{
	"id": "8db70304-c9d0-40e6-aed1-7947808f47e6",
	"created_at": "2026-04-06T00:09:22.436156Z",
	"updated_at": "2026-04-10T13:11:49.797827Z",
	"deleted_at": null,
	"sha1_hash": "27ff70d6154534b22e7336eb7f61150e44d79398",
	"title": "Control Access to Power Apps and Power Automate with Azure AD Conditional Access Policies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 954369,
	"plain_text": "Control Access to Power Apps and Power Automate with Azure AD\r\nConditional Access Policies\r\nBy Developer Support\r\nPublished: 2020-05-09 · Archived: 2026-04-05 22:34:53 UTC\r\nMay 9th, 2020\r\n3 reactions\r\nCloud Solution Architects\r\nApp Dev Manager Roger Lamb and Dev Consultant Adam Toth detail how to control access to Power Apps and\r\nPower Automate using Azure AD Conditional Access Policies.\r\nUPDATE 9/9/2022: Microsoft Product Support requested an update to this article to indicate that blocking only\r\none of these products at a time could introduce various issues and is not supported.  If you are going to use this\r\npolicy to block Power Platform features, make sure you block both Power Automate and Power Apps at the same\r\ntime. The reason is that some features of one application are dependencies for another, for example some Power\r\nAutomate UI features require Power Apps functionality under the cover to work (Solutions, Dataverse, etc), and\r\nthose UI operations may fail if you block Power Apps but try and use the Power Automate Portal.\r\nOverview\r\nAs companies begin adoption of Microsoft 365 citizen developer platforms, such as Microsoft Power Apps and\r\nPower Automate (Flow), there is a growing demand to control access to these platforms. Governance and\r\nadministration best-practices are paramount to ensuring only authorized users have access to critical systems.\r\nWhen combined with multiple organizations and users, varying levels of access, and the need for user-level\r\npermissions, maintaining Power Apps and Power Automate solutions may be a challenge.\r\nEach Microsoft 365 tenant has a default environment provisioned for use with PowerApps and Power Automate,\r\nwhere any licensed user can contribute Power Apps and Power Automate workflows immediately. There is\r\ncurrently no mechanism to restrict the Maker role (i.e. 
who can create Power Apps and Power Automate workflows) in the Default environment, so many companies look for a way to limit access to these systems until a fully featured governance and administration process is in place, or until the platform has been vetted through pilot rollouts to a limited number of users.\r\nhttps://devblogs.microsoft.com/premier-developer/control-access-to-power-apps-and-power-automate-with-azure-ad-conditional-access-policies/\r\nFortunately, this can be achieved with Microsoft Azure Active Directory (AD) Conditional Access Policies.\r\nAbout Conditional Access Policies\r\nConditional Access Policies in Azure AD are a flexible way for administrators to control end-user access to Microsoft-based services. The diagram below illustrates how to wire up Conditional Access policies to restrict end-user access to both PowerApps and Power Automate.\r\nConditional Access policies in their simplest form are if-then statements: if a user wants to access a resource, then they must complete an action (or, as in this article, they are blocked outright).\r\nFind out more about Conditional Access (CA) policies in the Azure AD documentation.\r\nConditional Access Policies are available to tenants that subscribe to Azure AD Premium capabilities, including Azure AD Premium P1, P2, or a Microsoft 365 Business license.\r\nFor a comparison of Azure Active Directory P1 and P2 licenses and their pricing, see the Azure AD documentation.\r\nCreate a Conditional Access Policy\r\nTo create a Conditional Access Policy, first open the Azure portal and navigate to the Azure Active Directory blade. 
Access it through portal.azure.com or from the Admin Center links in the Office 365 Administration Center.\r\nOnce in the Azure AD management blade, select Properties.\r\nOn the Properties screen, select the Manage Security Defaults option at the bottom.\r\nMake sure that Enable Security defaults is set to No; Conditional Access Policies cannot be used while Security Defaults are on. Note that Security Defaults are the tenant's baseline protection (MFA registration for all users, MFA for administrators, blocking of legacy authentication), so if you turn them off, cover those protections with Conditional Access policies of your own rather than leaving them unaddressed.\r\nFor more information about Security Defaults, see the Azure AD documentation.\r\nOnce the defaults are turned off (they may already be off if Conditional Access has been used for other purposes, such as MFA and location-based access policies), the policy for accessing PowerApps and Power Automate (Flow) can be configured.\r\nReturn to the Azure Active Directory blade and select Security.\r\nIn the next blade, select Conditional Access.\r\nIn the next screen, click the New policy button to create a new policy.\r\nName the new policy.\r\nTo configure a new Conditional Access Policy: 1) define who and what the policy applies to, and 2) define what action to take for anything that matches step 1.\r\nStep 1. Configure the users that this new policy applies to. 
Under Assignments, select Users and Groups.\r\nSelect which users and groups to Include in and Exclude from the new policy. In the following example, access to PowerApps and Flow is blocked for most users and enabled only for pilot users.\r\nSince the new policy is intended to block access for most users, under Include select All users, and under Exclude select the pilot users, any Power Platform service administrators who need access, and your break-glass (emergency access) accounts. Prefer excluding a group rather than individual accounts, so that pilot membership can change without editing the policy.\r\nIMPORTANT NOTE: Be careful here to avoid locking out administrators; a policy that includes All users with no exclusions also applies to the administrators who manage the platform. See Microsoft's guidance on best practices for configuring CA policies, and on Block access and exclusions.\r\nOnce the users have been configured, select the Cloud apps that the new policy will apply to.\r\nClick Select apps and then the arrow to select. In the search bar on the following screen, search first for PowerApps and check it, then search for Microsoft Flow and select it as well. Both items should show as selected. (Per the 2022 update above, always select both; blocking only one of them is not supported.)\r\nClick Select at the bottom of the screen. 
The two apps should now appear as part of the policy.\r\nStep 2. Once the users and apps have been configured, the next step is to define what to do when the conditions are met. In this case, the purpose of the policy is to block access to these apps for most users but allow access for pilot users and admins.\r\nSelect the Grant option under Access controls and click the arrow.\r\nIn the Grant screen, select Block access.\r\nThe policy is now configured and ready for deployment. To activate the policy, select On under Enable policy. If you want to confirm the scope first, select Report-only instead: the policy is then evaluated and recorded in the sign-in logs without blocking anyone, and you can switch it to On once the results match your intent. Note also that Conditional Access is evaluated when a token is issued or refreshed, so a user with an existing session may keep working until that token expires.\r\nOnce the new policy is on, any user not excluded from it who tries to access PowerApps or Power Automate (Flow) will receive a block message upon signing in (shown in a screenshot in the original post).\r\nSummary\r\nWith just a few quick steps using an Azure AD Conditional Access Policy, it is easy to limit access to PowerApps and Power Automate. 
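The same policy built through the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. The two group IDs are placeholders you must replace with your own pilot and emergency-access groups; the two application IDs are the first-party Power Apps and Power Automate (Flow) service app IDs that sit behind the PowerApps and Microsoft Flow entries in the Cloud apps picker, and the script resolves them against the tenant before creating anything. It creates the policy in report-only mode and leaves enforcement as a separate, deliberate step.

```powershell
# Added example (not from the original post): create the block policy with the
# Microsoft Graph PowerShell SDK. Requires the Microsoft.Graph module and an
# account holding the Conditional Access Administrator role.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# ASSUMED placeholders: replace with the object IDs of your own groups.
$PilotGroupId      = '00000000-0000-0000-0000-000000000001'   # pilot makers who keep access
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # emergency-access and Power Platform admins

# First-party application IDs behind the "PowerApps" and "Microsoft Flow" picker entries.
# They are confirmed against the tenant below before the policy is created.
$Apps = @{
    '475226c6-020e-4fb2-8a90-7a972cbfc1d4' = 'PowerApps Service'
    '7df0a125-d3be-4c96-aa54-591f83ff541c' = 'Microsoft Flow Service'
}

foreach ($appId in $Apps.Keys) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) {
        Write-Warning "No service principal for $appId ($($Apps[$appId])) in this tenant; verify the ID against the Cloud apps picker."
    } else {
        Write-Host "Resolved $appId -> $($sp.DisplayName)"
    }
}

# Refuse to build an All-users block policy with no exclusions: that is the lockout the article warns about.
$Excluded = @(@($PilotGroupId, $BreakGlassGroupId) | Where-Object { $_ })
if ($Excluded.Count -eq 0) { throw 'Refusing to create an All-users block policy with no excluded groups.' }

$Policy = @{
    displayName   = 'Block Power Apps and Power Automate except pilot users'
    # Report-only first: sign-in logs show who WOULD be blocked without enforcing anything.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers  = @('All')
            excludeGroups = $Excluded
        }
        # Both apps together, per the 2022 support note: blocking only one is not supported.
        applications = @{ includeApplications = @($Apps.Keys) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
$Created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $Created.Id -BodyParameter @{ state = 'enabled' }
```

The service-principal lookup only warns rather than fails, because Conditional Access accepts a first-party application ID even when that app has never been used in the tenant; the warning is your cue to double-check the ID in the portal picker before flipping the policy to enabled.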
This quick fix allows time for companies to evaluate the platform, experiment with pilot users, and implement governance and administration best practices.\r\nAdditional resources for Power Platform governance and administration topics:\r\nPower Platform CoE Starter Kit\r\nPower Platform Governance White Paper\r\nAuthor: Cloud Solution Architects\r\nMicrosoft Developer Support helps software developers rapidly build and deploy quality applications for Microsoft platforms.\r\nSource: https://devblogs.microsoft.com/premier-developer/control-access-to-power-apps-and-power-automate-with-azure-ad-conditional-access-policies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://devblogs.microsoft.com/premier-developer/control-access-to-power-apps-and-power-automate-with-azure-ad-conditional-access-policies/"
	],
	"report_names": [
		"control-access-to-power-apps-and-power-automate-with-azure-ad-conditional-access-policies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27ff70d6154534b22e7336eb7f61150e44d79398.pdf",
		"text": "https://archive.orkl.eu/27ff70d6154534b22e7336eb7f61150e44d79398.txt",
		"img": "https://archive.orkl.eu/27ff70d6154534b22e7336eb7f61150e44d79398.jpg"
	}
}