Power Pages security

An important consideration when you build public-facing websites is how to make sure that only the correct stakeholders can access critical business data. Use the Security workspace in design studio to monitor, protect, and manage your Power Pages sites.

To make sure your business information is properly protected, Power Pages has a robust security model that encompasses the following key components:

Site visibility

The site visibility setting controls who can access the sites you create in Power Pages. By default, all Power Pages sites are available to users who are internal to your organization. The extra layer of security that Microsoft Entra authentication provides helps to prevent accidental leaks of partially developed website data and designs.

When your website is ready to go live, change the site visibility to public. The public setting makes the site accessible to everyone over the Internet anonymously or to users authenticated through identity providers.

Authenticated users

Microsoft Dataverse contact records represent Power Pages users. Users can get access to your site through authentication. You can integrate Power Pages with authentication providers like Azure AD B2C, Microsoft, and LinkedIn. Authenticated users can be assigned web roles that provide specific access to information on the site.

Web roles

Web roles allow users to perform special actions or access protected content and data on the site. Web roles link to users, table permissions, and page permissions. Because users can be assigned multiple web roles, they can get cumulative access to site resources.

All authenticated users, or contacts, are automatically assigned to the Authenticated Users web role. Anonymous, or unauthenticated, users can visit a site and get access to assets through the Anonymous Users web role.

Table permissions

Access to Dataverse information through lists, forms, Liquid, and the Web API is protected by table permissions. You can configure table permissions to allow different levels of access and privileges to Dataverse records. Table permissions are associated with web roles to provide appropriate access to users.

Page permissions

Page permissions that are associated with web roles to allow access can protect content and components on individual pages.

HTTPS headers

The cross-origin resource sharing (CORS) protocol consists of a set of headers that indicates whether a response can be shared with another domain. You can configure CORS support in Power Pages using the Portal Management app by adding and configuring the site settings.

For more information, go to HTTP headers.

Security scan (preview)

Security scan allows makers to perform thorough evaluations of their websites, detect common security threats, such as cross-site scripting (XSS) or the use of insecure libraries, and offers solutions for efficient resolution of these threats to improve security for your site.

More website security

You can integrate Power Pages sites with any web application firewall infrastructure, such as Azure Front Door, to provide extra protection against common web application attacks.

Deep dive: architecture and security

The following white papers allow you to explore Power Pages architecture and security at a deeper level.

White paper Description Date
Power Pages Architecture white paper This white paper provides a comprehensive view of the capabilities of the Power Pages platform. It describes the architectural elements that enable Power Pages to scale, offer high reliability and availability, and protect business data to offer enterprise-grade compliance and security. October 2022
Power Pages Security white paper This white paper describes how Power Pages offers enterprise-grade security and the tools and capabilities it offers for administrators and makers to harden security for their external applications. October 2022

See also

Power Platform security
Azure security
Intro to Power Pages security (video)