Microsoft Power Platform · Environment Roles

Environment Admin

Administers a single Power Platform environment that does not have a Dataverse database. Can manage resources and role membership and can provision Dataverse.

Scope: Single Power Platform environment without a Dataverse database

Permissions

  • Role membership - Add or remove users from Environment Admin and Environment Maker
  • Dataverse provisioning - Provision a Dataverse database for the environment
  • Environment resources - View and manage resources created in the environment
  • Data loss prevention - Create environment-level DLP policies

Common use cases

  • Business unit IT lead managing their team's environment
  • Solution architect during a Power Apps project
  • Delegated environment ownership in a federated governance model

Best practices

  • Use security groups for environment membership
  • Document environment purpose, owner, and lifecycle in CoE inventory
  • Assign System Administrator after Dataverse is provisioned when full database administration is required
  • Pair with Environment Maker for citizen developer enablement

Security considerations

  • Can grant Environment Admin to others, expanding the privileged set
  • Can view all apps and flows in the environment
  • Can provision a Dataverse database, changing the environment security model

Common questions

When should I assign the Environment Admin role?

Assign Environment Admin when you need to: Business unit IT lead managing their team's environment; Solution architect during a Power Apps project; and Delegated environment ownership in a federated governance model. It is part of Microsoft Power Platform and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Environment Admin role do?

The Environment Admin role grants permissions including: Role membership - Add or remove users from Environment Admin and Environment Maker; Dataverse provisioning - Provision a Dataverse database for the environment; Environment resources - View and manage resources created in the environment; and Data loss prevention - Create environment-level DLP policies. See the Permissions section above for the full list.

What are the security risks of the Environment Admin role?

Key considerations when assigning Environment Admin: Can grant Environment Admin to others, expanding the privileged set; Can view all apps and flows in the environment; and Can provision a Dataverse database, changing the environment security model. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →