Should PowerApps and MS Flow be Available for Everyone in Your Organization?
If your organization has an Enterprise Office 365 license (E1, E3, E5), chances are that most, if not all, of your employees have access to create PowerApps and MS Flows.
PowerApps and MS Flow are turned on by default for all employees. Your employees will be able to see a Flow button in SharePoint, Excel, and MS Teams.
Also, by default, all available connectors, including social media and personal storage, are accessible to all members.
However, if you wish to operate more control on access rights, there are methods for turning off these services for employees. A few of our clients have opted to do this until they get a better understanding of the impact such access might have on their operations and data security.
Are You Ready for Organization Wide PowerApps and MS Flow Access
As per our clients, some of the major concerns that occur if access to PowerApps and MS Flow is available to all employees are:
• Increase in the number of support calls
If everyone in an organization decides to create apps and flows, then as soon as they run into something they can’t figure out, they will open a support ticket with IT. If this were to occur, then the increase in the number of support tickets submitted would be tremendous and costly for the organization.
• Mission critical apps developed by front line employees
Based on the number of videos and demonstrations available for learning, it does not take a lot of skills to create a data-integrated app. This increases the likelihood of a front-line employee creating a “simple” app that can quickly evolve into a mission critical application.
Such “simple” apps do not usually go through proper development lifecycles, thorough testing, performance tuning, and sign offs, and hence can prove fatal in the long run, if something goes wrong.
• Loss of control (visibility) by IT department
All apps, by default, are stored in the PowerApp/MS Flow default environment. If, in an organization, most employees take advantage of creating Apps and Flows, there will be hundreds of Apps/Flows to manage, and it will be difficult to determine mission critical applications from the myriad apps hosted in the default environment of the organization.
Other Independent Apps in Use and their Impact
The concerns listed above are all valid, but let’s look at how things are today and how front-line employees are leveraging existing technology, outside of PowerApps and MS Flow, to streamline their day-to-day work activities.
MS Access may not be as prevalent today as it was years ago, but with majority, if not all of our clients, there are still a few database systems that are in use and are part of their critical business processes.
A more common application that employees use these days to create “simple” apps is MS Excel. We have seen a wide range of uses for Excel, from simple forms to full-blown XRM and Accounts Payable processes. A good portion of these Excel files contain mission critical data, business processes/rules, logics and calculations. These files are typically stored on local computers or on file share systems. If the person who created the spreadsheet leaves the company, the file is usually left to the IT department to figure out the intricacies (usually macros).
IT departments typically have no visibility or clarity on to how many of such “simple” mission critical Excel spreadsheets are present, at any given moment, in an organization. Therefore, there is a need to organize such apps by enabling access to PowerApps and MS Flow for employees.
There are pros and cons for enabling PowerApps/MS Flow and maintaining the status quo. Nevertheless, PowerApps and MS Flow do make a compelling argument for empowering employees; therefore, Microsoft has addressed most the concerns listed above.
Exercising Measured Admin Control on PowerApps and MS Flow Access
PowerApps and MS Flow come with an Admin Center (requires P2 license), through which admins can see all Apps and Flows created by employees with their metrics.
Admins can create Data Loss Prevention Policies that can limit the type of connectors that PowerApps and MS Flow can use. For example, admins can limit employees from creating a flow that can automatically send an email attachment to DropBox.
Admins can create environments to better organize their apps and flows. With the help of such measured admin control, the default PowerApps and MS Flow environment can be used by everyone in the organization, and at the same time, mission critical or enterprise apps/flows can be moved to a more controlled environment.
If employees of an organization are encouraged to move their “simple” Excel apps to PowerApps and MS Flow, their IT department would have better control and visibility over the apps, as the author of each app or flow is clearly documented in PowerApps and MS Flow.
There are ways to better control or manage how PowerApps and MS Flow are distributed. Here are some recommendations:
• Create subsets of employees with different access rights
• Create a mechanism for employees to request access to PowerApps and MS Flow
• Set clear expectations for support; the most common rule we have deployed is that if employees create their own PowerApp or Flow without permission or approval, it is not supported by the IT department
• Delete (or turn off) PowerApps or Flows for authors not listed on the ‘allow list’; this can be done using Flow
With all the administration tools, templates, reports and admin connectors available for PowerApps and MS Flow, Microsoft has done a good job of addressing some of the major IT concerns.
It is a major shift in the thinking for IT departments to allow employees access to development tools. But as mentioned earlier, employees are already working around IT by leveraging tools like MS Access, MS Excel and other cloud services that are usually paid using their corporate credit cards. Apps created with such independent tools are hard to monitor.
By enabling employees with controlled and organized access to PowerApps and MS Flow, subject matter expertise is leveraged, IT ceases to be a bottle neck, Apps are better monitored and tracked, and there is improved accountability and transparency for each app created, as app authors can be clearly identified in such an environment.
This can be achieved gradually by an organization. To start with, as mentioned earlier, admins can experiment with a subset of employees, track progress, and adjust as necessary.