What is a Power Platform environment?
A Power Platform environment is a space to create, manage and share your organisations apps, flows and data.
Each organisation with Power Platform licences must have a dedicated environment to ensure that your environment acts as a ‘container’, separating your own apps and flows and data from other organisations.
There are below types of environments enabled on the central tenant:
| Environment Type | Key Features | Limitations | Considerations | Additional Licensing |
| Trial | Allows users to try new Power Platform features and/or pursue training. Trial environments automatically expire after 30 days | Full control. | Trial environments are intended to support short-term testing needs and are automatically cleaned up after a short period of time. They are limited to one per user. | N/A |
| Sandbox | Allows users to safely develop and test application changes without deploying to production | Full control. If used for testing, only user access is needed. Developers require environment maker access to create resources. | These are non-production environments, which offer features like copy and reset. | The tenant must have at least 1GB of database storage capacity available. |
| Developer | Provides a dedicated environment for building and testing custom applications | Limited storage capacity | This environment is intended for development purposes only and should not be used for production workloads | Additional capacity add-on may be required for higher storage requirements |
| Test | Provides a dedicated environment for testing and quality assurance | Limited storage capacity and access to some premium features | This environment is intended for testing purposes only and should not be used for production workloads | Additional capacity add-on may be required for higher storage requirements and premium feature access |
| Production | Provides a dedicated environment for running production workloads | Full access to premium features and higher storage capacity | This environment should be used for running production workloads and requires careful consideration of security and compliance requirements | Additional licensing may be required for some premium features, such as AI Builder and Power Apps Portals |
| Power Platform for Teams | Provides a low-code data platform that enables Teams users to build custom apps, automate workflows, and create chatbots | Limited to Teams users only | This environment is optimized for low-code app development within the Teams ecosystem | No additional licensing required, but some features may require additional licensing, such as Dataverse for Teams. |
It’s important to note that each Power Platform Environment is designed to serve a specific purpose, and users should carefully consider their needs before selecting an environment type. Users should also keep in mind the limitations of each environment type, such as storage capacity and access to premium features, when selecting an environment type. Additionally, some premium features may require additional licensing, such as AI Builder and Power Apps Portals, and some features within the Power Platform for Teams environment may also require additional licensing, such as Dataverse for Teams.
The information provided above regarding the different types of Power Platform Environments, their features, limitations, and licensing requirements, is based on official Microsoft documentation. The links to this documentation are provided below for reference:
- Power Platform Environments overview: https://docs.microsoft.com/en-us/power-platform/admin/environments-overview
- Capacity add-ons for Power Platform: https://docs.microsoft.com/en-us/power-platform/admin/capacity-add-ons
- Power Platform licensing: https://docs.microsoft.com/en-us/power-platform/admin/powerapps-flow-licensing-faq
- License requirement to create environments:Create and manage environments in the Power Platform admin center – Power Platform | Microsoft Learn
Users are encouraged to refer to these resources for additional information and to ensure they have the most up-to-date and accurate information on the Power Platform Environments.
In summary, the Power Platform offers six main types of environments: Trial, Sandbox, Developer, Test, Production and Power Platform for Teams.
Depending on the requirements for your organisation, you may choose to have multiple environments. For example:
- You can choose to only build your applications in a single Production environment.
- You might want to ensure that the test versions and production versions of your applications are in different environments.
Visit the Power Platform Licence Guidance for more information on the minimum licence requirements to create an environment for your organisation.
NHSmail Default Environment
Please note that organisations are no longer permitted to build on the NHSmail Default environment.
Organisations are required to host Apps and Flows in a dedicated environment to ensure that your environment acts as a ‘container’ for your own apps, flows and data.
Applications and flows built on the new NHSmail Default environment will be permanently deleted retrospectively with warning to ensure that your organisations data is contained within your own environment and prevent unnecessary data sharing with other organisations.
Power Platform Environment Strategy
The Power Platform Environment Strategy outlines how the platform will be centrally managed by NHS England alongside the local controls at the organisation level.
The key principles of the strategy are as follows:
| Environment Type | Key Principles |
| NHSmail Default environment | · Production Apps and Flows will not be hosted on the NHSmail Default environment.
· Apps and Flows built on the NHSmail Default environment will be deleted retrospectively with warning. |
| Organisation’s Dedicated Environments | · Production Apps and Flows will be hosted on the organisation’s dedicated environments.
