Control and Management

Security groups

Security groups allow an organisation’s Primary Local Administrator (PLA) Local Administrator (LA) to control which licenced users can be a member of a particular environment.

When a security group is associated with an environment, users in the platform that are not members of the group will not have access to the environment or shared applications and flows.

Once a security group has been setup, it is easy to manage users in the environment. Adding and removing users from a security group enables or disables those users to the database environment respectively.

The table below outlines some examples:

Environment Security Group Name Description
NHSmail Finance Finance_SG Created to provide access to the environment that processes internal financial information and payroll.
NHSmail Nursing Nursing_SG Created to provide access to the environment that stores health data (for example: blood test results, etc.)
NHSmail Dev Developer_SG Created to provide access to the Sandbox environment used for development and testing.

The environments in these examples have a specific purpose and should not be accessed by general users of the tenant. Rather, only specific users relevant to the use case should be assigned and managed by the security group.

Note, all licenced users must be assigned security roles to access environments. Users cannot access environments until they are assigned at least one security role for that environment. Apps and flows can be shared with the security group assigned to the environment.

For more information, please see further guidance outlined in the section on Role Based Access Control (RBAC).

NHSmail policy

Organisations will have their own dedicated environment to host applications and flows. To manage access to the Power Platform, all NHSmail dedicated environments must be associated with a security group.

To find out if a dedicated environment and security group has been set up for your organisation, please contact your organisation’s Primary Local Administrator (PLA) or Local Administrator (LA).

It is the PLAs or LAs responsibility to manage and maintain their organisation’s security group.

Creating a new security group

NOTE: Security groups for Power Platform environments are created by the Power Platform admin upon request for a Power Platform dedicated environment.

Security groups will follow the “ODS CODE_PowerPlatform_SecurityGroup” naming convention.


Please note that group owners are responsible for adding users to the security group once it has been created, as well as granting users access to the Power Platform environment and assigning security roles.

See below for an overview of the process:

Managing a security group

Once the group has been created, Primary Local Administrators (PLAs) or Local Administrators (LAs) who are the group owner can manage the group through O365 groups by opening the Outlook Office 365 application either in their choice of browser or via the desktop app.

To access and manage users in the security group, click on the relevant group in the left-hand ribbon as shown below.

Locate the group settings by clicking on the three dots and selecting Settings > Edit group to view, add, delete, and update user rights for the group within the “members” tab.

If you are a group member and would like to know who the group owner is, click on ‘x’ members (please note the number of members in your group might be different then the screenshot below).

Adding users to the security group

Select add members and type the name or the email address of the users that you want to add to the security group in the search bar.

You may add multiple users to a security group at once if they are part of a static distribution list by searching for the distribution list in the search bar.

Granting a security group member access to a Power Platform environment

Once users have become part of the security group assigned to the organisation’s dedicated environment, they will need to be granted access to the Power Platform environment.

Navigate to the Power Platform admin centre – Environments page and click on the environment that the user needs to be granted access. Next, click on the settings icon.

Select Users + permission to open the options. Next, click on Users and finally select + Add user. Type in the user’s name or email address to add the user to the environment.

Please note that for users to be successfully added to the environment they will have to comply with the user access requirements outlined in the red box above. Once added to the environment, users will need to be assigned a security role.

Removing users

Members of a security group will appear under the “members” tab. To remove users from the group, select the “x” icon as shown below. Note, it is only possible to remove users individually.

Changing user rights from group “member” to “owner”

Members of a security group can be promoted to group “owner”. By granting this role, the user will have the ability to add, remove and update user rights of other members.

It is recommended that only Primary Local Administrators (PLAs) have the group “owner” role. If the organisation does not have a PLA, then a suitable Local Administrator (LA) should assume the “owner” role​.

To change the user role from “member” to “owner”, locate the user in the list of group members, click on the user role and select from the drop-down the new role.

Creating a static distribution list

To bulk upload a large group of users into a security, you must create a static distribution list.

  1. Login to NHSmail Portal and navigate to Admin. Select Distribution List from the dropdown and then select Static Distribution List.

