Microsoft Power Platform · Environment Roles
Environment Admin
Administers a single Power Platform environment that does not have a Dataverse database. Can manage resources and role membership and can provision Dataverse.
Scope: Single Power Platform environment without a Dataverse database
Permissions
- Role membership - Add or remove users from Environment Admin and Environment Maker
- Dataverse provisioning - Provision a Dataverse database for the environment
- Environment resources - View and manage resources created in the environment
- Data loss prevention - Create environment-level DLP policies
Common use cases
- Business unit IT lead managing their team's environment
- Solution architect during a Power Apps project
- Delegated environment ownership in a federated governance model
Best practices
- Use security groups for environment membership
- Document environment purpose, owner, and lifecycle in CoE inventory
- Assign System Administrator after Dataverse is provisioned when full database administration is required
- Pair with Environment Maker for citizen developer enablement
Security considerations
- Can grant Environment Admin to others, expanding the privileged set
- Can view all apps and flows in the environment
- Can provision a Dataverse database, changing the environment security model
Common questions
When should I assign the Environment Admin role?
Assign Environment Admin when you need to: Business unit IT lead managing their team's environment; Solution architect during a Power Apps project; and Delegated environment ownership in a federated governance model. It is part of Microsoft Power Platform and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Environment Admin role do?
The Environment Admin role grants permissions including: Role membership - Add or remove users from Environment Admin and Environment Maker; Dataverse provisioning - Provision a Dataverse database for the environment; Environment resources - View and manage resources created in the environment; and Data loss prevention - Create environment-level DLP policies. See the Permissions section above for the full list.
What are the security risks of the Environment Admin role?
Key considerations when assigning Environment Admin: Can grant Environment Admin to others, expanding the privileged set; Can view all apps and flows in the environment; and Can provision a Dataverse database, changing the environment security model. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.