
Control 3.7: PPAC Security Posture Assessment

Overview

Control ID: 3.7
Control Name: PPAC Security Posture Assessment
Regulatory Reference: FINRA 3110, OCC 2011-12, GLBA 501(b), SOX 404
Setup Time: 30-45 minutes


Purpose

The PPAC Security Posture Assessment enables financial institutions to proactively identify, prioritize, and remediate security gaps across their Power Platform tenant. By providing a centralized security score and actionable recommendations, this control ensures FSI organizations maintain a strong security posture aligned with regulatory expectations and industry best practices. Regular security assessments are critical for demonstrating due diligence during regulatory examinations and maintaining customer trust.


Description

The Power Platform Admin Center provides a Security section with security posture assessment capabilities, enabling organizations to identify and remediate security gaps across their Power Platform tenant. This proactive assessment helps FSI organizations maintain compliance and reduce risk.

See Security in Power Platform Admin Center for detailed capabilities.


Key Capabilities

| Capability | Description | FSI Relevance |
|---|---|---|
| Security posture assessment | Evaluate tenant security configuration | Baseline risk assessment |
| Recommendations | Actionable security improvement suggestions | Remediation guidance |
| Compliance status | Track security control implementation | Audit readiness |
| Risk prioritization | Identify high-priority security gaps | Resource allocation |

Prerequisites

Primary Owner Admin Role: Power Platform Admin
Supporting Roles: None

Licenses Required

| License | Purpose | Required/Optional |
|---|---|---|
| Power Platform Premium | Required for Managed Environments and advanced security features | Required |
| Microsoft 365 E5 | Enhanced security and compliance features | Recommended |
| Microsoft Defender for Cloud Apps | Advanced threat detection for Power Platform | Optional |

Permissions Required

| Role | Purpose | Scope |
|---|---|---|
| Power Platform Administrator | Access to PPAC Security section and tenant-wide settings | Tenant |
| Security Administrator | Review and implement security recommendations | Tenant |
| Global Reader | Read-only access to security posture data for reporting | Tenant |
| Compliance Administrator | Access to audit logs and compliance settings | Tenant |

Dependencies

| Dependency | Purpose | Required/Optional |
|---|---|---|
| Control 1.7: Audit Logging | Enable audit trail for security activities | Required |
| Control 2.1: Managed Environments | Enable advanced governance features | Required |
| Control 1.11: Conditional Access | Identity protection recommendations | Recommended |
| Control 1.5: DLP Policies | Data protection recommendations | Recommended |

Pre-Setup Checklist

  • [ ] Verify Power Platform Administrator role assignment
  • [ ] Confirm Microsoft 365 licensing includes required security features
  • [ ] Enable Managed Environments for production environments
  • [ ] Enable audit logging in Microsoft Purview
  • [ ] Document current security baseline and score
  • [ ] Identify security assessment schedule (recommend monthly for FSI)
  • [ ] Establish escalation path for critical security findings

Governance Levels

Level 1 - Baseline

| Requirement | Configuration |
|---|---|
| Security access | PPAC Security section accessible |
| Initial assessment | Complete baseline security review |
| Critical items | Address critical recommendations |

Minimum requirements:

  • Access PPAC Security section
  • Review security score
  • Address any critical-rated recommendations

| Requirement | Configuration |
|---|---|
| Comprehensive review | All recommendations reviewed |
| High-priority remediation | High and critical items addressed |
| Quarterly assessment | Regular security posture reviews |
| Documentation | Security decisions documented |

FSI recommendations:

  • Complete all critical and high recommendations
  • Document any accepted risks with business justification
  • Schedule quarterly security posture reviews
  • Track security score improvement over time

Level 4 - Regulated/High-Risk

| Requirement | Configuration |
|---|---|
| Full remediation | All applicable recommendations implemented |
| Continuous monitoring | Monthly security assessments |
| Executive reporting | Security posture in governance reports |
| Third-party validation | Consider independent security assessment |

FSI requirements:

  • Maintain security score above organizational threshold
  • Monthly review by security team
  • Quarterly executive reporting on security posture
  • Document all risk acceptance decisions with CISO approval

Security Assessment Process

Step 1: Initial Assessment

  1. Navigate to PPAC → Security
  2. Review current security score
  3. Export recommendations list
  4. Categorize by priority and effort

Step 2: Gap Analysis

| Gap Type | Analysis Method | Documentation |
|---|---|---|
| Technical | Compare to recommendations | Technical remediation plan |
| Process | Review operational procedures | Process improvement plan |
| People | Assess team capabilities | Training requirements |

Step 3: Remediation Planning

  1. Prioritize recommendations by risk and effort
  2. Assign owners for each recommendation
  3. Set target completion dates
  4. Track progress in governance meetings

Step 4: Implementation

  1. Follow Microsoft Learn guidance for each recommendation
  2. Test changes in non-production first
  3. Document configuration changes
  4. Verify implementation effectiveness

Step 5: Continuous Improvement

  1. Schedule recurring security reviews
  2. Monitor for new recommendations
  3. Track security score trends
  4. Update risk assessments as needed

Integration with Security Controls

| Control | Integration |
|---|---|
| 1.5 DLP Policies | Security recommendations for data protection |
| 1.11 Conditional Access | Identity security recommendations |
| 1.7 Audit Logging | Monitoring recommendations |
| 2.1 Managed Environments | Governance recommendations |

Setup & Configuration

PPAC Security Section

Accessing Security

  1. Open Power Platform Admin Center
  2. Navigate to Security in left navigation
  3. Select Overview to view the security dashboard

Security Navigation Structure

The Security section contains the following subsections:

| Section | Path | Purpose |
|---|---|---|
| Overview | Security → Overview | Security score and recommendations dashboard |
| Data and privacy | Security → Settings → Data and privacy | Encryption, connector policies, data policies |
| Identity and access | Security → Settings → Identity and access | IP firewall, tenant isolation, sharing, authentication |
| Threat detection | Security → Settings → Threat detection | Microsoft Defender integration for agents |
| Compliance | Security → Settings → Compliance | Auditing, Customer Lockbox |

Security Dashboard Components (Overview)

| Component | Description | Governance Use |
|---|---|---|
| Security score | Percentage score (e.g., "26%") with Low/Medium/High label and points (e.g., "37 of 213 points") | Executive reporting |
| Recommendations table | Prioritized list with Impact, Recommendation, Score increase, Last modified, Category | Remediation planning |
| Active/Dismissed tabs | Filter recommendations by status | Progress tracking |
| Learning resources | Quick links to security documentation | Team training |

Security Score Display

The security score is displayed as:

  • Percentage (e.g., 26%)
  • Label (Low/Medium/High)
  • Points (e.g., 37 of 213 points)
  • Visual gauge (0-100 scale with color indicators)

Recommendations Table Columns

| Column | Description |
|---|---|
| Impact | Severity indicator (High, Medium, Low) |
| Recommendation | Description of the security improvement |
| Score increase | Potential score improvement (e.g., "12%") |
| Last modified | Date recommendation was last updated |
| Category | Security area (e.g., "Identity and access") |

Security Settings Categories

| Category | Path | Key Settings |
|---|---|---|
| Data and privacy | Security → Settings → Data and privacy | Customer-managed encryption key, Advanced connector policies (Preview), Data policy, Azure Virtual Network policies |
| Identity and access | Security → Settings → Identity and access | IP firewall, Tenant isolation, IP address-based cookie binding, Environment security groups, Manage sharing, App access control, Guest access, Administrator privileges, Authentication for agents, Channel access for published agents, Global Secure Access for Agents |
| Threat detection | Security → Settings → Threat detection | Additional threat detection for Copilot Studio agents, Microsoft Defender - Copilot Studio AI Agents |
| Compliance | Security → Settings → Compliance | Auditing, Customer Lockbox |

Security Recommendations

High Priority Recommendations

| Recommendation | Risk Level | FSI Impact |
|---|---|---|
| Enable MFA for all users | Critical | Prevents unauthorized access |
| Configure DLP policies | High | Protects customer data |
| Enable managed environments | High | Governance controls |
| Configure conditional access | High | Risk-based access |
| Enable audit logging | Medium | Compliance evidence |

Implementing Recommendations

  1. Review each recommendation in the Security section
  2. Click on recommendation for implementation guidance
  3. Follow the Microsoft Learn documentation
  4. Mark as implemented when complete
  5. Verify implementation with testing

PowerShell Configuration

Get Tenant Security Settings

# Prerequisites: Install Power Platform Admin modules
# Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser

# Connect to Power Platform (interactive sign-in as a Power Platform Administrator)
Add-PowerAppsAccount

# Get all environments for security assessment
$environments = Get-AdminPowerAppEnvironment

foreach ($env in $environments) {
    # `n is the PowerShell newline escape; \n is not interpreted inside PowerShell strings
    Write-Host "`n=== Environment: $($env.DisplayName) ===" -ForegroundColor Cyan
    Write-Host "Environment ID: $($env.EnvironmentName)"
    Write-Host "Type: $($env.EnvironmentType)"
    Write-Host "Security Group: $($env.SecurityGroupId)"
    Write-Host "Is Managed: $($env.Properties.isManaged)"
}

Export Security Recommendations

# Export environment security configuration for assessment
$SecurityReport = @()
$environments = Get-AdminPowerAppEnvironment
$allDlpPolicies = Get-AdminDlpPolicy   # fetched once, filtered per environment below

foreach ($env in $environments) {
    # DLP policies in scope for this environment. Scope depends on the policy's
    # EnvironmentType: AllEnvironments applies everywhere, OnlyEnvironments applies only
    # to the listed environments, and ExceptEnvironments applies to every environment
    # NOT listed. @() keeps .Count correct when zero or one policy matches.
    $dlpPolicies = @($allDlpPolicies | Where-Object {
        $_.EnvironmentType -eq "AllEnvironments" -or
        ($_.EnvironmentType -eq "OnlyEnvironments" -and $_.Environments.name -contains $env.EnvironmentName) -or
        ($_.EnvironmentType -eq "ExceptEnvironments" -and $_.Environments.name -notcontains $env.EnvironmentName)
    })

    # Environment-level role assignments (RoleType is EnvironmentAdmin or EnvironmentMaker)
    $securityRoles = @(Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $env.EnvironmentName)

    $SecurityReport += [PSCustomObject]@{
        EnvironmentName = $env.DisplayName
        EnvironmentType = $env.EnvironmentType
        IsManaged = $env.Properties.isManaged
        SecurityGroupConfigured = ($null -ne $env.SecurityGroupId)
        DLPPolicyCount = $dlpPolicies.Count
        AdminRoleCount = @($securityRoles | Where-Object {$_.RoleType -eq "EnvironmentAdmin"}).Count
        MakerRoleCount = @($securityRoles | Where-Object {$_.RoleType -eq "EnvironmentMaker"}).Count
        AssessmentDate = Get-Date -Format "yyyy-MM-dd"
    }
}

# Export to CSV for compliance documentation
$SecurityReport | Export-Csv -Path "PowerPlatform_SecurityAssessment_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Security assessment exported to CSV" -ForegroundColor Green

Check Security Configuration Status

# Function to check security configuration compliance
function Get-SecurityPostureScore {
    param (
        [string]$EnvironmentName
    )

    $env = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName
    $score = 0
    $maxScore = 100
    $findings = @()

    # Check 1: Managed Environment enabled (25 points)
    if ($env.Properties.isManaged -eq $true) {
        $score += 25
        $findings += "[PASS] Managed Environment enabled"
    } else {
        $findings += "[FAIL] Managed Environment NOT enabled - Critical for FSI"
    }

    # Check 2: Security Group configured (25 points)
    if ($null -ne $env.SecurityGroupId) {
        $score += 25
        $findings += "[PASS] Security Group configured"
    } else {
        $findings += "[FAIL] No Security Group - Environment accessible to all licensed users"
    }

    # Check 3: DLP policies applied (25 points)
    # Policy scope depends on EnvironmentType: AllEnvironments applies everywhere,
    # OnlyEnvironments to the listed environments, ExceptEnvironments to every
    # environment NOT listed. @() keeps .Count correct for zero or one match.
    $dlpPolicies = @(Get-AdminDlpPolicy | Where-Object {
        $_.EnvironmentType -eq "AllEnvironments" -or
        ($_.EnvironmentType -eq "OnlyEnvironments" -and $_.Environments.name -contains $EnvironmentName) -or
        ($_.EnvironmentType -eq "ExceptEnvironments" -and $_.Environments.name -notcontains $EnvironmentName)
    })
    if ($dlpPolicies.Count -gt 0) {
        $score += 25
        $findings += "[PASS] $($dlpPolicies.Count) DLP policy(ies) applied"
    } else {
        $findings += "[FAIL] No DLP policies applied - Data protection risk"
    }

    # Check 4: Limited admin access (25 points)
    # RoleType for environment-level assignments is EnvironmentAdmin or EnvironmentMaker
    $admins = @(Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $EnvironmentName |
                Where-Object {$_.RoleType -eq "EnvironmentAdmin"})
    if ($admins.Count -le 5) {
        $score += 25
        $findings += "[PASS] Admin access appropriately limited ($($admins.Count) admins)"
    } else {
        $findings += "[WARN] High number of admins ($($admins.Count)) - Review access"
        $score += 10  # Partial credit
    }

    return [PSCustomObject]@{
        Environment = $env.DisplayName
        Score = "$score / $maxScore"
        Percentage = [math]::Round(($score / $maxScore) * 100, 0)
        Findings = $findings
    }
}

# Run assessment for all production environments
$environments = Get-AdminPowerAppEnvironment | Where-Object {$_.EnvironmentType -eq "Production"}
foreach ($env in $environments) {
    $result = Get-SecurityPostureScore -EnvironmentName $env.EnvironmentName
    # `n is the PowerShell newline escape; \n is not interpreted inside PowerShell strings
    Write-Host "`n=== $($result.Environment) - Score: $($result.Percentage)% ===" -ForegroundColor Cyan
    $result.Findings | ForEach-Object { Write-Host $_ }
}

Automation for Security Assessment

# Scheduled security assessment automation (run monthly)
# Save as scheduled task or Azure Automation runbook

$ReportPath = "C:\SecurityReports"
$Date = Get-Date -Format "yyyy-MM-dd"
$ReportFile = "$ReportPath\PPAC_SecurityAssessment_$Date.html"

# Ensure report directory exists
if (!(Test-Path $ReportPath)) {
    New-Item -ItemType Directory -Path $ReportPath -Force | Out-Null
}

# Environment names and types are tenant data entered by people; encode them before
# embedding in HTML so a crafted display name cannot inject markup into the report
function ConvertTo-HtmlEncoded([string]$Text) { [System.Net.WebUtility]::HtmlEncode($Text) }

# Generate HTML report
$html = @"
<!DOCTYPE html>
<html>
<head>
    <title>Power Platform Security Assessment - $Date</title>
    <style>
        body { font-family: Segoe UI, Arial; margin: 20px; }
        h1 { color: #0078d4; }
        table { border-collapse: collapse; width: 100%; margin: 20px 0; }
        th, td { border: 1px solid #ddd; padding: 12px; text-align: left; }
        th { background-color: #0078d4; color: white; }
        .pass { color: green; font-weight: bold; }
        .fail { color: red; font-weight: bold; }
        .warn { color: orange; font-weight: bold; }
    </style>
</head>
<body>
    <h1>Power Platform Security Posture Assessment</h1>
    <p><strong>Assessment Date:</strong> $Date</p>
    <p><strong>Generated by:</strong> Automated Security Assessment</p>
"@

$environments = Get-AdminPowerAppEnvironment
$allDlpPolicies = Get-AdminDlpPolicy   # fetched once, filtered per environment below
$html += "<h2>Environment Summary</h2>"
$html += "<table><tr><th>Environment</th><th>Type</th><th>Managed</th><th>Security Group</th><th>DLP Policies</th></tr>"

foreach ($env in $environments) {
    # AllEnvironments applies everywhere; OnlyEnvironments only to the listed environments;
    # ExceptEnvironments to every environment NOT listed
    $dlpCount = @($allDlpPolicies | Where-Object {
        $_.EnvironmentType -eq "AllEnvironments" -or
        ($_.EnvironmentType -eq "OnlyEnvironments" -and $_.Environments.name -contains $env.EnvironmentName) -or
        ($_.EnvironmentType -eq "ExceptEnvironments" -and $_.Environments.name -notcontains $env.EnvironmentName)
    }).Count

    $managedClass = if ($env.Properties.isManaged) { "pass" } else { "fail" }
    $sgClass = if ($env.SecurityGroupId) { "pass" } else { "fail" }
    $dlpClass = if ($dlpCount -gt 0) { "pass" } else { "fail" }

    $html += "<tr>"
    $html += "<td>$(ConvertTo-HtmlEncoded $env.DisplayName)</td>"
    $html += "<td>$(ConvertTo-HtmlEncoded $env.EnvironmentType)</td>"
    $html += "<td class='$managedClass'>$($env.Properties.isManaged)</td>"
    $html += "<td class='$sgClass'>$(if($env.SecurityGroupId){'Configured'}else{'Not Set'})</td>"
    $html += "<td class='$dlpClass'>$dlpCount</td>"
    $html += "</tr>"
}

$html += "</table></body></html>"
$html | Out-File -FilePath $ReportFile -Encoding UTF8

Write-Host "Security assessment report generated: $ReportFile" -ForegroundColor Green

# Optional: Send report via email
# Note: Send-MailMessage is marked obsolete by Microsoft and does not guarantee a secure
# connection; for production automation prefer sending through Microsoft Graph.
# Send-MailMessage -To "security-team@contoso.com" -Subject "Monthly PPAC Security Assessment" -Body "See attached report" -Attachments $ReportFile -SmtpServer "smtp.contoso.com"

Financial Sector Considerations

Regulatory Mapping

| Regulation | Requirement | How This Control Helps | Evidence Required |
|---|---|---|---|
| FINRA 3110 | Supervisory system security | Identifies security gaps in supervisory tools; tracks remediation | Security assessment reports, remediation logs |
| OCC 2011-12 | Operational risk management | Proactive security posture monitoring reduces operational risk | Monthly assessment scores, trend analysis |
| GLBA 501(b) | Administrative safeguards | Ensures appropriate security controls protect customer information | Security recommendations status, implementation evidence |
| SOX 404 | IT general controls | Security posture assessment supports ITGC compliance | Control testing documentation, exception reports |
| SEC Regulation S-P | Safeguard customer records | Security gaps identified before they become incidents | Assessment history, remediation timelines |
| NIST CSF | Identify, Protect, Detect | Aligns with NIST functions for comprehensive security program | Mapped recommendations to NIST controls |

Tier-Specific Security Posture Requirements

| Tier | Minimum Security Score | Assessment Frequency | Escalation Threshold | Remediation SLA |
|---|---|---|---|---|
| Tier 1 (Personal) | 60% | Quarterly | Score drops below 50% | 30 days for High, 90 days for Medium |
| Tier 2 (Team) | 75% | Monthly | Score drops below 65% | 14 days for High, 45 days for Medium |
| Tier 3 (Enterprise) | 85% | Weekly | Score drops below 80% | 7 days for Critical, 14 days for High |
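The following script is an added example, not part of the control page or Microsoft's tooling: it applies the tier thresholds and remediation SLAs from the table above to a recommendations export. It assumes the export carries the Recommendations table columns (Impact, Recommendation, Score increase, Last modified, Category) and treats "Last modified" as the date the finding was raised; the `$TierSla` table, the two functions and the CSV rows are constructed for illustration.

```powershell
# Tier thresholds and SLA days per Impact, transcribed from the tier table.
# Where the table defines no SLA for an Impact (e.g. Medium in Tier 3) the key is absent.
$TierSla = @{
    'Tier 1' = @{ MinimumScore = 60; EscalationBelow = 50; Sla = @{ High = 30; Medium = 90 } }
    'Tier 2' = @{ MinimumScore = 75; EscalationBelow = 65; Sla = @{ High = 14; Medium = 45 } }
    'Tier 3' = @{ MinimumScore = 85; EscalationBelow = 80; Sla = @{ Critical = 7; High = 14 } }
}

function Get-ScoreStatus {
    # Classify the current security score against the tier's minimum and escalation threshold
    param([string]$Tier, [int]$ScorePercent)
    $cfg = $TierSla[$Tier]
    if ($ScorePercent -lt $cfg.EscalationBelow) { return 'Escalate' }
    if ($ScorePercent -lt $cfg.MinimumScore)    { return 'Below target' }
    return 'Meets target'
}

function Get-RecommendationSlaStatus {
    param(
        [string]$Tier,
        [object[]]$Recommendations,     # rows from Import-Csv/ConvertFrom-Csv of the export
        [datetime]$AsOf = (Get-Date)
    )
    $sla = $TierSla[$Tier].Sla
    foreach ($rec in $Recommendations) {
        $days   = $sla[$rec.Impact]
        $opened = [datetime]$rec.'Last modified'     # the date the finding was raised
        $due    = if ($days) { $opened.AddDays($days) } else { $null }
        $status = if (-not $due) { 'No SLA defined' }
                  elseif ($AsOf -gt $due) { 'OVERDUE' }
                  elseif (($due - $AsOf).TotalDays -le 3) { 'Due soon' }
                  else { 'On track' }
        [PSCustomObject]@{
            Impact         = $rec.Impact
            Recommendation = $rec.Recommendation
            Category       = $rec.Category
            ScoreIncrease  = $rec.'Score increase'
            Opened         = $opened.ToString('yyyy-MM-dd')
            DueDate        = if ($due) { $due.ToString('yyyy-MM-dd') } else { '' }
            SlaStatus      = $status
        }
    }
}

# Constructed sample export; column names match the Recommendations table
$sampleCsv = @'
Impact,Recommendation,Score increase,Last modified,Category
High,Enable tenant isolation,12%,2025-11-01,Identity and access
High,Configure IP firewall,8%,2025-11-20,Identity and access
Medium,Enable Customer Lockbox,4%,2025-10-15,Compliance
'@
$recs = $sampleCsv | ConvertFrom-Csv

$asOf = [datetime]'2025-12-01'
"Score status for Tier 2 at 62%: $(Get-ScoreStatus -Tier 'Tier 2' -ScorePercent 62)"
Get-RecommendationSlaStatus -Tier 'Tier 2' -Recommendations $recs -AsOf $asOf |
    Sort-Object SlaStatus, DueDate |
    Format-Table -AutoSize
```

With the sample data and a Tier 2 SLA, the first and third findings come out as OVERDUE and the second as Due soon, which is the list a governance meeting would work from.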

FSI Example YAML

# FSI Security Posture Assessment Configuration
# Save as: security-posture-config.yaml

organization:
  name: "Contoso Financial Services"
  industry: "Financial Services - Broker-Dealer"
  regulatory_framework:
    - FINRA
    - SEC
    - GLBA
    - SOX

security_posture:
  global_settings:
    minimum_score_target: 80
    assessment_frequency: "monthly"
    report_retention_days: 2555  # 7 years for FSI
    auto_remediation: false  # Require approval for changes

  escalation_matrix:
    critical_findings:
      notify:
        - ciso@contoso.com
        - security-team@contoso.com
      sla_hours: 48
      require_acknowledgment: true
    high_findings:
      notify:
        - security-team@contoso.com
        - platform-admins@contoso.com
      sla_hours: 168  # 7 days
      require_acknowledgment: true
    medium_findings:
      notify:
        - platform-admins@contoso.com
      sla_hours: 720  # 30 days
      require_acknowledgment: false

  zone_configurations:
    zone_1_personal:
      minimum_score: 60
      assessment_frequency: "quarterly"
      required_controls:
        - basic_dlp_policy
        - audit_logging
      recommended_controls:
        - managed_environments

    zone_2_team:
      minimum_score: 75
      assessment_frequency: "monthly"
      required_controls:
        - managed_environments
        - dlp_policy
        - security_groups
        - audit_logging
      recommended_controls:
        - conditional_access
        - threat_detection

    zone_3_enterprise:
      minimum_score: 85
      assessment_frequency: "weekly"
      required_controls:
        - managed_environments
        - strict_dlp_policy
        - security_groups
        - conditional_access
        - audit_logging
        - threat_detection
        - customer_lockbox
      recommended_controls:
        - ip_firewall
        - tenant_isolation

    zone_4_regulated:
      minimum_score: 95
      assessment_frequency: "continuous"
      required_controls:
        - managed_environments
        - strict_dlp_policy
        - security_groups
        - conditional_access
        - phishing_resistant_mfa
        - audit_logging
        - threat_detection
        - customer_lockbox
        - ip_firewall
        - tenant_isolation
        - cmk_encryption
      mandatory_reviews:
        - governance_committee
        - legal
        - compliance

  reporting:
    executive_dashboard:
      frequency: "monthly"
      recipients:
        - cio@contoso.com
        - ciso@contoso.com
        - cro@contoso.com
      metrics:
        - overall_security_score
        - score_trend_30_day
        - critical_findings_count
        - remediation_completion_rate

    regulatory_evidence:
      retention_years: 7
      include_in_exam_package: true
      formats:
        - pdf
        - csv
        - json

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of PPAC Security Posture Assessment controls that affect tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply the control for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain evidence (screenshots/exports/logs).
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for PPAC Security Posture Assessment controls and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain evidence (screenshots/exports/logs).
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

| Step | Action | Expected Result |
|---|---|---|
| 1 | Navigate to PPAC → Security | Security dashboard displayed |
| 2 | Review security score | Current score visible |
| 3 | Review recommendations | Prioritized list available |
| 4 | Click on recommendation | Implementation guidance shown |
| 5 | Verify completed items | Status shows implemented |

Reporting

Executive Security Report

Include in quarterly governance reports:

| Metric | Description | Target |
|---|---|---|
| Security score | Overall tenant security | >80% |
| Critical items | Unresolved critical recommendations | 0 |
| High items | Unresolved high recommendations | <5 |
| Trend | Score improvement over time | Positive |
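As an added example (not code from the control page), the script below derives the four executive metrics above from a score history log, including the 30-day trend. It assumes each assessment appends a row with Date, ScorePercent, CriticalOpen and HighOpen; the history rows, the `$Targets` table and the function name are constructed for illustration.

```powershell
# Targets from the executive report metric table: score >80%, 0 critical, <5 high, positive trend
$Targets = @{ ScorePercent = 80; CriticalOpen = 0; HighOpen = 5 }

function Get-ExecutiveSecurityMetrics {
    param(
        [object[]]$History,              # rows with Date, ScorePercent, CriticalOpen, HighOpen
        [datetime]$AsOf = (Get-Date)
    )
    $rows   = @($History | Sort-Object { [datetime]$_.Date })
    $latest = $rows[-1]

    # Trend baseline: the most recent assessment that is at least 30 days old.
    # In the first month of tracking there is none, so the trend is reported as unknown.
    $baseline = $rows | Where-Object { [datetime]$_.Date -le $AsOf.AddDays(-30) } | Select-Object -Last 1
    $delta = if ($baseline) { [int]$latest.ScorePercent - [int]$baseline.ScorePercent } else { $null }

    [PSCustomObject]@{
        AssessmentDate   = $latest.Date
        ScorePercent     = [int]$latest.ScorePercent
        ScoreMeetsTarget = ([int]$latest.ScorePercent -gt $Targets.ScorePercent)
        CriticalOpen     = [int]$latest.CriticalOpen
        CriticalOnTarget = ([int]$latest.CriticalOpen -eq $Targets.CriticalOpen)
        HighOpen         = [int]$latest.HighOpen
        HighOnTarget     = ([int]$latest.HighOpen -lt $Targets.HighOpen)
        ScoreTrend30Day  = $delta
        TrendPositive    = ($null -ne $delta -and $delta -gt 0)
    }
}

# Constructed history: three monthly assessments, the latest still carrying six open High items
$history = @'
Date,ScorePercent,CriticalOpen,HighOpen
2025-09-30,61,2,9
2025-10-31,74,1,6
2025-11-30,83,0,6
'@ | ConvertFrom-Csv

$metrics = Get-ExecutiveSecurityMetrics -History $history -AsOf ([datetime]'2025-12-01')
$metrics | Format-List

# Metrics that miss their target belong in the exception section of the governance report
$metrics.PSObject.Properties |
    Where-Object { $_.Name -like '*Target' -or $_.Name -eq 'TrendPositive' } |
    Where-Object { -not $_.Value } |
    ForEach-Object { "Exception: $($_.Name) is false" }
```

For the constructed history the score (83%), critical count (0) and 30-day trend (+9 against the 31 October baseline) meet target, and only HighOnTarget is reported as an exception.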

Compliance Evidence

For regulatory examinations, document:

  • Current security score
  • Implemented recommendations
  • Accepted risk decisions with justification
  • Remediation timeline for open items

Troubleshooting & Validation

Common Issues and Solutions

| Issue | Cause | Resolution |
|---|---|---|
| Security score not updating | Assessment runs on schedule, not real-time | Wait 24-48 hours after implementing recommendations; manually refresh the Security dashboard |
| Recommendations not appearing | Insufficient permissions or feature not enabled | Verify Power Platform Administrator role; ensure Managed Environments are enabled |
| Cannot access Security section | Missing admin role or license | Confirm Microsoft 365 E3/E5 license and Power Platform Administrator role assignment |
| Score lower than expected | New recommendations added or configuration drift | Review new recommendations; check for recent environment changes that may have affected the score |
| PowerShell commands failing | Module not installed or connection expired | Run Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force; reconnect with Add-PowerAppsAccount |

Diagnostic Steps

  1. Verify Admin Access:
     • Navigate to Entra Admin Center > Users > Select your account
     • Confirm Power Platform Administrator or Global Administrator role
     • Check license assignments include required SKUs
  2. Check Managed Environment Status:
     • In PPAC, navigate to Manage > Environments
     • Verify production environments show "Managed" status
     • Enable Managed Environments if not already active
  3. Validate Audit Logging:
     • Navigate to Microsoft Purview > Audit
     • Confirm auditing is enabled for the organization
     • Search for recent Power Platform events to verify logging
  4. Review Security Dashboard Permissions:
     • Security section requires tenant-level admin permissions
     • Environment-level admins may not see all recommendations
     • Global Reader role provides read-only access
  5. Check for Service Health Issues:
     • Review Microsoft 365 Service Health
     • Check Power Platform status for any ongoing incidents
     • Delays in score updates may indicate service processing

Additional Resources

| Topic | Link |
|---|---|
| Security in Power Platform Admin Center | https://learn.microsoft.com/en-us/power-platform/admin/security/overview |
| Managed Environments Overview | https://learn.microsoft.com/en-us/power-platform/admin/managed-environment-overview |
| Power Platform Security Best Practices | https://learn.microsoft.com/en-us/power-platform/admin/security/security-overview |
| Data Loss Prevention Policies | https://learn.microsoft.com/en-us/power-platform/admin/prevent-data-loss |
| Conditional Access for Power Platform | https://learn.microsoft.com/en-us/power-platform/admin/restrict-access-online-trusted-ip-rules |
| Power Platform Admin PowerShell | https://learn.microsoft.com/en-us/power-platform/admin/powerapps-powershell |

| Control | Relationship |
|---|---|
| Control 1.5: DLP Policies | Data protection recommendations in security assessment |
| Control 1.7: Audit Logging | Audit logging status affects security score |
| Control 1.11: Conditional Access | Identity and access recommendations |
| Control 1.15: Encryption | Data protection and CMK recommendations |
| Control 2.1: Managed Environments | Required for advanced security features |
| Control 3.1: Admin Analytics | Security metrics in admin reporting |
| Control 3.4: Environment Monitoring | Complements security posture with operational health |

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead (governance direction)
  • Information Security Officer (security requirements)
  • Power Platform Admin (technical setup)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification