GOVERNANCE · April 12, 2026 · 12 min read
Power Platform Governance Assessment: The Shadow IT Layer Most Tenants Forget
Microsoft Power Platform is the layer of Microsoft 365 that grew up while IT was looking somewhere else. Power Apps for end users started as a "build a small form, no code required" tool. Today the median enterprise tenant we scan has 40-plus environments, hundreds of apps, thousands of flows, and dozens of premium connectors — and the governance team finds out about all of it the day a maker leaves the company and IT inherits a critical app nobody can edit.
The Power Platform Assessment is the read-only audit that finds the sprawl before it becomes an outage. This post explains what v1 ships with today (Graph-only auto-detection), what v2 will add (full BAP API integration), and how the manual verification fallbacks bridge the gap honestly.
What v1 Detects via Microsoft Graph
The Power Platform's full administrative surface lives behind the Power Platform Admin API at api.bap.microsoft.com, the Dataverse Web API, and the "for Admins" Power Apps + Power Automate connectors. None of those are part of Microsoft Graph and none of them are reachable with the same client-credentials service-account flow we use for the other five governance modules. v1 ships with what Graph can see and is honest about the rest.
Check 1 — Power Platform license presence
We pull /subscribedSkus and detect every Power Platform SKU variant: POWERAPPS_PER_USER, FLOW_PER_USER, POWER_BI_PRO, POWER_BI_PREMIUM_PER_USER, the GCC government variants, the developer SKUs, and the trial SKUs. The check is case-insensitive (some tenants return part numbers in all caps) and uses an explicit allow-list rather than substring matching to avoid false positives on Dynamics 365 SKUs that share name fragments.
If we detect at least one Power Platform SKU, the module emits PP-002 (Nice to Have) with the full list of detected variants. If we detect zero Power Platform SKUs but other SKUs are visible in the tenant, we emit PP-001 (Nice to Have) noting that auto-detection failed and recommending manual verification — because some Power Apps usage is included in M365 base SKUs and is not visible in /subscribedSkus at all.
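Check 1 as runnable logic, written here as an added example rather than the assessment's own code: an explicit, case-insensitive allow-list over a constructed /subscribedSkus response, with the PP-001 / PP-002 branching described above. The two developer and trial part numbers in the allow-list are assumed names, not values from the post.

```python
"""Added example (not the assessment's own code): Check 1 of the Power Platform
module, classifying a Graph /subscribedSkus response against an explicit,
case-insensitive allow-list instead of substring matching."""

# Allow-list of skuPartNumber values. The first four are the SKUs named in the
# post; the last two are assumed part numbers for the developer and trial SKUs.
POWER_PLATFORM_SKUS = frozenset({
    "POWERAPPS_PER_USER",
    "FLOW_PER_USER",
    "POWER_BI_PRO",
    "POWER_BI_PREMIUM_PER_USER",
    "POWERAPPS_DEV",    # assumed developer SKU part number
    "POWERAPPS_VIRAL",  # assumed trial SKU part number
})

def classify_skus(subscribed_skus):
    """Return the finding for the 'value' array of GET /subscribedSkus.

    PP-002: at least one Power Platform SKU found (lists the variants).
    PP-001: no Power Platform SKU, but other SKUs are visible; usage may be
            included in an M365 base SKU, so recommend manual verification.
    None:   the tenant exposed no SKUs at all (not defined by the post;
            treated here as 'nothing to report' by assumption).
    """
    part_numbers = [s.get("skuPartNumber", "") for s in subscribed_skus]
    # Exact match on the upper-cased part number: "powerapps_per_user" matches,
    # a Dynamics 365 SKU that merely contains "POWERAPPS" does not.
    detected = sorted({p.upper() for p in part_numbers
                       if p.upper() in POWER_PLATFORM_SKUS})
    if detected:
        return {"id": "PP-002", "severity": "Nice to Have", "detected": detected}
    if part_numbers:
        return {"id": "PP-001", "severity": "Nice to Have",
                "note": "No Power Platform SKU auto-detected; verify manually "
                        "(usage may be included in an M365 base SKU)."}
    return None

# Constructed sample mirroring the shape of /subscribedSkus (not real tenant data).
SAMPLE_SKUS = [
    {"skuPartNumber": "ENTERPRISEPACK", "consumedUnits": 1200},
    {"skuPartNumber": "powerapps_per_user", "consumedUnits": 14},  # lowercase variant
    {"skuPartNumber": "DYN365_ENTERPRISE_POWERAPPS_BUNDLE"},       # constructed D365 decoy
    {"skuPartNumber": "POWER_BI_PRO", "consumedUnits": 300},
]

if __name__ == "__main__":
    print(classify_skus(SAMPLE_SKUS))
```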
Check 2 — Service principal inventory
We filter /servicePrincipals to known Power Platform display names: PowerApps Service, Microsoft Power Automate, Microsoft PowerApps, Power Apps, Power Automate, Microsoft Dataverse, Common Data Service, Power BI Service, Microsoft Power Platform Admin Center. If any of these service principals are present in the tenant — even if no Power Platform SKUs were detected in Check 1 — we know Power Platform is in use. PP-003 fires with the SP count.
Check 3 — OAuth permission grants
For each Power Platform service principal we found in Check 2, we look up its /oauth2PermissionGrants to confirm it has user consent. This catches the edge case where a service principal exists in the tenant but no users have consented to it — a common pattern in tenants where Power Platform was provisioned for a single department but never used broadly.
Check 4 — Conditional Access targeting
We cross-reference the Power Platform service principals against the tenant's Conditional Access policies. A tenant where Power Platform is in active use but no CA policy targets the Power Platform service principals is a tenant where Power Apps users can sign in without MFA — even if the rest of the tenant has 100% MFA coverage.
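Checks 2 through 4 chained together over constructed Graph responses, as an added example that is not the assessment's own code. The service principal ids, appIds and policy names are placeholders; the example ignores user scoping and excludeApplications on Conditional Access policies, which a real evaluation must also account for.

```python
"""Added example (not the assessment's own code): Checks 2-4 over constructed
Graph responses. Check 2 filters /servicePrincipals by display name, Check 3
looks up consent in /oauth2PermissionGrants, Check 4 asks whether an enabled
Conditional Access policy requiring MFA targets each Power Platform SP."""

POWER_PLATFORM_SP_NAMES = frozenset({
    "PowerApps Service", "Microsoft Power Automate", "Microsoft PowerApps",
    "Power Apps", "Power Automate", "Microsoft Dataverse", "Common Data Service",
    "Power BI Service", "Microsoft Power Platform Admin Center"})

def power_platform_sps(service_principals):
    # Check 2: exact displayName match against the known list.
    return [sp for sp in service_principals
            if sp.get("displayName") in POWER_PLATFORM_SP_NAMES]

def has_consent(sp, grants):
    # Check 3: a grant row's clientId is the object id of the consented SP.
    return any(g.get("clientId") == sp["id"] for g in grants)

def mfa_policy_covers(sp, policies):
    # Check 4: policy must be enabled (report-only does not count), include the
    # app (or "All") and require the mfa grant control. Assumption: user
    # scoping and excludeApplications are not evaluated in this example.
    for p in policies:
        apps = p.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if p.get("state") == "enabled" and "mfa" in controls \
                and ("All" in apps or sp["appId"] in apps):
            return True
    return False

def assess(service_principals, grants, policies):
    sps = power_platform_sps(service_principals)
    findings = [{"id": "PP-003", "sp_count": len(sps)}] if sps else []
    for sp in sps:
        findings.append({"sp": sp["displayName"], "consented": has_consent(sp, grants),
                         "mfa_enforced": mfa_policy_covers(sp, policies)})
    return findings

# Constructed sample data with placeholder ids (not a real tenant).
SPS = [{"id": "sp-1", "appId": "app-1", "displayName": "Microsoft PowerApps"},
       {"id": "sp-2", "appId": "app-2", "displayName": "Microsoft Power Automate"},
       {"id": "sp-3", "appId": "app-3", "displayName": "Microsoft Teams"}]  # not Power Platform
GRANTS = [{"clientId": "sp-1", "consentType": "AllPrincipals", "scope": "user_impersonation"}]
POLICIES = [
    {"displayName": "MFA for Power Apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["app-1"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA everywhere (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]
```

Running `assess(SPS, GRANTS, POLICIES)` reports PP-003 with two service principals, Power Apps consented and MFA-covered, and Power Automate neither consented nor covered because the only tenant-wide MFA policy is still report-only.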
What v1 Cannot Do (and the Manual Verification Fallbacks)
The four checks above are all v1 can do via Graph. The four governance topics that actually matter for Power Platform sprawl require the BAP API:
PP-005 (Manual Verification): Environment Inventory
What you need to check: Open the Power Platform Admin Center → Environments. Count how many environments exist. Anything over 10 in a tenant under 5,000 users is sprawl. Trial environments older than 90 days that nobody owns are the canonical "we have 47 trial environments nobody owns" failure mode.
v1 emits this finding with the deep link to https://admin.powerplatform.microsoft.com/environments as a manual verification finding. v2 will pull the full environment list automatically via GET api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments and emit per-environment findings.
PP-006 (Manual Verification): DLP Policies on Connectors
What you need to check: Power Platform Admin Center → Policies → Data policies. Verify that connectors that touch sensitive data are in the Blocked group, not Business Data or No Business Data. The most common mistake: Twitter, Facebook, and other social connectors classified as Business Data so they can be combined with SharePoint connectors in a single flow — that is the canonical data exfiltration path.
This is the single most important Power Platform governance check, and unfortunately Graph cannot expose it. v2 will pull policies from GET api.bap.microsoft.com/providers/PowerPlatform.Governance/v2/policies and analyze the connector classifications automatically.
PP-007 (Manual Verification): Premium Connector Usage
What you need to check: Power Platform Admin Center → Resources → Capacity (and the Power Apps maker portal → Connections view). Identify which premium connectors are actually in use, by which apps, and whether the makers using them have the per-user licenses required. This catches the licensing compliance gap before Microsoft does.
v2 will walk every flow's connectionReferences via the Flow REST API, classify against the premium connector list, and cross-check maker licenses from /subscribedSkus.
PP-008 (Manual Verification): On-Premises Data Gateway Audit
What you need to check: Power Platform Admin Center → Data → On-premises data gateways. Inventory who installed which gateways, which connections route through them, whether they are cluster-redundant, and which on-prem systems they reach. Gateways are the hidden single-point-of-failure surface in most enterprise tenants.
v2 will pull the gateway inventory via GET api.bap.microsoft.com/.../environments/{env}/gateways and audit cluster redundancy automatically.
The Honest Cap: Score 2 (Partially Ready)
Because v1 can only detect what Graph exposes, the Power Platform module score is honestly capped at 2 / Partially Ready in v1, regardless of how clean the auto-detected signals look. This is a deliberate design choice. We could fake a higher score by treating "no service principals found" as score 4 / Ready, but that would be misleading: a tenant with Power Platform service principals invisible to Graph (e.g., installed by a different admin role) but real DLP gaps in the BAP API would get a clean score from us and a six-figure compliance fine from their auditor.
v2 (full BAP API integration) will lift the cap once the deep checks are automated. Until then, the score reflects "what we honestly know" rather than "what we hope is true."
Why This Pricing Tier Exists
The Power Platform admin tools market splits into three buckets:
- The Power Platform Admin Center itself — free, included with M365. Excellent for poking around interactively. Useless for "produce a prioritized list of governance gaps in 5 minutes" because everything is screen-by-screen and nothing is exportable.
- Microsoft's Center of Excellence (CoE) Starter Kit — free, but requires a Power Platform Administrator to install and maintain a multi-environment deployment with its own Dataverse database, monthly maintenance, and a 200-page admin guide. Built for an ongoing CoE practice, not a one-time scan.
- Third-party Power Platform governance platforms — Argon, Stoneridge, AvePoint Power Platform Manager. Per-environment per-month pricing, $5K to $50K minimum annual contracts.
The Power Platform Assessment at CA$399 sits in the empty slot: it auto-detects what Graph exposes today, gives you four manual verification checklists with deep-links into the admin portal for the rest, scores honestly, and produces an exportable PDF in five minutes. It does not replace a CoE practice but it is the right tool for the "I need to know if there's a problem here before I commit to a CoE rollout" scenario.
How to Run It
Free Snapshot first — view-only score, four-state verdict, one sample finding, one snapshot per tenant per month per product, no credit card. If you want the full report with all four manual verification checklists and the JSON / HTML / CSV exports for 90 days, the CA$399 single assessment unlocks it. The CA$1,599 Microsoft 365 Complete Bundle includes Power Platform plus all 5 other assessments and ships with white-label PDF and a commercial redistribution license.
Power Platform Assessment · CA$399 one-time · 90-day access · 1 tenant · v1 Graph-only with manual verification · v2 (BAP API) on roadmap