Power Platform Environments


What is a Power Platform environment?

A Power Platform environment is a space to create, manage and share your organisation’s apps, flows and data.

Each organisation with Power Platform licences must have a dedicated environment. The environment acts as a ‘container’, separating your organisation’s apps, flows and data from those of other organisations.

There are three types of environments enabled on the central tenant:

  • Production – allows users to develop and store live applications and flows
  • Trial – allows users to try new Power Platform features and/or pursue training. Trial environments automatically expire after 30 days
  • Sandbox – allows users to safely develop and test application changes without deploying to production

Depending on the requirements for your organisation, you may choose to have multiple environments. For example:

  • You can choose to only build your applications in a single Production environment
  • You might want to ensure that the test versions and production versions of your applications are in different environments

Visit the Power Platform Licence Guidance for more information on the minimum licence requirements to create an environment for your organisation.

NHSmail Default Environment

Important Note

Please note that organisations are no longer permitted to build on the NHSmail Default environment.

Organisations are required to host Apps and Flows in a dedicated environment to ensure that your environment acts as a ‘container’ for your own apps, flows and data.

Applications and flows built on the new NHSmail Default environment will be permanently deleted retrospectively with warning to ensure that your organisation’s data is contained within your own environment and to prevent unnecessary data sharing with other organisations.

Power Platform Environment Strategy

The Power Platform Environment Strategy outlines how the platform will be centrally managed by NHS Digital alongside the local controls at the organisation level.

The key principles of the strategy are as follows:

Environment type: NHSmail Default environment

Key principles:

  • Production Apps and Flows will not be hosted on the NHSmail Default environment.
  • Apps and Flows built on the NHSmail Default environment will be deleted retrospectively with warning.

Environment type: Organisation’s Dedicated Environments

Key principles:

  • Production Apps and Flows will be hosted on the organisation’s dedicated environments.
  • Dedicated environments for organisations will default to the United Kingdom data region.
  • Organisations can request a dedicated Production, Trial or Sandbox environment with the NHSmail Helpdesk Self-Service provided minimum licence requirements are met. Visit the Power Platform Licence Guidance for more information on the minimum licence requirements to create an environment for your organisation.

Requesting a Power Platform environment

To begin using the Power Platform plans, a dedicated organisation environment must be set up to host business applications, data and flows through a process that involves a Local Administrator (LA), the NHSmail Helpdesk and Microsoft resellers.

PLEASE NOTE

Dedicated environments are currently unavailable for organisations managed by the National Administration Service (NAS). This position is under review.

For further information please contact feedback@nhs.net.

Prior to submitting an NHSmail Helpdesk Self-Service request for a Power Platform environment, please ensure you have completed the following pre-requisites:

1. Environment naming convention

Your new environment name follows the naming convention composed of the Organisation name, ODS code and Environment Type. For example:

  • XYZ NHS Foundation Trust – XYZ – PROD.

2. Decide who will be the security group owner

Ensure that you have the details of who will be the security group owner.

Additionally, please ensure that the security group owner understands how to manage and maintain the security group and assign security roles.
Visit the Control and Management section for more information.

3. Licence purchase

A new Production or Sandbox environment cannot be created unless the correct amount of database capacity from the purchased licences is available (1GB). Visit the Power Platform Licence Guidance for more information on the minimum licence requirements.

Please note that Trial environments do not require a minimum storage capacity to be created. Such environments can be requested through the NHSmail Helpdesk Self-Service. Trial environments are limited to one user and expire after 30 days. Once provisioned, a Trial environment can be converted into a Production environment provided that a business justification is approved and there is at least 1GB of data storage capacity available. For more information on converting an environment, please email the NHSmail Helpdesk (with ‘Power Platform’ in the subject line).

Submitting a new environment request

Once the pre-requisites are completed, follow the steps outlined below to request a new Power Platform environment:

1. Visit the NHSmail Helpdesk Self-Service page and navigate to ‘Power Platform Request’. Select the category ‘Create a Power Platform Environment’ and input the information requested in the form.

2. The NHSmail Helpdesk will review your request and ensure that it meets the pre-requisites outlined above

3. You can view the status of your request by following the instructions in Viewing tickets & updates

4. Your new environment will be created, and the licences will be applied.

    1. If you have purchased a Per User licence type, once your ticket is closed, the licence will be available to assign to users in the NHSmail Portal
    2. If you have purchased Per App or Per Flow licence type, the licence will be assigned to the environment by the Power Platform SME. Visit the Power Platform Licence Guidance to learn more about this process

5. Once your ticket is complete, you will receive a confirmation email notifying you that the ticket has been closed

Managing an environment

An organisation’s Primary Local Administrator (PLA) or Local Administrator (LA) is responsible for managing roles and access to their dedicated environment for users within their organisation. This includes determining whether users have the Basic Access or Environment Maker Role, as well as assessing the number of PLAs and/or LAs assigned as System Administrators.

To understand more about the responsibilities and security roles of an LA, please see the Control and Management section.

Each Power Platform environment has the capacity to have up to 100 assigned System Administrators. It is important that the System Administrator role is applied following the principle of least privilege to enhance security and management of the dedicated environment.

Important Note:

Each dedicated environment should have up to 10 System Administrators.

The number of System Administrators should not exceed this threshold, to prevent unauthorized or unintended access to data within your organisation’s dedicated environment.

As a best practice, the following steps should be taken to assess current role assignment and prevent overprivileged access to your organisation’s dedicated environment by revoking unused and reducible permissions:

Analyse current role assignment within environment → Update security role assignment → Continue to monitor and control access to environment

1. Analyse current roles within environment

Review what users currently have access to the dedicated environment and determine their security role assignment.

Important Note:

The associated security group for your organisation’s dedicated environment will need to be updated to reflect changes in role assignment where required.

Please review the NHSmail policy for managing a security group.

To learn more about the different roles in your dedicated environment and for further information on role based access control (RBAC), please review the Power Platform Control and Management guidance.

2. Updating security role assignment

Where applicable, update the assignment of security roles to ensure the principle of least privilege continues to apply and security role assignment is up to date. This will include:

  • Removing access from users who have left or moved from your organisation
  • Adding new users as either Basic Access or Environment Maker Role per request. Please note, the type of security role assigned will be determined by whether a user requires the ability to create/share/edit resources in the environment.
  • Upgrading access to System Administrator if required. Please note, System Administrator roles are limited to PLAs or LAs and requests will be reviewed on a case by case basis.
  • Downgrading System Administrators when no longer required

To update security role assignment, please follow the steps outlined in Control and Management – How to assign a security role.

For further guidance on Power Platform environment governance, please visit the Microsoft document on Governance Considerations.

3. Monitor and control access to your environment

Continue to review security role assignment within the dedicated environment on a frequent basis. If you have an issue with your System Administrator access, please email the NHSmail Helpdesk (with ‘Power Platform System Administrator Access’ in the subject line).
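
The review steps above can be partly scripted. The following is an added example, not NHSmail or Microsoft code: it checks a role-assignment export against the rules stated on this page (leavers removed, System Administrator limited to PLAs or LAs, at most 10 System Administrators). The export format, column names and sample users are constructed assumptions.

```python
import csv
import io

MAX_SYSTEM_ADMINS = 10          # threshold from the guidance above
ADMIN_ELIGIBLE = {"PLA", "LA"}  # System Administrator is limited to PLAs or LAs

# Constructed sample export. The column names are assumptions for this example,
# not the format of any real Power Platform or NHSmail Portal export.
SAMPLE_EXPORT = """user,security_role,nhsmail_admin_role,account_status
a.pla@example.test,System Administrator,PLA,active
b.la@example.test,System Administrator,LA,active
c.maker@example.test,System Administrator,,active
d.maker@example.test,Environment Maker,,active
e.leaver@example.test,Basic Access,,left
f.la@example.test,System Administrator,LA,left
"""


def review_assignments(export_text, max_admins=MAX_SYSTEM_ADMINS):
    """Return (user, finding) tuples for one environment's role assignments."""
    rows = [{k: (v or "").strip() for k, v in r.items()}
            for r in csv.DictReader(io.StringIO(export_text))]
    findings = []
    for row in rows:
        is_admin = row["security_role"] == "System Administrator"
        if row["account_status"].lower() != "active":
            # Step 2: remove access from users who have left or moved.
            findings.append((row["user"], "remove access: user has left or moved"))
        elif is_admin and row["nhsmail_admin_role"].upper() not in ADMIN_ELIGIBLE:
            # Step 2: System Administrator is limited to PLAs or LAs.
            findings.append((row["user"], "downgrade: System Administrator is not a PLA or LA"))
    # Count the System Administrators that would remain once the findings
    # above are actioned, and compare with the threshold.
    flagged = {user for user, _ in findings}
    remaining = [r["user"] for r in rows
                 if r["security_role"] == "System Administrator"
                 and r["user"] not in flagged]
    if len(remaining) > max_admins:
        findings.append(("(environment)",
                         f"reduce System Administrators: {len(remaining)} exceeds {max_admins}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_assignments(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```

Running the same check on each periodic review and comparing the findings with the associated security group membership covers step 3.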

Deleting an environment

Deletion of an environment should be done by submitting an NHSmail Helpdesk Self-Service request.

To request the deletion of a Power Platform environment, follow the steps outlined below:

1. Visit the NHSmail Helpdesk Self-Service page and navigate to ‘Power Platform Request’. Select the category ‘Delete a Power Platform Environment’ and input the information requested in the form

2. The NHSmail Helpdesk will review your request and proceed to delete your environment

3. You can view the status of your request by following the instructions in Viewing tickets & updates

4. Once your ticket is complete, you will receive a confirmation email notifying you that your environment has been deleted and that the ticket has been closed

5. Any licences that have not expired and were assigned to your environment will now be available to be reassigned in the Power Platform admin centre

To reassign these licences, please follow the steps outlined in the Power Platform Licensing Overview – Assigning Power Apps and Power Automate Licences.

Note that in exceptional circumstances, should an environment deleted by the NHSmail Helpdesk need to be recovered, please submit a ticket via NHSmail Helpdesk Self-Service.

IMPORTANT: If an environment is deleted by a System Administrator, the environment, files, data and business applications cannot be recovered.

Last Reviewed Date 19/09/2022
Updated on 19/09/2022
