Microsoft Power Platform · Tenant Administration

Power Platform Administrator

Tenant-wide administration of Power Platform: manage all environments, capacity, DLP policies, tenant settings. Cross-listed from Microsoft Entra ID.

Scope: Tenant-wide Power Platform administration; Dataverse data access requires a separate System Administrator assignment in each environment

Permissions

  • Environments - Create, manage, and delete all environments in the tenant
  • DLP policies - Configure tenant-wide Data Loss Prevention policies for connectors
  • Capacity - Manage Power Platform capacity (storage, API requests, AI Builder credits)
  • Tenant settings - Configure tenant-level Power Platform settings
  • Admin center - Full access to https://admin.powerplatform.microsoft.com
  • Analytics - View tenant-wide usage analytics
  • Recommendations - Manage tenant-level recommendations and best practices
  • Connections & gateways - Govern enterprise data gateways

Common use cases

  • Platform owner / Centre of Excellence (CoE) lead
  • Org-wide DLP policy enforcement for citizen developers
  • Cross-environment governance and reporting

Best practices

  • Limit to 2-5 users; use PIM for just-in-time activation
  • Pair with Power Platform CoE Kit for visibility
  • Use environment groups (preview) to govern at scale
  • Implement DLP policies before opening to citizen developers

Security considerations

  • Can self-elevate to Dataverse System Administrator; that separate role can expose all data in the selected environment
  • Can change DLP policies that gate connector usage org-wide
  • Tenant admin actions are audited via Microsoft Purview audit logs

Common questions

When should I assign the Power Platform Administrator role?

Assign Power Platform Administrator when you need to: Platform owner / Centre of Excellence (CoE) lead; Org-wide DLP policy enforcement for citizen developers; and Cross-environment governance and reporting. It is part of Microsoft Power Platform and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Power Platform Administrator role do?

The Power Platform Administrator role grants permissions including: Environments - Create, manage, and delete all environments in the tenant; DLP policies - Configure tenant-wide Data Loss Prevention policies for connectors; Capacity - Manage Power Platform capacity (storage, API requests, AI Builder credits); Tenant settings - Configure tenant-level Power Platform settings; Admin center - Full access to https://admin.powerplatform.microsoft.com; and Analytics - View tenant-wide usage analytics. See the Permissions section above for the full list.

What are the security risks of the Power Platform Administrator role?

Key considerations when assigning Power Platform Administrator: Can self-elevate to Dataverse System Administrator; that separate role can expose all data in the selected environment; Can change DLP policies that gate connector usage org-wide; and Tenant admin actions are audited via Microsoft Purview audit logs. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →