microsoft / coe-starter-kit


Compliance for cloud flows and for service principals #8669

Open PPCan opened 1 month ago

PPCan commented 1 month ago

Does this question already exist in our backlog?

What is your question?

I'm building a new developer centre in a Developer Environment, for the CoE Toolkit as our Makers only have E5 and can't use the included Dev Centre as it needs Premium.

I've installed the Toolkit in the Developer environment, and limited the compliance to just one environment that has a Canvas app for testing. It has been shared to 20 people, and the threshold has been set to 10. This should trigger a compliance email.

It doesn't.

The issue seems to be that while there is data in the audit table there is nothing for this app, and therefore the flow doesn't think there is any issue. Only LaunchApp events are present.

What's missing from the tables for the compliance flow to send the email..?


What solution are you experiencing the issue with?

None

What solution version are you using?

No response

What app or flow are you having the issue with?

No response

What method are you using to get inventory and telemetry?

None

AB#3835

Jenefer-Monroe commented 1 month ago

In the CoE, sharing is not tracked by the audit logs; it's gathered instead by this flow, which only runs once every two weeks as it's long running, so you'll need to ensure this has run before you can continue your testing: CLEANUP - Admin | Sync Template v3 (App Shared With)

PPCan commented 1 month ago

Ah! Ok. So for testing I have a simple Canvas app that is shared and that I have launched. I've set the thresholds for compliance to 1 or less (except sharing) where possible.

Is that the only flow I should trigger to work through the different compliance scenarios?

My testing steps are:
1. run driver
2. run audit syncs
3. run CLEAN UPs (All???)
4. what am I missing???

PPCan commented 1 month ago

I changed my mind on the sharing. :) 1 it is!

Jenefer-Monroe commented 1 month ago

Seems like you have this resolved then yes? Please let me know if you need anything else!

PPCan commented 1 month ago

I could use some help understanding what flags some of the compliance 'tabs'. For example, there are Model Driven apps listed if you choose 'All', but 'Missing Details' has no Model Driven apps listed. This is the case for the other tabs too.

If missing details is the only compliance item for Model Driven apps, why are there no Model Driven Apps listed? And is there no info for sharing model I guess?

Also, all the compliance emails I got were for 'sharing', and nothing for launching, or groups etc.

Is there a list of what Power Platform 'type' (i.e. Canvas, Model, Bot, Flow etc.) and what compliance will be triggered?

PPCan commented 1 month ago

@Jenefer-Monroe

Maybe a better way to put it is, which Flows/Tables map to these environment variables, considering they represent the compliance 'thresholds'? I'm only getting emails for 'shared/published' compliance.

Also, does the 'request details' flow actually flag Flows as non-compliant, or is that initiated from the Admin View only?

PPCan commented 1 month ago

Ok... after much digging, it looks like the only items that are flagged for non-compliance on a schedule are Canvas Apps and Chatbots. Flows etc. do not have a scheduled flow that checks for compliance, and the compliance request has to be started from the Power Platform Admin View.

Even though Flows have fields that could be used for compliance purposes, like exceeding the 'sharing' threshold, there is no scheduled flow.

Is that correct?

Jenefer-Monroe commented 1 month ago

Hello, that is correct, yes. We just released flow shared with in July and it was not integrated with the DCC feature. Only chatbots and canvas apps have any automated flagging.

PPCan commented 1 month ago

Hmmm. Okay, how do we see all non-compliant items, so we can reach out to the owners from the Admin View? Right now you have to select the specific record. That's not practical.

PPCan commented 1 month ago

Also, we have a large Pro development side, which uses ALM with Service Principals and Service Accounts. Email notifications are not going to work in that scenario, as Service Accounts are not typically mailbox enabled, and no one is monitoring them if they are.

What's a good approach to get an overview of all non-compliant / inactive / orphaned items for Pro ALM implementations?

It feels like there is a whole module missing that can do Pro and cit dev management.

Jenefer-Monroe commented 1 month ago

Yes, I think you're right. Unfortunately today we don't have a solution here. I can place this on the backlog to consider and hopefully resolve in the future. In the near term we are completely booked prepping for the next version of Data Export for more performant inventory, so we won't be able to work on this in the next few months.

PPCan commented 1 month ago

Ok great!

We can assess building something in the mean time, but what would you recommend in general for an approach?

At a minimum we need something where we can see all the apps/flows/bots that are non-compliant/inactive/orphaned from one management module, just for that purpose. The necessary fields are only available by app/flow/bot, as columns. We could sort by fields by module I guess, but that's pretty painful...

Jenefer-Monroe commented 1 month ago

Sorry, I would need to take some time to get my head around it before I could offer a recommendation. Please feel free to put your thoughts / plans here, and I can read them as you go to provide feedback, as can the general community.

PPCan commented 1 month ago

@Jenefer-Monroe Ok! First question.

We can use a Power Pages Site, with authenticated page requests, to enable E5 users to access the CoE Toolkit dataverse.

The site would basically be a duplicate of the Model Driven app.

On a side note, I highly suggest replacing (or including a minimal version) any user facing UX that is a Model Driven App, with Power Pages. At least then we can use the authenticated Power Pages licensing to 'grant' premium access without having to license everyone, considering it's an unknown user base. There is no impact on any org that could use the existing Model Driven approach as Power Apps Premium has Power Pages usage right.

Back to the question.

The Flow has the Developer Compliance Centre URL as an environment variable, however all the parameters are hard coded in the flow. I don't want to modify the Flow as we are not in a position to take on managing changes to the Toolkit.

When I change the Dev Comp Centre URL to a Power Pages URL I get the below, which makes sense based on the text merge that is happening in the flow.

However, what in the URL is needed to look up the record the email is referring to? Just the admin_app=&Id? We may be able to simply ignore the other params, and use the Power Pages to load the correct record for the user to enter Biz justification etc.

Finally, will this approach work? I can't think why not, unless there is something in the URL that Power Pages will never work with.

Jenefer-Monroe commented 1 month ago

I'm afraid I don't know the answer to questions about Power Pages, as I don't know their licensing model nor am I that familiar with their capabilities.

PPCan commented 1 month ago

Fair enough. Is there someone on the team that could speak to Power Pages?

Jenefer-Monroe commented 1 month ago

Unfortunately it's just me over here doing support.

PPCan commented 1 month ago

Ok. I understand. So, if we wanted to modify the flow step that merges the email template with the Model Driven params, would the best approach be to copy the flow, modify it, add it to a new solution called, say, 'Dev Center E5 Modification', and apply it to the Production environment as a managed solution?

Jenefer-Monroe commented 1 month ago

Yes, I imagine you will be making quite a few changes to the flow, so you will likely want to just make a copy to be the one you use. Here is our article on how to extend the kit. It shows you that you should create a new solution and so on.

Regarding that URL, you are correct: it pieces together the MDA, the custom page, and the target object as shown here.

I hope that helps!