We're currently evaluating the possibility of enabling Microsoft Power Automate for our business users to develop personal workflows. While our users are entitled to utilize this app through our M365 licensing, we have concerns about potential misuse and security risks. We have observed a growing number of requests for Power Automate access, and we're keen to support our users while maintaining robust security controls. I would appreciate any insights or experiences you could share regarding:

- What types of controls or governance structures have you implemented to manage Power Automate usage?
- How do you balance user autonomy with security and compliance requirements?
- Are there specific policies or guidelines you recommend to minimize risk?
- Have you encountered any challenges or successes that could guide us in our approach?

IT Manager in Manufacturing, 9 months ago

Well, we do in fact use Power Automate to a large extent. However, we have not had a silver bullet to secure it down. We have a mixed approach, where we do have M365 monitoring in place alerting if users create risky connectors, whilst requesting the Power admins to perform recurring reviews of the connectors used to identify potentially risky setups.

I do not know if this helps. We definitely will have to update our way forward here, ensuring more security on this.

Communications Manager in IT Services, a year ago

The Microsoft 365 suite offers multiple tools to secure company data, which should be utilised to ensure all data included in any future user-based Power Automate flows is secure and follows organisational standards. As part of any initial deployment of 365, standard controls and user access policies should be implemented, which will ensure Power Automate has a robust baseline from which to work. Products such as Microsoft's Purview and Entra ID's Conditional Access can be implemented to increase security and compliance across the M365 tenant and are not isolated to the Power Platform.

These features of Microsoft 365 require certain license levels: M365 E3, or M365 E5 for the full set of advanced E5 features.

Key points to take into consideration:

- Power Automate Admin: Perform a default Power Automate tenancy setup to ensure all required tenant settings are enabled before users gain access.
- Implement Access Control: Users can only access data and systems that align with their existing permissions. Standard users do not have system-level access.
- Data Security: Utilise Microsoft's Purview platform to secure data, as it integrates seamlessly with Power Automate's core functions.
- Security Controls: Various security features, such as Conditional Access in Microsoft 365, help prevent data exposure and unauthorised access.
- User Education: It's important to make sure users understand the potential implications of the automations they create, ensuring responsible usage.
- Regular Reviews: Conduct regular reviews and use analytics to monitor usage and identify any unusual activity. Additionally, review created flows to ensure they adhere to standards.
- Administrative Processes: IT administrators should have clear processes and procedures to manage and oversee the use of Power Automate effectively within the organisation. 

Supporting documentation:

https://learn.microsoft.com/en-us/power-platform/admin/governance-considerations

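Both replies above lean on the same control: a recurring review of which connectors the tenant's flows actually use, so that anything outside the sanctioned set gets looked at. The script below is an added example written for this thread; it is not code from either poster or from Microsoft. It assumes the Microsoft.PowerApps.Administration.PowerShell module is installed, that the caller holds a Power Platform administrator role, and that `Get-AdminFlow` exposes each flow's connectors under `Internal.properties.connectionReferences` (the shape the admin module returns today; check it in your tenant before relying on it). The `$AllowedConnectors` values are placeholders for whatever set your own DLP policy sanctions, and the `Status` labels are this script's own convention.

```powershell
# Added example: recurring connector review for Power Automate flows.
# Assumes the Power Platform admin module and a Power Platform admin sign-in;
# $AllowedConnectors is a placeholder list, not an authoritative "safe" set.
#Requires -Modules Microsoft.PowerApps.Administration.PowerShell

param(
    # Connector API names the tenant treats as business-sanctioned (placeholder values).
    [string[]]$AllowedConnectors = @(
        'shared_office365',          # Office 365 Outlook
        'shared_sharepointonline',   # SharePoint
        'shared_teams',              # Microsoft Teams
        'shared_office365users'      # Office 365 Users
    ),
    [string]$ReportPath = ".\flow-connector-review-$(Get-Date -Format yyyyMMdd).csv"
)

Add-PowerAppsAccount   # interactive sign-in as a Power Platform administrator

$findings = foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($flow in Get-AdminFlow -EnvironmentName $env.EnvironmentName) {
        # connectionReferences is an object whose properties are the flow's connectors;
        # each value carries an id such as /providers/Microsoft.PowerApps/apis/shared_sharepointonline
        $refs = $flow.Internal.properties.connectionReferences
        if (-not $refs) { continue }

        foreach ($ref in $refs.PSObject.Properties) {
            $connectorId   = $ref.Value.id
            $connectorName = ($connectorId -split '/')[-1]
            $status        = if ($AllowedConnectors -contains $connectorName) { 'Sanctioned' } else { 'Review' }

            [pscustomobject]@{
                Environment  = $env.DisplayName
                FlowName     = $flow.DisplayName
                FlowId       = $flow.FlowName
                Owner        = $flow.CreatedBy.userPrincipalName
                Enabled      = $flow.Enabled
                LastModified = $flow.LastModifiedTime
                Connector    = $connectorName
                Tier         = $ref.Value.tier
                Status       = $status
            }
        }
    }
}

# Full inventory for the audit trail of this review cycle.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

# Reviewer summary: owners whose flows use connectors outside the allow-list,
# with the distinct connectors involved, so the review starts with the highest counts.
$findings |
    Where-Object Status -eq 'Review' |
    Group-Object Owner |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count,
                  @{ n = 'Connectors'; e = { ($_.Group.Connector | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it on the review cadence the first reply describes and keep the CSV from each cycle; diffing two cycles shows newly created flows and newly introduced connectors, which is the "unusual activity" the second reply's Regular Reviews point asks you to watch for. The allow-list should mirror the business data group of your tenant DLP policy rather than being maintained separately, so the review catches drift between what the policy permits and what users have actually wired up.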
