Security

Impliancy is designed with a clear and transparent security model that aligns with enterprise governance requirements.
This page explains how authentication, authorization, and data handling work inside Impliancy.


Authentication

User authentication

All users authenticate through your Microsoft Entra ID tenant.

  • Impliancy never stores passwords
  • MFA and conditional access policies apply normally as defined by the tenant
  • Sign-in is secured through the Microsoft identity platform

Service principal authentication

Impliancy uses a service principal to access:

  • Environment metadata
  • Apps
  • Flows
  • Desktop flows
  • Bots
  • Environment settings
  • Activity data

The service principal uses the OAuth 2.0 client credentials flow, so it obtains app-only tokens and does not impersonate any user. See Dataverse Permissions for more details.
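The practical consequence of the client credentials flow is that the token Impliancy presents is an app-only token: it carries the application's roles, not a user's scopes or identity. The following is an added example (not Impliancy's code) that shows how to tell the two token kinds apart by reading the claims Entra ID issues, and how an app-only token is acquired with MSAL. The claim names (scp, roles, idtyp, upn, preferred_username) are documented Entra ID access-token claims; the tenant and app identifiers below are placeholders, and the tokens are constructed and unsigned, so this is a diagnostic for reading claims, not an authorization check.

```python
"""Distinguish an app-only (client credential) Entra ID token from a
delegated user token by inspecting its claims.

Added example, not Impliancy's code. The signature is NOT verified here;
use this only to inspect what a token says about who it represents.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def identity_kind(claims: dict) -> str:
    """Classify a token as 'app-only' or 'delegated' from its claims.

    Entra ID issues delegated tokens with an `scp` claim plus a user
    identity (`upn` or `preferred_username`); app-only tokens from the
    client credentials flow carry `roles` instead and, when the optional
    claim is requested, `idtyp` = "app".
    """
    if claims.get("idtyp") == "app":
        return "app-only"
    if "scp" in claims or "upn" in claims or "preferred_username" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    raise ValueError("cannot classify token: no scp/roles/idtyp claims")


def classify_token(token: str) -> str:
    return identity_kind(decode_claims(token))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment: this token is intentionally unsigned
    ])


def acquire_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Acquire a real app-only token with MSAL (client credentials flow).

    Not run offline; requires the `msal` package and a registered app.
    The `.default` scope requests whatever application permissions the
    tenant admin consented to; no user is involved at any point.
    """
    import msal  # lazy import so the rest of the module runs without it

    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=client_secret,
    )
    result = app.acquire_token_for_client(
        scopes=["https://graph.microsoft.com/.default"])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", result))
    return result["access_token"]


# Constructed sample claims (placeholder ids, not a real tenant or app).
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "idtyp": "app",
    "roles": ["Application.Read.All"],
}
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "upn": "user@contoso.example",
    "scp": "User.Read",
}

if __name__ == "__main__":
    for name, claims in (("app-only", APP_ONLY_CLAIMS), ("delegated", DELEGATED_CLAIMS)):
        print(name, "->", classify_token(make_unsigned_token(claims)))
```

When auditing what a governance tool can do in your tenant, the `roles` claim of its app-only token is the authoritative list of application permissions it actually received; compare it against the permissions the Dataverse Permissions page says are required.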


Authorization

Authorization is based on:

  • Power Platform Admin role
  • Global Admin role
  • Impliancy Admin role (automatic)
  • Artifact ownership and deputies

Permissions are enforced on every API call within Impliancy.


Data isolation

Single-tenant environments

All metadata is isolated by the Power Platform tenant itself.

Service provider mode (upcoming)

When multiple client tenants are connected:

  • Tenants are strictly isolated
  • Service Provider Admins only access tenants assigned to them
  • No data can leak between tenants

Data stored by Impliancy

Impliancy stores only governance-related metadata:

  • Artifact identifiers
  • Owner and deputy metadata
  • Compliance form data
  • Compliance approval decisions
  • Inactivity status
  • Audit events
  • Environment configuration

Impliancy does not store:

  • Business data inside apps or flows
  • Dataverse records
  • User content
  • Connection secrets or tokens
  • Sensitive Power Platform data beyond governance metadata

Data encryption

  • All data in transit is encrypted using HTTPS/TLS
  • All data at rest is encrypted by the hosting platform

Auditing

Every significant governance action is logged:

  • Owner changes
  • Compliance form submissions
  • Approvals
  • Environment setting changes
  • Inactivity actions

Audit logs are viewable by admins. See Audit Log for more details.


Principle of least privilege

To operate Impliancy securely:

  • Limit the number of Global Admins and Power Platform Admins
  • Assign Service Provider Admins only to consultants who require access (upcoming)
  • Review admin assignments periodically
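The last two recommendations (limit the number of Global Admins and Power Platform Admins, review assignments periodically) are easiest to keep when the review is scripted. The following is an added example, not Impliancy's code, that pulls the members of those two directory roles from Microsoft Graph and flags the conditions a reviewer would look for. The Graph endpoints (`/directoryRoles` and `/directoryRoles/{id}/members`) and the role display names are real; the member-count threshold is an assumption chosen for the example, the `accountEnabled` field is only checked when present, and the membership data at the bottom is constructed so the check runs offline.

```python
"""Periodic review of privileged directory role assignments.

Added example, not Impliancy's code. `review_admin_roles` is a pure
function over membership data so it can be tested offline;
`fetch_role_members` shows how that data is pulled from Microsoft Graph
with an app-only or delegated token that has directory read permission.
"""
import json
import urllib.request

REVIEWED_ROLES = ("Global Administrator", "Power Platform Administrator")
GRAPH = "https://graph.microsoft.com/v1.0"


def fetch_role_members(access_token: str, role_names=REVIEWED_ROLES) -> dict:
    """Return {role display name: [member objects]} from Microsoft Graph.

    Not exercised offline. Needs RoleManagement.Read.Directory or
    Directory.Read.All. Only roles activated in the tenant are listed, so
    an absent role simply does not appear in the result.
    """
    headers = {"Authorization": f"Bearer {access_token}"}

    def get(url: str) -> dict:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    result = {}
    for role in get(f"{GRAPH}/directoryRoles")["value"]:
        if role["displayName"] in role_names:
            members = get(f"{GRAPH}/directoryRoles/{role['id']}/members")["value"]
            result[role["displayName"]] = members
    return result


def review_admin_roles(memberships: dict, max_members: int = 5) -> list:
    """Return human-readable findings for a set of role memberships.

    Flags: more members than `max_members` (threshold is an assumption),
    non-user principals holding an admin role, disabled accounts still
    assigned (only when `accountEnabled` is present), and one principal
    holding more than one of the reviewed roles.
    """
    findings = []
    roles_by_principal = {}
    for role, members in memberships.items():
        if len(members) > max_members:
            findings.append(
                f"{role}: {len(members)} members exceeds limit of {max_members}")
        for m in members:
            kind = m.get("@odata.type", "")
            label = m.get("userPrincipalName") or m.get("displayName") or m.get("id")
            if kind != "#microsoft.graph.user":
                findings.append(f"{role}: non-user principal {label} ({kind})")
            elif m.get("accountEnabled") is False:
                findings.append(f"{role}: disabled account {label} still assigned")
            roles_by_principal.setdefault(m.get("id"), set()).add(role)
    for principal, roles in roles_by_principal.items():
        if len(roles) > 1:
            findings.append(
                f"{principal}: holds multiple privileged roles {sorted(roles)}")
    return findings


# Constructed sample shaped like Graph member objects (not a real tenant).
SAMPLE_MEMBERSHIPS = {
    "Global Administrator": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1",
         "userPrincipalName": "alice@contoso.example", "accountEnabled": True},
        {"@odata.type": "#microsoft.graph.user", "id": "u2",
         "userPrincipalName": "bob@contoso.example", "accountEnabled": False},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp1",
         "displayName": "legacy-automation"},
    ],
    "Power Platform Administrator": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1",
         "userPrincipalName": "alice@contoso.example", "accountEnabled": True},
        {"@odata.type": "#microsoft.graph.user", "id": "u3",
         "userPrincipalName": "carol@contoso.example", "accountEnabled": True},
    ],
}

if __name__ == "__main__":
    for finding in review_admin_roles(SAMPLE_MEMBERSHIPS):
        print(finding)
```

Run this on a schedule and treat a non-empty findings list as a ticket for the identity team; the same membership data is what you would compare against Impliancy's own audit events for owner and environment-setting changes when reconciling who could have performed them.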