The CoE toolkit is dead, Long Live Managed Environments!

Possibly a slightly drastic headline, but let me explain the background to this. I’ve been working with the Power Platform CoE toolkit for over 6 years, using it to educate and help customers with their Power Platform governance journey. Though it’s never been an ‘official’ Microsoft product (i.e. it’s not supported at all), the Power CAT team created it and have given it much love over the years (the GitHub repository for this is testimony to the efforts of the team).

My general approach to Power Platform governance has been to use both Managed Environments and the CoE toolkit – Managed Environments being the platform base, and the CoE toolkit being the way that customers can then build on top of things, to meet their own needs.

For the European Power Platform Conference (EPPC) 2025, I had submitted a session with the above title as, based on what I was seeing, I was figuring that the CoE toolkit would be announced as being end of life at some point. Microsoft had been (& continues to be) doubling down on Managed Environment capabilities – possibly due to the licensing needed for them (so more revenue – yes I’m being cynical here!), and kept on announcing new features for it.

In the meanwhile, no real new functionality seemed to be coming out for the CoE toolkit in a while. Bugs were being addressed, but for the most part that seemed to be it.

We’ve all seen this pattern happen before, so I thought it would be a good idea to talk about Managed Environment capabilities, and how organisations could look to pivot from current use of the CoE toolkit to them.

Now leaving aside that the session I did was actually entitled ‘The CoE (toolkit) is done for – Long live Managed Environments’ (EPPC did not like the usage of the word ‘dead’ in the title, lol), I had prepped the session without issues, and was ready to deliver it. Imagine my surprise a few weeks before the event, when some people in Microsoft reached out to me to say that I was possibly overexaggerating the situation a bit, and that it wasn’t dead, it was just on hold (pending new platform capabilities being developed for it to use).

I had my own thoughts about this, having seen similar patterns before, but kept my thoughts quiet. In my mind, the CoE toolkit is great, but Microsoft seemed to be focusing on all things Copilot and AI, which the CoE toolkit wasn’t at all.

Well, the news is now public. There’s now an announcement on the official Microsoft Power Platform Center of Excellence (CoE) Starter Kit learn page:

Microsoft then goes on to say:

The Power Platform Center of Excellence (CoE) Starter Kit has historically helped organizations establish governance, visibility, and best practices for Power Platform adoption.

Today, you can find these core capabilities directly in the Microsoft Power Platform admin center through in-product experiences such as Inventory, Usage, Monitor, and Actions. These experiences provide real-time visibility into resources, usage, operational health, and governance insights in a centralized, enterprise-scale experience.

As Microsoft continues to invest in delivering these capabilities natively in product, the CoE Starter Kit is no longer receiving ongoing feature investments or updates.

As said above, this isn’t really coming as a surprise to me – I feel I had seen the writing on the wall for a while. Don’t get me wrong – Managed Environments are great, and the capabilities being developed by the team responsible for them are getting better and better, but licensing can be a challenge.

After all, when dealing with large organisations, it’s something that they have to pay for, and we all know how resistant they can be to such things. Yes, I know the arguments for licensing premium SKUs (I deal with customers on this regularly), but it’s another barrier to overcome.

What could be interesting to see over time is the influence & use of AI in this area – rather than (admin) users needing to go in and do things, or view data, using AI to carry out the tasks for us. Dataverse is already MCP enabled (though some of the actions through the admin connectors aren’t available), but it could be something to consider in the future.

So what are your thoughts on this? Are you and your organisation heavily invested in the CoE toolkit, and will look to continue to use it? Or do you have a different journey planned out? Please drop a comment – I’d love to hear!

The story of MFA & the Centre of Excellence

I’ve been rolling out the Microsoft Centre of Excellence solution for several years now at customers. It’s a great place to start getting a handle on what exactly is going on within a Power Platform tenant, though there’s obviously so much more that takes place within a Centre of Excellence team.

The solution gathers telemetry around environments, Power Apps, Power Automates etc through the usage of the Power Automate Admin connectors for Power Platform (see Power Platform for Admins – Connectors | Microsoft Learn for further information on these).

Now obviously we need a user account to run these, and this usually has been through the use of a ‘pseudo service account’, as using a service principal has been tricky, to say the least. So we would get customers to set up an appropriate account with licensing & permissions in place, and use this to own & run the Power Automate flows that bring in the information to the CoE solution.

It is important to note that usage of these connectors does require a pretty high level of permissions – in fact, we usually suggest applying the Power Platform Admin security role (within the Microsoft 365 Admin Centre) to the user account. All good so far.

The tricky part has, to date, been around security. Organisations usually require (for good reasons) multi-factor authentication to be in place (aka MFA). Now this is fine for users logging in & accessing systems. However, it proves to be somewhat trickier for automations.

See, when a user logs in & authenticates through MFA, a token is stored to allow them to access systems. Automations can also use this. However, the token will expire at some point (based on how each organisation has implemented MFA access/controls). When the token expires, the automations will stop running, and fail silently. There’s no prompt that the token has expired, and the only way of knowing is to take a look at the Power Automate flow history. This can be interesting though, as signing in (with the pseudo service account) will prompt for MFA authentication, and then everything will start running again!

So this has usually resulted in conversations with the client to politely point out that implementing MFA on the service account will mean that, at some point, the Power Automate flows are going to start failing. Discussions with security teams take place, mitigations using tools such as Azure Sentinel are implemented, and things move ahead (cautiously). It’s been, to date, the most annoying pain for the technical implementation (that I can think of at least, in my experience).
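Because the expired-token failure described above is only visible in flow run history, one mitigation is a scheduled check over that history that flags flows which have started failing or have simply gone quiet. The sketch below is an added example, not part of the CoE toolkit or the original post; the record layout, flow names and schedules are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample rows standing in for exported flow run history.
# Flow names and field names are assumptions made for this example.
RUNS = [
    {"flow": "inventory-sync", "start": "2023-01-06T02:00:00Z", "status": "Succeeded"},
    {"flow": "inventory-sync", "start": "2023-01-07T02:00:00Z", "status": "Succeeded"},
    {"flow": "inventory-sync", "start": "2023-01-08T02:00:00Z", "status": "Failed"},
    {"flow": "inventory-sync", "start": "2023-01-09T02:00:00Z", "status": "Failed"},
    {"flow": "inventory-sync", "start": "2023-01-10T02:00:00Z", "status": "Failed"},
    {"flow": "app-usage-sync", "start": "2023-01-05T03:00:00Z", "status": "Succeeded"},
    {"flow": "app-usage-sync", "start": "2023-01-06T03:00:00Z", "status": "Succeeded"},
    {"flow": "cleanup-report", "start": "2023-01-08T04:00:00Z", "status": "Succeeded"},
]
# How often each flow is expected to run (assumed schedule).
EXPECTED = {
    "inventory-sync": timedelta(days=1),
    "app-usage-sync": timedelta(days=1),
    "cleanup-report": timedelta(days=7),
}

def assess_flows(runs, expected, now, grace=2):
    """Classify each expected flow as ok, failing or stale."""
    history = {name: [] for name in expected}
    for run in runs:
        history.setdefault(run["flow"], []).append(run)
    report = {}
    for flow, rows in history.items():
        rows.sort(key=lambda r: datetime.strptime(r["start"], FMT))
        # Length of the unbroken run of failures at the end of the history.
        streak = 0
        for run in reversed(rows):
            if run["status"] != "Failed":
                break
            streak += 1
        good = [r["start"] for r in rows if r["status"] == "Succeeded"]
        last_good = datetime.strptime(good[-1], FMT) if good else None
        interval = expected.get(flow)
        if streak:
            report[flow] = ("failing", f"{streak} failed runs since {rows[-streak]['start']}")
        elif interval and (last_good is None or now - last_good > grace * interval):
            # No failure recorded, but nothing has run when it should have.
            report[flow] = ("stale", f"last success {good[-1] if good else 'never'}")
        else:
            report[flow] = ("ok", "")
    return report
```

Calling `assess_flows(RUNS, EXPECTED, datetime(2023, 1, 10, 8))` on the sample reports one flow as failing, one as stale and one as ok; anything not ok is a prompt to check whether the account's sign-in has lapsed.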

Now you’d think that a change in this would be shouted from the rooftops, people talking about it, social media blowing up, etc. Well, I was starting an implementation recently for a customer, and was talking to them around this, as I’d usually do. Imagine my surprise when Todd, one of the Microsoft technical people attached to the client, asked why we weren’t recommending MFA.

Taking a look at the online documentation, I noticed that something had slipped in. Finally there was the ability to use MFA!

Trawling back through the GitHub history (after all, I wanted to find out EXACTLY when this had slipped in), I discovered that it was a few months old. I was still very surprised that there hadn’t been more publicity around this (though definitely a good incentive to write about it, and a great blog post to start off 2023 with!).

So moving forward, we’re now able to use MFA for the CoE user account. This is definitely going to put a lot of minds at rest (especially those who are in security and/or governance). The specifics around the MFA implementation can be found at Conditional access and multi-factor authentication in Flow – Power Automate | Microsoft Learn – but it’s important to note that specific MFA policies will need to be set up & implemented for this account.

So, now the job will be to retro-fit this to all organisations that already have the CoE toolkit in place. Thankfully this shouldn’t be too difficult to do, and will most definitely enhance the security controls around it!

Have you implemented any mitigation in the past to handle non-MFA? I’m curious if you have – please drop a comment below!