Microsoft Power Platform Enterprise Architecture

Learning Power Platform administration and monitoring

Administration and monitoring are very important aspects when it comes to using the Power Platform ecosystem in a company. The more complex and diverse the landscape and the greater the variety of user groups who start using the Power Platform, the more important proper administration and monitoring are to achieving the necessary level of governance.

As your own ecosystem grows more complex, it becomes increasingly important to ensure governance so that you keep control and can take timely action in case of any disturbances, policy violations, and so on.

Power Platform can be administered and monitored in a multitude of ways. In this section, you will learn about all the different options available, from manual administration using admin centers to fully automated possibilities using various tools the platform offers. You will also learn about different monitoring options, from built-in analytics to more sophisticated automated possibilities.

Understanding Power Platform administration centers

Currently, there are three administration centers that are used to administer and monitor various components of the Power Platform. In the following sections, we will start by describing the administration and monitoring capabilities of those administration centers.

Microsoft 365 admin center

Microsoft 365 admin center is used for administration purposes regarding the Microsoft 365 central services, as described earlier in this chapter. The admin center provides a unified URL for every customer: https://admin.microsoft.com. You can perform the following Power Platform-relevant tasks in this admin center:

  • Purchase Power Platform licenses and manage billing.
  • Create user accounts and assign them Power Platform licenses.
  • Create groups and assign members to groups.

The admin center is also a starting point for all the other admin centers in the Microsoft SaaS cloud services.

Microsoft 365 admin center provides a high-level monitoring overview of the platform and all the services included within Microsoft 365 and Power Platform. Monitoring analytics consist of the following areas:

  • Service health contains the overall health status of all cloud services, service incident information, advisories, history of incidents, as well as management of issues.
  • Message center provides important messages about upcoming platform and product feature updates, as well as the deprecation and decommissioning of services.

For mobile administration, there is a mobile app version of Microsoft 365 Admin that offers a subset of administration and monitoring capabilities for Microsoft 365, including users, groups, and license management.

Power Platform admin center

The Power Platform admin center is the main administration center and is an entry point with links to other underlying administration centers. The admin center provides a unified URL for every customer: https://admin.powerplatform.microsoft.com.

The admin center provides the following administration and monitoring capabilities:

  • Environments management: This capability encompasses features such as creating a new environment, configuring environment parameters and settings, managing Dynamics 365 apps, managing updates, managing solutions, managing backups and restores, managing environment copies, resetting environments, deleting environments, assigning Microsoft 365 groups to environments, and opening environments.
  • Analytics capabilities: This capability provides a detailed analytical overview of many important environment and application-related metrics. A more detailed description of this capability will be provided in the upcoming sections.
  • Management of support tickets
  • Management of data integration projects using Power Query
  • Management of on-premises data gateways
  • Management of DLP policies
  • Links to the other administration centers

The Power Platform admin center contains comprehensive administration and monitoring analytics of all the areas of the platform, as described in the following sections. This capability does not contain any analytics of the business data contained in the applications; instead, it just serves the administration and monitoring purposes.

Capacity analytics

Capacity analytics reflects the new storage model (database, file, log) and provides comprehensive analytics about the storage space of an environment equipped with the CDS database:

  • Storage capacity by storage type, by source, and by environment.
  • Detailed storage capacity at the individual environment level. This provides analytics about the top capacity resources that are consuming the most storage.

Common Data Service analytics

Common Data Service analytics provides detailed insights into the following areas of the CDS structure:

  • Users analytics (active users, their usage patterns over time, and so on)
  • Modes of access analytics (active users by OS, browser, device type, business units, security roles, entities, and so on)
  • Entity usage analytics (most used entities and custom entities)
  • System jobs, plugin, API usage, and mailbox usage analytics

Power Automate analytics

Power Automate analytics provides detailed insights into the following areas:

  • Flows runs analytics (daily, weekly, monthly)
  • Flows usage, created flows, flow errors, and sharing analytics
  • Connectors analytics

Power Apps analytics

Power Apps analytics provides detailed insights into Power Apps usage, location, errors, and performance analytics.

Learning about the Power BI admin center

The Power BI admin center has the following unified URL: https://app.powerbi.com/admin-portal.

This admin center is used for Power BI administration and monitoring, including the following capabilities:

  • Power BI tenant settings (overall settings for the whole Power BI environment within the tenant)
  • Management of custom visuals and branding
  • Management of dataflows (switching to your own Azure Data Lake storage instead of Power BI provided storage) and more

Power BI monitoring analytics, which is contained within the Power BI admin center, provides detailed insights into usage metrics analytics (number of user and group datasets, reports, dashboards, top users and groups with the most dashboards, packages, reports, and so on).

Understanding PowerShell administration and monitoring

PowerShell administration provides an automated way to administer cloud environments. Compared to the admin portals, it also offers some additional features that are not available in the portals.

Important note

For those not familiar with PowerShell, it is recommended that you refer to an introductory learning resource such as https://en.wikipedia.org/wiki/PowerShell.

In this section, we will provide an overview of how PowerShell can administer and monitor various parts of the Power Platform.

Microsoft 365 administration

There are two different PowerShell modules for administering Microsoft 365:

  • Azure Active Directory PowerShell for Graph (module name: AzureAD)
  • Azure Active Directory Module for Windows PowerShell (module name: MSol)

For the purpose of Power Platform, both modules provide administration capabilities for users, licenses, groups, and so on.

The following simple PowerShell code example illustrates how to create a new Azure Active Directory user using the AzureAD module:

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = 'ContosoUserPassword'
New-AzureADUser -DisplayName 'Contoso User 1' -PasswordProfile $PasswordProfile -UserPrincipalName 'user1@contosoinc.onmicrosoft.com' -AccountEnabled $true -MailNickName 'user1'

The preceding example demonstrates how to create a new Azure Active Directory user account with a password and nickname and enable this account at the same time.

Important note

The Azure Active Directory Module for Windows PowerShell is planned for future deprecation once its capabilities are fully available in Azure Active Directory PowerShell for Graph.

One interesting option would be to create a set of PowerShell scripts such as the previous one and perform user, group, and license management in an automated way.

Power Apps administration

There are multiple PowerShell modules for administering Power Apps, as well as Dynamics 365. The following are the three modules for Power Apps administration:

  • The module for Power Apps administrators (module name: Microsoft.PowerApps.Administration.PowerShell) provides the following capabilities:

    CDS administration

    Management of canvas apps

    Management of Power Automate flows

    Management of connections

    Management of custom connectors

    Management of user settings

    Management of DLP policies

  • The module for Power Apps app makers (module name: Microsoft.PowerApps.PowerShell) provides the following capabilities:

    Management of canvas apps

    Management of Power Automate flows

    Management of connections

  • The last module (module name: Microsoft.PowerApps.Checker.PowerShell) is used to manage the Power Apps checker service.

There is another group of three modules for administering Dynamics 365 instances, as follows:

  • The module for administering Dynamics 365 instances and Bring Your Own Key (BYOK) encryption keys (module name: Microsoft.Xrm.OnlineManagementAPI)
  • The module for connecting to Dynamics 365 instances and retrieving instance details (module name: Microsoft.Xrm.Tooling.CrmConnector)
  • The module for administering package deployments (module name: Microsoft.Xrm.Tooling.PackageDeployment)

The following simple PowerShell code example illustrates how to create a new Power Platform environment with the CDS database using the Microsoft.PowerApps.Administration.PowerShell module:

New-AdminPowerAppEnvironment -DisplayName 'Contoso Production' -Location unitedstates -EnvironmentSku Production -ProvisionDatabase -CurrencyName 'USD' -LanguageName 'EN'

This example demonstrates creating a new Power Platform environment with a specified display name in the region of the United States with an environment type of Production. It is specified that a CDS database will be created for this environment. For environments created with the CDS database, the primary currency and primary language are mandatory parameters.

This example illustrates one possible approach to administering Power Platform; that is, by creating and using a set of PowerShell scripts for all the typical administration tasks you will encounter.

Power BI administration

Microsoft Power BI also provides a set of useful PowerShell modules for all typical administration and monitoring tasks. The following PowerShell modules are available for Power BI:

  • The rollup module, which is used to install all the other modules in a single installation step (module name: MicrosoftPowerBIMgmt).
  • The administration module, which is used for encryption and auditing management (module name: MicrosoftPowerBIMgmt.Admin).
  • The capacities module, which is used for capacity management (module name: MicrosoftPowerBIMgmt.Capacities).
  • The data module, which is used for managing datasets, dataflows, data sources, tables, columns, and rows (module name: MicrosoftPowerBIMgmt.Data).
  • The profile module, which is used for logging in and out and executing calls to the Power BI REST API (module name: MicrosoftPowerBIMgmt.Profile).
  • The reports module, which is used for managing reports, dashboards, tiles, exports, and imports (module name: MicrosoftPowerBIMgmt.Reports).
  • The workspaces module, which is used for workspace management (module name: MicrosoftPowerBIMgmt.Workspaces).

The following simple PowerShell code example illustrates how to upload a new Power BI report file to the Power BI service using the MicrosoftPowerBIMgmt.Reports module:

New-PowerBIReport -Path '.\contososales1.pbix' -Name 'Contoso Sales Analysis Report' -Workspace ( Get-PowerBIWorkspace -Name 'Contoso Sales Workspace' )

This example demonstrates how to automatically upload a Power BI report package into a workspace specified by name. As with the previous examples, we now know how to create a set of PowerShell modules to automate all the typical Power BI management tasks.

PowerShell monitoring

The PowerShell modules that we mentioned earlier provide certain monitoring automation capabilities, such as the following:

  • Collect Power Platform environment usage metrics (number of environments, apps, flows)
  • Collect Power Platform connector usage metrics (how many of a certain type of connector are being used by which apps and flows)
  • Collect on-premises data gateway metrics
  • Write the collected monitoring information into the appropriate repository for reporting

When creating administration and monitoring automations with PowerShell, it is very important, besides other things, to get an overview of all the existing environments in the organization's tenant.

The following simple PowerShell code example illustrates generating a detailed list of all Power Platform environments containing the string Contoso in their display name, using the Microsoft.PowerApps.Administration.PowerShell module:

Get-AdminPowerAppEnvironment *Contoso*

This very simple example demonstrates how to use one of the monitoring PowerShell commands that's available. This can be a starting point for subsequent commands that perform administration tasks with the environment list.
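The environment list can feed the usage metrics listed at the start of this section. The following is an added example, not code from the original text: it counts apps and flows per environment with the same module and appends a dated snapshot to a CSV file. The output path and the choice of CSV as the reporting repository are assumptions.

```powershell
# Added example: per-environment inventory snapshot for governance reporting.
# Requires the Microsoft.PowerApps.Administration.PowerShell module and an
# account with Power Platform admin rights. The output path is an assumption.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount    # interactive sign-in

$snapshotUtc = (Get-Date).ToUniversalTime().ToString('o')
$outFile     = '.\powerplatform-inventory.csv'    # assumed repository location

$rows = foreach ($environment in Get-AdminPowerAppEnvironment) {
    # @() forces an array so that .Count is correct for zero or one result
    $apps  = @(Get-AdminPowerApp -EnvironmentName $environment.EnvironmentName)
    $flows = @(Get-AdminFlow     -EnvironmentName $environment.EnvironmentName)

    [pscustomobject]@{
        SnapshotUtc     = $snapshotUtc
        EnvironmentName = $environment.EnvironmentName
        DisplayName     = $environment.DisplayName
        IsDefault       = $environment.IsDefault
        AppCount        = $apps.Count
        FlowCount       = $flows.Count
    }
}

# Append, so that successive runs build a history that can be trended
$rows | Export-Csv -Path $outFile -Append -NoTypeInformation

# Environments holding neither apps nor flows are candidates for review
$rows | Where-Object { $_.AppCount -eq 0 -and $_.FlowCount -eq 0 } |
    Select-Object DisplayName, EnvironmentName
```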

Learning about API administration

API administration provides another automated way to administer cloud environments, where a customer can develop the required administration procedures with code and integrate those procedures into their own overall management and administration IT system.

This approach is best suited for organizations that have their own centralized administration tool for administering their existing IT ecosystem and would, therefore, prefer to have the new Microsoft cloud environment managed the same way. In order to provide this capability, the Microsoft cloud solutions are equipped with a standardized set of administration APIs. These are implemented using the widely used REST endpoint technology.

Important note

For those not familiar with the concept of APIs, it is recommended that you refer to an introductory learning resource such as https://en.wikipedia.org/wiki/Application_programming_interface.

In this section, we will provide an overview of how the available APIs can administer and monitor various parts of Power Platform.

Microsoft 365 administration

The Microsoft Graph API is used for Microsoft 365 administration with code. The Microsoft Graph API has a rich set of programmability models for managing Office 365, Windows 10, as well as Enterprise Mobility and Security. The Microsoft Graph API provides a single REST-based endpoint at https://graph.microsoft.com for accessing all the resources in all Microsoft 365 products. For the purpose of Power Platform, the Microsoft Graph API provides administration capabilities for users, licenses, groups, and so on.

The following example demonstrates an HTTP request against the Microsoft Graph API for creating a new Azure Active Directory user:

POST https://graph.microsoft.com/v1.0/users
Content-type: application/json

{
  "accountEnabled": true,
  "displayName": "Contoso User 1",
  "mailNickname": "user1",
  "userPrincipalName": "user1@contosoinc.onmicrosoft.com",
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "ContosoUserPassword"
  }
}

The preceding example demonstrates how to create a new Azure Active Directory user account with the same attributes as in the PowerShell example earlier in this section.

Power Apps administration

Administering CDS with code can be performed using the REST-based Online Management API for CDS. This service is provided using a region-dependent URL: https://admin.services.crmX.dynamics.com.

The X in the URL is the Power Platform region code.

This API supports most of the operations that are available in the admin centers:

  • General environment/instance management (create, configure, update, delete, backup, restore, get instance information)
  • Management of encryption keys
  • Notification management
  • Management of application identities
  • Testing management

Power BI administration

The Power BI API allows us to automate certain Power BI processes such as performing management tasks, pushing data into Power BI datasets, automatically refreshing datasets, and so on. Power BI provides the following API technologies:

  • Power BI REST API
  • Power BI .NET API
  • Power BI JavaScript API

The APIs described in this section can support those who wish to build a management solution or extend an existing management solution, as shown in the following diagram:

Figure 3.5 - Centralized API-based management solution

Using a solution similar to the preceding one would greatly simplify and consolidate the administration efforts needed to manage the cloud environment in the following areas:

  • Provisioning a new user account in the corporate network can be extended by provisioning an Azure Active Directory account for the user at the same time. This can be done using the Graph API.
  • Granting permissions to corporate IT systems to users can be extended to grant such permissions to Power Platform solutions at the same time. This can be done by using the Graph API for assigning licenses.
  • Administration of corporate IT systems can be extended with administration of Power Platform cloud environments and the Power BI instance. This can be done by using the Online Management API and Power BI API.

    Important note

    The example solution provided here does not cover a possible integration between on-premises active directory and Azure Active Directory. You will learn about this integration in more detail in Chapter 7, Microsoft Power Platform Security.

In the next section, we'll look at administering and monitoring with Power Automate.

Administration and monitoring using Power Automate

Since Power Automate is an automation solution, it can be used to manage and administer the Power Platform itself as well. For this purpose, Power Automate provides a set of management connectors, described as follows:

  • Microsoft Forms connector, which can be used as part of an administration logic to collect manual input needed to perform the respective administration tasks.
  • Approvals connector, which can be used as part of an administration logic for approval purposes.
  • Office 365 Users connector, which can be used for searching for users, retrieving users' information, and updating the current user's details.
  • Azure Active Directory connector, which can be used for users and groups management.
  • Power Platform for Admins connector, which can be used for retrieving, creating, updating, and deleting environments, as well as managing tenant and environment DLP policies.
  • Power Apps for Admins connector, which can be used for retrieving information about Power Apps and for managing Power Apps and their permissions.
  • Power Apps for App Makers connector, which can be used for retrieving information about Power Apps, managing permissions, Power Apps, connectors, and connections.
  • Power Automate Management connector, which can be used for managing flows, connectors, and access rights.
  • Power BI connector, which can be used for adding rows to a dataset and refreshing a dataset.

Using the management connectors listed here, the customer can easily build their own Power Platform administration flows without using any code. The following screenshot illustrates a possible Power Automate flow for creating a new Azure Active Directory user:

Figure 3.6 - Power Automate flow for creating an Azure Active Directory user

As illustrated in the preceding screenshot, this is a manually triggered button flow, which collects basic information about the newly created user and then performs user creation in the Azure Active Directory using the Azure Active Directory management connector.

The management connectors can also be used for certain monitoring tasks:

  • Administrators alerting and notifications: This capability can be used to notify administrators about Power Platform ecosystem events (environment creation, apps creation, flows creation, connector usage, custom connector creation, and so on).
  • Makers alerting and notifications: This capability can be used to send welcome messages to new Power Apps or Power Automate makers, notify them about improper use of resources and suggested correction steps, and so on.

Administration using Azure DevOps

Although Azure DevOps's primary purpose is solution development, it can be used for certain administration tasks as well. It is highly recommended to install the Power Platform build tools into Azure DevOps for every Power Platform implementation.

Important note

You will find more details about using Azure DevOps for Power Platform projects in the next few chapters of this book, where we will discuss tools and techniques, application lifecycle management, the implementation approach and methodologies, and so on.

The build tools provide the following administration capabilities:

  • Environment management (create, delete, back up, and copy environments)
  • Solution management (export, import, pack, unpack, and deploy solution packages, as well as publish customizations)

Learning about platform auditing

Another very important and useful monitoring tool is platform auditing, which is used for collecting detailed information and providing insights into what is happening within the various Power Platform applications. In Power Platform, there are two main auditing technologies:

  • Office 365 Activity Logging
  • CDS auditing

The capabilities of these two auditing technologies will be described in the following sections.

Office 365 Activity Logging

Office 365 Activity Logging is an auditing feature that is part of the Office 365 Security & Compliance Center: https://protection.office.com.

Office 365 Security & Compliance Center is a comprehensive tool used for managing security and compliance in the Microsoft SaaS cloud products. You will learn more about this tool in Chapter 7, Microsoft Power Platform Security.

The activity logging feature enables auditing of all Office 365 cloud services, including the Power Platform components. Office 365 Activity Logging needs to be enabled. After you've enabled it, it will automatically start collecting auditing data. This feature collects data about the following events:

  • User management events (adding, updating, and deleting users, as well as user password and license-related events).
  • Group management events (adding, updating, and deleting groups, as well as group membership events).
  • Power Apps events (creating, editing, deleting, publishing, and launching apps, as well as apps permission changes).
  • Power Automate events (creating, editing, and deleting flows, as well as flows permission changes).
  • Model-driven apps and Dynamics 365 events (administration events, creating, reading, updating, and deleting data in CDS entities, exporting to Excel, SDK calls, working with reports, and so on).
  • Power BI events (creating, updating, deleting, viewing, publishing, retrieving, exporting, and so on of all Power BI elements).

All the data that's collected from these sources and their events can be filtered, sorted, and viewed in the Office 365 Security & Compliance Center. The data is stored on the auditing platform for a limited period of up to 1 year. After this retention period, the data is automatically deleted.

To ensure a longer retention and enhance the reporting and analytical capabilities provided, it is possible to export the data into a separate repository and process it with an appropriate tool.

In order to achieve this, the following steps need to be implemented:

  1. Use PowerShell or Power Automate flows with the management connectors.
  2. Connect to the Office 365 Management Activity API: https://manage.office.com.
  3. Extract the required data from the activity logging repository.
  4. Store the data in a permanent repository. The best option for further analytics and reporting would be a database.
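
The four steps above, as an added PowerShell example that is not part of the original text. It requests an app-only token, lists the Audit.General content for the last 24 hours, and appends Power Platform records to a JSON Lines file, skipping record IDs that are already stored. The tenant ID, app registration, environment variable name, output file, and the list of Workload values are placeholders or assumptions.

```powershell
# Added example: export Power Platform audit records from the Office 365
# Management Activity API. Tenant ID, app ID, the environment variable name and
# the output file are placeholders/assumptions, not values from the book.
$tenantId = '<tenant-guid>'
$clientId = '<app-registration-client-id>'
$secret   = $env:O365_AUDIT_CLIENT_SECRET      # keep the secret out of the script
$outFile  = '.\powerplatform-audit.jsonl'
$resource = 'https://manage.office.com'
$feed     = "$resource/api/v1.0/$tenantId/activity/feed"
# Workload values to keep: an assumption, confirm against records in your tenant
$workloads = 'PowerApps', 'MicrosoftFlow', 'PowerBI'

# Steps 1-2: get an app-only token (client credentials grant) for the API
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        resource      = $resource
        client_id     = $clientId
        client_secret = $secret
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# The Audit.General subscription must be started once per tenant:
# Invoke-RestMethod -Method Post -Headers $headers `
#     -Uri "$feed/subscriptions/start?contentType=Audit.General"

# Record IDs already stored, so that re-running the export adds no duplicates
$seen = @{}
if (Test-Path $outFile) {
    Get-Content $outFile | Where-Object { $_ } |
        ForEach-Object { $seen[($_ | ConvertFrom-Json).Id] = $true }
}

# Step 3: list content blobs; one request may span at most 24 hours
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-24)
$uri   = "$feed/subscriptions/content?contentType=Audit.General" +
         "&startTime=$($start.ToString('s'))&endTime=$($end.ToString('s'))"

while ($uri) {
    $resp = Invoke-WebRequest -Uri $uri -Headers $headers -UseBasicParsing
    foreach ($blob in ($resp.Content | ConvertFrom-Json)) {
        # Each blob is a JSON array of audit records in the common schema
        foreach ($record in (Invoke-RestMethod -Uri $blob.contentUri -Headers $headers)) {
            if ($record.Workload -in $workloads -and -not $seen.ContainsKey($record.Id)) {
                $seen[$record.Id] = $true
                # Step 4: store one JSON document per line
                $record | ConvertTo-Json -Depth 10 -Compress | Add-Content -Path $outFile
            }
        }
    }
    # Long listings are paged through the NextPageUri response header
    $next = $resp.Headers['NextPageUri']
    $uri  = if ($next) { @($next)[0] } else { $null }
}
```

Because the audit platform deletes data after its retention period, a job like this has to run on a schedule; the ID check makes overlapping time windows safe.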

Next, we'll look at CDS auditing.

CDS auditing

Another auditing option is to use traditional CDS auditing, which runs within a model-driven application and stores the auditing data in a specific auditing entity in the CDS database. Auditing only works within the boundaries of a CDS database and the amount of information that's tracked is smaller; for example, no read transactions can be audited.

Understanding application monitoring

Another important monitoring option is to monitor the Power Platform solutions directly in order to gain an analytical overview of the usage of various parts of the solution, including performance metrics, errors, and so on. A recommended way to build centralized monitoring into the solutions is to make use of Azure Monitor's capabilities; that is, Azure Application Insights and Azure Log Analytics.

Model-driven apps integration with Application Insights needs to be implemented with code. The following integration possibilities are available:

  • Client-side integration using JavaScript code can be used in any place in a model-driven application that supports client-side event handling.
  • Server-side integration using Azure Functions with server-side registered Webhook event handlers. Alternatively, plug-in error handlers can be used for any server-side events.

Canvas apps integration with Application Insights can be easily implemented by only configuring the Application Insights instrumentation key in the canvas apps settings.

Integration with Log Analytics can be implemented using the Azure Log Analytics Data Collector connector from any canvas app or Power Automate flow.

Another possibility is to extract data about previous Power Automate runs from the platform using PowerShell, and then write that data into Log Analytics using code with the HTTP Data Collector API.
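
Writing to Log Analytics with the HTTP Data Collector API means signing every request with the workspace shared key. The following added example, which is not from the original text, builds that signature and posts a batch of records; the workspace ID, the environment variable name, the log type, and the sample flow-run records are constructed placeholders.

```powershell
# Added example: write flow-run records to Log Analytics through the HTTP Data
# Collector API. Workspace ID, variable names and the sample records are
# constructed placeholders, not values from the book.
function Get-LogAnalyticsSignature {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$Rfc1123Date, [int]$ContentLength)
    # The API authenticates each POST with an HMAC-SHA256 over these five fields
    $stringToSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Rfc1123Date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    try {
        $hmac.Key = [Convert]::FromBase64String($SharedKey)
        $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
    } finally { $hmac.Dispose() }
    "SharedKey ${WorkspaceId}:$([Convert]::ToBase64String($hash))"
}

function Send-LogAnalyticsData {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogType, [object[]]$Records)
    # -InputObject keeps a single record serialized as a one-element JSON array
    $json = ConvertTo-Json -InputObject $Records -Depth 5
    $body = [Text.Encoding]::UTF8.GetBytes($json)
    $date = [DateTime]::UtcNow.ToString('r')     # RFC 1123, must match x-ms-date
    $auth = Get-LogAnalyticsSignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                -Rfc1123Date $date -ContentLength $body.Length
    $headers = @{
        Authorization          = $auth
        'Log-Type'             = $LogType        # stored as the <LogType>_CL table
        'x-ms-date'            = $date
        'time-generated-field' = 'StartTime'     # field name used in the sample records
    }
    Invoke-WebRequest -Method Post -UseBasicParsing -ContentType 'application/json' `
        -Uri "https://${WorkspaceId}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01" `
        -Headers $headers -Body $body
}

# Constructed sample records, shaped like data extracted about flow runs
$runs = @(
    [pscustomobject]@{ FlowName = 'Contoso approval'; Status = 'Failed';    StartTime = '2024-01-15T08:00:00Z' }
    [pscustomobject]@{ FlowName = 'Contoso approval'; Status = 'Succeeded'; StartTime = '2024-01-15T09:00:00Z' }
)

# Send only when a workspace key is supplied; the key is read from the environment
if ($env:LOG_ANALYTICS_SHARED_KEY) {
    Send-LogAnalyticsData -WorkspaceId '<workspace-guid>' `
        -SharedKey $env:LOG_ANALYTICS_SHARED_KEY -LogType 'PowerAutomateRuns' -Records $runs
}
```

The shared key grants write access to the whole workspace, so it belongs in a secret store or environment variable rather than in the script.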

In this section, we have learned about Power Platform administration and monitoring aspects. We also learned about administration centers, the Power BI admin center, and API administration. We also gained knowledge about administration and monitoring using Power Automate and Azure DevOps.

In the next section, we will learn about architectural best practices.