Governance in Power Platform is essential for maintaining security, compliance, and cost optimization. PowerShell enables organizations to automate governance tasks such as monitoring usage, managing licenses, enforcing security policies, and auditing user access.
This guide will cover:
- Managing Power Platform environments
- Monitoring user activities
- Enforcing Data Loss Prevention (DLP) policies
- Automating license management
- Auditing Power Platform security
Step 1: Prerequisites
1. Install Required PowerShell Modules
Ensure you have the necessary modules installed:
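```powershell
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force
Install-Module -Name Microsoft.PowerApps.PowerShell -Force
Install-Module -Name AzureAD -Force
Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
# Provides Search-UnifiedAuditLog, used in Tasks 2 and 5
Install-Module -Name ExchangeOnlineManagement -Force
```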
2. Connect to Power Platform
To interact with Power Platform, authenticate with PowerShell:
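```powershell
# Connect to Power Platform
Add-PowerAppsAccount
# Connect to Microsoft 365 (for user/license management)
Connect-AzureAD
# User.ReadWrite.All is needed only for the license revocation in Task 4
Connect-MgGraph -Scopes "User.Read.All", "User.ReadWrite.All", "Organization.Read.All"
# Connect to Exchange Online (for Search-UnifiedAuditLog)
Connect-ExchangeOnline
```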
You are now connected to Power Platform and Microsoft 365.
Step 2: Automating Governance Tasks
Task 1: List All Power Platform Environments
To get a list of all environments, run:
```powershell
Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName, Location, EnvironmentSku
```
This lists all Power Platform environments and their details.
Task 2: Identify Inactive Power Apps and Power Automate Flows
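To find users with no Power Apps, Power Automate, or Power BI activity in the last 90 days (the audit log records only activity, so inactive users are the ones missing from it):
```powershell
# Requires Connect-ExchangeOnline. -RecordType takes one value per call; each call returns at most 5000 records.
$startDate = (Get-Date).AddDays(-90)
$activeUsers = "PowerAppsApp", "MicrosoftFlow", "PowerBIAudit" | ForEach-Object {
    Search-UnifiedAuditLog -StartDate $startDate -EndDate (Get-Date) -RecordType $_ -ResultSize 5000
} | Select-Object -ExpandProperty UserIds -Unique
# Users with no recorded activity in the window are the inactive ones
Get-MgUser -All | Where-Object { $_.UserPrincipalName -notin $activeUsers } |
    Select-Object @{ Name = "Name"; Expression = { $_.UserPrincipalName } } | Export-Csv -Path "C:\InactiveApps.csv" -NoTypeInformation
```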
To find unused Power Automate flows:
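```powershell
# CreatedTime may be returned as a string, so cast it; the flow state is on the raw object under Internal
Get-AdminFlow | Where-Object { [datetime]$_.CreatedTime -lt (Get-Date).AddDays(-90) -and $_.Internal.properties.state -eq "Suspended" } |
    Select-Object DisplayName, CreatedTime, LastModifiedTime | Export-Csv "C:\InactiveFlows.csv" -NoTypeInformation
```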
Now you have reports of inactive users and suspended flows.
Task 3: Enforce Data Loss Prevention (DLP) Policies
To list existing DLP policies:
```powershell
Get-DlpPolicy | Select-Object DisplayName, EnvironmentName, ConnectorAction
```
To apply a new DLP policy (restricting external connectors):
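```powershell
# New-AdminDlpPolicy accepts -DisplayName and -EnvironmentName directly
New-AdminDlpPolicy -DisplayName "Restrict External Connectors" -EnvironmentName "Default"
```
This creates the policy. It restricts data sharing only once connectors have been classified into its Business, Non-Business, and Blocked groups.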
Task 4: Automate Power Platform License Management
To list all users with Power Platform licenses:
```powershell
Get-MgUser -All | ForEach-Object {
    $user = $_
    $licenses = Get-MgUserLicenseDetail -UserId $user.Id
    # POWER_?BI also matches SKUs such as POWER_BI_PRO, which a plain "POWERBI" pattern misses
    $powerPlatformLicenses = $licenses | Where-Object { $_.SkuPartNumber -match "POWERAPPS|FLOW|POWER_?BI" }
    if ($powerPlatformLicenses) {
        [PSCustomObject]@{
            UserPrincipalName = $user.UserPrincipalName
            DisplayName       = $user.DisplayName
            Licenses          = ($powerPlatformLicenses.SkuPartNumber -join ", ")
        }
    }
} | Export-Csv -Path "C:\PowerPlatform_Licenses.csv" -NoTypeInformation
```
To revoke unused licenses from inactive users:
```powershell
$unusedUsers = Import-Csv "C:\InactiveApps.csv"
foreach ($user in $unusedUsers) {
    # Get-MgUser accepts a UPN as -UserId
    $userId = (Get-MgUser -UserId $user.Name).Id
    $licenses = Get-MgUserLicenseDetail -UserId $userId
    $powerPlatformLicenses = $licenses | Where-Object { $_.SkuPartNumber -match "POWERAPPS|FLOW|POWER_?BI" }
    foreach ($license in $powerPlatformLicenses) {
        # Licenses are removed with Set-MgUserLicense (requires the User.ReadWrite.All scope)
        Set-MgUserLicense -UserId $userId -AddLicenses @() -RemoveLicenses @($license.SkuId)
        Write-Output "Revoked $($license.SkuPartNumber) from $($user.Name)"
    }
}
```
Now unused licenses are automatically revoked.
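An added example, not part of the original guide: a planning step that could run before the revocation loop above, so that a failed or truncated audit query (which makes every user look inactive) cannot strip licenses tenant-wide. `Get-LicenseRevocationPlan`, its parameters, and the sample rows are hypothetical and constructed for illustration; the rows mimic the shape of `PowerPlatform_Licenses.csv`.

```powershell
# Added example: hypothetical helper, not part of any Microsoft module.
function Get-LicenseRevocationPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $LicensedUsers,  # rows with UserPrincipalName and Licenses ("A, B")
        [string[]] $ActiveUsers = @(),   # UPNs seen in the audit log
        [string[]] $Exclude = @(),       # service or break-glass accounts that are never touched
        [int] $MaxRemovals = 25          # hard cap on removals per run
    )
    # An empty activity list usually means the audit query failed or no session was connected.
    # Treating it as "nobody is active" would mark every license for removal, so stop instead.
    if ($ActiveUsers.Count -eq 0) {
        throw "No audit activity supplied; refusing to build a revocation plan."
    }
    $plan = @(foreach ($row in $LicensedUsers) {
        $upn = "$($row.UserPrincipalName)".Trim()
        # Skip malformed rows, active users, and excluded accounts (-in is case-insensitive)
        if (-not $upn -or $upn -in $ActiveUsers -or $upn -in $Exclude) { continue }
        foreach ($sku in ($row.Licenses -split ',\s*')) {
            if ($sku -match 'POWERAPPS|FLOW|POWER_?BI') {
                [PSCustomObject]@{ UserPrincipalName = $upn; SkuPartNumber = $sku }
            }
        }
    })
    if ($plan.Count -gt $MaxRemovals) {
        throw "Plan removes $($plan.Count) licenses (cap $MaxRemovals); review the input before running."
    }
    $plan
}

# Constructed sample rows in the shape of PowerPlatform_Licenses.csv
$licensed = @(
    [PSCustomObject]@{ UserPrincipalName = 'alice@contoso.example';     Licenses = 'POWERAPPS_PER_USER, FLOW_FREE' }
    [PSCustomObject]@{ UserPrincipalName = 'bob@contoso.example';       Licenses = 'POWER_BI_PRO' }
    [PSCustomObject]@{ UserPrincipalName = 'svc-flows@contoso.example'; Licenses = 'FLOW_PER_USER' }
)
$plan = Get-LicenseRevocationPlan -LicensedUsers $licensed `
    -ActiveUsers 'Alice@contoso.example' -Exclude 'svc-flows@contoso.example'
$plan | Format-Table
```

Export the plan for review and pass only its `UserPrincipalName` values to the revocation loop.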
Task 5: Audit Power Platform Security & User Access
To generate a security access report:
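```powershell
# Lists the role assignments (who has which role) in the environment
Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName "Default" | Export-Csv "C:\UserAccessReport.csv" -NoTypeInformation
```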
To audit user access logs:
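```powershell
# -RecordType takes one value per call; requires Connect-ExchangeOnline
"PowerAppsApp", "MicrosoftFlow", "PowerBIAudit" | ForEach-Object {
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType $_ -ResultSize 5000 } |
    Select-Object UserIds, CreationTime, Operation | Export-Csv "C:\AuditLogs.csv" -NoTypeInformation
```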
Now you have security reports for monitoring user access.
Step 3: Automate These Tasks with Task Scheduler
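To run these tasks automatically, schedule them in Windows Task Scheduler. The sign-in commands from Step 1 prompt interactively, so a script that runs unattended needs non-interactive authentication, for example an app registration with a certificate.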
- Open Task Scheduler
- Click Create Basic Task
- Set a schedule (e.g., Weekly)
- Select Start a Program → PowerShell.exe
- Add script path:
-File "C:\Scripts\PowerPlatform_Governance.ps1"
- Click Finish
Now, Power Platform governance tasks run automatically!