Power Platform Security: Internal User Authentication
Understanding internal authentication strategies in Microsoft Power Platform is essential for designing a secure and scalable architecture. Explore Cloud Identity, Password Hash Synchronization (PHS), Pass-through Authentication (PTA), Federation, Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Conditional Access (CA).
Introduction to Internal Authentication in Power Platform
In the context of Microsoft Power Platform, authentication is the mechanism that verifies the identity of a user or service before granting access to cloud resources such as Dataverse, Power Apps, Power Automate, or Power BI. Internal users are managed primarily through Azure Active Directory (AAD), which serves as the central identity provider and integration point with on-premises directories when needed.
Organizations can choose a pure cloud identity model or a hybrid configuration that integrates local Active Directory with AAD using components like Azure AD Connect. Hybrid integration helps maintain centralized identity provisioning, enforce security policies, and deliver a unified login experience.
Available Authentication Approaches
Microsoft supports several authentication models for internal users, each addressing specific requirements for security, control, and manageability.
1. Cloud Identity
The Cloud Identity approach is the simplest, fully cloud-managed model. Users are created and maintained directly in Azure Active Directory with no dependency on local directories. It is ideal for cloud-native organizations or startups without on-premises infrastructure.
The process involves two main steps:
- The user requests access to a cloud service such as Power Apps or Power BI.
- The service delegates authentication to Azure AD, which verifies credentials and issues an access token.
This model supports features such as Conditional Access, MFA, and self-service password reset.
2. Password Hash Synchronization (PHS)
Password Hash Synchronization is the most common hybrid identity implementation method. Using Azure AD Connect, password hashes from the on-premises directory are synchronized to Azure AD, allowing authentication in the cloud while maintaining local identity management.
This approach enables users to use the same credentials both on-premises and in the cloud, simplifying user experience and administrative overhead. Authentication occurs entirely in the cloud, while synchronization ensures password consistency.
3. Pass-through Authentication (PTA)
Pass-through Authentication allows Azure AD to delegate credential verification to an on-premises agent. When a user signs in, Azure AD forwards the authentication request to a local server agent that validates the credentials against the local Active Directory.
This approach keeps password validation on-premises, so no password hashes are stored in the cloud, and it gives the organization direct control over the authentication path. It also supports Single Sign-On for domain-joined devices.
4. Federation (ADFS)
Federation is the most advanced and flexible approach, based on Active Directory Federation Services (ADFS). It is typically chosen by large multinational enterprises with established security infrastructures and customized authentication requirements.
Federation allows organizations to:
- Implement complete Single Sign-On for domain-joined devices.
- Apply advanced conditional access rules through claim rules.
- Support certificate-based or smart card authentication.
- Integrate multiple Active Directory forests.
While requiring additional infrastructure (ADFS and proxy servers), it offers maximum flexibility and control for enterprise environments.
Additional Security Features
Conditional Access (CA)
Conditional Access is one of the most powerful Azure AD features, designed to enforce access controls based on predefined conditions. Rules can evaluate signals such as:
- User type or group membership
- Device type or compliance status
- Requested application
- Geographical location
- Risk signals from Azure Identity Protection
Based on these signals, access can be granted, blocked, or require additional verification like MFA. Conditional Access requires an Azure AD Premium license.
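As an added example (not code from the original article or from Microsoft), the following Microsoft Graph PowerShell script defines two such policies for a Power Platform pilot group, both created in report-only mode so their effect can be checked in the sign-in logs before enforcement; the group object ID and application ID are placeholders, and the cmdlets assume the Microsoft.Graph PowerShell SDK is installed.

```powershell
# Added example, not from the original article or from Microsoft: defines two
# report-only Conditional Access policies that require MFA for a pilot group
# signing in to Power Platform apps, one for untrusted locations and one for
# elevated sign-in risk. Conditions inside a single policy are ANDed, so the
# two triggers live in separate policies. Requires the Microsoft.Graph SDK.
# Placeholders to replace: <PILOT-GROUP-OBJECT-ID>, <POWER-PLATFORM-APP-ID>.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

function New-PowerPlatformMfaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $ExtraConditions
    )
    # Base conditions shared by both policies: who (pilot group) and what (app).
    $conditions = @{
        users          = @{ includeGroups = @("<PILOT-GROUP-OBJECT-ID>") }
        applications   = @{ includeApplications = @("<POWER-PLATFORM-APP-ID>") }
        clientAppTypes = @("all")
    }
    foreach ($key in $ExtraConditions.Keys) { $conditions[$key] = $ExtraConditions[$key] }

    $policy = @{
        displayName   = $Name
        # Report-only: evaluated and logged in the sign-in logs, not enforced yet.
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
        sessionControls = @{
            # Force re-authentication every 8 hours for these apps.
            signInFrequency = @{ isEnabled = $true; type = "hours"; value = 8 }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Policy 1: any location except named locations marked as trusted.
$p1 = New-PowerPlatformMfaPolicy -Name "CA-PP-MFA-UntrustedLocation (report-only)" -ExtraConditions @{
    locations = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
}

# Policy 2: medium/high sign-in risk from Identity Protection (needs Premium P2).
$p2 = New-PowerPlatformMfaPolicy -Name "CA-PP-MFA-SignInRisk (report-only)" -ExtraConditions @{
    signInRiskLevels = @("medium", "high")
}

$p1, $p2 | Select-Object DisplayName, State, Id
```

Switch the state to "enabled" only after the report-only results show no unexpected blocks, and always keep a break-glass account excluded from policies of this kind.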
Multi-Factor Authentication (MFA)
MFA adds a second verification factor beyond the password, significantly reducing unauthorized access risk. It can include push notifications, tokens, SMS, or hardware security keys. MFA is strongly recommended for administrators, developers, and users accessing critical Power Platform resources.
Single Sign-On (SSO)
Single Sign-On enables users to log in once and seamlessly access multiple Microsoft 365 and Power Platform services. For domain-joined or registered devices, authentication is transparent and continuous across apps.
Governance and Account Management
Effective internal authentication governance extends beyond login. It includes user lifecycle management, session policies, and environment segmentation.
- Use Security or Microsoft 365 Groups to control which users are synchronized into Dataverse environments.
- Apply session timeout and inactivity timeout settings so that idle or abandoned sessions cannot be reused.
- Monitor user access through Power Platform Admin Center and Azure AD Monitoring.
These measures ensure that only authorized users access the right environments and that corporate security policies are consistently enforced.
Frequently Asked Questions about Internal Authentication
What is the difference between PHS and PTA?
Password Hash Synchronization synchronizes password hashes to Azure AD, allowing cloud-based authentication. Pass-through Authentication forwards authentication requests to on-premises servers, keeping verification local.
When is Federation recommended?
Federation is recommended for organizations with multiple Active Directory forests, advanced authentication requirements, or external provider integration needs via ADFS.
Is Conditional Access included in all licenses?
No, Conditional Access requires an Azure AD Premium P1 or higher license.