to the Data
Management workspace in Dynamics 365 Finance and Operations. Then filter projects based on your data
integration project name, or specifically choose the type of import or export job.

Additionally, you can open the job history of the project and drill through the job ID based on the time stamp of
your execution. You can also inspect the execution log, view historical runs, and view the staging data.

Responding to DSR requests for system-generated logs in PowerApps, Microsoft Flow, and Common Data Service
3/22/2019 • 6 minutes to read

Microsoft gives you the ability to access, export, and delete system-generated logs that may be deemed personal
under the European Union (EU) General Data Protection Regulation (GDPR) broad definition of personal data.
Examples of system-generated logs that may be deemed personal under GDPR include:
Product and service usage data, such as user activity logs
User search requests and query data
Data generated by product and services as a product of system functionality and interaction by users or other
systems
Note that the ability to restrict or rectify data in system-generated logs is not supported. Data in system-generated
logs constitutes factual actions conducted within the Microsoft cloud, and diagnostic data—including modifications
to such data—would compromise the historical record of actions and increase fraud and security risks.

Prerequisites
This article focuses on responding to DSR requests for system-generated logs in managed and unmanaged
tenants. To determine whether or not you belong to a managed or unmanaged tenant, please see the Determining
Tenant Type section below.

Accessing and exporting system-generated logs for Managed Tenants


Administrators can access system-generated logs associated with a user’s use of PowerApps, Microsoft Flow, and
Common Data Service services and applications.
To access and export system-generated logs, do the following:
1. Go to the Microsoft Service Trust Portal and sign in using Office 365 Global Administrator credentials.
2. From the Privacy drop-down list at the top of the page, select Data Subject Request.
3. On the Data Subject Request page, under System Generated Logs, select Data Log Export. The Data
Log Export displays and shows a list of export data requests submitted by your organization.
4. To create a new request for a user, click Create Export Data Request.
After you create a new request, the request is listed on the Data Log Export page, where you can track its
status. After a request is complete, you can click a link to access the system-generated logs, which will be
exported to your organization’s Azure storage location within 30 days of creating the request. The data will
be saved in common, machine-readable file formats such as XML, CSV, or JSON. If you don't have an Azure
account and Azure storage location, you'll need to create an Azure account and/or Azure storage location for
your organization so that the Data Log Export tool can export the system-generated logs. For more
information, see Introduction to Azure Storage.
The following table summarizes accessing and exporting system-generated logs for managed tenants:

QUESTION: How long does the Microsoft Data Log Export tool take to complete a request?
ANSWER: This depends on several factors. In most cases it should complete in one or two days, but it can take up to 30 days.

QUESTION: What format will the output be in?
ANSWER: The output will be in the form of structured, machine-readable files such as XML, CSV, or JSON.

QUESTION: Who has access to the Data Log Export tool to submit access requests for system-generated logs?
ANSWER: Office 365 Global Administrators will have access to the GDPR Log Manager tool.

QUESTION: What data does the Data Log Export tool return?
ANSWER: The Data Log Export tool returns system-generated logs that Microsoft stores. Exported data spans across various Microsoft services including Office 365, Azure, Dynamics, PowerApps, Microsoft Flow, and Common Data Service.

QUESTION: How is data returned to the user?
ANSWER: Data will be exported to your organization's Azure storage location; it will be up to administrators in your organization to determine how they will show/return this data to users.

QUESTION: What will data in system-generated logs look like?
ANSWER: Example of a system-generated log record in JSON format:
[{
  "DateTime": "2017-04-28T12:09:29-07:00",
  "AppName": "SharePoint",
  "Action": "OpenFile",
  "IP": "154.192.13.131",
  "DevicePlatform": "Windows 1.0.1607"
}]

NOTE
For security and audit purposes, some features do not allow you to export or delete system-generated logs in order to
maintain the integrity of personal information.

Deleting system-generated logs for Managed Tenants


To delete system-generated logs retrieved through an access request, you must remove the user from the service
and permanently delete his or her Azure Active Directory account. For instructions on how to permanently delete a
user, see the Deleting a user section in the Azure Data Subject Request GDPR documentation that can be found
on the Office 365 Service Trust Portal. It's important to note that permanently deleting a user account is
irreversible once initiated.
Permanently deleting a user account removes the user’s data from system-generated logs for PowerApps,
Microsoft Flow, and Common Data Service services within 30 days.

Accessing and exporting system-generated logs for Unmanaged Tenants
Users can access system-generated logs associated with their use of PowerApps, Microsoft Flow, and Common
Data Service services and applications.
To access and export system-generated logs, do the following:
1. Go to the Work and School Privacy portal.
2. On the My data requests page, a user can request a data export by clicking on the New export request
button.
3. Upon clicking this button, you will be asked to confirm your request. Click Yes to continue.
4. New export requests may take up to 1 month to complete. During this time, you will see a status of Running.
5. Once complete, the Date Completed column will be populated and a link to your system-generated logs will
be provided.
6. Click on this link to download your data. You can use a text editor to view this data.
7. Also note that the expiry date for this content is shown in the Expiry Date column. You have up until
this time to retrieve your system-generated logs.
The following table summarizes accessing and exporting system-generated logs for unmanaged tenants:

QUESTION: How long does the Microsoft Data Log Export tool take to complete a request?
ANSWER: This depends on several factors. In most cases it should complete in one or two days, but it can take up to 30 days.

QUESTION: What format will the output be in?
ANSWER: The output will be in the form of structured, machine-readable files such as XML, CSV, or JSON.

QUESTION: Who has access to the Data Log Export tool to submit access requests for system-generated logs?
ANSWER: Users who are a member of an unmanaged tenant have access to submit requests.

QUESTION: What data does the Data Export tool return?
ANSWER: The Data Export tool returns system-generated logs that Microsoft stores. Exported data spans across various Microsoft services including Office 365, Azure, Dynamics, PowerApps, Microsoft Flow, and Common Data Service.

QUESTION: How is data returned to the user?
ANSWER: Data will be exported to a Microsoft website where a link will be securely provided to the user who made the DSR request.

QUESTION: What will data in system-generated logs look like?
ANSWER: Example of a system-generated log record in JSON format:
[{
  "DateTime": "2017-04-28T12:09:29-07:00",
  "AppName": "SharePoint",
  "Action": "OpenFile",
  "IP": "154.192.13.131",
  "DevicePlatform": "Windows 1.0.1607"
}]

NOTE
For security and audit purposes, some features do not allow you to export or delete system-generated logs in order to
maintain the integrity of personal information.
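The managed-tenant and unmanaged-tenant tables above show the same JSON record shape. As an added example (not part of the original documentation, and covering only the JSON case), the script below checks an exported file record by record and builds the overview that would be reviewed before the data is handed to the data subject. It assumes the export is a JSON array of such records; every sample record after the first, including its AppName and Action values, is constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Fields taken from the page's example record that the summary depends on.
REQUIRED = ("DateTime", "AppName", "Action")


def load_records(export_text):
    """Split an exported JSON array into usable records and rejected entries."""
    raw = json.loads(export_text)
    if not isinstance(raw, list):
        raise ValueError("expected a JSON array of log records")
    records, rejected = [], []
    for index, rec in enumerate(raw):
        if not isinstance(rec, dict):
            rejected.append((index, "not a JSON object"))
            continue
        missing = [key for key in REQUIRED if not rec.get(key)]
        if missing:
            rejected.append((index, "missing " + ", ".join(missing)))
            continue
        try:
            when = datetime.fromisoformat(rec["DateTime"])
        except (TypeError, ValueError):
            rejected.append((index, "unparseable DateTime"))
            continue
        if when.tzinfo is None:
            # Without an offset the event cannot be ordered against the others.
            rejected.append((index, "DateTime has no UTC offset"))
            continue
        records.append({**rec, "utc": when.astimezone(timezone.utc)})
    return records, rejected


def summarize(records):
    """Summarize accepted records: time span, activity counts, IPs, platforms."""
    times = [rec["utc"] for rec in records]
    return {
        "count": len(records),
        "first_utc": min(times).isoformat() if times else None,
        "last_utc": max(times).isoformat() if times else None,
        "by_app_action": dict(Counter((rec["AppName"], rec["Action"]) for rec in records)),
        "ips": sorted({rec["IP"] for rec in records if rec.get("IP")}),
        "platforms": sorted({rec["DevicePlatform"] for rec in records
                             if rec.get("DevicePlatform")}),
    }


# Constructed export: record 0 is the page's example, the rest are made up,
# including one damaged timestamp and one record with no Action.
SAMPLE_EXPORT = """[
  {"DateTime": "2017-04-28T12:09:29-07:00", "AppName": "SharePoint", "Action": "OpenFile",
   "IP": "154.192.13.131", "DevicePlatform": "Windows 1.0.1607"},
  {"DateTime": "2017-04-28T21:15:00+02:00", "AppName": "PowerApps", "Action": "LaunchApp",
   "IP": "203.0.113.7", "DevicePlatform": "iOS 10.3"},
  {"DateTime": "2017-04-27T08:00:00+00:00", "AppName": "Microsoft Flow", "Action": "RunFlow",
   "IP": "203.0.113.7", "DevicePlatform": "Windows 1.0.1607"},
  {"DateTime": "2017-04- 29T01:00:00-07:00", "AppName": "PowerApps", "Action": "LaunchApp"},
  {"DateTime": "2017-04-29T02:00:00-07:00", "AppName": "PowerApps"}
]"""

if __name__ == "__main__":
    good, bad = load_records(SAMPLE_EXPORT)
    print(json.dumps({**summarize(good),
                      "by_app_action": {f"{a}/{b}": n for (a, b), n in
                                        summarize(good)["by_app_action"].items()},
                      "rejected": bad}, indent=2))
```

Rejected entries are reported with their position in the file so they can be checked against the original export rather than silently dropped from the response.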

Deleting system-generated logs for Unmanaged Tenants


To delete system-generated logs retrieved through an access request, you must close your account, which will
delete your system-generated logs and remove your data in PowerApps, Microsoft Flow, and Common Data
Service services within 30 days.
To delete system-generated logs, do the following:
1. Go to the Work and School Privacy portal.
2. On the My data requests page, a user can request the deletion of their data by clicking on the Close account
button.
3. Upon clicking this button, you will be asked to confirm your request. Click Yes to continue.
4. Once the account has been closed, you will not have access to PowerApps, Microsoft Flow, and Common Data
Service.

Determining Tenant Type


To determine whether or not you are a user of a managed or unmanaged tenant, perform the following actions:
1. Open the following URL in a browser, replacing the email address in the URL with your own:
https://login.microsoftonline.com/common/userrealm/[email protected]?api-version=2.1
2. If you are a member of an unmanaged tenant then you will see an "IsViral": true in the response.

{
  ...
  "Login": "[email protected]",
  "DomainName": "unmanagedcontoso.com",
  "IsViral": true,
  ...
}

3. Otherwise, you belong to a managed tenant.
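
The check in steps 1 to 3, scripted so it can be run for each address named in a DSR request and mapped to the procedure this page gives for that tenant type. This is an added example, not Microsoft's code; the function names, the route table and the two sample responses (including their addresses) are constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import quote

USERREALM = "https://login.microsoftonline.com/common/userrealm/{login}?api-version=2.1"

# Procedures for system-generated logs, as described on this page.
DSR_ROUTES = {
    "managed": {
        "who": "Office 365 Global Administrator",
        "export": "Microsoft Service Trust Portal > Privacy > Data Subject Request > Data Log Export",
        "delete": "remove the user from the service and permanently delete "
                  "the Azure Active Directory account",
    },
    "unmanaged": {
        "who": "the user",
        "export": "Work and School Privacy portal > My data requests > New export request",
        "delete": "Work and School Privacy portal > My data requests > Close account",
    },
}


def userrealm_url(email):
    """Build the lookup URL from step 1 for one sign-in address."""
    local, sep, domain = email.strip().partition("@")
    if not (local and sep and domain) or "@" in domain:
        raise ValueError("expected an address of the form user@domain")
    return USERREALM.format(login=quote(f"{local}@{domain}", safe="@"))


def fetch_userrealm(email, timeout=10):
    """Perform the lookup over the network (not used by the offline sample run)."""
    with urllib.request.urlopen(userrealm_url(email), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def classify_tenant(response_text):
    """Apply steps 2 and 3: "IsViral": true means unmanaged, otherwise managed."""
    realm = json.loads(response_text)
    if not isinstance(realm, dict):
        raise ValueError("expected a JSON object")
    # Only the JSON boolean true counts; a missing key or the string "true" does not.
    tenant_type = "unmanaged" if realm.get("IsViral") is True else "managed"
    return {
        "domain": realm.get("DomainName"),
        "tenant_type": tenant_type,
        "route": DSR_ROUTES[tenant_type],
    }


# Constructed responses, trimmed to the fields the page shows.
SAMPLE_UNMANAGED = ('{"Login": "user@unmanagedcontoso.com", '
                    '"DomainName": "unmanagedcontoso.com", "IsViral": true}')
SAMPLE_MANAGED = '{"Login": "user@contoso.com", "DomainName": "contoso.com"}'

if __name__ == "__main__":
    for sample in (SAMPLE_UNMANAGED, SAMPLE_MANAGED):
        result = classify_tenant(sample)
        print(f'{result["domain"]}: {result["tenant_type"]} tenant; '
              f'export by {result["route"]["who"]} via {result["route"]["export"]}')
```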


Responding to Data Subject Rights (DSR) requests for Data Integration for Common Data Service customer data
3/22/2019 • 2 minutes to read

Introduction to DSR requests


The European Union (EU) General Data Protection Regulation (GDPR) gives rights to people (known in the
regulation as data subjects) to manage the personal data that's been collected by an employer or other type of
agency or organization (known as the data controller or just controller). Personal data is defined very broadly
under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data
subjects the right to do the following, as it pertains to their personal data:
Obtain copies
Request corrections
Restrict processing
Delete it
Receive it in electronic format so it can be moved to another controller
A formal request by a data subject to a controller to take an action on his or her personal data is called a Data
Subject Rights (DSR) request.
This article describes how Microsoft is preparing for the GDPR, and also provides examples of steps you can take
to support GDPR compliance when using Data Integration for Admins via the administrator portal in Common
Data Service. You'll learn how to use Microsoft products, services, and administrative tools to help controller
customers find, access, and act on personal data in the Microsoft cloud in response to DSR requests.
Searching for and identifying personal data
Data Integration for Admins in Common Data Service allows any user of the integrator application to view their
data by using the data integration tab at:
https://admin.powerapps.com/dataintegration
The data stored for the user is shown in the portal. All projects are visible on the projects tab:
All connection sets are visible on the connection sets tab:

All Templates are visible on the Templates tab:


Securing and controlling access to personal information
In the Data Integration for Admins in Common Data Service, data stored by the data integration application can
only be accessed through the administrator portal.

Deleting personal data


In Data Integration for Admins in Common Data Service, user-authored data, projects, and connection sets can be
deleted by the user the data is associated with. To delete their personal data, users can log on to the administrator
portal: https://admin.powerapps.com
Users can delete projects by navigating to the projects tab and clicking on the ellipses next to the project, and then
selecting the delete option:

Users can delete templates by navigating to the templates tab and clicking the ellipses next to the template, and
then selecting the delete option:
Users can delete connection sets by navigating to the connection sets tab and clicking on the ellipses next to the
connection set, and then selecting the delete option:

Exporting personal data


In Data Integration for Admins in Common Data Service, user-authored data can be exported by the user the data
is associated with. To export their personal data, users can log on to the administrator portal:
https://admin.powerapps.com
To export projects or projects with execution history, users can navigate to the projects tab and click the ellipses
next to the project, and then select the desired export option:
To export templates, users can navigate to the templates tab and click on the ellipses next to the template, and then
select the export option:

To export connection sets, users can navigate to the connection set tab and click on the ellipses next to the
connection set, and then select the export option:

Responding to Data Subject Rights (DSR) requests for PowerApps customer data
3/22/2019 • 7 minutes to read

Introduction to DSR Requests


The European Union (EU) General Data Protection Regulation (GDPR) gives rights to people (known in the
regulation as data subjects) to manage the personal data that's been collected by an employer or other type of
agency or organization (known as the data controller or just controller). Personal data is defined very broadly
under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data
subjects the right to do the following, as it pertains to their personal data:
Obtain copies
Request corrections
Restrict processing
Delete it
Receive it in electronic format so it can be moved to another controller
A formal request by a data subject to a controller to take an action on his or her personal data is called a Data
Subject Rights (DSR) request.
This article describes how Microsoft is preparing for the GDPR, and also provides examples of steps you can take
to support GDPR compliance when using PowerApps, Microsoft Flow, and Common Data Service. You'll learn
how to use Microsoft products, services, and administrative tools to help controller customers find, access, and act
on personal data in the Microsoft cloud in response to DSR requests.
The following actions are covered in this article:
Discover — Use search and discovery tools to more easily find customer data that may be the subject of a
DSR request. Once potentially responsive documents are collected, you can perform one or more of the
following DSR actions to respond to the request. Alternatively, you may determine that the request doesn't
meet your organization’s guidelines for responding to DSR requests.
Access — Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of that
data available to the data subject.
Rectify — Make changes or implement other requested actions on the personal data, where applicable.
Restrict — Restrict the processing of personal data, either by removing licenses for various online services
or turning off the desired services where possible. You can also remove data from the Microsoft cloud and
retain it on-premises or at another location.
Delete — Permanently remove personal data that resides in the Microsoft cloud.
Export — Provide an electronic copy (in a machine-readable format) of personal data to the data subject.

Discover
The first step in responding to a DSR request is to find the personal data that is the subject of the request. This first
step—finding and reviewing the personal data at issue—will help you determine whether a DSR request meets
your organization's requirements for honoring or declining a DSR request. For example, after finding and
reviewing the personal data at issue, you may determine the request doesn’t meet your organization’s
requirements because doing so may adversely affect the rights and freedoms of others.
Step 1: Find personal data for the user in PowerApps
Below is a summary of the types of PowerApps resources that contain personal data for a specific user.

RESOURCES CONTAINING PERSONAL DATA: PURPOSE

Environment: An environment is a space to store, manage, and share your organization’s business data, apps, and flows.

Environment permissions: Users are assigned to environment roles to be granted maker and administrative privileges within an environment.

Canvas app: Cross-platform business apps that can be built from a power of a blank canvas and connected to over 200 data sources.

Canvas-app permissions: Canvas apps can be shared with users within an organization.

Connection: Used by connectors and allow for connectivity to APIs, systems, databases, etc.

Connection permissions: Certain types of connections can be shared with users within an organization.

Custom connector: Custom connectors that a user has created to provide access to a data source not offered through one of the PowerApps standard connectors.

Custom-connector permissions: Custom connectors can be shared with users within an organization.

PowerApps user and user-app settings: PowerApps stores several user preferences and settings that are used to deliver the PowerApps runtime and portal experiences.

PowerApps notifications: PowerApps sends several types of notifications to users including when an app is shared with them and when a Common Data Service export operation has completed.

Gateway: Gateways are on-premises data gateways that can be installed by a user to transfer data quickly and securely between PowerApps and a data source that isn’t in the cloud.

Gateway permissions: Gateways can be shared with users within an organization.

Model-driven apps and model-driven app permissions: Model-driven app design is a component-focused approach to app development. Model-driven apps and their user access permissions are stored as data within the Common Data Service database.

PowerApps offers the following experiences to find personal data for a specific user:
Website access: PowerApps site, PowerApps Admin center, and Office 365 Service Trust Portal
PowerShell access: PowerApps cmdlets (for app creators and administrators) and On-premises gateway
cmdlets
For detailed steps on how you can use these experiences to find personal data for a specific user for each of these
types of resources, see Responding to Data Subject Rights (DSR) requests to export PowerApps customer data.
After you find the data, you can then perform the specific action to satisfy the request by the data subject.
Step 2: Find personal data for the user in Microsoft Flow
PowerApps licenses always include Microsoft Flow capabilities. In addition to being included in PowerApps
licenses, Microsoft Flow is also available as a standalone service.
For guidance on how to discover personal data stored by the Microsoft Flow service, see Responding to GDPR
Data Subject Requests for Microsoft Flow.

IMPORTANT
It is recommended that admins complete this step for a PowerApps user

Step 3: Find personal data for the user in instances of Common Data Service
Certain PowerApps licenses, including the PowerApps Community Plan, give the ability for users within your
organization to create instances of Common Data Service and to create and build apps on Common Data Service.
The PowerApps Community Plan is a free license that allows users to try out Common Data Service in an
individual environment. See the PowerApps Pricing page for which capabilities are included in each PowerApps
license.
For guidance on how to discover personal data stored by Common Data Service, see Responding to Data Subject
Rights (DSR) requests for customer data in Common Data Service.

IMPORTANT
It is recommended that admins complete this step for a PowerApps user.

Rectify
If a data subject asks you to rectify the personal data that resides in your organization’s data, you and your
organization must determine whether it’s appropriate to honor the request. Rectifying data may include editing,
redacting, or removing personal data from a document or other type of item.
You can use Azure Active Directory to manage the identities (personal data) of your users within PowerApps.
Enterprise customers can manage DSR rectify requests by using the limited editing features within a given
Microsoft service. As a data processor, Microsoft does not offer the ability to correct system-generated logs,
because they reflect factual activities and constitute a historical record of events within Microsoft services. See
GDPR: Data Subject Requests (DSRs) for details.

Restrict
Data subjects may request that you restrict processing of their personal data. We provide both pre-existing
application programming interfaces (APIs) and user interfaces (UIs). These experiences provide the enterprise
customer’s tenant administrator the capability to manage such DSRs through a combination of data export and
data deletion. A customer may request:
Export an electronic copy of the personal data of the user, including:
account(s)
system-generated logs
associated logs
Delete the account and associated data residing within Microsoft systems.

Export
The “right of data portability” allows a data subject to request a copy of his or her personal data in an electronic
format (that’s a “structured, commonly used, machine-readable and interoperable format”) that may be
transmitted to another data controller.
See Responding to Data Subject Rights (DSR) requests to export PowerApps customer data for details.

Delete
The “right to erasure” by the removal of personal data from an organization’s customer data is a key protection in
the GDPR. Removing personal data includes system-generated logs but not audit-log information.
PowerApps allows users to build line-of-business applications that are a critical part of your organization’s day-to-
day operations. When a user leaves your organization, you will need to manually review and determine whether to
delete certain data and resources that they have created. Other customer data will be automatically deleted
whenever the user’s account is deleted from Azure Active Directory.
See Responding to Data Subject Rights (DSR) requests to delete PowerApps customer data for details.
Responding to Data Subject Rights (DSR) requests to
export PowerApps customer data
8/9/2019 • 11 minutes to read

The “right of data portability” allows a data subject to request a copy of his or her personal data in an electronic
format (that is, a structured, commonly used, machine readable and interoperable format) that may be transmitted
to another data controller:
Website access: PowerApps portal, PowerApps Admin center, and Office 365 Service Trust Portal
PowerShell access: PowerApps App creator cmdlets, Admin cmdlets and On-premises gateway cmdlets
Below is a summary of the types of personal data that PowerApps can store for a specific user and which
experiences you can use to find and export it.

| RESOURCES CONTAINING PERSONAL DATA | WEBSITE ACCESS | POWERSHELL ACCESS |
| --- | --- | --- |
| Environment | PowerApps Admin center | PowerApps cmdlets |
| Environment permissions** | PowerApps Admin center | PowerApps cmdlets |
| Canvas App | PowerApps Admin center; PowerApps Portal | PowerApps cmdlets |
| Canvas App permissions | PowerApps Admin center; PowerApps Portal | PowerApps cmdlets |
| Gateway | PowerApps Portal*** | On-premises gateway cmdlets |
| Gateway permissions | PowerApps Portal*** | |
| Custom connector | | App creator: Available; Admin: Available |
| Custom connector permissions | | App creator: Available; Admin: Available |
| Connection | | App creator: Available; Admin: Available |
| Connection permissions | | App creator: Available; Admin: Available |
| PowerApps user settings, user-app settings, and notifications | | App creator: Available; Admin: Available |

** With the introduction of Common Data Service, if a database is created within the environment,
environment permissions and model-driven app permissions are stored as records within the Common Data
Service database instance. For guidance on how to respond to DSR requests for users that use Common Data
Service, see Responding to Data Subject Rights (DSR) requests for Common Data Service customer data.
*** An administrator can access these resources from the PowerApps portal only if the owner of the resource
has explicitly granted him or her access. If the administrator has not been granted access, he or she will need
to leverage the PowerApps Admin PowerShell cmdlets.

Prerequisites
For users
Any user with a valid PowerApps license can perform the user operations outlined in this document using the
PowerApps portal or App creator cmdlets.
For admins
To perform the administration operations outlined in this document using the PowerApps Admin center, Microsoft
Flow Admin Center, or PowerApps Admin PowerShell cmdlets, you'll need the following:
A paid PowerApps Plan 2 license or a PowerApps Plan 2 trial license. You can sign up for a 30-day trial
license at http://web.powerapps.com/trial. Trial licenses can be renewed if they've expired.
Office 365 Global Administrator or Azure Active Directory Global Administrator permissions if you need to
search through another user’s resources. (Note that Environment Admins only have access to those
environments and environment resources for which they have permissions.)

Step 1: Export personal data contained within environments created by the user
PowerApps Admin center
Administrators can export all environments created by a specific user from the PowerApps Admin center by
following these steps:
1. From the PowerApps Admin center, select each environment in your organization.

2. If the environment was created by the user from the DSR request, go to the Details page, copy the details,
and then paste them into a document editor, such as Microsoft Word.
PowerShell cmdlets for app creators
Users can export the environments they have access to in PowerApps by using the
Get-PowerAppsEnvironment function in the PowerApps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-PowerAppsEnvironment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all of the environments that have been created by a user by using the
Get-AdminEnvironment function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "7557f390-5f70-4c93-8bc4-8c2faabd2ca0"
Get-AdminEnvironment -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 2: Export the user’s environment permissions


Users can be assigned permissions (such as Environment Admin, Environment Maker, etc.) in an environment,
which are stored in PowerApps as a role assignment. With the introduction of Common Data Service, if a database
is created within the environment, the role assignments are stored as records within the Common Data Service
database instance. For more information, see Administer environments within PowerApps.
For environments without a Common Data Service database
PowerApps Admin center
Administrators can export a user’s environment permissions from the PowerApps Admin center by following
these steps:
1. From the PowerApps Admin center, select each environment in your organization. You must be an Office
365 Global Administrator or Azure Active Directory Global Administrator to be able to review all
environments created within your organization.
2. Select Security.
If your environment does not have a Common Data Service database, you'll see a section for Environment
Roles.
3. Select both Environment Admin and Environment Maker separately, and then using the search bar,
search for the user’s name.

4. If the user has access to either role, go to the Users page, copy the details, and then paste them into a
document editor, such as Microsoft Word.
PowerShell cmdlets for admins
Administrators can export all environment role assignments for a user across all environments without a
Common Data Service database by using the Get-AdminEnvironmentRoleAssignment function in the
PowerApps Admin PowerShell cmdlets:
Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminEnvironmentRoleAssignment -UserId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

IMPORTANT
This function only works for environments that do not have a Common Data Service database instance.

For environments with a Common Data Service database


With the introduction of the Common Data Service, if a database is created within the environment, role
assignments are stored as records within the Common Data Service database instance. For information on how to
remove personal data from a Common Data Service database instance, see Common Data Service User personal
data removal.  

Step 3: Export personal data contained within canvas apps created by the user
PowerApps portal
A user can export an app from the PowerApps portal. For step-by-step instructions on how to export an app, see
Exporting an app.
PowerApps Admin center
An administrator can export apps created by a user starting from the PowerApps Admin center by following these
steps:
1. From the PowerApps Admin center, select each environment in your organization. You must be an Office
365 Global Administrator or Azure Active Directory Global Administrator to be able to review all
environments created within your organization.

2. Select Resources, and then select Apps.


3. Using the search bar, search for the user’s name, which brings up any apps that user created within this
environment:
4. Select Share for each of the apps created by that user and give yourself Can edit access to the app:
5. Once you have access to each of the user’s apps you can export an app from the PowerApps portal. For
step-by-step instructions on how to export an app, see Exporting an app.
PowerShell cmdlets for admins
Administrators can export apps created by a user by using the Get-AdminApp function in the PowerApps Admin
PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminApp -Owner $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 4: Export the user’s permissions to canvas apps


Whenever an app is shared with a user, PowerApps stores a record called a role assignment that describes the
user’s permissions (CanEdit or CanUse) to the application. For more information, see Share an app.
PowerShell cmdlets for app creators
Users can export the app role assignments for all apps that they have access to by using the
Get-AppRoleAssignment function in the PowerApps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-AppRoleAssignment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerApps Admin center


Administrators can export app role assignments for a user from the PowerApps Admin center by following these
steps:
1. From the PowerApps Admin center, select each environment in your organization. You must be an Office
365 Global Administrator or Azure Active Directory Global Administrator to be able to review all
environments created within your organization.
2. For each environment, select Resources, and then select Apps.
3. Select Share for each of the apps in the environment.

4. If the user has access to the app, go to the app’s Share page, copy the details, and then paste them into a
document editor, such as Microsoft Word.
PowerShell cmdlets for admins
Administrators can export all app role assignments for a user across all apps in their tenant by using the
Get-AdminAppRoleAssignment function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminAppRoleAssignment -UserId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 5: Export personal data contained within connections created by the user
Connections are used in conjunction with connectors when establishing connectivity with other APIs and SaaS
systems. Connections include references to the user who created them and, as a result, can be deleted to remove
any references to the user.
PowerShell cmdlets for app creators
Users can export all of the connections they have access to by using the Get-Connection function in the
PowerApps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-Connection | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all connections created by the user using the Get-AdminConnection function in the
PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnection -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"


Step 6: Export the user’s permissions to shared connections
PowerShell cmdlets for app creators
Users can export the connection role assignments for all connections that they have access to by using the
Get-ConnectionRoleAssignment function in the PowerApps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-ConnectionRoleAssignment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all connection role assignments for a user using the
Get-AdminConnectionRoleAssignment function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnectionRoleAssignment -PrincipalObjectId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 7: Export personal data contained within custom connectors created by the user
Custom Connectors supplement the existing out-of-box connectors and allow for connectivity to other APIs, SaaS,
and custom-developed systems.
PowerApps App creator PowerShell cmdlets
Users can export all custom connectors they've created by using the Get-Connector function in the PowerApps
App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-Connector -FilterNonCustomConnectors | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all custom connectors created by a user using the Get-AdminConnector function in
the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnector -CreatedBy $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

Step 8: Export the user’s permissions to custom connectors


PowerShell cmdlets for app creators
Users can export all connector role assignments for the custom connectors to which they have access by using the
Get-ConnectorRoleAssignment function in the PowerApps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-ConnectorRoleAssignment | ConvertTo-Json | Out-File -FilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export all custom connector role assignments for a user using the
Get-AdminConnectorRoleAssignment function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminConnectorRoleAssignment -PrincipalObjectId $userId | ConvertTo-Json | Out-File -FilePath "UserDetails.json"
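
Each admin snippet in Steps 1 through 8 writes to the same UserDetails.json, so running them in sequence overwrites the earlier output. The script below is an added example, not part of the original article: it runs the same admin cmdlets for one user and writes one file per step plus a SHA-256 manifest. The function name Export-PowerAppsDsrData, the output folder layout, and the file names are assumptions of this example.

```powershell
# Added example (not from the original article). Assumes the PowerApps Admin
# PowerShell cmdlets used in Steps 1-8 are installed.
function Export-PowerAppsDsrData {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Azure AD object ID of the data subject
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string]$UserId,

        # Destination folder; the layout is an assumption of this example
        [Parameter(Mandatory = $true)]
        [string]$OutputFolder
    )

    # One entry per admin step above; each script block is that step's query.
    # Step 2 only covers environments without a Common Data Service database.
    $steps = [ordered]@{
        'step1-environments'                 = { Get-AdminEnvironment -CreatedBy $UserId }
        'step2-environment-permissions'      = { Get-AdminEnvironmentRoleAssignment -UserId $UserId }
        'step3-canvas-apps'                  = { Get-AdminApp -Owner $UserId }
        'step4-canvas-app-permissions'       = { Get-AdminAppRoleAssignment -UserId $UserId }
        'step5-connections'                  = { Get-AdminConnection -CreatedBy $UserId }
        'step6-connection-permissions'       = { Get-AdminConnectionRoleAssignment -PrincipalObjectId $UserId }
        'step7-custom-connectors'            = { Get-AdminConnector -CreatedBy $UserId }
        'step8-custom-connector-permissions' = { Get-AdminConnectorRoleAssignment -PrincipalObjectId $UserId }
    }

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    $manifest = foreach ($name in $steps.Keys) {
        $path   = Join-Path -Path $OutputFolder -ChildPath "$name.json"
        $status = 'ok'
        try {
            $items = @(& $steps[$name])
        }
        catch {
            # Record the failure so an empty file is not mistaken for "no data".
            $items  = @()
            $status = "failed: $($_.Exception.Message)"
        }

        # The default ConvertTo-Json depth of 2 collapses nested objects
        # (owner, permission records) into type-name strings.
        $json = $items | ConvertTo-Json -Depth 20
        if ([string]::IsNullOrEmpty($json)) { $json = '[]' }
        Set-Content -Path $path -Value $json -Encoding UTF8

        [pscustomobject]@{
            Step      = $name
            Status    = $status
            ItemCount = $items.Count
            File      = $path
            Sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }

    # The manifest lets the recipient verify that the files were not altered.
    $manifest | Export-Csv -Path (Join-Path -Path $OutputFolder -ChildPath 'manifest.csv') -NoTypeInformation
    $manifest
}

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"   # sample ID used in the steps above
Export-PowerAppsDsrData -UserId $userId -OutputFolder ".\dsr-export-$userId" |
    Format-Table Step, Status, ItemCount
```

The export folder contains personal data, so store it where only the staff handling the request can read it.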

Step 9: Export PowerApps Notifications, User Settings, and User-App Settings
PowerApps sends several types of notifications to users, including when an app is shared with them and when a
Common Data Service export operation has completed. A user’s notification history is visible to them within the
PowerApps portal.
PowerApps also stores several different user preferences and settings that are used to deliver the PowerApps
runtime and portal experiences, including when a user last opened an application, pinned an app, etc.
PowerShell cmdlets for app creators
Users can export their own PowerApps notifications, user settings, and user-app settings using the
Get-AdminPowerAppsUserDetails function in the PowerApps App creator PowerShell cmdlets:

Add-PowerAppsAccount
Get-AdminPowerAppsUserDetails -WriteToFile -OutputFilePath "UserDetails.json"

PowerShell cmdlets for admins


Administrators can export the PowerApps notifications, user settings, and user-app settings for a user using the
Get-AdminPowerAppsUserDetails function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$userId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
Get-AdminPowerAppsUserDetails -WriteToFile -OutputFilePath "UserDetails.json" -UserPrincipalName [email protected]

Step 10: Export personal data contained for a user-stored gateway or in the user’s gateway permissions
PowerApps Portal
Users can export the personal data stored within the gateway service from the PowerApps portal by following
these steps:
1. From the PowerApps portal, within the default environment for your tenant, select Gateways, and then
select Details for each gateway to which you have access.
2. On the Details page, if the gateway details contain any personal data, copy the details, and then paste them
into a document editor, such as Microsoft Word.

3. Select Share, copy the contents of the page, and then paste it into a document editor, such as Microsoft
Word.
Gateway PowerShell cmdlets
There are also PowerShell cmdlets that allow you to retrieve, manage, and delete your personal gateways. For
more information, see On-premises gateway cmdlets.
Administrators
Please refer to the Tenant Administration section in the Understand on-premises data gateways for Microsoft
PowerApps article for guidance around managing gateways for your organization.

Step 11: Export the user’s personal data in Microsoft Flow


PowerApps licenses always include Microsoft Flow capabilities. In addition to being included in PowerApps
licenses, Microsoft Flow is also available as a standalone service. For guidance on how to respond to DSR
requests for users that use the Microsoft Flow service, see Responding to GDPR Data Subject Requests for
Microsoft Flow.

IMPORTANT
We recommend that administrators complete this step for PowerApps users.

Step 12: Export the user’s personal data in Common Data Service
instances
Anyone with a PowerApps license, provided there is 1GB available database capacity, can create Common Data
Service environments and create and build apps on Common Data Service; this includes the PowerApps
Community Plan, which is a free license that allows users to try out Common Data Service in an individual
environment. To see which Common Data Service capabilities are included in each PowerApps license, see the
PowerApps Pricing page.
For guidance on how to respond to DSR requests for users that use Common Data Service, see Responding to
Data Subject Rights (DSR) requests for Common Data Service customer data.
IMPORTANT
We recommend that administrators complete this step for PowerApps users.
Responding to Data Subject Rights (DSR) requests to
delete PowerApps customer data
4/15/2019 • 14 minutes to read

The “right to erasure” by the removal of personal data from an organization’s customer data is a key protection in
the European Union (EU) General Data Protection Regulation (GDPR). Removing personal data includes removing
system-generated logs but not audit log information.
PowerApps allows users to build line-of-business applications that are a critical part of your organization’s day-to-
day operations. When a user leaves your organization, you'll need to manually review and determine whether to
delete certain data and resources that the user created. Other personal data will be automatically deleted whenever
the user’s account is deleted from Azure Active Directory.
Here is the breakdown between which personal data will be automatically deleted and which data will require your
manual review and deletion:

| REQUIRES MANUAL REVIEW AND DELETION | AUTOMATICALLY DELETED WHEN THE USER IS DELETED FROM AZURE ACTIVE DIRECTORY |
| --- | --- |
| Environment** | Gateway |
| Environment permissions*** | Gateway permissions |
| Canvas app** | PowerApps notifications |
| Canvas-app permissions | PowerApps user settings |
| Connection** | PowerApps user-app settings |
| Connection permissions | |
| Custom connector** | |
| Custom-connector permissions | |

** Each of these resources contains “Created By” and “Modified By” records that include personal data. For security
reasons, these records will be retained until the resource is deleted.
*** For environments that include a Common Data Service database, environment permissions (that is, which
users are assigned to the Environment Maker and Admin roles) are stored as records in that database. For
guidance on how to respond to DSRs for users of Common Data Service, see Responding to Data Subject Rights
(DSR) requests for Common Data Service customer data.
For the data and resources that require manual review, PowerApps offers the following experiences to reassign (if
necessary) or delete personal data for a specific user:
Website access: PowerApps site, PowerApps Admin center, and Office 365 Service Trust Portal
PowerShell access: PowerApps cmdlets for app creators and administrators and cmdlets for on-premises
gateways.
Here is the breakdown of which experiences are available to delete each type of resource that can contain personal
data:

| RESOURCES CONTAINING PERSONAL DATA | WEBSITE ACCESS | POWERSHELL ACCESS |
| --- | --- | --- |
| Environment | PowerApps Admin center | PowerApps cmdlets |
| Environment permissions** | PowerApps Admin center | PowerApps cmdlets |
| Canvas app | PowerApps Admin center; PowerApps | PowerApps cmdlets |
| Canvas-app permissions | PowerApps Admin center | PowerApps cmdlets |
| Connection | | App creator: Available; Admin: Available |
| Connection permissions | | App creator: Available; Admin: Available |
| Custom connector | | App creator: Available; Admin: Available |
| Custom-connector permissions | | App creator: Available; Admin: Available |

** With the introduction of Common Data Service, if a database is created within the environment, environment
permissions and model-driven app permissions are stored as records within the instance of that database. For
guidance on how to respond to DSRs for users of Common Data Service, see Responding to Data Subject Rights
(DSR) requests for Common Data Service customer data.

Prerequisites
For users
Any user with a valid PowerApps license can perform the user operations outlined in this document using the
PowerApps or PowerShell cmdlets for app creators.
Unmanaged tenant
If you are a member of an unmanaged tenant, meaning that your Azure AD tenant does not have a global
administrator, you will still be able to follow the steps outlined in this article to remove your own personal data.
However, since there is no global administrator for your tenant, you will need to follow the instructions outlined in
Step 11: Delete the user from Azure Active Directory below to delete your own account from the tenant.
In order to determine if you are a member of an unmanaged tenant please follow these steps:
1. Open the following URL in a browser, making sure to replace your email address in the URL:
https://login.microsoftonline.com/common/userrealm/[email protected]?api-version=2.1
2. If you are a member of an unmanaged tenant then you will see an "IsViral": true in the response.
{
...
"Login": "[email protected]",
"DomainName": "unmanagedcontoso.com",
"IsViral": true,
...
}

3. Otherwise, you belong to a managed tenant.


For administrators
To perform the administrative operations outlined in this document using the PowerApps Admin center, Microsoft
Flow admin center, or PowerShell cmdlets for PowerApps administrators, you'll need the following:
A paid PowerApps Plan 2 license or a PowerApps Plan 2 trial license. You can sign up for a 30-day trial
license at http://web.powerapps.com/trial. Trial licenses can be renewed if they've expired.
Office 365 Global Administrator or Azure Active Directory Global Administrator permissions if you need to
search through another user’s resources. (Note that Environment Admins only have access to those
environments and environment resources for which they have permissions.)

Step 1: Delete or reassign all environments created by the user


As an administrator, you have two decisions to make when processing a DSR delete request for each environment
that the user created:
1. If you determine that the environment is not being used by anyone else in your organization, you can
choose to delete the environment.
2. If you determine that the environment is still required, you can choose not to delete the environment and
add yourself (or another user in your organization) as an Environment Admin.

IMPORTANT
Deleting an environment will permanently delete all resources within the environment, including all apps, flows, connections,
etc. So please review the contents of an environment before deletion.

Give access to a user’s environments from the PowerApps Admin center


An admin can grant administrative access to an environment created by a specific user from the PowerApps
Admin center by following these steps:
1. From the PowerApps Admin center, select each environment in your organization.
2. If the environment was created by the user from the DSR request, select Security, and proceed with the
steps outlined in Administer environments to give admin privileges to yourself or another user in your
organization.

Delete environments created by a user from the PowerApps Admin center


An admin can review and delete environments created by a specific user from the PowerApps Admin center by
following these steps:
1. From the PowerApps Admin center, select each environment in your organization.
2. If the environment was created by the user from the DSR request, select Delete and then proceed with the
steps to delete the environment:

Give access to a user’s environments using PowerShell


An administrator can assign themselves (or another user within their organization) access to all environments
created by a user by using the Set-AdminEnvironmentRoleAssignment function in the PowerShell cmdlets for
PowerApps administrators:
Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
$myUserId = $global:currentSession.UserId

#Assign yourself as an admin to each environment created by the user
Get-AdminEnvironment -CreatedBy $deleteDsrUserId | Set-AdminEnvironmentRoleAssignment -RoleName EnvironmentAdmin -PrincipalType User -PrincipalObjectId $myUserId

#Retrieve the environment role assignments to confirm
Get-AdminEnvironment -CreatedBy $deleteDsrUserId | Get-AdminEnvironmentRoleAssignment

IMPORTANT
This function works only in environments that do not have an instance of a database in Common Data Service.

Delete environments created by a user using PowerShell


An administrator can delete all environments created by a user by using the Remove-AdminEnvironment
function in the PowerShell cmdlets for PowerApps administrators:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

# Retrieve all environments created by the user and then delete them
Get-AdminEnvironment -CreatedBy $deleteDsrUserId | Remove-AdminEnvironment
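
Because deleting an environment removes every resource in it, the pipeline above is safer when preceded by an inventory. The following is an added example, not part of the original article: it lists the apps and connections in each environment the user created and marks environments that contain resources belonging to other people. The function name Get-DsrEnvironmentReview is hypothetical, and the property names read from the returned objects (EnvironmentName, DisplayName, Owner.id, CreatedBy.id) are assumptions about the cmdlet output.

```powershell
# Added example (not from the original article). Property names on the objects
# returned by the admin cmdlets are assumptions; verify them with Get-Member.
function Get-DsrEnvironmentReview {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Azure AD object ID of the user named in the DSR delete request
        [Parameter(Mandatory = $true)]
        [string]$UserId
    )

    foreach ($environment in @(Get-AdminEnvironment -CreatedBy $UserId)) {
        $name        = $environment.EnvironmentName
        $apps        = @(Get-AdminApp -EnvironmentName $name)
        $connections = @(Get-AdminConnection -EnvironmentName $name)

        # Resources in this environment that belong to someone other than the DSR user.
        $otherApps        = @($apps | Where-Object { $_.Owner.id -ne $UserId })
        $otherConnections = @($connections | Where-Object { $_.CreatedBy.id -ne $UserId })
        $usedByOthers     = ($otherApps.Count + $otherConnections.Count) -gt 0

        $otherOwners = @($otherApps | ForEach-Object { $_.Owner.displayName } | Sort-Object -Unique)

        [pscustomobject]@{
            EnvironmentName     = $name
            DisplayName         = $environment.DisplayName
            AppCount            = $apps.Count
            AppsOwnedByOthers   = $otherApps.Count
            ConnectionCount     = $connections.Count
            ConnectionsByOthers = $otherConnections.Count
            OtherAppOwners      = $otherOwners -join '; '
            UsedByOthers        = $usedByOthers
        }
    }
}

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"   # sample ID from the step above

$review = @(Get-DsrEnvironmentReview -UserId $deleteDsrUserId)
$review | Format-Table EnvironmentName, DisplayName, AppCount, AppsOwnedByOthers, ConnectionsByOthers -AutoSize

# Environments still used by other people: keep them and add an Environment Admin
# as described earlier in this step.
$review | Where-Object { $_.UsedByOthers } | Select-Object EnvironmentName, OtherAppOwners

# Flows are not covered by this check. After reviewing the table, list the
# environments you have confirmed for deletion and delete only those.
$confirmed = @()   # fill in EnvironmentName values after manual review
foreach ($environmentName in $confirmed) {
    Remove-AdminEnvironment -EnvironmentName $environmentName
}
```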

Step 2: Delete the user’s permissions to all other environments


Users can be assigned permissions (such as Environment Admin and Environment Maker) in an environment,
which are stored in the PowerApps service as a “role assignment.” With the introduction of Common Data Service,
if a database is created within the environment, these “role assignments” are stored as records within the instance
of that database. For more information, see Administer environments.
For environments without a Common Data Service database
PowerApps Admin center
An administrator can delete a user’s environment permissions starting from the PowerApps Admin center by
following these steps:
1. From the PowerApps Admin center, select each environment in your organization.
You must be an Office 365 Global Administrator or Azure Active Directory Global Administrator to be able
to review all environments that have been created within your organization.
2. Select Security.
If your environment does not have a Common Data Service database, you will see a section for
Environment Roles.
3. Within Environment Roles, select both Environment Admin and Environment Maker separately and,
using the search bar, search for the user’s name.

4. If the user has access to either role, from within the Users screen, remove their permission, and select Save.
PowerShell
An administrator can delete all environment role assignments for a user across all environments without a
Common Data Service database by using the Remove-AdminEnvironmentRoleAssignment function in the
PowerShell cmdlets for PowerApps administrators:
Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#find all environment role assignments for the user for environments without a Common Data Service instance
#and delete them
Get-AdminEnvironmentRoleAssignment -UserId $deleteDsrUserId | Remove-AdminEnvironmentRoleAssignment

IMPORTANT
This function works only for environments that do not have an instance of a Common Data Service database.

For environments WITH a Common Data Service database


With the introduction of the Common Data Service, if a database is created within the environment, these “role
assignments” are stored as records within the instance of that database. Please refer to the following
documentation on how to remove personal data from an instance of a database in Common Data Service:
Common Data Service User personal data removal

Step 3: Delete or reassign all canvas apps owned by a user


Reassign a user’s canvas apps using the PowerApps Admin PowerShell cmdlets
If an admin decides not to delete a user’s canvas apps, they can reassign the apps owned by a user by using the
Set-AdminAppOwner function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"
$newAppOwnerUserId = "72c272b8-14c3-4f7a-95f7-a76f65c9ccd8"

#find all apps owned by the DSR user and assigns them a new owner
Get-AdminApp -Owner $deleteDsrUserId | Set-AdminAppOwner -AppOwner $newAppOwnerUserId

Delete a user’s canvas app using the PowerApps site


A user can delete an app from the PowerApps site. For the full steps on how to delete an app, please see deleting
an app.
Delete a user’s canvas app using the PowerApps Admin center
An admin can delete apps created by a user starting from the PowerApps Admin center by following these steps:
1. From the PowerApps Admin center, select each environment in your organization.
You must be an Office 365 Global Administrator or Azure Active Directory Global Administrator to be able to
review all environments that have been created within your organization.
2. Select Resources > Apps.
3. Using the search bar, search for the user’s name, which will bring up any apps that have been created by
that user within this environment:

4. Select Details for each of the apps owned by the user:


5. Select Delete to delete each app:
Delete a user’s canvas app using the PowerApps Admin PowerShell cmdlets
If an admin decides to delete all canvas apps owned by a user, they can do so using the Remove-AdminApp
function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#find all apps owned by the DSR user and deletes them
Get-AdminApp -Owner $deleteDsrUserId | Remove-AdminApp

Step 4: Delete the user’s permissions to canvas apps


Whenever an app is shared with a user, PowerApps stores a record called a “role assignment” that describes the
user’s permissions (CanEdit or CanUse) to the application. For more information, see the Share an app article.

NOTE
An app’s role assignments will be deleted when the app is deleted.

NOTE
The app owner's role assignment can only be deleted by assigning a new owner for the app.

PowerApps Admin center


An admin can delete app-role assignments for a user starting from the PowerApps Admin center by following
these steps:
1. From the PowerApps Admin center, select each environment in your organization.
You must be an Office 365 Global Administrator or Azure Active Directory Global Administrator to be able
to review all environments that have been created within your organization.
2. For each environment select Resources > Apps.
3. Select Share for each of the apps in the environment:

4. If the user has access to the app, from within the app’s Share screen, remove their permission and select
Save.
PowerShell cmdlets for admins
An admin can delete all of a user’s canvas-app role assignments by using the Remove-AdminAppRoleAssignment
function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Finds all app role assignments for the DSR user and deletes them
Get-AdminAppRoleAssignment -UserId $deleteDsrUserId | Remove-AdminAppRoleAssignment

Step 5: Delete connections created by a user


Connections are used in conjunction with connectors when establishing connectivity with other APIs and SaaS
systems. Connections do include references to the user who created them and, as a result, can be deleted to
remove any references to the user.
PowerShell cmdlets for app creators
A user can delete all of their connections by using the Remove-Connection function in the PowerShell cmdlets for
app creators:

Add-PowerAppsAccount

#Retrieves all connections for the calling user and deletes them
Get-Connection | Remove-Connection

PowerShell cmdlets for PowerApps administrators


An admin can delete all of a user’s connections by using the Remove-AdminConnection function in the
PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Retrieves all connections for the DSR user and deletes them
Get-AdminConnection -CreatedBy $deleteDsrUserId | Remove-AdminConnection
Step 6: Delete the user’s permissions to shared connections
PowerShell cmdlets for app creators
A user can delete all of their connection role assignments for shared connections by using the
Remove-ConnectionRoleAssignment function in the PowerShell cmdlets for app creators:

Add-PowerAppsAccount

#Retrieves all connection role assignments for the calling user and deletes them
Get-ConnectionRoleAssignment | Remove-ConnectionRoleAssignment

NOTE
Owner role assignments cannot be deleted without deleting the connection resource.

PowerShell cmdlets for admins


An admin can delete all of a user’s connection role assignments by using the
Remove-AdminConnectionRoleAssignment function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Retrieves all connection role assignments for the DSR user and deletes them
Get-AdminConnectionRoleAssignment -PrincipalObjectId $deleteDsrUserId | Remove-AdminConnectionRoleAssignment

Step 7: Delete custom connectors created by the user


Custom Connectors supplement the existing out of box connectors and allow for connectivity to other APIs, SaaS
and custom-developed systems. You may want to transfer Custom Connector ownership to other users in the
organization or delete the Custom Connector.
PowerShell cmdlets for app creators
A user can delete all of their custom connectors by using the Remove-Connector function in the PowerShell
cmdlets for app creators:

Add-PowerAppsAccount

#Retrieves all custom connectors for the calling user and deletes them
Get-Connector -FilterNonCustomConnectors | Remove-Connector

PowerShell cmdlets for admins


An admin can delete all custom connectors created by a user using the Remove-AdminConnector function in the
PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Retrieves all custom connectors created by the DSR user and deletes them
Get-AdminConnector -CreatedBy $deleteDsrUserId | Remove-AdminConnector

Step 8: Delete the user’s permissions to shared custom connectors


PowerShell cmdlets for app creators
A user can delete all of their connector role assignments for shared custom connectors with the
Remove-ConnectorRoleAssignment function in the PowerShell cmdlets for app creators:

Add-PowerAppsAccount

#Retrieves all connector role assignments for the calling user and deletes them
Get-ConnectorRoleAssignment | Remove-ConnectorRoleAssignment

NOTE
Owner role assignments cannot be deleted without deleting the connection resource.

PowerShell cmdlets for admins


An admin can delete all custom connector role assignments for a user using the
Remove-AdminConnectorRoleAssignment function in the PowerApps Admin PowerShell cmdlets:

Add-PowerAppsAccount
$deleteDsrUserId = "0ecb1fcc-6782-4e46-a4c4-738c1d3accea"

#Retrieves all custom connector role assignments for the DSR user and deletes them
Get-AdminConnectorRoleAssignment -PrincipalObjectId $deleteDsrUserId | Remove-AdminConnectorRoleAssignment
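
The admin cmdlets from Steps 3 to 8 combined into one script, as an added example that is not part of the original documentation. It records what each Get-Admin* query returns for the DSR user, deletes only when -Delete is passed, and re-queries afterwards to confirm nothing is left. The script parameters, the evidence folder and the file names are assumptions; only cmdlets and parameters shown in the steps above are used.

```powershell
# Added example (not from the original documentation).
# Assumes the PowerApps Admin PowerShell module is installed and the caller
# signs in with an account that has tenant-wide admin rights.
param(
    [Parameter(Mandatory = $true)][guid]$DsrUserId,   # Azure AD object ID of the DSR user
    [string]$EvidenceDir = '.\dsr-evidence',          # assumed output folder
    [switch]$Delete                                   # without this switch nothing is removed
)

$ErrorActionPreference = 'Stop'
Add-PowerAppsAccount
$id = $DsrUserId.ToString()

# Steps 3-8 in the page's order: owned resources first, then the remaining
# role assignments. Deleting an app also deletes its role assignments, and
# owner role assignments only disappear with the resource itself, so every
# query is re-run at the moment it is needed instead of being cached.
$steps = @(
    @{ Name = 'apps';                        Get = { Get-AdminApp -Owner $id };                                   Remove = 'Remove-AdminApp' }
    @{ Name = 'app-role-assignments';        Get = { Get-AdminAppRoleAssignment -UserId $id };                    Remove = 'Remove-AdminAppRoleAssignment' }
    @{ Name = 'connections';                 Get = { Get-AdminConnection -CreatedBy $id };                        Remove = 'Remove-AdminConnection' }
    @{ Name = 'connection-role-assignments'; Get = { Get-AdminConnectionRoleAssignment -PrincipalObjectId $id };  Remove = 'Remove-AdminConnectionRoleAssignment' }
    @{ Name = 'connectors';                  Get = { Get-AdminConnector -CreatedBy $id };                         Remove = 'Remove-AdminConnector' }
    @{ Name = 'connector-role-assignments';  Get = { Get-AdminConnectorRoleAssignment -PrincipalObjectId $id };   Remove = 'Remove-AdminConnectorRoleAssignment' }
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Pass 1: inventory. The JSON files contain references to the user, so they
# are personal data too and belong under the same retention rules as the
# DSR case record.
foreach ($step in $steps) {
    $items = @(& $step.Get)
    $file  = Join-Path $EvidenceDir ("{0}-before.json" -f $step.Name)
    ConvertTo-Json -InputObject $items -Depth 5 | Set-Content -Path $file -Encoding UTF8
    Write-Host ('{0,-28} {1,5} found' -f $step.Name, $items.Count)
}

if (-not $Delete) {
    Write-Host 'Inventory only. Review the files, then re-run with -Delete.'
    return
}

# Pass 2: delete, one step at a time, using the same pipelines as the page.
foreach ($step in $steps) {
    Write-Host ('Removing {0} ...' -f $step.Name)
    & $step.Get | & $step.Remove | Out-Null
}

# Pass 3: verify that every query now comes back empty.
$remaining = 0
foreach ($step in $steps) {
    $left = @(& $step.Get).Count
    $remaining += $left
    Write-Host ('{0,-28} {1,5} remaining' -f $step.Name, $left)
}

if ($remaining -gt 0) {
    Write-Warning "$remaining item(s) still reference user $id; review them manually."
}
```

Run it once without -Delete and reassign any apps or custom connectors the business still needs before running it again with -Delete.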

Step 9: Delete the user’s personal data in Microsoft Flow


PowerApps licenses always include Microsoft Flow capabilities. In addition to being included in PowerApps
licenses, Microsoft Flow is also available as a standalone service. For guidance on how to respond to DSRs for
users who use the Microsoft Flow service, see Responding to GDPR Data Subject Requests for Microsoft Flow.

IMPORTANT
It is recommended that admins complete this step for a PowerApps user.

Step 10: Delete the user’s personal data in instances of Common Data Service
Certain PowerApps licenses, including the PowerApps Community Plan, give the ability for users within your
organization to create instances of Common Data Service and to create and build apps on Common Data Service.
The PowerApps Community Plan is a free license that allows users to try out Common Data Service in an
individual environment. See the PowerApps pricing page for which capabilities are included in each PowerApps
license.
For guidance on how to respond to DSRs for users who use Common Data Service, see Responding to Data
Subject Rights (DSR) requests for Common Data Service customer data.

IMPORTANT
It is recommended that admins complete this step for a PowerApps user.

Step 11: Delete the user from Azure Active Directory


Once the above steps have been completed, the final step is to delete the user’s account from Azure Active Directory.
Managed tenant
As an admin of a managed Azure AD tenant you can delete the user's account by following the steps outlined in
the Azure Data Subject Request GDPR documentation that can be found on the Office 365 Service Trust Portal.
Unmanaged tenant
If you are a member of an unmanaged tenant then you will need to follow these steps in order to delete your
account from your Azure AD tenant:

NOTE
Please see the Unmanaged tenant section above to see how to detect if you are a member of an unmanaged or managed
tenant.

1. Navigate to the Work and School privacy page and sign-in with your Azure AD account.
2. Select Close account and follow the instructions to delete your account from your Azure AD tenant.
Responding to Data Subject Rights (DSR) requests for Common Data Service customer data
4/19/2019 • 17 minutes to read

Introduction to DSR requests


The European Union (EU) General Data Protection Regulation (GDPR) gives rights to people (known in the
regulation as data subjects) to manage the personal data that's been collected by an employer or other type of
agency or organization (known as the data controller or just controller). Personal data is defined very broadly
under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data
subjects the right to do the following, as it pertains to their personal data:
Obtain copies
Request corrections
Restrict processing
Delete it
Receive it in electronic format so it can be moved to another controller
A formal request by a data subject to a controller to take an action on his or her personal data is called a Data
Subject Rights (DSR) request.
This article describes how Microsoft is preparing for the GDPR, and also provides examples of steps you can take
to support GDPR compliance when using PowerApps, Microsoft Flow, and Common Data Service. You'll learn
how to use Microsoft products, services, and administrative tools to help controller customers find, access, and
act on personal data in the Microsoft cloud in response to DSR requests.
The following actions are covered in this article:
Discover — Use search and discovery tools to more easily find customer data that may be the subject of a
DSR request. Once potentially responsive documents are collected, you can perform one or more of the
following DSR actions to respond to the request. Alternatively, you may determine that the request doesn't
meet your organization’s guidelines for responding to DSR requests.
Access — Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of that
data available to the data subject.
Rectify — Make changes or implement other requested actions on the personal data, where applicable.
Restrict — Restrict the processing of personal data, either by removing licenses for various online services
or turning off the desired services where possible. You can also remove data from the Microsoft cloud and
retain it on-premises or at another location.
Delete — Permanently remove personal data that resides in the Microsoft cloud.
Export — Provide an electronic copy (in a machine-readable format) of personal data to the data subject.

Common Data Service customer data


IMPORTANT
Applies to both Common Data Service and the previous version of Common Data Service
Common Data Service and the previous version of Common Data Service have separate processes for
interacting with personal data.
You can identify which type of Common Data Service environment you have by logging into PowerApps and
following these steps:
1. In the Environment drop-down list, select your environment.
2. In the navigation pane, click or tap Data, and then click or tap Entities.
Your environment is Common Data Service if you see the following entities listed:

Your environment is the previous version of Common Data Service if you see the following entities listed:

After you determine which type of Common Data Service environment you have, follow the steps in the
following sections to identify personal data.

NOTE
You may have some environments in Common Data Service and others in the previous version of Common Data Service,
so you'll need to repeat the processes outlined below for each environment in your organization.
User personal data in Common Data Service
Prerequisites
You must create users in the Microsoft 365 admin center and assign them an appropriate user license and
security role before they can access and use Common Data Service.
Standard user personal data (for example, UserName, UserID, Phone, Email, and Address) is kept and maintained
in the Microsoft 365 admin center. System administrators can update this personal data only in the Microsoft 365
admin center, and the data is then automatically synced to the Common Data Service system User entity in all
environments. System administrators can also create custom attributes to capture additional user personal data
within the Common Data Service system User entity, and then manually maintain and manage these attributes.
To avoid interruption to business applications that may be critical to your organization’s operations, a user's
records are not automatically removed from the Common Data Service system User entity when that user is
deleted from within the Microsoft 365 admin center. The user’s status is set to Disabled in Common Data Service,
but a Common Data Service System Administrator must locate and remove the user's personal data from
Common Data Service within the application.
Only Office 365 Global Administrators and Common Data Service System Administrators can perform the
discover, rectify, export, and delete actions listed below.
Discover
System Administrators can create multiple Common Data Service instances. These instances can be used for trial,
development, or production purposes. Each of these instances has a copy of the system User entity with any
custom attributes that may have been added by the system administrator, as well as the user personal data
synced from the Microsoft 365 admin center.
System administrators can find a list of all the Common Data Service instances by navigating to the Dynamics
365 Administration Center from the PowerApps Admin center.
From the PowerApps Admin center, do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center.

A list of all the instances displays.


You can find personal data from Common Data Service users within the following resources:

RESOURCE | PURPOSE | WEBSITE ACCESS | PROGRAMMATIC ACCESS
Entity record | Known as the system User entity, it stores a user's personal data. | PowerApps Admin center | Through the Web API
Audit history | Allows customers to identify resources that users created, accessed, changed, or deleted at an entity level. | PowerApps Admin center | Through the Web API

User
User personal data is stored in the Azure Active Directory and is automatically synced to all Common Data
Service environments. System administrators cannot update this personal data directly in Common Data Service
while the user is active—they must update the data from within the Office 365 Administration Center. System
administrators can add personal data (for example, custom attributes) directly to Common Data Service, but they
must manually manage this data.
To find a user and his or her personal data, go to the PowerApps Admin center and do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center, select an environment from the list, and then click or
tap Open.
3. Go to Settings > Security > Users.
4. Enter the name of the user in the Search box, and then click or tap Search.
5. To view the user's personal data, double-click or double-tap the user's name.

Audit history
When audit tracking is enabled for an entity in Common Data Service, a user's personal data is logged in the
audit history along with the actions that the user performs.
Rectify
If a data subject asks you to rectify the personal data that resides in your organization’s data, you and your
organization must determine whether it’s appropriate to honor the request. Rectifying data may include editing,
redacting, or removing personal data from a document or other type of item.
You can use Azure Active Directory to manage the identities (personal data) of your users within Common Data
Service. Enterprise customers can manage DSR rectify requests by using the limited editing features within a
given Microsoft service. As a data processor, Microsoft does not offer the ability to correct system-generated logs,
because they reflect factual activities and constitute a historical record of events within Microsoft services. See
GDPR: Data Subject Requests (DSRs) for details.
Once a user record is deleted from Azure Active Directory, System Administrators can then remove any
remaining personal data related to that user (such as custom attributes) from all the instances.
Export
System user
You can export a user's personal data stored in the system User entity to Excel from the user list within the
administration center.
From the PowerApps Admin center, do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center, select an environment from the list, and then click or
tap Open.
3. Go to Settings > Security, and then select Enabled Users View.
4. Click Export to Excel.
Audit history
You can take screenshots of the audit history from within the administration center.
From the PowerApps Admin center, do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center, select an environment from the list, and then click or
tap Open.
3. Go to Settings > Auditing, and then select Audit Summary View.

4. Locate the user audit record, and then press Alt+PrtScn to take the screenshot.

5. Save the screenshot to a file, which you can then send to the DSR requestor.
Delete
User
To avoid interruption to business applications that may be critical to your organization’s operations, a user's
records are not automatically removed from the Common Data Service system User entity when that user is
deleted from within the Microsoft 365 admin center. The user’s status is set to Disabled in Common Data Service,
but a Common Data Service System Administrator must locate and remove the user's personal data from
Common Data Service within the application.
Remove a user's personal data from the user's Summary page
When a user record is deleted from the Azure Active Directory, the following message is displayed on the user's
Summary page:
This user’s information is no longer managed by Office 365. You can update this record to respond to DSR
requests by removing or replacing all personal data associated with this user.
From the PowerApps Admin center, do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center, select an environment from the list, and then click or
tap Open.
3. Go to Settings > Security > Users, and then select Disabled Users View.
4. Enter the name of the user in the Search box, and then click or tap Search.
5. Double-click the user's name in the search results list.
6. On the user's Summary page, remove all personal data, and then click or tap Save.
Remove a user's personal data by using Excel
From the PowerApps Admin center, do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center, select an environment from the list, and then click or
tap Open.
3. Go to Settings > Security > Users, and then select Disabled Users View.
4. Create and download an Excel template file from the user's personal data. For step-by-step instructions,
see Create a new Excel template.
5. Open the downloaded Excel template file, remove the user's personal data, and then save the file.
6. Return to the Disabled Users View page and click or tap Import Data.
7. Select the Excel template file in the Upload data file dialog box and make all the necessary changes in
the Map Fields window.
8. Click or tap Next, and then click or tap Submit.
Remove audit history from the Audit Summary View page
From the PowerApps Admin center, do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center, select an environment from the list, and then click or
tap Open.
3. Go to Settings > Auditing, and then select Audit Summary View.
4. Locate the user's change history, click or tap the check box next to the row(s), and then click or tap Delete
Change History.

Personal data stored in databases of Common Data Service


Prerequisites
You may be storing personal data from individuals (such as your own customers) within your Common Data
Service entities.
Common Data Service System Administrators are responsible for maintaining an inventory of where personal
data is being stored within various entities for each individual so that they can locate that data in response to
any DSR requests.
Personal data can then be exported, rectified, or deleted in an entity using the in-product functionality.
Discover
When Common Data Service System Administrators receive a DSR request from an individual, they must
identify which environments/Common Data Service instances contain personal data for that individual. Personal
data is typically stored in key entities (for example, Account, Contact, Lead, Opportunity, etc.), but it’s your
responsibility to develop policies and procedures for maintaining an inventory of where you store each
individual's personal data so you're prepared to respond to DSR requests.
Using an inventory, Common Data Service System Administrators can configure the search entities and fields
and then access the Common Data Service environment to discover personal data. For more information, see
Configure Relevance Search.
From the PowerApps Admin center, do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center, select an environment from the list, click or tap the
search button, and then click or tap Relevance Search.

3. Enter the individual’s personal data in the search box, and then click or tap Search.

Rectify
Common Data Service System Administrators can update an individual’s personal data by using the list of results
from the Relevance Search. However, an individual’s personal data may also be stored in other custom entities.
Common Data Service System Administrators are responsible for maintaining an inventory of these other
custom entities and making the appropriate updates to an individual’s personal data.
From the Relevance Search results, do the following:
1. Click or tap an item that contains the individual's personal data.
2. Update the individual's personal data where appropriate, and then click or tap Save.

Export
You can take a screenshot of the data and share it with your DSR requestor.
From the PowerApps Admin center, do the following:
1. In the navigation pane, click or tap Environments, and then select an environment from the list.
2. Click or tap Dynamics 365 Administration Center, select an environment from the list, click or tap the
search button, and then click or tap Relevance Search.

3. Enter the individual’s personal data in the search box, and then click or tap Search.
4. Double-click the item in the search results list.
5. Press Alt+PrtScn to take the screenshot.
6. Save the screenshot to a file, which you can then send to the DSR requestor.
Delete
Common Data Service System Administrators can delete an individual’s personal data from records where that
data is stored. The Common Data Service System Administrator can choose to either delete the record where the
personal data is stored, or remove the contents of the personal data from the record.

NOTE
Common Data Service administrators can customize an environment to prevent a record from being deleted from an entity.
If configured in this way, you'll have to remove the contents of the personal data from the record rather than delete the
record itself.

From the Relevance Search results, do the following:


1. Click or tap an item that contains the individual's personal data.
2. In the ribbon, click or tap Delete. (Note that Delete is disabled if the record cannot be deleted).
Personal data stored in databases of the previous version of Common Data Service
Prerequisites
You may be storing personal data from individuals (such as your own customers) within your Common Data
Service entities.
Common Data Service System Administrators are responsible for maintaining an inventory of where personal
data is being stored within various entities for each individual so that they can locate that data in response to
any DSR requests.
Personal data can then be exported, rectified, or deleted in an entity using the in-product functionality.
Discover
When Common Data Service System Administrators receive a DSR request from an individual, they must
identify which environments/Common Data Service instances contain personal data from that individual.
Personal data is typically stored in key entities (for example, Account, Contact, Lead, Opportunity, etc.), but it’s
your responsibility to develop policies and procedures for maintaining an inventory of where you store each
individual's personal data so you're prepared to respond to DSR requests.
You can find personal data from users of the previous version of Common Data Service within the following
resources:

RESOURCE | PURPOSE | WEBSITE ACCESS | PROGRAMMATIC ACCESS
Entity records | Captures business transactions in the respective business entity. | PowerApps | No

Entity records
An individual's personal data can be stored in any business entity.
This version of the Common Data Service contains its own database schema and infrastructure. It has its own
entities, and you manage these entities in PowerApps.
To see a list of your entities, do the following:
1. In the Environment drop-down list, select your environment.
2. In the navigation pane, click or tap Data, and then click or tap Entities.
3. From the list of entities, click or tap an entity (for example, the Account entity), as shown below.

4. Click or tap the Data tab. A list of records for the entity displays.

5. Click or tap Export data.


6. When the export is complete, click or tap Open in Excel, and then click or tap Enable editing.
7. Click or tap the search button, enter the individual’s personal data in the search box, and then click or tap
Search.
8. Using your inventory list, repeat the above steps for each of the business entities to discover all of the
individual's personal data.
Rectify
If a data subject asks you to rectify the personal data that resides in your organization’s data, you and your
organization must determine whether it’s appropriate to honor the request. Rectifying data may include editing,
redacting, or removing personal data from a document or other type of item.
You can use Azure Active Directory to manage the identities (personal data) of your users within the previous
version of Common Data Service. Enterprise customers can manage DSR rectify requests by using the limited
editing features within a given Microsoft service. As a data processor, Microsoft does not offer the ability to
correct system-generated logs, because they reflect factual activities and constitute a historical record of events
within Microsoft services. See GDPR: Data Subject Requests (DSRs) for details.
To rectify personal data that resides in the Common Data Service environment, you can export the entity data
into an Excel spreadsheet, update it, and then import the updates back to the database.
Common Data Service System Administrators are responsible for identifying all entities that contain personal
data for an individual and repeating the following steps for each of those entities.
From PowerApps, do the following:
1. In the navigation pane, click or tap Data, and then click or tap Entities.

2. From the list of entities, click or tap an entity (for example, the Account entity), as shown below.

3. Click or tap the Data tab. A list of records for the entity displays.
4. Click or tap Export data.
5. When the export is complete, click or tap Open in Excel, and then click or tap Enable editing.
6. In the menu bar, click or tap File, click or tap Save As, and then select a location in which to save the file.
7. Make the necessary personal data updates and save the spreadsheet.
8. In PowerApps, go back to the Data tab of the entity, and then click or tap Import data.
9. Click Search, and then select and open the Excel spreadsheet that you just updated.
10. Click Import.
Export
You can export personal data from each entity into an Excel spreadsheet and view it.
From PowerApps, do the following:
1. In the navigation pane, click or tap Data, and then click or tap Entities.

2. From the list of entities, click or tap the entity that you want to export and view (for example, the Account
entity), as shown below.
3. Click or tap the Data tab. A list of records for the entity displays.

4. Click or tap Export data.


The export operation runs in the background and you'll be notified when it’s complete.
5. To view the exported data, click or tap Open in Excel.
Delete
You can delete personal data that's stored in entities by using the Export/Import data feature.
Common Data Service System Administrators are responsible for identifying all entities that contain personal
data for an individual and repeating the following steps for each of those entities.
From PowerApps, do the following:
1. In the navigation pane, click or tap Data, and then click or tap Entities.
2. From the list of entities, click or tap the entity from which you want to remove personal data (for example,
the Account entity), as shown below.

3. Click or tap the Data tab. A list of records for the entity displays.
4. Click or tap Export data.
5. When the export is complete, click or tap Open in Excel, and then click or tap Enable editing.
6. In the menu bar, click or tap File, click or tap Save As, and then select a location in which to save the file.
7. Delete the rows containing the personal data that you want to remove from the entity and save the
spreadsheet.
8. In PowerApps, go back to the Data tab of the entity, and then click or tap Import data.
9. Click Search, and then select and open the Excel spreadsheet that you just updated.
10. Click Import.
Compliance and data privacy
6/4/2019 • 5 minutes to read

[This topic is pre-release documentation and is subject to change.]


Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory
compliance. Microsoft’s broad suite of cloud products and services are all built from the ground up to address the
most rigorous security and privacy demands of our customers.
To help your organization comply with national, regional, and industry-specific requirements governing the
collection and use of individuals’ data, Microsoft provides the most comprehensive set of compliance offerings
(including certifications and attestations) of any cloud service provider. There are also tools for administrators to
support your organization’s efforts. In this part of the document we will cover in more detail the resources
available to help you determine and achieve your own organization’s requirements.

Trust Center
The Microsoft Trust Center (https://www.microsoft.com/en-us/trustcenter) is a centralized resource for obtaining
information on Microsoft’s portfolio of products. This includes information on security, privacy, compliance, and
transparency. While this content may contain some subset of this information for PowerApps, it is important to
always refer to the Microsoft Trust Center for the most up to date authoritative information.
For quick reference, you can find the Trust Center information for the Microsoft Power Platform here:
https://www.microsoft.com/en-us/TrustCenter/CloudServices/business-application-platform/default.aspx
This includes information on PowerApps, Microsoft Flow and Power BI.

Data Location
Microsoft operates multiple data centers world-wide that support the Microsoft Power Platform applications.
When your organization establishes a tenant, it establishes the default geographical (geo) location. In addition,
when creating environments to support applications and contain Common Data Service data the environments can
be targeted for a specific geo. A current list of the geos for the Microsoft Power Platform can be found here:
https://www.microsoft.com/en-us/TrustCenter/CloudServices/business-application-platform/data-location
To support continuity of operations, Microsoft may replicate data to other regions within a geo, but the data will
not move outside the geo to support data resiliency. This supports the ability to fail over or recover more rapidly in
the event of a severe outage. There are some reasonable exceptions to keeping data in the specific geo that are
listed on the above site, primarily focused on legal and support. It’s also important to note that you or your users
can take actions that expose data outside of the geo. Other services can also be configured to access the data and
expose it outside of the geo. By default, authorized users can access the platform and your applications and data
from anywhere in the world where there is connectivity.

Data Protection
Data in transit between user devices and the Microsoft datacenters is secured. Connections established
between customers and Microsoft datacenters are encrypted, and all public endpoints are secured using industry-
standard TLS. TLS effectively establishes a security-enhanced browser to server connection to help ensure data
confidentiality and integrity between desktops and datacenters. API access from the customer endpoint to the
server is also similarly protected. Currently, TLS 1.2 (or higher) is required for accessing the server endpoints.
Data transferred through the on-premises data gateway is also encrypted. Data that users upload is typically sent
to Azure Blob storage, and all metadata and artifacts for the system itself are stored in an Azure SQL database and
Azure Table storage.
All instances of the Common Data Service database use SQL Server Transparent Data Encryption (TDE) to
perform real-time encryption of data when written to disk, also known as encryption at rest.
By default, Microsoft stores and manages the database encryption keys for your instances so you don’t have to.
The manage keys feature in the Dynamics 365 admin center gives administrators the ability to self-manage the
database encryption keys that are associated with instances of Dynamics 365 (online). You can read more about
managing your own keys here:
https://docs.microsoft.com/en-us/dynamics365/customer-engagement/admin/manage-encryption-keys-instance
Generally, it is recommended to have Microsoft manage the keys unless you have a specific business need to
maintain your own.

Resources to manage GDPR Compliance


The European Union General Data Protection Regulation (GDPR) is one of the newest privacy regulations enacted
that gives rights to people to manage their personal data. In this section we will look at some of the tools and
resources available for the Microsoft Power Platform to assist administrators in their efforts to comply with GDPR.
Some of these resources and tools may also be helpful to assist you in other data privacy related tasks not directly
related to GDPR. A complete discussion of GDPR is beyond the scope of this content; however, in this section we
will focus on the tools and resources to support your efforts. Additionally, Microsoft has a section on the Trust
Center dedicated to GDPR resources and information that can be helpful. You can find that here:
https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
First, let’s review some of GDPR’s terminology that matters in this context:

TERM | RELEVANCE
Data Subject | GDPR identifies people as data subjects. It is their personal data that might have been collected by your organization either in the employment of the person or some interaction collecting their personal data
Data Controller | Organizations that collect and process data for their own purposes
Data Processor | Organizations that process data on behalf of others
Personal Data | Any information relating to an identified or identifiable natural person.

As an administrator, one of the key activities in support of GDPR will be related to Data Subject Rights (DSR)
requests. These are formal requests from a Data Subject to a Data Controller (likely your organization) to act on
their personal data in your systems. GDPR gives rights to Data Subjects to obtain copies, request corrections,
restrict processing of the data, delete the data and to receive copies in an electronic format so it could be moved to
another Data Controller.
The following links point to detailed information to help you respond to DSR requests depending on the features
your organization is using.

PLATFORM FEATURE AREA | LINK TO DETAILED RESPONSE STEPS
PowerApps | Responding to Data Subject Rights (DSR) requests to export PowerApps customer data
Common Data Service | Responding to Data Subject Rights (DSR) requests for Common Data Service customer data
Microsoft Flow | https://docs.microsoft.com/flow/gdpr-dsr-summary
Microsoft Accounts (MSAs) | https://docs.microsoft.com/flow/gdpr-dsr-summary-msa
Dynamics 365 | https://docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-dynamics365
Office 365 | Security and Compliance Center


You may also find Microsoft Compliance Manager helpful to manage your compliance efforts across Microsoft
cloud services in a single place. More details about Compliance Manager can be found here:
https://aka.ms/compliancemanager

Microsoft Flow Audit Log Events


In the compliance center's Audit Log Search, administrators can now search and view Microsoft Flow events. Events
include Created flow, Edited flow, Deleted flow, Edited Permissions, Deleted Permissions, Started a paid trial,
Renewed a paid trial. Using the portal you can choose what you want to search and a time window.

When you drill down into an item in the query results, you get a details page with information about that event.
The most useful information comes from selecting More Information and drilling down into the full detail
page.
Audit data is retained for 90 days. You can do CSV exports of the data, allowing you to move it into Excel or
Power BI for further analysis. You can find a complete walkthrough of using the audit information here:
https://flow.microsoft.com/en-us/blog/security-and-compliance-center/
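
As an added example (not part of the original documentation), the following Python triages a CSV export of Flow audit events: it pulls out permission changes and deletions for review and lists events that will age out of the 90-day retention window soon, so they can be archived first. The column names, timestamp format, users and rows are constructed assumptions; the operation names are the event names listed above, and a real export may label them differently.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # audit data retention stated above

# Event names as listed above; a real export may label operations differently.
SHARING = {"Edited Permissions", "Deleted Permissions"}
DESTRUCTIVE = {"Deleted flow"}

# Constructed sample export. Column names and timestamp format are assumptions.
SAMPLE_EXPORT = """\
CreationDate,UserIds,Operations
2019-03-20T08:00:00Z,alice@contoso.example,Created flow
2019-03-21T10:30:00Z,bob@contoso.example,Edited Permissions
2019-05-02T09:14:00Z,alice@contoso.example,Edited flow
2019-06-10T16:45:00Z,bob@contoso.example,Deleted flow
2019-06-11T11:05:00Z,carol@contoso.example,Started a paid trial
2019-06-12T13:20:00Z,bob@contoso.example,Deleted Permissions
"""


def parse_export(text):
    """Parse the CSV text into event dicts, oldest first, with UTC timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["CreationDate"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "when": when.replace(tzinfo=timezone.utc),
            "user": row["UserIds"].strip().lower(),
            "operation": row["Operations"].strip(),
        })
    return sorted(events, key=lambda e: e["when"])


def triage(events, now, warn_days=14):
    """Split events into ones to review and ones about to leave retention."""
    review, expiring = [], []
    for ev in events:
        # Sharing changes and deletions are the events worth a second look.
        if ev["operation"] in SHARING | DESTRUCTIVE:
            review.append(ev)
        # Anything expiring inside the warning window should be archived now.
        expires = ev["when"] + RETENTION
        if now <= expires <= now + timedelta(days=warn_days):
            expiring.append(ev)
    return {
        "review": review,
        "expiring": expiring,
        "review_by_user": Counter(ev["user"] for ev in review),
    }


if __name__ == "__main__":
    report = triage(parse_export(SAMPLE_EXPORT),
                    now=datetime(2019, 6, 15, tzinfo=timezone.utc))
    for ev in report["review"]:
        print("REVIEW ", ev["when"].isoformat(), ev["user"], ev["operation"])
    for ev in report["expiring"]:
        print("ARCHIVE", ev["when"].isoformat(), ev["user"], ev["operation"])
    print(dict(report["review_by_user"]))
```
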
Microsoft PowerApps US Government
8/13/2019 • 11 minutes to read

In response to the unique and evolving requirements of the United States public sector, Microsoft has created
PowerApps US Government, which consists of several plans for US government organizations. This section
provides an overview of features that are specific to PowerApps US Government. It is recommended that you read
this supplementary section alongside the PowerApps documentation, which covers information about the general
PowerApps service description. For brevity, this service is commonly referred to as PowerApps Government
Community Cloud (GCC).
The PowerApps US Government service description is designed to serve as an overlay to the general PowerApps
service description. It defines the unique commitments of this service and the differences from PowerApps
offerings that have been available to our customers since October 2016.

About PowerApps US Government environments and plans


PowerApps US Government plans are monthly subscriptions and can be licensed to an unlimited number of users.
The PowerApps GCC environment provides compliance with federal requirements for cloud services, including
FedRAMP High, DoD DISA IL2, and requirements for criminal justice systems (CJI data types).
In addition to the features and capabilities of PowerApps, organizations that use PowerApps US Government
benefit from the following features unique to PowerApps US Government:
Your organization's customer content is physically segregated from customer content in Microsoft's
commercial PowerApps services.
Your organization's customer content is stored within the United States.
Access to your organization's customer content is restricted to screened Microsoft personnel.
PowerApps US Government complies with certifications and accreditations that are required for US public
sector customers.

Customer eligibility
PowerApps US Government is available to (1) US federal, state, local, tribal, and territorial government entities and
(2) other entities that handle data that is subject to government regulations and requirements and where use of
PowerApps US Government is appropriate to meet these requirements, subject to validation of eligibility.
Validation of eligibility by Microsoft will include confirmation of handling data subject to International Traffic in
Arms Regulations (ITAR), law enforcement data subject to the FBI's Criminal Justice Information Services (CJIS)
policy, or other government-regulated or controlled data. Validation might require sponsorship by a government
entity with specific requirements for the handling of data.
Entities with questions about eligibility for PowerApps US Government should consult their account team. Upon
renewal of a customer's contract for PowerApps US Government, revalidation of eligibility is required.

PowerApps US Government plans


Access to PowerApps US Government plans is restricted to the following offerings; each plan is offered as a
monthly subscription and can be licensed to an unlimited number of users:
PowerApps/Flow Plan 1 US Government
PowerApps/Flow Plan 2 US Government
In addition to the standalone plans, PowerApps and Microsoft Flow capabilities are also included in certain
Office 365 US Government and Dynamics 365 US Government plans, allowing customers to extend and
customize Office 365 and Dynamics 365. Please note that this licensing will automatically show up and be
available in customer tenants around mid-April.
Additional information about the differences in functionality between these groups of licenses is described in more
detail on the PowerApps licensing information page. PowerApps US Government is available through the Volume
Licensing and Cloud Solution Provider purchasing channels.

What is customer data and customer content?


Customer data, as defined in the Online Services Terms, means all data, including all text, sound, video, or image
files, and software, that are provided to Microsoft by, or on behalf of, customers through the use of the Online
Service. Customer content refers to a specific subset of customer data that has been directly created by users, such
as content stored in databases through entries in the Common Data Service entities (for example, contact
information). Content is generally considered confidential information and in normal service operation is not sent
over the internet without encryption.
For more information on PowerApps protection of customer data, see the Microsoft Online Services Trust Center.

Data segregation for Government Community Cloud


When provisioned as part of PowerApps US Government, the PowerApps service is offered in accordance with the
National Institute of Standards and Technology (NIST) Special Publication 800-145.
Microsoft refers to this offer as the Government Community Cloud (GCC).
In addition to the logical separation of customer content at the application layer, the PowerApps US Government
service provides your organization with a secondary layer of physical segregation for customer content by using
infrastructure that is separate from the infrastructure used for commercial PowerApps customers. This includes
using Azure services in the Azure Government cloud. To learn more, see Azure Government.

Customer content located within the United States


PowerApps US Government services are provided from datacenters physically located in the United States.
PowerApps US Government customer content is stored at rest in datacenters physically located only in the United
States.

Restricted data access by administrators


Access to PowerApps US Government customer content by Microsoft administrators is restricted to personnel
who are US citizens. These personnel undergo background investigations in accordance with relevant government
standards.
PowerApps support and service engineering staff do not have standing access to customer content hosted in
PowerApps US Government. Any staff who request temporary permission elevation which would grant access to
customer content must first have passed the following background checks.

MICROSOFT PERSONNEL SCREENING AND BACKGROUND CHECKS (1) | DESCRIPTION
U.S. Citizenship | Verification of U.S. citizenship
Employment History Check | Verification of seven (7) year employment history
Education Verification | Verification of highest degree attained
Social Security Number (SSN) Search | Verification that the provided SSN is valid
Criminal History Check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions
Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
Fingerprinting Check | Fingerprint background check against FBI databases
CJIS Background Screening | State-adjudicated review of federal and state criminal history by state CSA appointed authority within each state that has signed up for the Microsoft CJIS IA program

(1) Applies only to personnel with temporary or standing access to customer content hosted in PowerApps US
Government (GCC).

Certifications and accreditations


PowerApps US Government is designed to support the Federal Risk and Authorization Management Program
(FedRAMP) accreditation at a High Impact level. This implies alignment to DoD DISA IL2. FedRAMP artifacts are
available for review by federal customers who are required to comply with FedRAMP. Federal agencies can review
these artifacts in support of their review to grant an Authority to Operate (ATO).
Note that, at the present time, the PowerApps US Government services are under review with FedRAMP but have
been granted a Security Assessment Report (SAR) by a qualified Third Party Assessment Organization (3PAO). As
Microsoft moves to refresh FedRAMP artifacts as part of the standard audit cycles, content will be updated
accordingly.
PowerApps US Government has features designed to support customers’ CJIS Policy requirements for law
enforcement agencies. Please visit the PowerApps US Government products page in Trust Center for more detailed
information related to certifications and accreditations.

PowerApps US Government and other Microsoft services


PowerApps US Government includes several features that allow users to connect to and integrate with other
Microsoft enterprise service offerings such as Office 365 US Government, Dynamics 365 US Government, and
Microsoft Flow US Government. PowerApps US Government is deployed within Microsoft datacenters in a
manner consistent with a multi-tenant, public cloud deployment model; however, client applications, including but
not limited to the web-user client, PowerApps mobile applications, and any third-party client application that
connects to PowerApps US Government, are not part of PowerApps US Government's accreditation boundary, and
government customers are responsible for managing them.
PowerApps US Government leverages the Office 365 customer administrator UI for customer administration and
billing—PowerApps US Government maintains the actual resources, information flow, and data management,
while relying on Office 365 to provide the visual styles that are presented to the customer administrator through
their management console. For purposes of FedRAMP ATO inheritance, PowerApps US Government leverages
Azure (including Azure Government) ATOs for infrastructure and platform services, respectively.
If you adopt the use of Active Directory Federation Services (AD FS) 2.0 and set up policies to help ensure your
users connect to the services through single sign-on, any customer content that is temporarily cached will be
located in the United States.

PowerApps US Government and third-party services


PowerApps US Government provides the ability to integrate third-party applications into the service through
connectors. These third-party applications and services might involve storing, transmitting, and processing your
organization’s customer data on third-party systems that are outside of the PowerApps US Government
infrastructure and therefore are not covered by the PowerApps US Government compliance and data protection
commitments.
We recommend that you review the privacy and compliance statements provided by the third parties when
assessing the appropriate use of these services for your organization.

PowerApps US Government and Azure services


The PowerApps US Government services are deployed to Microsoft Azure Government. Azure Active Directory
(Azure AD) is not part of the PowerApps US Government accreditation boundary, but the service relies on a
customer’s Azure AD tenant for customer tenant and identity functions, including authentication, federated
authentication, and licensing.
When a user of an organization employing AD FS attempts to access PowerApps US Government, the user is
redirected to a login page hosted on the organization’s AD FS server. The user provides his or her credentials to
their organization's AD FS server. The organization's AD FS server attempts to authenticate the credentials using
the organization’s Active Directory infrastructure.
If authentication is successful, the organization’s AD FS server issues a SAML (Security Assertion Markup
Language) ticket that contains information about the user’s identity and group membership.
The customer’s AD FS server signs this ticket using one half of an asymmetric key pair and then it sends the ticket
to Azure AD via encrypted Transport Layer Security (TLS). Azure AD validates the signature using the other half of
the asymmetric key pair and then grants access based on the ticket.
The user's identity and group membership information remain encrypted in Azure AD. In other words, only limited
user-identifiable information is stored in Azure AD.
You can find full details of the Azure AD security architecture and control implementation in the Azure SSP. End-
users do not interact directly with Azure AD.

PowerApps US Government service URLs


You use a different set of URLs to access PowerApps US Government, as shown in the following table.

COMMERCIAL VERSION URL | US GOVERNMENT VERSION URL
https://web.powerapps.com | https://gov.web.powerapps.us
https://create.powerapps.com | https://gov.create.powerapps.us
https://admin.powerapps.com | https://gov.admin.powerapps.us
https://flow.microsoft.com/connectors | https://gov.flow.microsoft.us/connectors

Connectivity between PowerApps US Government and public Azure Cloud Services
Azure is distributed among multiple clouds. By default, tenants are allowed to open firewall rules to a cloud-specific
instance, but cross-cloud networking is different and requires opening specific firewall rules to communicate
between services. If you are a PowerApps customer, and you have existing SQL instances in the Azure public cloud
that you need to access, you must open specific firewall rules in SQL to the Azure Government cloud IP space, for
the following datacenters:
USGov Virginia
USGov Texas
Please refer to the Azure IP Ranges and Service Tags – US Government Cloud document, focusing attention on
AzureCloud.usgovtexas and AzureCloud.usgovvirginia. Also note that these are the IP ranges required in order for
your end users to have access to the service URLs.
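
One way to turn that document into SQL firewall entries, as an added example that is not Microsoft's code: the Python below reads a Service Tags JSON file, keeps the two tags named above, merges overlapping or adjacent prefixes, and emits start/end address pairs. It assumes the `values[].name` and `properties.addressPrefixes` layout of the Service Tags download, handles IPv4 prefixes only, uses hypothetical rule names of the form `gcc-<region>-NNN`, and runs on a constructed sample built from documentation address ranges.

```python
import ipaddress
import json

# The two tags named above for USGov Texas and USGov Virginia.
GOV_TAGS = ("AzureCloud.usgovtexas", "AzureCloud.usgovvirginia")

# Constructed sample in the layout of the Service Tags download. The prefixes
# are documentation ranges (RFC 5737 / RFC 3849), not real Azure Government space.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "AzureGovernment",
    "values": [
        {"name": "AzureCloud.usgovtexas", "id": "AzureCloud.usgovtexas",
         "properties": {"region": "usgovtexas", "addressPrefixes": [
             "192.0.2.0/25", "192.0.2.128/25", "2001:db8::/48"]}},
        {"name": "AzureCloud.usgovvirginia", "id": "AzureCloud.usgovvirginia",
         "properties": {"region": "usgovvirginia", "addressPrefixes": [
             "198.51.100.0/28", "203.0.113.64/26", "203.0.113.0/24"]}},
        {"name": "AzureCloud.usgovarizona", "id": "AzureCloud.usgovarizona",
         "properties": {"region": "usgovarizona", "addressPrefixes": [
             "198.51.100.128/25"]}},
    ],
})


def load_prefixes(service_tags_json, tags=GOV_TAGS):
    """Return {tag: [IPv4Network, ...]} for the requested tags, collapsed."""
    doc = json.loads(service_tags_json)
    by_name = {v["name"]: v for v in doc.get("values", [])}
    missing = [t for t in tags if t not in by_name]
    if missing:
        # A missing tag would silently leave a whole region blocked.
        raise KeyError(f"service tags not found in file: {missing}")
    result = {}
    for tag in tags:
        nets = []
        for prefix in by_name[tag]["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=True)
            if net.version == 4:  # assumption: only IPv4 rules are generated
                nets.append(net)
        # Merge adjacent prefixes and drop ones contained in a larger prefix.
        result[tag] = list(ipaddress.collapse_addresses(nets))
    return result


def firewall_rules(prefixes_by_tag):
    """Turn collapsed networks into (rule_name, start_ip, end_ip) tuples."""
    rules = []
    for tag, nets in prefixes_by_tag.items():
        region = tag.split(".", 1)[1]
        for i, net in enumerate(nets, start=1):
            rules.append((f"gcc-{region}-{i:03d}", str(net[0]), str(net[-1])))
    return rules


def is_allowed(ip, rules):
    """Check an address against the generated ranges before deploying them."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    return any(ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)
               for _, start, end in rules)


if __name__ == "__main__":
    for name, start, end in firewall_rules(load_prefixes(SAMPLE_SERVICE_TAGS)):
        print(f"{name}: {start} - {end}")
```

Because the published ranges change over time, rerun the conversion against each new release of the document and compare the result with the rules already deployed.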

Configure mobile clients


Signing in with the PowerApps mobile client requires a few extra configuration steps.
1. On the sign-in page, select the gear icon in the lower-left corner.
2. Select Enable GCC mode.
3. Select Enable.
4. On the sign-in page, select Sign in.
The mobile application will now use the US Government Cloud domain to look up users.

On-premises data gateway configuration


Install an on-premises data gateway to transfer data quickly and securely between a canvas app that's built in
PowerApps and a data source that isn't in the cloud, such as an on-premises SQL Server database or an on-
premises SharePoint site.
If your organization (tenant) has already configured and successfully connected the on-premises data gateway for
Power BI US Government, then the process and configuration your organization executed to enable that will also
enable on-premises connectivity for PowerApps. However, if you are unable to connect to your tenant, you might
need to go through a “whitelisting” process, which will enable this capability for your tenant. Should this occur,
please open a support ticket to address your needs. The support team will follow an established process to address
your request.

PowerApps US Government feature limitations


Some of the features available in the commercial version of PowerApps are not available to PowerApps US
Government customers. The PowerApps team is actively working on making the following features available to US
Government customers and will update this article when these features become available:
Embed in SharePoint Online, Microsoft Teams, and other products.
Data integration and Power Query.
Common Data Service analytics.
Mobile push notifications.
Connectors: The most popular connectors in use in our commercial service (based on usage telemetry) have
been published; if there is a connector available in the commercial offering that you do not see deployed,
please contact support, and we will review your request.
Power Platform Admin center: The admin center can be used to open support tickets, but other functionality
is currently not available in US Government tenants.
Customize a SharePoint list form by using PowerApps.
See also
Microsoft Flow US Government
Administer Microsoft Flow
3/12/2019 • 2 minutes to read

Microsoft Flow administrators can use the Flow admin portal (admin.flow.microsoft.com) to manage an
organization’s data policies and environments. Microsoft Flow admin content is available at Microsoft Flow
documentation.
See also
Reference: Use the various admin centers
Administer Power BI
3/12/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]


Power BI administrators use the Power BI admin portal to manage a Power BI tenant, including the configuration
of governance policies, usage monitoring, and provisioning of licenses, capacities, and organizational resources.
Power BI admin content is available at What is Power BI administration?
See also
Reference: Use the various admin centers
Use the various admin centers
3/22/2019 • 2 minutes to read

Currently, there are multiple admin centers you use to manage and monitor your environments and settings. This
topic provides guidance on the basic role of each admin center.

ADMIN CENTER | COMMON TASKS
Power Platform Admin center (https://admin.powerplatform.microsoft.com) | The new unified administrative portal for Power Platform admins. Currently this portal can be used for Common Data Service environment management, to submit Common Data Service and Flow support tickets, and to view PowerApps and Flow admin analytics.
PowerApps Admin center (https://admin.powerapps.com) | Creating and managing environments including security starts here. Within each environment you can manage the apps and flows. Monitor who is licensed and building things. Create and manage Data Loss Prevention policies. Manage Common Data Service Data Integration projects.
Microsoft Flow Admin Portal (https://admin.flow.microsoft.com) | This points to the same site as admin.powerapps.com.
Business platform admin center (https://admin.businessplatform.microsoft.com) | This points to the same site as admin.powerapps.com. Over time, this will be migrated to and replaced by the Power Platform Admin center.
Dynamics 365 Admin center (https://port.crm.dynamics.com/G/manage/index.aspx) | The Dynamics 365 Admin Center, that can be leveraged to perform certain Common Data Service environment management like renaming, deleting, and resetting.
Dynamics 365 Instance Management (https://port.crm.dynamics.com/G/Instances/InstancePicker.aspx) | This instance management portal is reached from admin.powerapps.com when managing the Common Data Service database or from the Dynamics 365 Admin center. Here you will see a list of all the Common Data Service databases and can perform actions such as backup, as well as other actions on a per instance basis.
Microsoft 365 admin center (https://admin.microsoft.com/adminportal) | Here you manage users and their license assignment as well as launch into many of the individual admin centers.
Microsoft Azure (https://portal.azure.com) | Advanced Azure AD management tasks like conditional access and support for developer application registration is done here. This is also where you start setup of your on-premises gateways.
Security and Compliance Center (https://protection.office.com) | In addition to the general compliance tasks, administrators can come here to search the Audit log to see Flow audit events.
Videos and PowerPoint presentations
7/9/2019 • 2 minutes to read

[This topic is pre-release documentation and is subject to change.]

TOPIC | VIDEO | POWERPOINT
Center of Excellence: Tried and tested techniques | Video | Deck
Blog: Center of Excellence starter kit (preview) | |
Top 10 tips to securely roll out Microsoft PowerApps and Microsoft Flow | Video | Deck
What's new for PowerApps and Microsoft Dynamics 365 admins | Video | Deck
Best practices for managing and automating (ALM) | Video | Deck
Modernizing the way we update Dynamics 365, PowerApps, and Common Data Service | Video | Deck
Monitoring and supporting PowerApps at scale | Video | Deck
How to get the best support for PowerApps, Microsoft Flow, and Dynamics 365 | Video | Deck
Planning your enterprise deployment - Capacity Management | Video | Deck
Best practices for setting up security and environments in the Power Platform Admin center | Video | Deck