· Dedicated environments for organisations will default to the United Kingdom data region. · Organisations can request a dedicated Production, Trial or Sandbox environment with the NHSmail Helpdesk Self-Service provided minimum licence requirements are met. Visit the Power Platform Licence Guidance for more information on the minimum licence requirements to create an environment for your organisation. |
Requesting a Power Platform environment
To begin using the Power Platforms plans, a dedicated organisation environment must be set up to host business applications, data and flows through a process that involves a Local Administrator (LA), the NHSmail Helpdesk and Microsoft resellers.
Dedicated environments are currently unavailable for organisations managed by the National Administration Service (NAS). This position is under review.
For further information please contact feedback@nhs.net.
Prior to submitting a NHSmail Helpdesk Self-Service request for a Power Platform environment, please ensure you have completed the following pre-requisites:
1. Environment naming convention
Your new environment name follows the naming convention composed of the Organisation name, ODS code and Environment Type. For example:
- XYZ NHS Foundation Trust – XYZ – PROD.
2. Decide who will be the security group owner
Ensure that you have the details of who will be the security group owner.
Additionally, please ensure that the security group owner understands how to manage and maintain the security group and assign security roles.
Visit the Control and Management section for more information.
3. Licence purchase
A new Production or Sandbox environment cannot be created unless the correct amount of database capacity from the purchased licences is available (1GB). Visit the Power Platform Licence Guidance for more information on the minimum licence requirements.
Please note that Trial environments do not require a minimum storage capacity to be created. Such environments can be requested through the NHSmail Helpdesk Self-Service. Trial environments are limited to one user and expire after 30 days. Once provisioned, a Trial environment can be converted into a Production environment provided that a business justification is approved and there is at least 1GB of data storage capacity available. For more information on converting an environment, please email the NHSmail Helpdesk (with ‘Power Platform’ in the subject line).
Submitting a new environment request
Once the pre-requisites are completed, follow the steps outlined below to request a new Power Platform environment:
1. Visit the NHSmail Helpdesk Self-Service page and navigate to ‘Power Platform Request’. Select the category ‘Create a Power Platform Environment’ and input the information requested in the form.
2. The NHSmail Helpdesk will review your request and ensure that it meets the pre-requisites outlined above
3. You can view the status of your request by following the instructions in Viewing tickets & updates
4. Your new environment will be created, and the licences will be applied.
-
- If you have purchased a Per User licence type, once your ticket is closed, the licence will be available to assign to users in the NHSmail Portal
- If you have purchased Per App or Per Flow licence type, the licence will be assigned to the environment by the Power Platform SME. Visit the Power Platform Licence Guidance to learn more about this process
5. Once your ticket is complete, you will receive a confirmation email notifying you that the ticket has been closed
Managing an environment
An organisation’s Primary Local Administrator (PLA) or Local Administrator (LA) is responsible for managing roles and access to their dedicated environment for users within their organisation. This includes determining whether users have the Basic Access or Environment Maker Role, as well as assessing the number of PLAs and/or LAs assigned as System Administrators.
To understand more about the responsibilities and security roles of an LA, please see the Control and Management section.
Each Power Platform environment has the capacity to have up to 100 assigned System Administrators. It is important that the System Administrators role is applied following the principle of least privilege to enhance security and management of the dedicated environment.
Each dedicated environment should have up to 10 System Administrators.
The number of System Administrators should not increase this threshold to prevent unauthorized or unintended access to data within your organisation’s dedicated environment .
As a best practice, the following steps should be taken to assess current role assignment to prevent overprivileged access to your organisation’s dedicated environment by revoking unused and reducible permission:
 |
 |
 |
| Analyse current role assignment within environment |
Update security role assignment | Continue to monitor and control access to environment |
1. Analyse current roles within environment
Review what users currently have access to the dedicated environment and determine their security role assignment.
The associated security group for your organisation’s dedicated environment will need to be updated to reflect changes in role assignment where required.
Please review the NHSmail policy for managing a security group.
To learn more about the different roles in your dedicated environment and for further information on role based access control (RBAC), please review the Power Platform Control and Management guidance.
2. Updating security role assignment
Where applicable, update the assignment of security roles to ensure the principle of least privilege continues to apply and security role assignment is up to date. This will include:
- Removing access from users who have left or moved from your organisation
- Adding new users to as either Basic Access or Environment Maker Role per request. Please note, the type of security role assigned will be determined by if a user requires the ability to be able to create/share/edit resources in the environment.
- Upgrading access to System Administrators if required. Please note, System Administrators roles are limited to PLAs or LAs and requests will be reviewed on a case by case basis.
