Last time out, we spoke about the Power Platform CoE Starter Kit. This largely focused on what it is, what’s available and a few tips for the installs (find the article here).
However, the installs are the easy bit. What do you do with it once it’s installed? Will it gather dust and never get any use, or can you use it to great effect? The true art & value in the CoE Starter Kit is what you do with it once it’s in place, so that’s the theme of this article.
In keeping with the series, this will focus on the Power Platform admin’s responsibilities.
Intro
I remember my first proper install back in 2019, where our Lead Power Platform Developer got an install sorted for us. The day after, we decided to work from my house so we could a) analyse together in-person and b) proper nerd out. In fact, we sat in the same room that I’m typing up this article! Our first action post-install was opening the Production dashboard and looking at some of the activity.
We knew the environment landscape to a degree because, as part of the Microsoft 365 admin team, we would provision them. What we didn’t have any idea about was the sharing levels of solutions, or what connectors were being used that shouldn’t have been.
Fast forward to the present day. We take a lot from that experience to help shape CoE Starter Kit engagements with customers. More often than not, we’ll recommend starting to interrogate the key reports that you’ll have set up during the install process.
Analysis
We’ll start by saying that how to use the CoE Starter Kit is well documented by Microsoft. There is a dedicated section for how to use the kit. When expanded, you have some key articles that will help you with using the Power BI reports you should have set up:
At time of writing there are two key reports – the Production dashboard & Governance dashboard:
Both are going to offer you some excellent insight into your Power Platform estate. We’re not going to go through every single page of the reports; that would take ages. What we can do is focus on what we consider the key ones, especially if you’re attacking this for the first time.
Production dashboard
Two essential places to start will be environments and connectors. From there, we might want to further analyse activity within those environments at asset level and what connector(s) they’re using.
Environments
For some, you’ve been ‘rewarded’ with the role of Power Platform admin because “you built a few apps, so you know more than the rest of us”. So where do you start?
Environments are your containers for Power Platform assets. Each environment can have its own security, features and solutions. There’s a high chance some environments already exist in your tenant and you need to make sense of them. You may also need to start working on a good environment strategy. There are different environment types; this dashboard page gives a good bird’s-eye view of them and the number of apps & flows in each.
Each environment type needs its own thought on how it’ll fit into your strategy.
Developer
Developer environments relate to the Power Platform developer plan. This gives makers a dedicated environment to build & test Power Platform solutions. Think of it like your OneDrive for Business but for the Power Platform. By default, makers can create these. If you don’t wish for this to happen, you can adjust the related tenant setting so admins will be responsible for creating them instead.
There’s a balance to be had here; you want people to experiment & innovate, but by the same token you don’t want a tenant full of empty environments. If admins will be responsible, what’s the process for a maker to request one? What questions will you ask? Do they agree to decommission the environment if there’s no activity in x period of time?
Dataverse for Teams
When it comes to Dataverse for Teams environments, there’s just as much to consider. These came into play in September 2020 to help businesses innovate quickly, for free, during Covid. Think of these like a gateway drug to full-fat Dataverse environments. You’re able to create a Dataverse for Teams environment without even knowing it. Installing one of the pre-made templates will do just that, so it’s not uncommon to see lots of these environments in your tenant:
These days, I see a lot of the following with these:
1- A D4T environment has been provisioned using a template. It’s not been extended or used, or
2- A D4T environment has been provisioned and someone is building a small solution. The solution is a duplication of effort as it’s also being built in a dedicated Power Platform environment.
It may take some time to get to the bottom of these environment types. You can use other tabs in the report, such as Apps or Cloud Flows, to filter by these environments to better understand the content.
Strategy wise, how will you approach these? You can prevent makers from provisioning these environments to build custom solutions, by using app permission policies. But to the best of my knowledge, makers can still get started with an app template and provision an environment that way.
It’s a good job then, that those awesome folks in the Microsoft Power CAT team created the D4T environment management template. This will help you manage these environment types, or give you the inspiration to build your own similar process.
Production/Sandbox
You’ll likely have a few of these, each with their own apps & flows. Some of these may be live, whilst others may be redundant and have been gathering dust for a while. There are a few good questions to start asking, such as:
What’s being built in these environments?
What data is being captured and who owns it?
What’s the security/access like?
What area of the business does it relate to?
How many users currently have access?
What do I need to do with the Default environment?
You might then consider other questions and how they might impact your environment strategies:
That environment with a small number of apps, can we merge them with another environment?
Do we need dedicated test & production environments for some of this?
Do we need to convert any existing environments to Managed Environments?
What’s going to be the process to request a new environment?
What questions do we need to ask?
What role(s) will the requestor play in terms of owning data & security?
First tab in and already a few directions of travel. That leads nicely into the next important reference point – connectors.
Connectors
Followers of this blog & anyone who knows me, knows I love a bit of Power Platform DLP. Don’t ask me why, it’s just my jam. The Connector Deep Dive is a super valuable tab to support your DLP strategies:
I go back to that first ever major install in 2019; it was this tab we started with, as we knew our environment architecture very well. We just didn’t know what was happening in those environments.
The focus here is ensuring the connectors being used align to your business strategies & objectives. Understanding the good, bad & ugly of connectors will help you determine what you should and shouldn’t use in the Power Platform.
Microsoft-approved
Safe to say the usual suspects with high usage will be SharePoint, Teams, OneDrive, Office 365 Outlook, Dataverse etc. It’s perhaps ones with smaller numbers that might represent a bit of danger. For some orgs seeing connectors like this might raise some alarm bells:
If you’re fresh to connectors and which ones could or should be used, please feel free to work through the Power Platform DLP articles here. I’ve shared a lot of (hopefully useful) content there. Away from that though, another set of questions (in no particular order):
Should this connector be available to everyone, specific environments only, or no-one?
Is usage of this connector in line with my company’s Acceptable Use Policy?
If I block the connector, what’s the impact?
What’s the process for someone to request a connector in future?
The further down this rabbit hole you go, you’ll likely find your DLP strategy will help with your environment strategy, and vice versa. But it’s easy to see how many questions and answers you might get just from 2 pages of the dashboard!
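The "If I block the connector, what's the impact?" question can be worked through on an export of your inventory before any policy goes live. The sketch below is an added example, not code from the CoE Starter Kit or its DLP Impact Analysis app; the inventory rows, the proposed policy and the column layout are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory rows: (environment, type, name, connector).
# The layout is hypothetical, not the CoE Starter Kit table schema.
INVENTORY = [
    ("Default", "flow", "Invoice approvals", "SharePoint"),
    ("Default", "flow", "Invoice approvals", "Office 365 Outlook"),
    ("Default", "flow", "Tweet new leads", "Dataverse"),
    ("Default", "flow", "Tweet new leads", "Twitter"),
    ("Default", "app", "Desk booking", "SharePoint"),
    ("Default", "app", "Desk booking", "Dropbox"),
    ("Default", "flow", "Personal reminders", "Twitter"),
    ("Sales-Prod", "flow", "Lead alerts", "Dataverse"),
    ("Sales-Prod", "flow", "Lead alerts", "Twitter"),
]

# Proposed policy (constructed). Unlisted connectors fall into default_group;
# environments=None means the policy applies to every environment.
POLICY = {
    "business": {"SharePoint", "Office 365 Outlook", "Dataverse"},
    "blocked": {"Dropbox"},
    "default_group": "non-business",
    "environments": {"Default"},
}


def classify(connector, policy):
    """Place a connector in the blocked, business or default group."""
    if connector in policy["blocked"]:
        return "blocked"
    if connector in policy["business"]:
        return "business"
    return policy["default_group"]


def dlp_impact(inventory, policy):
    """Return {(env, type, name): reason} for resources the policy would break."""
    scope = policy["environments"]
    used = defaultdict(lambda: defaultdict(set))
    for env, kind, name, connector in inventory:
        if scope is None or env in scope:
            used[(env, kind, name)][classify(connector, policy)].add(connector)

    impacted = {}
    for resource, groups in used.items():
        if groups["blocked"]:
            # A blocked connector cannot be used at all.
            impacted[resource] = "blocked: " + ", ".join(sorted(groups["blocked"]))
        elif groups["business"] and groups["non-business"]:
            # One app or flow cannot combine connectors from both groups.
            impacted[resource] = "mixed groups: " + ", ".join(
                sorted(groups["non-business"]))
    return impacted


if __name__ == "__main__":
    for (env, kind, name), reason in sorted(dlp_impact(INVENTORY, POLICY).items()):
        print(f"{env:<11}{kind:<5}{name:<20}{reason}")
```

Scoping the same policy to every environment instead of only Default also catches the Sales-Prod flow, which is where the DLP and environment strategies start to inform each other.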
Makers
Your environments show you where things are being made, but who is making them? This page of the report is great to find out who your most active makers are.
Why’s this important? Perhaps you want to start to eulogise about the Power Platform internally. As an admin with endless work coming out of your ears, you can’t be an evangelist as well! But here’s a bunch of people creating things already, they might be able to help! Offer them opportunities to engage with you, for example in a dedicated Teams channel. Work with them to identify best practices, standards, common patterns and other important things that can be shared. Use them as a sounding board and testing bed for your environment, DLP and other strategies. Bring your internal community with you.
On the flipside, there’s always at least one person who wants to be a d**k. Every organisation has one, you know the kind I’m talking about:
1- Doesn’t want to follow guidelines, they’ll do things their own way.
2- Company branding? No thanks, I’ll create my own branding using my own name.
3- Dev, test & production? I’ll just make all my changes against the live app.
4- Change processes? Who needs those.
We’ve seen it countless times. So, if you have that type of maker on your radar, the Makers tab can be useful for a window into what they’re doing. Use the Apps & Cloud Flows pages to support the positive and not-so-positive Makers.
Deep dives
Specifically, the App Deep Dive and Flow Deep Dive. Here you can identify your top assets, who has access to them, when they were last launched and more. These are factors once again for helping to determine a good environment strategy – or whether the one you’ve put in place is working.
Unrelated, are you like me and remember decomposition trees in PerformancePoint? Absolutely loved those badboys. I remember when Power BI first came out, that was such a big thing that was being asked for. They made their way into Power BI a while back now, if you’ve not used them in your reports then they could add a lot of value!
Governance dashboard
The governance dashboard is a useful set of visuals to get granular with your estate! From a Power Platform admin point of view, this will be the report to focus on in terms of clean-up operations, red flags and other (potentially critical) information.
In some ways, it’s hard to pinpoint specific figures you need to look at and investigate. They’re all important to ensure a healthy tenant. However, some will provide more risk than others. Either way, for each tile on the page you can right-click to access additional options and drill into the data.
In our experience, focusing on the following first is a good place to start:
Cross-tenant connections
Are makers building apps and flows that connect to other tenants?
This is a key piece to drive any potential strategy for enabling Tenant Isolation. If enabled, do you need to enable specific tenant(s) to maintain continuity? I’ve worked with a client who has over 15,000 cross-tenant connections but they were all legitimate. I worked with another client that had 2 and they were both leaking data. So, don’t fixate on the numbers per se, but on the data.
Flows using HTTP actions
What endpoints are makers calling or sending data to?
You can also include the tile here for Custom Connectors with HTTP Endpoint, as the analysis is the same.
If you have HTTP connectors available to use, it’s worth checking what APIs they’re calling. If they’re performing a GET, what information is coming into my tenant? If they’re performing a POST, what information is leaving my tenant? What authentication methods are being used? Do we have data sharing agreements in place? Are my Security & Data Governance teams aware?
This will be key in shaping your DLP strategies. Agreed endpoints can continue to be allowed on a case-by-case basis, while you block the ones you don’t want connectivity with.
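One way to turn those questions into a repeatable check over an exported list of HTTP actions is sketched below. It is an added example, not part of the CoE Starter Kit; the agreed hosts, the sample rows and the way the URI is stored in the export are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hosts agreed with Security & Data Governance (constructed for this example).
AGREED_HOSTS = {"api.contoso.example", "graph.microsoft.com"}

# Constructed sample rows: (flow name, HTTP method, URI as stored in the flow).
HTTP_ACTIONS = [
    ("Sync HR records", "GET", "https://api.contoso.example/v1/staff"),
    ("Export leads", "POST", "https://hooks.unknown-vendor.example/in"),
    ("Legacy stock feed", "GET", "http://api.contoso.example/stock"),
    ("Spoof check", "POST", "https://api.contoso.example.evil.example/x"),
    ("Dynamic target", "POST", "@{variables('targetUrl')}"),
]


def review(method, uri, agreed_hosts):
    """Return (direction, verdict) for one HTTP action."""
    # Methods that carry a request body send tenant data out; anything else
    # is treated as pulling data in for the purposes of this triage.
    sends_body = method.upper() in {"POST", "PUT", "PATCH"}
    direction = "outbound" if sends_body else "inbound"
    if uri.lstrip().startswith("@"):
        # URI is built from an expression at run time, so the target host
        # cannot be judged from the export alone.
        return direction, "manual review: dynamic URI"
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    # Exact host match: a suffix or substring test would accept look-alikes
    # such as api.contoso.example.evil.example.
    if host not in agreed_hosts:
        return direction, "not agreed: " + (host or "unparseable")
    if parts.scheme != "https":
        return direction, "agreed host, but not HTTPS"
    return direction, "ok"


def triage(actions, agreed_hosts=AGREED_HOSTS):
    """List every action needing follow-up, outbound data flows first."""
    findings = []
    for flow, method, uri in actions:
        direction, verdict = review(method, uri, agreed_hosts)
        if verdict != "ok":
            findings.append((flow, direction, verdict))
    return sorted(findings, key=lambda f: (f[1] != "outbound", f[0]))


if __name__ == "__main__":
    for flow, direction, verdict in triage(HTTP_ACTIONS):
        print(f"{flow:<18}{direction:<9}{verdict}")
```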
Suspended flows
Is there something that should be running, but isn’t?
If a flow is suspended, it won’t be running in any way, shape or form. The owner or co-owner will need to fix the issue(s) so it can be operational again. Unless there’s some good error handling (unlikely with your average maker?), there’s a good chance suspended flows go unnoticed. There can be a few reasons a flow might be in a suspended state:
1- the trigger keeps failing.
2- one or more actions keep failing.
3- some kind of licensing issue.
If these are business-critical processes, get the relevant owners to fix their flow ASAP.
Apps and flows not in solutions
These won’t be part of environment backup and restore operations!
That’s right, your awesome apps and flows aren’t included in environment backups unless they’re in a Dataverse solution. If you need to restore the environment, it won’t include these apps/flows. Don’t lose all your hard work.
Adding apps & flows to a solution might not be as easy as you think, either. This is where you’ll need to work with your makers and ask them to create solutions, then add existing items.
Other mentions
Apps and flows with no owners are also something to target. By owner, it means the original creator of the app/flow. If they have since left the organisation, their Active Directory account will have been disabled. Ensure these apps and flows have assigned co-owners and/or a new nominated owner.
Apps and flows with demo or test in the name are opportunities. People in your organisation are dipping their toes in the water. Maybe you can help them, invite them to your low code/champions community. Turn those tests into something tangible.
Environments with no apps or flows is a quick win too. If they were created ages ago and have no content, chances are they’re not needed. They may have also been created without your environment strategies in mind. Repurpose and rename these environments or throw them in the virtual bin.
Apps with duplicate names is a funny one. If you are passing solutions through multiple environments (i.e. dev, test & prod) then yes, you’ll have apps with duplicate names. Likewise, if you have x2 environments for the CoE Starter Kit (as is the recommendation). There’s also a bunch of system apps that’ll be in every environment. BUT, if you can break down the analysis after all of that, you might spot the odd app with a duplicate name, in 2 completely different, unrelated environments. Then it’s time to act & bring them together.
Quick tip
A flow might be suspended, not in a solution, have no owner and call a dodgy API endpoint.
Sometimes, cleaning up an app or flow relating to one thing will also reduce figures elsewhere. Don’t therefore think that all the numbers are bad or will take ages to remedy.
Extending the CoE Starter Kit
In the previous post, we mentioned that the CoE Starter Kit isn’t a silver bullet. It’s not going to automatically fix everything for you. It also won’t give you all the answers in the reports. So, extending the kit is the next logical step. This could be building your own reports, apps or full-scale automations to get the data you need, to then act on it.
By ‘extend’, we might also mean ‘completely rebuild from scratch, using the CoE tools as a guide’. For some tools in the kit, potentially everyone will need access (for example, the MS Teams governance process). With a tough economy & tighter budgets as a result, some orgs may not be able to afford a jump in Premium licensing but want the functionality. Seeing what’s in the kit & how it’s built offers you a guide to recreate what you need, using a more cost-effective data storing solution.
Costs aside, some orgs will choose to rebuild because they want additional fields or steps in the processes. The Environment Request tool is awesome, but if you want it to provision different environments based on internal business decisions/politics/structures, you’ll need your own process.
There’s a lot of data collated for you in the tables that make up the Core Components solutions. So, whether you want to take syncs/copies to other data sources or make your own Power BI reports, the root information is there for you to work with. You don’t have to completely reinvent the wheel.
Further reading/best practices
Before you embark on extending anything in the CoE Starter Kit, we urge you to read this article first. It’s super important. Knowing what you can & can’t customise is going to be helpful for your extension planning.
As per the CoE guidance, it’s important to have x2 installs of the kit; one for testing and one as your production instance. You therefore have a light ALM model to build, test and deploy your extensions.
I usually recommend creating a new solution in the CoE test environment. Copy the apps/flows you need and butcher them, build your own stuff, do whatever in this solution. When you’re ready, port it over to your CoE production instance.
Good apps to use
In the CoE Starter Kit, there are a few great apps any aspiring Power Platform administrator can make good use of. These can all be found within the Core Components solution of the kit.
CoE Admin Command Center
This app is a useful one-stop-shop for all your high-level admin needs. There are several options available in the left-hand menu, designed to give you easy access and visibility of:
Command Center: Are there any issues with the flows that pull data into your CoE Starter Kit tables? Are there any unmanaged layers in any of the CoE flows that will cause issues during upgrades? View and resolve issues here.
CoE configuration: update environment variables or email body text in this section.
Platform news: keep abreast of latest news & changes or outages here.
I highly recommend bookmarking this app; checking it for key events should become part of your daily routine.
CoE Setup and Upgrade Wizard
This one is kind of a no-brainer, as you’ll need it to set up the CoE Starter Kit for the first time. You’ll also be running through the wizard for each update.
For the latter, our biggest advice is to not ignore the messages you’ll see post-upgrade. Make sure to absorb the changes in case they’ll have any impact on your operations.
Don’t forget, setup for all CoE components and tools is done from this app in the first instance. Other parts with their own config steps are under More features:
DLP Impact Analysis
An important app for helping build your Data Loss Prevention strategies and implementations. Use this app to see what apps and flows might be impacted by DLP. I’ve covered this app in more detail here if you’d like to know more.
Manage Permissions
At time of writing, this is a new addition to the CoE Starter Kit. This is in part to modernise previous apps but also provides some other functionality as well.
As an admin, you may need to change ownership of an app or flow. Maybe the original creator has left & didn’t assign co-ownership. You may also have to perform some clean up operations or investigative work, and you’ll need access yourself.
Previously, we’d use the Set App Permissions or Set Flow Permissions apps. These have now been deprecated in favour of the Manage Permissions app:
The latter keeps the same functionality, with the ability to also view and manage Dataverse security roles and connections. Top work from the Power CAT team, as always.
Power Platform Admin View
If you’re not one for Power BI reports, we highly recommend using this app instead. This app sits on top of all the key CoE Starter Kit tables. It will give you insights into the same things as the Production dashboard and, as it’s a Model-Driven app, everything is clickable to drill down further.
You can also use this app to build custom views that are of interest, export data to Excel for one-off exercises and a load more.
What valuable insights do you get from the CoE Starter Kit? How have you extended it? What are your go-to tips for using the kit? Let us know in the comments below.
Thanks for reading. If you liked this article and want more helpful insights into life as a Power Platform Administrator, don’t forget to follow us on socials 😊.
All articles in this focused series will be curated here. Feel free to add it to your favourites for your one-stop-shop for all your Power Platform Admin needs. Is there a topic we’ve not covered? Reach out to us and let us know!
Lindsay’s Blog, Twitter & LinkedIn.
Michael’s Blog, Twitter & LinkedIn.
Craig’s Twitter & LinkedIn.