CRM Crate

What is tenant isolation & how to restrict cross-tenant connectivity in Power Platform?

In this article we will cover the concept of tenant isolation and how to restrict cross-tenant connections in Power Platform. Before we start, make sure to subscribe to CRM Crate so that you can stay up to date in the field of Power Platform.



The Microsoft Power Platform offers a rich ecosystem of connectors that rely on Azure Active Directory (Azure AD). These connectors let authorized Azure AD users build applications and workflows that connect to business data held in the underlying data stores.

Enabling tenant isolation simplifies the task for administrators, ensuring that these connectors can be utilized securely within the tenant while reducing the potential for data exfiltration beyond the tenant boundaries. Tenant isolation provides Global administrators and Power Platform administrators with the means to proficiently oversee the transfer of tenant data between Azure AD authorized data sources and their respective tenants.

It’s important to distinguish Power Platform tenant isolation from Azure AD-wide tenant restrictions. Power Platform tenant isolation specifically does not affect Azure AD-based access beyond the Power Platform scope. Its functionality is limited to connectors that employ Azure AD-based authentication, such as Office 365 Outlook or SharePoint.


How to turn ON the Tenant Isolation in Power Platform?

Follow the below steps for enabling the Tenant Isolation in Power Platform.

  1. Login into Power Platform Admin Center (https://admin.powerplatform.microsoft.com/) with an administrator account.
  2. In the menu, navigate to Policies >> Tenant Isolation.
  3. Here you can find the setting to turn ON the tenant isolation for your organization.


With tenant isolation turned off in Power Platform’s default configuration, cross-tenant connections can be effortlessly established when a user from tenant A, initiating the connection to tenant B, provides the requisite Azure AD credentials. Enabling tenant isolation allows administrators to restrict connections to or from their tenant to only a specific set of chosen tenants.

With tenant isolation On, all tenants are restricted. Inbound (connections to the tenant from external tenants) and outbound (connections from the tenant to external tenants) cross-tenant connections are blocked by Power Platform even if the user presents valid credentials to the Azure AD-secured data source. You can use rules to add exceptions.

Administrators have the option to define a specific list of permitted tenants for enabling inbound, outbound, or both connections, effectively bypassing tenant isolation controls when configured. By employing a special pattern “*”, admins can grant permission for all tenants in a particular direction when tenant isolation is active. Power Platform rejects any cross-tenant connections not included in the specified allow list.


What is Two-way tenant isolation?

Two-way or Bidirectional tenant isolation prevents connection initiation attempts to your tenant from other tenants. Moreover, it also prevents connection initiation attempts from your tenant to other tenants.

In the given scenario, the administrator of the CRM Crate tenant has activated two-way tenant isolation, and the external Digitek tenant has not been included in the allow list.
Despite having the necessary Azure AD credentials to establish the connection, Power Platform users signed in to the CRM Crate tenant are unable to initiate outbound Azure AD-based connections to data sources in the Digitek tenant. This is a reflection of outbound tenant isolation for the CRM Crate tenant.
Likewise, Power Platform users logged into the Digitek tenant are unable to initiate inbound Azure AD-based connections to data sources in the CRM Crate tenant, even when presenting the necessary Azure AD credentials to establish the connection. This reflects inbound tenant isolation for the CRM Crate tenant.

The table below explains the restrictions in more detail.

| Connection creator tenant | Connection sign-in tenant | Access allowed? |
|---|---|---|
| CRM Crate | CRM Crate | Yes |
| CRM Crate (tenant isolation On) | Digitek | No (outbound) |
| Digitek | CRM Crate (tenant isolation On) | No (inbound) |
| Digitek | Digitek | Yes |

How to add a tenant in tenant isolation allow list?

Inbound tenant isolation, or one-way tenant isolation, prevents attempts to establish connections to your tenant from other tenants. Now consider a scenario where the Digitek tenant is added to the outbound allow list of the CRM Crate tenant: the admin adds Digitek to the outbound allow list while tenant isolation is On.

Now, the Power Platform users logged into the CRM Crate tenant have the ability to initiate outbound Azure AD-based connections to data sources in the Digitek tenant by providing the necessary Azure AD credentials for connection establishment. This permission for outbound connection to the Digitek tenant is granted through the configured allow list entry.

Nevertheless, Power Platform users within the Digitek tenant are still unable to initiate inbound Azure AD-based connections to data sources in the CRM Crate tenant, even when having the necessary Azure AD credentials for establishing the connection. The disallowance of inbound connection establishment persists, despite the configured allow list entry that permits outbound connections.

The table below explains the restrictions in more detail.

| Connection creator tenant | Connection sign-in tenant | Access allowed? |
|---|---|---|
| CRM Crate | CRM Crate | Yes |
| CRM Crate (tenant isolation On; Digitek added to outbound allow list) | Digitek | Yes |
| Digitek | CRM Crate (tenant isolation On; Digitek added to outbound allow list) | No (inbound) |
| Digitek | Digitek | Yes |
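To make the two tables above (the two-way isolation scenario and the outbound allow-list scenario) easier to reason about, here is an added Python model of the decision rules described in this article. It is not code from CRM Crate or Microsoft, and the `TenantIsolationPolicy` class, the `allowed` dictionary shape and the `"*"` wildcard handling are constructed assumptions for illustration; Power Platform's real evaluation happens inside the service. The model evaluates every creator/sign-in tenant pair from the tables and also shows the wildcard rule from the earlier section.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ANY_TENANT = "*"  # the article's special pattern: every external tenant in that direction


@dataclass
class TenantIsolationPolicy:
    """Constructed model of one tenant's isolation settings (assumption, not Microsoft's API)."""
    tenant: str
    enabled: bool = False
    # external tenant (or "*") -> set of directions granted: "inbound" and/or "outbound"
    allowed: dict[str, set[str]] = field(default_factory=dict)

    def allows(self, external_tenant: str, direction: str) -> bool:
        """True if an allow-list rule (specific or wildcard) grants `direction` for `external_tenant`."""
        for key in (external_tenant, ANY_TENANT):
            if direction in self.allowed.get(key, set()):
                return True
        return False


def connection_allowed(creator_tenant: str, signin_tenant: str,
                       policies: dict[str, TenantIsolationPolicy]) -> tuple[bool, str]:
    """Decide whether a user signed into `creator_tenant` may create an Azure AD-based
    connection to a data source in `signin_tenant`. Both tenants are checked: the
    creator's tenant treats the connection as outbound, the sign-in tenant as inbound."""
    # Same-tenant connections are never subject to tenant isolation.
    if creator_tenant == signin_tenant:
        return True, "same tenant"
    creator_policy = policies.get(creator_tenant)
    if (creator_policy and creator_policy.enabled
            and not creator_policy.allows(signin_tenant, "outbound")):
        return False, f"outbound blocked by {creator_tenant}"
    signin_policy = policies.get(signin_tenant)
    if (signin_policy and signin_policy.enabled
            and not signin_policy.allows(creator_tenant, "inbound")):
        return False, f"inbound blocked by {signin_tenant}"
    return True, "cross-tenant connection permitted"


# The four creator/sign-in pairs used by the article's tables.
PAIRS = [("CRM Crate", "CRM Crate"), ("CRM Crate", "Digitek"),
         ("Digitek", "CRM Crate"), ("Digitek", "Digitek")]


def evaluate(policies: dict[str, TenantIsolationPolicy]) -> list[tuple[str, str, bool, str]]:
    """Return one (creator, sign-in, allowed, reason) row per pair."""
    return [(c, s, *connection_allowed(c, s, policies)) for c, s in PAIRS]


def two_way_isolation_scenario():
    """First table: CRM Crate has two-way isolation on and an empty allow list."""
    return evaluate({"CRM Crate": TenantIsolationPolicy("CRM Crate", enabled=True)})


def outbound_allow_list_scenario():
    """Second table: Digitek is added to CRM Crate's outbound allow list."""
    return evaluate({"CRM Crate": TenantIsolationPolicy(
        "CRM Crate", enabled=True, allowed={"Digitek": {"outbound"}})})


def wildcard_inbound_scenario():
    """Wildcard rule: every external tenant may connect inbound, nothing may go outbound."""
    return evaluate({"CRM Crate": TenantIsolationPolicy(
        "CRM Crate", enabled=True, allowed={ANY_TENANT: {"inbound"}})})


if __name__ == "__main__":
    for name, rows in [("two-way isolation", two_way_isolation_scenario()),
                       ("outbound allow list", outbound_allow_list_scenario()),
                       ("wildcard inbound", wildcard_inbound_scenario())]:
        print(name)
        for creator, signin, ok, why in rows:
            print(f"  {creator:10} -> {signin:10}: {'Yes' if ok else 'No'} ({why})")
```

Running the script prints the same Yes/No outcomes as the two tables, and the wildcard scenario shows why an entry such as "*" should be granted in one direction at a time: it lifts isolation for every tenant in that direction.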

Follow the below steps to setup tenant isolation allow list in Power Platform.

  1. Turn ON the tenant isolation as shown in the above steps.
  2. In the top bar, click on +New Tenant rule.
  3. Here you can set the direction of isolation and the details of the external tenant (its tenant domain or ID). Configure the direction of isolation as per your requirements.

You can edit the direction of the tenant allowlist entry based on business requirements. Note that the Tenant Domain or ID field can’t be edited in the Edit tenant rule page.


Example of tenant isolation in Power Automate & Power Apps

When Power Automate makers attempt to save a flow that contains a connection blocked by the tenant isolation policy, they will encounter the following error. The flow will be saved, but it will be labeled as “Suspended” and won’t execute until the maker resolves the data loss prevention (DLP) policy violation.


Likewise, users creating or modifying a resource affected by the tenant isolation policy will see a corresponding error message. For instance, Power Apps makers will receive the following error when attempting to use a cross-tenant connection in an app subject to tenant isolation policies. In such cases, the app will refuse to add the connection.


In conclusion, tenant isolation in Power Apps is a critical feature that empowers administrators to manage and control the flow of data between tenants, ensuring a secure and well-defined environment. By allowing or restricting cross-tenant connections, administrators can tailor the level of interaction between different tenants according to organizational needs. The nuanced configurations, such as one-way or two-way isolation and the use of allowlists, provide a flexible framework for balancing collaboration and security. As users navigate the Power Apps environment, they must be mindful of the potential error messages and policy violations associated with tenant isolation, recognizing the importance of adhering to data loss prevention policies. Ultimately, tenant isolation in Power Apps contributes to a robust and adaptable platform that prioritizes both functionality and data security in a multi-tenant landscape.