- Downgrade System Administrators when no longer required
To update security role assignment, please follow the steps outlined in Control and Management – How to assign a security role.
For further guidance Power Platform Environment governance please visit the Microsoft document on Governance Considerations.
3. Monitor and control access to your environment
Continue to review security role assignment within the dedicated environment on a frequent basis.If you have an issue with your System Administrator access, please email the NHSmail Helpdesk (with ‘Power Platform System Administrator Access’ in the subject line).
Deleting an environment
Deletion of an environment should be done by submitting a NHSmail Helpdesk Self-Service request.
To request the deletion of a Power Platform environment, follow the steps outlined below:
1. Visit the NHSmail Helpdesk Self-Service page and navigate to ‘Power Platform Request’. Select the category ‘Delete a Power Platform Environment’ and input the information requested in the form
2. The NHSmail Helpdesk will review your request and proceed to delete your environment
3. You can view the status of your request by following the instructions in Viewing tickets & updates
4. Once your ticket is complete, you will receive a confirmation email notifying you that your environment has been deleted and that the ticket has been closed
5. Any licences that have not expired and were assigned to your environment will now be available to be reassigned in the Power Platform admin centre
To reassign these licences, please follow the steps outlined in the Power Platform Licensing Overview – Assigning Power Apps and Power Automate Licences.
Note that in exceptional circumstances, should an environment deleted by the NHSmail Helpdesk need to be recovered, please submit a ticket via NHSmail Helpdesk Self-Service.
IMPORTANT:If an environment is deleted by a System Administrator the environment, files, data and business applications cannot be recovered.
Managed Environments
Managed Environments (ME) is just the journey to allow admins to manage their Microsoft Power Platform adoption with a lot less effort.
Managed Environments is a suite of capabilities that allows Local Admins(LAs) to manage Power Platform at scale with more control, less effort, and more insights. LAs can use Managed Environments with any type of environment. These are the primary elements of Managed Environments:
License requirement:
When Managed Environments is activated in an environment, every app, Power Automate flow, Power Virtual Agents bot, and Power Pages website in that environment requires standalone licenses for accessing respective resources which is not included in E3R licence.
Every user running an app in a managed environment must have a Power Apps per user or per app license.
Every user running a Power Automate cloud flow in a managed environment must have a standalone Power Automate per user license or a Power Automate per flow license.
Every user accessing a managed environment will need a premium license.
Important: At this time enabling pay-as-you-go for managed environment will not be sufficient to meet Managed Environments licensing requirements, if:
- There are issues without stand alone Power Apps licenses using Power Apps in that environment.
- There are users without stand alone Power Automate licenses using flows in that environment, or users using flows without Power Automate per flow licenses in that environment, or users using flows without Power Automate per flow licenses in that environment.
To learn more about Managed Environment licensing, see Licensing and Licensing overview for Microsoft Power Platform
Ensure that you have the right licences for your needs and that your licence purchases meet the minimum licencing requirement of 1GB capacity required to create a dedicated environment.
The Power Platform Licence Guidance provides an overview of licences types, how to onboard your licences to the central tenant, how to manage Power Platform licences and more. You should purchase and/or assign user license to stay compliant to continue using Managed Environments.
If a managed environment doesn’t have the necessary licenses or it is disabled, only the central admin team will be able to sign in. However, they won’t be able to access any data or run any application until the environment is enabled and the necessary licenses are assigned.
Enablement
LAs can select environments in the Microsoft Power Platform admin center and enable them as Managed Environments with a single click, simply select an environment and click “Enable Managed Environments” to activate. They can get more visibility, more control, with less effort to manage all their low-code assets with greater peace of mind. Please see Enable Managed Environments – Power Platform | Microsoft Learn
More visibility with admin digest
Getting a birds-eye view of the organisation’s low-code adoption is critical to administering the platform. With the Managed Environments, LAs will receive a weekly admin digest that provides proactive adoption insights, such as apps and flows that have not been active for a while and may need to be cleaned up. These proactive notifications and recommendations are delivered directly to your inbox so that stale apps can be quarantined or cleaned up.
More control with sharing limits
Managed Environments offers LAs a simple way to block makers from sharing with security groups or specify how many people a canvas app can be shared with. These sharing controls help admins feel confident that apps can be reviewed before they are broadly distributed across the company. After disabling a Managed Environment, this limit will no longer take effect in that environment.
| Last Reviewed Date | 27/10/2023 |
