Take care about your default environment
The default environment is created automatically for each tenant and every user in that tenant got access to it. It’s created in the region closest to the default region of the Azure AD tenant and it comes without a database, unless you provision Dataverse to it. Therefor every user who signs up to Power Apps or gets a license assigned is added the Maker role.
Why should we care?
The default environment is different from all the other kind of environments:
- It can’t be deleted.
- It can’t be backed up.
- It can’t be restored.
- user who open the app maker studio or Power Automate will end up in the default environment automatically
- Flows which are being created from a SharePoint list will be stored in the default environment
- Customized Forms for SharePoint will be stored in the default environment
In conclusion there are two main characteristics about the default environment:
- Every user who got a license has got access
- It’s difficult to manage
hint! User can access the maker studio (make.powerapps.com or flow.microsoft.com) even without a license. They can build apps but they can’t publish it. Yet they can run it in playmode and if you haven’t blocked any connectors, flows and other functionalities within this app will actually run. Even though the users don’t have a license.
Therefore it is important for you to know a few best practices and take care about your default environment.
Rename the default environment
Microsoft intends to use the default environment for any personal productivity usecases. It’s the place for every Power Platform solution that only affects the own user account. Therefore the recommondation is, to rename it to make that clear. The most common name is “Personal Productivity”. The default naming is name of your tenant (default) and you can rename it in the Power Platform Admin Center.
Select Environments, then select your default environment. In the default menu, select Edit, choose a new name and select Save
This way all users get an indication that this environment is meant for personal productivity and not for critical usecases or solutions that affect more than the own account.
Set up a data loss prevention policy
Since every user has access to the default environment and even without a license flows can be triggered, it makes sense to set up a data loss prevention policy (short: DLP). You don’t want important and critical usecases be build in the default environment due to the special characteristics of it, so we want to allow connectors of all the Microsoft 365 services our user have access to. Yet you want to exclude Dataverse and block all connectors from 3rd parties. You will end up with the following connectors per category:
Business (exclude all the apps users don’t have access to)
- OneDrive for Business
- Defender for Cloud Apps
- Excel Online (Business)
- Microsoft Kaizala
- Dynamics 365 Customer Voice
- Office 365 Outlook
- Office 365 Groups
- Office 365 Groups Mails
- Office 365 Users
- OneNote (Business)
- Power Apps Notification
- Power Apps Notification V2
- Power BI
- Shifts for Microsoft Teams
- Skype for Business Online
- Microsoft Teams
- Microsoft To-Do (Business)
- Microsoft Dataverse (legacy)
- Microsoft Dataverse
- all the other connectors
Important! There are constantly new connectors added, so we make sure to set the default group for new connectors to Blocked. This way every new connector automatically gets sorted into the blocked category and our DLP stays always up to date.
In the Power Platform Admin Center, we select Data policies, in the Prebuild connectors menu we select the cog wheel in the upper right corner. We select Blocked and then Apply.
Change SharePoint custom forms
You can change where SharePoint custom forms are stored instead of the default environment with the PowerShell Administrator module.
Get-AdminPowerAppSharepointFormEnvironmentgets you the name of the current environment that is used for custom SharePoint forms
Set-AdminPowerAppSharepointFormEnvironment –EnvironmentName 'EnvironmentName' let’s you set a different than the default environment.
There you have it, with this we should have built a well equipped default environment to roll out Power Platform in our organization.
I welcome comments, remarks and discussions about your experiences with Power Platform Governance.