Risk assessments in Power Platform help administrators identify security risks, unauthorized access, compliance violations, and governance issues. By using PowerShell, we can automate risk assessment reports for environments, users, and apps to ensure compliance with organizational security policies.
What You’ll Learn:
Connecting to Power Platform using PowerShell
Identifying risky Power Apps and Flows
Checking security and compliance risks
Automating risk assessment reports
Step 1: Prerequisites
1. Install Required PowerShell Modules
Ensure the necessary PowerShell modules are installed:
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force
Install-Module -Name Microsoft.PowerApps.PowerShell -Force
Install-Module -Name ExchangeOnlineManagement -Force
Install-Module -Name Microsoft.Graph -Force
2. Connect to Power Platform and Microsoft 365
Authenticate using your administrator account:
Add-PowerAppsAccount
# Request the directory-read scopes that the role checks in Step 4 need; without them Get-MgDirectoryRole returns an authorization error
Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory", "User.Read.All"
Connect-ExchangeOnline
Now, you have access to Power Platform and Microsoft 365 security data.
Step 2: Identify Risky Power Apps
To list all apps and their owners:
# Get-AdminPowerApp exposes the owner as an object (Owner), not as CreatedBy; pick its email for a readable column
Get-AdminPowerApp | Select-Object DisplayName, AppName, EnvironmentName, @{n='Owner';e={$_.Owner.email}}, LastModifiedTime
Now, filter apps that haven't been modified in over 6 months. An app nobody maintains is a governance risk: its connections and sharing often outlive the purpose it was built for, and no one is watching what it can reach.
$thresholdDate = (Get-Date).AddMonths(-6)
# LastModifiedTime may arrive as an ISO-8601 string or a DateTime depending on the PowerShell version, so cast before comparing
$riskyApps = Get-AdminPowerApp | Where-Object { [datetime]$_.LastModifiedTime -lt $thresholdDate }
$riskyApps | Format-Table DisplayName, AppName, @{n='Owner';e={$_.Owner.email}}, LastModifiedTime
Apps that are inactive for long periods should be reviewed or removed.
Step 3: Identify Risky Power Automate Flows
To list all flows:
# Get-AdminFlow returns CreatedBy as an object holding the creator's objectId; expand it for the listing
Get-AdminFlow | Select-Object DisplayName, EnvironmentName, @{n='CreatedBy';e={$_.CreatedBy.objectId}}, LastModifiedTime
Now, find orphaned flows (flows without an owner) and flows that haven’t been modified in 6 months:
$thresholdDate = (Get-Date).AddMonths(-6)
# Put $null on the left of -eq so a collection-valued CreatedBy cannot turn the test into a filter; cast the timestamp as in Step 2
$riskyFlows = Get-AdminFlow | Where-Object { [datetime]$_.LastModifiedTime -lt $thresholdDate -or $null -eq $_.CreatedBy }
$riskyFlows | Format-Table DisplayName, @{n='CreatedBy';e={$_.CreatedBy.objectId}}, LastModifiedTime
Review these flows. An orphaned flow keeps running on the connections its creator stored in it, but no current employee is accountable for what it does or who it sends data to.
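In practice CreatedBy is almost always populated; a flow becomes orphaned when the creator's account is later deleted or disabled. The following is an added example, not code from the original post: it resolves each flow's creator against Entra ID with Get-MgUser and flags flows whose creator no longer exists or is disabled, alongside the stale check above. It assumes Add-PowerAppsAccount and Connect-MgGraph (with User.Read.All) from Step 1 have already run; Get-OrphanedFlow is a name chosen here.

```powershell
# Added example: flag flows whose creator no longer resolves to an active Entra ID user.
# Assumes Add-PowerAppsAccount and Connect-MgGraph -Scopes "User.Read.All" have been run.
function Get-OrphanedFlow {
    param(
        [int]$StaleMonths = 6   # same 6-month threshold the post uses
    )
    $threshold = (Get-Date).AddMonths(-$StaleMonths)
    $userCache = @{}           # objectId -> $true (active user) / $false (deleted or disabled)

    foreach ($flow in Get-AdminFlow) {
        $ownerId = $flow.CreatedBy.objectId
        $reason  = @()

        if ([string]::IsNullOrEmpty($ownerId)) {
            $reason += 'NoOwnerRecorded'
        }
        else {
            if (-not $userCache.ContainsKey($ownerId)) {
                try {
                    # Get-MgUser throws (404) when the account has been deleted
                    $u = Get-MgUser -UserId $ownerId -Property AccountEnabled -ErrorAction Stop
                    $userCache[$ownerId] = [bool]$u.AccountEnabled
                }
                catch { $userCache[$ownerId] = $false }   # deleted user (or a permission error; check $Error)
            }
            if (-not $userCache[$ownerId]) { $reason += 'OwnerMissingOrDisabled' }
        }

        # Timestamp may be a string or DateTime depending on the PowerShell version
        if ([datetime]$flow.LastModifiedTime -lt $threshold) { $reason += 'Stale' }

        if ($reason.Count -gt 0) {
            [pscustomobject]@{
                FlowName        = $flow.DisplayName
                EnvironmentName = $flow.EnvironmentName
                OwnerObjectId   = $ownerId
                Enabled         = $flow.Enabled
                LastModified    = $flow.LastModifiedTime
                Reason          = ($reason -join ';')
            }
        }
    }
}

Get-OrphanedFlow | Sort-Object Reason | Format-Table -AutoSize
```

Rows whose Reason contains OwnerMissingOrDisabled and whose Enabled is True are the ones to reassign or turn off first.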
Step 4: Check User Access and Permissions Risks
To list all users with Power Platform admin roles:
# Resolve the activated directory role by display name, then enumerate its members; the UPN sits in AdditionalProperties
$role = Get-MgDirectoryRole -Filter "displayName eq 'Power Platform Administrator'"   # $null if the role was never activated in this tenant
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
To list users with risky permissions:
$highRiskRoles = @("Global Administrator", "Power Platform Administrator")
# User objects carry no AssignedRoles property; enumerate the members of each high-risk role instead
$riskyUsers = foreach ($roleName in $highRiskRoles) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"   # $null if the role was never activated
    if ($role) { Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object { [pscustomobject]@{ DisplayName = $_.AdditionalProperties.displayName; UserPrincipalName = $_.AdditionalProperties.userPrincipalName; AssignedRole = $roleName } } }
}
$riskyUsers | Format-Table DisplayName, UserPrincipalName, AssignedRole
Ensure that only authorized users hold these roles, and compare the list against the previous report so newly added members stand out.
Step 5: Check Compliance and Security Issues
To identify DLP (Data Loss Prevention) violations, list all DLP policies:
# A DLP policy has a PolicyName (GUID) and an EnvironmentType (all, only, or except the listed environments) rather than a single EnvironmentName
Get-AdminDlpPolicy | Select-Object DisplayName, PolicyName, EnvironmentType, @{n='CreatedBy';e={$_.CreatedBy.displayName}}
Now, find apps that violate DLP policies:
# Confirm this cmdlet is present in your installed module version (Get-Command Get-AdminDlpPolicyViolation) before scheduling the report
Get-AdminDlpPolicyViolation | Format-Table AppName, EnvironmentName, PolicyName
Enforce DLP policies to prevent data leakage.
Step 6: Automate Risk Assessment Reports
To generate a detailed risk report and export to a CSV file:
# $thresholdDate and $riskyUsers are defined in Steps 2 and 4; they must be in the same script for the scheduled run
$riskReport = @()
# Every finding uses the same five columns; Export-Csv takes the column set from the first object, so mixed shapes would silently lose columns
$riskReport += Get-AdminPowerApp | Where-Object { [datetime]$_.LastModifiedTime -lt $thresholdDate } | Select-Object @{n='RiskType';e={'InactiveApp'}}, @{n='Name';e={$_.DisplayName}}, EnvironmentName, @{n='Principal';e={$_.Owner.email}}, @{n='Detail';e={$_.LastModifiedTime}}
$riskReport += Get-AdminFlow | Where-Object { [datetime]$_.LastModifiedTime -lt $thresholdDate -or $null -eq $_.CreatedBy } | Select-Object @{n='RiskType';e={'StaleOrOrphanedFlow'}}, @{n='Name';e={$_.DisplayName}}, EnvironmentName, @{n='Principal';e={$_.CreatedBy.objectId}}, @{n='Detail';e={$_.LastModifiedTime}}
$riskReport += $riskyUsers | Select-Object @{n='RiskType';e={'HighPrivilegeUser'}}, @{n='Name';e={$_.DisplayName}}, @{n='EnvironmentName';e={'(tenant)'}}, @{n='Principal';e={$_.UserPrincipalName}}, @{n='Detail';e={$_.AssignedRole}}
$riskReport += Get-AdminDlpPolicyViolation | Select-Object @{n='RiskType';e={'DlpViolation'}}, @{n='Name';e={$_.AppName}}, EnvironmentName, @{n='Principal';e={$null}}, @{n='Detail';e={$_.PolicyName}}
New-Item -ItemType Directory -Path "C:\Reports" -Force | Out-Null   # Export-Csv does not create the folder
$riskReport | Export-Csv -Path "C:\Reports\PowerPlatform_Risk_Assessment.csv" -NoTypeInformation
This script automates risk assessment reporting for Power Platform; the RiskType column lets you filter one CSV by finding class instead of maintaining four separate exports.
Step 7: Schedule Automated Reports
To schedule the risk assessment script to run daily or weekly, use Task Scheduler. The interactive sign-ins from Step 1 will not work in an unattended task, so the scheduled script should authenticate with a service principal instead (Add-PowerAppsAccount -TenantID -ApplicationId -ClientSecret, and Connect-MgGraph -ClientId -TenantId -CertificateThumbprint) with the secret or certificate kept outside the script file:
- Open Task Scheduler
- Click Create Basic Task
- Set recurrence to daily or weekly
- Choose Start a Program, set Program/script to powershell.exe
- In Add arguments, enter:
-NoProfile -File "C:\Scripts\PowerPlatform_Risk_Assessment.ps1"
- Click Finish
Now Power Platform risks will be assessed automatically, and each run overwrites the CSV in C:\Reports; keep dated copies if you want to compare runs over time.