Security in Power Pages is built on layers. Understanding this hierarchical model is essential for implementing secure customer portals. This interactive guide visualizes how administrators, custom roles, authenticated users, anonymous visitors, and system components work together.
Click on each security level below to explore how permissions work, what each role can access, and best practices for configuring your portal's security architecture.
Hierarchical Access Control Model
Click on any security level to explore details
Security Level Details
Click on any security level
to view detailed information
Key Takeaways
🎯 Essential Security Principles
- Administrator is just a name: No automatic privileges - all access requires explicit table permissions
- Multiple roles, cumulative permissions: Users can have multiple roles, permissions add up
- Authenticated Users role is automatic: Cannot be removed, assigned to ALL logged-in users
- Prefer specific scopes: Use Contact or Account scope over Global whenever possible
- System components respect permissions: Web API, Forms, and Lists all honor table permissions
Security Best Practices
✅ Do's
- • Use Contact or Account scope for B2B scenarios
- • Apply principle of least privilege
- • Enable column permissions for field-level security
- • Configure MFA for sensitive areas
- • Regular security audits of role assignments
- • Enable Dataverse auditing for compliance
❌ Don'ts
- • Don't use Global scope unless absolutely necessary
- • Don't grant broad permissions to Authenticated Users role
- • Don't implement security logic only client-side in JavaScript
- • Don't enable Web API without proper table permissions
- • Don't mix authentication providers without clear strategy
Implementation Guide
Here's a practical step-by-step approach to implementing secure Power Pages portals:
📋 Setup Checklist
-
1. Plan Your Roles:
Map business roles (Partner, Customer, Internal) to web roles
-
2. Define Table Permissions:
Determine which tables each role needs to access and with what scope
-
3. Configure Authentication:
Set up Entra ID (internal) and Entra External ID (external) providers
-
4. Implement Row-Level Security:
Use Contact or Account scope to ensure users see only their data
-
5. Enable Field-Level Security:
Configure column permissions for sensitive fields
-
6. Test Thoroughly:
Verify permissions with test users in each role
-
7. Enable Auditing:
Turn on Dataverse auditing for compliance tracking
Conclusion
Power Pages security architecture provides enterprise-grade access control without requiring deep security expertise. By understanding the hierarchical model and following best practices, you can build secure customer portals that protect sensitive data while providing excellent user experiences.
🎯 Need Help with Security Implementation?
I offer security audits and implementation guidance for Power Pages portals. Let's discuss your specific security requirements and ensure your portal is configured correctly.
Schedule Free Security Consultation
Tino Rabe
Microsoft MVP for Power Pages
With over 10 years of experience in Microsoft technologies, I help organizations implement secure and scalable Power Pages solutions. As one of the few German-speaking MVPs for Power Pages, I specialize in security architecture, compliance, and enterprise implementations.
→ Schedule Free Consultation