Think Your Power Pages Are Secure? Check These 5 Layers First

Power Pages Security ensures that data and content exposed through a Power Pages (formerly Power Apps Portals) website are protected and only accessible to the right users. Technically, it relies on Dataverse security, web roles, page permissions, and table permissions to control how internal and external users interact with data. Below is a deep technical breakdown:
1. Site Visibility
Purpose: Controls who can see the website.
Options:
- Public – Anyone can access the site without login.
- Private (Authenticated Users Only) – Only users with valid credentials (Azure AD, local portal account, B2C, etc.) can access the site.
Technical Note: Site visibility doesn’t restrict data access; it only controls entry to the portal.
2. Authenticated Users
Purpose: Identifies who the logged-in user is to apply security.
Supported Authentication Providers:
- Azure AD (Office 365 users)
- Azure AD B2C (External Users)
- Local authentication (Username & Password)
- External identity providers (Google, LinkedIn, etc.)
Technical Role: Authenticated users are mapped to Contacts in Dataverse, which are linked to Web Roles to enforce security.
3. Web Roles
Purpose: Similar to security roles in Dataverse, but specific to Power Pages.
Function:
- Assign table permissions.
- Assign page permissions.
- Determine which parts of the site a user can access.
Key Points:
- A single user (contact) can have multiple web roles.
- Security logic flows from Web Role → Permissions → Dataverse Data.
Purpose: Controls who can access a specific page or set of pages.
Options:
- Anonymous Access – Anyone can access.
- Authenticated Users Only – Only logged-in users can access.
- Web Roles Specific – Restricts access to users with specific web roles.
Technical Impact:
If page permissions deny access, data-level permissions don’t apply because the page is not reachable.
5. Table Permissions
Purpose: Enforces row-level and column-level security on Dataverse tables exposed through Power Pages.
Components:
- Scope: Determines which records are accessible.
- Global, Contact, Account, Self, Parent, etc.
- Access Rights: CRUD (Create, Read, Update, Delete).
- Web Role Link: Table permissions are linked to web roles to decide which logged-in users get access to data.
Technical Example:
Table Permission for Case Table
- Scope = Contact
- Read access = Yes
- Linked to Customer Web Role
- Effect: Users only see cases related to their contact record.
How They Work Together
- Site Visibility: Controls entry to the portal.
- Authenticated Users: Identifies logged-in users.
- Web Roles: Assigns security permissions to those users.
- Page Permissions: Controls page-level access.
- Table Permissions: Controls data-level access in Dataverse.
Security Flow Example:
Summary:
Power Pages Security ensures that only the right users can access the right content and data within a Power Pages site. It combines Site Visibility, Authenticated Users, Page Permissions, Table Permissions, and Web Roles to provide a layered security model. Site Visibility controls who can see the site (public vs. private), while Authenticated Users verify identity for restricted content. Page Permissions determine which pages a user can view or edit, and Table Permissions define access to Dataverse data at the record and column level. Web Roles act as the glue, linking users to the permissions they need. Together, these components create a robust, end-to-end security framework that protects both the site and underlying data.
Published on:
Learn moreRelated posts
Power Pages 2025 release wave 2 highlights
Power Pages: Tired of filling forms? Use an agent!
Have you heard of AI agents? 🤣 Agents are now popping up everywhere and Power Pages is no exception. The ability to create a site agent that ...
Power Automate Cloud Flows in Power Pages
What are Cloud Flows in Power Pages? Cloud flows allow you to: You configure this using the Power Pages + Power Automate integration via the “...
Introduction to Copilot in Power Pages
In today’s low-code/no-code world, Copilot in the Power Platform ecosystem is a game-changer — especially for Power Pages developers. It bring...
Power Pages: Stop using the default maintenance mode page!
There are times when you need to do some work on your Microsoft Dataverse backend that could affect users and visitors to your Power Pages web...
Dynamics 365 Customer Insights – Journeys – Create event portals with event registration details using Power Pages
We are announcing the ability to create event portals with event and registration details using Power Pages in Dynamics 365 Customer Insights ...
Power Pages Fundamentals #23: Prepopulate Case Form with Contact Info via JavaScript and Web API: Quick Read Series
Another common scenario is to work on multiple tables using web api . In this post , we will see how to work with contact and incident(case) t...
Best Practices for Using Liquid in Power Pages
Liquid is a powerful templating engine, but it needs to be used thoughtfully — especially in enterprise-grade Power Pages projects. Below are ...
Liquid in Power Pages: Real-World Guide for Developers
What is Liquid in Power Pages? Liquid is an open-source server-side templating language originally developed by Shopify — and it’s a core part...