MS-102 | Chapter 84 of 104 | Objective 1.2

Power Platform Governance from M365 Admin

This chapter covers Power Platform governance from the Microsoft 365 admin perspective, a critical topic for the MS-102 exam. You will learn how to manage environments, enforce data loss prevention (DLP) policies, control tenant-wide settings, and monitor usage — all from the Power Platform admin center and Microsoft 365 admin center. Approximately 10-15% of exam questions touch on Power Platform governance, especially in the context of tenant management and security. Mastering this chapter will help you answer questions about environment lifecycle, DLP policy configuration, and integration with Microsoft 365 compliance features.

25 min read
Intermediate
Updated May 31, 2026

Power Platform Governance as Building Permits

Imagine a city (your Microsoft 365 tenant) where anyone can build structures (Power Apps, Power Automate flows, Power BI reports) without any oversight. Chaos ensues: shacks blocking fire lanes, buildings with unsafe wiring, and no record of who built what. To fix this, the city introduces a Building Permit Office (the Power Platform admin center). Now, every builder must apply for a permit before starting construction. The permit specifies: who can build (maker), what they can build (app/flow type), where they can build (environment), and what materials they can use (connectors, data sources). The office issues two types of permits: 'Unrestricted' (no review needed) for trusted builders, and 'Requires Inspection' (DLP policy enforcement) for high-risk materials. The office also maintains a city map (tenant-level analytics) showing all structures, their status, and any violations. If a builder tries to use a banned material (blocked connector), the permit is automatically rejected. The office can also issue a 'Stop Work' order (disable a flow or app) if a structure becomes dangerous. This system ensures the city remains safe, organized, and compliant with local laws (regulatory requirements).

How It Actually Works

What is Power Platform Governance?

Power Platform governance refers to the set of policies, roles, and procedures that control how users create, share, and manage Power Apps, Power Automate flows, Power BI content, and Microsoft Copilot Studio (formerly Power Virtual Agents) within a Microsoft 365 tenant. The goal is to balance innovation (empowering makers) with security, compliance, and cost control. For the MS-102 exam, you must understand that governance is enforced primarily through three mechanisms: environment management, Data Loss Prevention (DLP) policies, and tenant-level settings.

The Power Platform Admin Center

All governance actions are performed from the Power Platform admin center (https://admin.powerplatform.microsoft.com). This is the central hub for administrators to manage environments, DLP policies, analytics, and tenant settings. You access it with a global admin or Power Platform admin role. The admin center provides a unified view across all environments and allows you to configure settings that apply tenant-wide.

Environments: The Foundation of Governance

An environment is a container that isolates Power Platform resources (apps, flows, connections, etc.) and data. Each environment has its own Dataverse database (optional), security roles, and policies. There are three types of environments: Production, Sandbox, and Trial. Production environments are for live apps and flows; Sandbox environments are for development and testing; Trial environments expire after 30 days (extendable once). For governance, you must understand the concept of 'default environment' — every tenant has a single default environment created automatically. It is a shared environment where all licensed users can create resources unless restricted. Best practice is to restrict the default environment and create dedicated environments for specific teams or projects.

Creating and Managing Environments

To create a new environment, navigate to Environments in the Power Platform admin center and click 'New'. You must specify:

Name and URL

Region (e.g., United States, Europe)

Type (Production, Sandbox, Trial)

Create a Dataverse database? (Yes/No) — if yes, you can enable Dynamics 365 apps.

Security group (optional) — only members of this group can access the environment.

You can also use PowerShell to create environments:

# Parameter names as documented for the Microsoft.PowerApps.Administration.PowerShell module:
# -LocationName (not -Location), -EnvironmentSku (Trial, Sandbox or Production) and the
# -ProvisionDatabase switch, which is accompanied by -CurrencyName and -LanguageName
New-AdminPowerAppEnvironment -DisplayName "Marketing Dev" -LocationName "unitedstates" -EnvironmentSku Sandbox -ProvisionDatabase -CurrencyName USD -LanguageName 1033

Environments can be deleted, but only if they contain no resources. This is a common exam trap: you cannot delete an environment that has active apps or flows.

Data Loss Prevention (DLP) Policies

DLP policies control which connectors can be used together in a single app or flow. Connectors are grouped into three tiers: Business, Non-Business, and Blocked. The default DLP policy (tenant-wide) classifies all connectors as Business. You can create custom DLP policies that apply to specific environments or to the entire tenant. The key concept is 'data grouping': you can create groups of connectors that can be used together. For example, you might create a group for Microsoft 365 connectors (SharePoint, Outlook, Teams) and another for third-party connectors (Salesforce, Twitter). A policy can then allow only connectors from the same group to be used in a single flow. This prevents data from flowing between, say, SharePoint and Twitter, which could leak sensitive data.

Configuring DLP Policies

To create a DLP policy, go to Data Policies in the Power Platform admin center. Click 'New Policy', give it a name, and choose the scope: Entire tenant or specific environments. Then, assign connectors to Business, Non-Business, or Blocked. You can also create custom connector groups. The policy is enforced in real-time: if a maker tries to add a connector that violates the policy, they get an error. Existing flows that violate a new policy are automatically suspended. The exam often tests that DLP policies are evaluated at runtime, not at design time.
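To make the data-group rule concrete, here is an added example written for this chapter; it is not code from the chapter or from Microsoft's tooling. It models a DLP policy as a map from connector name to group and checks a flow's connector set against several applicable policies at once, applying the rules described above: a Blocked connector fails the flow, and every connector in the flow must fall into the same group. Because it evaluates several policies together, it also illustrates the later point that when multiple policies apply the most restrictive one wins. The policy names, connector names, and the choice of NonBusiness as the default group for unclassified connectors are constructed for illustration.

```powershell
# Added example: an offline model of DLP connector-group evaluation. This is not the
# product's enforcement code; the policy and connector names below are constructed.

function Test-DlpCompliance {
    <#
      Checks one flow's connectors against every applicable DLP policy.
      A policy is a hashtable with:
        Name   - label used in violation messages
        Groups - hashtable of connector name -> 'Business' | 'NonBusiness' | 'Blocked'
      Connectors a policy does not classify fall into $DefaultGroup (the admin center's
      default data group for unclassified connectors; NonBusiness is assumed here).
      Rules applied, as the chapter describes them:
        1. Any connector classified Blocked by an applicable policy fails the flow.
        2. All connectors in one flow must belong to the same group within each policy.
        3. Every applicable policy must pass, so the most restrictive policy wins.
    #>
    param(
        [Parameter(Mandatory)] [string[]]    $FlowConnectors,
        [Parameter(Mandatory)] [hashtable[]] $Policies,
        [string] $DefaultGroup = 'NonBusiness'
    )

    $violations = foreach ($policy in $Policies) {
        # Classify each connector under this policy
        $classified = foreach ($connector in $FlowConnectors) {
            $group = if ($policy.Groups.ContainsKey($connector)) { $policy.Groups[$connector] } else { $DefaultGroup }
            [pscustomobject]@{ Connector = $connector; Group = $group }
        }

        # Rule 1: Blocked connectors are never allowed
        $blocked = @($classified | Where-Object Group -eq 'Blocked')
        if ($blocked.Count -gt 0) {
            "[$($policy.Name)] blocked connector(s): $($blocked.Connector -join ', ')"
            continue
        }

        # Rule 2: connectors may not cross data groups within a single flow
        $groups = @($classified.Group | Sort-Object -Unique)
        if ($groups.Count -gt 1) {
            $detail = ($classified | ForEach-Object { "$($_.Connector)=$($_.Group)" }) -join ', '
            "[$($policy.Name)] mixes data groups: $detail"
        }
    }

    # Rule 3: the flow is allowed only if no applicable policy raised a violation
    [pscustomobject]@{
        Connectors = $FlowConnectors -join ', '
        Allowed    = (@($violations).Count -eq 0)
        Violations = @($violations)
    }
}

# Constructed policies mirroring the chapter's scenario: a tenant-wide baseline that
# blocks social media connectors, plus a stricter policy for a Finance environment.
$tenantBaseline = @{
    Name   = 'Tenant baseline'
    Groups = @{
        SharePoint = 'Business'; Office365Outlook = 'Business'; Teams = 'Business'
        SQL        = 'Business'; Excel            = 'Business'
        Salesforce = 'NonBusiness'
        Twitter    = 'Blocked';  Facebook         = 'Blocked'
    }
}
$financePolicy = @{
    Name   = 'Finance-Prod'
    Groups = @{ SharePoint = 'Business'; SQL = 'Business'; Excel = 'Business'; Salesforce = 'Blocked' }
}

# A flow created in Finance-Prod is subject to both policies at once
$applicable = @($tenantBaseline, $financePolicy)

Test-DlpCompliance -FlowConnectors 'SharePoint', 'Excel'      -Policies $applicable | Format-List
Test-DlpCompliance -FlowConnectors 'SharePoint', 'Twitter'    -Policies $applicable | Format-List
Test-DlpCompliance -FlowConnectors 'SharePoint', 'Salesforce' -Policies $applicable | Format-List
```

Walking through the three calls: SharePoint with Excel is Business under both policies and is allowed; SharePoint with Twitter is rejected by the baseline's Blocked classification (and, under the Finance policy, Twitter is unclassified and so mixes NonBusiness with Business); SharePoint with Salesforce mixes groups under the baseline and hits a Blocked connector under the Finance policy. One failing policy is enough, which is the "most restrictive wins" behaviour in practice.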

Tenant-Level Settings

Under 'Tenant settings' in the Power Platform admin center, you can configure:

- Analytics: Enable usage analytics for Power Apps and Power Automate.
- Support: Allow users to create support tickets from Power Apps.
- Self-service: Allow users to create trial environments (disable for production tenants).
- Copilot: Enable or disable AI-powered features.
- PowerShell: Enable or disable PowerShell commands for environment management.

These settings affect all environments. A common exam question is about disabling trial environment creation to prevent uncontrolled resource proliferation.

Power Platform and Microsoft 365 Compliance

Power Platform integrates with Microsoft 365 compliance features such as eDiscovery, audit logging, and retention policies. All actions in Power Platform (create app, edit flow, change DLP policy) are audited and can be searched in the Microsoft 365 compliance center. Retention policies can be applied to Power Platform data stored in Dataverse. For the exam, know that audit logs are enabled by default for Power Platform activities.

Monitoring and Analytics

The Power Platform admin center provides built-in analytics dashboards:

- Power Apps: Usage, errors, and performance metrics.
- Power Automate: Flow runs, failures, and trends.
- Capacity: Dataverse storage usage per environment.
- Inventory: List of all resources across environments.

You can also use PowerShell to export inventory:

Get-AdminPowerApp

Role-Based Access Control (RBAC)

Governance is also enforced through roles. The key admin roles are:

- Power Platform admin: Full access to the admin center; can manage environments and DLP policies.
- Dynamics 365 admin: Same as Power Platform admin but with additional Dynamics permissions.
- Environment admin: Full control over a specific environment.
- Environment maker: Can create resources within an environment.

Note that global admins have implicit Power Platform admin rights. The exam may ask which role is needed to create a DLP policy — answer: Power Platform admin or global admin.

Common Exam Scenarios

1. Restricting the default environment: You want to prevent users from creating apps in the default environment. Solution: Remove the 'Environment Maker' role from all users in the default environment.

2. Blocking a specific connector: You need to block the Twitter connector for all flows. Solution: Create a DLP policy at tenant level and set Twitter to 'Blocked'.

3. Auditing DLP violations: A user claims their flow was suspended. You check the audit logs in the compliance center for DLP rule match events.

PowerShell for Governance

PowerShell is a powerful tool for automating governance tasks. Key cmdlets:

# List all environments
Get-AdminPowerAppEnvironment

# Resolve the internal environment name (a GUID-style value) from the display name;
# the DLP and role cmdlets take the internal name, not the display name
$env = Get-AdminPowerAppEnvironment -Filter "Marketing Dev"

# Create a DLP policy scoped to that environment
New-AdminDlpPolicy -DisplayName "HR Policy" -EnvironmentName $env.EnvironmentName

# Get DLP policies
Get-AdminDlpPolicy

# Remove a user's Environment Maker assignment in the default environment:
# look the assignment up (the -UserId is the user's object ID), then remove it by RoleId
$default = Get-AdminPowerAppEnvironment -Default
Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $default.EnvironmentName -UserId '<user-object-id>' |
    Where-Object RoleName -eq 'EnvironmentMaker' |
    ForEach-Object { Remove-AdminPowerAppEnvironmentRoleAssignment -RoleId $_.RoleId -EnvironmentName $_.EnvironmentName }

The exam may test your ability to identify the correct cmdlet for a given task.

Integration with Microsoft Intune

Power Platform governance also extends to mobile devices via Intune. You can require that the Power Apps mobile app uses Intune app protection policies to prevent data leakage. This is configured in the Microsoft 365 admin center under 'Mobile Device Management'.

Copilot Studio Governance

Microsoft Copilot Studio (formerly Power Virtual Agents) chatbots are also governed by environments and DLP policies. You can create a chatbot in an environment and assign it to specific security groups. DLP policies apply to the connectors used by the chatbot.

Summary of Key Numbers

Trial environments expire after 30 days, extendable once for another 30 days.

Default environment cannot be deleted.

DLP policies are evaluated at runtime.

Audit logs for Power Platform are enabled by default.

Only Power Platform admin or global admin can manage DLP policies.

Environment admins can manage resources within their environment but cannot create DLP policies.

Walk-Through

1

Assess Current Governance State

Begin by auditing the current Power Platform usage in your tenant. Use the Power Platform admin center's Analytics to view active makers, apps, flows, and environments. Identify any 'shadow IT' — resources created outside approved processes. Also review existing DLP policies and security group assignments. This step is crucial to understand what needs to be governed. For the exam, know that you can use the 'Inventory' tab to list all resources across environments. PowerShell cmdlet: `Get-AdminPowerApp` to list all apps.

2

Define Environment Strategy

Decide how many environments you need and their purpose. Best practice: one default environment (restricted), production environments for each department or project, sandboxes for development, and possibly trial environments for training. For each environment, assign a security group to control access. The exam expects you to know that you can create up to 5 environments per tenant by default, but you can request an increase. Also, note that the default environment cannot be deleted, but you can remove the Environment Maker role from all users to prevent new creations.

3

Implement DLP Policies

Create DLP policies to control connector usage. Start with a tenant-wide policy that blocks high-risk connectors (e.g., social media) and creates data groups for business vs. non-business connectors. Then create environment-specific policies for sensitive environments (e.g., HR or Finance). When a policy is created, it is enforced immediately. Existing flows that violate the policy are suspended. The exam often tests that you can create a custom connector group to allow specific combinations (e.g., SharePoint and Salesforce together but not with Twitter).

4

Configure Tenant Settings

In the Power Platform admin center, go to Tenant settings. Disable 'Allow users to create trial environments' to prevent uncontrolled growth. Enable analytics to track usage. If using Copilot, configure AI settings. Also, consider enabling or disabling PowerShell access for environment management. The exam may ask which setting prevents users from creating trial environments — answer: 'Allow users to create trial environments' must be set to Off.

5

Assign Roles and Monitor

Assign Power Platform admin, environment admin, and environment maker roles as needed. Use security groups to manage role assignments at scale. Monitor audit logs in the Microsoft 365 compliance center for DLP violations, environment changes, and resource creation. Set up alerts for suspicious activities. The exam expects you to know that global admins can manage all aspects, but for delegated administration, use Power Platform admin role.
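Steps 1, 2 and 5 above (inventory, checking whether the default environment is open to all makers, and ongoing monitoring) can be scripted. The following is an added example written for this chapter, not code from the chapter or from Microsoft. It uses documented cmdlets of the Microsoft.PowerApps.Administration.PowerShell module and assumes the property names noted in its header comment; the CSV path and the finding texts are arbitrary choices.

```powershell
# Added example, not from the chapter: a read-only governance posture report built on the
# Microsoft.PowerApps.Administration.PowerShell module. Assumptions: the module is installed
# (Install-Module Microsoft.PowerApps.Administration.PowerShell), a session has been opened
# with Add-PowerAppsAccount, and the cmdlets return the property names used below
# (EnvironmentName, DisplayName, IsDefault, EnvironmentType, Enabled, RoleName,
# PrincipalType). Confirm them with Get-Member in your own tenant before relying on them.

function Get-GovernancePosture {
    [CmdletBinding()]
    param()

    foreach ($env in Get-AdminPowerAppEnvironment) {
        $name  = $env.EnvironmentName
        $apps  = @(Get-AdminPowerApp -EnvironmentName $name)
        $flows = @(Get-AdminFlow -EnvironmentName $name)

        # Caveat: for environments with a Dataverse database, maker and admin rights are
        # Dataverse security roles and may not be reported by this cmdlet.
        $roles = @(Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $name)

        # An Environment Maker assignment whose principal is the whole tenant means every
        # licensed user can create resources here: the unrestricted-default-environment case.
        $tenantWideMaker = @($roles | Where-Object {
            $_.RoleName -eq 'EnvironmentMaker' -and $_.PrincipalType -eq 'Tenant'
        }).Count -gt 0

        # Disabled flows deserve a look: a flow suspended by a new DLP policy is no longer enabled.
        $disabledFlows = @($flows | Where-Object { -not $_.Enabled }).Count

        $finding = if ($env.IsDefault -and $tenantWideMaker) {
            'Default environment open to all makers: restrict it'
        } elseif (-not $env.IsDefault -and $apps.Count -eq 0 -and $flows.Count -eq 0) {
            'Empty environment: candidate for deletion'
        } elseif ($disabledFlows -gt 0) {
            'Disabled flows present: check for DLP suspensions'
        } else {
            ''
        }

        [pscustomobject]@{
            Environment     = $env.DisplayName
            Type            = $env.EnvironmentType
            IsDefault       = $env.IsDefault
            Apps            = $apps.Count
            Flows           = $flows.Count
            DisabledFlows   = $disabledFlows
            Admins          = @($roles | Where-Object RoleName -eq 'EnvironmentAdmin').Count
            Makers          = @($roles | Where-Object RoleName -eq 'EnvironmentMaker').Count
            TenantWideMaker = $tenantWideMaker
            Finding         = $finding
        }
    }
}

# Run the report, show it as a table, and keep a CSV snapshot for the change record
$report = Get-GovernancePosture
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\PowerPlatformPosture.csv -NoTypeInformation
```

Running this on a schedule and diffing successive CSV snapshots gives a simple way to spot new environments, a sudden jump in app or flow counts in the default environment, or flows that became disabled after a DLP policy change, which is the monitoring habit step 5 asks for.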

What This Looks Like on the Job

Scenario 1: Large Enterprise with Multiple Departments

Contoso Corporation has 10,000 employees across HR, Finance, Sales, and Marketing. Each department wants to build Power Apps and flows. The IT team creates separate production environments for each department (HR-Prod, Finance-Prod, etc.) and a shared sandbox environment for development. They restrict the default environment by removing the Environment Maker role from all users. DLP policies are created: a tenant-wide policy blocks all social media connectors (Twitter, Facebook), and department-specific policies allow only relevant connectors (e.g., the Finance environment allows only SharePoint, SQL, and Excel). Security groups are used to grant access: only HR members can access the HR environment. The IT team monitors usage via analytics and receives alerts when a flow is suspended due to a DLP violation. This setup ensures data isolation and compliance with regulatory requirements (e.g., SOX for Finance).

Scenario 2: Mid-Sized Company with External Contractors

Fabrikam Inc. has 500 employees and frequently works with external contractors who need to build flows for specific projects. The IT team creates a dedicated environment 'External' for contractors. They assign a security group containing contractor accounts as Environment Makers. A strict DLP policy is applied to this environment: only Microsoft 365 connectors (SharePoint, Outlook) are allowed; all third-party connectors are blocked. Additionally, the environment is retired after 90 days by deleting it manually. The default environment is restricted to internal employees only. This prevents contractors from accessing internal data or using unapproved connectors.

Scenario 3: Compliance-Focused Tenant

A healthcare organization (HIPAA-regulated) uses Power Platform to automate patient data processes. They create a single production environment with a Dataverse database that is HIPAA-compliant (by choosing the appropriate region and enabling Customer Lockbox). DLP policies are extremely restrictive: only connectors that are HIPAA-compliant (e.g., SharePoint, Dynamics 365) are allowed; all other connectors are blocked. Audit logging is enabled, and all DLP policy changes require approval from the compliance officer. The IT team also uses Microsoft 365 retention policies to retain Power Platform audit logs for 7 years. This scenario highlights the need for integration with Microsoft 365 compliance features, which the exam may test.

Common Mistakes in Production:

- Not restricting the default environment leads to sprawl of apps and flows.
- Creating DLP policies that are too restrictive, causing maker frustration and shadow IT.
- Forgetting to assign security groups to environments, leaving them open to all users.
- Not monitoring audit logs, missing DLP violations until a data breach occurs.

How MS-102 Actually Tests This

Objective Codes: MS-102 exam domain 'Tenant Management' includes objective 1.2: 'Manage Power Platform governance'. This includes environment management, DLP policies, tenant settings, and monitoring. Expect 3-5 questions on this topic.

Common Wrong Answers:

1. 'You can delete the default environment.' — Wrong. The default environment is created automatically and cannot be deleted. However, you can remove all permissions from it.
2. 'DLP policies are enforced at design time.' — Wrong. They are enforced at runtime. A maker can design a flow using blocked connectors, but it will fail when run.
3. 'Only global admins can create DLP policies.' — Wrong. Power Platform admins can also create DLP policies. Global admins have implicit Power Platform admin rights but are not the only ones.
4. 'Trial environments never expire.' — Wrong. They expire after 30 days, extendable once.

Key Numbers and Terms:

- Default environment: cannot be deleted, shared environment.
- DLP policy scope: entire tenant or specific environments.
- Connector groups: Business, Non-Business, Blocked. Custom groups can be created.
- Environment types: Production, Sandbox, Trial.
- Trial environment expiry: 30 days (extendable once for 30 more).
- Roles: Power Platform admin, Dynamics 365 admin, Environment admin, Environment maker.
- PowerShell cmdlets: New-AdminPowerAppEnvironment, New-AdminDlpPolicy, Get-AdminPowerApp.

Edge Cases:

- If you create a DLP policy that blocks a connector used by an existing flow, the flow is suspended immediately.
- You can have multiple DLP policies applied to the same environment; the most restrictive policy wins.
- An environment can have a Dataverse database; if you delete the environment, the database is also deleted.
- To move a resource between environments, you must export and import (no direct move).

How to Eliminate Wrong Answers:

- If a question asks about deleting an environment, look for 'default' — that cannot be deleted.
- If a question asks about DLP enforcement, remember 'runtime' not 'design time'.
- If a question asks who can create DLP policies, look for Power Platform admin or global admin.
- If a question asks about trial environments, remember the 30-day limit.

Exam Tip: The exam often presents a scenario where a user cannot create a flow because of a DLP policy. The solution is to modify the DLP policy to allow the connector or assign the flow to a different environment with a less restrictive policy.

Key Takeaways

The default environment cannot be deleted; restrict it by removing the Environment Maker role.

DLP policies are enforced at runtime, not design time.

Only Power Platform admin, Dynamics 365 admin, or global admin can create DLP policies.

Trial environments expire after 30 days (extendable once).

Environments can be Production, Sandbox, or Trial.

Use security groups to control access to environments.

Audit logs for Power Platform are enabled by default in Microsoft 365 compliance center.

PowerShell cmdlets: New-AdminPowerAppEnvironment, New-AdminDlpPolicy, Get-AdminPowerApp.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Default Environment

Created automatically for every tenant.

Cannot be deleted.

All licensed users can create resources by default.

Often used for personal productivity apps.

Harder to govern due to shared nature.

Custom Environment

Created manually by admin.

Can be deleted if empty.

Access controlled by security group.

Used for departmental or project-specific apps.

Easier to enforce governance policies.

Watch Out for These

Mistake

The default environment can be deleted.

Correct

The default environment is created automatically for every tenant and cannot be deleted. However, you can restrict access by removing the Environment Maker role from all users.

Mistake

DLP policies are enforced when a maker adds a connector in the designer.

Correct

DLP policies are enforced at runtime, not design time. A maker can add any connector in the designer, but if the connector violates a DLP policy, the flow will be suspended when it runs.

Mistake

Only global administrators can create DLP policies.

Correct

Power Platform administrators and global administrators can create DLP policies. Dynamics 365 administrators also have this ability.

Mistake

Trial environments never expire.

Correct

Trial environments expire after 30 days. They can be extended once for another 30 days, after which they are disabled and eventually deleted.

Mistake

You can move resources between environments directly.

Correct

Power Platform does not support direct movement of resources between environments. You must export the resource (app or flow) and import it into the target environment.


Frequently Asked Questions

How do I restrict users from creating apps in the default environment?

Remove the 'Environment Maker' role from all users in the default environment. This prevents them from creating new apps or flows. You can do this via the Power Platform admin center: select the default environment, go to 'Security', then 'Users', and remove the Environment Maker role for each user. Alternatively, use PowerShell: list the user's assignments with `Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName <default-environment-name> -UserId <user-object-id>` and remove the Environment Maker entry with `Remove-AdminPowerAppEnvironmentRoleAssignment -RoleId <role-id> -EnvironmentName <default-environment-name>` (the environment name is the internal name returned by `Get-AdminPowerAppEnvironment -Default`). Note that existing apps and flows remain, but no new ones can be created.

What happens to existing flows when I create a new DLP policy that blocks a connector they use?

Existing flows that use a connector that becomes blocked will be suspended immediately. The flow owner will see a 'Suspended' status in the flow details. To resume the flow, the owner must modify the flow to remove the blocked connector, or the admin must adjust the DLP policy to allow the connector. This enforcement is runtime-based, so flows that are already running will complete but subsequent runs will fail.

Can I have multiple DLP policies applied to the same environment?

Yes, you can have multiple DLP policies applied to the same environment. However, the most restrictive policy takes precedence. For example, if one policy blocks Twitter and another allows it, the block wins. This is important to know for the exam — when troubleshooting a connector being blocked, check all policies applied to that environment.

How do I delete an environment?

To delete an environment, it must contain no resources (apps, flows, connections, etc.). If it has resources, you must delete them first. Go to the Power Platform admin center, select the environment, and click 'Delete'. You will be prompted to confirm. Note that the default environment cannot be deleted. Also, environments with a Dataverse database may take longer to delete.

What is the difference between Power Platform admin and Dynamics 365 admin?

Both roles have full access to the Power Platform admin center, including environment management and DLP policies. The Dynamics 365 admin role also has additional permissions related to Dynamics 365 applications (e.g., Sales, Customer Service). For Power Platform governance without Dynamics, the Power Platform admin role is sufficient. Global admins automatically have both roles.

How do I audit DLP policy violations?

DLP policy violations are logged in the Microsoft 365 compliance center. Search the audit log for activities such as 'DLP rule match' or 'Flow suspended due to DLP policy'. You can also use the 'Data Loss Prevention' section in the compliance center to view alerts. For the exam, know that audit logging is enabled by default for Power Platform.

Can I use PowerShell to manage DLP policies?

Yes, PowerShell is a powerful tool for managing DLP policies. Key cmdlets include: `New-AdminDlpPolicy` to create a policy, `Get-AdminDlpPolicy` to list policies, `Set-AdminDlpPolicy` to modify, and `Remove-AdminDlpPolicy` to delete. You can also move a connector into a policy's Business group with `Add-ConnectorToBusinessDataGroup`. The exam may test your ability to identify the correct cmdlet for a given task.
