Securing form submissions in Power Pages is critical for protecting sensitive data, ensuring the integrity of your portal, and controlling how users interact with the Dataverse. Power Pages allows you to expose Entity Forms (also known as Basic Forms) to users, and these forms can be public or private depending on your design. However, improperly configured forms can lead to unauthorized data access or data leaks.
In this guide, you’ll learn step-by-step how to secure your forms in Power Pages using best practices around Web Roles, Table Permissions, CAPTCHA, Form Modes, and more.
What Is a Secure Form?
A secure form in Power Pages:
- Only allows authorized users to submit or view the form
- Prevents unauthorized access to data
- Uses Table Permissions correctly
- Ensures data validation and sanitization
- Uses CAPTCHA to block bots
- Has role-based access control via Web Roles
Step 1: Use Authenticated Access Where Needed
If your form is collecting personal, financial, or business-critical data:
- Require user authentication before submission.
- Do not expose sensitive forms to anonymous users unless absolutely necessary.
How to Enable Authenticated Access:
- Go to Web Page > Set Page Permissions
- Enable Restrict Access
- Add Web Role(s) such as “Authenticated Users”, “Customers”, or “Admins”
Step 2: Configure Table Permissions Properly
To ensure only authorized users can submit or view form data, always configure Table Permissions.
How to Configure Table Permissions:
- Open Portal Management App
- Go to Table Permissions under Security
- Create a new permission:
  - Table Name: Match the form’s table (e.g., “Contact”, “Case”, etc.)
  - Access Type: Create / Read / Write / Append / Append To (choose what’s needed)
  - Scope: Usually “Contact” (records linked to the logged-in user)
  - Web Role: Assign roles allowed to use the form
- Save the Table Permission
- Go to the Entity Form / Basic Form
- Check “Enable Table Permissions” checkbox
If Table Permissions are not enabled, any user may access the form—even anonymous ones.
Step 3: Assign the Correct Web Roles
Web Roles determine who can see and use the form. Without this, permissions won’t take effect.
Tips:
- Use descriptive role names: “CustomerUser”, “InternalReviewer”, “SalesAgent”
- Assign roles through Contacts in Portal Management
- Always test roles with dummy accounts
Step 4: Set Correct Form Mode
Form modes control what users can do:
- Insert Mode: To allow creating new records
- Edit Mode: To update existing data
- Read-Only Mode: For viewing only
Best Practice:
- Use Insert Mode for new submissions
- Use Edit Mode only with strict Table Permissions and identity validation
Step 5: Validate Input and Use Business Rules
Even with access controls, invalid or harmful input (like scripts or injections) can be submitted.
Security Tips:
- Use field validation in the Dataverse
- Apply Business Rules to validate logic (e.g., Required fields, regex for email/phone)
- Avoid allowing users to submit free-form HTML or scripts
Step 6: Use CAPTCHA for Bot Protection
CAPTCHA prevents spam and bot submissions on public forms.
How to Enable CAPTCHA:
- In Portal Management App, go to the Site Settings
- Add a site setting:
  - Name: Authentication/Registration/EnableCaptcha
  - Value: true
- Ensure captcha is enabled in your Entity Form settings
This activates CAPTCHA for anonymous submissions and, depending on the form’s CAPTCHA settings, for authenticated submissions as well.
Step 7: Set Form Submission Redirect or Thank You Page
To prevent resubmission on refresh, always redirect after submission.
- Go to Entity Form settings
- Set Redirect URL after successful form submission
- Or show a confirmation message with a success token
Step 8: Use Liquid or JavaScript for Dynamic Security
- Use Liquid to show/hide form sections based on Web Roles
- Use JavaScript to disable form elements conditionally
- Always validate on both client side (JavaScript) and server side (Dataverse rules)
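The client-side half of steps 5 and 8, as an added example that is not code from the original guide: a small validator for a hypothetical Contact basic form, wired into the webFormClientValidate hook that basic forms expose for custom JavaScript. The column names, rules and the input-id convention are assumptions for the demonstration; the same rules must exist as Business Rules and Table Permissions in Dataverse, because these checks only give feedback in the browser and enforce nothing on the server.

```javascript
// Added example, not code from the original guide. Client-side checks that
// mirror server-side rules for a hypothetical Contact basic form; they improve
// user feedback only. Table Permissions and Business Rules in Dataverse remain
// the enforcement point, so the same rules must exist there.

// Assumed column logical names and rules for the demonstration form.
const FIELD_RULES = {
  emailaddress1: { required: true, maxLength: 100, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  telephone1: { required: false, maxLength: 20, pattern: /^\+?[0-9 ()-]{7,20}$/ },
  description: { required: false, maxLength: 2000, noMarkup: true },
};

// Returns an array of error strings; an empty array means the values pass.
function validateFields(values, rules = FIELD_RULES) {
  const errors = [];
  for (const [name, rule] of Object.entries(rules)) {
    const raw = values[name];
    const value = typeof raw === 'string' ? raw.trim() : '';
    if (rule.required && value === '') { errors.push(`${name}: required`); continue; }
    if (value === '') continue;
    if (rule.maxLength && value.length > rule.maxLength) errors.push(`${name}: exceeds ${rule.maxLength} characters`);
    if (rule.pattern && !rule.pattern.test(value)) errors.push(`${name}: invalid format`);
    // Free-text fields must not carry HTML or script markup (step 5).
    if (rule.noMarkup && /<[^>]*>/.test(value)) errors.push(`${name}: markup is not allowed`);
  }
  return errors;
}

// Reads the rendered inputs; this example assumes each column's input has an
// id equal to its logical name.
function readFormValues($, rules = FIELD_RULES) {
  const values = {};
  for (const name of Object.keys(rules)) values[name] = $('#' + name).val();
  return values;
}

// In the browser, wrap the basic form's webFormClientValidate hook so the form
// only submits when the checks pass. Outside a browser this section is skipped.
if (typeof window !== 'undefined' && window.jQuery && typeof webFormClientValidate === 'function') {
  (function ($) {
    const original = webFormClientValidate;
    webFormClientValidate = function () {
      if (original.apply(this, arguments) === false) return false;
      const errors = validateFields(readFormValues($));
      if (errors.length > 0) { window.alert(errors.join('\n')); return false; }
      return true;
    };
  }(window.jQuery));
}
```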
Step 9: Keep Your Table Fields Clean and Secure
- Avoid exposing internal fields to portal users
- Mark internal fields as hidden
- Remove unnecessary columns from the form
Step 10: Enable Auditing and Logging
- Turn on Auditing in the table settings (Dataverse)
- Log suspicious form access or submission patterns
- Use Azure Monitor, Application Insights, or custom logging for advanced tracking
Summary: Best Practices Checklist
| Step | Task | Required For Security? |
|---|---|---|
| 1 | Require login for private forms | ✅ |
| 2 | Enable and configure Table Permissions | ✅ |
| 3 | Use correct Web Roles | ✅ |
| 4 | Set appropriate Form Mode (Insert/Edit) | ✅ |
| 5 | Validate input with rules and constraints | ✅ |
| 6 | Enable CAPTCHA | ✅ (for public forms) |
| 7 | Redirect after submission | ✔️ |
| 8 | Use Liquid/JS to dynamically control visibility | ✔️ |
| 9 | Hide sensitive/internal fields | ✅ |
| 10 | Audit and log form activities | ✅ |
Common Mistakes to Avoid
- Leaving Table Permissions disabled
- Using Edit Mode without validating user record access
- Not restricting page access for private forms
- Allowing anonymous access to sensitive submission pages
- Not validating input fields
- No CAPTCHA on public-facing forms