Overview of a Tenant Isolation in the Power Platform
What is Tenant Isolation?
Tenant Isolation is a way of protecting your data from unwanted or unexpected data exchanges. Tenant Isolation allows you to isolate your tenant so that external users cannot authenticate into your tenant while also blocking any internal users from logging into external tenants. This ensures that your data is protected and cannot be easily shared or stolen by configuring simple actions that might otherwise copy or move data to external tenants. By configuring Tenant Isolation, only your domain can be used by solutions, apps, and flows within your organization. No other tenants are allowed.
As you can see, Tenant Isolation strengthens your tenant’s security by preventing any inbound or outbound data traffic.
If your organization operates multiple tenants and you’re hesitant to enable Tenant Isolation, rest assured. You have the flexibility to exclude specific domains from the Tenant Isolation policy for inbound and/or outbound connections. This means you can still authenticate using your tenant’s domain or ID, as well as the domains of other tenants you collaborate closely with, without compromising on security.
Let’s hear what Microsoft says about Tenant Isolation in the documentation:
Tenant isolation makes it easy for administrators to ensure that these connectors can be harnessed in a safe and secure way within the tenant while minimizing the risk of data exfiltration outside the tenant. Tenant isolation allows Global administrators and Power Platform administrators to effectively govern the movement of tenant data from Microsoft Entra authorized data sources to and from their tenant.
Microsoft
Tenant Isolation common questions and answers
How will current outbound/inbound connections react to the Tenant Isolation enforcement? Will they break?
- Yes, they will break, and the solutions, app, and flows can stop working if they use outbound connections.
How do I know if the Tenant Isolation is good for my organization?
- If you work with any other tenants in your organization, you should think about turning on the Tenant Isolation. But if you don’t work with any other tenants, and you are certain that there should be no inbound or outbound connections, you should definitely think about turning on the Tenant Isolation to make sure that there are any unwanted connections that can be used to steal your organization’s data. You must be sure that it’s not happening – “I am not expecting any unwanted connections” is not enough.
How do I know if any outbound or inbound connections exist in my tenant?
- As for outbound connections (those that were created from your tenant and authenticated to other tenants), you can use Power Automate and build the flow that will list all available connections for all users across all environments. In this flow, use a filter to list only connections that are not using your organization’s domains. I will to write an article showing how you can do this yourself!
How do I know if Tenant Isolation is turned on in my tenant?
- Try creating the connection in a flow or an app using an account that doesn’t belong to your organization. Remember that within the tenant, there can be many different domains. You can ask your IT department this question as well — I’m sure they will give you the answer if it’s not confidential.
Where can I turn on the Tenant Isolation?
- If you are the Power Platform Admin (you have a Power Platform Admin role assigned), you can find this option in the Power Platform Admin Center under Policies. Follow my guide below — I am showing you how to turn on tenant isolation there.
Set up Tenant Isolation in your tenant
Turning on the Tenant Isolation
!Remember. To turn on the Tenant Isolation, you must have a Power Platform Admin or a Global Admin role assigned.
To start, open the Power Platform Admin Center.
Then, under “Policies,” click “Tenant Isolation.”
Here, you can find the toggle button, that allows you to turn on the Tenant Isolation for your tenant.
Configure allowlist for Tenant Isolation policy
“Allowlist” allows you to exclude other tenants from the Tenant Isolation policy. So users will be able to establish connections
- outbound (from other tenants to your tenant)
- inbound (from your tenant to other tenants).
To add a tenant to the allowlist, click the “+ New tenant rule” button at the top of the Tenant Isolation page.
On the right, there should be a popup opened.
Provide the configuration for the direction and the tenant domain or ID. So, allow the inbound and/or outbound connections to be established for your chosen tenant.
Summary
In my opinion, Tenant Isolation is necessary for many organizations. In the Power Platform, numerous connectors could be used to steal data from your tenant. Configuring Tenant Isolation ensures that users work exclusively within your tenant, disallowing any external connections. Consider implementing Tenant Isolation, especially if you are uncertain about the presence of any inbound or outbound connections that could compromise your valuable data.
So, we are at this point where I should thank you for your time and reading this article. Feel free to rate this article and comment if you liked it. If you have any questions, feel free to contact me (via contact@poweruniverse.org), but first, you may be interested in joining a Newsletter. Hmm? (Sign up here) If you already did, wow, thanks, thanks a lot
Through my Newsletter, I share exclusive insights into my work, plans for the upcoming weeks, and in-depth knowledge about the Power Platform Universe and the IT world. If you’re interested in staying ahead in the Power Platform Universe, I invite you to join! Rest assured, I’ll be sending the latest Newsletter to everyone who signs up!
See you!
Daniel Ciećkiewicz
I am a Senior Power Platform Consultant focused on Dataverse, Power Apps, and Power Automate. I was also a Team Leader responsible for the Power Platform Team and their development paths.
In my private life, I like video games, sports, learning & gaining knowledge, and a taste of good Scotch Whisky!
Ooo, I almost forgot, I love our Polish Tatra Mountains!
Power Apps Licensing Explained
Power Apps Licensing – this is something every Power Platform expert must know. In this article I will walk you through the cons and pros of available plans.
Understand Delegation in Power Apps
In this article I will walk you through delegation in Power Apps and I will show you many interesting concepts how to work with delegation and understand Delegation in Power Apps!
Connection vs connection reference in Power Platform
In this article I will tell you what is the difference between connection and connection reference in Power Platform. It is very good to know the advantages.
Overview of a Tenant Isolation in the Power Platform
What is Tenant Isolation in the Power Platform? How does it work and how do you know it will be good for your organization? Check the article!
The most interesting Power Platform features of 2024 – Wave 1 update
Do you want to know what updates are coming in 2024? This article will tell you more about incoming updates for Power Platform in Wave 1.
Use a Service Principal to run Dataverse actions in Power Automate
Do you want to learn how to use a Service Principal to work with Dataverse actions in Power Automate? This article is for you. Check it out.
Overview of a Tenant Isolation in the Power Platform
What is Tenant Isolation in the Power Platform? How does it work and how do you know it will be good for your organization? Check the article!
The most interesting Power Platform features of 2024 – Wave 1 update
Do you want to know what updates are coming in 2024? This article will tell you more about incoming updates for Power Platform in Wave 1.