Microsoft Power Platform · Tenant Administration
Power Platform Administrator
Tenant-wide administration of Power Platform: manage all environments, capacity, DLP policies, tenant settings. Cross-listed from Microsoft Entra ID.
Scope: Tenant-wide Power Platform administration; Dataverse data access requires a separate System Administrator assignment in each environment
Permissions
- Environments - Create, manage, and delete all environments in the tenant
- DLP policies - Configure tenant-wide Data Loss Prevention policies for connectors
- Capacity - Manage Power Platform capacity (storage, API requests, AI Builder credits)
- Tenant settings - Configure tenant-level Power Platform settings
- Admin center - Full access to https://admin.powerplatform.microsoft.com
- Analytics - View tenant-wide usage analytics
- Recommendations - Manage tenant-level recommendations and best practices
- Connections & gateways - Govern enterprise data gateways
Common use cases
- Platform owner / Centre of Excellence (CoE) lead
- Org-wide DLP policy enforcement for citizen developers
- Cross-environment governance and reporting
Best practices
- Limit to 2-5 users; use PIM for just-in-time activation
- Pair with Power Platform CoE Kit for visibility
- Use environment groups (preview) to govern at scale
- Implement DLP policies before opening to citizen developers
Security considerations
- Can self-elevate to Dataverse System Administrator; that separate role can expose all data in the selected environment
- Can change DLP policies that gate connector usage org-wide
- Tenant admin actions are audited via Microsoft Purview audit logs
Common questions
When should I assign the Power Platform Administrator role?
Assign Power Platform Administrator when you need to: Platform owner / Centre of Excellence (CoE) lead; Org-wide DLP policy enforcement for citizen developers; and Cross-environment governance and reporting. It is part of Microsoft Power Platform and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Power Platform Administrator role do?
The Power Platform Administrator role grants permissions including: Environments - Create, manage, and delete all environments in the tenant; DLP policies - Configure tenant-wide Data Loss Prevention policies for connectors; Capacity - Manage Power Platform capacity (storage, API requests, AI Builder credits); Tenant settings - Configure tenant-level Power Platform settings; Admin center - Full access to https://admin.powerplatform.microsoft.com; and Analytics - View tenant-wide usage analytics. See the Permissions section above for the full list.
What are the security risks of the Power Platform Administrator role?
Key considerations when assigning Power Platform Administrator: Can self-elevate to Dataverse System Administrator; that separate role can expose all data in the selected environment; Can change DLP policies that gate connector usage org-wide; and Tenant admin actions are audited via Microsoft Purview audit logs. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.