Browse all topics
All guidesGlossary
Power Platform

Power Platform environments and governance

Environments are the unit of isolation in Power Platform. Designing them well prevents most governance problems.

A Power Platform environment is a container for apps, flows, agents, and Dataverse — and it's the unit of isolation between projects, teams, and lifecycle stages. Designing environments well prevents most Power Platform governance problems before they happen.

What an environment contains

Each environment has:

  • A Dataverse instance (optional but common).
  • Canvas apps, model-driven apps, and Power Pages sites.
  • Power Automate flows and desktop flows.
  • Power Virtual Agents / Copilot Studio bots.
  • AI Builder models.
  • Connections to external services.
  • A security model with environment roles and Dataverse security roles.
  • A region (data residency boundary).
  • Optional data loss prevention (DLP) policies that limit which connectors can be combined.

Environments are not free — Dataverse capacity, dedicated Dataverse capacity, and (sometimes) per-app licensing usage are scoped per environment.

Standard environment types

  • Default environment — every tenant has one, automatically created. Every user can create apps here. Don't run production workloads here. It can't be deleted and grows unmanaged.
  • Production environments — created intentionally for specific apps or business units.
  • Sandbox environments — for development and testing; cannot be promoted directly to production but can be copied.
  • Developer environments — free per-user environments for individual learning and experimentation.
  • Trial environments — short-lived, for evaluating features.
  • Default-with-Teams environments — auto-created when someone adds a Power App to a Teams team (limited capabilities, but they multiply if not governed).

A simple environment strategy

For most organisations:

  • Default — locked down, no premium connectors, no Dataverse, monitored.
  • Developer environments — provided to citizen developers for experimentation.
  • Dev / Test / Prod per major app or business unit — proper ALM with solution packaging moving between them.
  • Shared CoE environment — for the Centre of Excellence toolkit and shared utilities.

DLP policies

DLP policies decide which connectors can be combined in apps and flows. Each connector is categorised: Business, Non-business, or Blocked. Connectors in different categories can't be used together — preventing, say, a flow from reading SharePoint (Business) and posting to Twitter (Non-business).

Policies apply at the tenant level or to specific environments. A good baseline: a tenant-wide policy with strict defaults, plus per-environment overrides for apps that need exceptions.

Centre of Excellence (CoE) Toolkit

Microsoft's CoE Starter Kit is a free set of apps and flows for governance: inventory of every app, flow, and bot in every environment; usage analytics; orphaned-resource cleanup; developer adoption tracking. For any tenant with more than a handful of makers, deploy it on day one.

Licensing implications

  • Premium connectors and Dataverse require Power Apps premium licensing in the environment where they're used.
  • Power Automate premium flows also require licensing.
  • Pay-as-you-go alternatives exist for unpredictable workloads.

Environment design is where governance succeeds or fails. Spend time on it before users start building.