Are you an LLM? You can read better optimized documentation at /pentesting-manual/power-platform/default-permissions-and-access.md for this page in Markdown format
Default permissions and access
1. Default permission model overview
In Power Platform (and Dataverse), permissions are managed at two levels:
- Tenant / environment level – who can create environments and access them.
- Dataverse level – who can use or manage data inside the Dataverse database.
Both are controlled primarily through Microsoft 365/Azure AD roles and Power Platform admin settings.
2. Environment creation permissions (by default)
| User type | Can create environment? | Notes |
|---|---|---|
| Global admin / Power Platform admin | Yes | Full control — can create and manage all environments. |
| Dynamics 365 admin | Yes | Can create environments related to Dynamics apps. |
| Regular (non-admin) user | Often yes | They can create developer environments for personal use (not production). |
Clarifying "developer environments"
- Every user with a Power Apps Developer Plan license (free for individuals) can create one personal developer environment.
- It’s isolated, only accessible by that user, and automatically includes Dataverse.
- Intended for learning, testing, and prototyping — not production use.
Admin control
Admins can disable environment creation for non-admin users:
- Go to the Power Platform Admin Center: https://admin.powerplatform.microsoft.com
- Navigate to Settings → Power Platform → Governance → Environment Creation.
- Toggle "Only specific admins can create environments".
3. Default Dataverse permissions
By default, users don’t automatically get access to a Dataverse database, even if they can open the environment. Access to Dataverse data is managed through security roles inside Dataverse.
| Role | Default availability | Permissions summary |
|---|---|---|
| System Administrator | Assigned to environment admins | Full control of Dataverse and environment. |
| System Customizer | For app makers | Can customize schema and manage app-related tables. |
| Basic User | Assigned automatically to licensed users in environment | Read/write access to their own records only. |
| Environment Maker | Not a Dataverse role — environment-wide | Can create apps, connections, and flows, but cannot access data unless also given Dataverse roles. |
4. "Environment maker" vs "Dataverse access"
| Capability | Environment maker | Dataverse security role |
|---|---|---|
| Create new Power Apps / flows | Yes | Not relevant |
| Access or modify Dataverse data | No | Yes, based on role |
| Create Dataverse tables | No | Yes, with System Customizer |
| Share apps | Yes | Yes, if data permissions allow |
5. How permissions flow in practice
+------------------------------------------------+
| Tenant (Microsoft 365) |
| - Global Admins |
| - Users |
+------------------------------------------------+
|
+-------------------------------+
| Power Platform Environments |
+-------------------------------+
| Environment Admins |
| Environment Makers |
+-------------------------------+
|
+-------------------------------+
| Dataverse (within Environment)|
+-------------------------------+
| Security Roles: |
| - System Administrator |
| - System Customizer |
| - Basic User |
+-------------------------------+6. Common governance best practices
- Restrict environment creation (only admins can create new environments).
- Use managed security roles and apply least privilege.
- Disable personal developer environments if not needed.
- Monitor environment creation and usage in the Power Platform Admin Center.
- Define a clear lifecycle with separate Dev/Test/Prod environments.