2. Create a new distribution list by filling in the mandatory information including, Name, Organisation and Organisational unit. Then click Create.
Note: bulk upload is only possible after the distribution list is created.

3. Once created, select edit distribution list and then Add Recipients.

4. The message below will appear. At this point you can bulk upload users using a .csv file of email addresses

5. Once the file has uploaded, click Upload.

Service principles

Please note, service principles are currently not available in the NHSmail central tenant.

Please see the NHSmail Roadmap or email for further information.


Role Based Access Control


Microsoft Dataverse uses a role-based security model to help secure access. Security roles control a user’s access to an environment’s resources through a set of access levels and permissions. A security role must be assigned to any licenced user within the security group to access environments.

Security roles

The view of applications and data inside a dedicated organisation environment will be limited depending on the specific security role each user is assigned.

An organisation’s Primary Local Administrator (PLA) or Local Administrator (LA) is responsible for managing licences, environments and Data Loss Prevention (DLP) Policy for their dedicated environment. All other users will be either assigned a Basic User or Environment Maker role.

The three types of security roles are outlined in the table below.

Security Role Applicable to Scope and Responsibilities
Basic User All other users For users who can access Power Platform but cannot create/share/edit resources in the environment.

Access to the environment only, cannot view applications & flows unless explicitly shared.

Environment Maker All other users For users who can access Power Platform but can create/share/edit resources in the environment.

Can create new resources associated with an environment, including applications, connections, custom APIs, gateways, and flows.

System Administrator LAs Management of licencing, environment and the resources located in the environment.

Has full permission to customise or administer the environment and can view all data in environment

The level of access and permissions for each role are highlighted below:

Can create new resources associated with an environment, including applications, connections, custom APIs, gateways, and flows.

Role Environment name visible Play Apps Edit Apps Apps visible in admin centre View shared app
Basic User X X X X
Environment Maker
System Administrator

How to assign a security role

As a Primary Local Administrator (PLA) or Local Administrator (LA) with System Administrator rights, you can assign security roles via the Power Platform admin centre.

A PLA or LA should only assign the roles supported for users in the organisation such as Basic User or Environment Maker. To request System Administrator rights, please see the section Request System Administrator access.

  1. Sign in to the Power Platform admin centre.
  2. Select Environments.
  3. In the Access tile, select See all under Security roles.

4. If you own multiple environments, make sure that the right Business unit is selected. The Business unit is the unique identifier for the environment (also known as Environment URL).

5. If you own multiple environments, make sure that the right Business unit is selected. The Business unit is the unique identifier for the environment (also known as Environment URL).

6. In example below, we will add a person from the security group assigned to this environment to the role of Basic User by clicking on Add people.

Request system administrator access

Upon requesting a dedicated environment, the system administrator role will be assigned to the designated Primary Local Administrator (PLA) or Local Administrator (LA) who is the security group owner.

The PLA or LA assigned the System Administrator role can then add any additional System Administrators. To request system administrator access, contact your PLA or LA in the first instance.

If you have an issue with your System Administrator access, please email the NHSmail Helpdesk (with ‘Power Platform System Administrator Access’ in the subject line).

Please note, System Administrators roles are limited to PLAs or LAs and requests will be reviewed on a case by case basis. All other users should have one of the Security Roles outlined above assigned to them.

Data residency​

The table below outlines the current residency of each of the components of the Power Platform.

Please note this is subject to change to the UK as the platform is updated.

Environment Data Residency
Default Environment Europe
Dataverse for Teams Europe
Dedicated environments for your organisation United Kingdom

Power Virtual Agents

Power Virtual Agents (PVA) in Teams is available to users who have an Office365 Teams license. Everyone in a Team has access to the bots created using PVA in Teams and can be shared with other users by adding them to the Team.

Permissions are determined by your Microsoft Teams roles in the team where a bot is created:

  1. Team Owners can create, view, edit, and configure all bots in the team where they are Team Owners.
  2. Team Members can create, edit, and configure bots they have created. They can view other member’s bots in the team.
Updated on 04/11/2021

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top