Power Platform Center of Excellence – A Real World Governance Journey Part 1: Recognizing Risks

By Cathy Ashbaugh, Vice President, Client Success and Qais Gharib, Practice Manager, Business Applications.

Today’s modern enterprise demands speed.  Business users need automation, data insights, and applications more than ever to be effective and efficient in a fast-paced environment, but often IT lacks resources to meet this growing demand.  The Power Platform, Microsoft’s industry-leading Low-Code Application Platform (LCAP) helps to bridge this gap by empowering the pro-code developers and citizen developers alike to build apps, automations, and reporting solutions within a trusted, secure, and reliant platform.

Although it’s clear the LCAP model of enabling citizen and pro developers is addressing a critical, unmet need (7 million+ users of Power Platform as of Jan 2023 and counting) to design and build business applications quickly, the picture is not all rosy.  In fact, there’s a constant whisper (or perhaps scream) nagging at many IT professionals who are aware of the risks associated with unleashing the Power Platform to their organizations and are pushing for mature governance processes and procedures. Recognizing this need, Microsoft released the Power Platform Center of Excellence (“CoE”) Starter Kit to help organizations support the drive for innovation and process improvement while providing a framework for implementing standards, consistency, and governance.  It’s a great tool but, as the name implies, the Power Platform CoE Starter Kit is designed to get you started on the governance journey. Most enterprise organizations will require a more customized solution to meet compliance and security requirements.

In this three-part blog series, we’ll share the real-world journey that we and our customer, a well-respected, diverse F-100 global organization, experienced on the way to enabling Power Platform governance by establishing a Power Platform Center of Excellence. This is not a fictional company, however, for the sake of privacy, we’ll call this organization, Company X.  We’ll outline the end-to-end use case, from what initiated the journey, to making the business case, to leveraging the Power Platform CoE Starter Kit, to building out several custom solutions to address the gaps and wrap up with the vision for this governance program’s ongoing care and feeding.  We’ve enjoyed working with Company X’s Power Platform owner and visionary throughout the process, and together, we’re sharing some lessons learned that may help others in their journey to Power Platform governance.

Part 1: Recognizing Risks

As any Microsoft 365 IT leader or platform owner knows, Microsoft 365 is constantly evolving with new features and products made available on a routine and rapid basis. The Power Platform is one such suite of tools that was announced and released in 2017. Originally, there were no additional licensing costs, and citizen developers and technologists alike were encouraged to try to build out some automations. And they did.

In Company X, the usage of Power Apps, Power Automate, Power Virtual Agents, and Power BI took off much faster than had been anticipated. Folks throughout the organization of more than 200,000 employees, working in diverse business units and departments across the globe, were creating apps and automations for personal productivity and more, in record numbers. Given the low barrier to entry for anyone with a desire to automate and enterprise licensing, usage of the Power Platform took off like wildfire throughout the organization.

Recognizing the risks

While self-service innovation is appreciated and encouraged at Company X, of equally high importance are security and governance. IT leadership very quickly recognized the potential security risks associated with having 10,000+ citizen developers, or makers, creating solutions. A Power Platform maker may be a non-IT professional with deep expertise in a business process who builds custom apps for their team to simplify, automate or transform tasks and processes. Makers help businesses become more productive and innovative and accelerate transformation. However, building apps, bots, and workflows with little to no oversight in a non-enterprise-grade fashion and environment presents a governance challenge. Recognizing that the Power Platform is here to stay and highly valued as a productivity tool in Company X, IT leadership and platform owners began to raise the alarm of potential risks with accelerated usage of the Power Platform by the maker community. In addition to security risks, there’s also the issue of having an operational structure and process in place to support the multitude of apps, flows, and bots being created.

Some of the areas of concern for IT leaders included:

  • How many apps do we have? What and where are they?
  • Are apps being built in a sustainable manner?
  • What data sources are being accessed?
  • Are the apps compliant with security and data loss policies?
  • Are environments being used?
  • What happens if someone leaves?
  • What about Application Lifecycle Management?
  • Do we have the proper people, processes, and methods to support these apps?

For Company X, one highly sensitive risk is the use of confidential data (PII, HIPPA, or other restricted data) in the apps being built by the makers. IT leadership asked, “Who is monitoring the use of this data and its adherence to security and DLP policies?” Other key areas of risk are the usage of a single default environment to build, test, run and modify apps and the open use of connectors (services used to enable connections to other apps, data, and devices in the cloud). By this time, there were over 30,000 assets (apps, flows, bots) in active use, and it was clear that a governance strategy needed to be put in place or that makers’ access to the tool would need to be limited or removed.

Committing to the process

Fueled by passion and real-world data to support their case, as well as a leadership team willing to listen, the Microsoft 365 and Power Platform owners were able to gain a commitment from management to address this growing concern. As a result, Company X chose to invest the time, money, and resources to create a Power Platform Governance Program to support their growing demand for productivity solutions, beginning with the exploration of the Microsoft Power Platform Center of Excellence (CoE) Starter Kit to fit their needs.

Read more about the Power Platform CoE Starter Kit, what it provides, and what work was needed to fully enable governance for Company X in our Real-World Governance Journey Part 2: Leveraging and Building Upon the Power Platform CoE Starter Kit.

Begin your Power Platform CoE Journey

If you are ready to empower your citizen developers in a safe, secure, operationally efficient way, our Power Platform Center of Excellence program is for you. If you would like to learn more about services to get your Power Platform Center of Excellence up and running, please contact us to arrange a complimentary consultation.

Compass365, a Microsoft Gold Partner, delivers SharePoint, Microsoft Teams, and Power Platform solutions that help IT and business leaders improve how their organizations operate and their employees work.


Join over 3,000 business and IT professionals who receive our monthly newsletter with the latest Microsoft 365 tips, news, and updates.